Google Certified Professional Cloud Network Engineer Practice Questions Second Edition Part 4

Your company has a regional Compute Engine software as a service (SaaS) application that recently lets traffic from the entire internet. The application must not be accessible from the public internet. You also want to let only certain virtual machines (VMs) access your application by using Secure Shell (SSH). What must you do to meet the requirements?

You work at an enterprise company that wants to enforce central management of all Google Cloud firewall rules. Recently, each internal business unit has used folders to manage its Google Cloud projects and network. You want the ability to deny incoming requests to the business unit’s Compute Engine VMs. What must you do?

Your customer has SaaS applications on Google Cloud. You want your services to be available to the customers’ application most securely and cost-effectively. What must you do?

You need to form a GKE cluster that prevents inbound external access. You want the cluster to let certain nodes have outbound internet access. What must you do?

Your company recently has a routes-based VPC-native cluster formed in Google Kubernetes Engine (GKE). Next year, you plan to install significantly more applications on GKE, which will use all the available IP addresses. You want to follow Google-recommended practices for better scaling. What must you do?

Your company works with an external vendor who uses Google Cloud. You need to offer the vendor access to your private Cloud SQL instance. You want to offer high-performance access while minimizing costs. What measures should be taken?

Your company is planning an upcoming migration from a large enterprise on-premises data center to Google Cloud. Because the recent on-premises network is managed by the local network team, you want to design the cloud network for future growth while ensuring that several internal teams can start working quickly on Google Cloud. What must you do?

Your organization recently installed several private Google Kubernetes Engine (GKE) clusters. You notice that the control planes of some of your GKE clusters can be accessed from any IP address. You want to restrict network access to the control plane while minimizing infrastructure changes. What must you do?

You have installed an application that has static data on Cloud CDN. You need to enable DDoS protection for your origin server. What must you do?

Your organization offers a digital streaming service in several regions worldwide. Customer feedback indicates that performance is inconsistent. You set up Cloud CDN with Cloud Storage backend buckets and want to form the most efficient configuration to improve performance. What must you do to optimize performance?

Your organization has moved several workloads to Google Cloud. Your recent DNS server is on-premises, and you determine how DNS resolution is performed. You want to follow Google-recommended practices and make DNS changes to support the hybrid environment without affecting the latency. What must you do?

You recently have several hundred Compute Engine instances running in Google Cloud. Your security officer has formed a new security policy: No VMs in your cloud environment are allowed to have external (public) IP addresses. After running a report, you discover several production applications on Compute Engine instances with assigned external IP addresses. VMs must be allowed to form external outbound connections after their external IP addresses are removed without a reduction in networking performance. What must you do?

You need to form a new Cloud Router for a VPN installment. After creating the Cloud Router, you receive an error that the Border Gateway Protocol (BGP) session failed to be established. You need to troubleshoot the problem. What must you do?

Your network administrator has formed several HA VPNs in Google Cloud. However, several applications that use the HA VPN are demonstrating a delayed response at unexpected times. You need to troubleshoot the problem. What must you do?

You need to form a new Cloud Router to connect your on-premises network to Google Cloud. You want to ensure that no services will be disrupted if you have a link failure. What must you do?

After a recent GKE upgrade, you notice that some of your applications are not receiving expected traffic from the ingress. What must you do to troubleshoot the applications?

You formed a new VPC and configured a firewall to be used for an upcoming Compute Engine application. After you installed the application, you noticed that your pre-existing Compute Engine instances could not connect to resources in the new VPC. What could be causing this problem?

Your company has several internal teams that form and manage their projects and resources in Google Cloud. After a new vulnerability report exposes suspicious network activity, your manager needs to secure and monitor the network usage of Google Cloud services. You need to follow Google-recommended practices to only let external ingress VPC traffic based on specific API requests. What must you do?

Your financial organization wants to migrate 5 PB of data to Google Cloud while also continuing the same level of network performance as your on-premises network. You need to set up a cost-effective Cloud Interconnect connection that will offer sufficient capacity and failover protection. What must you do?

You are configuring the service for a new Google Cloud HTTPS load balancer. The application wants high availability and multiple subnets and needs to scale automatically. Which backend configuration must you select?

You are using a Cloud Router to exchange routes between your VPC and on-premises network with Dedicated Interconnect. You need to make sure you can still forward traffic, even if all the Cloud Routers in an area go down. What must you do?

You have a Dedicated Interconnect with two 10-Gbps links. You want to form a Stackdriver alerting policy that will inform you if either of the two links goes down. Which alerts must you add to the policy?

Your company uses a physical security appliance for intrusion discovery in its on-premises data center. Your company wants to fold telemetry data using a VPN that links the GCP environment with the on-premises data center. You want to implement a solution that mixes the GCP environment and transfers telemetry data to the on-premises physical security appliance as quickly and effectively as possible. What must you do?

Your new project recently needs 5 Gbps of egress traffic from your Google Cloud environment to your company’s private data center but may scale up to 80 Gbps of traffic in the future. You do not have any public addresses to use. Your company is looking for a cost-effective long-term solution. Which type of linking must you use?

One of the web applications in your GCP project is only serving users in North America. All of the application’s resources are hosted in a single GCP region. The application uses a large catalog of graphical assets from a Cloud Storage bucket. You are informed that the application now needs to serve global clients without adding any additional GCP regions or Compute Engine instances. What must you do?

You are designing a new VPC network that will route traffic to networks in your company’s private data center. You want to confirm that your VPC can support high availability in the future. The data center team requires you to use a routing protocol that can dynamically fail over if there is a link failure in the data center. Your management needs your design to use only native cloud services. Which routing protocol must you use?

You formed two subnets named Test and Web in the same VPC network. You allowed VPC Flow Logs for the Web subnet are trying to link instances in the Test subnet to the web servers running in the Web subnet, but all of the connections are failing. You do not see any entries in the Stackdriver logs. What must you do?

Your application development team is beta-testing a new application over Dedicated Interconnect. This application uses a single TCP socket and needs 7 Gbps bandwidth for best performance. The development team noticed that the connectivity speed of the application is capped at 3 Gbps over Dedicated Interconnect. You want to resolve this issue. What must you do to resolve this issue?

Your manager has asked for a list of all Custom Roles with stage General Availability within Identity Access Management. What must you do?

You are shifting to Cloud DNS and need to import your BIND zone file. Which command must you use?

You have organized a new internal application that offers HTTP and TFTP services to on-premises hosts. You need to be able to distribute traffic across multiple Compute Engine instances, but need to confirm that clients are sticky to a particular instance across both services. Which session affinity must you select?

You are trying to update firewall rules in a shared VPC for which you have been allocated only Network Admin permissions. You cannot change the firewall rules. Your organization needs using the least privilege necessary. Which level of permissions would you request?

You need to form a service in GCP using IPv6. What would you do?

You need to set up two Cloud Routers so that one has an active BGP session, and the other one acts as a standby. Which BGP quality would you use on your on-premises router?