Apr-2023 Google Professional-Cloud-Network-Engineer Actual Questions and Braindumps
NEW QUESTION 54
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
- Each on-premises router is configured with a unique ASN.
- Each on-premises router is configured with the same routes and priorities.
- Both on-premises routers are configured with a VPN connected to a single Cloud Router.
- BGP sessions are established between both on-premises routers and the Cloud Router.
- Only one of the on-premises routers' routes are being added to the routing table.
What is the most likely cause of this problem?
- A. You do not have a load balancer to load-balance the network traffic.
- B. The on-premises routers are configured with the same routes.
- C. The ASNs being used on the on-premises routers are different.
- D. A firewall is blocking the traffic across the second VPN connection.
Answer: A
NEW QUESTION 55
You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?
- A. Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.
- B. Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.
- C. Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.
- D. Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.
Answer: D
NEW QUESTION 56
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.
Which two products should you incorporate into the solution? (Choose two.)
- A. Cloud Audit logs
- B. VPC flow logs
- C. Stackdriver Trace
- D. Compute Engine instance system logs
- E. Firewall logs
Answer: A,C
Explanation:
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
NEW QUESTION 57
Your company's security team wants to limit the type of inbound traffic that can reach your web servers to protect against security threats. You need to configure the firewall rules on the web servers within your Virtual Private Cloud (VPC) to handle HTTP and HTTPS web traffic for TCP only. What should you do?
- A. Create an allow on match ingress firewall rule with the target tag "web-server" to allow all IP addresses for TCP port 80.
- B. Create an allow on match egress firewall rule with the target tag "web-server" to allow web server IP addresses for TCP ports 60 and 443.
- C. Create an allow on match ingress firewall rule with the target tag "web-server" to allow all IP addresses for TCP ports 80 and 443.
- D. Create an allow on match egress firewall rule with the target tag "web-server" to allow all IP addresses for TCP port 80.
Answer: C
NEW QUESTION 58
You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC-validating resolvers are unable to resolve names in your zone.
What should you do?
- A. Set the zone to the TRANSFER state.
- B. Transfer ownership of the domain to a new registrar.
- C. Disable DNSSEC at your domain registrar.
- D. Update the TTL for the zone.
Answer: C
Explanation:
Before disabling DNSSEC for a managed zone you want to use, you must deactivate DNSSEC at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.
Reference: https://cloud.google.com/dns/docs/dnssec-config
NEW QUESTION 59
You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?
- A. Configure a custom route advertisement on the Cloud Router.
- B. Enable IP forwarding in the asia-southeast1 region.
- C. Change the VPC dynamic routing mode to Global.
- D. Add a second Border Gateway Protocol (BGP) session to the Cloud Router.
Answer: C
NEW QUESTION 60
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)
- A. GetIamPolicy() via REST API
- B. gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
- C. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
- D. setIamPolicy() via REST API
- E. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
Answer: B,E
Explanation:
Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access
NEW QUESTION 61
You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the 172.16.45.0/24 network.
What should you do?
- A. Configure global load balancing to point 172.16.45.0/24 to the correct instance.
- B. Create unique DNS records for each service that sends traffic to the desired IP address.
- C. Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.
- D. Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.
Answer: B
NEW QUESTION 62
You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem.
What should you do?
- A. Configure VPC peering in a full mesh.
- B. Create network tags to allow connectivity between all three VPCs.
- C. Alter the routing table to resolve the asymmetric route.
- D. Delete the legacy network and recreate it to allow transitive peering.
Answer: A
Explanation:
https://cloud.google.com/vpc/docs/using-vpc-peering
NEW QUESTION 63
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?
- A. Check the VPC flow logs for the instance.
- B. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.
- C. Create a new firewall rule to allow traffic from port 22, and enable logs.
- D. Try connecting to the instance via SSH, and check the logs.
Answer: B
Explanation:
Ingress packets in VPC Flow Logs are sampled after ingress firewall rules. If an ingress firewall rule denies inbound packets, those packets are not sampled by VPC Flow Logs. We want to see the logs for blocked traffic so we have to look for them in firewall logs. https://cloud.google.com/vpc/docs/flow-logs#key_properties
NEW QUESTION 64
Your company's web server administrator is migrating on-premises backend servers for an application to GCP. Libraries and configurations differ significantly across these backend servers. The migration to GCP will be lift-and-shift, and all requests to the servers will be served by a single network load balancer frontend. You want to use a GCP-native solution when possible.
How should you deploy this service in GCP?
- A. Deploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers.
- B. Use GCP's ECMP capability to load-balance traffic to the backend servers by installing multiple equal-priority static routes to the backend servers.
- C. Create a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer.
- D. Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.
Answer: D
NEW QUESTION 65
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.
How should you configure the health check?
- A. Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.
- B. Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
- C. Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.
- D. Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
Answer: B
Explanation:
https://cloud.google.com/load-balancing/docs/health-checks
NEW QUESTION 66
You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC-validating resolvers are unable to resolve names in your zone.
What should you do?
- A. Set the zone to the TRANSFER state.
- B. Transfer ownership of the domain to a new registrar.
- C. Update the TTL for the zone.
- D. Disable DNSSEC at your domain registrar.
Answer: D
Explanation:
Before disabling DNSSEC for a managed zone you want to use, you must deactivate DNSSEC at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.
NEW QUESTION 67
You are migrating to Cloud DNS and want to import your BIND zone file.
Which command should you use?
- A. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
- B. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
- C. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
- D. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED_ZONE
Answer: A
Explanation:
Once you have the exported file from your other provider, you can use the gcloud dns record-sets import command to import it into your managed zone.
To import record sets, you use the dns record-sets import command. The --zone-file-format flag tells import to expect a BIND-formatted zone file. If you omit this flag, import expects a YAML-formatted records file.
https://medium.com/@prashantapaudel/gcp-certification-series-2-4-planning-and-configuring-network-resources-8045ac2cc2ac
NEW QUESTION 68
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?
- A. Community
- B. Local Preference
- C. Multi-exit Discriminator
- D. AS-Path
Answer: C
Explanation:
Reference: https://cloud.google.com/router/docs/concepts/overview
NEW QUESTION 69
You have created several preemptible Linux virtual machine instances using Google Compute Engine. You want to properly shut down your application before the virtual machines are preempted. What should you do?
- A. Create a shutdown script and use it as the value for a new metadata entry with the key shutdown-script in the Cloud Platform Console when you create the new virtual machine instance.
- B. Create a shutdown script named shutdown in the /etc/ directory.
- C. Create a shutdown script registered as a xinetd service in Linux and configure a StackDriver endpoint check to call the service.
- D. Create a shutdown script, registered as a xinetd service in Linux, and use the gcloud compute instances add-metadata command to specify the service URL as the value for a new metadata entry with the key shutdown-script-url
Answer: A
Explanation:
Running Shutdown Scripts "Create and run shutdown scripts that execute commands right before an instance is terminated or restarted, on a best-effort basis. This is useful if you rely on automated scripts to start up and shut down instances, allowing instances time to clean up or perform tasks, such as exporting logs, or syncing with other systems."
https://cloud.google.com/compute/docs/shutdownscript
To set up shutdown scripts, go to the GCP Console and follow these steps:
Compute Engine -> VM instance -> Create Instance -> (Expand) Management, disks, networking, SSH keys Enter the key "shutdown-script" and proper value
NEW QUESTION 70
You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
gcloud compute routes create no-ip-internet-route \
--network custom-network1 \
--destination-range 0.0.0.0/0 \
--next-hop-instance nat-gateway \
--next-hop-instance-zone us-central1-a \
--tags no-ip --priority 800
You want existing instances to use the new NAT gateway. Which command should you execute?
- A. gcloud compute instances add-tags [existing-instance] --tags no-ip
- B. gcloud compute instances create example-instance --network custom-network1 \
--subnet subnet-us-central \
--no-address \
--zone us-central1-a \
--image-family debian-9 \
--image-project debian-cloud \
--tags no-ip
- C. sudo sysctl -w net.ipv4.ip_forward=1
- D. gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=no-ip
Answer: B
Explanation:
Reference: https://cloud.google.com/vpc/docs/special-configurations
NEW QUESTION 71
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.
Which level of permissions should you request?
- A. Shared VPC Admin privileges from the Organization Admin.
- B. Organization Admin privileges from the Organization Admin.
- C. Service Project Admin privileges from the Shared VPC Admin.
- D. Security Admin privileges from the Shared VPC Admin.
Answer: D
Explanation:
Reference: https://cloud.google.com/vpc/docs/shared-vpc
NEW QUESTION 72
You are adding steps to a working automation that uses a service account to authenticate. You need to give the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?
- A. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.
- B. Grant the compute.instanceAdmin role to your user account.
- C. Grant the iam.serviceAccountUser role to your user account.
- D. Grant the read-only privilege to the service account for the Cloud Storage bucket.
Answer: C
Explanation:
Reference: https://cloud.google.com/compute/docs/access/iam
NEW QUESTION 73
You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.
What should you do on your on-premises servers?
- A. Remove the -m flag from the gsutil command to enable single-threaded transfers.
- B. Tune TCP parameters on the on-premises servers.
- C. Compress files using utilities like tar to reduce the size of data being sent.
- D. Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].
Answer: D
Explanation:
https://cloud.google.com/solutions/transferring-big-data-sets-to-gcp
NEW QUESTION 74
Your developer group works on a set of VMs frequently throughout the day. To save costs, you terminate the VMs when they are not in use. However, you need to preserve the contents of the disk when a VM is terminated so users can resume where they left off when a new one is created.
What is the most cost-effective way to do this? (Choose two.)
- A. Set the disk to no-auto-delete to preserve contents.
- B. When not in use, only stop the instance instead of deleting it.
- C. Back up the disk contents to Cloud Storage before deleting.
- D. Take a snapshot of the disk before terminating the VM.
Answer: A,B
Explanation:
A (Correct Answer) - Set the disk to no-auto-delete to preserve contents. Setting your instance to not delete the root disk when deleting the instance will preserve the disk contents so they can be attached to a new instance.
B (Correct Answer) - When not in use, only stop the instance instead of deleting it. Alternatively, you can merely stop the instance instead of deleting it, during which time you will not be billed for machine type usage (just disk storage).
C and D may work but are not suitable solutions, since the VMs may need to stop and resume frequently throughout the day.
More Information:
https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-disk-auto-delete
NEW QUESTION 75
You have installed Apache Tomcat 8.x on a Compute Engine instance in Google Cloud on port 8085, and you have also installed Jenkins on the same machine on a custom port. You have created a firewall rule that allows traffic to port 8085. You can see the Apache Tomcat page when you browse X.X.X.X:8085, but when you browse X.X.X.X:custom port, the Jenkins page doesn't load. What could be the possible solution? Please select the right choice.
- A. Create a firewall rule; select the correct subnet, create a target tag, attach it to the Compute Engine instance, and allow all protocols and ports.
- B. Create a firewall rule; select the correct network, select the target as all instances in the network, and specify the custom port and protocol.
- C. Create a firewall rule; select the correct network, create a target tag, attach the tag to the Compute Engine instance, and allow traffic to the custom port that is mapped to Jenkins.
- D. Create a firewall rule; select the correct subnet which has the Compute Engine instance, and allow all protocols and ports.
Answer: C
Explanation:
Option C is the correct choice because creating a tag, attaching it to the Compute Engine instance, and allowing traffic only to the custom port is the least permissive option.
Option B is incorrect because selecting the target as all instances in the network allows traffic to all instances.
Option A is incorrect because allowing all protocols and ports is a security risk; always follow the principle of least privilege.
Option D is incorrect because allowing all protocols and ports could lead to a security disaster; always follow the principle of least privilege.
NEW QUESTION 76
Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible. What should you do?
- A. Configure your VPC routing in global mode. Add an additional Cloud Interconnect VLAN attachment in the us-west2 region, and configure a Cloud Router in us-west2.
- B. Configure your VPC routing in global mode. Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.
- C. Configure your VPC routing in regional mode. Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.
- D. Configure your VPC routing in regional mode. Add additional Cloud Interconnect VLAN attachments in the us-west2 and us-central1 regions, and configure Cloud Routers in us-west2 and us-central1.
Answer: B
NEW QUESTION 77
......