
Professional-Cloud-Network-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud Network Engineer

Question # 57

You need to enable Private Google Access for some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on-premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team's requirements?

A.

Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google’s private API address range.

Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

B.

Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google’s private API address range.

Create a custom route that points Google’s private API address range to the default internet gateway as the next hop.

C.

Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google’s restricted API address range.

Create a custom route that points Google’s restricted API address range to the default internet gateway as the next hop.

D.

Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google’s restricted API address range.

Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

Question # 58

You are migrating to Cloud DNS and want to import your BIND zone file.

Which command should you use?

A.

gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE

B.

gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE

C.

gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE

D.

gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED_ZONE
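
The import command above has to read BIND zone syntax before it can create Cloud DNS record sets. The following is an added example, not code from the page or from Google's gcloud: a small parser that expands $ORIGIN and $TTL, qualifies relative names, joins parenthesised SOA continuation lines, and groups records by (name, type) the way Cloud DNS stores them. SAMPLE_ZONE is constructed input using documentation addresses. The helper apex_records flags the SOA and origin NS records, which a managed zone already carries; gcloud only imports the file's origin NS set when --replace-origin-ns is passed.

```python
"""Parse a BIND zone file into Cloud DNS-style record sets.

Added example; not code from the page or from Google's gcloud. It models the
work behind `gcloud dns record-sets import ZONE_FILE --zone-file-format`.
SAMPLE_ZONE is constructed input, not a real zone.
"""

RR_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}

# Constructed sample zone (documentation addresses, not real infrastructure).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2024010101 ; serial
                  7200       ; refresh
                  3600       ; retry
                  1209600    ; expire
                  300 )      ; minimum
@       IN  NS    ns1.example.com.
@       IN  NS    ns2.example.com.
www     300 IN A  192.0.2.10
www     300 IN A  192.0.2.11
api         IN CNAME www
mail        IN MX    10 mail.example.com.
"""


def _logical_lines(text):
    """Yield (line, owner_given): comments stripped, '( ... )' joined into one line,
    owner_given False when the record inherits the previous owner (leading blank)."""
    buf, depth, owner_given = [], 0, None
    for raw in text.splitlines():
        body = raw.split(";", 1)[0]  # drop comments (';' inside quoted TXT not handled)
        if not body.strip() and not buf:
            continue
        if owner_given is None:
            owner_given = not body[:1].isspace()
        depth += body.count("(") - body.count(")")
        buf.append(body.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf).strip()
            if joined:
                yield joined, owner_given
            buf, depth, owner_given = [], 0, None


def _qualify(name, origin):
    """Turn a relative owner or target name into a fully qualified one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=None, default_ttl=None):
    """Return [{"name", "type", "ttl", "rrdatas"}] grouped like Cloud DNS record sets."""
    sets, last_owner = {}, None
    for line, owner_given in _logical_lines(text):
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            default_ttl = int(toks[1])
            continue
        if origin is None:
            raise ValueError("zone file has no $ORIGIN and none was supplied")
        if owner_given:
            last_owner = _qualify(toks.pop(0), origin)
        if last_owner is None:
            raise ValueError("first record has no owner name")
        owner, ttl = last_owner, default_ttl
        # [TTL] [class] TYPE rdata...; TTL and class may appear in either order
        if toks[0].isdigit():
            ttl = int(toks.pop(0))
        if toks[0].upper() == "IN":
            toks.pop(0)
        if toks[0].isdigit():
            ttl = int(toks.pop(0))
        rtype = toks.pop(0).upper()
        if rtype not in RR_TYPES:
            raise ValueError(f"unsupported record type {rtype} at {owner}")
        if rtype in {"CNAME", "NS", "PTR"}:
            rdata = _qualify(toks[0], origin)
        elif rtype == "MX":
            rdata = f"{toks[0]} {_qualify(toks[1], origin)}"
        elif rtype == "SOA":
            rdata = " ".join([_qualify(toks[0], origin), _qualify(toks[1], origin)] + toks[2:])
        else:
            rdata = " ".join(toks)
        rs = sets.setdefault((owner, rtype), {"name": owner, "type": rtype, "ttl": ttl, "rrdatas": []})
        rs["rrdatas"].append(rdata)
    return list(sets.values())


def apex_records(record_sets, origin):
    """Apex types that a Cloud DNS managed zone already carries (SOA and NS).
    gcloud skips the file's origin NS records unless --replace-origin-ns is given."""
    return [r["type"] for r in record_sets if r["name"] == origin and r["type"] in ("SOA", "NS")]
```

Run parse_zone(SAMPLE_ZONE) and the two www A records collapse into one record set with two rrdatas, which is the shape Cloud DNS expects; apex_records(..., "example.com.") returns ["SOA", "NS"], the records to reconcile with what the managed zone already has before importing.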

Question # 59

Your organization is developing a landing zone architecture with the following requirements:

    There should be no communication between production and non-production environments.

    Communication between applications within an environment may be necessary.

    Network administrators should centrally manage all network resources, including subnets, routes, and firewall rules.

    Each application should be billed separately.

    Developers of an application within a project should have the autonomy to create their compute resources.

    Up to 1000 applications are expected per environment.

You need to create a design that accommodates these requirements. What should you do?

A.

Create a design where each project has its own VPC. Ensure all VPCs are connected by a Network Connectivity Center hub that is centrally managed by the network team.

B.

Create a design that implements a single Shared VPC. Use VPC firewall rules with secure tags to enforce micro-segmentation between environments.

C.

Create a design that has one host project with a Shared VPC for the production environment, another host project with a Shared VPC for the non-production environment, and a service project that is associated with the corresponding host project for each initiative.

D.

Create a design that has a Shared VPC for each project. Implement hierarchical firewall policies to apply micro-segmentation between VPCs.

Question # 60

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from your on-premises network using Cloud Interconnect. You must configure access only to Google APIs and services that are supported by VPC Service Controls through hybrid connectivity with a service level agreement (SLA) in place. What should you do?

A.

Configure the existing Cloud Routers to advertise the Google APIs' public virtual IP addresses.

B.

Use Private Google Access for on-premises hosts with restricted.googleapis.com virtual IP addresses.

C.

Configure the existing Cloud Routers to advertise a default route, and use Cloud NAT to translate traffic from your on-premises network.

D.

Add Direct Peering links, and use them for connectivity to Google APIs that use public virtual IP addresses.
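
Questions 57 and 60 both turn on the same two configuration pieces: a private Cloud DNS zone for googleapis.com whose wildcard CNAME points at one of the Private Google Access VIP hostnames, and a custom route for exactly that VIP range via the default internet gateway while the default route keeps going to on-premises. The following is an added checker, not code from the page or from Google, that validates both pieces. The VIP ranges are Google's published values (restricted.googleapis.com reaches only the APIs that support VPC Service Controls; private.googleapis.com reaches most APIs). SAMPLE_RECORDS and SAMPLE_ROUTES are constructed, shaped like the JSON from `gcloud dns record-sets list --format=json` and `gcloud compute routes list --format=json`; the project name demo-proj is a placeholder.

```python
"""Check a Private Google Access setup against an inspected-egress design.

Added example; not code from the page or from Google. SAMPLE_RECORDS and
SAMPLE_ROUTES are constructed data; the VIP ranges are Google's published values.
"""
import ipaddress

IGW_SUFFIX = "/global/gateways/default-internet-gateway"

# Published VIPs for Private Google Access. restricted.googleapis.com serves only
# the APIs that support VPC Service Controls; private.googleapis.com serves most APIs.
VIPS = {
    "private": ("private.googleapis.com.", ipaddress.ip_network("199.36.153.8/30")),
    "restricted": ("restricted.googleapis.com.", ipaddress.ip_network("199.36.153.4/30")),
}

# Constructed sample data (demo-proj is a placeholder project).
SAMPLE_RECORDS = [
    {"name": "*.googleapis.com.", "type": "CNAME", "ttl": 300,
     "rrdatas": ["restricted.googleapis.com."]},
    {"name": "restricted.googleapis.com.", "type": "A", "ttl": 300,
     "rrdatas": ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]},
]
SAMPLE_ROUTES = [
    {"name": "default-to-onprem", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopVpnTunnel": "https://www.googleapis.com/compute/v1/projects/demo-proj/regions/us-east1/vpnTunnels/onprem"},
    {"name": "restricted-apis", "destRange": "199.36.153.4/30", "priority": 1000,
     "nextHopGateway": "https://www.googleapis.com/compute/v1/projects/demo-proj" + IGW_SUFFIX},
]


def check_dns(record_sets, vip):
    """Findings for the private zone; empty when *.googleapis.com resolves only into the VIP range."""
    host, net = VIPS[vip]
    findings = []
    cname = [r for r in record_sets if r["type"] == "CNAME" and r["name"] == "*.googleapis.com."]
    if not cname or cname[0]["rrdatas"] != [host]:
        findings.append(f"*.googleapis.com. must be a CNAME to {host}")
    addrs = [ipaddress.ip_address(a) for r in record_sets
             if r["type"] == "A" and r["name"] == host for a in r["rrdatas"]]
    if not addrs:
        findings.append(f"no A records for {host}")
    findings += [f"{host} A record {a} is outside {net}" for a in addrs if a not in net]
    return findings


def check_routes(routes, vip):
    """Findings for the route table: the VIP range must go to the internet gateway, 0/0 must not."""
    _, net = VIPS[vip]
    findings = []
    via_igw = [r for r in routes if r.get("nextHopGateway", "").endswith(IGW_SUFFIX)]
    vip_routes = [r for r in via_igw if ipaddress.ip_network(r["destRange"]) == net]
    if not vip_routes:
        findings.append(f"no route for {net} via default-internet-gateway")
    if any(r["destRange"] == "0.0.0.0/0" for r in via_igw):
        findings.append("0.0.0.0/0 points at default-internet-gateway; egress bypasses on-prem inspection")
    # An equally specific route for the VIP range toward on-prem with the same or a
    # better priority beats the internet-gateway route (longest prefix, then priority).
    for r in routes:
        if r in via_igw or ipaddress.ip_network(r["destRange"]) != net:
            continue
        if vip_routes and r["priority"] <= vip_routes[0]["priority"]:
            findings.append(f"route {r['name']} competes for {net} with priority {r['priority']}")
    return findings


def check_config(record_sets, routes, vip):
    """All findings for the chosen VIP; an empty list means the design is consistent."""
    return check_dns(record_sets, vip) + check_routes(routes, vip)
```

The checker is parameterised on the VIP because the DNS and route shapes are identical for both; only the hostname and /30 change. Running it with the other VIP name against SAMPLE_RECORDS reports the mismatched CNAME target and the missing A records, which is the mistake to look for when a zone was copied from a design that did not need VPC Service Controls.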

Question # 61

Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible. What should you do?

A.

Configure your VPC routing in regional mode.

Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.

B.

Configure your VPC routing in global mode.

Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.

C.

Configure your VPC routing in global mode.

Add an additional Cloud Interconnect VLAN attachment in the us-west2 region, and configure a Cloud Router in us-west2.

D.

Configure your VPC routing in regional mode.

Add additional Cloud Interconnect VLAN attachments in the us-west2 and us-central1 regions, and configure Cloud Routers in us-west2 and us-central1.

Question # 62

You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.

What should you do?

A.

Ensure that the object you don’t want to be cached anymore is not shared publicly.

B.

Create a new storage bucket, and move the object you don’t want to be cached anymore inside it. Then edit the bucket setting and enable the private attribute.

C.

Add an appropriate lifecycle rule on the storage bucket containing the two objects.

D.

Add a Cache-Control entry with value private to the metadata of the object you don’t want to be cached anymore. Invalidate all the previously cached copies.

Question # 63

You have two Google Cloud projects in a perimeter to prevent data exfiltration. You need to move a third project inside the perimeter; however, the move could negatively impact the existing environment. You need to validate the impact of the change. What should you do?

A.

Enable Firewall Rules Logging inside the third project.

B.

Modify the existing VPC Service Controls policy to include the new project in dry run mode.

C.

Monitor the Resource Manager audit logs inside the perimeter.

D.

Enable VPC Flow Logs inside the third project, and monitor the logs for negative impact.

Question # 64

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.

What should you do?

A.

Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.

B.

Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.

C.

Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.

D.

Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.
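
Restricting an origin behind a global load balancer to a scrubbing service means an allowlist that is evaluated at the edge and denies everything else by default. The following is an added example, not code from the page or from Google: a small evaluator that applies Cloud Armor's matching order (rules in ascending priority, first match wins, a default rule at priority 2147483647 matching every source) and a lint function that confirms a policy admits only the intended source ranges. SCRUBBER_RANGES and SAMPLE_POLICY are constructed, using documentation prefixes rather than any real scrubbing vendor's addresses.

```python
"""Evaluate and lint a Cloud Armor-style allowlist for a scrubbed origin.

Added example; not code from the page or from Google. Rules are evaluated in
ascending priority and the first match wins; the default rule sits at priority
2147483647 and matches "*". The ranges and policy below are constructed.
"""
import ipaddress

DEFAULT_PRIORITY = 2147483647

# Constructed: the ranges a hypothetical scrubbing service forwards clean traffic from.
SCRUBBER_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed policy: allow the scrubber, deny everyone else by default.
SAMPLE_POLICY = [
    {"priority": 1000, "action": "allow", "srcIpRanges": SCRUBBER_RANGES},
    {"priority": DEFAULT_PRIORITY, "action": "deny(403)", "srcIpRanges": ["*"]},
]


def _matches(rule, ip):
    """True when the client address falls in any of the rule's source ranges."""
    for rng in rule["srcIpRanges"]:
        if rng == "*" or ip in ipaddress.ip_network(rng, strict=False):
            return True
    return False


def evaluate(policy, client_ip):
    """Return the action of the first matching rule, lowest priority number first."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(policy, key=lambda r: r["priority"]):
        if _matches(rule, ip):
            return rule["action"]
    raise ValueError("policy has no default rule")


def lint_allowlist(policy, allowed_ranges):
    """Findings for a policy that is meant to admit only `allowed_ranges`:
    the default rule must deny, and every allow rule's ranges must sit inside the allowed set."""
    allowed = [ipaddress.ip_network(r) for r in allowed_ranges]
    findings = []
    default = [r for r in policy if r["priority"] == DEFAULT_PRIORITY]
    if not default or not default[0]["action"].startswith("deny"):
        findings.append("default rule must deny")
    for r in policy:
        if not r["action"].startswith("allow"):
            continue
        for rng in r["srcIpRanges"]:
            if rng == "*":
                findings.append(f"rule {r['priority']} allows every source")
                continue
            net = ipaddress.ip_network(rng, strict=False)
            if not any(net.subnet_of(a) for a in allowed):
                findings.append(f"rule {r['priority']} allows {rng}, outside the scrubber ranges")
    return findings
```

The lint catches the common regression of a lower-numbered allow rule added later (for a test client, say) that matches before the scrubber rule and silently reopens the origin. The check belongs at the edge because traffic through a proxy-based global load balancer reaches the backends from Google's front-end proxy ranges, so a VPC firewall rule on the instances cannot see the scrubbing service's source addresses.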
