Professional Cloud Network Engineer v1.0 (Professional Cloud Network Engineer)

Page:    1 / 11   
Total 153 questions

You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.
Which connection type should you choose?

  • A. Carrier Peering
  • B. Direct Peering
  • C. Dedicated Interconnect
  • D. Partner Interconnect


Answer : B

Reference:
https://cloud.google.com/interconnect/docs/how-to/direct-peering

You are configuring a new instance of Cloud Router in your Organization's Google Cloud environment to allow connection across a new Dedicated Interconnect to your data center Sales, Marketing, and IT each have a service project attached to the Organization's host project.
Where should you create the Cloud Router instance?

  • A. VPC network in all projects
  • B. VPC network in the IT Project
  • C. VPC network in the Host Project
  • D. VPC network in the Sales, Marketing, and IT Projects


Answer : C

Reference:
https://cloud.google.com/interconnect/docs/how-to/dedicated/using-interconnects-other-projects

You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.
How should you configure your firewall rules?

  • A. Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
  • B. Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.
  • C. Create a single firewall rule to allow port 22 with priority 1000.
  • D. Create a single firewall rule to allow port 3389 with priority 1000.


Answer : C

Reference:
https://geekflare.com/gcp-firewall-configuration/

Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
"¢ Each on-premises router is configured with the same ASN.
"¢ Each on-premises router is configured with the same routes and priorities.
"¢ Both on-premises routers are configured with a VPN connected to a single Cloud Router.
"¢ The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
"¢ BGP session is not established between one on-premises router and the Cloud Router.
What is the most likely cause of this problem?

  • A. One of the VPN sessions is configured incorrectly.
  • B. A firewall is blocking the traffic across the second VPN connection.
  • C. You do not have a load balancer to load-balance the network traffic.
  • D. BGP sessions are not established between both on-premises routers and the Cloud Router.


Answer : C

You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?

  • A. /21
  • B. /22
  • C. /23
  • D. /25


Answer : D

Reference:
https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips

You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?

  • A. Enable logging on the default Deny Any Firewall Rule.
  • B. Enable logging on the VM Instances that receive traffic.
  • C. Create a logging sink forwarding all firewall logs with no filters.
  • D. Create an explicit Deny Any rule and enable logging on the new rule.


Answer : B

In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost.
Which two steps should you take? (Choose two.)

  • A. Connect both projects using Cloud VPN.
  • B. Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
  • C. Enable Shared VPC in one project (e. g., code-dev), and make the second project (e. g., data-dev) a service project.
  • D. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
  • E. Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.


Answer : CE

You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:
✑ IP ranges for pods and services must be as small as possible.
✑ The nodes and the master must not be reachable from the internet.
✑ You must be able to use kubectl commands from on-premises subnets to manage the cluster.
How should you create the GKE cluster?

  • A. "¢ Create a private cluster that uses VPC advanced routes. "¢ Set the pod and service ranges as /24. "¢ Set up a network proxy to access the master.
  • B. "¢ Create a VPC-native GKE cluster using GKE-managed IP ranges. "¢ Set the pod IP range as /21 and service IP range as /24. "¢ Set up a network proxy to access the master.
  • C. "¢ Create a VPC-native GKE cluster using user-managed IP ranges. "¢ Enable a GKE cluster network policy, set the pod and service ranges as /24. "¢ Set up a network proxy to access the master. "¢ Enable master authorized networks.
  • D. "¢ Create a VPC-native GKE cluster using user-managed IP ranges. "¢ Enable privateEndpoint on the cluster master. "¢ Set the pod and service ranges as /24. "¢ Set up a network proxy to access the master. "¢ Enable master authorized networks.


Answer : C

Reference:
https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips

You are creating an instance group and need to create a new health check for HTTP(s) load balancing.
Which two methods can you use to accomplish this? (Choose two.)

  • A. Create a new health check using the gcloud command line tool.
  • B. Create a new health check using the VPC Network section in the GCP Console.
  • C. Create a new health check, or select an existing one, when you complete the load balancer"™s backend configuration in the GCP Console.
  • D. Create a new legacy health check using the gcloud command line tool.
  • E. Create a new legacy health check using the Health checks section in the GCP Console.


Answer : AE

Reference:
https://cloud.google.com/load-balancing/docs/health-checks

You are in the early stages of planning a migration to GCP. You want to test the functionality of your hybrid cloud design before you start to implement it in production. The design includes services running on a Compute Engine Virtual Machine instance that need to communicate to on-premises servers using private
IP addresses. The on-premises servers have connectivity to the internet, but you have not yet established any Cloud Interconnect connections. You want to choose the lowest cost method of enabling connectivity between your instance and on-premises servers and complete the test in 24 hours.
Which connectivity method should you choose?

  • A. Cloud VPN
  • B. 50-Mbps Partner VLAN attachment
  • C. Dedicated Interconnect with a single VLAN attachment
  • D. Dedicated Interconnect, but don"™t provision any VLAN attachments


Answer : A

You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?

  • A. Dynamic routing using Cloud Router
  • B. Route-based routing using default traffic selectors
  • C. Policy-based routing using a custom local traffic selector
  • D. Policy-based routing using the default local traffic selector


Answer : A

Reference:
https://cloud.google.com/vpn/docs/concepts/overview

You have enabled HTTP(S) load balancing for your application, and your application developers have reported that HTTP(S) requests are not being distributed correctly to your Compute Engine Virtual Machine instances. You want to find data about how the request are being distributed.
Which two methods can accomplish this? (Choose two.)

  • A. On the Load Balancer details page of the GCP Console, click on the Monitoring tab, select your backend service, and look at the graphs.
  • B. In Stackdriver Error Reporting, look for any unacknowledged errors for the Cloud Load Balancers service.
  • C. In Stackdriver Monitoring, select Resources > Metrics Explorer and search for https/request_bytes_count metric.
  • D. In Stackdriver Monitoring, select Resources > Google Cloud Load Balancers and review the Key Metrics graphs in the dashboard.
  • E. In Stackdriver Monitoring, create a new dashboard and track the https/backend_request_count metric for the load balancer.


Answer : AD

You want to use Partner Interconnect to connect your on-premises network with your VPC. You already have an Interconnect partner.
What should you first?

  • A. Log in to your partner"™s portal and request the VLAN attachment there.
  • B. Ask your Interconnect partner to provision a physical connection to Google.
  • C. Create a Partner Interconnect type VLAN attachment in the GCP Console and retrieve the pairing key.
  • D. Run gcloud compute interconnect attachments partner update <attachment> / --region <region> --admin-enabled.


Answer : B

Reference:
https://cloudplatform.googleblog.com/2018/06/Partner-Interconnect-now-generally-available.html

You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team as efficiently as possible.
What should you do?

  • A. Create a Google Group for the WebServices Team.
  • B. Create a G Suite Domain for the WebServices Team.
  • C. Create a new Cloud Identity Domain for the WebServices Team.
  • D. Create a new Custom Role for all members of the WebServices Team.


Answer : A

You are using the gcloud command line tool to create a new custom role in a project by coping a predefined role. You receive this error message:
INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid
What should you do?

  • A. Add the resourcemanager.projects.get permission, and try again.
  • B. Try again with a different role with a new name but the same permissions.
  • C. Remove the resourcemanager.projects.list permission, and try again.
  • D. Add the resourcemanager.projects.setIamPolicy permission, and try again.


Answer : C

Reference:
https://cloud.google.com/iam/docs/understanding-custom-roles

Page:    1 / 11   
Total 153 questions