Free Professional Cloud Network Engineer Exam Professional-Cloud-Network-Engineer Exam Practice Test

You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.Which session affinity should you choose?

• None
• Client IP
• Client IP and protocol
• Client IP, port and protocol

You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers. What should you do?

• Configure a forwarding rule on the existing load balancer for the application tier.
• Configure equal cost multi-path routing on the application servers.
• Configure a new internal HTTP(S) load balancer for the application tier.
• Configure a URL map on the existing load balancer to route traffic to the application tier.

You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?

• Configure the remote autonomous system number (ASN) to 4096.
• Configure a second Cloud Router to scale bandwidth in and out of the VPC.
• Configure the maximum transmission unit (MTU) to its highest supported value.
• Configure a second set of active/passive VPN tunnels.

You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.What should you do?

• Configure a policy-based route rule to prioritize the traffic.
• Configure an HTTP load balancer, and direct the traffic to it.
• Configure Dynamic Routing for the subnet hosting the application.
• Configure the TTL for the DNS zone to decrease the time between updates.

You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.During troubleshooting you find:* Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.* The subnetwork logs are not excluded from Stackdriver.* The instance that is hosting the application can communicate outside the subnet.* Other instances within the subnet can communicate outside the subnet.* The external resource initiates communication.What is the most likely cause of the missing log lines?

• The traffic is matching the expected ingress rule.
• The traffic is matching the expected egress rule.
• The traffic is not matching the expected ingress rule.
• The traffic is not matching the expected egress rule.

You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.What should you do?

• Assign each user the editor role.
• Assign each user the compute.networkAdmin role.
• Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
• Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.

Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments. What should you do?

• Create a VPC firewall rule in each VPC to block traffic from any source, with priority 0.
• Create a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.
• Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.
• Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.

Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?

• Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.
• Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
• Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.
• Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.

You have several microservices running in a private subnet in an existing Virtual Private Cloud (VPC). You need to create additional serverless services that use Cloud Run and Cloud Functions to access the microservices. The network traffic volume between your serverless services and private microservices is low. However, each serverless service must be able to communicate with any of your microservices. You want to implement a solution that minimizes cost. What should you do?

• Deploy your serverless services to the serverless VPC. Peer the serverless service VPC to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
• Create a serverless VPC access connector for each serverless service. Configure the connectors to allow traffic between the serverless services and your existing microservices.
• Deploy your serverless services to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
• Create a serverless VPC access connector. Configure the serverless service to use the connector for communication to the microservices.

You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.What should you do?

• * Create a Cloud VPN instance.* Create a policy-based VPN tunnel per subnet.* Configure the appropriate local and remote traffic selectors to match your local and remote networks.* Create the appropriate static routes.
• * Create a Cloud VPN instance.* Create a policy-based VPN tunnel.* Configure the appropriate local and remote traffic selectors to match your local and remote networks.* Configure the appropriate static routes.
• * Create a Cloud VPN instance.* Create a route-based VPN tunnel.* Configure the appropriate local and remote traffic selectors to match your local and remote networks.* Configure the appropriate static routes.
• * Create a Cloud VPN instance.* Create a route-based VPN tunnel.* Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.* Configure the appropriate static routes.