Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Google Professional-Cloud-Network-Engineer - Google Cloud Certified - Professional Cloud Network Engineer

Google Professional-Cloud-Network-Engineer Premium Access     Download Demo    
Page: 3 / 7
Total 233 questions

You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identity the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?

A.

Enable firewall logs, and view the logs in Firewall Insights.

B.

Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.

C.

Enable VPC Flow Logs, and view the logs in Cloud Logging.

D.

Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.

You are designing a hub-and-spoke network architecture for your company’s cloud-based environment. You need to make sure that all spokes are peered with the hub. The spokes must use the hub's virtual appliance for internet access.

The virtual appliance is configured in high-availability mode with two instances using an internal load balancer with IP address 10.0.0.5. What should you do?

A.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub.

Import the custom routes in the spokes.

B.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

Delete the default internet gateway route of the spokes.

C.

Create two default routes in the hub VPC that point to the next hop instances of the virtual appliances.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

D.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Create a new route in the spoke VPC that points to IP address 10.0.0.5.

You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).

Which routing option should you choose?

A.

Dynamic routing using Cloud Router

B.

Route-based routing using default traffic selectors

C.

Policy-based routing using a custom local traffic selector

D.

Policy-based routing using the default local traffic selector

You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via TCP on port 700. You want to ensure high availability for this application. What should you do?

A.

Create a network load balancer that used backend services containing one instance group with two instances.

B.

Create a network load balancer that uses a target pool backend with two instances.

C.

Create a TCP proxy that uses a zonal network endpoint group containing one instance.

D.

Create a TCP proxy that uses backend services containing an instance group with two instances.

Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates.

Which Google Cloud load balancer should you use?

A.

SSL proxy load balancer

B.

Network load balancer

C.

HTTPS load balancer

D.

TCP proxy load balancer

You want to use Partner Interconnect to connect your on-premises network with your VPC. You already have an Interconnect partner.

What should you first?

A.

Log in to your partner’s portal and request the VLAN attachment there.

B.

Ask your Interconnect partner to provision a physical connection to Google.

C.

Create a Partner Interconnect type VLAN attachment in the GCP Console and retrieve the pairing key.

D.

Run gcloud compute interconnect attachments partner update / -- region --admin-enabled.

Question:

Your organization has a subset of applications in multiple regions that require internet access. You need to control internet access from applications to URLs, including hostnames and paths. The compute instances that run these applications have an associated secure tag. What should you do?

A.

Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match the secure tag.

B.

Deploy a single Secure Web Proxy instance with global access enabled. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.

C.

Deploy a Secure Web Proxy instance in each region. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.

D.

Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match a service account.

You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.

What should you do on your on-premises servers?

A.

Tune TCP parameters on the on-premises servers.

B.

Compress files using utilities like tar to reduce the size of data being sent.

C.

Remove the -m flag from the gsutil command to enable single-threaded transfers.

D.

Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

Your organization is migrating workloads from AWS to Google Cloud. Because a particularly critical workload will take longer to migrate, you need to set up Google Cloud CDN and point it to the existing application at AWS. What should you do?

A.

Create a hybrid NEG that points to the existing IP of the application.

• Map the NEG to a passthrough Network Load Balancer as a target pool.

• Enable Cloud CDN on the target pool.

B.

Create an internet NEG that points to the existing FQDN of the application.

• Map the NEG to an Application Load Balancer as a backend service.

• Enable Cloud CDN on the backend service.

C.

Create a hybrid NEG that points to the existing IP of the application.

• Map the NEG to an Application Load Balancer as a backend service.

• Enable Cloud CDN on the backend service.

D.

Create an internet NEG that points to the existing FQDN of the application.

• Map the NEG to a passthrough Network Load Balancer as a backend service.

• Enable Cloud CDN on the backend service.

You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.

Which two actions should you take? (Choose two.)

A.

Turn on Private Google Access at the subnet level.

B.

Turn on Private Google Access at the VPC level.

C.

Turn on Private Services Access at the VPC level.

D.

Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.

E.

Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.