Free GCP-PCNE Sample Questions — Google Cloud Platform - Professional Cloud Network Engineer

Free GCP-PCNE sample questions for the Google Cloud Platform - Professional Cloud Network Engineer exam. No account required: study at your own pace.

Question 1

You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem. What should you do?

  • A. Configure VPC peering in a full mesh
  • B. Alter the routing table to resolve the asymmetric route
  • C. Create network tags to allow connectivity between all three VPCs
  • D. Delete the legacy network and recreate it to allow transitive peering
Correct Answer:
A. Configure VPC peering in a full mesh
Question 2

You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin. What should you do?

  • A. Ensure that the object you don't want to be cached anymore is not shared publicly
  • B. Create a new storage bucket, and move the object you don't want to be cached anymore inside it. Then edit the bucket setting and enable the private attribute
  • C. Add an appropriate lifecycle rule on the storage bucket containing the two objects
  • D. Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies
Correct Answer:
D. Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies
Question 3

You have applications running in the us-west1 and us-east1 regions. You want to build a highly available VPN that provides 99.99% availability to connect your applications from your project to the cloud services provided by your partner's project while minimizing the amount of infrastructure required. Your partner's services are also in the us-west1 and us-east1 regions. You want to implement the simplest solution. What should you do?

  • A. Create one Cloud Router and one HA VPN gateway in each region of your VPC and your partner's VPC. Connect your VPN gateways to the partner's gateways. Enable global dynamic routing in each VPC
  • B. Create one Cloud Router and one HA VPN gateway in the us-west1 region of your VPC. Create one OpenVPN Access Server in each region of your partner's VPC. Connect your VPN gateway to your partner's servers
  • C. Create one OpenVPN Access Server in each region of your VPC and your partner's VPC. Connect your servers to the partner's servers
  • D. Create one Cloud Router and one HA VPN gateway in the us-west1 region of your VPC and your partner's VPC. Connect your VPN gateways to the partner's gateways with a pair of tunnels. Enable global dynamic routing in each VPC
Correct Answer:
D. Create one Cloud Router and one HA VPN gateway in the us-west1 region of your VPC and your partner's VPC. Connect your VPN gateways to the partner's gateways with a pair of tunnels. Enable global dynamic routing in each VPC
Question 4

You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?

  • A. Use Network Load Balancing
  • B. Use TCP Proxy Load Balancing with PROXY protocol enabled
  • C. Use External HTTP(S) Load Balancing with URL Maps and custom headers
  • D. Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header
Correct Answer:
D. Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header
Question 5

You want Cloud CDN to serve the https://www.example.com/images/spacetime.png static image file that is hosted in a private Cloud Storage bucket. You are using the USE_ORIGIN_HEADERS cache mode. You receive an HTTP 403 error when opening the file in your browser, and you see that the HTTP response has a Cache-Control: private, max-age=0 header. How should you correct this issue?

  • A. Enable negative caching for the backend bucket
  • B. Change the cache mode to Force cache all content. C Configure a Cloud Storage bucket permission that gives allUsers the Storage Legacy Object Reader role
  • C. Increase the default time-to-live (TTL) for the backend service
Correct Answer:
B. Change the cache mode to Force cache all content. C Configure a Cloud Storage bucket permission that gives allUsers the Storage Legacy Object Reader role
Question 6

Your organization recently exposed a set of services through a global external Application Load Balancer. After conducting some testing, you observed that responses would intermittently yield HTTP 4xx or 5xx error response codes. You already enabled and reviewed the health check logs. You need to identify the error. What should you do?

  • A. Access a VM in the VPC through SSH to access the backend VM directly. If the request is successful from the VM, increase the quantity of backends
  • B. Delete the load balancer and backend services. Create a new Passthrough Network Load Balancer. Configure a failover group of VMs for the backend
  • C. Validate the health of the backend service. Enable logging for the backend service and identify the error response in Cloud Logging. Review the statusDetails log field
  • D. Validate the health of the backend service. Disable any Cloud Armor policies on the backend service, and identify any error response in Cloud Logging. Review the statusDetails log field
Correct Answer:
C. Validate the health of the backend service. Enable logging for the backend service and identify the error response in Cloud Logging. Review the statusDetails log field
Question 7

You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection. Which two actions can accomplish this? (Choose two.)

  • A. Open a Cloud Support ticket under the Cloud Interconnect category
  • B. Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console
  • C. Run gcloud compute interconnects describe <interconnect>
  • D. Check the email for the account of the NOC contact that you specified during the ordering process
  • E. Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection
Correct Answer:
  • B. Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console
  • D. Check the email for the account of the NOC contact that you specified during the ordering process
Question 8

You are setting up a Dedicated Interconnect connection from your organization’s on-premises data center in Frankfurt, Germany, towards the europe-west3 region, which is also in the Frankfurt metropolitan area. The AI team lead expressed their concern regarding connectivity to the europe-west4 region because their team wants to use Google Cloud TPUs for their workloads. You need to ensure that low latency network connectivity is established for this team’s workloads. You want to minimize costs and operational overhead. What should you do?

  • A. Set up the Dedicated Interconnect connection towards the europe-west4 region instead of the europe-west3 region
  • B. Set up an additional Partner Interconnect connection between your data center and the europe-west4 region
  • C. Set up a remote VLAN attachment to the europe-west4 region on the Dedicated Interconnect connection
  • D. Use Cloud VPN instead of Dedicated Interconnect to send traffic over the internet
Correct Answer:
C. Set up a remote VLAN attachment to the europe-west4 region on the Dedicated Interconnect connection
Question 9

Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead. How should you design the topology?

  • A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments
  • B. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs
  • C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs
  • D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments
Correct Answer:
C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs
Question 10

You recently deployed Compute Engine instances in regions us-west1 and us-east1 in a Virtual Private Cloud (VPC) with default routing configurations. Your company security policy mandates that virtual machines (VMs) must not have public IP addresses attached to them. You need to allow your instances to fetch updates from the internet while preventing external access. What should you do?

  • A. Create a Cloud NAT gateway and Cloud Router in both us-west1 and us-east1
  • B. Create a single global Cloud NAT gateway and global Cloud Router in the VPC
  • C. Change the instances’ network interface external IP address from None to Ephemeral
  • D. Create a firewall rule that allows egress to destination 0.0.0.0/0.
Correct Answer:
A. Create a Cloud NAT gateway and Cloud Router in both us-west1 and us-east1
Question 11

You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy. Which GKE resource should you use?

  • A. GKE Node
  • B. GKE Pod
  • C. GKE Cluster
  • D. GKE Ingress
Correct Answer:
D. GKE Ingress
Question 12

Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it is a DDoS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost. Which two steps should you take? (Choose two.)

  • A. Use Cloud Armor to blacklist the attacker's IP addresses
  • B. Increase the maximum autoscaling backend to accommodate the severe bursty traffic
  • C. Create a global HTTP(s) load balancer and move your application backend to this load balancer
  • D. Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline
  • E. SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack
Correct Answer:
  • A. Use Cloud Armor to blacklist the attacker's IP addresses
  • C. Create a global HTTP(s) load balancer and move your application backend to this load balancer
Question 13

You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?

  • A. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24. 3. Set a custom route advertisement on the Cloud Router for 10.204.0.0/24
  • B. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 35.199.192.0/19. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
  • C. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24. 3. Modify the /etc/resolv.conf file on your Compute Engine instances to point to 192.168.20.88
  • D. 1. Create a private zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com. 2. Configure DNS Server Policies and create a policy with Alternate DNS servers to 192.168.20.88. 3. Configure your on-premises firewall to accept traffic from 35.199.192.0/19. 4. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Correct Answer:
B. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 35.199.192.0/19. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Question 14

Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?

  • A. Firewall rule direction: ingress - Action: allow - Target: VM B service account - Source ranges: VM A service account - Priority: 1000
  • B. Firewall rule direction: ingress - Action: allow - Target: specific VM B tag - Source ranges: VM A tag and VM A source IP address - Priority: 1000
  • C. Firewall rule direction: ingress - Action: allow - Target: VM A service account - Source ranges: VM B service account and VM B source IP address - Priority: 100
  • D. Firewall rule direction: ingress - Action: allow - Target: specific VM A tag - Source ranges: VM B tag and VM B source IP address - Priority: 100
Correct Answer:
A. Firewall rule direction: ingress - Action: allow - Target: VM B service account - Source ranges: VM A service account - Priority: 1000
Question 15

You are in the process of deploying an internal HTTP(S) load balancer for your web server virtual machine (VM) instances. What two prerequisite tasks must be completed before creating the load balancer? (Choose two.)

  • A. Choose a region
  • B. Create firewall rules for health checks
  • C. Reserve a static IP address for the load balancer
  • D. Determine the subnet mask for a proxy-only subnet
  • E. Determine the subnet mask for Serverless VPC Access
Correct Answer:
  • B. Create firewall rules for health checks
  • D. Determine the subnet mask for a proxy-only subnet
Question 16

You are configuring a Cross-Cloud Interconnect connection for your Google Cloud organization with two public cloud service providers (CSPs)–CSP 1 and CSP 2. The CSP 1 and CSP 2 environments are closest to Frankfurt, Germany. You can choose between two common colocation locations, Frankfurt and Munich. Your organization's Google Cloud infrastructure is deployed in the North American region, us-east4, which is located in Virginia, USA. The VPC dynamic routing mode has been set to GLOBAL. Your organization requires 20 Gbps of protected bandwidth with a 99.9% Google Cloud SLA. You want to minimize costs where possible. What should you do?

  • A. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany. 2. Create two Cross-Cloud Interconnect connections to CSP 2, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany. 3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2
  • B. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany. 2. Create two Cross-Cloud Interconnect connections to CSP 2, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany. 3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2
  • C. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 40 Gbps of total bandwidth (20 Gbps in zone 1) in a common co-location facility located in Frankfurt, Germany and (20 Gbps in zone 2) in a common co-location facility located in Munich, Germany. 2. Create two Cross-Cloud Interconnect connections to CSP 2, with 40 Gbps of total bandwidth (20 Gbps in zone 1) in a common co-location facility located in Frankfurt, Germany and (20 Gbps in zone 2) in a common co-location facility located in Munich, Germany. 3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2
  • D. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany. 2. Create two Cross-Cloud Interconnect connections to CSP 2, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany. 3. Create a Cloud Router in us-east4 (Ashburn, Virginia, USA), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2
Correct Answer:
B. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany. 2. Create two Cross-Cloud Interconnect connections to CSP 2, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany. 3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2
Question 17

Your organization's application is running on a VPC-native GKE Standard cluster with public IP addresses. You need to configure access to the remote address range 35.100.0.0/16 through Cloud NAT, instead of using the GKE nodes' external IP addresses. SNAT is enabled on the cluster and needs to be configured. What should you do?

  • A. Configure nonMasqueradeCIDRs in the ip-masq-agent ConfigMap. Include the 35.100.0.0/16 range in the list
  • B. Configure nonMasqueradeCIDRs in the ip-masq-agent ConfigMap. Remove the 35.100.0.0/16 range from the list
  • C. Configure Cloud NAT and create an exclusion rule for any SNAT address translation
  • D. Configure Cloud NAT with nonMasqueradeCIDRs, and enable SNAT with the same configuration to allow traffic to 35.100.0.0/16.
Correct Answer:
B. Configure nonMasqueradeCIDRs in the ip-masq-agent ConfigMap. Remove the 35.100.0.0/16 range from the list
Question 18

Your organization's on-premises networking team is reporting frequent BGP session flaps toward your Google Cloud environment. You need to review the BGP configuration. What should you do?

  • A. Switch to static routing
  • B. Increase the BGP hold timer to 36000 seconds max
  • C. Ensure that graceful restart is enabled on the on-premises router
  • D. Ask the on-premises team to enable Bidirectional Forwarding Detection (BFD)
Correct Answer:
D. Ask the on-premises team to enable Bidirectional Forwarding Detection (BFD)
Question 19

You are designing the architecture for your organization so that clients can connect to certain Google APIs. Your plan must include a way to connect to Cloud Storage and BigQuery. You also need to ensure the traffic does not traverse the internet. You want your solution to be cloud-first and require the least amount of configuration steps. What should you do?

  • A. Configure Private Google Access on the VPC resource. Create a default route to the internet
  • B. Configure Private Google Access on the subnet resource. Create a default route to the internet
  • C. Configure Cloud NAT, and remove the default route to the internet
  • D. Configure a global Secure Web Proxy, and remove the default route to the internet
Correct Answer:
B. Configure Private Google Access on the subnet resource. Create a default route to the internet
Question 20

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?

  • A. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters
  • B. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the services across multiple private GKE clusters
  • C. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --enable-ip-alias and --enable-private-nodes
  • D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes
Correct Answer:
D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes
