Professional-Cloud-Network-Engineer Dumps By Pros - 1st Attempt Guaranteed Success [Q18-Q38]


NEW QUESTION 18
You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.
What should you do?

  • A. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
  • B. Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
  • C. Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.
  • D. Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.

Answer: A

Explanation:
https://link.springer.com/chapter/10.1007/978-1-4842-1004-8_4

 

NEW QUESTION 19
You are increasing your usage of Cloud VPN between on-premises and GCP, and you want to support more traffic than a single tunnel can handle. You want to increase the available bandwidth using Cloud VPN.
What should you do?

  • A. Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address.
  • B. Add a second Cloud VPN gateway in a different region than the existing VPN gateway.
    Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.
  • C. Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.
  • D. Add a second on-premises VPN gateway with a different public IP address.
    Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.

Answer: A

Explanation:
https://cloud.google.com/vpn/docs/concepts/classic-topologies

 

NEW QUESTION 20
You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team as efficiently as possible.
What should you do?

  • A. Create a new Custom Role for all members of the WebServices Team.
  • B. Create a new Cloud Identity Domain for the WebServices Team.
  • C. Create a Google Group for the WebServices Team.
  • D. Create a G Suite Domain for the WebServices Team.

Answer: C

 

NEW QUESTION 21
You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.
Which two actions should you take? (Choose two.)

  • A. Create a private connection to a service producer.
  • B. Activate the Cloud Datastore API in your project.
  • C. Activate the Service Networking API in your project.
  • D. Create a custom static route to allow the traffic to reach the Cloud SQL API.
  • E. Enable Private Google Access.

Answer: A,C

Explanation:
https://cloud.google.com/sql/docs/mysql/private-ip

 

NEW QUESTION 22
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.
How should you configure the health check?

  • A. Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
  • B. Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.
  • C. Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
  • D. Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.

Answer: A

 

NEW QUESTION 23
You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.
Which connection type should you choose?

  • A. Direct Peering
  • B. Dedicated Interconnect
  • C. Partner Interconnect
  • D. Carrier Peering

Answer: A

Explanation:
When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC networks in your projects. Google Cloud customers must request that direct egress pricing be enabled for each of their projects after they have established Direct Peering with Google. For more information, see Pricing.

 

NEW QUESTION 24
You are configuring a new instance of Cloud Router in your Organization's Google Cloud environment to allow connection across a new Dedicated Interconnect to your data center. Sales, Marketing, and IT each have a service project attached to the Organization's host project.
Where should you create the Cloud Router instance?

  • A. VPC network in the Host Project
  • B. VPC network in the IT Project
  • C. VPC network in the Sales, Marketing, and IT Projects
  • D. VPC network in all projects

Answer: A

 

NEW QUESTION 25
You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?

  • A. Using the new instance template, perform a rolling update across all instances in the instance group.
    Verify the new feature once the rollout completes.
  • B. Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template.
    Verify the new feature on the canary instances, and then roll forward to the rest of the instances.
  • C. Deploy a new instance group and canary the updated template in that group.
    Verify the new feature in the new canary instance group, and then update the original instance group.
  • D. Manually patch some of the instances, and then perform a rolling restart on the instance group.

Answer: C

Explanation:
https://cloud.google.com/compute/docs/instance-groups/creating-groups-of-managed-instances

 

NEW QUESTION 26
You are adding steps to a working automation that uses a service account to authenticate. You need to give the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?

  • A. Grant the read-only privilege to the service account for the Cloud Storage bucket.
  • B. Grant the compute.instanceAdmin to your user account.
  • C. Grant the iam.serviceAccountUser to your user account.
  • D. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.

Answer: C

 

NEW QUESTION 27
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.
What should you do?

  • A. Assign each user the editor role.
  • B. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
  • C. Assign each user the compute.networkAdmin role.
  • D. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.

Answer: B

 

NEW QUESTION 28
You are adding steps to a working automation that uses a service account to authenticate. You need to give the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?

  • A. Grant the compute.instanceAdmin to your user account.
  • B. Grant the iam.serviceAccountUser to your user account.
  • C. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.
  • D. Grant the read-only privilege to the service account for the Cloud Storage bucket.

Answer: B

Explanation:
https://cloud.google.com/compute/docs/access/iam

 

NEW QUESTION 29
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?

  • A. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
  • B. Open Cloud Shell and SSH into the instance using gcloud compute ssh.
  • C. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
  • D. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.

Answer: A

Explanation:
https://cloud.google.com/compute/docs/storing-retrieving-metadata

 

NEW QUESTION 30
Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates.
Which Google Cloud load balancer should you use?

  • A. HTTPS load balancer
  • B. SSL proxy load balancer
  • C. TCP proxy load balancer
  • D. Network load balancer

Answer: B

Explanation:
https://cloud.google.com/security/encryption-in-transit/

 

NEW QUESTION 31
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.
Which level of permissions should you request?

  • A. Service Project Admin privileges from the Shared VPC Admin.
  • B. Security Admin privileges from the Shared VPC Admin.
  • C. Organization Admin privileges from the Organization Admin.
  • D. Shared VPC Admin privileges from the Organization Admin.

Answer: B

Explanation:
A Shared VPC Admin can define a Security Admin by granting an IAM member the Security Admin (compute.securityAdmin) role on the host project. Security Admins manage firewall rules and SSL certificates.

 

NEW QUESTION 32
In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost.
Which two steps should you take? (Choose two.)

  • A. Enable Shared VPC in one project (e.g., code-dev), and make the second project (e.g., data-dev) a service project.
  • B. Connect both projects using Cloud VPN.
  • C. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
  • D. Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
  • E. Connect the VPCs in project code-dev and data-dev using VPC Network Peering.

Answer: A,D

 

NEW QUESTION 33
You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy.
Which GKE resource should you use?

  • A. GKE Node
  • B. GKE Pod
  • C. GKE Cluster
  • D. GKE Ingress

Answer: D

Explanation:
Cloud Armor is applied at the load balancer, so on GKE it is configured through Ingress: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features
Security policy features. Google Cloud Armor security policies have the following core features:
- You can optionally use the QUIC protocol with load balancers that use Google Cloud Armor.
- You can use Google Cloud Armor with external HTTP(S) load balancers that are in either Premium Tier or Standard Tier.
- You can use security policies with GKE and the default Ingress controller.

 

NEW QUESTION 34
You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 services. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption.
How should you design this topology?

  • A. Create a subnet of size /25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
  • B. Use gcloud container clusters create [CLUSTER NAME] --enable-ip-alias to create a VPC-native cluster.
  • C. Create a subnet of size /28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.
  • D. Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.

Answer: A

Explanation:
The service range setting is permanent and cannot be changed. Please see https://stackoverflow.com/questions/60957040/how-to-increase-the-service-address-range-of-a-gke-cluster
I think the correct answer is A since: growth is expected up to 100 nodes (that would be /25), then up to 200 pods per node (100 times 200 = 20000, so /17 is 32768), then 1500 services in a /21 (up to 2048).
https://docs.netgate.com/pfsense/en/latest/book/network/understanding-cidr-subnet-mask-notation.html

 

NEW QUESTION 35
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

  • A. Turn on Private Services Access at the VPC level.
  • B. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
  • C. Turn on Private Google Access at the VPC level.
  • D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
  • E. Turn on Private Google Access at the subnet level.

Answer: A,B

Explanation:
https://cloud.google.com/vpc/docs/private-access-options

 

NEW QUESTION 36
You have a storage bucket that contains the following objects:
- folder-a/image-a-1.jpg
- folder-a/image-a-2.jpg
- folder-b/image-b-1.jpg
- folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached.
You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?

  • A. Issue a cache invalidation command with pattern /folder-a/*.
  • B. Add an appropriate lifecycle rule on the storage bucket.
  • C. Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.
  • D. Make sure that all the objects with prefix folder-a are not shared publicly.

Answer: D

 

NEW QUESTION 37
You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy.
Which GKE resource should you use?

  • A. GKE Node
  • B. GKE Ingress
  • C. GKE Cluster
  • D. GKE Pod

Answer: D

 

NEW QUESTION 38
......
