Pass Exam With Full Sureness - Professional-Cloud-Network-Engineer Dumps with 80 Questions [Q20-Q36]


Verified Professional-Cloud-Network-Engineer dumps Q&As - 100% Pass from BraindumpsPrep

NEW QUESTION 20
You need to define an address plan for a new GKE cluster in your VPC. This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?

  • A. /22
  • B. /23
  • C. /21
  • D. /25

Answer: A

Explanation:
With the default maximum of 110 Pods per node, GKE gives every node a /24 Pod block (256 addresses: twice the Pod count, rounded up to a power of two, so that Pod IPs can be recycled). Three nodes therefore need 3 × 256 = 768 Pod addresses. A /23 holds only 512, so the smallest range that fits is a /22 (1,024 addresses, room for four nodes); a /21 wastes half of it and a /25 does not even cover one node.
References:
https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips#cluster_sizing_secondary_range_pods
https://cloud.google.com/kubernetes-engine/docs/how-to/flexible-pod-cidr
https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips#defaults_limits
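The sizing rule behind this answer, worked through as an added example (this is not code from the original page or from Google): GKE reserves twice a node's maximum Pod count, rounded up to a power of two, as that node's Pod block, and the cluster's Pod range must hold one such block for every node it may scale to. The functions generalise the question to any node count and any maximum Pods per node.

```python
import math

# Added example (not from the original page). Sizes the Pod secondary range of
# a VPC-native GKE cluster: each node gets a block with room for twice its
# maximum Pods, rounded up to a power of two (110 Pods -> 220 -> 256 -> /24),
# and the cluster Pod range must fit one block per node.

def per_node_prefix(max_pods_per_node: int = 110) -> int:
    """Prefix length of the Pod block GKE assigns to one node."""
    if max_pods_per_node < 1:
        raise ValueError("max_pods_per_node must be >= 1")
    return 32 - math.ceil(math.log2(2 * max_pods_per_node))


def pod_range_prefix(max_nodes: int, max_pods_per_node: int = 110) -> int:
    """Largest prefix length (smallest range) that still holds one per-node
    block for every node the cluster may scale to."""
    if max_nodes < 1:
        raise ValueError("max_nodes must be >= 1")
    addresses_per_node = 1 << (32 - per_node_prefix(max_pods_per_node))
    needed = max_nodes * addresses_per_node
    return 32 - math.ceil(math.log2(needed))


def max_nodes_for_prefix(pod_prefix: int, max_pods_per_node: int = 110) -> int:
    """Inverse check: how many nodes a given Pod range can ever serve."""
    addresses_per_node = 1 << (32 - per_node_prefix(max_pods_per_node))
    return (1 << (32 - pod_prefix)) // addresses_per_node


if __name__ == "__main__":
    for nodes in (1, 2, 3, 4, 5):
        prefix = pod_range_prefix(nodes)
        print(f"{nodes} node(s) at 110 Pods/node -> Pod range /{prefix} "
              f"(holds up to {max_nodes_for_prefix(prefix)} nodes)")
```

Run it and the three-node case prints /22; the same function shows why a cluster that may grow to five nodes already needs a /21, which is the number to put in the address plan before the subnet is created, since the Pod secondary range cannot be shrunk or re-sized later without re-creating the cluster.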

 

NEW QUESTION 21
Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users.
What should you do?

  • A. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.
  • B. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.
  • C. Create a Cloud Armor Policy rule that denies traffic and review necessary logs.
  • D. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.

Answer: B

Explanation:
Cloud Armor is evaluated at the global load balancer's edge, where the real client IP is visible. A deny rule in preview mode is logged (including the client IP that matched) but not enforced, so you can confirm the suspect address before the rule starts blocking anyone. A VPC firewall rule on the backends would see only the load balancer's proxy addresses, not the client, and a disabled firewall rule does not log, so neither firewall option identifies the actor.
https://cloud.google.com/armor/docs/security-policy-concepts#preview_mode

 

NEW QUESTION 22
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?

  • A. Create a Cloud VPN instance. Create a policy-based VPN tunnel. Configure the appropriate local and remote traffic selectors to match your local and remote networks. Configure the appropriate static routes.
  • B. Create a Cloud VPN instance. Create a route-based VPN tunnel. Configure the appropriate local and remote traffic selectors to match your local and remote networks. Configure the appropriate static routes.
  • C. Create a Cloud VPN instance. Create a policy-based VPN tunnel per subnet. Configure the appropriate local and remote traffic selectors to match your local and remote networks. Create the appropriate static routes.
  • D. Create a Cloud VPN instance. Create a route-based VPN tunnel. Configure the appropriate local and remote traffic selectors to 0.0.0.0/0. Configure the appropriate static routes.

Answer: D

Explanation:
A device without BGP needs Classic VPN with static routing. A route-based tunnel uses 0.0.0.0/0 as both its local and remote traffic selectors, so when a subnet is added on either side later you only add static routes and the tunnel stays up. A policy-based tunnel (A, C) fixes the traffic selectors when the tunnel is created; growing the network means deleting and re-creating tunnels, which is exactly the downtime and operational overhead the question asks you to avoid. Option B mixes a route-based tunnel with per-network selectors, which is not how the two modes work.
https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns#creating_a_gateway_and_tunnel

 

NEW QUESTION 23
You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.
What should you do?

  • A. Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
  • B. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
  • C. Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
  • D. Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.

Answer: B

Explanation:
VPC firewall rules can target instances by network tag (or service account), not by label. Allow ingress from the permitted client ranges and from the Google health check ranges for that load balancer type (130.211.0.0/22 and 35.191.0.0/16 for most load balancers; network load balancers with legacy health checks also use 209.85.152.0/22 and 209.85.204.0/22); without the health check ranges the backends are marked unhealthy and receive no traffic. VPC Service Controls perimeters restrict access to Google-managed APIs, not traffic to your load balancer, so A and C do not apply.
Caveat: this only works for passthrough load balancers (external TCP/UDP network load balancing), where the backends see the client's source IP. Behind a proxy-based load balancer (global external HTTP(S), SSL proxy, TCP proxy) the backends see only the Google front-end proxy ranges, so a client allowlist has to be enforced with a Cloud Armor security policy instead.

 

NEW QUESTION 24
You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC-validating resolvers are unable to resolve names in your zone.
What should you do?

  • A. Disable DNSSEC at your domain registrar.
  • B. Update the TTL for the zone.
  • C. Transfer ownership of the domain to a new registrar.
  • D. Set the zone to the TRANSFER state.

Answer: A

Explanation:
The DS record that anchors the chain of trust lives at the domain registrar (in the parent zone), not in your zone file. Remove it at the registrar first, wait for it to expire from resolver caches, and only then disable DNSSEC on the Cloud DNS zone. If the registrar still publishes a DS record after the zone stops signing, validating resolvers treat the now-unsigned answers as bogus and return SERVFAIL. Changing the TTL, transferring the domain, or changing the zone state does not repair the broken chain of trust.

 

NEW QUESTION 25
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with a unique ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* BGP sessions are established between both on-premises routers and the Cloud Router.
* Only 1 of the on-premises router's routes are being added to the routing table.
What is the most likely cause of this problem?

  • A. A firewall is blocking the traffic across the second VPN connection.
  • B. The on-premises routers are configured with the same routes.
  • C. The ASNs being used on the on-premises routers are different.
  • D. You do not have a load balancer to load-balance the network traffic.

Answer: C

 

NEW QUESTION 26
Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution.
Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year.
These are the assumptions for both GCP environments.
- Each organization has enabled full connectivity between all of its projects by using Shared VPC.
- Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.
- There are no prefix overlaps between the two organizations.
- Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.
- Neither organization has Interconnects to their on-premises environment.
You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.
Which two steps should you take? (Choose two.)

  • A. Connect VPCs in both organizations using Cloud VPN together with Cloud Router.
  • B. Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.
  • C. Set up some variant of DNS forwarding and zone transfers in each organization.
  • D. Provision Cloud Interconnect to connect both organizations together.
  • E. Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.

Answer: A,C

Explanation:
Cloud Interconnect (D) links a VPC to an on-premises network; neither company has one, and it cannot join two organizations to each other. Because there is no prefix overlap, the quickest path is Cloud VPN with Cloud Router between the two Shared VPC host projects: the 10.0.0.0/8 routes are exchanged dynamically over BGP and the existing firewall rules already permit the traffic. Each company keeps its own domain and its own custom DNS for a year, so DNS forwarding (plus zone transfers where the resolvers need them) in each direction lets either side resolve the other's names. Re-creating every record in Cloud DNS (B) and moving all projects into a new organization's Shared VPC (E) are the large re-architecture the question explicitly defers.

 

NEW QUESTION 27
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the firewall rules logs in Cloud Logging (formerly Stackdriver Logging), but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?

  • A. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.
  • B. Check the VPC flow logs for the instance.
  • C. Create a new firewall rule to allow traffic from port 22, and enable logs.
  • D. Try connecting to the instance via SSH, and check the logs.

Answer: A

Explanation:
Firewall Rules Logging only records traffic that matches an explicit rule with logging enabled; the implied deny-all ingress rule (priority 65535) never logs. The RDP attempt (TCP 3389) is dropped by that implied rule, so nothing appears. Create an explicit ingress deny-all rule with a priority number below 65535 (65500 keeps it behind every allow rule you add later) and enable logging on it; every blocked connection then produces a log entry. VPC Flow Logs (B) sample traffic that reaches the VM's interface and do not show firewall denials, and options C and D change which traffic is allowed rather than what is logged.
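Two checks a practitioner wants around this answer, as an added example (not code from the original page): first, a linter over a rule set that tells you whether denied ingress will be logged at all, and second, the filter that pulls denied connections out of Firewall Rules Logging entries once they exist. The rule dicts and log lines are constructed to mirror the shape of VPC firewall rules and Firewall Rules Logging entries (jsonPayload.disposition, connection, rule_details); they are not captured from a real project.

```python
import json
from typing import Dict, List

# Added example (not from the original page). Rule dicts and log lines below
# are constructed samples shaped like VPC firewall rules and Firewall Rules
# Logging entries.

IMPLIED_DENY_PRIORITY = 65535  # the implied ingress deny; it never logs


def ingress_denies_are_logged(rules: List[Dict]) -> bool:
    """True only if an explicit INGRESS DENY rule with logging enabled sits
    above the implied deny and matches every source, so nothing is dropped
    silently."""
    for r in rules:
        if (r["direction"] == "INGRESS"
                and r["action"] == "DENY"
                and r.get("logging", False)
                and r["priority"] < IMPLIED_DENY_PRIORITY
                and "0.0.0.0/0" in r.get("source_ranges", [])):
            return True
    return False


def denied_connections(log_lines: List[str]) -> List[Dict]:
    """Extract source IP, destination port and matching rule for every
    DENIED entry in a batch of Firewall Rules Logging JSON lines."""
    out = []
    for line in log_lines:
        payload = json.loads(line)["jsonPayload"]
        if payload["disposition"] != "DENIED":
            continue
        conn = payload["connection"]
        out.append({
            "src_ip": conn["src_ip"],
            "dest_port": conn["dest_port"],
            "rule": payload["rule_details"]["reference"],
        })
    return out


# Constructed rule set: the allow-HTTP rule from the question, then the fix.
RULES_BEFORE = [
    {"name": "dev-allow-http", "direction": "INGRESS", "action": "ALLOW",
     "priority": 1000, "source_ranges": ["0.0.0.0/0"], "ports": ["tcp:80"],
     "logging": True},
]
RULES_AFTER = RULES_BEFORE + [
    {"name": "dev-deny-all-ingress", "direction": "INGRESS", "action": "DENY",
     "priority": 65500, "source_ranges": ["0.0.0.0/0"], "ports": ["all"],
     "logging": True},
]

# Constructed log entries: the HTTP hit is allowed, the RDP attempt is denied
# by the new explicit rule (with the implied deny alone, the second entry
# would never have been written).
SAMPLE_LOG = [
    json.dumps({"jsonPayload": {"disposition": "ALLOWED",
        "connection": {"src_ip": "203.0.113.10", "dest_ip": "10.0.0.5",
                       "src_port": 51514, "dest_port": 80, "protocol": 6},
        "rule_details": {"reference": "network:dev/firewall:dev-allow-http"}}}),
    json.dumps({"jsonPayload": {"disposition": "DENIED",
        "connection": {"src_ip": "203.0.113.10", "dest_ip": "10.0.0.5",
                       "src_port": 51515, "dest_port": 3389, "protocol": 6},
        "rule_details": {"reference": "network:dev/firewall:dev-deny-all-ingress"}}}),
]

if __name__ == "__main__":
    print("denies logged before fix:", ingress_denies_are_logged(RULES_BEFORE))
    print("denies logged after fix: ", ingress_denies_are_logged(RULES_AFTER))
    for d in denied_connections(SAMPLE_LOG):
        print("denied", d)
```

The linter is deliberately strict about the source range: a logged deny that only covers one CIDR still leaves the implied rule to swallow everything else without a trace.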

 

NEW QUESTION 28
You are creating an instance group and need to create a new health check for HTTP(s) load balancing.
Which two methods can you use to accomplish this? (Choose two.)

  • A. Create a new health check, or select an existing one, when you complete the load balancer's backend configuration in the GCP Console.
  • B. Create a new health check using the gcloud command line tool.
  • C. Create a new legacy health check using the Health checks section in the GCP Console.
  • D. Create a new legacy health check using the gcloud command line tool.
  • E. Create a new health check using the VPC Network section in the GCP Console.

Answer: A,B

Explanation:
https://cloud.google.com/load-balancing/docs/health-checks#creating_and_modifying_health_checks

 

NEW QUESTION 29
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.
Which level of permissions should you request?

  • A. Organization Admin privileges from the Organization Admin.
  • B. Service Project Admin privileges from the Shared VPC Admin.
  • C. Shared VPC Admin privileges from the Organization Admin.
  • D. Security Admin privileges from the Shared VPC Admin.

Answer: D

Explanation:
The Network Admin role (roles/compute.networkAdmin) deliberately excludes firewall rules, SSL certificates and security policies; those are granted by the Security Admin role (roles/compute.securityAdmin). In a Shared VPC the firewall rules live in the host project, so the Shared VPC Admin grants you Security Admin there. Shared VPC Admin or Organization Admin would be far more than least privilege.
https://cloud.google.com/vpc/docs/shared-vpc

 

NEW QUESTION 30
Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.
What should you do?

  • A. Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.
  • B. Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.
  • C. Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.
  • D. Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.

Answer: A

Explanation:
The global load balancer is proxy-based: its front ends terminate the client connection and open a new one to your backends from the Google proxy ranges, so a VPC firewall rule on the instances (D) never sees the scrubbing service's addresses and cannot tell scrubbed traffic from anything else that reaches the load balancer. A Cloud Armor security policy is enforced at the edge on the real client IP: add an allow rule for the scrubbing service's ranges and leave the default rule as deny. VPC Service Controls (B) protect Google API access, not load balancer traffic, and host-based iptables (C) has the same visibility problem as D.
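A small model of how a Cloud Armor security policy decides, covering both this question and Question 21, as an added example (not code from the original page or from Google): rules are evaluated from the lowest priority number upward, the first matching rule that is not in preview mode decides, a matching rule in preview mode is only recorded and evaluation continues, and the default rule sits at priority 2147483647. The IP ranges are documentation addresses chosen for the example; the scrubbing service and suspect ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not from the original page). Models Cloud Armor rule
# evaluation order and preview mode; all CIDRs are constructed.

DEFAULT_PRIORITY = 2147483647  # Cloud Armor's default rule priority


@dataclass
class Rule:
    priority: int
    action: str            # "allow" or "deny(403)"
    src_ranges: List[str]  # "*" or CIDR strings
    description: str = ""
    preview: bool = False  # log the action, do not enforce it

    def matches(self, ip: str) -> bool:
        if "*" in self.src_ranges:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r) for r in self.src_ranges)


def evaluate(rules: List[Rule], client_ip: str) -> Tuple[str, List[str]]:
    """Return (enforced_action, previewed_actions) for one client IP.
    Previewed actions are what the logs would show for that client."""
    previewed = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(client_ip):
            continue
        if rule.preview:
            previewed.append(f"{rule.priority}:{rule.action}")
            continue
        return rule.action, previewed
    raise ValueError("policy has no default rule")


def scrubbing_only_policy(scrubber_ranges: List[str]) -> List[Rule]:
    """Question 30: admit the scrubbing service, deny everyone else."""
    return [
        Rule(1000, "allow", scrubber_ranges, "traffic-scrubbing service"),
        Rule(DEFAULT_PRIORITY, "deny(403)", ["*"], "default deny"),
    ]


def with_preview_block(rules: List[Rule], suspect_ranges: List[str]) -> List[Rule]:
    """Question 21: stage a deny for a suspected actor in preview mode so it
    is logged but not enforced until the source IP is confirmed."""
    staged = Rule(500, "deny(403)", suspect_ranges, "suspected actor", preview=True)
    return [staged] + rules


if __name__ == "__main__":
    policy = scrubbing_only_policy(["203.0.113.0/24"])
    print(evaluate(policy, "203.0.113.9"))    # ('allow', [])
    print(evaluate(policy, "198.51.100.7"))   # ('deny(403)', [])
    staged = with_preview_block(policy, ["203.0.113.0/26"])
    print(evaluate(staged, "203.0.113.9"))    # ('allow', ['500:deny(403)'])
```

Flipping `preview` to False on the staged rule is the only change needed once the logs confirm the actor, which is why preview mode is the low-disruption answer to Question 21.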

 

NEW QUESTION 31
You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the 172.16.45.0/24 network.
What should you do?

  • A. Configure global load balancing to point 172.16.45.0/24 to the correct instance.
  • B. Create unique DNS records for each service that sends traffic to the desired IP address.
  • C. Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.
  • D. Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.

Answer: C

 

NEW QUESTION 32
You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.
Which NAT solution should you use?

  • A. An instance with IP forwarding enabled
  • B. Cloud NAT
  • C. An instance configured with iptables DNAT rules
  • D. An instance configured with iptables SNAT rules

Answer: D

Explanation:
Cloud NAT (B) only translates source addresses for traffic leaving the VPC to the internet; it does not apply to traffic that crosses Cloud VPN or Cloud Interconnect to an on-premises network. Translating addresses toward on-premises blocks therefore needs a self-managed NAT instance: a VM with IP forwarding enabled (A on its own forwards packets but does not translate them) running iptables SNAT rules that rewrite the source addresses, with static routes sending the on-premises prefixes through it. Add matching DNAT rules only if on-premises hosts must initiate connections to translated VPC addresses.

 


NEW QUESTION 34
You want to configure load balancing for an internet-facing, standard voice-over-IP (VOIP) application.
Which type of load balancer should you use?

  • A. TCP/SSL proxy load balancer
  • B. Network load balancer
  • C. HTTP(S) load balancer
  • D. Internal TCP/UDP load balancer

Answer: B

Explanation:
Standard VoIP signalling and media run over UDP, and the service is internet-facing. The external TCP/UDP network load balancer is the only option that is both reachable from the internet and passthrough for UDP. The TCP/SSL proxy and HTTP(S) load balancers only proxy TCP, and the internal TCP/UDP load balancer is not reachable from the internet.

 

NEW QUESTION 35
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)

  • A. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • B. setIamPolicy() via REST API
  • C. gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • D. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
  • E. GetIamPolicy() via REST API

Answer: C,D

Explanation:
https://cloud.google.com/iam/docs/granting-changing-revoking-access
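What option B actually involves, as an added example (not code from the original page or from Google): setIamPolicy() replaces the project's whole policy, so the REST path is only safe as a getIamPolicy() → modify → setIamPolicy() cycle that sends the etag back, which is what `gcloud projects add-iam-policy-binding` does for you in one command. The functions below are the in-memory modify step; the policy and its etag are constructed samples, not fetched from a real project.

```python
import copy
from typing import Dict, List

# Added example (not from the original page). In-memory modify step of the
# getIamPolicy() -> modify -> setIamPolicy() cycle; SAMPLE_POLICY is a
# constructed policy with a made-up etag.

def members_with_role(policy: Dict, role: str) -> List[str]:
    """Members bound to `role` without a condition. Conditional bindings are
    separate entries and are deliberately left alone by every function here."""
    for b in policy.get("bindings", []):
        if b["role"] == role and "condition" not in b:
            return list(b["members"])
    return []


def add_binding(policy: Dict, role: str, member: str) -> Dict:
    """Copy of `policy` with `member` granted `role`. Idempotent, and keeps the
    etag so setIamPolicy() rejects the write if the policy changed meanwhile."""
    if not policy.get("etag"):
        raise ValueError("policy has no etag; fetch it with getIamPolicy() first")
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def remove_binding(policy: Dict, role: str, member: str) -> Dict:
    """Copy of `policy` with `member` removed from `role`; a binding left with
    no members is dropped rather than written back empty."""
    new = copy.deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        if b["role"] == role and "condition" not in b:
            b["members"] = [m for m in b["members"] if m != member]
            if not b["members"]:
                continue
        kept.append(b)
    new["bindings"] = kept
    return new


SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelug=",  # constructed etag
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
}

if __name__ == "__main__":
    updated = add_binding(SAMPLE_POLICY, "roles/editor", "user:dev@example.com")
    # The projects.setIamPolicy request body would be {"policy": updated}.
    print(members_with_role(updated, "roles/editor"))  # ['user:dev@example.com']
    print(updated["etag"] == SAMPLE_POLICY["etag"])    # True
```

Sending the policy without the etag (or with a stale one) is how automation silently overwrites a grant someone else made between your read and your write; that race is the reason the console and gcloud are the safer choices when you are not scripting.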

 

NEW QUESTION 36
......

Professional-Cloud-Network-Engineer Dumps Full Questions - Exam Study Guide: https://www.briandumpsprep.com/Professional-Cloud-Network-Engineer-prep-exam-braindumps.html

Pass Professional-Cloud-Network-Engineer Exam in First Attempt Guaranteed 2021 Dumps: https://drive.google.com/open?id=1_e-YY6NIcjqJiPUdBqCl09Bg0ZQbdsqi