Google Professional Network Engineer Part 4
Question #: 121
Topic #: 1
In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24. You need to deploy database servers in subnet-a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules that only allow database traffic from the application servers to the database servers. What should you do?
A. Create network tag app-server and service account sa-db@my-project.iam.gserviceaccount.com. Add the tag to the application servers, and associate the service account with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule \
--action allow \
--direction ingress \
--rules tcp:3306 \
--source-tags app-server \
--target-service-accounts sa-db@my-project.iam.gserviceaccount.com
B. Create service accounts sa-app@my-project.iam.gserviceaccount.com and sa-db@my-project.iam.gserviceaccount.com. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru
--allow TCP:3306 \
--source-service-accounts sa-app@democloud-idp-demo.iam.gserviceaccount.com \
--target-service-accounts sa-db@my-project.iam.gserviceaccount.com
C. Create service accounts sa-app@my-project.iam.gserviceaccount.com and sa-db@my-project.iam.gserviceaccount.com. Associate the service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru
--allow TCP:3306 \
--source-ranges 10.128.0.0/20 \
--source-service-accounts sa-app@my-project.iam.gserviceaccount.com \
--target-service-accounts sa-db@my-project.iam.gserviceaccount.com
D. Create network tags app-server and db-server. Add the app-server tag to the application servers, and add the db-server tag to the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule \
--action allow \
--direction ingress \
--rules tcp:3306 \
--source-ranges 10.128.0.0/20 \
--source-tags app-server \
--target-tags db-server
Selected Answer: B
Question #: 122
Topic #: 1
You are planning a large application deployment in Google Cloud that includes on-premises connectivity. The application requires direct connectivity between workloads in all regions and on-premises locations without address translation, but all RFC 1918 ranges are already in use in the on-premises locations. What should you do?
A. Use multiple VPC networks with a transit network using VPC Network Peering.
B. Use overlapping RFC 1918 ranges with multiple isolated VPC networks.
C. Use overlapping RFC 1918 ranges with multiple isolated VPC networks and Cloud NAT.
D. Use non-RFC 1918 ranges with a single global VPC.
Selected Answer: D
Question #: 123
Topic #: 1
Your company’s security team wants to limit the type of inbound traffic that can reach your web servers to protect against security threats. You need to configure the firewall rules on the web servers within your Virtual Private Cloud (VPC) to handle HTTP and HTTPS web traffic for TCP only. What should you do?
A. Create an allow on match ingress firewall rule with the target tag “web-server” to allow all IP addresses for TCP port 80.
B. Create an allow on match egress firewall rule with the target tag “web-server” to allow all IP addresses for TCP port 80.
C. Create an allow on match ingress firewall rule with the target tag “web-server” to allow all IP addresses for TCP ports 80 and 443.
D. Create an allow on match egress firewall rule with the target tag “web-server” to allow web server IP addresses for TCP ports 80 and 443.
Selected Answer: C
Question #: 124
Topic #: 1
You successfully provisioned a single Dedicated Interconnect. The physical connection is at a colocation facility closest to us-west2. Seventy-five percent of your workloads are in us-east4, and the remaining twenty-five percent of your workloads are in us-central1. All workloads have the same network traffic profile. You need to minimize data transfer costs when deploying VLAN attachments. What should you do?
A. Keep the existing Dedicated Interconnect. Deploy a VLAN attachment to a Cloud Router in us-west2, and use VPC global routing to access workloads in us-east4 and us-central1.
B. Keep the existing Dedicated Interconnect. Deploy a VLAN attachment to a Cloud Router in us-east4, and deploy another VLAN attachment to a Cloud Router in us-central1.
C. Order a new Dedicated Interconnect for a colocation facility closest to us-east4, and use VPC global routing to access workloads in us-central1.
D. Order a new Dedicated Interconnect for a colocation facility closest to us-central1, and use VPC global routing to access workloads in us-east4.
Selected Answer: C
Question #: 125
Topic #: 1
You are designing a hybrid cloud environment. Your Google Cloud environment is interconnected with your on-premises network using HA VPN and Cloud Router in a central transit hub VPC. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88. You need to ensure that your Compute Engine resources in multiple spoke VPCs can resolve on-premises private hostnames using the domain corp.altostrat.com while also resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
A. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
2. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
4. Configure VPC peering in the spoke VPCs to peer with the hub VPC.
B. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.
2. Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
C. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
2. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
4. Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the on-premises network directly.
D. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
2. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
4. Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the hub VPC.
Selected Answer: A
Question #: 126
Topic #: 1
You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):
You need to update the firewall rule to add the following rule to the ruleset:
You are using a new user account. You must assign the appropriate Identity and Access Management (IAM) user roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?
A. Assign the compute.securityAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
B. Assign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.
C. Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
D. Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.
Selected Answer: A
Question #: 127
Topic #: 1
Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?
A. Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.
B. Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
C. Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.
D. Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.
Selected Answer: B
Question #: 128
Topic #: 1
Your company has provisioned 2000 virtual machines (VMs) in the private subnet of your Virtual Private Cloud (VPC) in the us-east1 region. You need to configure each VM to have a minimum of 128 TCP connections to a public repository so that users can download software updates and packages over the internet. You need to implement a Cloud NAT gateway so that the VMs are able to perform outbound NAT to the internet. You must ensure that all VMs can simultaneously connect to the public repository and download software updates and packages. Which two methods can you use to accomplish this? (Choose two.)
A. Configure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.
B. Create a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.
C. Use the default Cloud NAT gateway’s NAT proxy to dynamically scale using a single NAT IP address.
D. Use the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.
E. Configure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.
Selected Answer: DE
Question #: 129
Topic #: 1
You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?
A. Configure a custom route advertisement on the Cloud Router.
B. Enable IP forwarding in the asia-southeast1 region.
C. Change the VPC dynamic routing mode to Global.
D. Add a second Border Gateway Protocol (BGP) session to the Cloud Router.
Selected Answer: C
Question #: 130
Topic #: 1
You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
A. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.
2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24.
3. Set a custom route advertisement on the Cloud Router for 10.204.0.0/24
B. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.
2. Configure your on-premises firewall to accept traffic from 35.199.192.0/19.
3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
C. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.
2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24.
3. Modify the /etc/resolv.conf file on your Compute Engine instances to point to 192.168.20.88.
D. 1. Create a private zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com.
2. Configure DNS Server Policies and create a policy with Alternate DNS servers to 192.168.20.88.
3. Configure your on-premises firewall to accept traffic from 35.199.192.0/19.
4. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Selected Answer: B
Question #: 131
Topic #: 1
Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with on-premises connectivity already in place. You are deploying a new application using Google Kubernetes Engine (GKE), which must be accessible only from the same VPC network and on-premises locations. You must ensure that the GKE control plane is exposed to a predefined list of on-premises subnets through private connectivity only. What should you do?
A. Create a GKE private cluster with a private endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers. Configure authorized networks to specify the desired on-premises subnets.
B. Create a GKE private cluster with a public endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers.
C. Create a GKE private cluster with a private endpoint for the control plane. Configure authorized networks to specify the desired on-premises subnets.
D. Create a GKE public cluster. Configure authorized networks to specify the desired on-premises subnets.
Selected Answer: A
Question #: 132
Topic #: 1
You built a web application with several containerized microservices. You want to run those microservices on Cloud Run. You must also ensure that the services are highly available to your customers with low latency. What should you do?
A. Deploy the Cloud Run services to multiple availability zones. Create a global TCP load balancer. Add the Cloud Run endpoints to its backend service.
B. Deploy the Cloud Run services to multiple regions. Create serverless network endpoint groups (NEGs) that point to the services. Create a global HTTPS load balancer, and attach the serverless NEGs as backend services of the load balancer.
C. Deploy the Cloud Run services to multiple availability zones. Create Cloud Endpoints that point to the services. Create a global HTTPS load balancer, and attach the Cloud Endpoints to its backend.
D. Deploy the Cloud Run services to multiple regions. Configure a round-robin A record in Cloud DNS.
Selected Answer: B
Question #: 133
Topic #: 1
You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?
A. Configure the remote autonomous system number (ASN) to 4096.
B. Configure a second Cloud Router to scale bandwidth in and out of the VPC.
C. Configure the maximum transmission unit (MTU) to its highest supported value.
D. Configure a second set of active/passive VPN tunnels.
Selected Answer: D
Question #: 134
Topic #: 1
You recently deployed two network virtual appliances in us-central1. Your network appliances provide connectivity to your on-premises network, 10.0.0.0/8. You need to configure the routing for your Virtual Private Cloud (VPC). Your design must meet the following requirements:
• All access to your on-premises network must go through the network virtual appliances.
• Allow on-premises access in the event of a single network virtual appliance failure.
• Both network virtual appliances must be used simultaneously.
Which method should you use to accomplish this?
A. Configure two routes for 10.0.0.0/8 with different priorities, each pointing to separate network virtual appliances.
B. Configure an internal HTTP(S) load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal HTTP(S) load balancer as the next hop.
C. Configure a network load balancer for the two network virtual appliances. Configure a route for 10.0.0.0/8 with the network load balancer as the next hop.
D. Configure an internal TCP/UDP load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal load balancer as the next hop.
Selected Answer: D
Question #: 135
Topic #: 1
You are responsible for enabling Private Google Access for the virtual machine (VM) instances in your Virtual Private Cloud (VPC) to access Google APIs. All VM instances have only a private IP address and need to access Cloud Storage. You need to ensure that all VM traffic is routed back to your on-premises data center for traffic scrubbing via your existing Cloud Interconnect connection. However, VM traffic to Google APIs should remain in the VPC. What should you do?
A. 1. Delete the default route in your VPC.
2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to restricted.googleapis.com, and create an A record for restricted.googleapis.com that resolves to the addresses in 199.36.153.4/30.
3. Create a static route in your VPC for the range 199.36.153.4/30 with the default internet gateway as the next hop.
B. 1. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
2. Create a public Cloud DNS zone with a CNAME for *.google.com to private.googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.
3. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
C. 1. Configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP) with a lower priority (MED) than the default VPC route.
2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.
3. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
D. 1. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.
3. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
Selected Answer: D
Question #: 136
Topic #: 1
You are designing a hub-and-spoke network architecture for your company’s cloud-based environment. You need to make sure that all spokes are peered with the hub. The spokes must use the hub’s virtual appliance for internet access. The virtual appliance is configured in high-availability mode with two instances using an internal load balancer with IP address 10.0.0.5. What should you do?
A. 1. Create a default route in the hub VPC that points to IP address 10.0.0.5.
2. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.
3. Export the custom routes in the hub.
4. Import the custom routes in the spokes.
B. 1. Create a default route in the hub VPC that points to IP address 10.0.0.5.
2. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.
3. Export the custom routes in the hub. Import the custom routes in the spokes.
4. Delete the default internet gateway route of the spokes.
C. 1. Create two default routes in the hub VPC that point to the next hop instances of the virtual appliances.
2. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.
3. Export the custom routes in the hub. Import the custom routes in the spokes.
D. 1. Create a default route in the hub VPC that points to IP address 10.0.0.5.
2. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.
3. Create a new route in the spoke VPC that points to IP address 10.0.0.5.
Selected Answer: B
Question #: 137
Topic #: 1
You configured Cloud VPN with dynamic routing via Border Gateway Protocol (BGP). You added a custom route to advertise a network that is reachable over the VPN tunnel. However, the on-premises clients still cannot reach the network over the VPN tunnel. You need to examine the logs in Cloud Logging to confirm that the appropriate routes are being advertised over the VPN tunnel. Which filter should you use in Cloud Logging to examine the logs?
A. resource.type= “gce_router”
B. resource.type= “gce_network_region”
C. resource.type= “vpn_tunnel”
D. resource.type= “vpn_gateway”
Selected Answer: A
Question #: 138
Topic #: 1
Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from on-premises locations using Cloud Interconnect connections. Your company must be able to send traffic to Cloud Storage only through the Interconnect links while accessing other Google APIs and services over the public internet. What should you do?
A. Use the default public domains for all Google APIs and services.
B. Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.
C. Use Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services.
D. Use Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.
Selected Answer: C
Question #: 139
Topic #: 1
Your organization has a Google Cloud Virtual Private Cloud (VPC) with subnets in us-east1, us-west4, and europe-west4 that use the default VPC configuration. Employees in a branch office in Europe need to access the resources in the VPC using HA VPN. You configured the HA VPN associated with the Google Cloud VPC for your organization with a Cloud Router deployed in europe-west4. You need to ensure that the users in the branch office can quickly and easily access all resources in the VPC. What should you do?
A. Create custom advertised routes for each subnet.
B. Configure each subnet’s VPN connections to use Cloud VPN to connect to the branch office.
C. Configure the VPC dynamic routing mode to Global.
D. Set the advertised routes to Global for the Cloud Router.
Selected Answer: C
Question #: 140
Topic #: 1
Your organization uses a Shared VPC architecture with a host project and three service projects. You have Compute Engine instances that reside in the service projects. You have critical workloads in your on-premises data center. You need to ensure that the Google Cloud instances can resolve on-premises hostnames via the Dedicated Interconnect you deployed to establish hybrid connectivity. What should you do?
A. 1. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers.
2. In your Cloud Router, add a custom route advertisement for the IP 35.199.192.0/19 to the on-premises environment.
B. 1. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers.
2. In your Cloud Router, add a custom route advertisement for the IP 169.254.169.254 to the on-premises environment.
C. 1. Configure a Cloud DNS private zone in the host project of the Shared VPC.
2. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project.
3. In your Cloud Router, add a custom route advertisement for the IP 169.254.169.254 to the on-premises environment.
D. 1. Configure a Cloud DNS private zone in the host project of the Shared VPC.
2. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project.
3. Configure a DNS policy in the Shared VPC to allow inbound query forwarding with your on-premises DNS server as the alternative DNS server.
Selected Answer: A
Question #: 141
Topic #: 1
Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?
A. Firewall rule direction: ingress
Action: allow
Target: VM B service account
Source ranges: VM A service account
Priority: 1000
B. Firewall rule direction: ingress
Action: allow
Target: specific VM B tag
Source ranges: VM A tag and VM A source IP address
Priority: 1000
C. Firewall rule direction: ingress
Action: allow
Target: VM A service account
Source ranges: VM B service account and VM B source IP address
Priority: 100
D. Firewall rule direction: ingress
Action: allow
Target: specific VM A tag
Source ranges: VM B tag and VM B source IP address
Priority: 100
Selected Answer: A
Question #: 142
Topic #: 1
You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?
A. Use the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network.
B. Use Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred.
C. Configure VPC Flow Logs. Review the logs by filtering on the source and destination.
D. Configure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.
Selected Answer: A
Question #: 143
Topic #: 1
You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?
A. Use Network Load Balancing
B. Use TCP Proxy Load Balancing with PROXY protocol enabled
C. Use External HTTP(S) Load Balancing with URL Maps and custom headers
D. Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header
Selected Answer: D
Question #: 144
Topic #: 1
You are reviewing and tuning Secure Web Proxy at your organization, Mount Kirk Games. Users have reported that they are unable to reach the documents they need on the Terram Earth website (https://www.terramearth.com/docs/*). The Secure Web Proxy rules configuration is as follows:
You need to enable access to these documents. What should you do?
A. Delete the updates-limiter rule.
B. Modify the updates-1 rule to perform the TLS inspection.
C. Review Cloud Logging for errors with Cloud NAT. If there are no errors, assign the VM a public IP address.
D. Modify the priority of the updates-limiter rule to 1000.
Selected Answer: B
Question #: 145
Topic #: 1
Your team is developing an application that will be used by consumers all over the world. Currently, the application sits behind a global external application load balancer. You need to protect the application from potential application-level attacks. What should you do?
A. Enable Cloud CDN on the backend service.
B. Create multiple firewall deny rules to block malicious users, and apply them to the global external application load balancer.
C. Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service.
D. Create a VPC Service Controls perimeter with the global external application load balancer as the protected service, and apply it to the backend service.
Selected Answer: C
Question #: 146
Topic #: 1
You are responsible for designing a new connectivity solution for your organization’s enterprise network to access and use Google Workspace. You have an existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider’s internet access. You want to set up a direct connection between your network and Google. What should you do?
A. Order a Dedicated Interconnect connection in the same metropolitan area. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router.
B. Order a Direct Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.
C. Configure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center.
D. Order a Carrier Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.
Selected Answer: B
Question #: 147
Topic #: 1
You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from. What should you do?
A. Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.
B. Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.
C. Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.
D. Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.
Selected Answer: B
Question #: 148
Topic #: 1
You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.
• Always allow Secure Shell (SSH) from your corporate IP address.
• Restrict SSH access from all other IP addresses.
There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team’s requirements. What should you do?
A. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0.
2. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.
B. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0.
2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.
C. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1.
2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.
D. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1.
2. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.
Selected Answer: A
Question #: 149
Topic #: 1
You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via TCP on port 700. You want to ensure high availability for this application. What should you do?
A. Create a network load balancer that uses backend services containing one instance group with two instances.
B. Create a network load balancer that uses a target pool backend with two instances.
C. Create a TCP proxy that uses a zonal network endpoint group containing one instance.
D. Create a TCP proxy that uses backend services containing an instance group with two instances.
Selected Answer: A
Question #: 150
Topic #: 1
You have several microservices running in a private subnet in an existing Virtual Private Cloud (VPC). You need to create additional serverless services that use Cloud Run and Cloud Functions to access the microservices. The network traffic volume between your serverless services and private microservices is low. However, each serverless service must be able to communicate with any of your microservices. You want to implement a solution that minimizes cost. What should you do?
A. Deploy your serverless services to the serverless VPC. Peer the serverless service VPC to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
B. Create a serverless VPC access connector for each serverless service. Configure the connectors to allow traffic between the serverless services and your existing microservices.
C. Deploy your serverless services to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
D. Create a serverless VPC access connector. Configure the serverless service to use the connector for communication to the microservices.
Selected Answer: D