Professional Cloud Network Engineer Practice Exam (v20200227)

There is also “Professional Cloud Network Engineer 模擬問題集（v20200227）” of Japanese translation.

Google Cloud Certified – Professional Cloud Network Engineer Practice Exam (25 Q)

(v2020-02-27)

QUESTION 1

Your organization is deploying a single project for 3 separate departments.
Two of these departments require network connectivity between each other, but the third department should remain in isolation.
Your design should create separate network administrative domains between these departments.
You want to minimize operational overhead.
How should you design the topology ?

• A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
• B. Create 3 separate VPCs, and use Google Cloud VPN to establish connectivity between the two appropriate VPCs.
• C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
• D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

Correct Answer: A

Explanation:
Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.
With Shared VPC and IAM controls, you can separate network administration from project administration. This separation helps you implement the principle of least privilege. For example, a centralized network team can administer the network without having any permissions into the participating projects. Similarly, the project admins can manage their project resources without any permissions to manipulate the shared network.

Reference:
– Best practices for enterprise organizations

QUESTION 2

You are using a third-party next-generation firewall to inspect traffic.
You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the Google BigQuery and Google Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

• A. Turn on Private Google Access at the subnet level.
• B. Turn on Private Google Access at the VPC level.
• C. Turn on Private Services Access at the VPC level.
• D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
• E. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.

Correct Answer: C, E

Reference:
– Private access options for services

QUESTION 3

All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys.
None of the instances are set with any SSH key, and no project-wide SSH keys have been configured.
Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do ?

• A. Open the Google Cloud Shell SSH into the instance using gcloud compute ssh.
• B. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
• C. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
• D. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.