View All Professional-Cloud-Network-Engineer Actual Exam Questions Answers and Explanations for Free Apr-2025 [Q30-Q47]


NEW QUESTION # 30
You have the networking configuration shown in the diagram. A pair of redundant Dedicated Interconnect connections (int-lga1 and int-lga2) terminate on the same Cloud Router. The Interconnect connections terminate on two separate on-premises routers. You are advertising the same prefixes from the Border Gateway Protocol (BGP) sessions associated with the Dedicated Interconnect connections. You need to configure one connection as Active for both ingress and egress traffic. If the active Interconnect connection fails, you want the passive Interconnect connection to automatically begin routing all traffic. Which two actions should you take to meet this requirement? (Choose two.)

  • A. Configure the advertised route priority > 10,200 on the active Interconnect connection.
  • B. Advertise a lower MED on the passive Interconnect connection from the on-premises router
  • C. Configure the advertised route priority as 200 for the BGP session associated with the active Interconnect connection.
  • D. Advertise a lower MED on the active Interconnect connection from the on-premises router.
  • E. Configure the advertised route priority as 200 for the BGP session associated with the passive Interconnect connection.

Answer: C,D

Explanation:
This answer meets the requirement of configuring one connection as Active for both ingress and egress traffic, and enabling automatic failover to the passive connection in case of failure. The reason is:
The advertised route priority is a value that Cloud Router uses to set the route priority when advertising routes to your on-premises router. The lower the value, the higher the priority [1]. By setting the advertised route priority as 200 for the active connection, you ensure that it has a higher priority than the passive connection, which has the default value of 100 [1]. This way, your on-premises router will prefer the routes from the active connection over the passive one for ingress traffic.
The MED (Multi-Exit Discriminator) is a value that your on-premises router uses to indicate its preference for receiving traffic from Cloud Router. The lower the value, the higher the preference [2]. By advertising a lower MED on the active connection from your on-premises router, you ensure that Cloud Router will prefer sending traffic to the active connection over the passive one for egress traffic.
If the active connection fails, Cloud Router will stop receiving routes from it and will start using the routes from the passive connection for egress traffic. Similarly, your on-premises router will stop receiving routes with priority 200 from the active connection and will start using the routes with priority 100 from the passive connection for ingress traffic. This achieves automatic failover without any manual intervention.
Option A is incorrect because setting the advertised route priority > 10,200 on the active connection would deprioritize it globally in your VPC network, which is not what you want [1]. Option B is incorrect because advertising a lower MED on the passive connection would make Cloud Router prefer sending traffic to it over the active one, which is not what you want [2]. Option D is incorrect because setting the advertised route priority as 200 for both connections would make them equally preferred by your on-premises router, which is not what you want [1].
References:
[1] Update the base route priority | Cloud Router | Google Cloud
[2] Configuring BGP sessions | Cloud Router | Google Cloud


NEW QUESTION # 31
In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.
What should you do?

  • A. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.
  • B. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.
  • C. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
  • D. Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.

Answer: B


NEW QUESTION # 32
One instance in your VPC is configured to run with a private IP address only. You want to ensure that even if this instance is deleted, its current private IP address will not be automatically assigned to a different instance.
In the GCP Console, what should you do?

  • A. Add custom metadata to the instance with key internal-address and value reserved.
  • B. Change the instance's current internal IP address to static.
  • C. Assign a new reserved internal IP address to the instance.
  • D. Assign a public IP address to the instance.

Answer: C


NEW QUESTION # 33
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?

  • A. Multi-exit Discriminator
  • B. AS-Path
  • C. Community
  • D. Local Preference

Answer: A

Explanation:
https://cloud.google.com/router/docs/concepts/overview


NEW QUESTION # 34
You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.
Always allow Secure Shell (SSH) from your corporate IP address.
Restrict SSH access from all other IP addresses.
There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team's requirements. What should you do?

  • A. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1.
    Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.
  • B. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1.
    Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.
  • C. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0.
    Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.
  • D. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0.
    Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.

Answer: D


NEW QUESTION # 35
Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B.
You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?

  • A. Firewall rule direction: ingress
    Action: allow
    Target: specific VM B tag
    Source ranges: VM A tag and VM A source IP address
    Priority: 1000
  • B. Firewall rule direction: ingress
    Action: allow
    Target: VM B service account
    Source ranges: VM A service account
    Priority: 1000
  • C. Firewall rule direction: ingress
    Action: allow
    Target: VM A service account
    Source ranges: VM B service account and VM B source IP address
    Priority: 100
  • D. Firewall rule direction: ingress
    Action: allow
    Target: specific VM A tag
    Source ranges: VM B tag and VM B source IP address
    Priority: 100

Answer: D


NEW QUESTION # 36
You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem.
What should you do?

  • A. Alter the routing table to resolve the asymmetric route.
  • B. Delete the legacy network and recreate it to allow transitive peering.
  • C. Configure VPC peering in a full mesh.
  • D. Create network tags to allow connectivity between all three VPCs.

Answer: C


NEW QUESTION # 37
You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?

  • A. Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.
  • B. Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.
  • C. Create a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.
  • D. Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.

Answer: D


NEW QUESTION # 38
You want to configure load balancing for an internet-facing, standard voice-over-IP (VOIP) application.
Which type of load balancer should you use?

  • A. Internal TCP/UDP load balancer
  • B. HTTP(S) load balancer
  • C. TCP/SSL proxy load balancer
  • D. Network load balancer

Answer: D


NEW QUESTION # 39
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.
What should you do?

  • A. Configure Dynamic Routing for the subnet hosting the application.
  • B. Configure a policy-based route rule to prioritize the traffic.
  • C. Configure the TTL for the DNS zone to decrease the time between updates.
  • D. Configure an HTTP load balancer, and direct the traffic to it.

Answer: D

Explanation:
https://cloud.google.com/load-balancing/docs/tutorials/optimize-app-latency


NEW QUESTION # 40
You are configuring your Google Cloud environment to connect to your on-premises network. Your configuration must be able to reach Cloud Storage APIs and your Google Kubernetes Engine nodes across your private Cloud Interconnect network. You have already configured a Cloud Router with your Interconnect VLAN attachments. You now need to set up the appropriate router advertisement configuration on the Cloud Router. What should you do?

  • A. Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Leave all other options as their default settings.
  • B. Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.
  • C. Configure the route advertisement to the default setting.
  • D. On the on-premises router, configure a static route for the storage API virtual IP address which points to the Cloud Router's link-local IP address.

Answer: A


NEW QUESTION # 41
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)

  • A. GetIamPolicy() via REST API
  • B. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • C. gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • D. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
  • E. setIamPolicy() via REST API
Answer: C,D

Explanation:
https://cloud.google.com/iam/docs/granting-changing-revoking-access


NEW QUESTION # 42
You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.
How should you configure your firewall rules?

  • A. Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
  • B. Create a single firewall rule to allow port 3389 with priority 1000.
  • C. Create a single firewall rule to allow port 22 with priority 1000.
  • D. Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.

Answer: C


NEW QUESTION # 43
Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption in transit over the Cloud Interconnect connections. You have created a Cloud Router and two encrypted VLAN attachments that have a 5 Gbps capacity and a BGP configuration. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?

  • A. Enable MACsec on Partner Interconnect.
  • B. Enable MACsec for Cloud Interconnect on the VLAN attachments.
  • C. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same Cloud Router used for the Cloud Interconnect tier.
  • D. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Create a new dedicated HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels.

Answer: C

Explanation:
For secure traffic over Cloud Interconnect, you configure an HA VPN gateway to work with existing VLAN attachments and use the same Cloud Router. This setup integrates seamlessly, leveraging the established BGP sessions for VPN tunnel configurations.


NEW QUESTION # 44
You are in the process of deploying an internal HTTP(S) load balancer for your web server virtual machine (VM) instances. What two prerequisite tasks must be completed before creating the load balancer?
(Choose two.)

  • A. Determine the subnet mask for Serverless VPC Access.
  • B. Create firewall rules for health checks.
  • C. Choose a region.
  • D. Reserve a static IP address for the load balancer.
  • E. Determine the subnet mask for a proxy-only subnet.

Answer: B,D

Explanation:
The correct answer is B and C. You must create firewall rules for health checks and reserve a static IP address for the load balancer before creating the internal HTTP(S) load balancer.
The other options are not correct because:
Option A is not a prerequisite task. You can choose a region when you create the load balancer, but you do not need to do it beforehand.
Option D is not a prerequisite task. You can determine the subnet mask for a proxy-only subnet when you create the subnet, but you do not need to do it beforehand.
Option E is not related to the internal HTTP(S) load balancer. Serverless VPC Access is a feature that allows you to connect your serverless applications to your VPC network, but it is not required for the load balancer.


NEW QUESTION # 45
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

  • A. Cloud NAT
  • B. Cloud VPN
  • C. Dedicated Interconnect
  • D. Shared VPC
  • E. VPC peering

Answer: B,C

Explanation:
https://cloud.google.com/vpc/docs/vpc


NEW QUESTION # 46
You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?

  • A. /22
  • B. /25
  • C. /23
  • D. /21

Answer: B

Explanation:
Reference:
https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips


NEW QUESTION # 47
......
