Professional-Cloud-Network-Engineer Google Cloud Certified - Professional Cloud Network Engineer exact Exam Questions

Question # 4

You are responsible for designing a new connectivity solution for your organization's enterprise network to access and use Google Workspace. You have an existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider's internet access. You want to set up a direct connection between your network and Google. What should you do?

Order a Dedicated Interconnect connection in the same metropolitan area. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router.

Order a Direct Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

Configure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center.

Order a Carrier Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

Full Access

Question # 5

In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.

What should you do?

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.

Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.

Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.

Full Access

Question # 6

Your organization has resources in two different VPCs, each in different Google Cloud projects, and requires connectivity between the resources in the two VPCs. You have already determined that there is no IP address overlap; however, one VPC uses privately used public IP (PUPI) ranges. You would like to enable connectivity between these resources by using a lower cost and higher performance method. What should you do?

Create an HA VPN between the two VPCs that includes the PUPI ranges in the custom route advertisements of the Cloud Router. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.

Create a VPC Network Peering connection between the two VPCs that allows the export and import of custom routes for public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using service accounts as the source filter.

Create a VPC Network Peering connection between the two VPCs that allows the export and import of subnet routes with public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.

Full Access

Question # 7

You are adding steps to a working automation that uses a service account to authenticate. You need to drive the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.

What should you do?

Grant the compute.instanceAdmin to your user account.

Grant the iam.serviceAccountUser to your user account.

Grant the read-only privilege to the service account for the Cloud Storage bucket.

Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.

Full Access

Question # 8

You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.

How should you configure the health check?

Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.

Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.

Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.

Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.

Full Access

Question # 9

You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?

Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.

Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.

Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.

Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.

Full Access

Question # 10

You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.

What should you do?

Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.

Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.

Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.

Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.

Full Access

Question # 11

Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP environments.

• Each organization has enabled full connectivity between all of its projects by using Shared VPC.

• Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.

• There are no prefix overlaps between the two organizations.

• Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.

• Neither organization has Interconnects to their on-premises environment.

You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.

Which two steps should you take? (Choose two.)

Provision Cloud Interconnect to connect both organizations together.

Set up some variant of DNS forwarding and zone transfers in each organization.

Connect VPCs in both organizations using Cloud VPN together with Cloud Router.

Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.

Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.

Full Access

Question # 12

You need to ensure your personal SSH key works on every instance in your project. You want to accomplish this as efficiently as possible.

What should you do?

Upload your public ssh key to the project Metadata.

Upload your public ssh key to each instance Metadata.

Create a custom Google Compute Engine image with your public ssh key embedded.

Use gcloud compute ssh to automatically copy your public ssh key to the instance.

Full Access

Question # 13

You recently deployed Cloud VPN to connect your on-premises data center to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

In the Monitoring section of the Google Cloud console, use the Dashboard section to select a default dashboard for VPN usage.

In Network Intelligence Center, check for the number of packet drops on the VPN.

In the VPN section of the Google Cloud console, select the VPN under hybrid connectivity and then select monitoring to display utilization on the dashboard.

In the Google Cloud console, use Monitoring Query Language to create a custom alert for bandwidth utilization.

Full Access

Question # 14

Question:

Your organization has an on-premises data center. You need to provide connectivity from the on-premises data center to Google Cloud. Bandwidth must be at least 1 Gbps, and the traffic must not traverse the internet. What should you do?

Configure HA VPN by using high availability gateways and tunnels.

Configure Dedicated Interconnect by creating a VLAN attachment, activate the connection, and submit the pairing key to your service provider.

Configure Cross-Cloud Interconnect by creating a VLAN attachment, activate the connection, and then submit the pairing key to your service provider.

Configure Partner Interconnect by creating a VLAN attachment, submit the pairing key to your service provider, and activate the connection.

Full Access

Question # 15

Your company recently migrated to Google Cloud in a Single region. You configured separate Virtual Private Cloud (VPC) networks for two departments. Department A and Department B. Department A has requested access to resources that are part Of Department Bis VPC. You need to configure the traffic from private IP addresses to flow between the VPCs using multi-NIC virtual machines (VMS) to meet security requirements Your configuration also must

• Support both TCP and UDP protocols

• Provide fully automated failover

• Include health-checks

Require minimal manual Intervention In the client VMS

Which approach should you take?

Create the VMS In the same zone, and configure static routes With IP addresses as next hops.

Create the VMS in different zones, and configure static routes with instance names as next hops

Create an Instance template and a managed instance group. Configure a Single internal load balancer, and define a custom static route with the Internal TCP/UDP load balancer as the next hop

Create an instance template and a managed instance group. Configure two separate internal TCP/IJDP load balancers for each protocol (TCP!UDP), and configure the client VIVIS to use the internal load balancers' virtual IP addresses

Full Access

Answer:

Explanation:

The correct answer is D. Create an instance template and a managed instance group. Configure two separate internal TCP/UDP load balancers for each protocol (TCP/UDP), and configure the client VMs to use the internal load balancers’ virtual IP addresses.

This answer is based on the following facts:

Using multi-NIC VMs as network virtual appliances (NVAs) allows you to route traffic between different VPC networks1. You can use NVAs to implement custom network policies and security requirements.

Using an instance template and a managed instance group allows you to create and manage multiple identical NVAs2. You can also use health checks and autoscaling policies to ensure high availability and reliability of your NVAs.

Using internal TCP/UDP load balancers allows you to distribute traffic from client VMs to NVAs based on the protocol and port3. You can also use health checks and failover policies to ensure that only healthy NVAs receive traffic.

Configuring the client VMs to use the internal load balancers’ virtual IP addresses allows you to simplify the routing configuration and avoid manual intervention4. You do not need to create static routes or update them when NVAs are added or removed.

The other options are not correct because:

Option A is not suitable. Creating the VMs in the same zone does not provide high availability or failover. Using static routes with IP addresses as next hops requires manual intervention when NVAs are added or removed.

Option B is not optimal. Creating the VMs in different zones provides high availability, but not failover. Using static routes with instance names as next hops requires manual intervention when NVAs are added or removed.

Option C is not feasible. Creating an instance template and a managed instance group provides high availability and reliability, but using a single internal load balancer does not support both TCP and UDP protocols. You cannot define a custom static route with an internal load balancer as the next hop.

Question # 16

(You are managing an application deployed on Cloud Run. The development team has released a new version of the application. You want to deploy and redirect traffic to this new version of the application. To ensure traffic to the new version of the application is served with no startup time, you want to ensure that there are two idle instances available for incoming traffic before adjusting the traffic flow. You also want to minimize administrative overhead. What should you do?)

Ensure the checkbox "Serve this revision immediately" is unchecked when deploying the new revision. Before changing the traffic rules, use a traffic simulation tool to send load to the new revision.

Configure service autoscaling and set the minimum number of instances to 2.

Configure revision autoscaling for the new revision and set the minimum number of instances to 2.

Configure revision autoscaling for the existing revision and set the minimum number of instances to 2.

Full Access

Answer:

Explanation:

Comprehensive and Detailed In Depth Explanation:

Let's analyze each option to find the one that meets the requirements of no startup time for new traffic, two idle instances, and minimal administrative overhead:

A. Unchecking "Serve this revision immediately" and using a traffic simulation tool: Unchecking "Serve this revision immediately" does prevent the new revision from receiving traffic immediately. However, manually using a traffic simulation tool adds administrative overhead. It also doesn't guarantee that two idle instances will be ready before traffic is shifted; you would need to monitor and adjust traffic manually based on the simulation.

B. Configuring service autoscaling and setting the minimum number of instances to 2: Service-level autoscaling applies to all revisions of the service. Setting the minimum instances at the service level would ensure at least two instances are running across all active revisions, not specifically for the new revision before traffic shift.

C. Configuring revision autoscaling for the new revision and setting the minimum number of instances to 2: This is the correct approach. By configuring revision autoscaling specifically for the new revision and setting the minimum number of instances to 2, Cloud Run will ensure that at least two instances of the new version are running and ready to serve traffic before you redirect any traffic to it. This eliminates startup latency when you do shift traffic. It also minimizes administrative overhead as Cloud Run manages the instance scaling based on this configuration.

D. Configuring revision autoscaling for the existing revision and setting the minimum number of instances to 2: This would ensure the existing version has at least two idle instances, which doesn't directly address the requirement of having idle instances ready for the new version before traffic redirection.

Google Cloud Documentation References:

Cloud Run Autoscaling: https://cloud.google.com/run/docs/configuring/min-instances - This document explains how to configure minimum and maximum instances for Cloud Run services and revisions. It clarifies that you can set minimum instances at the revision level to ensure instances are always ready.

Cloud Run Traffic Management: https://cloud.google.com/run/docs/managing/traffic - This describes how to deploy new revisions and gradually shift traffic between them. Combining minimum instances on the new revision with traffic splitting allows for zero-downtime deployments with pre-warmed instances.

===========

Question # 17

You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from. What should you do?

Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.

Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.

Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.

Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.

Full Access

Question # 18

After a network change window one of your company’s applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24/ The on-premises router is advertising 10.0.0.0/8.

What is the most likely cause of this problem?

The less specific VPC subnet route is taking priority.

The more specific VPC subnet route is taking priority.

The on-premises router is not advertising a route for the database server.

A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.

Full Access

Question # 19

You work for a university that is migrating to GCP.

These are the cloud requirements:

• On-premises connectivity with 10 Gbps

• Lowest latency access to the cloud

• Centralized Networking Administration Team

New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.

What should you do?

Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.

Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.

Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.

Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.

Full Access

Question # 20

Your company's logo is published as an image file across multiple websites that are hosted by your company You have implemented Cloud CDN, however, you want to improve the performance of the cache hit ratio associated with this image file. What should you do?

Configure custom cache keys for the backend service that holds the image file, and clear the Host and Protocol checkboxes-

Configure Cloud Storage as a custom origin backend to host the image file, and select multi-region as the location type

Configure versioned IJRLs for each domain to serve users the •mage file before the cache entry expires

Configure the default time to live (TTL) as O for the image file.

Full Access

Question # 21

You manage two VPCs: VPC1 and VPC2, each with resources spread across two regions. You connected the VPCs with HA VPN in both regions to ensure redundancy. You’ve observed that when one VPN gateway fails, workloads that are located within the same region but different VPCs lose communication with each other. After further debugging, you notice that VMs in VPC2 receive traffic but their replies never get to the VMs in VPC1. You need to quickly fix the issue. What should you do?

Q Enable regional dynamic routing mode in VPC2.

Q Enable global dynamic routing mode in VPC1.

Q Enable global dynamic routing mode in VPC2.

Q Enable regional dynamic routing mode in VPC1.

Full Access

Question # 22

You need to enable Cloud CDN for all the objects inside a storage bucket. You want to ensure that all the object in the storage bucket can be served by the CDN.

What should you do in the GCP Console?

Create a new cloud storage bucket, and then enable Cloud CDN on it.

Create a new TCP load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.

Create a new SSL proxy load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.

Create a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.

Full Access

Question # 23

Your organization is running out of private IPv4 IP addresses. You need to create a new design pattern to reduce IP usage in your Google Kubernetes Engine clusters. Each new GKE cluster should have a unique /24 range of routable RFC1918 IP addresses. What should you do?

Q Configure NAT by using the IP masquerading agent in the GKE cluster.

Q Share the primary and secondary ranges between multiple clusters.

Q Use dual stack IPv4/IPv6 clusters, and assign IPv6 ranges for Pods and Services.

Q Configure the secondary ranges outside the RFC1918 space, or use privately used public IPs.

Full Access

Question # 24

You’ve received reports of latency between two application VMs which run in two different regions of your Google Cloud VPC network. There is typically about 8ms of latency, but now there is approximately 17ms of latency. You've eliminated application issues as a root cause, and you suspect that the latency may be a Google Cloud platform issue. You need to confirm this hypothesis using Google-recommended practices. What should you do?

Q Use Network Intelligence Center Performance Dashboard to view the inter-region packet loss for your VPC.

O Install and run tcpdump on both instances, and calculate the latency between the two instances by comparing the timestamps in the packet captures.

Q Use Network Intelligence Center Performance Dashboard to view inter-region latency for the Google Cloud network.

Q Use Network Intelligence Center Connectivity Tests, run a test between the two VMs, and review the inter-region latency in the test results.

Full Access

Question # 25

You configured a single IPSec Cloud VPN tunnel for your organization to a third-party customer. You confirmed that the VPN tunnel is established; however, the BGP session status states that BGP is not configured. The customer has provided you with their BGP settings:

Local BGP address: 169.254.11.1/30

Local ASN: 64515

Peer BGP address: 169.254.11.2

Peer ASN: 64517

Base MED: 1000

MD5 Authentication: Disabled

You need to configure the local BGP session for this tunnel based on the settings provided by the customer. You already associated the Cloud Router with the Cloud VPN Tunnel. What settings should you use for the BGP session?

Peer ASN: 64517

Advertised Route Priority (MED): 100

Local BGP IP: 169.254.11.2

Peer BGP IP: 169.254.11.1

MD5 Authentication: Disabled

Peer ASN: 64515

Advertised Route Priority (MED): 100

Local BGP IP: 169.254.11.2

Peer BGP IP: 169.254.11.1

MD5 Authentication: Disabled

Peer ASN: 64515

Advertised Route Priority (MED): 1000

Local BGP IP: 169.254.11.2

Peer BGP IP: 169.254.11.1

MD5 Authentication: Enabled

Peer ASN: 64515

Advertised Route Priority (MED): 100

Local BGP IP: 169.254.11.1

Peer BGP IP: 169.254.11.2

MD5 Authentication: Disabled

Full Access

Question # 26

One instance in your VPC is configured to run with a private IP address only. You want to ensure that even if this instance is deleted, its current private IP address will not be automatically assigned to a different instance.

In the GCP Console, what should you do?

Assign a public IP address to the instance.

Assign a new reserved internal IP address to the instance.

Change the instance’s current internal IP address to static.

Add custom metadata to the instance with key internal-address and value reserved.

Full Access

Question # 27

Question:

Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption in transit over the Cloud Interconnect connections. You have created a Cloud Router and two encrypted VLAN attachments that have a 5 Gbps capacity and a BGP configuration. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?

Enable MACsec on Partner Interconnect.

Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same Cloud Router used for the Cloud Interconnect tier.

Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Create a new dedicated HA VPN Cloud Router peer VPN gateway resources and HA VPN tunnels.

Enable MACsec for Cloud Interconnect on the VLAN attachments.

Full Access

Question # 28

You are deploying GKE clusters in your organization's Google Cloud environment. The pods in these clusters need to egress directly to the internet for a majority of their communications. You need to deploy the clusters and associated networking features using the most cost-efficient approach, and following Google-recommended practices. What should you do?

Q Deploy the GKE cluster with public cluster nodes. Do not deploy Cloud NAT or Secure Web Proxy for the cluster.

Q Deploy the GKE cluster with private cluster nodes. Deploy Secure Web Proxy, and configure the pods to use Secure Web Proxy as an HTTP(S) proxy.

Q Deploy the GKE cluster with public cluster nodes. Deploy Secure Web Proxy, and configure the pods to use Secure Web Proxy as an HTTP(S) proxy.

Q Deploy the GKE cluster with private cluster nodes. Deploy Cloud NAT for the primary subnet of the cluster.

Full Access

Question # 29

You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?

Use the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network.

Use Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred.

Configure VPC Flow Logs. Review the logs by filtering on the source and destination.

Configure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.

Full Access

Question # 30

You recently deployed your application in Google Cloud. You need to verify your Google Cloud network configuration before deploying your on-premises workloads. You want to confirm that your Google Cloud network configuration allows traffic to flow from your cloud resources to your on- premises network. This validation should also analyze and diagnose potential failure points in your Google Cloud network configurations without sending any data plane test traffic. What should you do?

Use Network Intelligence Center's Connectivity Tests.

Enable Packet Mirroring on your application and send test traffic.

Use Network Intelligence Center's Network Topology visualizations.

Enable VPC Flow Logs and send test traffic.

Full Access

Question # 31

You create multiple Compute Engine virtual machine instances to be used as TFTP servers.

Which type of load balancer should you use?

HTTP(S) load balancer

SSL proxy load balancer

TCP proxy load balancer

Network load balancer

Full Access

Question # 32

You want to create a service in GCP using IPv6.

What should you do?

Create the instance with the designated IPv6 address.

Configure a TCP Proxy with the designated IPv6 address.

Configure a global load balancer with the designated IPv6 address.

Configure an internal load balancer with the designated IPv6 address.

Full Access

Question # 33

Question:

You reviewed the user behavior for your main application, which uses an external global Application Load Balancer, and found that the backend servers were overloaded due to erratic spikes in client requests. You need to limit concurrent sessions and return an HTTP 429 "Too Many Requests" response back to the client while following Google-recommended practices. What should you do?

Create a Cloud Armor security policy, and apply the predefined Open Worldwide Application Security Project (OWASP) rules to automatically implement the rate limit per client IP address.

Configure the load balancer to accept only the defined amount of requests per client IP address, increase the backend servers to support more traffic, and redirect traffic to a different backend to burst traffic.

Configure a VM with Linux, implement the rate limit through iptables, and use a firewall rule to send an HTTP 429 response to the client application.

Create a Cloud Armor security policy, and associate the policy with the load balancer. Configure the security policy's settings as follows: action: throttle, conform-action: allow, exceed-action: deny-429.

Full Access

Question # 34

You recently deployed Cloud VPN to connect your on-premises data canter to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

In the Network Intelligence Canter, check for the number of packet drops on the VPN.

In the Google Cloud Console, use Monitoring Query Language to create a custom alert for bandwidth utilization.

In the Monitoring section of the Google Cloud Console, use the Dashboard section to select a default dashboard for VPN usage.

In the VPN section of the Google Cloud Console, select the VPN under hybrid connectivity, and then select monitoring to display utilization on the dashboard.

Full Access

Question # 35

You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem.

What should you do?

Configure VPC peering in a full mesh.

Alter the routing table to resolve the asymmetric route.

Create network tags to allow connectivity between all three VPCs.

Delete the legacy network and recreate it to allow transitive peering.

Full Access

Question # 36

You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team as efficiently as possible.

What should you do?

Create a Google Group for the WebServices Team.

Create a G Suite Domain for the WebServices Team.

Create a new Cloud Identity Domain for the WebServices Team.

Create a new Custom Role for all members of the WebServices Team.

Full Access

Question # 37

You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:

IP ranges for pods and services must be as small as possible.

The nodes and the master must not be reachable from the internet.

You must be able to use kubectl commands from on-premises subnets to manage the cluster.

How should you create the GKE cluster?

• Create a private cluster that uses VPC advanced routes.

•Set the pod and service ranges as /24.

•Set up a network proxy to access the master.

• Create a VPC-native GKE cluster using GKE-managed IP ranges.

•Set the pod IP range as /21 and service IP range as /24.

•Set up a network proxy to access the master.

• Create a VPC-native GKE cluster using user-managed IP ranges.

•Enable a GKE cluster network policy, set the pod and service ranges as /24.

•Set up a network proxy to access the master.

•Enable master authorized networks.

• Create a VPC-native GKE cluster using user-managed IP ranges.

•Enable privateEndpoint on the cluster master.

•Set the pod and service ranges as /24.

•Set up a network proxy to access the master.

•Enable master authorized networks.

Full Access

Question # 38

You are migrating to Cloud DNS and want to import your BIND zone file.

Which command should you use?

gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE

gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE

gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE

gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED ZONE

Full Access

Question # 39

In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost.

Which two steps should you take? (Choose two.)

Connect both projects using Cloud VPN.

Connect the VPCs in project code-dev and data-dev using VPC Network Peering.

Enable Shared VPC in one project (e. g., code-dev), and make the second project (e. g., data-dev) a service project.

Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.

Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.

Full Access

Question # 40

You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.

What should you do?

Assign each user the editor role.

Assign each user the compute.networkAdmin role.

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.

Full Access

Question # 41

You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.

Which connectivity model should you use?

Direct Peering

Dedicated Interconnect

Partner Interconnect with a layer 2 partner

Partner Interconnect with a layer 3 partner

Full Access

Question # 42

You need to configure the Border Gateway Protocol (BGP) session for a VPN tunnel you just created between two Google Cloud VPCs, 10.1.0.0/16 and 172.16.0.0/16. You have a Cloud Router (router-1) in the 10.1.0.0/16 network and a second Cloud Router (router-2) in the 172.16.0.0/16 network. Which configuration should you use for the BGP session?

Full Access

Question # 43

You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps. What should you do?

Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.

Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.

Full Access

Question # 44

You are configuring your Google Cloud environment to connect to your on-premises network. Your configuration must be able to reach Cloud Storage APIs and your Google Kubernetes Engine nodes across your private Cloud Interconnect network. You have already configured a Cloud Router with your Interconnect VLAN attachments. You now need to set up the appropriate router advertisement configuration on the Cloud Router. What should you do?

Configure the route advertisement to the default setting.

On the on-premises router, configure a static route for the storage API virtual IP address which points to the Cloud Router's link-local IP address.

Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Leave all other options as their default settings.

Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.

Full Access

Question # 45

You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.

Which connection type should you choose?

Carrier Peering

Direct Peering

Dedicated Interconnect

Partner Interconnect

Full Access

Question # 46

Question:

Your organization wants to seamlessly migrate a global external web application from Compute Engine to GKE. You need to deploy a simple, cloud-first solution that exposes both applications and sends 10% of the requests to the new application. What should you do?

Configure a global external Application Load Balancer with a Service Extension that points to an application running in a VM, which controls which requests go to each application.

Configure a global external Application Load Balancer with weighted traffic splitting.

Configure two separate global external Application Load Balancers, and use Cloud DNS geolocation routing policies.

Configure a global external Application Load Balancer with weighted request mirroring.

Full Access

Question # 47

Question:

Your organization recently exposed a set of services through a global external Application Load Balancer. After conducting some testing, you observed that responses would intermittently yield a non-HTTP 200 response. You need to identify the error. What should you do? (Choose 2 answers)

Access a VM in the VPC through SSH, and try to access a backend VM directly. If the request is successful from the VM, increase the quantity of backends.

Enable and review the health check logs. Review the error responses in Cloud Logging.

Validate the health of the backend service. Enable logging on the load balancer, and identify the error response in Cloud Logging. Determine the cause of the error by reviewing the statusDetails log field.

Delete the load balancer and backend services. Create a new passthrough Network Load Balancer. Configure a failover group of VMs for the backend.

Validate the health of the backend service. Enable logging for the backend service, and identify the error response in Cloud Logging. Determine the cause of the error by reviewing the statusDetails log field.

Full Access

Question # 48

Question:

Your organization has a hub and spoke architecture with VPC Network Peering, and hybrid connectivity is centralized at the hub. The Cloud Router in the hub VPC is advertising subnet routes, but the on-premises router does not appear to be receiving any subnet routes from the VPC spokes. You need to resolve this issue. What should you do?

Create custom learned routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

Create custom routes at the Cloud Router in the spokes to advertise the subnets of the VPC spokes.

Create a BGP route policy at the Cloud Router, and ensure the subnets of the VPC spokes are being announced towards the on-premises environment.

Create custom routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

Full Access

Question # 49

You are configuring the firewall endpoints as part of the Cloud Next Generation Firewall (Cloud NGFW) intrusion prevention service in Google Cloud. You have configured a threat prevention security profile, and you now need to create an endpoint for traffic inspection. What should you do?

Create a Private Service Connect endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Create a firewall endpoint within the region, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Create a firewall endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Attach the profile to the VPC network, create a firewall endpoint within the zone, and use a firewall policy rule to apply the L7 inspection.

Full Access

Question # 50

Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that the caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it as a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost.

Which two steps should you take? (Choose two.)

Use Cloud Armor to blacklist the attacker’s IP addresses.

Increase the maximum autoscaling backend to accommodate the severe bursty traffic.

Create a global HTTP(s) load balancer and move your application backend to this load balancer.

Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.

SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.

Full Access

Question # 51

Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.

During troubleshooting you find:

•Each on-premises router is configured with the same ASN.

•Each on-premises router is configured with the same routes and priorities.

•Both on-premises routers are configured with a VPN connected to a single Cloud Router.

•The VPN logs have no-proposal-chosen lines when the VPNs are connecting.

•BGP session is not established between one on-premises router and the Cloud Router.

What is the most likely cause of this problem?

One of the VPN sessions is configured incorrectly.

A firewall is blocking the traffic across the second VPN connection.

You do not have a load balancer to load-balance the network traffic.

BGP sessions are not established between both on-premises routers and the Cloud Router.

Full Access

Question # 52

You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via TCP on port 700. You want to ensure high availability for this application. What should you do?

Create a network load balancer that used backend services containing one instance group with two instances.

Create a network load balancer that uses a target pool backend with two instances.

Create a TCP proxy that uses a zonal network endpoint group containing one instance.

Create a TCP proxy that uses backend services containing an instance group with two instances.

Full Access

Question # 53

Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.

During troubleshooting you find:

• Each on-premises router is configured with a unique ASN.

• Each on-premises router is configured with the same routes and priorities.

• Both on-premises routers are configured with a VPN connected to a single Cloud Router.

• BGP sessions are established between both on-premises routers and the Cloud Router.

• Only 1 of the on-premises router’s routes are being added to the routing table.

What is the most likely cause of this problem?

The on-premises routers are configured with the same routes.

A firewall is blocking the traffic across the second VPN connection.

You do not have a load balancer to load-balance the network traffic.

The ASNs being used on the on-premises routers are different.

Full Access

Question # 54

You successfully provisioned a single Dedicated Interconnect. The physical connection is at a colocation facility closest to us-west2. Seventy-five percent of your workloads are in us-east4, and the remaining twenty-five percent of your workloads are in us-central1. All workloads have the same network traffic profile. You need to minimize data transfer costs when deploying VLAN attachments. What should you do?

Keep the existing Dedicated interconnect. Deploy a VLAN attachment to a Cloud Router in us-west2, and use VPC global routing to access workloads in us-east4 and us-central1.

Keep the existing Dedicated Interconnect. Deploy a VLAN attachment to a Cloud Router in us-east4, and deploy another VLAN attachment to a Cloud Router in us-central1.

Order a new Dedicated Interconnect for a colocation facility closest to us-east4, and use VPC global routing to access workloads in us-central1.

Order a new Dedicated Interconnect for a colocation facility closest to us-central1, and use VPC global routing to access workloads in us-east4.

Full Access

Question # 55

You need to configure a Google Kubernetes Engine (GKE) cluster. The initial deployment should have 5 nodes with the potential to scale to 10 nodes. The maximum number of Pods per node is 8. The number of services could grow from 100 to up to 1024. How should you design the IP schema to optimally meet this requirement?

Configure a /28 primary IP address range for the node IP addresses. Configure a (25 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services.

Configure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.

Configure a /28 primary IP address range for the node IP addresses. Configure a /28 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.

Configure a /28 primary IP address range for the node IP addresses. Configure a /24 secondary IP range for the Pads. Configure a /22 secondary IP range for the Services.

Full Access

Question # 56

Your team is developing an application that will be used by consumers all over the world. Currently, the application sits behind a global external application load balancer You need to protect the application from potential application-level attacks. What should you do?

Enable Cloud CDN on the backend service.

Create multiple firewall deny rules to block malicious users, and apply them to the global external application load balancer

Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service.

Create a VPC Service Controls perimeter with the global external application load balancer as the protected service, and apply it to the backend service

Full Access

Question # 57

You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.

Which two actions should you take? (Choose two.)

Activate the Service Networking API in your project.

Activate the Cloud Datastore API in your project.

Create a private connection to a service producer.

Create a custom static route to allow the traffic to reach the Cloud SQL API.

Enable Private Google Access.

Full Access

Question # 58

Your company has provisioned 2000 virtual machines (VMs) in the private subnet of your Virtual Private Cloud (VPC) in the us-east1 region. You need to configure each VM to have a minimum of 128 TCP connections to a public repository so that users can download software updates and packages over the internet. You need to implement a Cloud NAT gateway so that the VMs are able to perform outbound NAT to the internet. You must ensure that all VMs can simultaneously connect to the public repository and download software updates and packages. Which two methods can you use to accomplish this? (Choose two.)

Configure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.

Create a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.

Use the default Cloud NAT gateway's NAT proxy to dynamically scale using a single NAT IP address.

Use the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.

Configure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.

Full Access

Question # 59

Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.

How should you design the topology?

Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.

Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.

Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.

Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

Full Access

Question # 60

You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?

Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.

Configure your on-premises firewall to accept traffic from 10.204.0.0/24.

Set a custom route advertisement on the Cloud Router for 10.204.0.0/24

Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168 20.88.

Configure your on-premises firewall to accept traffic from 35.199.192.0/19

Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

Create a private forwarding zone in Cloud DNS for ‘corp .altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.

Configure your on-premises firewall to accept traffic from 10.204.0.0/24.

Modify the /etc/resolv conf file on your Compute Engine instances to point to 192.168.20 88

Create a private zone in Cloud DNS for ‘corp altostrat.com’ called corp-altostrat-com.

Configure DNS Server Policies and create a policy with Alternate DNS servers to 192.168.20.88.

Configure your on-premises firewall to accept traffic from 35.199.192.0/19.

Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

Full Access

Question # 61

Question:

Your organization has distributed geographic applications with significant data volumes. You need to create a design that exposes the HTTPS workloads globally and keeps traffic costs to a minimum. What should you do?

Deploy a regional external Application Load Balancer with Standard Network Service Tier.

Deploy a regional external Application Load Balancer with Premium Network Service Tier.

Deploy a global external proxy Network Load Balancer with Standard Network Service Tier.

Deploy a global external Application Load Balancer with Premium Network Service Tier.

Full Access

Question # 62

You are troubleshooting an application in your organization's Google Cloud network that is not functioning as expected. You suspect that packets are getting lost somewhere. The application sends packets intermittently at a low volume from a Compute Engine VM to a destination on your on-premises network through a pair of Cloud Interconnect VLAN attachments. You validated that the Cloud Next Generation Firewall (Cloud NGFW) rules do not have any deny statements blocking egress traffic, and you do not have any explicit allow rules. Following Google-recommended practices, you need to analyze the flow to see if packets are being sent correctly out of the VM to isolate the issue. What should you do?

Create a packet mirroring policy that is configured with your VM as the source and destined to a collector. Analyze the packet captures.

Enable VPC Flow Logs on the subnet that the VM is deployed in with sample_rate = 1.0, and run a query in Logs Explorer to analyze the packet flow.

Enable Firewall Rules Logging on your firewall rules and review the logs.

Verify the network/attachment/egress_dropped_packet.s_count Cloud Interconnect VLAN attachment metric.

Full Access

Question # 63

You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identity the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?

Enable firewall logs, and view the logs in Firewall Insights.

Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.

Enable VPC Flow Logs, and view the logs in Cloud Logging.

Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.

Full Access

Question # 64

Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design. What should you do?

Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.

Configure DNS peering from the spoke VPCs to the hub VPC.

Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs.

Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server.

Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs.

Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server.

Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

Full Access

Question # 65

Your company’s Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure:

/fr/video

/en/video

/es/video

/../video

/fr/audio

/en/audio

/es/audio

/../audio

Which solution should you recommend?

Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.

Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.

Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and

\/[a-z]{2}\/audio.

Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/ audio.

Full Access

Question # 66

You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?

Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.

Create a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.

Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.

Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.

Full Access

Question # 67

You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.

What should you do on your on-premises servers?

Tune TCP parameters on the on-premises servers.

Compress files using utilities like tar to reduce the size of data being sent.

Remove the -m flag from the gsutil command to enable single-threaded transfers.

Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

Full Access

Summer Sale Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ex2p65

Exact2Pass Menu

Exact2Pass

Answer:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer: