Practice Free Professional Cloud Network Engineer Exam Online Questions
You have deployed an HTTP(S) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem.
Which commands should you run?
- A . gcloud compute instances add-access-config instance-1
- B . gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS
- C . gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS
- D . gcloud compute health-checks update http health-check --unhealthy-threshold 10
You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.
• Always allow Secure Shell (SSH) from your corporate IP address.
• Restrict SSH access from all other IP addresses.
There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team’s requirements.
What should you do?
- A . Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.
- B . Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.
- C . Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.
- D . Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.
Your company’s web server administrator is migrating on-premises backend servers for an application to GCP. Libraries and configurations differ significantly across these backend servers. The migration to GCP will be lift-and-shift, and all requests to the servers will be served by a single network load balancer frontend. You want to use a GCP-native solution when possible.
How should you deploy this service in GCP?
- A . Create a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer.
- B . Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.
- C . Deploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers.
- D . Use GCP’s ECMP capability to load-balance traffic to the backend servers by installing multiple equal-priority static routes to the backend servers.
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?
- A . Assign members of the networking team the compute.networkUser role.
- B . Assign members of the networking team the compute.networkAdmin role.
- C . Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
- D . Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
You are responsible for designing a new connectivity solution for your organization’s enterprise network to access and use Google Workspace. You have an existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider’s internet access. You want to set up a direct connection between your network and Google.
What should you do?
- A . Order a Dedicated Interconnect connection in the same metropolitan area. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router.
- B . Order a Direct Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.
- C . Configure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center.
- D . Order a Carrier Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.
Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks.
What should you do?
- A . Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.
- B . Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
- C . Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.
- D . Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.
You work for a university that is migrating to GCP.
These are the cloud requirements:
• On-premises connectivity with 10 Gbps
• Lowest latency access to the cloud
• Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?
- A . Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
- B . Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC’s host project.
- C . Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects’ Interconnects.
- D . Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.
A
Explanation:
https://cloud.google.com/interconnect/docs/how-to/dedicated/using-interconnects-other-projects
Using Cloud Interconnect with Shared VPC: You can use Shared VPC to share your VLAN attachment in a project with other VPC networks. Choosing Shared VPC is preferable if you need to create many projects and would like to prevent individual project owners from managing their connectivity back to your on-premises network. In this scenario, the host project contains a common Shared VPC network usable by VMs in service projects. Because VMs in the service projects use this network, Service Project Admins don’t need to create other VLAN attachments or Cloud Routers in the service projects. In this scenario, you must create VLAN attachments and Cloud Routers for a Cloud Interconnect connection only in the Shared VPC host project. The combination of a VLAN attachment and its associated Cloud Router are unique to a given Shared VPC network.
https://cloud.google.com/network-connectivity/docs/interconnect/how-to/enabling-multiple-networks-access-same-attachment#using_with
https://cloud.google.com/vpc/docs/shared-vpc
You need to define an address plan for a future new Google Kubernetes Engine (GKE) cluster in your Virtual Private Cloud (VPC). This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?
- A . /21
- B . /22
- C . /23
- D . /25
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)
- A . GetIamPolicy() via REST API
- B . setIamPolicy() via REST API
- C . gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
- D . gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
- E . Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
You are troubleshooting connectivity issues between Google Cloud and a public SaaS provider. Connectivity between the two environments is through the public internet. Your users are reporting intermittent connection errors when using TCP to connect; however, ICMP tests show no failures. According to users, errors occur around the same time every day. You want to troubleshoot and gather information by using Google Cloud tools that are most likely to provide insights into what is occurring within Google Cloud.
What should you do?
- A . Enable the Firewall Insights API. Set the deny rule insights observation period to one day. Review the insights to ensure there are no firewall rules denying traffic.
- B . Enable and review Cloud Logging on your Cloud NAT gateway. Look for logs with errors matching the destination IP address of the public SaaS provider.
- C . Create a Connectivity Test by using TCP, the source IP address of your test VM, and the destination IP address of the public SaaS provider. Review the live data plane analysis and take the next steps based on the test results.
- D . Enable and review Cloud Logging for Cloud Armor. Look for logs with errors matching the destination IP address of the public SaaS provider.
C
Explanation:
Creating a Connectivity Test using TCP in Network Intelligence Center allows you to simulate the connection to the public SaaS provider and receive real-time data plane analysis. This will help determine whether there are any issues with the network path for the specific TCP connection.
Reference: Google Cloud Connectivity Tests Documentation