Weekend Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.

Always allow Secure Shell (SSH) from your corporate IP address.

Restrict SSH access from all other IP addresses.

There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team’s requirements. What should you do?

A.

Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0.

Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.

B.

Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0.

Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.

C.

Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1.

Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.

D.

Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1

Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.

Full Access
Question # 5

Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency.

How should you design this topology?

A.

Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.

B.

Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.

C.

Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.

D.

Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.

Full Access
Question # 6

You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from. What should you do?

A.

Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.

B.

Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.

C.

Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.

D.

Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.

Full Access
Question # 7

You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?

A.

Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.

B.

Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.

C.

Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.

D.

Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.

Full Access
Question # 8

You are responsible for designing a new connectivity solution for your organization's enterprise network to access and use Google Workspace. You have an existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider's internet access. You want to set up a direct connection between your network and Google. What should you do?

A.

Order a Dedicated Interconnect connection in the same metropolitan area. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router.

B.

Order a Direct Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

C.

Configure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center.

D.

Order a Carrier Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

Full Access
Question # 9

Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?

A.

Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.

B.

Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.

C.

Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.

D.

Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.

Full Access
Question # 10

Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.

During troubleshooting you find:

• Each on-premises router is configured with a unique ASN.

• Each on-premises router is configured with the same routes and priorities.

• Both on-premises routers are configured with a VPN connected to a single Cloud Router.

• BGP sessions are established between both on-premises routers and the Cloud Router.

• Only 1 of the on-premises router’s routes are being added to the routing table.

What is the most likely cause of this problem?

A.

The on-premises routers are configured with the same routes.

B.

A firewall is blocking the traffic across the second VPN connection.

C.

You do not have a load balancer to load-balance the network traffic.

D.

The ASNs being used on the on-premises routers are different.

Full Access
Question # 11

You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?

A.

Configure a custom route advertisement on the Cloud Router.

B.

Enable IP forwarding in the asia-southeast1 region.

C.

Change the VPC dynamic routing mode to Global.

D.

Add a second Border Gateway Protocol (BGP) session to the Cloud Router.

Full Access
Question # 12

You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.

How should you configure the health check?

A.

Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.

B.

Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.

C.

Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.

D.

Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.

Full Access
Question # 13

You create multiple Compute Engine virtual machine instances to be used as TFTP servers.

Which type of load balancer should you use?

A.

HTTP(S) load balancer

B.

SSL proxy load balancer

C.

TCP proxy load balancer

D.

Network load balancer

Full Access
Question # 14

You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.

Which two actions should you take? (Choose two.)

A.

Activate the Service Networking API in your project.

B.

Activate the Cloud Datastore API in your project.

C.

Create a private connection to a service producer.

D.

Create a custom static route to allow the traffic to reach the Cloud SQL API.

E.

Enable Private Google Access.

Full Access
Question # 15

You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.

Which connectivity model should you use?

A.

Direct Peering

B.

Dedicated Interconnect

C.

Partner Interconnect with a layer 2 partner

D.

Partner Interconnect with a layer 3 partner

Full Access
Question # 16

Your company is planning a migration to Google Kubernetes Engine. Your application team informed you that they require a minimum of 60 Pods per node and a maximum of 100 Pods per node Which Pod per node CIDR range should you use?

A.

/24

B.

/25

C.

/26

D.

/28

Full Access
Question # 17

In your Google Cloud organization, you have two folders: Dev and Prod. You want a scalable and consistent way to enforce the following firewall rules for all virtual machines (VMs) with minimal cost:

Port 8080 should always be open for VMs in the projects in the Dev folder.

Any traffic to port 8080 should be denied for all VMs in your projects in the Prod folder.

What should you do?

A.

Create and associate a firewall policy with the Dev folder with a rule to open port 8080. Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.

B.

Create a Shared VPC for the Dev projects and a Shared VPC for the Prod projects. Create a VPC firewall rule to open port 8080 in the Shared VPC for Dev. Create a firewall rule to deny traffic to port 8080 in the Shared VPC for Prod. Deploy VMs to those Shared VPCs.

C.

In all VPCs for the Dev projects, create a VPC firewall rule to open port 8080. In all VPCs for the Prod projects, create a VPC firewall rule to deny traffic to port 8080.

D.

Use Anthos Config Connector to enforce a security policy to open port 8080 on the Dev VMs and deny traffic to port 8080 on the Prod VMs.

Full Access
Question # 18

You have deployed an HTTP(s) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem. Which commands should you run?

A.

gcloud compute instances add-access-config instance-1

B.

gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

C.

gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

D.

gcloud compute health-checks update http health-check --unhealthy-threshold 10

Full Access
Question # 19

You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to restrict VPN tunnels created in the project to only connect to your on-premises VPN public IP address: 203.0.113.1/32. What should you do?

A.

Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.

B.

Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.

C.

Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.

D.

Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.

Full Access
Question # 20

You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command.

Which next hop should you choose?

A.

The default internet gateway

B.

The IP address of the Cloud VPN gateway

C.

The name and region of the Cloud VPN tunnel

D.

The IP address of the instance on the remote side of the VPN tunnel

Full Access
Question # 21

You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.

How should you configure the Distribution VPC?

A.

Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.

B.

Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.

C.

Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.

D.

Rename the default VPC as "Distribution" and peer it via network peering.

Full Access
Question # 22

You need to create the network infrastructure to deploy a highly available web application in the us-east1 and us-west1 regions. The application runs on Compute Engine instances, and it does not require the use of a database. You want to follow Google-recommended practices. What should you do?

A.

Create one VPC with one subnet in each region.

Create a regional network load balancer in each region with a static IP address.

Enable Cloud CDN on the load balancers.

Create an A record in Cloud DNS with both IP addresses for the load balancers.

B.

Create one VPC with one subnet in each region.

Create a global load balancer with a static IP address.

Enable Cloud CDN and Google Cloud Armor on the load balancer.

Create an A record using the IP address of the load balancer in Cloud DNS.

C.

Create one VPC in each region, and peer both VPCs.

Create a global load balancer.

Enable Cloud CDN on the load balancer.

Create a CNAME for the load balancer in Cloud DNS.

D.

Create one VPC with one subnet in each region.

Create an HTTP(S) load balancer with a static IP address.

Choose the standard tier for the network.

Enable Cloud CDN on the load balancer.

Create a CNAME record using the load balancer’s IP address in Cloud DNS.

Full Access
Question # 23

Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2. What should you do?

A.

Enable firewall logging, and forward all filtered egress firewall logs to the IDS.

B.

Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.

C.

Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

D.

Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

Full Access
Question # 24

Your company has a Virtual Private Cloud (VPC) with two Dedicated Interconnect connections in two different regions: us-west1 and us-east1. Each Dedicated Interconnect connection is attached to a Cloud Router in its respective region by a VLAN attachment. You need to configure a high availability failover path. By default, all ingress traffic from the on-premises environment should flow to the VPC using the us-west1 connection. If us-west1 is unavailable, you want traffic to be rerouted to us-east1. How should you configure the multi-exit discriminator (MED) values to enable this failover path?

A.

Use regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

B.

Use global routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

C.

Use regional routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

D.

Use global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

Full Access
Question # 25

Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.

How should you design the topology?

A.

Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.

B.

Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.

C.

Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.

D.

Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

Full Access
Question # 26

In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.

What should you do?

A.

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.

B.

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.

C.

Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.

D.

Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.

Full Access
Question # 27

You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection.

Which two actions can accomplish this? (Choose two.)

A.

Open a Cloud Support ticket under the Cloud Interconnect category.

B.

Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.

C.

Run gcloud compute interconnects describe .

D.

Check the email for the account of the NOC contact that you specified during the ordering process.

E.

Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.

Full Access
Question # 28

Your company recently migrated to Google Cloud in a Single region. You configured separate Virtual Private Cloud (VPC) networks for two departments. Department A and Department B. Department A has requested access to resources that are part Of Department Bis VPC. You need to configure the traffic from private IP addresses to flow between the VPCs using multi-NIC virtual machines (VMS) to meet security requirements Your configuration also must

• Support both TCP and UDP protocols

• Provide fully automated failover

• Include health-checks

Require minimal manual Intervention In the client VMS

Which approach should you take?

A.

Create the VMS In the same zone, and configure static routes With IP addresses as next hops.

B.

Create the VMS in different zones, and configure static routes with instance names as next hops

C.

Create an Instance template and a managed instance group. Configure a Single internal load balancer, and define a custom static route with the Internal TCP/UDP load balancer as the next hop

D.

Create an instance template and a managed instance group. Configure two separate internal TCP/IJDP load balancers for each protocol (TCP!UDP), and configure the client VIVIS to use the internal load balancers' virtual IP addresses

Full Access
Question # 29

You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:

    IP ranges for pods and services must be as small as possible.

    The nodes and the master must not be reachable from the internet.

    You must be able to use kubectl commands from on-premises subnets to manage the cluster.

How should you create the GKE cluster?

A.

• Create a private cluster that uses VPC advanced routes.

•Set the pod and service ranges as /24.

•Set up a network proxy to access the master.

B.

• Create a VPC-native GKE cluster using GKE-managed IP ranges.

•Set the pod IP range as /21 and service IP range as /24.

•Set up a network proxy to access the master.

C.

• Create a VPC-native GKE cluster using user-managed IP ranges.

•Enable a GKE cluster network policy, set the pod and service ranges as /24.

•Set up a network proxy to access the master.

•Enable master authorized networks.

D.

• Create a VPC-native GKE cluster using user-managed IP ranges.

•Enable privateEndpoint on the cluster master.

•Set the pod and service ranges as /24.

•Set up a network proxy to access the master.

•Enable master authorized networks.

Full Access
Question # 30

You have provisioned a Partner Interconnect connection to extend connectivity from your on-premises data center to Google Cloud. You need to configure a Cloud Router and create a VLAN attachment to connect to resources inside your VPC. You need to configure an Autonomous System number (ASN) to use with the associated Cloud Router and create the VLAN attachment.

What should you do?

A.

Use a 4-byte private ASN 4200000000-4294967294.

B.

Use a 2-byte private ASN 64512-65535.

C.

Use a public Google ASN 15169.

D.

Use a public Google ASN 16550.

Full Access
Question # 31

You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale.

How should you provision your instances?

A.

Create a single managed instance group, specify the desired region, and select Multiple zones for the location.

B.

Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.

C.

Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.

D.

Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.

Full Access
Question # 32

You recently noticed a recurring daily spike in network usage in your Google Cloud project. You need to identify the virtual machine (VM) instances and type of traffic causing the spike in traffic utilization while minimizing the cost and management overhead required. What should you do?

A.

Enable VPC Flow Logs and send the output to BigQuery for analysis.

B.

Enable Firewall Rules Logging for all allowed traffic and send the output to BigQuery for analysis.

C.

Configure Packet Mirroring to send all traffic to a VM. Use Wireshark on the VM to identity traffic utilization for each VM in the VPC.

D.

Deploy a third-party network appliance and configure it as the default gateway. Use the third-party network appliance to identify users with high network traffic.

Full Access
Question # 33

You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.

What should you do?

A.

Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.

B.

Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.

C.

Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.

D.

Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.

Full Access
Question # 34

You are configuring a new application that will be exposed behind an external load balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest possible latency while ensuring high availability and autoscaling. Which configuration should you use?

A.

Use global SSL Proxy Load Balancing with backends in both regions.

B.

Use global TCP Proxy Load Balancing with backends in both regions.

C.

Use global external HTTP(S) Load Balancing with backends in both regions.

D.

Use Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region.

Full Access
Question # 35

You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.

Which two actions should you take? (Choose two.)

A.

Turn on Private Google Access at the subnet level.

B.

Turn on Private Google Access at the VPC level.

C.

Turn on Private Services Access at the VPC level.

D.

Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.

E.

Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.

Full Access
Question # 36

Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.

Which two products should you incorporate into the solution? (Choose two.)

A.

VPC flow logs

B.

Firewall logs

C.

Cloud Audit logs

D.

Stackdriver Trace

E.

Compute Engine instance system logs

Full Access
Question # 37

You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT.

What is the most likely cause of this problem?

A.

The instance has been configured with multiple interfaces.

B.

An external IP address has been configured on the instance.

C.

You have created static routes that use RFC1918 ranges.

D.

The instance is accessible by a load balancer external IP address.

Full Access
Question # 38

You are migrating to Cloud DNS and want to import your BIND zone file.

Which command should you use?

A.

gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE

B.

gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE

C.

gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE

D.

gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED ZONE

Full Access
Question # 39

You need to define an address plan for a future new Google Kubernetes Engine (GKE) cluster in your Virtual Private Cloud (VPC). This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses. Which subnet mask should you use for the Pod IP address range?

A.

/21

B.

/22

C.

/23

D.

/25

Full Access
Question # 40

You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.

What should you do?

A.

Configure a policy-based route rule to prioritize the traffic.

B.

Configure an HTTP load balancer, and direct the traffic to it.

C.

Configure Dynamic Routing for the subnet hosting the application.

D.

Configure the TTL for the DNS zone to decrease the time between updates.

Full Access
Question # 41

You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identity the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?

A.

Enable firewall logs, and view the logs in Firewall Insights.

B.

Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.

C.

Enable VPC Flow Logs, and view the logs in Cloud Logging.

D.

Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.

Full Access
Question # 42

You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.

What should you do on your on-premises servers?

A.

Tune TCP parameters on the on-premises servers.

B.

Compress files using utilities like tar to reduce the size of data being sent.

C.

Remove the -m flag from the gsutil command to enable single-threaded transfers.

D.

Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

Full Access
Question # 43

You configured Cloud VPN with dynamic routing via Border Gateway Protocol (BGP). You added a custom route to advertise a network that is reachable over the VPN tunnel. However, the on-premises clients still cannot reach the network over the VPN tunnel. You need to examine the logs in Cloud Logging to confirm that the appropriate routers are being advertised over the VPN tunnel. Which filter should you use in Cloud Logging to examine the logs?

A.

resource.type= “gce_router”

B.

resource.type= “gce_network_region”

C.

resource.type= “vpn_tunnel”

D.

resource.type= “vpn_gateway”

Full Access
Question # 44

Your company is planning a migration to Google Kubernetes Engine. Your application team informed you that they require a minimum of 60 Pods per node and a maximum of 100 Pods per node Which Pod per node CIDR range should you

use?

A.

/24

B.

/25

C.

/26

D.

/28

Full Access
Question # 45

After a network change window one of your company’s applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24/ The on-premises router is advertising 10.0.0.0/8.

What is the most likely cause of this problem?

A.

The less specific VPC subnet route is taking priority.

B.

The more specific VPC subnet route is taking priority.

C.

The on-premises router is not advertising a route for the database server.

D.

A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.

Full Access
Question # 46

You have enabled HTTP(S) load balancing for your application, and your application developers have reported that HTTP(S) requests are not being distributed correctly to your Compute Engine Virtual Machine instances. You want to find data about how the request are being distributed.

Which two methods can accomplish this? (Choose two.)

A.

On the Load Balancer details page of the GCP Console, click on the Monitoring tab, select your backend service, and look at the graphs.

B.

In Stackdriver Error Reporting, look for any unacknowledged errors for the Cloud Load Balancers service.

C.

In Stackdriver Monitoring, select Resources > Metrics Explorer and search for https/request_bytes_count metric.

D.

In Stackdriver Monitoring, select Resources > Google Cloud Load Balancers and review the Key Metrics graphs in the dashboard.

E.

In Stackdriver Monitoring, create a new dashboard and track the https/backend_request_count metric for the load balancer.

Full Access
Question # 47

You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.

What should you do?

A.

• Create a Cloud VPN instance.• Create a policy-based VPN tunnel per subnet.• Configure the appropriate local and remote traffic selectors to match your local and remote networks.• Create the appropriate static routes.

B.

• Create a Cloud VPN instance.• Create a policy-based VPN tunnel.• Configure the appropriate local and remote traffic selectors to match your local and remote networks.• Configure the appropriate static routes.

C.

• Create a Cloud VPN instance.• Create a route-based VPN tunnel.• Configure the appropriate local and remote traffic selectors to match your local and remote networks.• Configure the appropriate static routes.

D.

• Create a Cloud VPN instance.• Create a route-based VPN tunnel.• Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.• Configure the appropriate static routes.

Full Access
Question # 48

You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):

You need to update the firewall rule to add the following rule to the ruleset:

You are using a new user account. You must assign the appropriate identity and Access Management (IAM) user roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?

A.

Assign the compute.securityAdmin and logging.viewer rule to the new user account. Apply the new firewall rule with a priority of 50.

B.

Assign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

C.

Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.

D.

Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

Full Access
Question # 49

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.

Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

A.

VPC peering

B.

Shared VPC

C.

Cloud VPN

D.

Dedicated Interconnect

E.

Cloud NAT

Full Access
Question # 50

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space In your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?

A.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters

B.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters

C.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and

D.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected --disable-default-snat, —enable-ip-alias, and—enable-private-nodes

Full Access