Google Professional Cloud Network Engineer Practice Test - Questions Answers, Page 18
You need to create the technical architecture for hybrid connectivity from your data center to Google Cloud. This will be managed by a partner. You want to follow Google-recommended practices for production-level applications. What should you do?
You have the following Shared VPC design. VPC Flow Logs is configured for Subnet-1 in the host VPC. You also want to monitor flow logs for Subnet-2. What should you do?
You are designing a packet mirroring policy as part of your network security architecture for your gaming workload. Your infrastructure is located in the us-west2 region and deployed across several zones: us-west2-a, us-west2-b, and us-west2-c. The infrastructure is running a web-based application on TCP ports 80 and 443 with other game servers that utilize the UDP protocol. You need to deploy packet mirroring policies and collector instances to monitor web application traffic while minimizing inter-zonal network egress costs.
Following Google-recommended practices, how should you deploy the packet mirroring policies and collector instances?
Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption in transit over the Cloud Interconnect connections. You have created a Cloud Router and two encrypted VLAN attachments that have a 5 Gbps capacity and a BGP configuration. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?
Enable MACsec on Partner Interconnect.
Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same Cloud Router used for the Cloud Interconnect tier.
Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Create a new dedicated HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels.
Enable MACsec for Cloud Interconnect on the VLAN attachments.
Your organization's security team recently discovered that there is a high risk of malicious activities originating from some of your VMs connected to the internet. These malicious activities are currently undetected when TLS communication is used. You must ensure that encrypted traffic to the internet is inspected. What should you do?
Enable Cloud Armor TLS inspection policy, and associate the policy with the backend VMs.
Use Cloud NGFW Enterprise. Create a firewall rule for egress traffic with the tls-inspect flag and associate the firewall rules with the VMs.
Configure a TLS agent on every VM to intercept TLS traffic before it reaches the internet. Configure Sensitive Data Protection to analyze and allow/deny the content.
Use Cloud NGFW Essentials. Create a firewall rule for egress traffic and enable VPC Flow Logs with the TLS inspect option. Analyze the output logs content and block the outputs that have malicious activities.
Your organization has approximately 100 teams that need to manage their own environments. A central team must manage the network. You need to design a landing zone that provides separate projects for each team and ensure the solution can scale. What should you do?
Configure VPC Network Peering and peer one of the VPCs to the service project.
Configure Policy-based Routing for each team.
Configure a Shared VPC and create a VPC network in the host project.
Configure a Shared VPC, and create a VPC network in the service project.
You are designing the architecture for your organization so that clients can connect to certain Google APIs. Your plan must include a way to connect to Cloud Storage and BigQuery. You also need to ensure the traffic does not traverse the internet. You want your solution to be cloud-first and require the least amount of configuration steps. What should you do?
Configure Private Google Access on the VPC resource. Create a default route to the internet.
Configure Private Google Access on the subnet resource. Create a default route to the internet.
Configure Cloud NAT and remove the default route to the internet.
Configure a global Secure Web Proxy and remove the default route to the internet.
Your multi-region VPC has had a long-standing HA VPN configured in 'region 1' connected to your corporate network. You are planning to add two 10 Gbps Dedicated Interconnect connections and VLAN attachments in 'region 2' to connect to the same corporate network. You need to plan for connectivity between your VPC and corporate network to ensure that traffic uses the Dedicated Interconnect connections as the primary path and the HA VPN as the secondary path. What should you do?
Enable regional dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in 'region 1' to use a base priority value of 100. Configure BGP associated with the VLAN attachments to use a base priority of 20000. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.
Enable global dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in 'region 1' to use a base priority value of 100. Configure BGP associated with the VLAN attachments to use a base priority of 20000. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.
Enable regional dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in 'region 1' to use a base priority value of 20000. Configure BGP associated with the VLAN attachments to use a base priority of 100. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.
Enable global dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in 'region 1' to use a base priority value of 20000. Configure BGP associated with the VLAN attachments to use a base priority of 100. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.
Your organization has a subset of applications in multiple regions that require internet access. You need to control internet access from applications to URLs, including hostnames and paths. The compute instances that run these applications have an associated secure tag. What should you do?
Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match the secure tag.
Deploy a single Secure Web Proxy instance with global access enabled. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.
Deploy a Secure Web Proxy instance in each region. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.
Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match a service account.
You are troubleshooting connectivity issues between Google Cloud and a public SaaS provider. Connectivity between the two environments is through the public internet. Your users are reporting intermittent connection errors when using TCP to connect; however, ICMP tests show no failures. According to users, errors occur around the same time every day. You want to troubleshoot and gather information by using Google Cloud tools that are most likely to provide insights into what is occurring within Google Cloud. What should you do?
Create a Connectivity Test by using TCP, the source IP address of your test VM, and the destination IP address of the public SaaS provider. Review the live data plane analysis and take the next steps based on the test results.
Enable and review Cloud Logging on your Cloud NAT gateway. Look for logs with errors matching the destination IP address of the public SaaS provider.
Enable the Firewall Insights API. Set the deny rule insights observation period to one day. Review the insights to ensure there are no firewall rules denying traffic.
Enable and review Cloud Logging for Cloud Armor. Look for logs with errors matching the destination IP address of the public SaaS provider.