Questions for the PROFESSIONAL CLOUD NETWORK ENGINEER were updated on : Oct 04 ,2024
You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be
able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular
instance across both services.
Which session affinity should you choose?
B
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block
project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been
configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?
B
Explanation:
Reference: https://cloud.google.com/compute/docs/storing-retrieving-metadata
You have a storage bucket that contains the following objects:
- folder-a/image-a-1.jpg
- folder-a/image-a-2.jpg
- folder-b/image-b-1.jpg
- folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the
cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?
C
Your organization is deploying a single project for 3 separate departments. Two of these departments require network
connectivity between each other, but the third department should remain in isolation. Your design should create separate
network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?
A
Explanation:
Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other
securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as
subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies
across the projects.
With Shared VPC and IAM controls, you can separate network administration from project administration. This separation
helps you implement the principle of least privilege. For example, a centralized network team can administer the network
without having any permissions into the participating projects. Similarly, the project admins can manage their project
resources without any permissions to manipulate the shared network.
Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
gcloud compute routes create no-ip-internet-route \
--network custom-network1 \
--destination-range 0.0.0.0/0 \
--next-hop instance nat-gateway \
--next-hop instance-zone us-central1-a \
--tags no-ip --priority 800
You want existing instances to use the new NAT gateway.
Which command should you execute?
D
Explanation:
Reference: https://cloud.google.com/vpc/docs/special-configurations
You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.
Which NAT solution should you use?
A
Explanation:
Reference: https://cloud.google.com/nat/docs/overview
Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with
each other. You want to minimize cost and increase network efficiency.
How should you design this topology?
D
Explanation:
VPC Network Peering enables you to peer VPC networks so that workloads in different VPC networks can communicate in
private RFC 1918 space. Traffic stays within Google's network and doesn't traverse the public internet.
Reference: https://cloud.google.com/vpc/docs/vpc-peering
You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are
exposed between departments. Your Production and Staging departments can communicate with each other, but only via
specific networks. You want to follow Google-recommended practices.
How should you design this topology?
D
Explanation:
Reference: https://cloud.google.com/vpc/docs/shared-vpc
You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team
as efficiently as possible.
What should you do?
A
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-
premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device
supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?
D
Explanation:
Reference: https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine
Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises
environment to GCP, given these specifications:
Your ISP is a Google Partner Interconnect provider.
Your on-premises VPN devices internet uplink and downlink speeds are 10 Gbps.
A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due
to packet losses. Most of the data transfer will be from GCP to the on-premises environment.
The application can burst up to 1.5 Gbps during peak transfers over the Interconnect. Cost and the complexity of the
solution should be minimal.
How should you provision the connectivity solution?
C
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud
Interconnect VLAN attachments.
What should you do?
C
You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud
Storage. You want to ensure that none of the application instances have external IP addresses.
Which two methods can you use to accomplish this? (Choose two.)
B E
You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the
172.16.45.0/24 network.
What should you do?
B
You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage
buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You
notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth
utilization of the connection.
What should you do on your on-premises servers?
A