You have deployed a new internal application that provides HTTP and TFTP services to
on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine
instances, but need to ensure that clients are sticky to a particular instance across both
services.
Which session affinity should you choose?
A. None
B. Client IP
C. Client IP and protocol
D. Client IP, port and protocol
Client IP
You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud
(VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the
VM to understand where the traffic is coming from. What should you do?
A. Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP
addresses from the subnetworks.get field.
B. Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP
addresses from the connection field.
C. Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses
from the src_location field.
D. Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP
addresses from the networks.get field.
Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP
addresses from the connection field.
You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and
on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to
restrict VPN tunnels created in the project to only connect to your on-premises VPN public
IP address: 203.0.113.1/32. What should you do?
A. Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to
VPN_GATEWAY_1.
B. Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to
use an allowList consisting of only the 203.0.113.1/32 address.
C. Configure a Google Cloud Armor security policy, and create a policy rule to allow
203.0.113.1/32.
D. Configure an access control list on the peer VPN gateway to deny all traffic except
203.0.113.1/32, and attach it to the primary external interface.
Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to
use an allowList consisting of only the 203.0.113.1/32 address.
You have a storage bucket that contains the following objects:
- folder-a/image-a-1.jpg
- folder-a/image-a-2.jpg
- folder-b/image-b-1.jpg
- folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?
A. Add an appropriate lifecycle rule on the storage bucket.
B. Issue a cache invalidation command with pattern /folder-a/*.
C. Make sure that all the objects with prefix folder-a are not shared publicly.
D. Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on
the storage bucket.
Issue a cache invalidation command with pattern /folder-a/*.
You want to implement an IPsec tunnel between your on-premises network and a VPC via
Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and
you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?
A. Dynamic routing using Cloud Router
B. Route-based routing using default traffic selectors
C. Policy-based routing using a custom local traffic selector
D. Policy-based routing using the default local traffic selector
Policy-based routing using a custom local traffic selector