Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Google Professional-Cloud-Network-Engineer - Google Cloud Certified - Professional Cloud Network Engineer

Google Professional-Cloud-Network-Engineer Premium Access     Download Demo    
Page: 6 / 7
Total 233 questions

You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command.

Which next hop should you choose?

A.

The default internet gateway

B.

The IP address of the Cloud VPN gateway

C.

The name and region of the Cloud VPN tunnel

D.

The IP address of the instance on the remote side of the VPN tunnel

There are two established Partner Interconnect connections between your on-premises network and Google Cloud. The VPC that hosts the Partner Interconnect connections is named "vpc-a" and contains three VPC subnets across three regions, Compute Engine instances, and a GKE cluster. Your on-premises users would like to resolve records hosted in a Cloud DNS private zone following Google-recommended practices. You need to implement a solution that allows your on-premises users to resolve records that are hosted in Google Cloud. What should you do?

A.

Associate the private zone to "vpc-a." Create an outbound forwarding policy and associate the policy to "vpc-a." Configure the on-premises DNS servers to forward queries for the private zone to the entry point addresses created when the policy was attached to "vpc-a."

B.

Configure a DNS proxy service inside one of the GKE clusters. Expose the DNS proxy service in GKE as an internal load balancer. Configure the on-premises DNS servers to forward queries for the private zone to the IP address of the internal load balancer.

C.

Use custom route advertisements to announce 169.254.169.254 via BGP to the on-premises environment. Configure the on-premises DNS servers to forward DNS requests to 169.254.169.254.

D.

Associate the private zone to "vpc-a." Create an inbound forwarding policy and associate the policy to "vpc-a." Configure the on-premises DNS servers to forward queries for the private zone to the entry point addresses created when the policy was attached to "vpc-a."

Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2. What should you do?

A.

Enable firewall logging, and forward all filtered egress firewall logs to the IDS.

B.

Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.

C.

Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

D.

Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications:

    Your ISP is a Google Partner Interconnect provider.

    Your on-premises VPN device’s internet uplink and downlink speeds are 10 Gbps.

    A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses.

    Most of the data transfer will be from GCP to the on-premises environment.

    The application can burst up to 1.5 Gbps during peak transfers over the Interconnect.

    Cost and the complexity of the solution should be minimal.

How should you provision the connectivity solution?

A.

Provision a Partner Interconnect through your ISP.

B.

Provision a Dedicated Interconnect instead of a VPN.

C.

Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.

D.

Use network compression over your VPN to increase the amount of data you can send over your VPN.

You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.

Which two methods can you use to accomplish this? (Choose two.)

A.

GetIamPolicy() via REST API

B.

setIamPolicy() via REST API

C.

gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

D.

gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

E.

Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

You are planning to use Terraform to deploy the Google Cloud infrastructure for your company The design must meet the following requirements

• Each Google Cloud project must represent an Internal project that your team Will work on

• After an internal project is finished, the infrastructure must be deleted

• Each Internal project must have Its own Google Cloud project owner to manage the Google Cloud resources-

• You have 10-100 projects deployed at a time,

While you are writing the Terraform code, you need to ensure that the deployment IS Simple, and the code IS reusable With

centralized management What should you doo

A.

Create a Single pt0Ject and additional VPCs for each Internal project

B.

Create a Single Project and Single VPC for each internal project

C.

Create a single Shared VPC and attach each Google Cloud project as a service project

D.

Create a Shared VPC and service project for each Internal project

Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments. What should you do?

A.

Create a VPC firewall rule in each VPC to block traffic from any source, with priority 0.

B.

Create a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.

C.

Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.

D.

Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.

You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?

A.

Review the VPC audit logs in Cloud Logging for the affected instances.

B.

Use Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.

C.

Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.

D.

Enable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from your on-premises network using Cloud Interconnect. You must configure access only to Google APIs and services that are supported by VPC Service Controls through hybrid connectivity with a service level agreement (SLA) in place. What should you do?

A.

Configure the existing Cloud Routers to advertise the Google API's public virtual IP addresses.

B.

Use Private Google Access for on-premises hosts with restricted.googleapis.com virtual IP addresses.

C.

Configure the existing Cloud Routers to advertise a default route, and use Cloud NAT to translate traffic from your on-premises network.

D.

Add Direct Peering links, and use them for connectivity to Google APIs that use public virtual IP addresses.

Your company has provisioned 2000 virtual machines (VMs) in the private subnet of your Virtual Private Cloud (VPC) in the us-east1 region. You need to configure each VM to have a minimum of 128 TCP connections to a public repository so that users can download software updates and packages over the internet. You need to implement a Cloud NAT gateway so that the VMs are able to perform outbound NAT to the internet. You must ensure that all VMs can simultaneously connect to the public repository and download software updates and packages. Which two methods can you use to accomplish this? (Choose two.)

A.

Configure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.

B.

Create a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.

C.

Use the default Cloud NAT gateway's NAT proxy to dynamically scale using a single NAT IP address.

D.

Use the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.

E.

Configure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.