Easy To Download Google Professional-Cloud-Network-Engineer Exam Dumps Updated 236 Questions [Q135-Q159]


New Updated Professional-Cloud-Network-Engineer Exam Questions 2026

NEW QUESTION # 135
Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?

  • A. Firewall rule direction: ingress
    Action: allow
    Target: VM B service account
    Source ranges: VM A service account
    Priority: 1000
  • B. Firewall rule direction: ingress
    Action: allow
    Target: specific VM A tag
    Source ranges: VM B tag and VM B source IP address
    Priority: 100
  • C. Firewall rule direction: ingress
    Action: allow
    Target: VM A service account
    Source ranges: VM B service account and VM B source IP address
    Priority: 100
  • D. Firewall rule direction: ingress
    Action: allow
    Target: specific VM B tag
    Source ranges: VM A tag and VM A source IP address
    Priority: 1000

Answer: A

Explanation:
Google's recommended practice is to scope firewall rules by service account rather than by network tag: a tag can be changed by anyone who can edit the instance, while a service account is controlled through IAM. Every VPC network carries two implied rules, allow-all egress and deny-all ingress, so the only rule needed is an ingress allow whose target is VM B's service account and whose source is VM A's service account (option A). Because VPC firewall rules are stateful, VM B's replies flow back without a rule in the other direction. Options B and C reverse the direction (target VM A, source VM B) and would allow VM B to initiate connections to VM A instead; option D uses tags rather than service accounts. Priority 1000 is the default for a new rule and is irrelevant here because no other rule exists.

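As an added illustration (not part of the question bank and not Google's implementation), the following Python model of a VPC network's implied rules plus service-account-keyed ingress rules checks which directions option A and the reversed rule from options B and C actually permit. The service-account names are made up.

```python
"""Toy VPC firewall evaluator: which directions does a rule set allow
between VM A and VM B? (Added example; not Google's implementation.)

Models the two implied rules of every VPC network, allow-all egress and
deny-all ingress at priority 65535, plus explicit rules whose target and
source are service accounts, as Google recommends over network tags.
"""
from dataclasses import dataclass

# Constructed service accounts; substitute your own.
SA_A = "vm-a@example-project.iam.gserviceaccount.com"
SA_B = "vm-b@example-project.iam.gserviceaccount.com"


@dataclass(frozen=True)
class Rule:
    direction: str                    # "INGRESS" or "EGRESS"
    action: str                       # "allow" or "deny"
    priority: int                     # 0..65535, lower number wins
    targets: frozenset                # service accounts the rule applies to
    sources: frozenset = frozenset()  # source service accounts (ingress only)


def _verdict(rules, direction, vm_sa, peer_sa, implied_allow):
    """Apply the matching rule with the lowest priority number, else the
    implied rule. In this toy, egress rules match on target only; ingress
    rules must also list the peer's service account as a source."""
    matching = [
        r for r in rules
        if r.direction == direction
        and vm_sa in r.targets
        and (direction == "EGRESS" or peer_sa in r.sources)
    ]
    if not matching:
        return implied_allow
    return min(matching, key=lambda r: r.priority).action == "allow"


def allows_flow(rules, src_sa, dst_sa):
    """A new connection needs egress permitted at the source (implied
    allow) and ingress permitted at the destination (implied deny)."""
    return (_verdict(rules, "EGRESS", src_sa, dst_sa, True)
            and _verdict(rules, "INGRESS", dst_sa, src_sa, False))


def allowed_directions(rules):
    return {"A->B": allows_flow(rules, SA_A, SA_B),
            "B->A": allows_flow(rules, SA_B, SA_A)}


# Option A: ingress allow, target VM B's service account, source VM A's.
OPTION_A = [Rule("INGRESS", "allow", 1000, frozenset({SA_B}), frozenset({SA_A}))]
# The rule options B and C describe, with target and source swapped.
REVERSED = [Rule("INGRESS", "allow", 100, frozenset({SA_A}), frozenset({SA_B}))]

if __name__ == "__main__":
    print("option A:", allowed_directions(OPTION_A))   # A->B True, B->A False
    print("reversed:", allowed_directions(REVERSED))   # A->B False, B->A True
    print("no rules:", allowed_directions([]))          # both False
```

The model only decides whether a new connection may be opened; replies ride on the established connection because VPC firewalling is stateful, which is why no second rule is needed for VM B to answer.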

NEW QUESTION # 136
You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.
Which connectivity model should you use?

  • A. Dedicated Interconnect
  • B. Partner Interconnect with a layer 3 partner
  • C. Partner Interconnect with a layer 2 partner
  • D. Direct Peering

Answer: B

Explanation:
https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview For Layer 3 connections, your service provider establishes a BGP session between your Cloud Routers and their edge routers for each VLAN attachment. You don't need to configure BGP on your on-premises router. Google and your service provider automatically set the correct configurations.
https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview#connectivity-type


NEW QUESTION # 137
You are designing a new global application using Compute Engine instances that will be exposed by a global HTTP(S) load balancer. You need to secure your application from distributed denial-of-service and application layer (layer 7) attacks. What should you do?

  • A. Configure hierarchical firewall rules for the global HTTP(S) load balancer public IP address at the organization level.
  • B. Configure VPC Service Controls and create a secure perimeter. Define fine-grained perimeter controls and enforce that security posture across your Google Cloud services and projects.
  • C. Configure VPC firewall rules to protect the Compute Engine instances against distributed denial-of-service attacks.
  • D. Configure a Google Cloud Armor security policy in your project, and attach it to the backend service to secure the application.

Answer: D

Explanation:
A Google Cloud Armor security policy is attached to the backend service behind the external HTTP(S) load balancer and provides DDoS protection together with WAF rules, including the preconfigured OWASP ModSecurity Core Rule Set signatures for layer 7 attacks. The load balancer's public IP terminates at Google's edge, not on a VM, so VPC firewall rules (C) and hierarchical firewall policies (A) never see that traffic and cannot filter it. VPC Service Controls (B) builds a perimeter around Google-managed service APIs to limit data exfiltration; it does nothing for a web application exposed through a load balancer.


NEW QUESTION # 138
Question:
You are configuring the firewall endpoints as part of the Cloud Next Generation Firewall (Cloud NGFW) intrusion prevention service in Google Cloud. You have configured a threat prevention security profile, and you now need to create an endpoint for traffic inspection. What should you do?

  • A. Create a Private Service Connect endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.
  • B. Attach the profile to the VPC network, create a firewall endpoint within the zone, and use a firewall policy rule to apply the L7 inspection.
  • C. Create a firewall endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.
  • D. Create a firewall endpoint within the region, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Answer: C

Explanation:
Cloud NGFW firewall endpoints are zonal resources created at the organization level. To inspect traffic you create the endpoint in the zone where the workloads run, associate the endpoint with the VPC network, and then add a firewall policy rule whose action is apply_security_profile_group, referencing a security profile group that contains the threat prevention profile. Option D is wrong because endpoints are zonal, not regional, so each zone with workloads to inspect needs its own endpoint; option B is wrong because the profile is bound through a security profile group in the policy rule, not attached to the VPC; Private Service Connect endpoints (A) play no part in this feature.
Reference: Google Cloud - Cloud NGFW


NEW QUESTION # 139
You recently deployed Cloud VPN to connect your on-premises data center to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

  • A. In the Google Cloud console, use Monitoring Query Language to create a custom alert for bandwidth utilization.
  • B. In Network Intelligence Center, check for the number of packet drops on the VPN.
  • C. In the Monitoring section of the Google Cloud console, use the Dashboard section to select a default dashboard for VPN usage.
  • D. In the VPN section of the Google Cloud console, select the VPN under hybrid connectivity and then select monitoring to display utilization on the dashboard.

Answer: A

Explanation:
Only an alerting policy meets the "set up alerts" part of the requirement. A custom alert written in Monitoring Query Language on the tunnel throughput metrics (vpn.googleapis.com/network/sent_bytes_count and received_bytes_count) lets you set a threshold just under the per-tunnel limit and be notified when it is approached, which is the signal for adding tunnels or moving to Dedicated Interconnect. The VPN dashboards (C, D) and the packet-drop view in Network Intelligence Center (B) show utilization after the fact but do not alert. Google has since marked MQL as deprecated in favor of PromQL for new alerting policies; the mechanism, a threshold alert on the tunnel bandwidth metric, is the same.


NEW QUESTION # 140
Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP environments.
* Each organization has enabled full connectivity between all of its projects by using Shared VPC.
* Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.
* There are no prefix overlaps between the two organizations.
* Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.
* Neither organization has Interconnects to their on-premises environment.
You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.
Which two steps should you take? (Choose two.)

  • A. Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.
  • B. Connect VPCs in both organizations using Cloud VPN together with Cloud Router.
  • C. Provision Cloud Interconnect to connect both organizations together.
  • D. Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC
  • E. Set up some variant of DNS forwarding and zone transfers in each organization.

Answer: B,E

Explanation:
Cloud Interconnect (C) connects an on-premises network to Google, not two Google Cloud organizations, and Shared VPC cannot span organizations (D). Since the two address spaces do not overlap, Cloud VPN tunnels with Cloud Router exchanging routes over BGP (B) connect the Shared VPC networks of the two organizations in hours, using the existing 10.0.0.0/8 firewall rules. For names, DNS forwarding or zone transfers between the two custom DNS solutions (E) keeps each organization authoritative for its own domain for the one-year transition; recreating every A record in Cloud DNS (A) would be slow and would drift from the source of truth. VPC Network Peering also works across organizations and avoids the VPN's per-tunnel bandwidth limit, but it is not among the options.


NEW QUESTION # 141
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)
  • A. GetIamPolicy() via REST API
  • B. setIamPolicy() via REST API
  • C. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • D. gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • E. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

Answer: D,E

Explanation:
Project-level roles are bindings in the project's IAM policy, so the scriptable method is gcloud projects add-iam-policy-binding (D), which performs the read-modify-write of the policy for you; the Console's Add members dialog (E) is the manual equivalent. The gcloud pubsub variant (C) binds a role on a Pub/Sub topic or subscription, not on the project. getIamPolicy() (A) only reads the policy, and setIamPolicy() (B) on its own is not a safe grant: it replaces the whole policy, so a script must first call getIamPolicy(), add the binding, and write the policy back with the etag it read so that a concurrent change is rejected rather than overwritten.
Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access


NEW QUESTION # 142
Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design. What should you do?

  • A. Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server.
    Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.
  • B. Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server.
    Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs.
  • C. Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.
    Configure DNS peering from the spoke VPCs to the hub VPC.
  • D. Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs.
    Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

Answer: C

Explanation:
The hub VPC is where the hybrid connectivity terminates, so it is the one place that can reach the on-premises DNS servers and be reached by them. Host the private zone there, add a forwarding zone that sends queries for the on-premises domains to the on-premises servers, and configure an inbound server policy on the hub VPC so on-premises resolvers can query Cloud DNS over the VPN or Interconnect. Each spoke then gets a DNS peering zone pointing at the hub, so spokes resolve both Cloud DNS private zones and on-premises names through it. Options A and B misuse alternate name servers, which would send every query from those VPCs to on-premises instead of only the on-premises domains; option D misstates DNS policies, since inbound policies accept queries from on-premises, not from other VPCs. Note that option C does not spell out the inbound server policy, but it is required for the on-premises side to resolve the private zones.


NEW QUESTION # 143
You have the following private Google Kubernetes Engine (GKE) cluster deployment:

You have a virtual machine (VM) deployed in the same VPC in the subnetwork kubernetes-management with internal IP address 192.168.40.2/24 and no external IP address assigned. You need to communicate with the cluster master using kubectl. What should you do?

  • A. Add the network 192.168.36.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2
  • B. Add an external IP address to the VM, and add this IP address in the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 35.224.37.17.
  • C. Add the network 192.168.38.0/28 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2
  • D. Add the network 192.168.40.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.

Answer: D

Explanation:
Master authorized networks lists the source ranges that may reach the control plane, so it must contain the subnet the VM sends from, 192.168.40.0/24. With no external IP the VM reaches the control plane's private endpoint, 192.168.38.2. Option C adds the control plane's own /28 range, which is not where the client is; option A adds an unrelated subnet; option B gives the VM a public IP and uses the public endpoint 35.224.37.17, which defeats the purpose of a private cluster.


NEW QUESTION # 144
You are increasing your usage of Cloud VPN between on-premises and GCP, and you want to support more traffic than a single tunnel can handle. You want to increase the available bandwidth using Cloud VPN.
What should you do?

  • A. Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address.
  • B. Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.
  • C. Add a second on-premises VPN gateway with a different public IP address. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.
  • D. Add a second Cloud VPN gateway in a different region than the existing VPN gateway. Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.

Answer: C

Explanation:
A Cloud VPN tunnel is the unit of bandwidth (about 3 Gbps for ingress and egress combined), so more bandwidth means more tunnels, and with Classic VPN each tunnel on the same Cloud VPN gateway must point at a distinct peer address. Adding a second on-premises gateway with its own public IP and a second tunnel for the same ranges (C) gives two tunnels to spread traffic over. Option A is not a valid configuration because both tunnels would share the peer address; changing the MTU (B) does not raise a tunnel's limit; option D puts the second tunnel in another region, which is a redundancy topology rather than a capacity one. Today the recommended way to get this effect is an HA VPN gateway: each of its two interfaces carries a tunnel, Cloud Router exchanges routes over BGP, and traffic is balanced across the tunnels with ECMP.
https://cloud.google.com/network-connectivity/docs/vpn/concepts/classic-topologies#redundancy-options


NEW QUESTION # 145
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?

  • A. Assign members of the networking team the compute.networkAdmin role.
  • B. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
  • C. Assign members of the networking team the compute.networkUser role.
  • D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

Answer: A

Explanation:
roles/compute.networkAdmin grants create, modify and delete on networking resources except firewall rules and SSL certificates, for which it is read-only, which is exactly the split between the networking team and the security team. roles/compute.networkUser (C) only lets members use Shared VPC subnets; roles/compute.networkViewer (D) is read-only for everything, and a predefined role cannot have a permission added to it. The custom role in B lacks compute.firewalls.get, so the team could list rules but not read one, and it has none of the subnet, route or other permissions needed to manage the network.
Reference: https://cloud.google.com/compute/docs/access/iam


NEW QUESTION # 146
You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.
Which connection type should you choose?

  • A. Direct Peering
  • B. Carrier Peering
  • C. Dedicated Interconnect
  • D. Partner Interconnect

Answer: A

Explanation:
When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC networks in your projects. Google Cloud customers must request that direct egress pricing be enabled for each of their projects after they have established Direct Peering with Google. For more information, see Pricing.


NEW QUESTION # 147
You need to migrate multiple PostgreSQL databases from your on-premises data center to Google Cloud.
You want to significantly improve the performance of your databases while minimizing changes to your data schema and application code. You expect to exceed 150 TB of data per geographical region. You want to follow Google-recommended practices and minimize your operational costs. What should you do?

  • A. Migrate your data to Bigtable.
  • B. Migrate your data to AlloyDB.
  • C. Migrate your data to Spanner.
  • D. Migrate your data to Firebase.

Answer: B

Explanation:
Taking each option against the requirements (PostgreSQL compatibility, a significant performance improvement, minimal schema and code changes, large data volumes, Google-recommended practice and low operational cost):
A. Migrate your data to Bigtable: Bigtable is a highly scalable NoSQL wide-column store. It is not compatible with PostgreSQL and requires a completely different data model and application logic.
B. Migrate your data to AlloyDB: AlloyDB for PostgreSQL is a fully managed, PostgreSQL-compatible database service that offers significant performance improvements over standard PostgreSQL due to its architectural optimizations. Because it is wire-compatible with PostgreSQL, schema and application changes are minimal. This matches the requirements for performance, minimal changes and Google's recommended path for PostgreSQL workloads.
C. Migrate your data to Spanner: Spanner is a globally distributed, horizontally scalable database with strong consistency. Even with its PostgreSQL interface it is not a drop-in replacement, and migrating would require schema and application changes because of differences in data modeling and SQL dialect.
D. Migrate your data to Firebase: Firebase is a suite of mobile and web development tools whose databases, Firestore and the Realtime Database, are NoSQL document stores. They are not PostgreSQL-compatible and would require substantial changes to the data model and application code.
AlloyDB is therefore the keyed answer: PostgreSQL compatibility for minimal migration effort, a large performance gain, and a Google-recommended managed service. Before committing, check the 150 TB per region figure against AlloyDB's current per-cluster storage limit on the AlloyDB quotas page, since that limit has changed over time.
Google Cloud Documentation References:
AlloyDB for PostgreSQL Overview: https://cloud.google.com/alloydb/docs/overview - This document highlights AlloyDB's PostgreSQL compatibility, performance benefits, scalability, and suitability for migrating existing PostgreSQL workloads.
Spanner Overview: https://cloud.google.com/spanner/docs/overview - This emphasizes Spanner's unique features and differences from traditional relational databases like PostgreSQL.
Firebase Documentation: https://firebase.google.com/docs - This outlines the features of Firebase, including Firestore and Realtime Database, highlighting their NoSQL nature and incompatibility with PostgreSQL.
Cloud Bigtable Overview: https://cloud.google.com/bigtable/docs/overview - This describes Bigtable as a NoSQL database, emphasizing its differences from relational databases like PostgreSQL.


NEW QUESTION # 148
You are configuring a new instance of Cloud Router in your Organization's Google Cloud environment to allow connection across a new Dedicated Interconnect to your data center. Sales, Marketing, and IT each have a service project attached to the Organization's host project.
Where should you create the Cloud Router instance?

  • A. VPC network in all projects
  • B. VPC network in the Host Project
  • C. VPC network in the IT Project
  • D. VPC network in the Sales, Marketing, and IT Projects

Answer: B

Explanation:
With Shared VPC the network, its subnets, the VLAN attachment and the Cloud Router that runs BGP for the Dedicated Interconnect all belong to the host project; service projects consume the shared subnets but cannot create hybrid connectivity in them. One Cloud Router in the host project's VPC network, in the region of the VLAN attachment, advertises the shared subnets and serves all three service projects.


NEW QUESTION # 149
You need to enable Cloud CDN for all the objects inside a storage bucket. You want to ensure that all the objects in the storage bucket can be served by the CDN.
What should you do in the GCP Console?

  • A. Create a new TCP load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
  • B. Create a new SSL proxy load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
  • C. Create a new cloud storage bucket, and then enable Cloud CDN on it.
  • D. Create a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.

Answer: D

Explanation:
Cloud CDN caches content served through an external HTTP(S) load balancer. The bucket is added as a backend bucket of that load balancer and Cloud CDN is enabled on the backend bucket; there is no way to enable Cloud CDN on a bucket directly (C), and TCP proxy and SSL proxy load balancers (A, B) have no CDN integration. For the CDN to serve every object, the objects must be readable by allUsers, or you must serve them through signed URLs or signed cookies.


NEW QUESTION # 150
You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identify the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?

  • A. Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.
  • B. Enable firewall logs, and view the logs in Firewall Insights.
  • C. Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.
  • D. Enable VPC Flow Logs, and view the logs in Cloud Logging.

Answer: C

Explanation:
Google Cloud Armor decisions are recorded in the external HTTP(S) load balancer's request logs, not in VPC firewall logs or VPC Flow Logs, which only see traffic at the VM level below the load balancer's proxy. Enable logging on the backend service with a sample rate of 1.0 so that no request is dropped from the logs, then filter in Cloud Logging on jsonPayload.enforcedSecurityPolicy: each entry records the policy name, the priority of the rule that matched, the outcome (ACCEPT or DENY) and, for preconfigured WAF rules, the signature IDs that fired. Option A is wrong because Cloud Armor audit logs only record changes to the policy itself.

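As an added example (not part of the question bank and not a Google tool), the following Python picks the responsible rule out of load-balancer log entries. The three entries are constructed to match the documented field names of jsonPayload.enforcedSecurityPolicy; the policy name, URLs and counts are made up.

```python
"""Pick out the Google Cloud Armor rule that is denying requests from
external HTTP(S) load balancer log entries. Added example; the entries
below are constructed to follow the documented field names, not taken
from a real project.
"""
import json
from collections import Counter


def _entry(url, status, priority, outcome, action, sigs=None):
    """Build one log entry (as a JSON string) in the shape Cloud Logging emits."""
    policy = {"name": "app-policy", "priority": priority,
              "outcome": outcome, "configuredAction": action}
    if sigs:
        policy["preconfiguredExprIds"] = sigs
    return json.dumps({"httpRequest": {"requestUrl": url, "status": status},
                       "jsonPayload": {"enforcedSecurityPolicy": policy}})


# Constructed sample: two denies by one preconfigured SQLi signature (the
# second is the kind of false positive a legitimate apostrophe triggers)
# and one request accepted by the default rule (priority 2147483647).
SAMPLE_LOG_LINES = [
    _entry("https://app.example.com/login?user=%27%20OR%201%3D1--", 403,
           1000, "DENY", "DENY", ["owasp-crs-v030301-id942100-sqli"]),
    _entry("https://app.example.com/search?q=O%27Brien", 403,
           1000, "DENY", "DENY", ["owasp-crs-v030301-id942100-sqli"]),
    _entry("https://app.example.com/", 200, 2147483647, "ACCEPT", "ALLOW"),
]


def denied_requests(log_lines):
    """Yield (policy, rule priority, signature ids, url) for each DENY."""
    for line in log_lines:
        entry = json.loads(line)
        sp = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy")
        if not sp or sp.get("outcome") != "DENY":
            continue
        yield (sp["name"], sp["priority"],
               tuple(sp.get("preconfiguredExprIds", [])),
               entry["httpRequest"]["requestUrl"])


def blocking_rules(log_lines):
    """Deny count per (policy, rule priority, signatures)."""
    return Counter((p, prio, sigs) for p, prio, sigs, _ in denied_requests(log_lines))


def top_blocking_rule(log_lines):
    """The rule behind the most denies, as ((policy, priority, sigs), count)."""
    ranked = blocking_rules(log_lines).most_common(1)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    for policy, prio, sigs, url in denied_requests(SAMPLE_LOG_LINES):
        print(f"{policy} rule {prio} {list(sigs)} blocked {url}")
    print("top:", top_blocking_rule(SAMPLE_LOG_LINES))
```

Against a real project, export the entries with a filter such as resource.type="http_load_balancer" AND jsonPayload.enforcedSecurityPolicy.outcome="DENY" and pass each entry to these functions as a JSON string; the signature ID and the blocked URLs together tell you whether to tune the rule's sensitivity or exclude a parameter rather than disable the rule.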

NEW QUESTION # 151
You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.
Which NAT solution should you use?

  • A. An instance with IP forwarding enabled
  • B. An instance configured with iptables SNAT rules
  • C. An instance configured with iptables DNAT rules
  • D. Cloud NAT

Answer: D

Explanation:
Cloud NAT is the managed option and avoids running and patching a NAT instance. Besides Public NAT for internet egress, it now offers Private NAT between VPC networks and Hybrid NAT for translation between a VPC network and on-premises networks reached over Cloud Interconnect or Cloud VPN. Older versions of this question pre-date Hybrid NAT, when Cloud NAT covered internet egress only and an instance with iptables SNAT rules was the expected answer; check the current Cloud NAT documentation for the connectivity types Hybrid NAT supports before relying on it.


NEW QUESTION # 152
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.
What should you do?

  • A. Configure the TTL for the DNS zone to decrease the time between updates.
  • B. Configure a policy-based route rule to prioritize the traffic.
  • C. Configure Dynamic Routing for the subnet hosting the application.
  • D. Configure an HTTP load balancer, and direct the traffic to it.

Answer: D

Explanation:
The network load balancer is a regional passthrough balancer, so every user still travels to us-central1. The external HTTP(S) load balancer uses a single anycast IP announced from Google's global edge: the user's TCP and TLS connection terminates at the nearest edge, in Asia, and the request rides Google's backbone to the backend. Adding a backend instance group in an Asian region behind the same load balancer then serves those users locally. DNS TTL (A), policy-based routes (B) and dynamic routing (C) do not change where the application is served from.


NEW QUESTION # 153
You have the networking configuration shown in the diagram. A pair of redundant Dedicated Interconnect connections (int-lga1 and int-lga2) terminate on the same Cloud Router. The Interconnect connections terminate on two separate on-premises routers. You are advertising the same prefixes from the Border Gateway Protocol (BGP) sessions associated with the Dedicated Interconnect connections. You need to configure one connection as Active for both ingress and egress traffic. If the active Interconnect connection fails, you want the passive Interconnect connection to automatically begin routing all traffic. Which two actions should you take to meet this requirement? (Choose Two)

  • A. Configure the advertised route priority > 10,200 on the active Interconnect connection.
  • B. Advertise a lower MED on the passive Interconnect connection from the on-premises router
  • C. Configure the advertised route priority as 200 for the BGP session associated with the active Interconnect connection.
  • D. Configure the advertised route priority as 200 for the BGP session associated with the passive Interconnect connection.
  • E. Advertise a lower MED on the active Interconnect connection from the on-premises router

Answer: D,E

Explanation:
Two independent path selections have to favor the same link, and in both the lower MED wins:
* Ingress (on-premises to Google Cloud): Cloud Router advertises your VPC prefixes with a base priority of 100 on every BGP session, and your on-premises routers receive that value as the BGP MED. Raising the advertised route priority to 200 on the passive session (D) leaves the active session at the default 100, so the on-premises side prefers the active connection. Option C does the opposite and would move ingress traffic to the passive link. Option A also penalizes the active connection, and there is no need for an unusually large value.
* Egress (Google Cloud to on-premises): Cloud Router chooses among learned routes by the MED the on-premises routers send. Advertising a lower MED on the active connection (E) makes Cloud Router send traffic over it; option B would steer egress traffic to the passive link.
* Failover: when the active Interconnect connection goes down, its BGP session drops and its routes are withdrawn on both sides, so Cloud Router and the on-premises routers are left with only the routes learned over the passive connection and switch to it without manual intervention.
Because the two connections terminate on different on-premises routers, the on-premises side must compare the MEDs across both routers (for example over an iBGP session between them) for the ingress preference to take effect.

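As an added example (not part of the question bank and not from the Cloud Router documentation), the following Python models the two selections and the failover. It assumes the on-premises routers share their learned routes so that the MED comparison is meaningful; the session names and MED values are constructed.

```python
"""Active/passive selection over two Dedicated Interconnect BGP sessions.
Added example; session names and values are constructed.

Ingress: on-premises picks the path with the lowest MED, which is the
advertised route priority Cloud Router sets on that session.
Egress: Cloud Router picks the path with the lowest MED sent by the
on-premises router. A session that is down contributes no route.
"""
from dataclasses import dataclass

DEFAULT_ADVERTISED_PRIORITY = 100   # Cloud Router's base advertised priority


@dataclass
class BgpSession:
    name: str
    advertised_priority: int   # Cloud Router -> on-prem; the MED on-prem sees
    onprem_med: int            # on-prem -> Cloud Router
    up: bool = True


def best_path(sessions, med_of):
    """Name of the live session with the lowest MED, "ECMP:..." on a tie,
    or None when no session is up."""
    live = [s for s in sessions if s.up]
    if not live:
        return None
    lowest = min(med_of(s) for s in live)
    winners = [s.name for s in live if med_of(s) == lowest]
    # Equal MEDs mean traffic is spread over both links, not active/passive.
    return winners[0] if len(winners) == 1 else "ECMP:" + "+".join(winners)


def selected_paths(sessions):
    return {"ingress": best_path(sessions, lambda s: s.advertised_priority),
            "egress": best_path(sessions, lambda s: s.onprem_med)}


def build(active_priority, passive_priority, active_med, passive_med,
          active_up=True):
    """int-lga1 is meant to be active, int-lga2 passive."""
    return [BgpSession("int-lga1", active_priority, active_med, active_up),
            BgpSession("int-lga2", passive_priority, passive_med)]


if __name__ == "__main__":
    # Options D + E: passive priority raised to 200, lower MED on active.
    keyed = build(DEFAULT_ADVERTISED_PRIORITY, 200, 100, 200)
    print("keyed answer:", selected_paths(keyed))
    print("active down: ", selected_paths(build(100, 200, 100, 200, active_up=False)))
    # Option C instead of D: priority 200 on the active session.
    print("option C:    ", selected_paths(build(200, 100, 100, 200)))
    # Nothing changed from defaults: both links share traffic.
    print("defaults:    ", selected_paths(build(100, 100, 100, 100)))
```

The option C run shows why the original key was inconsistent: raising the active session's advertised priority to 200 sends ingress traffic over the passive link, while the failover run shows that no extra configuration is needed once the active session's routes disappear.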

NEW QUESTION # 154
Your organization has a subset of applications in multiple regions that require internet access. You need to control internet access from applications to URLs, including hostnames and paths. The compute instances that run these applications have an associated secure tag. What should you do?

  • A. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match the secure tag.
  • B. Deploy a Secure Web Proxy instance in each region. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.
  • C. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match a service account.
  • D. Deploy a single Secure Web Proxy instance with global access enabled. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.

Answer: B

Explanation:
Controlling access by URL path as well as hostname is a proxy function, which is what Secure Web Proxy provides: its policy rules match the source by secure tag and the destination by a URL list that can contain hostnames and paths. Secure Web Proxy instances are regional, so workloads in several regions need an instance in each region (B); there is no global-access mode for a single instance (D). Cloud NAT only translates addresses for egress; the FQDN filtering in options A and C comes from Cloud NGFW firewall policy rules with FQDN objects, which match domain names but cannot see URL paths, so neither meets the requirement.


NEW QUESTION # 155
You create multiple Compute Engine virtual machine instances to be used as TFTP servers.
Which type of load balancer should you use?

  • A. SSL proxy load balancer
  • B. Network load balancer
  • C. TCP proxy load balancer
  • D. HTTP(S) load balancer

Answer: B

Explanation:
TFTP runs over UDP (port 69). Only the passthrough network load balancer forwards UDP; the TCP proxy, SSL proxy and HTTP(S) load balancers terminate TCP connections at Google's proxies and cannot carry UDP at all.


NEW QUESTION # 156
You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is configured on the web servers, but responses served by Cloud CDN are not compressed.
What is the most likely cause of the problem?

  • A. You have to configure the web servers to compress responses even if the request has a Via header.
  • B. You have configured the web servers and Cloud CDN with different compression types.
  • C. The web servers behind the load balancer are configured with different compression types.
  • D. You have not configured compression in Cloud CDN.

Answer: A

Explanation:
If responses served by Cloud CDN are not compressed but should be, check that the web server software running on your instances is configured to compress responses. By default, some web server software will automatically disable compression for requests that include a Via header. The presence of a Via header indicates the request was forwarded by a proxy. HTTP proxies such as HTTP(S) load balancing add a Via header to each request as required by the HTTP specification. To enable compression, you may have to override your web server's default configuration to tell it to compress responses even if the request had a Via header.


NEW QUESTION # 157
You want to create a service in GCP using IPv6.
What should you do?

  • A. Configure an internal load balancer with the designated IPv6 address.
  • B. Create the instance with the designated IPv6 address.
  • C. Configure a TCP Proxy with the designated IPv6 address.
  • D. Configure a global load balancer with the designated IPv6 address.

Answer: D

Explanation:
https://cloud.google.com/load-balancing/docs/ipv6


NEW QUESTION # 158
You recently deployed your application in Google Cloud. You need to verify your Google Cloud network configuration before deploying your on-premises workloads. You want to confirm that your Google Cloud network configuration allows traffic to flow from your cloud resources to your on- premises network. This validation should also analyze and diagnose potential failure points in your Google Cloud network configurations without sending any data plane test traffic. What should you do?

  • A. Enable Packet Mirroring on your application and send test traffic.
  • B. Use Network Intelligence Center's Connectivity Tests.
  • C. Enable VPC Flow Logs and send test traffic.
  • D. Use Network Intelligence Center's Network Topology visualizations.

Answer: B

Explanation:
Connectivity Tests in Network Intelligence Center performs a static analysis of the configuration: it simulates the packet's path through routes, firewall rules, VPN or Interconnect and reports the point where the packet would be dropped, without sending any data-plane traffic (a live data-plane probe is an optional extra). Packet Mirroring (A) and VPC Flow Logs (C) need real traffic to observe, and Network Topology (D) visualizes topology and metrics but does not diagnose reachability.

