Google Certified Professional Cloud Network Engineer Practice Questions Second Edition Part 2

You have been tasked as an Architect for a growing organization that handles a lot of sensitive user data on GCP to recommend a solution that:
• Provides automated visibility into all account actions
• Assists with incident management
• Provides simple integration into popular SIEM partners
Which GCP service is most appropriate for these activities?

As a Network Engineer, you must design a secure method for applications running in compute engines to access a cloud SQL database while adhering to the least privilege’s best practice principle. Which of the following solutions do you think would be best for this?

An organization wishes to use GCP to manage its resources in key departments such as finance, research, technology, and sales. You have been granted access to design a solution that can aid in the separation of duties when assigning permissions to carry out specific tasks while adhering to the principle of least privilege. Which of the following solutions is the most efficient and scalable in this situation?

Your company is migrating its external-facing applications that are currently running on VMs in their data center to GCP, and the following requirements have been provided:
• For high availability and scalability, applications will be deployed to private GCE instances in multiple regions with load balancing
• IPv6 Support is required
• Support for custom origin is required
Which of the following solutions is most suitable for this?

An organization wishes to migrate its external-facing applications to GCP, currently running on VMs in its data center. Its users are all in Northern Virginia (us-east4), and you have been given the following requirements as the Network Engineer:

In GCP, an organization has deployed external-facing applications on a managed instance group behind an HTTP(S) load balancer. User traffic from the Internet has been allowed through the firewall. The instances in the organized instance group continue to recycle.
Which of the following could be the source of the problem?

An external-facing application is deployed on GKE to maximize the benefits of containerization. With Cloud CDN, there is a need to improve the application’s performance. Which of the following can be used in conjunction with Cloud CDN to bring this content closer to users?

The design of an application that was previously running on a single GCE instance has evolved to include a new requirement for high availability and low latency performance to end-users. Which of the following solutions best solves this?

A business wants to build a cloud-native solution on GCP. In order to plan and implement IP addressing in its VPC, the company would need flexibility. They would also like to provide subnets with unique descriptive names. Which of the following do you think is the best option?

A company is developing a new cloud-native solution on GCP that multiple teams will deliver. The company desires a centralized and simple method of managing networking structure, while different teams work non-networking resources. Within the organization, the various groups would have their GCP Projects. Which of the following do you think is the best option?

There is a request to design a custom network in GCP with four subnets, each with 50 hosts but with a maximum capacity of 200 hosts. You must select the smallest CIDR block that can accomplish this.

A company wishes to keep its current internal IP address on its GCE instance to meet certain security obligations requiring a static IP address for a specific application. Which of the following is the least disruptive action to achieve this?

Which of the following enables GCE instances to access Cloud Storage and BigQuery without using external IP addresses? Choose two options.

As the Network Engineer for your company, you must connect your local data center to their GCP network. During peak periods, the bandwidth requirement is set at 2.5 Gbps, and dynamic routing is required. Which of the following is the cheapest and has the fastest deployment time?

You wish to set up a dedicated connection to Google that is free of third-party service providers, can access Cloud SQL via a public IP address, and is able to use Cloud SQL.
Which type of connection should you select?

A growing company wishes to outsource the management of its on-premises DNS server to a managed service such as GCP. The company is currently dealing with high-volume DNS requests and high latency for domain lookups from anywhere in the world. Which of the following options, as the firm’s Network Engineer, can assist you in accomplishing this?

Your company must configure two routes in Active-Passive mode for two VPN connections between GCP and your on-premises networks. Which of the following options, as the firm’s Network Engineer, can assist you in accomplishing this?

You have set up a VPC network with subnets, and the company has its network. You have been tasked with establishing a hybrid connection between the two networks. Both networks will receive additional subnets in the future. The connectivity must be capable of discovering new subnets and properly routing traffic. Which of the following options, as the firm’s Network Engineer, can assist you in accomplishing this?

There are several subnets with instances in your company’s VPC. You have been asked to configure the routes so that all internet-bound traffic from the developers’ instances in that VPC is routed to an appliance for checks. All firewall rules have been created and are fully functional. Which of the following options, as the firm’s Network Engineer, can assist you in accomplishing this? (Choose two options)

You are responsible for designing the networking for your company’s new GKE VPC-native public cluster. You must assign secondary CIDR ranges to the pods and services. Where can you do this in the GCP console? Choose two options.

As the network engineer for a growing company, you have been tasked with putting in place a network appliance that will handle Intrusion Detection and Prevention (IDS/IPS) between networks. Which of the following options, as the firm’s Network Engineer, can assist you in accomplishing this? (Choose two options)

As the network engineer for a growing company, you have been tasked with implementing a network appliance that will handle Intrusion Detection and Prevention (IDS/IPS) between networks. The instance necessitates the use of multiple network interfaces. Which of the following options, as the firm’s Network Engineer, can assist you in accomplishing this?

As the network engineer for your company, the company has a GCP organization with four projects for the various departments. To protect the GCE instances in multiple projects, you must design a network that allows for sharing a network appliance as a DMZ. Which of the following options, as the firm’s Network Engineer, can assist you in accomplishing this?

You are configuring Cloud NAT for internet-bound traffic for GCE instances in your subnet that do not have an external IP address. Which of the following must be created?

A network design is required for a company’s VPC-native cluster. The specifications listed below have been provided to you.
• The initial Cluster size is three, but it can grow to a maximum of eight nodes
• User-managed secondary IP ranges with the fewest CIDR blocks are used to accomplish this
• A maximum number of pods will be used per node
• Services may expand to 2000

Your team has set up several GCE instances in a GCP VPC. The security team must be able to review logs of all network traffic to and from instances. Which of the following will supply the required logs? Choose two options.

You work for a GCP company as a project editor. You have been tasked with creating a Shared VPC in your project that will house several Service Projects that will use the resources deployed there, such as the direct interconnect. You are unable to finish creating the Shared VPC. What other permissions do you require?

You work in a GCP organization as a project manager. You have been tasked with assigning IAM permissions to groups based on their responsibilities. You must grant consent to the group in charge of the Interconnect connections. Which of the following roles would you assign based on the principle of least privilege?

As a network engineer in your company, you must configure DNS security (DNSSEC) on your Cloud DNS zone for your domain hosted outside of GCP. What are the two steps that must be taken?

You attempted to set up a VPC peering between two VPC networks in different GCP organizations, but it failed as a network engineer.
Which of the following is a possible cause? Choose two options.

As your company’s network engineer, you have set up an ingress firewall rule for http traffic into all GCE instances hosting a public-facing application with the tag web-server. The logs for all allowed http traffic are visible, but the logs for denied SSH traffic from 0.0.0.0/0 to the instances are not.
Which of the following would you set up in the Google Cloud Platform?

You have been asked to limit communication between pods and services so that you can determine which pods in your GKE cluster are allowed to communicate with one another.

You are in charge of establishing your company’s interconnect provisioning between its on-premises network and GCP networks. The company requires 5Gbps of bandwidth to meet peak demand, and the company currently does not want to manage the BGP session. Which of the following can be utilized to fulfill this requirement?

You are in charge of configuring your company’s partner interconnect between the on-premises and GCP networks. The company has chosen a service provider to provide 5Gbps bandwidth to meet peak demand, and the company currently does not want to manage the BGP session.
Which of the following would you configure in GCP?

As a network engineer in a small company, you are tasked with implementing a low-cost hybrid connectivity solution capable of serving up to 4.5Gbps between GCP and on-premises networks. The GCP VPC will have subnets with resources spread across multiple regions. You must meet the requirements listed below.
• Speed of delivery and low cost
• Encrypted communications between GCP and the on-premises network
• Dynamically advertise all subnets in the VPC to the on-premises network
Which of the following would you configure in GCP?

Which network standard enables dynamic route discovery between a GCP and a non-GCP network for private RFC 1918 communications?

In GCP, you must configure the external load balancer for your firm’s application. Some of the key requirements are pass-through traffic, a single region backend, and maintaining user sessions while ensuring good traffic distribution across instances.
Which configuration satisfies the given criteria?

As the network engineer, you must configure the external layer 7 load balancer for your firm’s application in GCP.
Which of the following port configurations could be used as a destination port?

You are debating the best Network Service Tiers for the company’s global application. There have been instances where developers have used a tier that is not in line with project objectives, which must be avoided.
Which of the following configurations is the most efficient way to set the desired Network Service Tier for all resources in an Organization’s Project?

You are tasked as a network engineer with automating the repeatability of certain GCP actions, such as the creation of VPCs, Cloud Buckets, and Cloud VPN connections.
Which of the following services are available to you?

In your GCP project, you have created a custom VPC with three subnets. Which of the following statements is correct? Choose two options.

A Google group for network administrators has been assigned the Compute Network Admin role in a GCP Project as part of an organization’s IAM management. Which of the following statements is correct? Pick three.

In a GCP Organization, you are responsible for defining the permissions of a Google Group for network security admins at the folder level. The team must only be able to create and delete firewall rules and manage SSL Certificates and SSL Policies. Which role should you assign to the group based on GCP best practices?

In your GCP Project, you are creating a new Service Account role with custom permissions. Which of the following statements about Service Accounts is correct? Select two.

In your GCP Project, you have created a VPC with one subnet. The primary IP CIDR for the subnet is 192.168.0.0/24. How many addresses are available in the Primary IP range?

A company has a VPC with subnets in three regions: Europe-west1, Europe-north1, and US-central1. GCE instances have been deployed into all three subnets without an external IP address. The necessary firewall rules and routes have been implemented. In us-central-1, a Cloud-NAT resource was created and attached to the VPC. Two subnets’ instances are unable to download updates from the Internet.
What could be the problem?

You have been asked to configure Cloud NAT logging to show the successful connections from the VMs to the Internet. Which of the following are the two types of logs sent to Cloud Logging by Cloud NAT? (Choose two options)

You have been tasked with setting up a GKE Cluster with a shared VPC. Several requirements are listed below:
• Pod per node configuration flexibility
• Making use of alias IP ranges for Kubernetes resources
• Separate IP ranges for Pods and Services
Which Cluster network mode would you choose?

You have been tasked with setting up a GKE Cluster in a VPC. Several requirements are listed below:
• Each node in the cluster is assigned an IP address in the /24 range
• For both pods and services, the cluster should have a single IP range

You are in charge of configuring GCP’s connectivity with the remote network. You are debating which encryption to use on the VPN tunnels. Which of these encryption methods does Cloud VPN support?