Practice Free Professional Cloud Network Engineer Exam Online Questions
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?
- A . Assign a public IP address to the instance.
- B . Create a route to reach the Master, pointing to the default internet gateway.
- C . Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
- D . Create the appropriate master authorized network entries to allow the instance to communicate to the master.
D
Explanation:
https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#cant_reach_cluster
https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks
You are designing the network architecture for your organization. Your organization has three developer teams: Web, App, and Database. All of the developer teams require access to Compute Engine instances to perform their critical tasks. You are part of a small network and security team that needs to provide network access to the developers. You need to maintain centralized control over network resources, including subnets, routes, and firewalls. You want to minimize operational overhead.
How should you design this topology?
- A . Configure a host project with a Shared VPC. Create service projects for Web, App, and Database.
- B . Configure one VPC for Web, one VPC for App, and one VPC for Database. Configure HA VPN between each VPC.
- C . Configure three Shared VPC host projects, each with a service project: one for Web, one for App, and one for Database.
- D . Configure one VPC for Web, one VPC for App, and one VPC for Database. Use VPC Network Peering to connect all VPCs in a full mesh.
You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.
What should you do?
- A . Ensure that the object you don’t want to be cached anymore is not shared publicly.
- B . Create a new storage bucket, and move the object you don’t want to be cached anymore inside it. Then edit the bucket setting and enable the private attribute.
- C . Add an appropriate lifecycle rule on the storage bucket containing the two objects.
- D . Add a Cache-Control entry with value private to the metadata of the object you don’t want to be cached anymore. Invalidate all the previously cached copies.
D
Explanation:
https://cloud.google.com/cdn/docs/invalidating-cached-content
Your company’s security team tends to use managed services when possible. You need to build a dashboard to show the number of deny hits that occur against configured firewall rules without increasing operational overhead.
What should you do?
- A . Configure Firewall Rules Logging. Use Firewall Insights to display the number of hits.
- B . Configure Firewall Rules Logging. View the logs in Cloud Logging, and create a custom dashboard in Cloud Monitoring to display the number of hits.
- C . Configure a firewall appliance from the Google Cloud Marketplace. Route all traffic through this appliance, and apply the firewall rules at this layer. Use the firewall appliance to display the number of hits.
- D . Configure Packet Mirroring on the VPC. Apply a filter with an IP address list of the Denied Firewall rules. Configure an intrusion detection system (IDS) appliance as the receiver to display the number of hits.
You are configuring the final elements of a migration effort where resources have been moved from on-premises to Google Cloud. While reviewing the deployed architecture, you noticed that DNS resolution is failing when queries are being sent to the on-premises environment. You log in to a Compute Engine instance, try to resolve an on-premises hostname, and the query fails. DNS queries are not arriving at the on-premises DNS server. You need to use managed services to reconfigure Cloud DNS to resolve the DNS error.
What should you do?
- A . Validate that the Compute Engine instances are using the Metadata Service IP address as their resolver. Configure an outbound forwarding zone for the on-premises domain pointing to the on-premises DNS server. Configure Cloud Router to advertise the Cloud DNS proxy range to the on-premises network.
- B . Validate that there is network connectivity to the on-premises environment and that the Compute Engine instances can reach other on-premises resources. If errors persist, remove the VPC Network Peerings and recreate the peerings after validating the routes.
- C . Review the existing Cloud DNS zones, and validate that there is a route in the VPC directing traffic destined to the IP address of the DNS servers. Recreate the existing DNS forwarding zones to forward all queries to the on-premises DNS servers.
- D . Ensure that the operating systems of the Compute Engine instances are configured to send DNS queries to the on-premises DNS servers directly.
A
Explanation:
To resolve DNS resolution issues for on-premises domains from Google Cloud, you should use Cloud DNS outbound forwarding zones. This setup forwards DNS requests for specific domains to on-premises DNS servers. Cloud Router is needed to advertise the range for the DNS proxy service back to the on-premises environment, ensuring that DNS queries from Compute Engine instances reach the on-premises DNS servers.
Reference: Google Cloud – DNS Forwarding
Your organization is migrating workloads from AWS to Google Cloud. Because a particularly critical workload will take longer to migrate, you need to set up Google Cloud CDN and point it to the existing application at AWS.
What should you do?
- A . Create a hybrid NEG that points to the existing IP of the application.
• Map the NEG to a passthrough Network Load Balancer as a target pool.
• Enable Cloud CDN on the target pool.
- B . Create an internet NEG that points to the existing FQDN of the application.
• Map the NEG to an Application Load Balancer as a backend service.
• Enable Cloud CDN on the backend service.
- C . Create a hybrid NEG that points to the existing IP of the application.
• Map the NEG to an Application Load Balancer as a backend service.
• Enable Cloud CDN on the backend service.
- D . Create an internet NEG that points to the existing FQDN of the application.
• Map the NEG to a passthrough Network Load Balancer as a backend service.
• Enable Cloud CDN on the backend service.
B
Explanation:
To configure Cloud CDN for an application hosted outside of Google Cloud (e.g., in AWS), you need to use an internet network endpoint group (NEG). An internet NEG allows you to point to external endpoints using their FQDN or IP address. Cloud CDN works with external HTTP(S) Load Balancers, and you enable CDN on the backend service associated with the load balancer. A Network Load Balancer (passthrough) does not support Cloud CDN.
Exact Extract:
"To enable Cloud CDN for content hosted outside of Google Cloud, you must use an external HTTP(S) Load Balancer with an internet network endpoint group (NEG)."
"An internet NEG specifies one or more external endpoints that can be reached by an external HTTP(S) Load Balancer. You can specify endpoints using an IP address and port, or a fully qualified domain name (FQDN) and port."
"Cloud CDN is enabled on the backend service of an external HTTP(S) Load Balancer."
Reference: Google Cloud CDN Documentation – Caching external content, Internet NEGs overview
You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps.
What should you do?
- A . Configure the remote autonomous system number (ASN) to 4096.
- B . Configure a second Cloud Router to scale bandwidth in and out of the VPC.
- C . Configure the maximum transmission unit (MTU) to its highest supported value.
- D . Configure a second set of active/passive VPN tunnels.
You configured a single IPSec Cloud VPN tunnel for your organization to a third-party customer. You confirmed that the VPN tunnel is established; however, the BGP session status states that BGP is not configured.
The customer has provided you with their BGP settings:
Local BGP address: 169.254.11.1/30
Local ASN: 64515
Peer BGP address: 169.254.11.2
Peer ASN: 64517
Base MED: 1000
MD5 Authentication: Disabled
You need to configure the local BGP session for this tunnel based on the settings provided by the customer. You already associated the Cloud Router with the Cloud VPN Tunnel.
What settings should you use for the BGP session?
- A . Peer ASN: 64517
Advertised Route Priority (MED): 100
Local BGP IP: 169.254.11.2
Peer BGP IP: 169.254.11.1
MD5 Authentication: Disabled
- B . Peer ASN: 64515
Advertised Route Priority (MED): 100
Local BGP IP: 169.254.11.2
Peer BGP IP: 169.254.11.1
MD5 Authentication: Disabled
- C . Peer ASN: 64515
Advertised Route Priority (MED): 1000
Local BGP IP: 169.254.11.2
Peer BGP IP: 169.254.11.1
MD5 Authentication: Enabled
- D . Peer ASN: 64515
Advertised Route Priority (MED): 100
Local BGP IP: 169.254.11.1
Peer BGP IP: 169.254.11.2
MD5 Authentication: Disabled
A
Explanation:
The correct configuration requires setting the Peer ASN as 64517 (as this is the ASN of the third-party customer). The local and peer BGP IP addresses should also be set correctly based on the provided information, and MD5 authentication should be disabled. The route priority should be set to 100 to reflect standard behavior.
Reference: Google Cloud VPN BGP Configuration
You have a storage bucket that contains the following objects:
– folder-a/image-a-1.jpg
– folder-a/image-a-2.jpg
– folder-b/image-b-1.jpg
– folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?
- A . Add an appropriate lifecycle rule on the storage bucket.
- B . Issue a cache invalidation command with pattern /folder-a/*.
- C . Make sure that all the objects with prefix folder-a are not shared publicly.
- D . Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.
B
Explanation:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html
You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from.
What should you do?
- A . Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.
- B . Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.
- C . Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.
- D . Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.