Free Professional-Cloud-Network-Engineer Exam Braindumps

Pass your Google Cloud Certified - Professional Cloud Network Engineer exam with these free Questions and Answers

Page 7 of 31
QUESTION 26

Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?

  1. A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
  2. B. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
  3. C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
  4. D. Create a single project, and deploy specific firewall rule
  5. E. Use network tags to isolate access between the departments.

Correct Answer: C
https://cloud.google.com/vpc/docs/vpc-peering

QUESTION 27

You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:
  - IP ranges for pods and services must be as small as possible.
  - The nodes and the master must not be reachable from the internet.
  - You must be able to use kubectl commands from on-premises subnets to manage the cluster.
How should you create the GKE cluster?

  1. A.
     - Create a private cluster that uses VPC advanced routes.
     - Set the pod and service ranges as /24.
     - Set up a network proxy to access the master.
  2. B.
     - Create a VPC-native GKE cluster using GKE-managed IP ranges.
     - Set the pod IP range as /21 and service IP range as /24.
     - Set up a network proxy to access the master.
  3. C.
     - Create a VPC-native GKE cluster using user-managed IP ranges.
     - Enable a GKE cluster network policy, set the pod and service ranges as /24.
     - Set up a network proxy to access the master.
     - Enable master authorized networks.
  4. D.
     - Create a VPC-native GKE cluster using user-managed IP ranges.
     - Enable privateEndpoint on the cluster master.
     - Set the pod and service ranges as /24.
     - Set up a network proxy to access the master.
     - Enable master authorized networks.

Correct Answer: D
Creating GKE private clusters with network proxies for controller access: When you create a GKE private cluster with a private cluster controller endpoint, the cluster's controller node is inaccessible from the public internet, but it needs to be accessible for administration. By default, clusters can access the controller through its private endpoint, and authorized networks can be defined within the VPC network. Accessing the controller from on-premises or another VPC network, however, requires additional steps. This is because the VPC network that hosts the controller is owned by Google and cannot be accessed from resources connected through another VPC network peering connection, Cloud VPN or Cloud Interconnect.
https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies

QUESTION 28

You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?

  1. A. Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.
  2. B. Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.
  3. C. Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.
  4. D. Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.

Correct Answer: C

QUESTION 29

You recently deployed Compute Engine instances in regions us-west1 and us-east1 in a Virtual Private Cloud (VPC) with default routing configurations. Your company security policy mandates that virtual machines (VMs) must not have public IP addresses attached to them. You need to allow your instances to fetch updates from the internet while preventing external access. What should you do?

  1. A. Create a Cloud NAT gateway and Cloud Router in both us-west1 and us-east1.
  2. B. Create a single global Cloud NAT gateway and global Cloud Router in the VPC.
  3. C. Change the instances’ network interface external IP address from None to Ephemeral.
  4. D. Create a firewall rule that allows egress to destination 0.0.0.0/0.

Correct Answer: A

QUESTION 30

You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.
Which two methods can you use to accomplish this? (Choose two.)

  1. A. Enable Private Google Access on all the subnets.
  2. B. Enable Private Google Access on the VPC.
  3. C. Enable Private Services Access on the VPC.
  4. D. Create network peering between your VPC and BigQuery.
  5. E. Create a Cloud NAT, and route the application traffic via NAT gateway.

Correct Answer: AE
https://cloud.google.com/nat/docs/overview#interaction-pga
Specifications: https://cloud.google.com/vpc/docs/configure-private-google-access#specifications
