Google Professional Cloud Network Engineer Practice Test 3
Question 1 of 52
As an Architect for a growing organisation that handles a lot of sensitive user data on GCP, you have been tasked with recommending a solution that:
1. Offers automated visibility into all actions carried out in the account
2. Aids incident management
3. Offers easy-to-use integration with popular SIEM partners
Which GCP service is best suited for these activities?
Answer: C
Option A is incorrect because VPC Service Controls is used to build a service perimeter around multi-tenant Google Cloud services to mitigate data exfiltration risks; it is not a record of activity.
Option B is incorrect because Security Command Center is a security management and data risk platform that surfaces vulnerabilities and threats; it is not the record of who did what.
Option C is correct because Cloud Audit Logs is designed to provide visibility into who did what, when, and where for activity on GCP, and it exports through Cloud Logging sinks to popular SIEM partners. Note that Admin Activity audit logs are always written, but Data Access audit logs are disabled by default (except for BigQuery) and must be enabled per service to get visibility into reads of sensitive data.
Option D is incorrect because Access Transparency gives you near real-time logs when Google Cloud administrators access your content, not when your own users act.
See https://cloud.google.com/vpc-service-controls for more information on VPC Service Controls.
See https://cloud.google.com/security-command-center for more information on Security Command Center.
See https://cloud.google.com/audit-logs for more information on Cloud Audit Logs.
See https://cloud.google.com/access-transparency for more information on Access Transparency.
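As an added illustration of the "who did what, when, and where" record that Cloud Audit Logs provides, here is a small Python normaliser run over constructed audit log entries in the Cloud Logging JSON shape that a log sink delivers to a SIEM. It is not code from this test or from Google; the project name, principals, IP addresses and the list of high-risk method names are assumptions made up for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample entries in the Cloud Logging LogEntry / AuditLog JSON shape
# that a log sink delivers to Pub/Sub and on to a SIEM. Project, principals and
# IP addresses are made up for this example.
SAMPLE_ENTRIES = [
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-05-01T10:15:30.123456Z",
        "severity": "NOTICE",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.firewalls.insert",
            "resourceName": "projects/example-project/global/firewalls/allow-all-ingress",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
        },
    },
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-05-01T10:16:02Z",
        "severity": "NOTICE",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "deploy-sa@example-project.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "10.128.0.7"},
        },
    },
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2024-05-01T10:17:45.500000Z",
        "severity": "INFO",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "resourceName": "projects/_/buckets/customer-exports/objects/users.csv",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.23"},
        },
    },
]

# Admin Activity methods this example treats as alert-worthy (perimeter and IAM
# changes). The list is an assumption of the example, not a Google-supplied one.
HIGH_RISK_METHOD_SUFFIXES = (
    "firewalls.insert", "firewalls.patch", "firewalls.update", "firewalls.delete",
    "SetIamPolicy",
)


def audit_log_type(log_name):
    """Audit log kind from the logName suffix: activity, data_access, system_event or policy."""
    return log_name.rsplit("cloudaudit.googleapis.com%2F", 1)[-1]


def parse_timestamp(ts):
    """Parse an RFC 3339 UTC timestamp; Cloud Logging can emit up to nanosecond precision."""
    main, _, frac = ts.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micros, tzinfo=timezone.utc)


def normalize(entry):
    """Reduce one AuditLog entry to the who/what/when/where fields a SIEM correlates on."""
    payload = entry["protoPayload"]
    return {
        "who": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "what": payload["methodName"],
        "service": payload["serviceName"],
        "resource": payload.get("resourceName", ""),
        "when": parse_timestamp(entry["timestamp"]),
        "where": payload.get("requestMetadata", {}).get("callerIp", ""),
        "log_type": audit_log_type(entry["logName"]),
    }


def high_risk_events(entries):
    """Normalized Admin Activity events whose method ends with one of the high-risk suffixes."""
    return [
        rec for rec in map(normalize, entries)
        if rec["log_type"] == "activity" and rec["what"].endswith(HIGH_RISK_METHOD_SUFFIXES)
    ]


if __name__ == "__main__":
    for rec in high_risk_events(SAMPLE_ENTRIES):
        print(json.dumps({**rec, "when": rec["when"].isoformat()}))
```

The data_access entry is deliberately not matched: it is the kind of read that only appears if Data Access audit logs have been enabled for the service, which is the first thing to verify when a SIEM shows no object reads at all.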
Question 2 of 52
An organisation is looking to use GCP to manage resources for key departments such as Finance, Research, Technology, and Sales. You have been asked to architect a solution that supports separation of duties when assigning permissions to carry out certain tasks, while ensuring the principle of least privilege. Which of the following solutions is most effective and scalable for this?
Answer: C
Option A is incorrect because it does not follow the principle of least privilege: predefined roles usually grant more permissions than are needed. Using Google Groups to manage members and Folders for departments (each of which can hold multiple projects) is, however, effective and scalable.
Option B is incorrect because it does not follow the principle of least privilege for the same reason, and granting roles to individual Google accounts is cumbersome to manage and does not scale.
Option C is correct: Google Groups to manage members and Folders for departments (each of which can hold multiple projects) is effective and scalable, and custom IAM roles scoped to the permissions each department actually needs follow the principle of least privilege.
Option D is incorrect because granting roles to individual Google accounts is cumbersome to manage and does not scale.
See https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy for more information on the resource hierarchy.
Question 3 of 52
Your organisation is moving its external-facing applications, currently running on VMs in its data centre, to GCP, and the following requirements have been provided:
a. Applications will be deployed to private GCE instances in multiple regions with load balancing for high availability and scalability
b. Content-based routing and SSL offload must be supported
c. IPv6 must be supported
d. A custom origin must be supported
Which of the following solutions is most suitable for this?
Answer: C
Option A is incorrect because the Internal HTTP(S) load balancer is not external facing, is regional, and does not support IPv6 or a custom origin.
Option B is incorrect because, although it is a global load balancer, it does not support content-based routing or a custom origin as a backend.
Option C is correct because it meets all the specified requirements: it is a global external load balancer that supports content-based routing and SSL offload, accepts IPv6 client traffic, and can use a custom origin as a backend.
Option D is incorrect because it is a regional load balancer and does not support content-based routing or a custom origin as a backend.
See https://cloud.google.com/load-balancing/docs/choosing-load-balancer for more information on GCP load balancers.
Question 4 of 52
An organisation wants to migrate its external-facing applications, currently running on VMs in its data centre, to GCP. Its users are all in Northern Virginia (us-east4), and the following requirements have been provided to you as the Network Engineer:
a. Applications will be deployed to private GCE instances with load balancing for high availability and scalability
b. Preservation of source IP addresses must be supported
c. SSL will be decrypted by the backend service
Which of the following solutions is most suitable for this?
Answer: D
Option A is incorrect because the Internal HTTP(S) load balancer is not external facing (it is regional, but that alone does not disqualify it).
Option B is incorrect because, although it is a global load balancer, it terminates SSL at the proxy and does not preserve the client source IP.
Option C is incorrect for the same reason: it is a global proxy load balancer that does not preserve the client source IP and performs SSL offload.
Option D is correct because it meets all the specified requirements: it is a regional pass-through load balancer, so the backends see the original client source IP and terminate SSL themselves, and a single region suits users who are all in us-east4.
See https://cloud.google.com/load-balancing/docs/choosing-load-balancer for more information on GCP load balancers.
Question 5 of 52
An organisation has deployed an external-facing application on a managed instance group behind an HTTP(S) load balancer in GCP. Firewall rules have been set to allow user traffic from the internet. The instances in the managed instance group keep recycling.
Which of the following could be the problem?
Answer: B
Option A is incorrect.
Option B is correct because without firewall rules that allow the health-check probes, the load balancer classifies the instances as unhealthy, and the managed instance group's autohealing (when configured with the same health check) keeps recreating them. The probes for HTTP(S) load balancers come from 35.191.0.0/16 and 130.211.0.0/22, so an ingress allow rule for those source ranges on the health-check port is needed; a rule that only admits user traffic on the serving port does not cover a health check on a different port.
Option C is incorrect.
Option D is incorrect.
See https://cloud.google.com/load-balancing/docs/health-check-concepts#ip-ranges for more information on health checks for GCP load balancers.
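The following Python check, added here and not part of the original test, is the verification a practitioner would run before looking elsewhere: given firewall rules in the JSON shape that `gcloud compute firewall-rules list --format=json` returns, it reports which of the documented prober ranges (35.191.0.0/16 and 130.211.0.0/22) are not admitted on the health-check port. The rule names, the `web` tag and port 8080 are constructed for the example; the "before" set mirrors the scenario (only user traffic on 443 allowed) and the "after" set adds the missing rule.

```python
import ipaddress

# Source ranges of Google Cloud health-check probers for the HTTP(S), SSL proxy,
# TCP proxy and internal HTTP(S) load balancers (see the health-check docs above).
HEALTH_CHECK_RANGES = (
    ipaddress.ip_network("35.191.0.0/16"),
    ipaddress.ip_network("130.211.0.0/22"),
)

# Constructed rules in the shape `gcloud compute firewall-rules list --format=json`
# returns, with fields trimmed. Names, tags and ports are made up for this example.
RULES_BEFORE = [
    {
        "name": "allow-user-https",
        "direction": "INGRESS",
        "disabled": False,
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
        "targetTags": ["web"],
    },
]

# The fix: an allow rule scoped to the prober ranges and the health-check port only.
HEALTH_CHECK_RULE = {
    "name": "allow-lb-health-checks",
    "direction": "INGRESS",
    "disabled": False,
    "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}],
    "targetTags": ["web"],
}
RULES_AFTER = RULES_BEFORE + [HEALTH_CHECK_RULE]


def _port_allowed(allowed, port):
    """True if some allowed entry admits TCP `port` (a missing ports list means all ports)."""
    for entry in allowed:
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True
        for spec in ports:
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False


def _covers(source_range, probe_range):
    """True if `source_range` (a CIDR string) contains the whole prober range."""
    src = ipaddress.ip_network(source_range)
    return src.version == probe_range.version and probe_range.subnet_of(src)


def _applies_to(rule, tag):
    """A rule with no targetTags applies to every instance in the network."""
    tags = rule.get("targetTags")
    return not tags or tag in tags


def uncovered_health_check_ranges(rules, port, tag):
    """Prober ranges that no enabled INGRESS allow rule admits on `port` for instances tagged `tag`.

    Only allow rules are evaluated. A higher-priority deny rule could still block the probes,
    so check deny rules separately if this returns [] and health checks keep failing.
    """
    uncovered = []
    for probe_range in HEALTH_CHECK_RANGES:
        covered = any(
            rule.get("direction") == "INGRESS"
            and not rule.get("disabled", False)
            and _applies_to(rule, tag)
            and _port_allowed(rule.get("allowed", []), port)
            and any(_covers(src, probe_range) for src in rule.get("sourceRanges", []))
            for rule in rules
        )
        if not covered:
            uncovered.append(str(probe_range))
    return uncovered


if __name__ == "__main__":
    # Health check configured on TCP 8080 while only 443 is open to the internet.
    print("before:", uncovered_health_check_ranges(RULES_BEFORE, 8080, "web"))
    print("after: ", uncovered_health_check_ranges(RULES_AFTER, 8080, "web"))
```

The check only reasons about allow rules; if it reports nothing missing and instances still fail, look at deny rules with a lower priority number, and at the health check's own port and path.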
Question 6 of 52
An external-facing application is deployed on GKE to maximise the benefits of containerisation. There is a need to improve the performance of the application with Cloud CDN. Which of the following can be used with Cloud CDN to deliver this content closer to the users?
Answer: D
Option A is incorrect: although GKE runs on instances, they are managed on your behalf and are not what you attach Cloud CDN to.
Option B is incorrect: this is used with managed services such as App Engine and Cloud Run.
Option C is incorrect: this is for static content or applications deployed to Cloud Storage.
Option D is correct: this is how GKE exposes applications running on its cluster externally, through an HTTP(S) load balancer that Cloud CDN can be enabled on.
See https://cloud.google.com/cdn/docs/using-cdn for more information on Cloud CDN.
Question 7 of 52
The design of an application that was running on a single GCE instance has evolved with a new requirement: it has to be highly available and deliver low-latency performance to end users.
Which of the following solutions best solves this?
Answer: B
Option A is incorrect.
Option B is correct: the external HTTP(S) load balancer is the only load balancer that can be paired with Cloud CDN, which caches content close to users for low latency while the load balancer provides the high availability.
Option C is incorrect.
Option D is incorrect because Cloud Armor is used for defence against DoS and web attacks, not for latency or availability.
See https://cloud.google.com/cdn/docs/best-practices for more information on Cloud CDN.
Question 8 of 52
A company is looking to build a cloud-native solution on GCP. The company requires flexibility in planning and implementing the IP addressing in its VPC. It would also like to give unique, descriptive names to the subnets. Which of the following would you recommend?
Answer: C
Option A is incorrect because it does not offer flexibility in IP addressing or in naming subnets.
Option B is incorrect: this is an auto mode network, whose subnets and ranges are created for you with fixed names.
Option C is correct: custom mode networks allow you to choose the CIDR block and a unique name for each subnet.
Option D is incorrect.
See https://cloud.google.com/solutions/best-practices-vpc-design#custom-mode for more information on custom mode networks.
Question 9 of 52
A company is designing a new cloud-native solution on GCP, with multiple teams working to deliver it. Each team has its own GCP project within the organisation. The company wants a centralised and easy way to manage the network structure while the teams manage their non-networking resources.
Which of the following would you recommend?
Answer: B
Options A and C are incorrect because they are just types of VPC that can be created in GCP and do not address who manages what.
Option B is correct: Shared VPC is the only option that centralises control of all networking resources in a host project, while service project teams configure and manage non-network resources, giving a clear separation of responsibilities across the organisation.
Option D is incorrect because VPC Network Peering is used to connect separate VPCs together, not to centralise network administration.
See https://cloud.google.com/solutions/best-practices-vpc-design#shared-vpc for more information on Shared VPC.
Question 10 of 52
There is a request to design a custom network in GCP with four subnets, each starting with 50 hosts but able to grow to a maximum of 200 hosts. You are tasked with choosing the smallest CIDR block that can achieve this.
Which of the following CIDR blocks would you recommend for each subnet?
Answer: D
Options A, B and C are incorrect because they are either too small to hold 200 hosts or larger than necessary, so they do not meet the criterion of choosing the smallest block.
Option D is correct: a /24 is the smallest block that fits. Google Cloud reserves four addresses in every primary subnet range (the network address, the default gateway, the second-to-last address and the broadcast address), so a /24 offers 252 usable addresses, enough for a 200-host subnet, while a /25 offers only 124.
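As an added worked example (not from the original test), this Python snippet generalises the sizing above: it picks the smallest block for a given host count, accounting for the four addresses Google Cloud reserves in every primary subnet range, and carves the four subnets out of a parent range. The parent range 10.10.0.0/22 is an assumption chosen for the example.

```python
import ipaddress

# Google Cloud reserves four addresses in every primary IPv4 subnet range:
# network address, default gateway, second-to-last address and broadcast address.
GCP_RESERVED_PER_SUBNET = 4
GCP_MIN_PRIMARY_PREFIX = 29   # the smallest primary range Google Cloud allows is /29


def usable_hosts(prefixlen, reserved=GCP_RESERVED_PER_SUBNET):
    """Addresses left for VMs in a block of the given prefix length."""
    return 2 ** (32 - prefixlen) - reserved


def smallest_prefix(max_hosts, reserved=GCP_RESERVED_PER_SUBNET):
    """Longest prefix (smallest block) whose usable count covers max_hosts."""
    for prefixlen in range(GCP_MIN_PRIMARY_PREFIX, -1, -1):
        if usable_hosts(prefixlen, reserved) >= max_hosts:
            return prefixlen
    raise ValueError(f"no IPv4 block can hold {max_hosts} hosts")


def plan_subnets(parent_cidr, count, max_hosts):
    """Carve `count` equal, non-overlapping subnets sized for max_hosts out of parent_cidr."""
    parent = ipaddress.ip_network(parent_cidr)
    prefixlen = smallest_prefix(max_hosts)
    if prefixlen < parent.prefixlen:
        raise ValueError(f"a /{prefixlen} does not fit inside {parent_cidr}")
    blocks = []
    for block in parent.subnets(new_prefix=prefixlen):
        if len(blocks) == count:
            break
        blocks.append(str(block))
    if len(blocks) < count:
        raise ValueError(f"{parent_cidr} holds only {len(blocks)} /{prefixlen} subnets, need {count}")
    return blocks


if __name__ == "__main__":
    # Four subnets of up to 200 hosts each, laid out from an assumed 10.10.0.0/22 parent.
    for prefix in (26, 25, 24, 23):
        print(f"/{prefix}: {usable_hosts(prefix)} usable")
    print(plan_subnets("10.10.0.0/22", count=4, max_hosts=200))
```

A /26 covers the initial 50 hosts (60 usable) but not the growth target, which is why the plan sizes every subnet for the maximum from the start; expanding a primary range later is possible, but only if the adjacent space is still free.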
Question 11 of 52
A company would like to retain the current internal IP address of a GCE instance, to meet a security obligation that a certain application has a static IP address.
Which of the following is the least disruptive action to achieve this?
Answer: C
Option A is incorrect because stopping and restarting an instance does not change its internal IP address, nor does it turn an ephemeral address into a static one.
Option B is incorrect because it is disruptive to the availability of the application.
Option C is correct: reserving the instance's current ephemeral internal address as a static internal address (promoting it) keeps the same IP without stopping the instance, so it is the least disruptive action.
Option D is incorrect because this action is not possible.
See https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address to understand more about reserving internal IP addresses.
Question 12 of 52
Which of the following allow GCE instances without external IP addresses to access Cloud Storage and BigQuery? Choose two.
Answer: A & B
Options A & B are correct because both let instances that have only internal IP addresses reach Google APIs and services, which are served on external IP addresses, from within GCP subnets.
Option C is incorrect because it is used to reach services such as Cloud SQL that are exposed on private IP addresses.
Option D is incorrect because it is used by on-premises hosts to access Google APIs.
See https://cloud.google.com/vpc/docs/private-access-options to understand the options for accessing Google APIs from private instances.
Question 13 of 52
As the Network Engineer in your firm, you need to connect your local data centre to your GCP network. The bandwidth requirement is 5 Gbps during peak periods and dynamic routing is needed. Which of the following is the cheapest and fastest to deploy? Choose two.
Answer: D
Options A & B are incorrect because Cloud Interconnect is the more expensive option and is slower to deploy.
Option C is incorrect because it is used to peer multiple GCP VPCs, not to connect to on-premises.
Option D is correct: Cloud VPN is the cheapest and fastest option for hybrid connectivity to GCP, and Cloud Router provides dynamic routing via BGP. Note that each Cloud VPN tunnel supports up to 3 Gbps, so a 5 Gbps peak needs at least two tunnels with traffic spread across them (as HA VPN provides).
See https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview to understand more about Cloud VPN and how to set it up.
Question 14 of 52
As the Network Engineer in your firm, you have been tasked with determining the hybrid connectivity option that meets the requirements below.
1. Direct access from the on-premises network to G Suite and Google APIs
2. No associated setup or maintenance costs
3. Connects directly to Google's edge network
4. Reduced internet egress rates from Google Cloud resources in the same continent to your on-premises network
Which of the options below is correct?
Correct Option:
A. Direct Peering: This is correct because Direct Peering gives your on-premises network direct access to Google's edge network, including G Suite and Google APIs. It has no associated setup or maintenance costs and provides reduced internet egress rates for traffic within the same continent. Note that it is only available if you meet Google's peering requirements (a public ASN and presence at a Google peering location).
Incorrect Options:
B. Partner Interconnect: This is incorrect because Partner Interconnect uses a service provider to connect to Google Cloud, which has associated costs and does not connect directly to Google's edge network.
C. Carrier Peering: This is incorrect because Carrier Peering also goes through a third-party carrier, which may have associated costs and does not provide direct access to Google's edge network.
D. Dedicated Interconnect: This is incorrect because Dedicated Interconnect provides a direct physical connection to Google Cloud, but it involves setup and maintenance costs and does not address access to G Suite or reduced internet egress rates.
Question 15 of 52
A growing firm is looking to migrate the management of its on-premises DNS server to a managed option on GCP. Currently the firm is struggling with a high volume of DNS requests and high latency for lookups of its domain from anywhere in the world.
As the Network Engineer in the firm, which service is most appropriate to solve this problem?
Answer: B
Option A is incorrect because it is not a managed service; the firm would still have to manage the availability of the instances.
Option B is the right answer: Cloud DNS is GCP's managed, globally served DNS service with a 100% availability SLA.
Option C is incorrect because it is used for hybrid connectivity.
Option D is incorrect because it is used to connect the on-premises network to G Suite.
https://cloud.google.com/dns provides an overview and in-depth documentation on the capabilities of Cloud DNS.
Question 16 of 52
16. Question
Your firm needs to configure two routes for two VPN connections between GCP and your on-premises networks in an active/passive configuration. As the Network Engineer in the firm, which option below can help you achieve this?
Correct
Answer: A
Option A is correct because when more than one route matches a destination IP, the route with the higher priority takes precedence (in Compute Engine a lower priority value means a higher priority, so the active tunnel's route gets the lower number), and the correct next hop for a VPN route is the VPN tunnel.
Option B is incorrect because the next hop for a VPN route is the VPN tunnel, not an IP address.
Option C is incorrect because the requirement is to have two routes. Also, if two routes to the same destination have the same priority, Google Cloud spreads traffic across them (ECMP), which is active/active rather than active/passive.
Option D is incorrect because the next hop for a VPN route is the VPN tunnel, not an IP address, and because two routes with the same priority would share the traffic rather than act as active/passive. https://cloud.google.com/network-connectivity/docs/vpn/concepts/order-of-routes provides in-depth documentation on the order in which GCP evaluates routes.
Question 17 of 52
17. Question
You have set up a VPC network with subnets, and the firm has its on-premises network. You have been tasked with setting up a hybrid connection between both networks. In the future additional subnets will be added to both networks, and the connectivity needs to discover new subnets and route traffic appropriately.
As the Network Engineer in the firm, which service can solve this problem?
Correct
Answer: C
Options A and B are incorrect because they are not used to connect GCP to on-premises networks.
Option C is correct: Cloud Router is used together with Cloud VPN or Cloud Interconnect, depending on the requirements, to exchange routes over BGP between GCP and the on-premises network, so subnets added on either side are learned automatically.
Option D is incorrect because that service connects the on-premises network to G Suite. https://cloud.google.com/network-connectivity/docs/router provides an overview and in-depth documentation on the capabilities of Cloud Router.
Question 18 of 52
18. Question
In your company's VPC network there are several subnets with instances. You have been asked to configure routes so that internet-bound traffic from all instances in that VPC used by the developers is routed to an appliance for inspection. All firewall rules have already been created and work correctly.
How would you achieve this? Choose two.
Correct
Answer: B and C
Option A is incorrect because the question states that the firewall rules have been tested and work.
Options B and C are correct: tag the instances used by the developers, then create a custom static route for internet-bound traffic (0.0.0.0/0) that applies only to that network tag, with a higher priority (lower priority value) than the default route and the appliance instance as its next hop. The appliance instance must have IP forwarding enabled (--can-ip-forward) so that it accepts packets not addressed to it.
Option D is incorrect because that is used for hybrid connectivity.
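To make the route-selection rules behind questions 16 and 18 concrete, here is an added Python example (not code from the original test or from Google): a small model of how Compute Engine picks a route for a packet. The rules it applies are the documented ones: subnet routes win, then the longest matching destination prefix, then the lowest priority value, with remaining ties shared as ECMP, and a route only applies to an instance if it has no tag or one of the instance's tags. The route, tag, tunnel and instance names, and the treatment of a tunnel that is down (its routes are skipped), are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                       # destination CIDR
    next_hop: str                   # "subnet", "default-internet-gateway", "vpn-tunnel:<name>", "instance:<name>"
    priority: int = 1000            # lower value = higher priority, as in Compute Engine
    tags: frozenset = frozenset()   # empty = applies to every instance in the network
    kind: str = "static"            # "subnet" routes always beat custom routes


# Constructed route table (hypothetical names): the subnet route, the default route,
# a tagged route steering developer egress to an inspection appliance, and an
# active/passive pair of static routes to the on-premises range over two VPN tunnels.
ROUTES = [
    Route("subnet-route", "10.10.0.0/24", "subnet", 0, kind="subnet"),
    Route("default-internet", "0.0.0.0/0", "default-internet-gateway", 1000),
    Route("dev-egress-inspect", "0.0.0.0/0", "instance:ids-appliance", 900, frozenset({"developer"})),
    Route("to-onprem-primary", "192.168.0.0/16", "vpn-tunnel:tunnel-1", 100),
    Route("to-onprem-backup", "192.168.0.0/16", "vpn-tunnel:tunnel-2", 200),
]


def _usable(route, tunnels_up):
    """Modelling assumption: a route whose next hop is a VPN tunnel that is not
    established is withdrawn and never selected."""
    if route.next_hop.startswith("vpn-tunnel:"):
        return route.next_hop.split(":", 1)[1] in tunnels_up
    return True


def select_routes(routes, dst_ip, instance_tags=frozenset(), tunnels_up=frozenset()):
    """Return the routes Compute Engine would use for a packet to dst_ip sent by an
    instance carrying instance_tags. More than one result means ECMP (traffic is
    spread across them), which is what equal priorities give you."""
    dst = ipaddress.ip_address(dst_ip)
    cands = [
        r for r in routes
        if dst in ipaddress.ip_network(r.dest)
        and (not r.tags or r.tags & instance_tags)
        and _usable(r, tunnels_up)
    ]
    if not cands:
        return []
    # 1. subnet routes take precedence over every custom route
    subnet = [r for r in cands if r.kind == "subnet"]
    if subnet:
        return subnet
    # 2. the most specific destination wins
    longest = max(ipaddress.ip_network(r.dest).prefixlen for r in cands)
    cands = [r for r in cands if ipaddress.ip_network(r.dest).prefixlen == longest]
    # 3. the lowest priority value wins; whatever is left is ECMP
    best = min(r.priority for r in cands)
    return [r for r in cands if r.priority == best]


def chosen(dst_ip, tags=(), tunnels_up=("tunnel-1", "tunnel-2"), routes=ROUTES):
    """Names of the selected routes, for quick inspection."""
    return [r.name for r in select_routes(routes, dst_ip, frozenset(tags), frozenset(tunnels_up))]


if __name__ == "__main__":
    print(chosen("192.168.5.5"))                            # ['to-onprem-primary']
    print(chosen("192.168.5.5", tunnels_up=("tunnel-2",)))  # ['to-onprem-backup']
    print(chosen("8.8.8.8", tags=("developer",)))           # ['dev-egress-inspect']
    print(chosen("8.8.8.8"))                                # ['default-internet']
```

Two things worth noticing when you run it: giving both VPN routes the same priority makes `select_routes` return both, which is the ECMP behaviour ruled out in question 16; and when both tunnels are down the on-premises traffic falls through to the default route, so a deployment that must never leak such traffic to the internet gateway needs a more specific blackhole or deny rule as well.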
Question 19 of 52
19. Question
You are designing the networking for your company's new GKE VPC-native public cluster. You are required to assign secondary CIDR ranges for the pods and Services. Where can this be done in the GCP console? Choose two.
Correct
Answer: B and C
Option A is incorrect; you cannot assign a CIDR range at the VPC network level in GCP, since IP ranges belong to subnets.
Option D is incorrect; that is used to reserve public (external) IP addresses.
Options B and C are correct: you can add a secondary range at the subnet level, and you can have the ranges created for the cluster under Networking when creating the GKE cluster.
Question 20 of 52
20. Question
As the network engineer for a growing organisation, you have been asked to implement a network appliance that will handle intrusion detection and prevention (IDS/IPS) between networks.
Which of the following need to be considered about the maximum number of interfaces the network appliance can have? Choose two.
Correct
Answer: B and C
Options A and D are incorrect because the number of subnets or VPC networks does not determine how many interfaces can be attached to a GCE instance.
Options B and C are correct because the machine type (f1-micro, n1-standard etc.) and its number of vCPUs set the maximum number of interfaces a GCE instance can have. Two further constraints matter for an appliance design: every network interface must be attached to a different VPC network, and interfaces can only be added when the instance is created.
See: https://cloud.google.com/vpc/docs/create-use-multiple-interfaces#max-interfaces for more information on instances with multiple interfaces
Question 21 of 52
21. Question
You are the network engineer in your firm. The firm has an organization in GCP with four projects for the different departments. You are required to design a network that allows a shared network appliance to act as a DMZ protecting the GCE instances in the different projects.
Which solution can meet the criteria provided?
Correct
Answer: A
Option A is correct because a Shared VPC network is created in the host project, and that is also where the appliance to be shared should be created; its subnets are then shared with the service projects.
Option B is incorrect because the network appliance should be created in the host project.
Option C is incorrect because it fails to satisfy the requirement of sharing a network appliance.
Option D is incorrect because you cannot create a Shared VPC network in a service project.
See https://cloud.google.com/vpc/docs/multiple-interfaces-concepts for more information on using multiple NICs
Question 22 of 52
22. Question
You are configuring Cloud NAT to provide internet-bound connectivity for GCE instances in your subnet that have no external IP addresses. Which of the following will need to be created?
Correct
Answer: A
Option A is correct: a Cloud NAT gateway is configured on a Cloud Router in the same region as the subnets it serves.
Options B, C and D are incorrect; there is no need to create a custom route, an external IP address on the instances, or VPC peering for Cloud NAT. https://cloud.google.com/nat/docs/overview has more information on the Cloud NAT service.
Question 23 of 52
23. Question
A company needs a network design for its VPC-native GKE cluster. You have been provided with the specifications below.
1. The initial cluster size is 3 nodes but will grow to a maximum of 8 nodes.
2. User-managed secondary IP ranges with the minimum CIDR blocks to achieve this.
3. The maximum number of pods per node will be used.
4. The number of Services could grow to 2000.
Using GCP best practice, which of the designs meets the requirements?
Correct
Answer: C
The maximum number of pods per node is 110, so 8 nodes need 8 × 110 = 880 pod IP addresses. A /22 holds 1024 addresses and is the smallest block that fits the pod IP range. A /28 holds 16 addresses, of which GKE reserves 4 in every subnet (network, gateway, second-to-last and broadcast), leaving 12 usable node addresses, so it is the smallest subnet for a cluster of 8 nodes. A /21 holds 2048 addresses and is the smallest block for 2000 Services. Note that GKE actually assigns each node a pod block sized for twice its maximum pods (a /24 per node at 110 pods per node), so an 8-node cluster consumes 8 × 256 = 2048 pod addresses (a /21) in practice; the sizing in this question follows the raw pod count.
Option A is incorrect because the subnet is too large at 128 addresses, the pod range is too large at 4096 addresses, and the Services range is too large at 8192 addresses.
Option B is incorrect because the subnet is too large at 64 addresses, the pod range is too large at 2048 addresses, and the Services range is too large at 4096 addresses.
Option C is correct.
Option D is incorrect because the subnet is larger than needed at 32 addresses, while the pod range is too small at 512 addresses and the Services range is too small at 1024 addresses. https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips provides more insight into creating a VPC-native GKE cluster.
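As an added Python example (not from the original test or from Google), the following computes the minimum ranges for the design above and then carves them, aligned and non-overlapping, out of a base block with the standard-library ipaddress module. It reports both the raw-count pod sizing this question uses and the sizing GKE applies in practice, where each node receives a block for twice its maximum pods. The 10.0.0.0/16 base block and the range names are assumptions of the example.

```python
import ipaddress
import math

GKE_RESERVED_PER_SUBNET = 4      # network, gateway, second-to-last and broadcast addresses
GKE_DEFAULT_MAX_PODS = 110


def prefix_for(addresses):
    """Smallest prefix length whose block holds at least `addresses` IPv4 addresses."""
    bits = math.ceil(math.log2(addresses)) if addresses > 1 else 0
    return 32 - bits


def node_subnet_prefix(nodes):
    # every GKE node subnet loses four addresses, so a /28 serves at most 12 nodes
    return prefix_for(nodes + GKE_RESERVED_PER_SUBNET)


def pod_range_prefix_raw(nodes, max_pods=GKE_DEFAULT_MAX_PODS):
    # the question's arithmetic: nodes * pods, rounded up to a power of two
    return prefix_for(nodes * max_pods)


def pod_range_prefix_gke(nodes, max_pods=GKE_DEFAULT_MAX_PODS):
    # what GKE allocates: a per-node block sized for 2 * max_pods (a /24 for 110)
    per_node = 1 << math.ceil(math.log2(2 * max_pods))
    return prefix_for(nodes * per_node)


def service_range_prefix(services):
    return prefix_for(services)


def plan(nodes, services, max_pods=GKE_DEFAULT_MAX_PODS):
    """Prefix lengths for the node subnet, the pod range and the Services range."""
    return {
        "nodes": node_subnet_prefix(nodes),
        "pods_raw": pod_range_prefix_raw(nodes, max_pods),
        "pods_gke": pod_range_prefix_gke(nodes, max_pods),
        "services": service_range_prefix(services),
    }


def carve(base, wanted):
    """Carve aligned, non-overlapping blocks of the wanted prefix lengths out of `base`.
    `wanted` maps a name to a prefix length; larger blocks are placed first so the
    smaller ones never fragment the space."""
    base = ipaddress.ip_network(base)
    placed = {}
    for name, prefix in sorted(wanted.items(), key=lambda kv: kv[1]):
        for cand in base.subnets(new_prefix=prefix):
            if not any(cand.overlaps(p) for p in placed.values()):
                placed[name] = cand
                break
        else:
            raise ValueError(f"no room for {name} (/{prefix}) in {base}")
    return placed


if __name__ == "__main__":
    sizes = plan(nodes=8, services=2000)
    print(sizes)   # {'nodes': 28, 'pods_raw': 22, 'pods_gke': 21, 'services': 21}
    # constructed base block; the layout uses the GKE-realistic pod size
    layout = carve("10.0.0.0/16", {"nodes": sizes["nodes"],
                                   "pods": sizes["pods_gke"],
                                   "services": sizes["services"]})
    for name, net in layout.items():
        print(f"{name:9s} {net}  ({net.num_addresses} addresses)")
```

Run with the question's figures, `plan` returns /28, /22 (raw) and /21 (Services), matching the explanation, and /21 for the pod range once the per-node /24 allocation is taken into account; that gap is the reason to size pod ranges from the node count rather than from the pod count when you do this for real.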
Question 24 of 52
24. Question
Your team has launched a number of GCE instances into a GCP VPC network. The security team needs to be able to review logs of all traffic to and from the instances in the network. Which of the following will provide the needed logs? Choose two.
Correct
Answer: C & D
Option A is incorrect because Cloud Audit Logs record user and service actions against the GCP API (who did what, when and where), not network traffic.
Option B is incorrect because load balancer logs only cover traffic that passes through the load balancer.
Option C is correct because firewall rules logging records each connection (allowed or denied) that matched a firewall rule, provided logging is enabled on that rule.
Option D is correct because VPC Flow Logs, enabled per subnet, record the flows in and out of the VM network interfaces in that subnet; they are sampled and aggregated rather than a full packet capture.
See https://cloud.google.com/vpc/docs/firewall-rules-logging for more on firewall logs
See https://cloud.google.com/vpc/docs/flow-logs for more on VPC Flow Logs
Question 25 of 52
25. Question
You are a Project Editor in a GCP organization. You have been tasked with creating a Shared VPC network in your project, which several service projects will use for the resources deployed there, such as the Dedicated Interconnect. You are unable to complete the creation of the Shared VPC. Which additional permissions do you need?
Correct
Answer: D
Options A, B and C are incorrect because none of them carries the permissions to enable a Shared VPC host project.
Option D is correct because it carries the permissions to enable a Shared VPC host project. Enabling a host project and attaching service projects requires the Shared VPC Admin role (roles/compute.xpnAdmin), which is normally granted at the organization or folder level and is not included in the project Editor role.
See https://cloud.google.com/iam/docs/understanding-roles#compute-engine-roles to see the permissions in the Compute Engine roles.
See https://cloud.google.com/vpc/docs/provisioning-shared-vpc for more on creating a Shared VPC network.
Question 26 of 52
26. Question
You are a Project Owner in a GCP organization. You have been tasked with assigning IAM permissions to groups based on their responsibilities. You need to give permissions to the group managing the Interconnect connections. Following the principle of least privilege, which of the following roles would you assign?
Correct
Answer: C
Options A and B are incorrect because they grant more permissions than required, which does not follow the principle of least privilege.
Option C is correct because it carries just the permissions needed to manage the Interconnect connections.
Option D is incorrect because roles/compute.networkUser is a predefined role for using shared subnets (for example attaching instances to them) and does not include the compute.interconnects.* permissions needed to manage the connections.
See https://cloud.google.com/iam/docs/understanding-roles#compute-engine-roles to see the permissions in the Compute Engine roles.
Question 27 of 52
27. Question
As the network engineer in your company, you need to configure DNSSEC for a domain that is registered outside GCP but hosted on a Cloud DNS zone. Which two steps need to be carried out?
Correct
Answer: A & B
Options A and B are correct: you enable DNSSEC on the Cloud DNS managed zone, then publish the DS record that Cloud DNS generates for the zone at your domain registrar so the parent zone carries the chain of trust. Do it in that order; a DS record pointing at a zone that is not yet signed makes validating resolvers fail lookups for the domain.
Options C and D are incorrect because they have nothing to do with DNSSEC. https://cloud.google.com/dns/docs/dnssec has more on DNSSEC.
Question 28 of 52
28. Question
As the network engineer in your company, you try to create VPC Network Peering between two VPC networks in different GCP organisations, but it fails.
Which of the following is a possible cause? Choose two.
Correct
Answer: B & D
Option A is incorrect; firewall rules do not affect the creation of a peering.
Options B and D are correct: you need the required IAM permissions in both projects to create the peering, and the subnet IP ranges of the two networks, including secondary ranges, cannot overlap (Google Cloud checks this when the peering is created and again whenever subnets are added later).
Option C is incorrect; VPC networks are global resources, and peering works across projects and organizations. https://cloud.google.com/vpc/docs/vpc-peering explains the properties and restrictions of VPC Network Peering.
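A pre-flight check for the overlap cause in option D, as an added Python example (not from the original test or from Google): it lists every pair of overlapping ranges between two networks' subnets, secondary ranges included, and tests whether a new subnet could still be added once the networks are peered. The subnet names and CIDRs are constructed for the example.

```python
import ipaddress
from itertools import product

# Constructed subnet inventories for the two networks to be peered (hypothetical
# names): each subnet lists its primary range first, then any secondary ranges.
VPC_A = {
    "a-us-central1": ["10.0.0.0/20", "10.4.0.0/14"],
    "a-europe-west1": ["10.1.0.0/20"],
}
VPC_B = {
    "b-us-east1": ["10.2.0.0/20"],
    "b-asia-east1": ["10.5.0.0/24", "172.16.0.0/20"],
}


def ranges(vpc):
    """Yield (subnet name, network) for every primary and secondary range."""
    for subnet, cidrs in vpc.items():
        for cidr in cidrs:
            # strict=True rejects ranges whose host bits are set, a common typo
            yield subnet, ipaddress.ip_network(cidr, strict=True)


def peering_conflicts(vpc_a, vpc_b):
    """Pairs of ranges that overlap across the two networks. Any result means the
    peering is rejected; secondary ranges count exactly like primary ranges."""
    return [
        (sa, str(na), sb, str(nb))
        for (sa, na), (sb, nb) in product(ranges(vpc_a), ranges(vpc_b))
        if na.overlaps(nb)
    ]


def can_add_subnet(cidr, *peered_vpcs):
    """Once peered, a new range must also avoid every range of the peer networks."""
    new = ipaddress.ip_network(cidr)
    return not any(new.overlaps(net) for vpc in peered_vpcs for _, net in ranges(vpc))


if __name__ == "__main__":
    for sa, ra, sb, rb in peering_conflicts(VPC_A, VPC_B):
        print(f"overlap: {sa} {ra} <-> {sb} {rb}")
    print(can_add_subnet("10.3.0.0/20", VPC_A, VPC_B))   # True
    print(can_add_subnet("10.6.0.0/24", VPC_A, VPC_B))   # False: inside 10.4.0.0/14
```

In the constructed data the only conflict is the large 10.4.0.0/14 secondary range in network A against 10.5.0.0/24 in network B, which is the kind of collision that is easy to miss when only primary ranges are compared.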
Question 29 of 52
29. Question
As the network engineer in your company, you have created an ingress firewall rule for HTTP traffic into all GCE instances hosting a public-facing application with the tag web-server. You can see the logs of all allowed HTTP traffic, but you do not see logs for denied SSH traffic from 0.0.0.0/0 to the instances.
How do you fix this?
Correct
Answer: D
Options A and C are incorrect; what is needed is an ingress rule.
Option B is incorrect; the firewall rule should target the specified tag, web-server.
Option D is correct: it is an ingress deny rule for the web-server tag with firewall rules logging turned on. The implied deny-ingress rule that drops the SSH traffic today is never logged, so the denies only appear once an explicit deny rule with logging enabled matches them. https://cloud.google.com/vpc/docs/firewall-rules-logging explains more about firewall rules logging
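The firewall log source accepted in question 24 and the logging gap in question 29 can be exercised offline. The following Python is an added example (not from the original test or from Google): it parses constructed entries shaped like the jsonPayload of VPC firewall-rule log records, with the connection 5-tuple, the disposition, the matching rule and the instance, and pulls out denied SSH attempts from sources outside RFC 1918 space. The log lines, VM names and rule names are constructed, and the protocol being carried as its IANA number (6 for TCP) is an assumption of the example. The DENIED entries exist only because a deny rule with logging enabled matched; the implied deny rule writes nothing, which is the point of option D.

```python
import ipaddress
import json
from collections import Counter

# Constructed log lines (not real captures) laid out like the jsonPayload of
# VPC firewall-rule log entries.
SAMPLE_FIREWALL_LOGS = [
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "203.0.113.10", "src_port": 51514,
                       "dest_ip": "10.10.0.5", "dest_port": 80, "protocol": 6},
        "disposition": "ALLOWED",
        "rule_details": {"reference": "network:prod-vpc/firewall:allow-http",
                         "action": "ALLOW", "direction": "INGRESS"},
        "instance": {"vm_name": "web-1", "zone": "us-central1-a"}}}),
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "198.51.100.7", "src_port": 40022,
                       "dest_ip": "10.10.0.5", "dest_port": 22, "protocol": 6},
        "disposition": "DENIED",
        "rule_details": {"reference": "network:prod-vpc/firewall:deny-ssh-logged",
                         "action": "DENY", "direction": "INGRESS"},
        "instance": {"vm_name": "web-1", "zone": "us-central1-a"}}}),
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "198.51.100.7", "src_port": 40023,
                       "dest_ip": "10.10.0.6", "dest_port": 22, "protocol": 6},
        "disposition": "DENIED",
        "rule_details": {"reference": "network:prod-vpc/firewall:deny-ssh-logged",
                         "action": "DENY", "direction": "INGRESS"},
        "instance": {"vm_name": "web-2", "zone": "us-central1-b"}}}),
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "10.10.0.9", "src_port": 55000,
                       "dest_ip": "10.10.0.5", "dest_port": 22, "protocol": 6},
        "disposition": "ALLOWED",
        "rule_details": {"reference": "network:prod-vpc/firewall:allow-internal-ssh",
                         "action": "ALLOW", "direction": "INGRESS"},
        "instance": {"vm_name": "web-1", "zone": "us-central1-a"}}}),
]

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP = 6   # IANA protocol number, as assumed for the connection.protocol field


def parse_entries(lines):
    """Parse JSON log lines into their jsonPayload dicts, skipping malformed ones."""
    out = []
    for line in lines:
        try:
            out.append(json.loads(line)["jsonPayload"])
        except (ValueError, KeyError):
            continue
    return out


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)


def denied_ssh_from_internet(entries):
    """Denied ingress TCP/22 attempts from non-RFC 1918 sources as (src_ip, vm_name, rule)."""
    hits = []
    for e in entries:
        c = e["connection"]
        if (e["disposition"] == "DENIED"
                and e["rule_details"]["direction"] == "INGRESS"
                and c["protocol"] == TCP and c["dest_port"] == 22
                and not is_internal(c["src_ip"])):
            hits.append((c["src_ip"], e["instance"]["vm_name"], e["rule_details"]["reference"]))
    return hits


def top_denied_sources(entries, n=5):
    """Most frequent source IPs among DENIED entries, for a quick triage view."""
    denied = (e["connection"]["src_ip"] for e in entries if e["disposition"] == "DENIED")
    return Counter(denied).most_common(n)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_FIREWALL_LOGS)
    for hit in denied_ssh_from_internet(entries):
        print("denied SSH:", hit)
    print(top_denied_sources(entries))
```

Against a real export the same functions work on the `jsonPayload` of each entry pulled from Cloud Logging; the filter on `rule_details.reference` is what tells you which rule produced the record, and an absence of records for a rule you expect to fire usually means logging was never enabled on it.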
Question 30 of 52
30. Question
You have been asked to restrict communication between pods and Services so that you can determine which pods are allowed to communicate with one another in your GKE cluster.
Which of the following can be used to achieve this?
Question 31 of 52
31. Question
You are in charge of setting up Interconnect provisioning for your company between the on-premises network and GCP networks. The company needs a bandwidth of 5Gbps to meet peak demand, and the firm does not currently want to manage the BGP session.
Which of the following can be used to achieve this?
Correct
Answer: C
Option A is incorrect; the minimum circuit size for Dedicated Interconnect is 10Gbps.
Option B is incorrect; if this is chosen, the firm has to manage its own BGP sessions.
Option C is correct; with this option the service provider manages the BGP session with your Cloud Router (the layer 3 Partner Interconnect model).
Option D is incorrect; it does not connect GCP networks to the on-premises network. https://cloud.google.com/network-connectivity/docs/interconnect/how-to/partner/provisioning-overview explains Cloud Interconnect provisioning.
Question 32 of 52
32. Question
You are in charge of configuring Partner Interconnect for your company between the on-premises network and GCP networks. The company has chosen a service provider to provide 5Gbps of bandwidth to meet peak demand, and the firm does not currently want to manage the BGP session.
Which of the following would you configure in GCP?
Correct
Answer: A
Option A is correct.
Option B is incorrect because leaving the VLAN attachments without pre-activation means the firm manages the BGP sessions itself, which is not the requirement.
Option C is incorrect because that option is for configuring a VLAN attachment on a Dedicated Interconnect.
Option D is incorrect because the Cloud Router must be in the same region as the VLAN attachment. https://cloud.google.com/network-connectivity/docs/interconnect/how-to/partner/provisioning-overview explains Cloud Interconnect provisioning.
Question 33 of 52
33. Question
You are the network engineer in a small firm. You are tasked with implementing cost-effective hybrid connectivity that can carry up to 4.5Gbps between GCP and the on-premises networks. The GCP VPC network will have subnets with resources in several regions. You have the requirements below.
1. Speed of delivery and low cost.
2. Dynamically advertise all subnets in the VPC network to the on-premises network.
3. Encrypted communications between GCP and the on-premises network.
Which of the following would you configure in GCP?
Correct
Answer: D
Option A is incorrect because the default dynamic routing mode is regional, which means only the subnets in the Cloud Router's region are advertised; there is also no need for a static route, since the Cloud Router adds dynamic routes.
Option B is incorrect because a single Cloud VPN tunnel has a maximum throughput of about 3Gbps, which does not meet the bandwidth requirement.
Option C is incorrect because the default dynamic routing mode is regional, which means only the subnets in the Cloud Router's region are advertised, and a Cloud Router is needed to dynamically exchange routes with GCP.
Option D is correct because it combines global dynamic routing mode, a Cloud Router, and Cloud VPN with two tunnels to meet the bandwidth requirement, with IPsec providing the encryption. https://cloud.google.com/network-connectivity/docs/router/concepts/overview explains dynamic routing mode. https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview#vpn-types explains how to choose between the VPN types.
The diagram below shows the default Dynamic routing mode is Regional
Question 34 of 52
34. Question
Which network standard is used to enable dynamic route discovery for private RFC 1918 communications between GCP and a non-GCP network?
Correct
Answer: B
Option A is incorrect; RDP allows remote users to see and use Windows on a device in another location.
Option B is correct; BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS), i.e. GCP and your on-premises network, on the Internet.
Option C is incorrect, because Secure Shell is a remote administration protocol that allows users to control and modify their remote servers over the Internet.
Option D is incorrect, because RFC 1918 describes a set of network IP ranges set aside for so-called "private" use.
Question 35 of 52
35. Question
You are required to configure the external load balancer for your firm's application in GCP. Some of the key requirements are pass-through traffic, a single-region backend, and maintaining user sessions whilst ensuring a good distribution of traffic across instances.
Which configuration meets the given requirements?
Correct
Answer: A
Option A is correct. The Network Load Balancer is a pass-through type of load balancer, and the default session affinity ensures that traffic (different sessions) is distributed evenly across the backends.
Option B is incorrect; with this setting, all sessions from the same client reach the same backend, as long as the backend stays healthy. In general, it provides better session affinity than the default method, but the overall traffic may not be as evenly distributed.
Options C and D are incorrect, because the SSL Proxy load balancer cannot be used for pass-through traffic. It proxies all traffic.
See https://cloud.google.com/load-balancing/docs/target-pools#sessionaffinity for more explanation of the session affinity options in GCP.
See https://cloud.google.com/load-balancing/docs/choosing-load-balancer for more on how to choose a load balancer in GCP.
Question 36 of 52
36. Question
As the network engineer, you are required to configure the external layer 7 load balancer for your firm's application in GCP.
Which of the following port configurations are possible destination ports?
Correct
Answer: C
Options A, B & D are incorrect; ports 25 and 110 are not possible destination ports for HTTP(S) load balancers.
Option C is correct; ports 80, 8080 & 443 are the destination ports for the HTTP(S) load balancer. https://cloud.google.com/load-balancing/docs/choosing-load-balancer provides a list of the destination ports for the different load balancers.
Question 37 of 52
37. Question
You are considering the best choice of Network Service Tiers for the company's global application. There have been situations where developers have used a tier that is not in alignment with project objectives, and this is an issue that needs to be minimized.
Which of the following configurations is the most efficient way to set the desired Network Service Tier for all resources in a Project within an Organization?
Correct
Answer: A
Option A is correct; see the diagram below. The most efficient place to set a Network Service Tier is at the project-wide level; otherwise it will have to be set on every resource deployed.
Options B & D are incorrect; this cannot be set at the organization (root) level, only at the project level.
Option C is incorrect; Network Service Tiers is under Networking. https://cloud.google.com/network-tiers/docs/overview explains the different services and the Network Service Tiers used.
Question 38 of 52
38. Question
You have created a custom VPC in your GCP project with three subnets. Which of the following holds true? Choose two.
Correct
Answer: B and D
Option A is incorrect because default routes are created when subnets are created to allow inter-subnet communication.
Options B and D are correct; custom VPCs have no firewall rules created, and Private Google Access is turned off by default.
Option C is incorrect; VPC Flow Logs are turned off by default.
Question 39 of 52
39. Question
As part of an organisation's IAM management, a Google group for network admins has been assigned the Compute Network Admin role in a GCP project. Which of the following is true? Choose three.
Correct
Answer: A, B and D
Option A is correct; the Compute Network Admin can list the firewall rules.
Option B is correct; the Compute Network Admin cannot create or delete firewall rules.
Option C is incorrect; the Compute Network Admin cannot enable or disable a Shared VPC.
Option D is correct; the Compute Network Admin can create and delete interconnect attachments. https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin has a list of the permissions for the Compute Network Admin.
Question 40 of 52
40. Question
You are responsible for defining the permissions of a Google group for network security admins at a folder level in a GCP Organization. The team needs to be able to create and delete firewall rules and manage SSL certificates and SSL policies only. Following GCP best practices, which role should you assign to the group?
You are creating a new Service Account role in your GCP Project with custom permissions. Which of the following is true about Service Accounts? Choose two.
Correct
Answer: A & C
Option A is correct; service accounts use key pairs to authenticate to Google.
Option B is incorrect; they do not have passwords.
Option C is correct, permissions can be granted to allow users to impersonate a service account.
Option D is incorrect, they can be disabled and deleted. https://cloud.google.com/iam/docs/service-accounts has more details on service accounts.
Question 42 of 52
42. Question
You have created a VPC with one subnet in your GCP project. The subnet has an IP CIDR of 192.168.0.0/24. How many usable addresses are there in the range?
Correct
Answer: D
Option A is incorrect; this is the total number of addresses in the CIDR range.
Option B is incorrect; GCP reserves four IP addresses in every primary CIDR range.
Option C is incorrect; GCP reserves four IP addresses in every primary CIDR range.
Option D is correct; GCP reserves four IP addresses in every primary CIDR range, therefore you are left with 251 usable addresses. https://cloud.google.com/vpc/docs/vpc#reserved_ip_addresses_in_every_subnet explains the IP reservations in subnets.
Question 43 of 52
43. Question
An organization has a VPC with subnets in three regions, which are europe-west1, europe-north1 and us-central1. GCE instances have been deployed, without external IPs, into all three subnets. The appropriate firewall rules and routes are in place. A Cloud NAT resource was created and attached to the VPC in us-central1. The instances in two subnets are unable to download updates from the internet.
What could be the problem?
Correct
Answer: C
Option A is incorrect; firewall rules are at the VPC level, and we are told the firewall rules are OK.
Option B is incorrect; one subnet can reach the internet, so the routes are not the problem. Also, routes are VPC-wide, not subnet-specific.
Option C is correct; private GCE instances need Cloud NAT to reach the internet.
Option D is incorrect; Cloud Router is used to dynamically exchange route information between two networks.
Question 44 of 52
44. Question
You have been asked to configure logging on Cloud NAT to show the successful connections from the VMs to the internet. Which of the following are the two types of logs that Cloud NAT sends to Cloud Logging?
Correct
Answer: A & C
Option A is correct; this shows VMs that initiate a connection that is successfully allocated a NAT IP and port and traverses to the internet.
Option B is incorrect; this is not an option for Cloud NAT logging.
Option C is correct; it shows details of when the NAT gateway can't allocate a NAT IP and port due to port exhaustion.
Option D is incorrect; this is not an option for Cloud NAT logging.
Question 45 of 52
45. Question
You have been tasked with configuring a GKE cluster in a VPC. Several requirements have been provided below:
1. Each node in the cluster is allocated a /24 range of IPs.
2. The cluster should have one IP range for both pods and services.
As a Network Engineer, you need to design a safe way, using the best-practice principle of least privilege, for the applications running in Compute Engine to access a Cloud SQL database. Which of the following solutions would you recommend for this?
Correct
Answer: B
Option A is incorrect because it doesn't follow the principle of least privilege. The Compute Engine default service account has the primitive role of Editor, which is too permissive.
Option B is correct because it uses a custom role with permissions for selected services, and it uses the Secret Manager service to securely store the database password and encrypt it at rest using Cloud KMS.
Option C is incorrect because hardcoding the database password into the application is not best practice, and using the Compute Engine default service account is too permissive.
Option D is incorrect because it is not possible to use IAM to store credentials.
See https://cloud.google.com/iam/docs/overview for more information on IAM roles.
See https://cloud.google.com/kms/docs/iam to understand how IAM is integrated with Cloud KMS.
See https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets for more information on Secret Manager.
Question 47 of 52
47. Question
As the network engineer for a growing organisation, you have been asked to implement a network appliance that will handle Intrusion Detection and Prevention (IDS/IPS) between networks. The instance requires multiple network interfaces.
Which of the following is true about modifying network interfaces of GCE instances?
Correct
Answer: C
Options A and B are incorrect because you cannot add or remove network interfaces from an existing VM.
Option C is correct because adding more network interfaces can only be done at instance creation.
Option D is incorrect because IP forwarding is done at the VM level.
See https://cloud.google.com/vpc/docs/create-use-multiple-interfaces#max-interfaces for more information on instances with multiple interfaces.
Question 48 of 52
48. Question
As the network engineer, you are tasked with automating the repeatability of certain actions in GCP such as creation of VPC, Cloud Buckets and Cloud VPN connections.
Which of the following services can you leverage?
Correct
Answer: C
Option A is incorrect; it is a managed compute platform that enables you to run stateless containers that are invocable via web requests or Pub/Sub events.
Option B is incorrect; it is a lightweight compute solution for developers to create single-purpose, stand-alone functions that respond to Cloud events without the need to manage a server or runtime environment.
Option C is correct; it allows you to specify all the resources needed for your application in a declarative format using YAML.
Option D is incorrect; this does not allow for automating repeatability. https://cloud.google.com/deployment-manager provides more information on the features and usability of Deployment Manager.
Question 49 of 52
49. Question
You have been tasked with configuring a GKE cluster using a Shared VPC. Several requirements have been provided below:
1. Flexibility in pods-per-node configuration.
2. Using alias IP ranges for the Kubernetes resources.
3. Distinct IP ranges for pods and services.
Which Cluster network mode would you choose?
You are in charge of configuring the connectivity between GCP and the remote network. You are considering what encryption to implement on the VPN tunnels. Which of these is the encryption supported by Cloud VPN?
A hybrid connection has just been set up between GCP and your company's on-premises network using Cloud VPN and Cloud Router. You try pinging a GCE instance in GCP from a VM on-premises, but it failed.
Which of the following could be a possible reason? Choose two.
Correct
Correct Options:
B. There is no firewall rule to allow incoming ICMP traffic from the on-premises network: This is correct because firewall rules control the flow of traffic to and from your GCE instances. If there is no firewall rule explicitly allowing ICMP (ping) traffic from the on-premises network to the GCE instance, the traffic will be denied by default.
D. There is no route in GCP to the on-premises network: This is correct because routes define the paths that network traffic takes. If there is no route in GCP that directs traffic from the GCE instance to the on-premises network, the ping requests won’t be able to reach the GCE instance or return to the on-premises network.
Incorrect Options:
A. A Cloud Armor security policy is denying the traffic: This is incorrect because Cloud Armor primarily provides security policies for HTTP(S) traffic, and it does not manage ICMP traffic. Therefore, it is unlikely that a Cloud Armor policy is the cause of the ping failure.
C. The implied allow egress rule which permits outgoing ICMP traffic from your GCP network has been overridden: This is incorrect because even if the implied allow egress rule was overridden, it would affect outgoing traffic from GCP, not incoming ICMP traffic from the on-premises network. The issue here is related to incoming traffic, so this option does not apply.
Question 52 of 52
52. Question
As the network engineer on a GCP project, you are tasked with troubleshooting some DNS issues with the DNS forwarding setup. The on-premises resources are unable to resolve private zones in GCP through Cloud VPN. Which of these solutions can be used? Choose two.
Correct
Answer: B & D
Option A is incorrect; DNS peering is used to send record requests from one VPC to another VPC.
Option C is incorrect; it is inbound forwarding that is used to allow DNS queries from on-premises into GCP.
Options B & D are correct; if the Cloud VPN has no connectivity, the DNS queries into GCP would fail. https://cloud.google.com/dns/docs/troubleshooting provides a checklist for troubleshooting Cloud DNS.