Ensure Success With Updated Verified Professional-Cloud-Network-Engineer Exam Dumps [2024]
NEW QUESTION # 61
You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale.
How should you provision your instances?
- A. Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.
- B. Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.
- C. Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.
- D. Create a single managed instance group, specify the desired region, and select Multiple zones for the location.
Answer: B
Explanation:
Explanation/Reference: https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups
NEW QUESTION # 62
You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
gcloud compute routes create no-ip-internet-route \
--network custom-network1 \
--destination-range 0.0.0.0/0 \
--next-hop-instance nat-gateway \
--next-hop-instance-zone us-central1-a \
--tags no-ip --priority 800
You want existing instances to use the new NAT gateway. Which command should you execute?
- A. gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=no-ip
- B. gcloud compute instances create example-instance --network custom-network1 \
  --subnet subnet-us-central \
  --no-address \
  --zone us-central1-a \
  --image-family debian-9 \
  --image-project debian-cloud \
  --tags no-ip
- C. sudo sysctl -w net.ipv4.ip_forward=1
- D. gcloud compute instances add-tags [existing-instance] --tags no-ip
Answer: B
Explanation:
Reference:
https://cloud.google.com/vpc/docs/special-configurations
NEW QUESTION # 63
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.
What should you do?
- A. Configure a policy-based route rule to prioritize the traffic.
- B. Configure Dynamic Routing for the subnet hosting the application.
- C. Configure an HTTP load balancer, and direct the traffic to it.
- D. Configure the TTL for the DNS zone to decrease the time between updates.
Answer: C
Explanation:
Explanation/Reference: https://cloud.google.com/load-balancing/docs/tutorials/optimize-app-latency
NEW QUESTION # 64
You configured Cloud VPN with dynamic routing via Border Gateway Protocol (BGP). You added a custom route to advertise a network that is reachable over the VPN tunnel. However, the on-premises clients still cannot reach the network over the VPN tunnel. You need to examine the logs in Cloud Logging to confirm that the appropriate routes are being advertised over the VPN tunnel. Which filter should you use in Cloud Logging to examine the logs?
- A. resource.type="gce_router"
- B. resource.type="vpn_gateway"
- C. resource.type="vpn_tunnel"
- D. resource.type="gce_network_region"
Answer: C
NEW QUESTION # 65
You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.
How should you configure the Distribution VPC?
- A. Rename the default VPC as "Distribution" and peer it via network peering.
- B. Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.
- C. Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.
- D. Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.
Answer: B
NEW QUESTION # 66
Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2. What should you do?
- A. Enable firewall logging, and forward all filtered egress firewall logs to the IDS.
- B. Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.
- C. Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.
- D. Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.
Answer: C
NEW QUESTION # 67
You recently deployed Cloud VPN to connect your on-premises data center to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?
- A. In the Network Intelligence Center, check for the number of packet drops on the VPN.
- B. In the Monitoring section of the Google Cloud Console, use the Dashboard section to select a default dashboard for VPN usage.
- C. In the Google Cloud Console, use Monitoring Query Language to create a custom alert for bandwidth utilization.
- D. In the VPN section of the Google Cloud Console, select the VPN under hybrid connectivity, and then select monitoring to display utilization on the dashboard.
Answer: A
NEW QUESTION # 68
Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution.
Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year.
These are the assumptions for both GCP environments.
- Each organization has enabled full connectivity between all of its projects by using Shared VPC.
- Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.
- There are no prefix overlaps between the two organizations.
- Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.
- Neither organization has Interconnects to their on-premises environment.
You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.
Which two steps should you take? (Choose two.)
- A. Set up some variant of DNS forwarding and zone transfers in each organization.
- B. Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.
- C. Connect VPCs in both organizations using Cloud VPN together with Cloud Router.
- D. Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.
- E. Provision Cloud Interconnect to connect both organizations together.
Answer: D,E
NEW QUESTION # 69
You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.
Which two methods can you use to accomplish this? (Choose two.)
- A. Create a Cloud NAT, and route the application traffic via NAT gateway.
- B. Enable Private Google Access on the VPC.
- C. Enable Private Google Access on all the subnets.
- D. Create network peering between your VPC and BigQuery.
- E. Enable Private Services Access on the VPC.
Answer: A,B
NEW QUESTION # 70
You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.
What should you do on your on-premises servers?
- A. Tune TCP parameters on the on-premises servers.
- B. Remove the -m flag from the gsutil command to enable single-threaded transfers.
- C. Compress files using utilities like tar to reduce the size of data being sent.
- D. Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].
Answer: D
Explanation:
https://cloud.google.com/solutions/transferring-big-data-sets-to-gcp
NEW QUESTION # 71
You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.
What should you do?
- A. Create a new storage bucket, and move the object you don't want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute.
- B. Ensure that the object you don't want to be cached anymore is not shared publicly.
- C. Add an appropriate lifecycle rule on the storage bucket containing the two objects.
- D. Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies.
Answer: B
Explanation:
Explanation/Reference: https://developers.google.com/web/ilt/pwa/caching-files-with-service-worker
NEW QUESTION # 72
You are increasing your usage of Cloud VPN between on-premises and GCP, and you want to support more traffic than a single tunnel can handle. You want to increase the available bandwidth using Cloud VPN.
What should you do?
- A. Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.
- B. Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address.
- C. Add a second on-premises VPN gateway with a different public IP address. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.
- D. Add a second Cloud VPN gateway in a different region than the existing VPN gateway. Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.
Answer: C
NEW QUESTION # 73
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?
- A. Create the appropriate master authorized network entries to allow the instance to communicate to the master.
- B. Assign a public IP address to the instance.
- C. Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
- D. Create a route to reach the Master, pointing to the default internet gateway.
Answer: C
NEW QUESTION # 74
You are adding steps to a working automation that uses a service account to authenticate. You need to give the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?
- A. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.
- B. Grant the read-only privilege to the service account for the Cloud Storage bucket.
- C. Grant the iam.serviceAccountUser to your user account.
- D. Grant the compute.instanceAdmin to your user account.
Answer: B
NEW QUESTION # 75
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?
- A. Create a Cloud VPN instance.
  Create a policy-based VPN tunnel per subnet.
  Configure the appropriate local and remote traffic selectors to match your local and remote networks.
  Create the appropriate static routes.
- B. Create a Cloud VPN instance.
  Create a route-based VPN tunnel.
  Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.
  Configure the appropriate static routes.
- C. Create a Cloud VPN instance.
  Create a policy-based VPN tunnel.
  Configure the appropriate local and remote traffic selectors to match your local and remote networks.
  Configure the appropriate static routes.
- D. Create a Cloud VPN instance.
  Create a route-based VPN tunnel.
  Configure the appropriate local and remote traffic selectors to match your local and remote networks.
  Configure the appropriate static routes.
Answer: B
Explanation:
https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing
NEW QUESTION # 76
You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.
During troubleshooting you find:
- Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
- The subnetwork logs are not excluded from Stackdriver.
- The instance that is hosting the application can communicate outside the subnet.
- Other instances within the subnet can communicate outside the subnet.
- The external resource initiates communication.
What is the most likely cause of the missing log lines?
- A. The traffic is not matching the expected ingress rule.
- B. The traffic is not matching the expected egress rule.
- C. The traffic is matching the expected egress rule.
- D. The traffic is matching the expected ingress rule.
Answer: A
NEW QUESTION # 77
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)
- A. Shared VPC
- B. Cloud NAT
- C. VPC peering
- D. Cloud VPN
- E. Dedicated Interconnect
Answer: C,D
Explanation:
Google Cloud VPC Network Peering allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization.
NEW QUESTION # 78
You have the networking configuration shown in the diagram. Two VLAN attachments associated with two Dedicated Interconnect connections terminate on the same Cloud Router (mycloudrouter). The Interconnect connections terminate on two separate on-premises routers. You advertise the same prefixes from the Border Gateway Protocol (BGP) sessions associated with each of the VLAN attachments.
You notice an asymmetric traffic flow between the two Interconnect connections. Which of the following actions should you take to troubleshoot the asymmetric traffic flow?
- A. From the Google Cloud console, navigate to Cloud Logging to view VPC Flow Logs and review the results.
- B. From the Cloud CLI, run gcloud compute routers describe mycloudrouter.
- C. From the Google Cloud console, navigate to Hybrid Connectivity, select the Cloud Router, and view BGP sessions.
- D. From the Cloud CLI, run gcloud compute --project_ID router get-status mycloudrouter --region REGION and review the results.
Answer: D
Explanation:
The correct answer is B. From the Cloud CLI, run gcloud compute --project_ID router get-status mycloudrouter --region REGION and review the results.
This command will show you the BGP session status, the advertised and learned routes, and the last error for each VLAN attachment. You can use this information to troubleshoot the asymmetric traffic flow and identify any issues with the BGP configuration or the Interconnect connections.
The other options are not correct because:
Option A will only show you the BGP session status, but not the advertised and learned routes or the last error for each VLAN attachment.
Option C will only show you the VPC Flow Logs, which are useful for monitoring and troubleshooting network performance and security issues within your VPC network, but not for your Interconnect connections.
Option D will only show you the basic information about the Cloud Router, such as its name, region, network, and BGP settings, but not the detailed status of each VLAN attachment.
NEW QUESTION # 79
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)
- A. Shared VPC
- B. VPC peering
- C. Cloud NAT
- D. Dedicated Interconnect
- E. Cloud VPN
Answer: D,E
Explanation:
https://cloud.google.com/vpc/docs/vpc
NEW QUESTION # 80
You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection.
Which two actions can accomplish this? (Choose two.)
- A. Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.
- B. Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.
- C. Run gcloud compute interconnects describe <interconnect>.
- D. Check the email for the account of the NOC contact that you specified during the ordering process.
- E. Open a Cloud Support ticket under the Cloud Interconnect category.
Answer: B,D
NEW QUESTION # 81
You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection.
Which two actions can accomplish this? (Choose two.)
- A. Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.
- B. Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.
- C. Run gcloud compute interconnects describe <interconnect>.
- D. Check the email for the account of the NOC contact that you specified during the ordering process.
- E. Open a Cloud Support ticket under the Cloud Interconnect category.
Answer: A,D
NEW QUESTION # 82
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?
- A. AS-Path
- B. Community
- C. Local Preference
- D. Multi-exit Discriminator
Answer: D
Explanation:
https://cloud.google.com/router/docs/concepts/overview
NEW QUESTION # 83
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications:
* Your ISP is a Google Partner Interconnect provider.
* Your on-premises VPN device's internet uplink and downlink speeds are 10 Gbps.
* A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses.
* Most of the data transfer will be from GCP to the on-premises environment.
* The application can burst up to 1.5 Gbps during peak transfers over the Interconnect.
* Cost and the complexity of the solution should be minimal.
How should you provision the connectivity solution?
- A. Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.
- B. Use network compression over your VPN to increase the amount of data you can send over your VPN.
- C. Provision a Dedicated Interconnect instead of a VPN.
- D. Provision a Partner Interconnect through your ISP.
Answer: A
NEW QUESTION # 84
You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.
Which two actions should you take? (Choose two.)
- A. Create a private connection to a service producer.
- B. Create a custom static route to allow the traffic to reach the Cloud SQL API.
- C. Activate the Service Networking API in your project.
- D. Activate the Cloud Datastore API in your project.
- E. Enable Private Google Access.
Answer: A,C
Explanation:
Reference:
https://cloud.google.com/sql/docs/mysql/private-ip
NEW QUESTION # 85
You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:
* IP ranges for pods and services must be as small as possible.
* The nodes and the master must not be reachable from the internet.
* You must be able to use kubectl commands from on-premises subnets to manage the cluster.
How should you create the GKE cluster?
- A. * Create a VPC-native GKE cluster using GKE-managed IP ranges.
  * Set the pod IP range as /21 and service IP range as /24.
  * Set up a network proxy to access the master.
- B. * Create a VPC-native GKE cluster using user-managed IP ranges.
  * Enable privateEndpoint on the cluster master.
  * Set the pod and service ranges as /24.
  * Set up a network proxy to access the master.
  * Enable master authorized networks.
- C. * Create a private cluster that uses VPC advanced routes.
  * Set the pod and service ranges as /24.
  * Set up a network proxy to access the master.
- D. * Create a VPC-native GKE cluster using user-managed IP ranges.
  * Enable a GKE cluster network policy, set the pod and service ranges as /24.
  * Set up a network proxy to access the master.
  * Enable master authorized networks.
Answer: D
Explanation:
Reference:
https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips
Google Professional-Cloud-Network-Engineer certification is an excellent way for network engineers and architects to demonstrate their proficiency in cloud networking and gain recognition from the industry. Achieving this certification helps professionals to differentiate themselves from their peers and opens up new career opportunities. It also helps professionals to gain credibility with clients and employers, who recognize the value of cloud networking skills and expertise.