ExamGecko
Login
Ask Question

Google Professional Cloud Network Engineer Practice Test - Questions Answers, Page 7

List of questions

Question 61

Report
Export
Collapse

You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.

Which connection type should you choose?

Carrier Peering
Carrier Peering
Direct Peering
Direct Peering
Dedicated Interconnect
Dedicated Interconnect
Partner Interconnect
Partner Interconnect
Suggested answer: B

Explanation:

When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC networks in your projects. Google Cloud customers must request that direct egress pricing be enabled for each of their projects after they have established Direct Peering with Google. For more information, see Pricing.

Reference: https://cloud.google.com/interconnect/docs/how-to/direct-peering

asked 18/09/2024
Miguel Angel Rico Márquez
30 questions

Question 62

Report
Export
Collapse

You are configuring a new instance of Cloud Router in your Organization's Google Cloud environment to allow connection across a new Dedicated Interconnect to your data center Sales, Marketing, and IT each have a service project attached to the Organization's host project.

Where should you create the Cloud Router instance?

VPC network in all projects
VPC network in all projects
VPC network in the IT Project
VPC network in the IT Project
VPC network in the Host Project
VPC network in the Host Project
VPC network in the Sales, Marketing, and IT Projects
VPC network in the Sales, Marketing, and IT Projects
Suggested answer: C

Explanation:

Reference: https://cloud.google.com/interconnect/docs/how-to/dedicated/using-interconnectsother-projects

asked 18/09/2024
Ariel Acosta
35 questions

Question 63

Report
Export
Collapse

You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.

How should you configure your firewall rules?

Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.
Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.
Create a single firewall rule to allow port 22 with priority 1000.
Create a single firewall rule to allow port 22 with priority 1000.
Create a single firewall rule to allow port 3389 with priority 1000.
Create a single firewall rule to allow port 3389 with priority 1000.
Suggested answer: C

Explanation:

Reference: https://geekflare.com/gcp-firewall-configuration/

asked 18/09/2024
Emanuele Facchini
30 questions

Question 64

Report
Export
Collapse

Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.

During troubleshooting you find:

• Each on-premises router is configured with the same ASN.

• Each on-premises router is configured with the same routes and priorities.

• Both on-premises routers are configured with a VPN connected to a single Cloud Router.

• The VPN logs have no-proposal-chosen lines when the VPNs are connecting.

• BGP session is not established between one on-premises router and the Cloud Router.

What is the most likely cause of this problem?

One of the VPN sessions is configured incorrectly.
One of the VPN sessions is configured incorrectly.
A firewall is blocking the traffic across the second VPN connection.
A firewall is blocking the traffic across the second VPN connection.
You do not have a load balancer to load-balance the network traffic.
You do not have a load balancer to load-balance the network traffic.
BGP sessions are not established between both on-premises routers and the Cloud Router.
BGP sessions are not established between both on-premises routers and the Cloud Router.
Suggested answer: A

Explanation:

If the VPN logs show a no-proposal-chosen error, this error indicates that Cloud VPN and your peer VPN gateway were unable to agree on a set of ciphers. For IKEv1, the set of ciphers must match exactly. For IKEv2, there must be at least one common cipher proposed by each gateway. Make sure that you use supported ciphers to configure your peer VPN gateway.

https://cloud.google.com/networkconnectivity/docs/vpn/support/troubleshooting#:~:text=If%20the%20VPN%20logs%20show,of%20ciphers%20must%20match%20exactly.&text=Make%20sure%20that%20you%20use,configure%20your%20peer%20VPN%20gateway.

asked 18/09/2024
Demilson Mantegazine
37 questions

Question 65

Report
Export
Collapse

You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.

Which subnet mask should you use for the Pod IP address range?

/21
/21
/22
/22
/23
/23
/25
/25
Suggested answer: B

Explanation:

https://cloud.google.com/kubernetes-engine/docs/how-to/aliasips#cluster_sizing_secondary_range_pods

Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips

https://cloud.google.com/kubernetes-engine/docs/how-to/flexible-pod-cidr

https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips#defaults_limits

asked 18/09/2024
Nick Daniel
37 questions

Question 66

Report
Export
Collapse

You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. Whiletesting, you specifically try to reach the server over multiple ports and protocols; however, you donot see any denied connections in the firewall logs. You want to resolve the issue.

What should you do?

Enable logging on the default Deny Any Firewall Rule.
Enable logging on the default Deny Any Firewall Rule.
Enable logging on the VM Instances that receive traffic.
Enable logging on the VM Instances that receive traffic.
Create a logging sink forwarding all firewall logs with no filters.
Create a logging sink forwarding all firewall logs with no filters.
Create an explicit Deny Any rule and enable logging on the new rule.
Create an explicit Deny Any rule and enable logging on the new rule.
Suggested answer: D

Explanation:

https://cloud.google.com/vpc/docs/firewall-rules-logging#egress_deny_example

You can only enable Firewall Rules Logging for rules in a Virtual Private Cloud (VPC) network. Legacy networks are not supported. Firewall Rules Logging only records TCP and UDP connections. Although you can create a firewall rule applicable to other protocols, you cannot log their connections. You cannot enable Firewall Rules Logging for the implied deny ingress and implied allow egress rules. Log entries are written from the perspective of virtual machine (VM) instances. Log entries are only created if a firewall rule has logging enabled and if the rule applies to traffic sent to or from the VM.

Entries are created according to the connection logging limits on a best effort basis. The number of connections that can be logged in a given interval is based on the machine type. Changes to firewall rules can be viewed in VPC audit logs. https://cloud.google.com/vpc/docs/firewall-ruleslogging#specifications

asked 18/09/2024
Justin Whelan
35 questions

Question 67

Report
Export
Collapse

In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP.

Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost.

Which two steps should you take? (Choose two.)

Connect both projects using Cloud VPN.
Connect both projects using Cloud VPN.
Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
Enable Shared VPC in one project (e. g., code-dev), and make the second project (e. g., data-dev) a service project.
Enable Shared VPC in one project (e. g., code-dev), and make the second project (e. g., data-dev) a service project.
Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
Suggested answer: B, D
asked 18/09/2024
Jennifer Okai Addey
36 questions

Question 68

Report
Export
Collapse

You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:

IP ranges for pods and services must be as small as possible.

The nodes and the master must not be reachable from the internet.

You must be able to use kubectl commands from on-premises subnets to manage the cluster.

How should you create the GKE cluster?

• Create a private cluster that uses VPC advanced routes.• Set the pod and service ranges as /24.• Set up a network proxy to access the master.
• Create a private cluster that uses VPC advanced routes.• Set the pod and service ranges as /24.• Set up a network proxy to access the master.
• Create a VPC-native GKE cluster using GKE-managed IP ranges.• Set the pod IP range as /21 and service IP range as /24.• Set up a network proxy to access the master.
• Create a VPC-native GKE cluster using GKE-managed IP ranges.• Set the pod IP range as /21 and service IP range as /24.• Set up a network proxy to access the master.
• Create a VPC-native GKE cluster using user-managed IP ranges.• Enable a GKE cluster network policy, set the pod and service ranges as /24.• Set up a network proxy to access the master.• Enable master authorized networks.
• Create a VPC-native GKE cluster using user-managed IP ranges.• Enable a GKE cluster network policy, set the pod and service ranges as /24.• Set up a network proxy to access the master.• Enable master authorized networks.
• Create a VPC-native GKE cluster using user-managed IP ranges.• Enable privateEndpoint on the cluster master.• Set the pod and service ranges as /24.• Set up a network proxy to access the master.• Enable master authorized networks.
• Create a VPC-native GKE cluster using user-managed IP ranges.• Enable privateEndpoint on the cluster master.• Set the pod and service ranges as /24.• Set up a network proxy to access the master.• Enable master authorized networks.
Suggested answer: D

Explanation:

Creating GKE private clusters with network proxies for controller access When you create a GKE private cluster with a private cluster controller endpoint, the cluster's controller node is inaccessible from the public internet, but it needs to be accessible for administration. By default, clusters can access the controller through its private endpoint, and authorized networks can be defined within the VPC network. To access the controller from on-premises or another VPC network, however, requires additional steps. This is because the VPC network that hosts the controller is owned by Google and cannot be accessed from resources connected through another VPC network peering connection, Cloud VPN or Cloud Interconnect. https://cloud.google.com/solutions/creatingkubernetes- engine-private-clusters-with-net-proxies

asked 18/09/2024
Ilya Shadrin
37 questions

Question 69

Report
Export
Collapse

You are creating an instance group and need to create a new health check for HTTP(s) load balancing.

Which two methods can you use to accomplish this? (Choose two.)

Create a new health check using the gcloud command line tool.
Create a new health check using the gcloud command line tool.
Create a new health check using the VPC Network section in the GCP Console.
Create a new health check using the VPC Network section in the GCP Console.
Create a new health check, or select an existing one, when you complete the load balancer's backend configuration in the GCP Console.
Create a new health check, or select an existing one, when you complete the load balancer's backend configuration in the GCP Console.
Create a new legacy health check using the gcloud command line tool.
Create a new legacy health check using the gcloud command line tool.
Create a new legacy health check using the Health checks section in the GCP Console.
Create a new legacy health check using the Health checks section in the GCP Console.
Suggested answer: A, C

Explanation:

https://cloud.google.com/load-balancing/docs/healthchecks#creating_and_modifying_health_checks

asked 18/09/2024
chanon witchajutakul
28 questions

Question 70

Report
Export
Collapse

You are in the early stages of planning a migration to GCP. You want to test the functionality of your hybrid cloud design before you start to implement it in production. The design includes services running on a Compute Engine Virtual Machine instance that need to communicate to on-premises servers using private IP addresses. The on-premises servers have connectivity to the internet, but you have not yet established any Cloud Interconnect connections. You want to choose the lowest cost method of enabling connectivity between your instance and on-premises servers and complete the test in 24 hours.

Which connectivity method should you choose?

Cloud VPN
Cloud VPN
50-Mbps Partner VLAN attachment
50-Mbps Partner VLAN attachment
Dedicated Interconnect with a single VLAN attachment
Dedicated Interconnect with a single VLAN attachment
Dedicated Interconnect, but don't provision any VLAN attachments
Dedicated Interconnect, but don't provision any VLAN attachments
Suggested answer: A
asked 18/09/2024
Dawn Silva
27 questions
Total 215 questions
Go to page: of 22
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs. Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)
You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements: IP ranges for pods and services must be as small as possible. The nodes and the master must not be reachable from the internet. You must be able to use kubectl commands from on-premises subnets to manage the cluster. How should you create the GKE cluster?
You are troubleshooting an application in your organization's Google Cloud network that is not functioning as expected. You suspect that packets are getting lost somewhere. The application sends packets intermittently at a low volume from a Compute Engine VM to a destination on your on-premises network through a pair of Cloud Interconnect VLAN attachments. You validated that the Cloud Next Generation Firewall (Cloud NGFW) rules do not have any deny statements blocking egress traffic, and you do not have any explicit allow rules. Following Google-recommended practices, you need to analyze the flow to see if packets are being sent correctly out of the VM to isolate the issue. What should you do?
Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible. What should you do?
You are responsible for designing a new connectivity solution for your organization's enterprise network to access and use Google Workspace. You have an existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider's internet access. You want to set up a direct connection between your network and Google. What should you do?
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances. Which two products should you incorporate into the solution? (Choose two.)
You need to configure the Border Gateway Protocol (BGP) session for a VPN tunnel you just created between two Google Cloud VPCs, 10.1.0.0/16 and 172.16.0.0/16. You have a Cloud Router (router-1) in the 10.1.0.0/16 network and a second Cloud Router (router-2) in the 172.16.0.0/16 network. Which configuration should you use for the BGP session?
You have a storage bucket that contains the following objects: - folder-a/image-a-1.jpg - folder-a/image-a-2.jpg - folder-b/image-b-1.jpg - folder-b/image-b-2.jpg Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands. What should you do?
You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is configured on the web servers, but responses served by Cloud CDN are not compressed. What is the most likely cause of the problem?
You recently deployed two network virtual appliances in us-central1. Your network appliances provide connectivity to your on-premises network, 10.0.0.0/8. You need to configure the routing for your Virtual Private Cloud (VPC). Your design must meet the following requirements: All access to your on-premises network must go through the network virtual appliances. Allow on-premises access in the event of a single network virtual appliance failure. Both network virtual appliances must be used simultaneously. Which method should you use to accomplish this?