Download Free Google Professional-Cloud-Network-Engineer Exam Questions & Answers
The Google Professional-Cloud-Network-Engineer certification is an excellent way for IT professionals to demonstrate their expertise in networking technologies and solutions on the Google Cloud Platform. By passing this certification exam, candidates can validate their skills and knowledge in this area, which can help them to advance their careers and open up new opportunities in the rapidly growing cloud computing industry.
Manage & Monitor Network Operations
In this part of the exam content, the students should be able to log and monitor with the use of GCP Console or Stackdriver. They must have competence in the management and maintenance of security, which includes firewalls and diagnosing & resolving IAM problems. Besides that, they need to be able to deal with the following objective:
- Maintain & Troubleshoot Connectivity Issues: It includes the identification of traffic flow topology, redirecting and draining of traffic flows, and cross-connect hand-off for interconnect. It also measures one’s knowledge of the monitoring of egress and ingress traffic with the use of flow logs as well as monitoring firewall logs. This section will also evaluate the learners’ skills in troubleshooting and managing VPNs and troubleshooting peering issues with Cloud Router BGP.
The applicants should also demonstrate competence in troubleshooting, monitoring, and maintaining traffic flow and latency, which include routing issues, network latency testing & throughput, and tracing traffic flow.
NEW QUESTION # 26
You are using the gcloud command line tool to create a new custom role in a project by copying a predefined role. You receive this error message:
INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid
What should you do?
- A. Add the resourcemanager.projects.setIamPolicy permission, and try again.
- B. Try again with a different role with a new name but the same permissions.
- C. Remove the resourcemanager.projects.list permission, and try again.
- D. Add the resourcemanager.projects.get permission, and try again.
Answer: C
Explanation:
Reference:
https://cloud.google.com/iam/docs/understanding-custom-roles
NEW QUESTION # 27
You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?
- A. Use Network Load Balancing
- B. Use External HTTP(S) Load Balancing with URL Maps and custom headers
- C. Use TCP Proxy Load Balancing with PROXY protocol enabled
- D. Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header
Answer: D
NEW QUESTION # 28
You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?
- A. Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.
- B. Create a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.
- C. Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.
- D. Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.
Answer: D
NEW QUESTION # 29
You work for a university that is migrating to GCP.
These are the cloud requirements:
- On-premises connectivity with 10 Gbps
- Lowest latency access to the cloud
- Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects.
You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?
- A. Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.
- B. Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
- C. Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.
- D. Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.
Answer: C
NEW QUESTION # 30
You need to configure the Border Gateway Protocol (BGP) session for a VPN tunnel you just created between two Google Cloud VPCs, 10.1.0.0/16 and 172.16.0.0/16. You have a Cloud Router (router-1) in the 10.1.0.0/16 network and a second Cloud Router (router-2) in the 172.16.0.0/16 network. Which configuration should you use for the BGP session?
- A.

- B.

- C.

- D.

Answer: B
NEW QUESTION # 31
You want to use Partner Interconnect to connect your on-premises network with your VPC. You already have an Interconnect partner.
What should you do first?
- A. Log in to your partner's portal and request the VLAN attachment there.
- B. Ask your Interconnect partner to provision a physical connection to Google.
- C. Run gcloud compute interconnect attachments partner update <attachment> --region <region> --admin-enabled.
- D. Create a Partner Interconnect type VLAN attachment in the GCP Console and retrieve the pairing key.
Answer: B
Explanation:
https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview?hl=En#provisioning
"To provision a Partner Interconnect connection with a service provider, you start by connecting your on-premises network to a supported service provider. Work with the service provider to establish connectivity."
NEW QUESTION # 32
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?
- A. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
- B. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
- C. Open the Cloud Shell SSH into the instance using gcloud compute ssh.
- D. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
Answer: D
Explanation:
https://cloud.google.com/compute/docs/storing-retrieving-metadata
NEW QUESTION # 33
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?
- A. Community
- B. Local Preference
- C. AS-Path
- D. Multi-exit Discriminator
Answer: D
NEW QUESTION # 34
You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?
- A. Enable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.
- B. Review the VPC audit logs in Cloud Logging for the affected instances.
- C. Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.
- D. Use Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.
Answer: C
NEW QUESTION # 35
You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.
What should you do?
- A. Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.
- B. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
- C. Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
- D. Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
Answer: B
NEW QUESTION # 36
Your company is running out of network capacity to run a critical application in the on-premises data center.
You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.
Which two products should you incorporate into the solution? (Choose two.)
- A. Firewall logs
- B. Stackdriver Trace
- C. VPC flow logs
- D. Cloud Audit logs
- E. Compute Engine instance system logs
Answer: B,D
Explanation:
Explanation/Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
NEW QUESTION # 37
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)
- A. VPC peering
- B. Shared VPC
- C. Cloud NAT
- D. Cloud VPN
- E. Dedicated Interconnect
Answer: D,E
Explanation:
https://cloud.google.com/vpc/docs/vpc
NEW QUESTION # 38
You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.
What should you do on your on-premises servers?
- A. Remove the -m flag from the gsutil command to enable single-threaded transfers.
- B. Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].
- C. Compress files using utilities like tar to reduce the size of data being sent.
- D. Tune TCP parameters on the on-premises servers.
Answer: B
Explanation:
https://cloud.google.com/solutions/transferring-big-data-sets-to-gcp
NEW QUESTION # 39
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.
How should you configure the health check?
- A. Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.
- B. Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.
- C. Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
- D. Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
Answer: C
NEW QUESTION # 40
You want to create a service in GCP using IPv6.
What should you do?
- A. Configure an internal load balancer with the designated IPv6 address.
- B. Create the instance with the designated IPv6 address.
- C. Configure a global load balancer with the designated IPv6 address.
- D. Configure a TCP Proxy with the designated IPv6 address.
Answer: C
NEW QUESTION # 41
Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B.
You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?
- A. Firewall rule direction: ingress
Action: allow
Target: VM A service account
Source ranges: VM B service account and VM B source IP address
Priority: 100
- B. Firewall rule direction: ingress
Action: allow
Target: specific VM B tag
Source ranges: VM A tag and VM A source IP address
Priority: 1000
- C. Firewall rule direction: ingress
Action: allow
Target: VM B service account
Source ranges: VM A service account
Priority: 1000
- D. Firewall rule direction: ingress
Action: allow
Target: specific VM A tag
Source ranges: VM B tag and VM B source IP address
Priority: 100
Answer: D
NEW QUESTION # 42
You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.
How should you design this topology?
- A. Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
- B. Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
- C. Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.
- D. Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.
Answer: C
Explanation:
https://cloud.google.com/vpc/docs/shared-vpc
NEW QUESTION # 43
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)
- A. Turn on Private Services Access at the VPC level.
- B. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
- C. Turn on Private Google Access at the VPC level.
- D. Turn on Private Google Access at the subnet level.
- E. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
Answer: A,E
Explanation:
Explanation/Reference: https://cloud.google.com/vpc/docs/private-access-options
NEW QUESTION # 44
Your organization uses a Shared VPC architecture with a host project and three service projects. You have Compute Engine instances that reside in the service projects. You have critical workloads in your on-premises data center. You need to ensure that the Google Cloud instances can resolve on-premises hostnames via the Dedicated Interconnect you deployed to establish hybrid connectivity. What should you do?
- A. Configure a Cloud DNS private zone in the host project of the Shared VPC. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project. In your Cloud Router, add a custom route advertisement for the IP 169.254.169.254 to the on-premises environment.
- B. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers. In your Cloud Router, add a custom route advertisement for the IP 169.254.169.254 to the on-premises environment.
- C. Configure a Cloud DNS private zone in the host project of the Shared VPC. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project. Configure a DNS policy in the Shared VPC to allow inbound query forwarding with your on-premises DNS server as the alternative DNS server.
- D. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers. In your Cloud Router, add a custom route advertisement for the IP 35.199.192.0/19 to the on-premises environment.
Answer: C
NEW QUESTION # 45
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?
- A. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
- B. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
- C. Open the Cloud Shell SSH into the instance using gcloud compute ssh.
- D. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
Answer: D
Explanation:
Explanation/Reference: https://cloud.google.com/compute/docs/storing-retrieving-metadata
NEW QUESTION # 46
Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.
What should you do?
- A. Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.
- B. Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.
- C. Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.
- D. Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.
Answer: D
Explanation:
The global load balancer proxies the connection, so there is no trace of the session's origin IP. You should use Cloud Armor to geofence your service.
https://cloud.google.com/load-balancing/docs/https
