Professional-Cloud-Network-Engineer Training & Certification Get Latest Google Cloud Platform Updated on Oct 19, 2021 [Q43-Q66]


NEW QUESTION 43
You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale.
How should you provision your instances?

  • A. Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.
  • B. Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.
  • C. Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.
  • D. Create a single managed instance group, specify the desired region, and select Multiple zones for the location.

Answer: C

Explanation:
Explanation/Reference: https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups

 

NEW QUESTION 44
Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with the same ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
* BGP session is not established between one on-premises router and the Cloud Router.
What is the most likely cause of this problem?

  • A. You do not have a load balancer to load-balance the network traffic.
  • B. BGP sessions are not established between both on-premises routers and the Cloud Router.
  • C. One of the VPN sessions is configured incorrectly.
  • D. A firewall is blocking the traffic across the second VPN connection.

Answer: A

 

NEW QUESTION 45
You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.
How should you design this topology?

  • A. Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
  • B. Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.
  • C. Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.
  • D. Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

Answer: C

Explanation:
Explanation/Reference: https://cloud.google.com/vpc/docs/shared-vpc

 

NEW QUESTION 46
You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.
What should you do on your on-premises servers?

  • A. Remove the -m flag from the gsutil command to enable single-threaded transfers.
  • B. Tune TCP parameters on the on-premises servers.
  • C. Compress files using utilities like tar to reduce the size of data being sent.
  • D. Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

Answer: D

 

NEW QUESTION 47
Your developer group works on a set of VMs frequently throughout the day. To save costs, you terminate the VMs when they are not in use. However, you need to preserve the contents of the disk when a VM is terminated so users can resume where they left off when a new one is created.
What is the most cost-effective way to do this? (Choose two.)

  • A. When not in use, only stop the instance instead of deleting it.
  • B. Take a snapshot of the disk before terminating the VM.
  • C. Back up the disk contents to Cloud Storage before deleting.
  • D. Set the disk to no-auto-delete to preserve contents.

Answer: A,D

Explanation:
A (Correct Answer) - Set the disk to no-auto-delete to preserve contents. Setting your instance to not delete the root disk when deleting the instance will preserve the disk contents to attach to a new instance.
C (Correct Answer) - When not in use, only stop the instance instead of deleting it. Alternatively, you can merely stop the instance instead of deleting it, during which time you will not be billed for Machine Type usage (just disk storage).
B and D may work but are not suitable solutions, since the VMs may need to be stopped and resumed frequently throughout the day.
More Information:
https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-disk-auto-delete

 

NEW QUESTION 48
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

  • A. Dedicated Interconnect
  • B. Cloud NAT
  • C. VPC peering
  • D. Cloud VPN
  • E. Shared VPC

Answer: C,D

Explanation:
Google Cloud VPC Network Peering allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization.

 

NEW QUESTION 49
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

  • A. Cloud NAT
  • B. Dedicated Interconnect
  • C. VPC peering
  • D. Cloud VPN
  • E. Shared VPC

Answer: B,D

Explanation:
https://cloud.google.com/vpc/docs/vpc

 

NEW QUESTION 50
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
- Each on-premises router is configured with a unique ASN.
- Each on-premises router is configured with the same routes and priorities.
- Both on-premises routers are configured with a VPN connected to a single Cloud Router.
- BGP sessions are established between both on-premises routers and the Cloud Router.
- Only 1 of the on-premises router's routes are being added to the routing table.
What is the most likely cause of this problem?

  • A. The ASNs being used on the on-premises routers are different.
  • B. You do not have a load balancer to load-balance the network traffic.
  • C. The on-premises routers are configured with the same routes.
  • D. A firewall is blocking the traffic across the second VPN connection.

Answer: B

 

NEW QUESTION 51
You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT.
What is the most likely cause of this problem?

  • A. The instance is accessible by a load balancer external IP address.
  • B. The instance has been configured with multiple interfaces.
  • C. You have created static routes that use RFC1918 ranges.
  • D. An external IP address has been configured on the instance.

Answer: D

 

NEW QUESTION 52
You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.
Which connectivity model should you use?

  • A. Dedicated Interconnect
  • B. Partner Interconnect with a layer 2 partner
  • C. Direct Peering
  • D. Partner Interconnect with a layer 3 partner

Answer: A

Explanation:
Reference:
https://cloud.google.com/interconnect/docs/support/faq

 

NEW QUESTION 53
You are using the gcloud command line tool to create a new custom role in a project by copying a predefined role. You receive this error message:
INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid
What should you do?

  • A. Add the resourcemanager.projects.setIamPolicy permission, and try again.
  • B. Add the resourcemanager.projects.get permission, and try again.
  • C. Try again with a different role with a new name but the same permissions.
  • D. Remove the resourcemanager.projects.list permission, and try again.

Answer: D

 

NEW QUESTION 54
You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.
What should you do?

  • A. Add an appropriate lifecycle rule on the storage bucket containing the two objects.
  • B. Create a new storage bucket, and move the object you don't want to be cached anymore inside it. Then edit the bucket setting and enable the private attribute.
  • C. Ensure that the object you don't want to be cached anymore is not shared publicly.
  • D. Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies.

Answer: D

Explanation:
https://cloud.google.com/cdn/docs/invalidating-cached-content

 

NEW QUESTION 55
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?

  • A. * Create a Cloud VPN instance.
    * Create a route-based VPN tunnel.
    * Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.
    * Configure the appropriate static routes.
  • B. * Create a Cloud VPN instance.
    * Create a policy-based VPN tunnel.
    * Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    * Configure the appropriate static routes.
  • C. * Create a Cloud VPN instance.
    * Create a route-based VPN tunnel.
    * Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    * Configure the appropriate static routes.
  • D. * Create a Cloud VPN instance.
    * Create a policy-based VPN tunnel per subnet.
    * Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    * Create the appropriate static routes.

Answer: B

Explanation:
https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns#creating_a_gateway_and_tunnel

 

NEW QUESTION 56
You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.
Which two actions should you take? (Choose two.)

  • A. Enable Private Google Access.
  • B. Activate the Cloud Datastore API in your project.
  • C. Create a private connection to a service producer.
  • D. Create a custom static route to allow the traffic to reach the Cloud SQL API.
  • E. Activate the Service Networking API in your project.

Answer: C,E

Explanation:
Reference:
https://cloud.google.com/sql/docs/mysql/private-ip

 

NEW QUESTION 57
You need to ensure your personal SSH key works on every instance in your project. You want to accomplish this as efficiently as possible.
What should you do?

  • A. Use gcloud compute ssh to automatically copy your public ssh key to the instance.
  • B. Create a custom Google Compute Engine image with your public ssh key embedded.
  • C. Upload your public ssh key to each instance Metadata.
  • D. Upload your public ssh key to the project Metadata.

Answer: D

 

NEW QUESTION 58
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)

  • A. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • B. GetIamPolicy() via REST API
  • C. gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • D. setIamPolicy() via REST API
  • E. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

Answer: C,E

 

NEW QUESTION 59
You converted an auto mode VPC network to custom mode. Since the conversion, some of your Cloud Deployment Manager templates are no longer working. You want to resolve the problem.
What should you do?

  • A. Explicitly reference the custom mode networks in the Deployment Manager templates.
  • B. Explicitly reference the custom mode networks in the Cloud Armor whitelist.
  • C. Apply an additional IAM role to the Google APIs service account to allow custom mode networks.
  • D. Update the VPC firewall to allow the Cloud Deployment Manager to access the custom mode networks.

Answer: A

 

NEW QUESTION 60
Your company's Google Cloud-deployed streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Cloud Storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure:
/fr/video
/en/video
/es/video
/../video
/fr/audio
/en/audio
/es/audio
/../audio
Which solution should you recommend?

  • A. Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.
  • B. Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.
  • C. Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.
  • D. Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/audio.

Answer: D

 

NEW QUESTION 61
You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
gcloud compute routes create no-ip-internet-route \
  --network custom-network1 \
  --destination-range 0.0.0.0/0 \
  --next-hop-instance nat-gateway \
  --next-hop-instance-zone us-central1-a \
  --tags no-ip --priority 800
You want existing instances to use the new NAT gateway. Which command should you execute?

  • A. gcloud compute instances add-tags [existing-instance] --tags no-ip
  • B. gcloud compute instances create example-instance --network custom-network1 \
    --subnet subnet-us-central \
    --no-address \
    --zone us-central1-a \
    --image-family debian-9 \
    --image-project debian-cloud \
    --tags no-ip
  • C. gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=no-ip
  • D. sudo sysctl -w net.ipv4.ip_forward=1

Answer: A

Explanation:
https://cloud.google.com/sdk/gcloud/reference/compute/routes/create
To apply a tagged route to an existing instance, add the route's network tag to that instance so the route binds to it.

 

NEW QUESTION 62
You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?

  • A. Enable logging on the VM Instances that receive traffic.
  • B. Create an explicit Deny Any rule and enable logging on the new rule.
  • C. Create a logging sink forwarding all firewall logs with no filters.
  • D. Enable logging on the default Deny Any Firewall Rule.

Answer: A

 

NEW QUESTION 63
You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:
IP ranges for pods and services must be as small as possible.
The nodes and the master must not be reachable from the internet.
You must be able to use kubectl commands from on-premises subnets to manage the cluster.
How should you create the GKE cluster?

  • A. * Create a private cluster that uses VPC advanced routes.
    * Set the pod and service ranges as /24.
    * Set up a network proxy to access the master.
  • B. * Create a VPC-native GKE cluster using GKE-managed IP ranges.
    * Set the pod IP range as /21 and service IP range as /24.
    * Set up a network proxy to access the master.
  • C. * Create a VPC-native GKE cluster using user-managed IP ranges.
    * Enable privateEndpoint on the cluster master.
    * Set the pod and service ranges as /24.
    * Set up a network proxy to access the master.
    * Enable master authorized networks.
  • D. * Create a VPC-native GKE cluster using user-managed IP ranges.
    * Enable a GKE cluster network policy, set the pod and service ranges as /24.
    * Set up a network proxy to access the master.
    * Enable master authorized networks.

Answer: C

Explanation:
Creating GKE private clusters with network proxies for controller access
When you create a GKE private cluster with a private cluster controller endpoint, the cluster's controller node is inaccessible from the public internet, but it needs to be accessible for administration. By default, clusters can access the controller through its private endpoint, and authorized networks can be defined within the VPC network. Accessing the controller from on-premises or from another VPC network, however, requires additional steps. This is because the VPC network that hosts the controller is owned by Google and cannot be reached from resources connected through another VPC Network Peering connection, Cloud VPN, or Cloud Interconnect.
https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies

 

NEW QUESTION 64
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.
How should you configure the health check?

  • A. Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
  • B. Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
  • C. Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.
  • D. Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.

Answer: C

Explanation:
https://cloud.google.com/load-balancing/docs/health-check-concepts#content-based_health_checks

 

NEW QUESTION 65
Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?

  • A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
  • B. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
  • C. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
  • D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

Answer: A

Explanation:
Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.
With Shared VPC and IAM controls, you can separate network administration from project administration. This separation helps you implement the principle of least privilege. For example, a centralized network team can administer the network without having any permissions into the participating projects. Similarly, the project admins can manage their project resources without any permissions to manipulate the shared network.
Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations

 

NEW QUESTION 66
......
