Google Professional Cloud Network Engineer 시험

Question No : 1

Your company has separate Virtual Private Cloud (VPC) networks in a single region for two departments: Sales and Finance. The Sales department's VPC network already has connectivity to on-
premises locations using HA VPN, and you have confirmed that the subnet ranges do not overlap. You plan to peer both VPC networks to use the same HA tunnels for on-premises connectivity, while providing internet connectivity for the Google Cloud workloads through Cloud NAT. Internet access from the on-premises locations should not flow through Google Cloud. You need to propagate all routes between the Finance department and on-premises locations.
What should you do?

• A.Peer the two VPCs, and use the default configuration for the Cloud Routers.
• B.Peer the two VPCs, and use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.
• C.Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router’s custom route advertisements to announce a default route to the on-premises locations.
• D.Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.

답을 확인하기

정답:

Question No : 2

You are the network administrator responsible for hybrid connectivity at your organization. Your developer team wants to use Cloud SQL in the us-west1 region in your Shared VPC. You configured a Dedicated Interconnect connection and a Cloud Router in us-west1, and the connectivity between your Shared VPC and on-premises data center is working as expected. You just created the private services access connection required for Cloud SQL using the reserved IP address range and default settings. However, your developers cannot access the Cloud SQL instance from on-premises. You want to resolve the issue.
What should you do?

• A.Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes. Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range.
• B.Change the VPC routing mode to global. Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range.
• C.Create an additional Cloud Router in us-west2. Create a new Border Gateway Protocol (BGP) peering connection to your on-premises data center. Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.
• D.Change the VPC routing mode to global. Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.

답을 확인하기

정답:

Question No : 3

You need to create the network infrastructure to deploy a highly available web application in the us-east1 and us-west1 regions. The application runs on Compute Engine instances, and it does not require the use of a database. You want to follow Google-recommended practices.
What should you do?

• A.Create one VPC with one subnet in each region. Create a regional network load balancer in each region with a static IP address. Enable Cloud CDN on the load balancers. Create an A record in Cloud DNS with both IP addresses for the load balancers.
• B.Create one VPC with one subnet in each region. Create a global load balancer with a static IP address. Enable Cloud CDN and Google Cloud Armor on the load balancer. Create an A record using the IP address of the load balancer in Cloud DN
• C.Create one VPC in each region, and peer both VPCs. Create a global load balancer. Enable Cloud CDN on the load balancer. Create a CNAME for the load balancer in Cloud DN
• D.Create one VPC with one subnet in each region. Create an HTTP(S) load balancer with a static IP address. Choose the standard tier for the network. Enable Cloud CDN on the load balancer. Create a CNAME record using the load balancer’s IP address in Cloud DN

답을 확인하기

정답:

Question No : 4

You have applications running in the us-west1 and us-east1 regions. You want to build a highly available VPN that provides 99.99% availability to connect your applications from your project to the cloud services provided by your partner's project while minimizing the amount of infrastructure required. Your partner's services are also in the us-west1 and us-east1 regions. You want to implement the simplest solution.
What should you do?

• A.Create one Cloud Router and one HA VPN gateway in each region of your VPC and your partner's VP
• B.Connect your VPN gateways to the partner's gateways. Enable global dynamic routing in each VP
• C.Create one Cloud Router and one HA VPN gateway in the us-west1 region of your VP
• D.Create one OpenVPN Access Server in each region of your partner's VP
• E.Connect your VPN gateway to your partner's servers.
• F.Create one OpenVPN Access Server in each region of your VPC and your partner's VP
• G.Connect your servers to the partner's servers.
• H.Create one Cloud Router and one HA VPN gateway in the us-west1 region of your VPC and your partner's VP
• I.Connect your VPN gateways to the partner's gateways with a pair of tunnels. Enable global dynamic routing in each VP

답을 확인하기

정답:

Question No : 5

You recently deployed Cloud VPN to connect your on-premises data canter to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect.
What should you do?

• A.In the Network Intelligence Canter, check for the number of packet drops on the VP
• B.In the Google Cloud Console, use Monitoring Query Language to create a custom alert for bandwidth utilization.
• C.In the Monitoring section of the Google Cloud Console, use the Dashboard section to select a default dashboard for VPN usage.
• D.In the VPN section of the Google Cloud Console, select the VPN under hybrid connectivity, and then select monitoring to display utilization on the dashboard.

답을 확인하기

정답:

Question No : 6

You are developing an HTTP API hosted on a Compute Engine virtual machine instance that must be invoked only by multiple clients within the same Virtual Private Cloud (VPC). You want clients to be able to get the IP address of the service.
What should you do?

• A.Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Clients should use this IP address to connect to the service.
• B.Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal/.
• C.Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Then, define an A record in Cloud DN
• D.Clients should use the name of the A record to connect to the service.
• E.Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[API_NAME]/[API_VERSION]/.

답을 확인하기

정답:

Question No : 7

Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2.
What should you do?

• A.Enable firewall logging, and forward all filtered egress firewall logs to the ID
• B.Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the ID
• C.Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.
• D.Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

답을 확인하기

정답:

Question No : 8

You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers.
What should you do?

• A.Configure a forwarding rule on the existing load balancer for the application tier.
• B.Configure equal cost multi-path routing on the application servers.
• C.Configure a new internal HTTP(S) load balancer for the application tier.
• D.Configure a URL map on the existing load balancer to route traffic to the application tier.

답을 확인하기

정답:

Question No : 9

36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.

답을 확인하기

정답: C

Question No : 10

Your company's security team tends to use managed services when possible. You need to build a dashboard to show the number of deny hits that occur against configured firewall rules without increasing operational overhead.
What should you do?

• A.Configure Firewall Rules Logging. Use Firewall Insights to display the number of hits.
• B.Configure Firewall Rules Logging. View the logs in Cloud Logging, and create a custom dashboard in Cloud Monitoring to display the number of hits.
• C.Configure a firewall appliance from the Google Cloud Marketplace. Route all traffic through this appliance, and apply the firewall rules at this layer. Use the firewall appliance to display the number of hits.
• D.Configure Packet Mirroring on the VP
• E.Apply a filter with an IP address list of the Denied Firewall rules. Configure an intrusion detection system (IDS) appliance as the receiver to display the number of hits.

답을 확인하기

정답:

Question No : 11

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from your on-premises network using Cloud Interconnect. You must configure access only to Google APIs and services that are supported by VPC Service Controls through hybrid connectivity with a service level agreement (SLA) in place.
What should you do?

• A.Configure the existing Cloud Routers to advertise the Google API's public virtual IP addresses.
• B.Use Private Google Access for on-premises hosts with restricted.googleapis.com virtual IP addresses.
• C.Configure the existing Cloud Routers to advertise a default route, and use Cloud NAT to translate traffic from your on-premises network.
• D.Add Direct Peering links, and use them for connectivity to Google APIs that use public virtual IP addresses.

답을 확인하기

정답:

Question No : 12

You are deploying a global external TCP load balancing solution and want to preserve the source IP address of the original layer 3 payload.
Which type of load balancer should you use?

• A.HTTP(S) load balancer
• B.Network load balancer
• C.Internal load balancer
• D.TCP/SSL proxy load balancer

답을 확인하기

정답:
Explanation:
By default TCP/SSL proxy load balancer original client IP address and port information is not preserved, but it can be preserved using the PROXY protocol: https://cloud.google.com/load-balancing/docs/tcp#target-proxies
https://medium.com/google-cloud/preserving-client-ips-through-google-clouds-global-tcp-and-ssl-proxy-load-balancers-3697d76feeb1
Reference: https://cloud.google.com/load-balancing/docs/network

Question No : 13

You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the 172.16.45.0/24 network.
What should you do?

• A.Configure global load balancing to point 172.16.45.0/24 to the correct instance.
• B.Create unique DNS records for each service that sends traffic to the desired IP address.
• C.Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.
• D.Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.

답을 확인하기

정답:

Question No : 14

After a network change window one of your company’s applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24/ The on-premises router is advertising 10.0.0.0/8.
What is the most likely cause of this problem?

• A.The less specific VPC subnet route is taking priority.
• B.The more specific VPC subnet route is taking priority.
• C.The on-premises router is not advertising a route for the database server.
• D.A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.

답을 확인하기

정답:

Question No : 15

One instance in your VPC is configured to run with a private IP address only. You want to ensure that even if this instance is deleted, its current private IP address will not be automatically assigned to a different instance.
In the GCP Console, what should you do?

• A.Assign a public IP address to the instance.
• B.Assign a new reserved internal IP address to the instance.
• C.Change the instance’s current internal IP address to static.
• D.Add custom metadata to the instance with key internal-address and value reserved.

답을 확인하기

정답:
Explanation:
https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address#reservenewip Since here
https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address#reservenewip it is written that "automatically allocated or an unused address from an existing subnet".