The Secret Of Google Professional-Cloud-Network-Engineer Test Engine
Free Professional-Cloud-Network-Engineer Demo Online For Google Certification:
NEW QUESTION 1
You are in the early stages of planning a migration to GCP. You want to test the functionality of your hybrid cloud design before you start to implement it in production. The design includes services running on a Compute Engine Virtual Machine instance that need to communicate to on-premises servers using private IP addresses. The on-premises servers have connectivity to the internet, but you have not yet established any Cloud Interconnect connections. You want to choose the lowest cost method of enabling connectivity between your instance and on-premises servers and complete the test in 24 hours.
Which connectivity method should you choose?
- A. Cloud VPN
- B. 50-Mbps Partner VLAN attachment
- C. Dedicated Interconnect with a single VLAN attachment
- D. Dedicated Interconnect, but don’t provision any VLAN attachments
Answer: A
NEW QUESTION 2
You need to configure a Google Kubernetes Engine (GKE) cluster. The initial deployment should have 5 nodes with the potential to scale to 10 nodes. The maximum number of Pods per node is 8. The number of services could grow from 100 to up to 1024. How should you design the IP schema to optimally meet this requirement?
- A. Configure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services.
- B. Configure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.
- C. Configure a /28 primary IP address range for the node IP addresses. Configure a /28 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.
- D. Configure a /28 primary IP address range for the node IP addresses. Configure a /24 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services.
Answer: A
NEW QUESTION 3
You have provisioned a Partner Interconnect connection to extend connectivity from your on-premises data center to Google Cloud. You need to configure a Cloud Router and create a VLAN attachment to connect to resources inside your VPC. You need to configure an Autonomous System number (ASN) to use with the associated Cloud Router and create the VLAN attachment.
What should you do?
- A. Use a 4-byte private ASN 4200000000-4294967294.
- B. Use a 2-byte private ASN 64512-65535.
- C. Use a public Google ASN 15169.
- D. Use a public Google ASN 16550.
Answer: B
NEW QUESTION 4
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?
- A. Assign a public IP address to the instance.
- B. Create a route to reach the Master, pointing to the default internet gateway.
- C. Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
- D. Create the appropriate master authorized network entries to allow the instance to communicate to the master.
Answer: D
Explanation:
https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#cant_reach_cluster
https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks
NEW QUESTION 5
Your company’s Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure:
/fr/video
/en/video
/es/video
/../video
/fr/audio
/en/audio
/es/audio
/../audio
Which solution should you recommend?
- A. Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.
- B. Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.
- C. Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.
- D. Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/audio.
Answer: A
Explanation:
https://cloud.google.com/load-balancing/docs/url-map#configuring_url_maps
Path matcher constraints: Path matchers and path rules have the following constraints:
A path rule can only include a wildcard character (*) after a forward slash character (/). For example, /videos/* and /videos/hd/* are valid for path rules, but /videos* and /videos/hd* are not.
Path rules do not use regular expression or substring matching. For example, path rules for either /videos/hd or /videos/hd/* do not apply to a URL with the path /video/hd-abcd. However, a path rule for /video/* does apply to that path.
https://cloud.google.com/load-balancing/docs/url-map-concepts#pm-constraints
NEW QUESTION 6
You are deploying a global external TCP load balancing solution and want to preserve the source IP address of the original layer 3 payload.
Which type of load balancer should you use?
- A. HTTP(S) load balancer
- B. Network load balancer
- C. Internal load balancer
- D. TCP/SSL proxy load balancer
Answer: D
Explanation:
By default, the TCP/SSL proxy load balancer does not preserve the original client IP address and port information, but they can be preserved using the PROXY protocol: https://cloud.google.com/load-balancing/docs/tcp#target-proxies
https://medium.com/google-cloud/preserving-client-ips-through-google-clouds-global-tcp-and-ssl-proxy-load-ba
NEW QUESTION 7
Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users.
What should you do?
- A. Create a Cloud Armor Policy rule that denies traffic and review necessary logs.
- B. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.
- C. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.
- D. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.
Answer: B
Explanation:
https://cloud.google.com/armor/docs/security-policy-concepts#preview_mode
NEW QUESTION 8
You need to configure the Border Gateway Protocol (BGP) session for a VPN tunnel you just created between two Google Cloud VPCs, 10.1.0.0/16 and 172.16.0.0/16. You have a Cloud Router (router-1) in the 10.1.0.0/16 network and a second Cloud Router (router-2) in the 172.16.0.0/16 network. Which configuration should you use for the BGP session?
- A. [option image missing]
- B. [option image missing]
- C. [option image missing]
- D. [option image missing]
Answer: C
NEW QUESTION 9
You recently noticed a recurring daily spike in network usage in your Google Cloud project. You need to identify the virtual machine (VM) instances and type of traffic causing the spike in traffic utilization while minimizing the cost and management overhead required. What should you do?
- A. Enable VPC Flow Logs and send the output to BigQuery for analysis.
- B. Enable Firewall Rules Logging for all allowed traffic and send the output to BigQuery for analysis.
- C. Configure Packet Mirroring to send all traffic to a VM. Use Wireshark on the VM to identify traffic utilization for each VM in the VPC.
- D. Deploy a third-party network appliance and configure it as the default gateway. Use the third-party network appliance to identify users with high network traffic.
Answer: C
NEW QUESTION 10
You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT.
What is the most likely cause of this problem?
- A. The instance has been configured with multiple interfaces.
- B. An external IP address has been configured on the instance.
- C. You have created static routes that use RFC1918 ranges.
- D. The instance is accessible by a load balancer external IP address.
Answer: B
NEW QUESTION 11
Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
• Each on-premises router is configured with the same ASN.
• Each on-premises router is configured with the same routes and priorities.
• Both on-premises routers are configured with a VPN connected to a single Cloud Router.
• The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
• BGP session is not established between one on-premises router and the Cloud Router.
What is the most likely cause of this problem?
- A. One of the VPN sessions is configured incorrectly.
- B. A firewall is blocking the traffic across the second VPN connection.
- C. You do not have a load balancer to load-balance the network traffic.
- D. BGP sessions are not established between both on-premises routers and the Cloud Router.
Answer: A
Explanation:
If the VPN logs show a no-proposal-chosen error, this error indicates that Cloud VPN and your peer VPN gateway were unable to agree on a set of ciphers. For IKEv1, the set of ciphers must match exactly. For IKEv2, there must be at least one common cipher proposed by each gateway. Make sure that you use supported ciphers to configure your peer VPN gateway.
https://cloud.google.com/network-connectivity/docs/vpn/support/troubleshooting#:~:text=If%20the%20VPN%2
NEW QUESTION 12
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?
- A. AS-Path
- B. Community
- C. Local Preference
- D. Multi-exit Discriminator
Answer: D
NEW QUESTION 13
In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.
What should you do?
- A. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
- B. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.
- C. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.
- D. Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.
Answer: B
NEW QUESTION 14
You are designing a hub-and-spoke network architecture for your company’s cloud-based environment. You need to make sure that all spokes are peered with the hub. The spokes must use the hub's virtual appliance for internet access.
The virtual appliance is configured in high-availability mode with two instances using an internal load balancer with IP address 10.0.0.5. What should you do?
- A. Create a default route in the hub VPC that points to IP address 10.0.0.5. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. Export the custom routes in the hub. Import the custom routes in the spokes.
- B. Create a default route in the hub VPC that points to IP address 10.0.0.5. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. Export the custom routes in the hub. Import the custom routes in the spokes. Delete the default internet gateway route of the spokes.
- C. Create two default routes in the hub VPC that point to the next hop instances of the virtual appliances. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. Export the custom routes in the hub. Import the custom routes in the spokes.
- D. Create a default route in the hub VPC that points to IP address 10.0.0.5. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. Create a new route in the spoke VPC that points to IP address 10.0.0.5.
Answer: B
NEW QUESTION 15
You create multiple Compute Engine virtual machine instances to be used as TFTP servers. Which type of load balancer should you use?
- A. HTTP(S) load balancer
- B. SSL proxy load balancer
- C. TCP proxy load balancer
- D. Network load balancer
Answer: D
Explanation:
"TFTP is a UDP-based protocol. Servers listen on port 69 for the initial client-to-server packet to establish the TFTP session, then use a port above 1023 for all further packets during that session. Clients use ports above 1023" https://docstore.mik.ua/orelly/networking_2ndEd/fire/ch17_02.htm
Besides, Google Cloud external TCP/UDP Network Load Balancing (after this referred to as Network Load Balancing) is a regional, non-proxied load balancer. Network Load Balancing distributes traffic among virtual machine (VM) instances in the same region in a Virtual Private Cloud (VPC) network.
NEW QUESTION 16
Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?
- A. Firewall rule direction: ingress; Action: allow; Target: VM B service account; Source ranges: VM A service account; Priority: 1000
- B. Firewall rule direction: ingress; Action: allow; Target: specific VM B tag; Source ranges: VM A tag and VM A source IP address; Priority: 1000
- C. Firewall rule direction: ingress; Action: allow; Target: VM A service account; Source ranges: VM B service account and VM B source IP address; Priority: 100
- D. Firewall rule direction: ingress; Action: allow; Target: specific VM A tag; Source ranges: VM B tag and VM B source IP address; Priority: 100
Answer: D