Question No. 1

You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?

AConfigure the remote autonomous system number (ASN) to 4096.

BConfigure a second Cloud Router to scale bandwidth in and out of the VPC.

CConfigure the maximum transmission unit (MTU) to its highest supported value.

DConfigure a second set of active/passive VPN tunnels.

Show Answer

Correct Answer: D

Question No. 2

You are a network administrator at your company planning a migration to Google Cloud and you need to finish the migration as quickly as possible, To ease the transition, you decided to use the same architecture as your on-premises network' a hub-and-spoke model. Your on-premises architecture consists of over 50 spokes. Each spoke does not have connectivity to the other spokes, and all traffic IS sent through the hub for security reasons. You need to ensure that the Google Cloud architecture matches your on-premises architecture. You want to implement a solution that minimizes management overhead and cost, and uses default networking quotas and limits. What should you do?

AConnect all the spokes to the hub with Cloud VPN.

BConnect all the spokes to the hub with VPC Network Peering.

CConnect all the spokes to the hub With Cloud VPN. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes

DConnect all the spokes to the hub with VPC Network Peering. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes.

Show Answer

Correct Answer: D

The correct answer is D because it meets the following requirements:

It matches the hub-and-spoke model of the on-premises network, where each spoke is a separate VPC network that is connected to a central hub VPC network.

It minimizes management overhead and cost, because VPC Network Peering is a simple and low-cost way to connect VPC networks without using any external IP addresses or VPN gateways1.

It uses default networking quotas and limits, because VPC Network Peering does not consume any quota or limit for VPN tunnels, external IP addresses, or forwarding rules2.

It prevents connectivity between the spokes, because VPC Network Peering is non-transitive by default, meaning that a spoke can only communicate with the hub, not with other spokes1.To enforce this restriction, a third-party network appliance can be used as a default gateway in each spoke VPC network, which can filter out any traffic destined for other spokes3.

Option A is incorrect because it does not minimize cost, as Cloud VPN charges for egress traffic and requires external IP addresses for the VPN gateways4.Option B is incorrect because it does not prevent connectivity between the spokes, as VPC Network Peering allows direct communication between peered VPC networks by default1. Option C is incorrect because it does not minimize cost or use default quotas and limits, for the same reasons as option A.

VPC Network Peering overview | VPC

Quotas and limits | VPC

Hub-and-spoke network architecture | Cloud Architecture Center

Cloud VPN overview | Google Cloud

Question No. 3

Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that the caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it as a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost.

Which two steps should you take? (Choose two.)

AUse Cloud Armor to blacklist the attacker's IP addresses.

BIncrease the maximum autoscaling backend to accommodate the severe bursty traffic.

CCreate a global HTTP(s) load balancer and move your application backend to this load balancer.

DShut down the entire application in GCP for a few hours. The attack will stop when the application is offline.

ESSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.

Show Answer

Correct Answer: B, E

Question No. 4

You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.

Which session affinity should you choose?

ANone

BClient IP

CClient IP and protocol

DClient IP, port and protocol

Show Answer

Correct Answer: B

Question No. 5

You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps. What should you do?

ASet up the engineer with Compute Shared VPC Admin IAM role at the folder level.

BSet up the engineer with Compute Shared VPC Admin IAM role at the organization level.

CSet up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.

DSet up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.

Show Answer

Correct Answer: B

Free Google Professional-Cloud-Network-Engineer Exam Actual Questions

The questions for Professional-Cloud-Network-Engineer were last updated On Dec 19, 2024