Free Certification Practice Questions

GOOGLE-PROFESSIONAL-CLOUD-NETWORK-ENGINEER

Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design. What should you do?
#1
You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?
#2
You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?
#3
Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible. What should you do?
#4
You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identify the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?
#5
You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps. What should you do?
#6
You recently deployed Compute Engine instances in regions us-west1 and us-east1 in a Virtual Private Cloud (VPC) with default routing configurations. Your company security policy mandates that virtual machines (VMs) must not have public IP addresses attached to them. You need to allow your instances to fetch updates from the internet while preventing external access. What should you do?
#7
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary. Which level of permissions should you request?
#8
You are designing a new global application using Compute Engine instances that will be exposed by a global HTTP(S) load balancer. You need to secure your application from distributed denial-of-service and application layer (layer 7) attacks. What should you do?
#9
Your organization's security policy requires that all internet-bound traffic return to your on-premises data center through HA VPN tunnels before egressing to the internet, while allowing virtual machines (VMs) to leverage private Google APIs using private virtual IP addresses 199.36.153.4/30. You need to configure the routes to enable these traffic flows. What should you do?
#10
Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP environments. • Each organization has enabled full connectivity between all of its projects by using Shared VPC. • Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic. • There are no prefix overlaps between the two organizations. • Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space. • Neither organization has Interconnects to their on-premises environment. You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime. Which two steps should you take? (Choose two.)
#11
Your organization uses a Shared VPC architecture with a host project and three service projects. You have Compute Engine instances that reside in the service projects. You have critical workloads in your on-premises data center. You need to ensure that the Google Cloud instances can resolve on-premises hostnames via the Dedicated Interconnect you deployed to establish hybrid connectivity. What should you do?
#12
Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?
#13
You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?
#14
You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?
#15
You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect. What should you do?
#16
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic. What should you do?
#17
You are designing the network architecture for your organization. Your organization has three developer teams: Web, App, and Database. All of the developer teams require access to Compute Engine instances to perform their critical tasks. You are part of a small network and security team that needs to provide network access to the developers. You need to maintain centralized control over network resources, including subnets, routes, and firewalls. You want to minimize operational overhead. How should you design this topology?
#18
Your company has 10 separate Virtual Private Cloud (VPC) networks, with one VPC per project in a single region in Google Cloud. Your security team requires each VPC network to have private connectivity to the main on-premises location via a Partner Interconnect connection in the same region. To optimize cost and operations, the same connectivity must be shared with all projects. You must ensure that all traffic between different projects, on-premises locations, and the internet can be inspected using the same third-party appliances. What should you do?
#19
You have just deployed your infrastructure on Google Cloud. You now need to configure the DNS to meet the following requirements: • Your on-premises resources should resolve your Google Cloud zones. • Your Google Cloud resources should resolve your on-premises zones. • You need the ability to resolve “.internal” zones provisioned by Google Cloud. What should you do?
#20
You are configuring HA VPN for your organization to connect your on-premises environment to your Google Cloud network. Your on-premises environment is closest to the us-west1 Google Cloud region. You have Google Cloud resources in us-west2, which requires a throughput of 300,000 packets per second (PPS) and an approximate bandwidth of 4 Gbps. You need to have predictable bandwidth management and maintain an SLA of 99.99% with minimal costs. What should you do?
#21
Your organization mandates that all internal IP addresses used by all database VMs must be statically allocated. While analyzing your VPC IP address allocations, you observed that the database VMs do not have static IP addresses. You need to configure the VPC to follow your organization's mandate without causing any disruption to current operations. What should you do?
#22
Your organization deployed a mission critical application that is expected to be a new revenue source. As part of the planning and deployment process, you have recently implemented a security profile with the default set of threat signatures provided by Cloud Next Generation Firewall (Cloud NGFW). This application is the only application running on this project. You need to increase the security posture of the application to log the threat and drop the related packets. What should you do?
#23
You are configuring a Cross-Cloud Interconnect connection for your Google Cloud organization with two public cloud service providers (CSPs)–CSP 1 and CSP 2. The CSP 1 and CSP 2 environments are closest to Frankfurt, Germany. You can choose between two common colocation locations, Frankfurt and Munich. Your organization's Google Cloud infrastructure is deployed in the North American region, us-east4, which is located in Virginia, USA. The VPC dynamic routing mode has been set to GLOBAL. Your organization requires 20 Gbps of protected bandwidth with a 99.9% Google Cloud SLA. You want to minimize costs where possible. What should you do?
#24
Your organization's application is running on a VPC-native GKE Standard cluster with public IP addresses. You need to configure access to the remote address range 35.100.0.0/16 through Cloud NAT, instead of using the GKE nodes' external IP addresses. SNAT is enabled on the cluster and needs to be configured. What should you do?
#25
Your organization's current architecture has one Shared VPC host project (SH_HOST_PRJ) that contains a single VPC (SH_VPC) and two Shared VPC service projects (SP_ONE_PRJ and SP_TWO_PRJ) that do not contain any VPCs. Each Shared VPC service project belongs to a different team: TEAM_ONE manages SP_ONE_PRJ and TEAM_TWO manages SP_TWO_PRJ. You must design a solution that allows each team to create their own DNS private zones and DNS records only in their respective Shared VPC service projects. Workloads in SP_ONE_PRJ must be able to resolve all the DNS private zones defined in SP_TWO_PRJ and conversely. Your design must require the least amount of setup effort. What should you do?
#26
You are troubleshooting an application in your organization's Google Cloud network that is not functioning as expected. You suspect that packets are getting lost somewhere. The application sends packets intermittently at a low volume from a Compute Engine VM to a destination on your on-premises network through a pair of Cloud Interconnect VLAN attachments. You validated that the Cloud Next Generation Firewall (Cloud NGFW) rules do not have any deny statements blocking egress traffic, and you do not have any explicit allow rules. Following Google-recommended practices, you need to analyze the flow to see if packets are being sent correctly out of the VM to isolate the issue. What should you do?
#27
You recently reviewed the user behavior for your main application, which uses an external global Application Load Balancer, and found that the backend servers were overloaded due to erratic spikes in the rate of client requests. You need to limit the concurrent sessions and return an HTTP 429 Too Many Requests response back to the client while following Google-recommended practices. What should you do?
#28
Your company uses web application firewall (WAF) capabilities from a third-party cloud WAF provider. This WAF provider proxies all the HTTPS connections from internet clients, applies security policies, and then opens a new HTTPS connection to the public IP address of your global Application Load Balancer in Google Cloud. Your Google Cloud workloads are the backend of this global Application Load Balancer. Currently, Cloud Armor is not configured. You need to create a Cloud Armor security policy that blocks sessions that originate from internet clients with source IP addresses that belong to the IP_RANGE_BLOCK IP range. The block must be executed by the Cloud Armor security policy; it will not be done by the third-party cloud WAF provider. What should you do?
#29
Your organization, TerramEarth, is launching a global application to manage credit card payments. There are some client VMs inside the same VPC as the application that need to access this application privately. Due to compliance requirements, the internal clients cannot use the global external IP address of the application. Currently, Cloud DNS only resolves myglobalapp.terramearth.com to the public IP address with a public zone. The clients will need to reach myglobalapp.example.com, without using its external IP address. You need to configure Cloud DNS to follow this requirement while following Google-recommended practices. What should you do?
#30