Professional-Cloud-Network-Engineer Practice Test


Page 3 out of 31 Pages

You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC.
You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises
router cannot run a Border Gateway Protocol (BGP) configuration.
Which connectivity model should you use?


A.

Direct Peering


B.

Dedicated Interconnect


C.

Partner Interconnect with a layer 2 partner


D.

Partner Interconnect with a layer 3 partner





D.
  

Partner Interconnect with a layer 3 partner



https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview
For Layer 3 connections, your service provider establishes a BGP session between your
Cloud Routers and their edge routers for each VLAN attachment. You don't need to
configure BGP on your on-premises router. Google and your service provider automatically
set the correct configurations.
https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview#connectivity-type

Your company has recently installed a Cloud VPN tunnel between your on-premises data
center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access
to the Cloud Functions API for your on-premises servers. The configuration must meet the
following requirements:
Certain data must stay in the project where it is stored and not be exfiltrated to other
projects.
Traffic from servers in your data center with RFC 1918 addresses does not use the internet to
access Google Cloud APIs.
All DNS resolution must be done on-premises.
The solution should only provide access to APIs that are compatible with VPC Service
Controls.
What should you do?


A.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel
terminates.


B.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com
addresses.


C.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel
terminates.


D.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Configure your on-premises firewalls to allow traffic to the private.googleapis.com
addresses.





C.
  

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel
terminates.
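The configuration the answer describes, as an added example that is not part of the original question bank or of Google's documentation: it renders the on-premises zone (A records for restricted.googleapis.com on 199.36.153.4/30 and the wildcard CNAME), the static route toward the Cloud VPN tunnel, and a check that classifies what the on-premises resolver actually hands out. The SOA/NS names, the tunnel interface name, the "ip route" syntax and the resolver answers are constructed for the example; only the two VIP ranges are Google's.

```python
"""Plan and check on-premises access to Google APIs through restricted.googleapis.com.

Added example; not part of the original question bank or Google's documentation.
It encodes the configuration described in the answer: A records for
restricted.googleapis.com on 199.36.153.4/30, a wildcard CNAME for *.googleapis.com,
and a static route for that range whose next hop is the Cloud VPN tunnel. The zone
nameserver names, tunnel interface name and resolver answers are constructed.
"""
import ipaddress
from typing import Dict, List

# Published by Google: restricted VIPs serve only APIs that support VPC Service Controls.
RESTRICTED_RANGE = ipaddress.ip_network("199.36.153.4/30")
# Also published: private.googleapis.com serves all APIs, so it fails the VPC-SC requirement.
PRIVATE_RANGE = ipaddress.ip_network("199.36.153.8/30")


def restricted_vip_addresses() -> List[str]:
    """The four A records for restricted.googleapis.com (every address in the /30 is a VIP)."""
    return [str(ip) for ip in RESTRICTED_RANGE]


def render_bind_zone(ttl: int = 300) -> str:
    """Render a BIND zone for googleapis.com served by the on-premises resolvers.

    Hosting the zone authoritatively on-premises (constructed SOA/NS names) keeps every
    *.googleapis.com lookup local and steers it to the restricted VIPs.
    """
    lines = [
        "$ORIGIN googleapis.com.",
        f"$TTL {ttl}",
        "@            IN SOA   ns1.onprem.example. hostmaster.onprem.example. ( 1 3600 900 604800 300 )",
        "@            IN NS    ns1.onprem.example.",
    ]
    for ip in restricted_vip_addresses():
        lines.append(f"restricted   IN A     {ip}")
    # The wildcard CNAME points every other googleapis.com hostname at the restricted VIPs.
    lines.append("*            IN CNAME restricted")
    return "\n".join(lines) + "\n"


def on_prem_static_route(tunnel_interface: str) -> str:
    """Static route for the on-premises router, in generic 'ip route' syntax (illustrative only)."""
    return f"ip route {RESTRICTED_RANGE.network_address} {RESTRICTED_RANGE.netmask} {tunnel_interface}"


def classify_address(ip: str) -> str:
    """restricted: VPC-SC-aware VIP; private: all-API VIP; internet: a public front end."""
    addr = ipaddress.ip_address(ip)
    if addr in RESTRICTED_RANGE:
        return "restricted"
    if addr in PRIVATE_RANGE:
        return "private"
    return "internet"


def check_resolution(answers: Dict[str, List[str]]) -> Dict[str, str]:
    """Verdict per hostname from the on-premises resolver's answers.

    Only 'restricted' satisfies all four requirements: 'private' exposes APIs outside
    VPC Service Controls, 'internet' means the lookup leaked to public DNS and the
    traffic would not take the tunnel, and 'mixed' means some answers still escape.
    """
    verdicts = {}
    for name, ips in answers.items():
        kinds = {classify_address(ip) for ip in ips}
        verdicts[name] = kinds.pop() if len(kinds) == 1 else "mixed"
    return verdicts


# Constructed resolver answers: one compliant, one on the private VIPs, one leaked to
# public DNS (203.0.113.10 is a documentation address standing in for a public front end).
SAMPLE_ANSWERS = {
    "cloudfunctions.googleapis.com": ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"],
    "storage.googleapis.com": ["199.36.153.8", "199.36.153.9"],
    "pubsub.googleapis.com": ["203.0.113.10"],
}

if __name__ == "__main__":
    print(render_bind_zone())
    print(on_prem_static_route("Tunnel0"))
    for host, verdict in check_resolution(SAMPLE_ANSWERS).items():
        print(f"{host}: {verdict}")
```

Run the check against what your resolvers return for a few API hostnames after the change; anything other than "restricted" means the DNS override or the route is not in effect for that name.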



You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are
using a non BGP-capable on-premises VPN device. You want to minimize downtime and
operational overhead when your network grows. The device supports only IKEv2, and you
want to follow Google-recommended practices.
What should you do?


A.

• Create a Cloud VPN instance.
• Create a policy-based VPN tunnel per subnet.
• Configure the appropriate local and remote traffic selectors to match your local and remote networks.
• Create the appropriate static routes.


B.

• Create a Cloud VPN instance.
• Create a policy-based VPN tunnel.
• Configure the appropriate local and remote traffic selectors to match your local and remote networks.
• Configure the appropriate static routes.


C.

• Create a Cloud VPN instance.
• Create a route-based VPN tunnel.
• Configure the appropriate local and remote traffic selectors to match your local and remote networks.
• Configure the appropriate static routes.


D.

• Create a Cloud VPN instance.
• Create a route-based VPN tunnel.
• Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.
• Configure the appropriate static routes.





B.
  

• Create a Cloud VPN instance.
• Create a policy-based VPN tunnel.
• Configure the appropriate local and remote traffic selectors to match your local and remote networks.
• Configure the appropriate static routes.



Explanation: https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns#creating_a_gateway_and_tunnel
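The procedure in the answer, carried through as an added example that is not from the original question bank or from Google: a plan for one policy-based Classic VPN tunnel is validated (IKEv2 only, explicit selectors rather than a 0.0.0.0/0 catch-all, no overlap between the local and remote ranges) and then rendered as the gcloud commands for the gateway, its three forwarding rules, the tunnel and the static routes. Project, region, resource names, the peer address and the pre-shared key placeholder are constructed; the gcloud subcommands and flags are those of Classic VPN (target-vpn-gateway).

```python
"""Plan a policy-based Classic VPN tunnel for an on-premises device that cannot run BGP
and supports only IKEv2.

Added example; not from the original question bank or from Google. It checks the traffic
selectors and static routes the answer describes and renders the matching gcloud
commands. Project, region, resource names, addresses and the pre-shared key placeholder
are constructed; the gcloud commands and flags are those of Classic VPN
(target-vpn-gateway) as documented.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class PolicyVpnPlan:
    project: str
    region: str
    network: str
    gateway: str
    tunnel: str
    peer_address: str           # public address of the on-premises VPN device
    local_ranges: List[str]     # VPC subnet CIDRs: the local traffic selector
    remote_ranges: List[str]    # on-premises CIDRs: remote traffic selector and static routes
    ike_version: int = 2
    shared_secret: str = "REPLACE_WITH_PSK"   # placeholder; read the real PSK from a secret store


def validate(plan: PolicyVpnPlan) -> List[str]:
    """Return the problems that would break the tunnel or violate the question's constraints."""
    problems = []
    if plan.ike_version != 2:
        problems.append("device supports only IKEv2; set ike_version=2")
    try:
        local = [ipaddress.ip_network(r) for r in plan.local_ranges]
        remote = [ipaddress.ip_network(r) for r in plan.remote_ranges]
    except ValueError as exc:
        return problems + [f"malformed CIDR: {exc}"]
    if not local or not remote:
        problems.append("policy-based tunnels need explicit local and remote selectors")
    for net in local + remote:
        if net.prefixlen == 0:
            problems.append(f"{net} is a catch-all selector; that is the route-based model, not policy-based")
    # Overlapping selectors make return traffic ambiguous on both ends.
    for lnet in local:
        for rnet in remote:
            if lnet.overlaps(rnet):
                problems.append(f"local {lnet} overlaps remote {rnet}")
    return problems


def render_gcloud(plan: PolicyVpnPlan) -> List[str]:
    """gcloud commands, in order, for the gateway, its forwarding rules, the tunnel and routes."""
    p, r, gw = plan.project, plan.region, plan.gateway
    cmds = [
        f"gcloud compute target-vpn-gateways create {gw} --project {p} --region {r} --network {plan.network}",
        f"gcloud compute addresses create {gw}-ip --project {p} --region {r}",
        # Classic VPN needs three forwarding rules on the reserved address: ESP, IKE (UDP/500), NAT-T (UDP/4500).
        f"gcloud compute forwarding-rules create {gw}-esp --project {p} --region {r} --ip-protocol ESP --address {gw}-ip --target-vpn-gateway {gw}",
        f"gcloud compute forwarding-rules create {gw}-udp500 --project {p} --region {r} --ip-protocol UDP --ports 500 --address {gw}-ip --target-vpn-gateway {gw}",
        f"gcloud compute forwarding-rules create {gw}-udp4500 --project {p} --region {r} --ip-protocol UDP --ports 4500 --address {gw}-ip --target-vpn-gateway {gw}",
        # One tunnel carries all selector pairs. The PSK appears on the command line only as a
        # placeholder here; a real secret passed this way would land in shell history.
        f"gcloud compute vpn-tunnels create {plan.tunnel} --project {p} --region {r} "
        f"--peer-address {plan.peer_address} --shared-secret {plan.shared_secret} --ike-version {plan.ike_version} "
        f"--local-traffic-selector {','.join(plan.local_ranges)} --remote-traffic-selector {','.join(plan.remote_ranges)} "
        f"--target-vpn-gateway {gw}",
    ]
    # Static routes: one per on-premises range, next hop the tunnel (no BGP on either side).
    for i, cidr in enumerate(plan.remote_ranges):
        cmds.append(
            f"gcloud compute routes create {plan.tunnel}-route-{i} --project {p} --network {plan.network} "
            f"--destination-range {cidr} --next-hop-vpn-tunnel {plan.tunnel} --next-hop-vpn-tunnel-region {r}"
        )
    return cmds


# Constructed plan: two VPC subnets behind one tunnel to a single on-premises /16.
SAMPLE_PLAN = PolicyVpnPlan(
    project="example-project", region="us-central1", network="prod-vpc",
    gateway="onprem-gw", tunnel="onprem-tunnel-1", peer_address="198.51.100.10",
    local_ranges=["10.10.0.0/20", "10.10.16.0/20"], remote_ranges=["192.168.0.0/16"],
)

if __name__ == "__main__":
    issues = validate(SAMPLE_PLAN)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(render_gcloud(SAMPLE_PLAN)))
```

When the on-premises network grows, the change is confined to the plan: add the new CIDR to remote_ranges, re-run validate, and apply the new static route; the single tunnel and its gateway stay as they are.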

Your company has just launched a new critical revenue-generating web application. You
deployed the application for scalability using managed instance groups, autoscaling, and a
network load balancer as frontend. One day, you notice severe bursty traffic that caused
autoscaling to reach the maximum number of instances, and users of your application
cannot complete transactions. After an investigation, you suspect a DDoS attack. You want
to quickly restore user access to your application and allow successful transactions while
minimizing cost.
Which two steps should you take? (Choose two.)


A.

Use Cloud Armor to blacklist the attacker’s IP addresses


B.

Increase the maximum autoscaling backend to accommodate the severe bursty traffic


C.

Create a global HTTP(s) load balancer and move your application backend to this load
balancer.


D.

Shut down the entire application in GCP for a few hours. The attack will stop when the
application is offline


E.

SSH into the backend compute engine instances, and view the auth logs and syslogs to
further understand the nature of the attack.





B.
  

Increase the maximum autoscaling backend to accommodate the severe bursty traffic



E.
  

SSH into the backend compute engine instances, and view the auth logs and syslogs to
further understand the nature of the attack.



You are trying to update firewall rules in a shared VPC for which you have been assigned
only Network Admin permissions. You cannot modify the firewall rules. Your organization
requires using the least privilege necessary. Which level of permissions should you request?


A.

Security Admin privileges from the Shared VPC Admin


B.

Service Project Admin privileges from the Shared VPC Admin


C.

Shared VPC Admin privileges from the Organization Admin


D.

Organization Admin privileges from the Organization Admin





A.
  

Security Admin privileges from the Shared VPC Admin



Explanation: A Shared VPC Admin can define a Security Admin by granting an IAM
member the Security Admin (compute.securityAdmin) role to the host project. Security
Admins manage firewall rules and SSL certificates.

