Google Professional Cloud Network Engineer Practice Test

Question 1

You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your
instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?

A. Assign a public IP address to the instance.
B. Create a route to reach the Master, pointing to the default internet gateway.
C. Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
D. Create the appropriate master authorized network entries to allow the instance to communicate to the master.

Answer:

C

User Votes:

A

50%

B

50%

C

50%

D

50%

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 2

You create multiple Compute Engine virtual machine instances to be used at TFTP servers.
Which type of load balancer should you use?

A. HTTP(S) load balancer
B. SSL proxy load balancer
C. TCP proxy load balancer
D. Network load balancer

Answer:

D

User Votes:

A

50%

B

50%

C

50%

D

50%

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 3

You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress
traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud
Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

A. Turn on Private Google Access at the subnet level.
B. Turn on Private Google Access at the VPC level.
C. Turn on Private Services Access at the VPC level.
D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
E. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.

Answer:

C E

User Votes:

A

50%

B

50%

C

50%

D

50%

E

50%

Explanation:
Reference: https://cloud.google.com/vpc/docs/private-access-options

Discussions

vote your answer:

A

B

C

D

E

0 / 1000

Question 4

You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been
successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be
served to the internet directly from the origin.
What should you do?

A. Ensure that the object you don’t want to be cached anymore is not shared publicly.
B. Create a new storage bucket, and move the object you dont want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute.
C. Add an appropriate lifecycle rule on the storage bucket containing the two objects.
D. Add a Cache-Control entry with value private to the metadata of the object you dont want to be cached anymore. Invalidate all the previously cached copies.

Answer:

A

User Votes:

A

50%

B

50%

C

50%

D

50%

Explanation:
Reference: https://developers.google.com/web/ilt/pwa/caching-files-with-service-worker

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 5

Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages
the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create,
modify, or delete them.
How should you set up permissions for the networking team?

A. Assign members of the networking team the compute.networkUser role.
B. Assign members of the networking team the compute.networkAdmin role.
C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

Answer:

B

User Votes:

A

50%

B

50%

C

50%

D

50%

Explanation:
Reference: https://cloud.google.com/compute/docs/access/iam

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 6

You work for a university that is migrating to GCP.
These are the cloud requirements:
On-premises connectivity with 10 Gbps
Lowest latency access to the cloud
Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient
interconnect solution for connecting the campus to Google Cloud.
What should you do?

A. Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
B. Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.
C. Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.
D. Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.

Answer:

A

User Votes:

A

50%

B

50%

C

50%

D

50%

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 7

You are adding steps to a working automation that uses a service account to authenticate. You need to drive the automation
the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?

A. Grant the compute.instanceAdmin to your user account.
B. Grant the iam.serviceAccountUser to your user account.
C. Grant the read-only privilege to the service account for the Cloud Storage bucket.
D. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.

Answer:

B

User Votes:

A

50%

B

50%

C

50%

D

50%

Explanation:
Reference: https://cloud.google.com/compute/docs/access/iam

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 8

You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one
acts as a standby.
Which BGP attribute should you use on your on-premises router?

A. AS-Path
B. Community
C. Local Preference
D. Multi-exit Discriminator

Answer:

D

User Votes:

A

50%

B

50%

C

50%

D

50%

Explanation:
Reference: https://cloud.google.com/router/docs/concepts/overview

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 9

You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC native cluster, and the
default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP
address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of
three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?

A. /21
B. /22
C. /23
D. /25

Answer:

D

User Votes:

A

50%

B

50%

C

50%

D

50%

Explanation:
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 10

Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are
working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2
connections as desired.
During troubleshooting you find:
Each on-premises router is configured with the same ASN.
Each on-premises router is configured with the same routes and priorities.
Both on-premises routers are configured with a VPN connected to a single Cloud Router.
The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
BGP session is not established between one on-premises router and the Cloud Router.
What is the most likely cause of this problem?

A. One of the VPN sessions is configured incorrectly.
B. A firewall is blocking the traffic across the second VPN connection.
C. You do not have a load balancer to load-balance the network traffic.
D. BGP sessions are not established between both on-premises routers and the Cloud Router.

Answer:

C

User Votes:

A

50%

B

50%

C

50%

D

50%

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 11

Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate
organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host
names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP
environments.
Each organization has enabled full connectivity between all of its projects by using Shared VPC.
Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the
instances) and load balancers for serving web traffic.
There are no prefix overlaps between the two organizations.
Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address
space.
Neither organization has Interconnects to their on-premises environment.
You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal
downtime.
Which two steps should you take? (Choose two.)

A. Provision Cloud Interconnect to connect both organizations together.
B. Set up some variant of DNS forwarding and zone transfers in each organization.
C. Connect VPCs in both organizations using Cloud VPN together with Cloud Router.
D. Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.
E. Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.

Answer:

C D

User Votes:

A

50%

B

50%

C

50%

D

50%

E

50%

Discussions

vote your answer:

A

B

C

D

E

0 / 1000

Question 12

You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-
based routing using the gcloud command.
Which next hop should you choose?

A. The default internet gateway
B. The IP address of the Cloud VPN gateway
C. The name and region of the Cloud VPN tunnel
D. The IP address of the instance on the remote side of the VPN tunnel

Answer:

C

User Votes:

A

50%

B

50%

C

50%

D

50%

Explanation:
Reference: https://cloud.google.com/vpn/docs/how-to/creating-static-vpns

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 13

Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All
applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced
across the 2 connections as desired.
During troubleshooting you find:
Each on-premises router is configured with a unique ASN.
Each on-premises router is configured with the same routes and priorities.
Both on-premises routers are configured with a VPN connected to a single Cloud Router.
BGP sessions are established between both on-premises routers and the Cloud Router.
Only 1 of the on-premises routers routes are being added to the routing table.
What is the most likely cause of this problem?

A. The on-premises routers are configured with the same routes.
B. A firewall is blocking the traffic across the second VPN connection.
C. You do not have a load balancer to load-balance the network traffic.
D. The ASNs being used on the on-premises routers are different.

Answer:

D

User Votes:

A

50%

B

50%

C

50%

D

50%

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 14

You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict
reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway
Protocol (BGP).
Which routing option should you choose?

A. Dynamic routing using Cloud Router
B. Route-based routing using default traffic selectors
C. Policy-based routing using a custom local traffic selector
D. Policy-based routing using the default local traffic selector

Answer:

A

User Votes:

A

50%

B

50%

C

50%

D

50%

Explanation:
Reference: https://cloud.google.com/vpn/docs/concepts/overview

Discussions

vote your answer:

A

B

C

D

0 / 1000

Question 15

You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of
its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP)
configuration.
Which connectivity model should you use?

A. Direct Peering
B. Dedicated Interconnect
C. Partner Interconnect with a layer 2 partner
D. Partner Interconnect with a layer 3 partner

Answer:

B

User Votes:

A

50%

B

50%

C

50%

D

50%

Explanation:
Reference: https://cloud.google.com/interconnect/docs/support/faq

Discussions

vote your answer:

A

B

C

D

0 / 1000

google professional cloud network engineer practice test

Professional Cloud Network Engineer

Last exam update: Apr 18 ,2024

Page 1 out of 6. Viewing questions 1-15 out of 80

Question 1

Answer:

User Votes:

Question 2

Answer:

User Votes:

Question 3

Answer:

User Votes:

Question 4

Answer:

User Votes:

Question 5

Answer:

User Votes:

Question 6

Answer:

User Votes:

Question 7

Answer:

User Votes:

Question 8

Answer:

User Votes:

Question 9

Answer:

User Votes:

Question 10

Answer:

User Votes:

Question 11

Answer:

User Votes:

Question 12

Answer:

User Votes:

Question 13

Answer:

User Votes:

Question 14

Answer:

User Votes:

Question 15

Answer:

User Votes: