
Professional Cloud Network Engineer — Google Cloud Certified - Professional Cloud Network Engineer Study Guide

245 practice questions · Updated 2026-02-20 · $19 (70% off) · HTML + PDF formats

Professional Cloud Network Engineer Exam Overview

Prepare for the Google Professional Cloud Network Engineer certification exam with our comprehensive study guide. This study material contains 245 practice questions sourced from real exams and expert-verified for accuracy. Each question includes the correct answer and a detailed explanation to help you understand the material thoroughly.

The Professional Cloud Network Engineer exam — Google Cloud Certified - Professional Cloud Network Engineer — is offered by Google. Our study materials were last updated on 2026-02-20 to reflect the most recent exam objectives and content.

What You Get

245 Practice Questions

Complete question bank covering all exam domains and objectives.

HTML + PDF Formats

Interactive HTML file (recommended) for screen study and a print-ready PDF.

Instant Download

Access your study materials immediately after purchase.

Email with Permanent Download Links

You will receive a confirmation email with permanent download links in case you want to download the files again in the future.

Why Choose CheapestExamDumps?

Lowest Price Available

Only $19 per exam — competitors charge $50-$300 for similar content.

Updated Monthly

Study materials refreshed within 30 days of any exam content changes.

Free Preview

Try 15 real practice questions before you buy — no signup required.

Instant Access

Download HTML + PDF immediately after payment. No waiting, no account needed.

$63 $19

One-time payment · HTML + PDF · Instant download · 245 questions

Free Sample — 15 Practice Questions

Preview 15 of 245 questions from the Professional Cloud Network Engineer exam. Try before you buy — purchase the full study guide for all 245 questions with answers and explanations.

Question 46

Your organization is using a Shared VPC model. Service project owners want to independently manage their DNS zones in service projects. All service project workloads must be able to resolve all private zones that are defined in other service projects. You need to create a solution that meets these goals. What should you do?

A. Create a Cloud DNS private zone in each service project. Use a Cloud DNS forwarding zone to forward queries to the Shared VPC in the host project.
B. Create a Cloud DNS private zone in each service project. Use Cloud DNS peering zones that target the Shared VPC in the host project.
C. Create a Cloud DNS response policy zone in each service project. Use Cloud DNS peering zones that target the Shared VPC in the host project.
D. Create a Cloud DNS private zone in each service project. Use cross-project binding to associate the zones to the Shared VPC in the host project.
Correct Answer: D
Explanation:
In a Shared VPC, private Cloud DNS zones are only visible to the VPC networks they are associated with. Using cross-project binding allows each service project to independently own and manage its private DNS zones while associating those zones with the Shared VPC network in the host project. This makes the zones resolvable by all workloads attached to the Shared VPC, including those in other service projects. Forwarding or peering zones are unnecessary and do not provide full bidirectional visibility across all service projects.

Question 223

You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT. What is the most likely cause of this problem?

A. The instance has been configured with multiple interfaces.
B. An external IP address has been configured on the instance.
C. You have created static routes that use RFC1918 ranges.
D. The instance is accessible by a load balancer external IP address.
Correct Answer: B
Explanation:
Cloud NAT is only used by instances that do not have an external IP address. If an instance has an external IP configured on its network interface, that external IP always takes precedence and performs one-to-one NAT for outbound traffic, bypassing Cloud NAT entirely.

Question 23

You recently reviewed the user behavior for your main application, which uses an external global Application Load Balancer, and found that the backend servers were overloaded due to erratic spikes in the rate of client requests. You need to limit the concurrent sessions and return an HTTP 429 Too Many Requests response back to the client while following Google-recommended practices. What should you do?

A. Create a Cloud Armor security policy, and associate the policy with the load balancer. Configure the security policy's settings as follows: action: throttle; conform action: allow; exceed action: deny-429.
B. Configure the load balancer to accept only the defined amount of requests per client IP address, increase the backend servers to support more traffic, and redirect traffic to a different backend to burst traffic.
C. Create a Cloud Armor security policy, and apply the predefined Open Worldwide Application Security Project (OWASP) rules to automatically implement the rate limit per client IP address.
D. Configure a VM with Linux, implement the rate limit through iptables, and use a firewall rule to send an HTTP 429 response to the client application.
Correct Answer: A
Explanation:
Google-recommended practice for limiting request rates and concurrent sessions on a global external Application Load Balancer is to use Cloud Armor rate limiting. A Cloud Armor security policy with action set to throttle allows compliant traffic and applies an exceed_action of deny-429 when limits are exceeded, returning HTTP 429 Too Many Requests. This natively integrates with the load balancer, handles erratic spikes, and avoids custom backends or VM-level controls.

Question 196

You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command. Which next hop should you choose?

A. The default internet gateway
B. The IP address of the Cloud VPN gateway
C. The name and region of the Cloud VPN tunnel
D. The IP address of the instance on the remote side of the VPN tunnel
Correct Answer: C
Explanation:
For a policy-based (static) Cloud VPN, custom static routes are created with the VPN tunnel as the next hop. Using gcloud, this is specified with --next-hop-vpn-tunnel and its region. You do not route to the VPN gateway IP or the default internet gateway; traffic is forwarded to the VPN tunnel itself.

Question 79

You are designing a packet mirroring policy as part of your network security architecture for your gaming workload. Your infrastructure is located in the us-west2 region and deployed across several zones: us-west2-a, us-west2-b, and us-west2-c. The infrastructure is running a web-based application on TCP ports 80 and 443 with other game servers that utilize the UDP protocol. You need to deploy packet mirroring policies and collector instances to monitor web application traffic while minimizing inter-zonal network egress costs. Following Google-recommended practices, how should you deploy the packet mirroring policies and collector instances?

A. Create three packet mirroring policies: one for each zone. Create one group of collector instances for the us-west2 region. Configure each packet mirroring policy to match traffic for its zone based on instance-tags, and create a filter for TCP traffic.
B. Create one packet mirroring policy for the us-west2 region. Create one group of collector instances for the us-west2 region. Configure the packet mirroring policy to match traffic for web server instances based on instance-tags, and create a filter for TCP traffic.
C. Create three packet mirroring policies: one for each zone. Create three groups of collector instances: one group for each zone. Configure each policy to match traffic for its zone based on instance-tags, and create a filter for TCP traffic.
D. Create three packet mirroring policies: one for each zone. Create three groups of collector instances: one group for each zone. Configure each policy to match traffic for its zone based on subnets, and create a filter for TCP traffic.
Correct Answer: C
Explanation:
To minimize inter-zonal network egress costs, mirrored traffic should remain within the same zone whenever possible. Google-recommended practices therefore suggest deploying packet mirroring policies and collector instances on a per-zone basis. By creating one packet mirroring policy and one collector instance group in each zone (us-west2-a, us-west2-b, us-west2-c), mirrored traffic does not cross zone boundaries. Using instance-tags precisely targets only the web server instances, and applying a TCP filter ensures that only ports 80 and 443 traffic is mirrored, excluding UDP-based game traffic. This design is both cost-efficient and aligned with Google Cloud best practices.

Question 213

You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed. During troubleshooting you find:
• Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
• The subnetwork logs are not excluded from Stackdriver.
• The instance that is hosting the application can communicate outside the subnet.
• Other instances within the subnet can communicate outside the subnet.
• The external resource initiates communication.
What is the most likely cause of the missing log lines?

A. The traffic is matching the expected ingress rule.
B. The traffic is matching the expected egress rule.
C. The traffic is not matching the expected ingress rule.
D. The traffic is not matching the expected egress rule.
Correct Answer: C
Explanation:
The external resource initiates the connection, so the problematic traffic is ingress. In Google Cloud, traffic that does not match an explicit ingress allow rule falls to the implicit deny ingress rule, which is not logged. Hence no denied entries appear despite logging being enabled.

Question 72

Your frontend application VMs and your backend database VMs are all deployed in the same VPC but across different subnets. Global network firewall policy rules are configured to allow traffic from the frontend VMs to the backend VMs. Based on a recent compliance requirement, this traffic must now be inspected by network virtual appliance (NVA) firewalls that are deployed in the same VPC. The NVAs are configured to be full network proxies and will source-NAT allowed traffic. You need to configure VPC routing to allow the NVAs to inspect the traffic between subnets. What should you do?

A. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add the global network firewall policy rules to allow traffic through your NVAs. Create a policy-based route (PBR) with the source IP range of the backend VM subnet, destination IP range of the frontend VM subnet, and the next hop of ILB1. Scope the PBR to the VMs with the backend network tag. Add a backend network tag to your backend servers.
B. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a custom static route with the destination IP range of the backend VM subnet, frontend instance tag, and the next hop of ILB1. Add a frontend network tag to your frontend VMs.
C. Create your NVA with multiple interfaces. Configure NIC0 for NVA in the backend subnet. Configure NIC1 for NVA in the frontend subnet. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a custom static route with the destination IP range of the backend VM subnet, frontend instance tag, and the next hop of ILB1. Add a frontend network tag to your frontend VMs.
D. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a policy-based route (PBR) with the source IP range of the frontend VM subnet, destination IP range of the backend VM subnet, and the next hop of ILB1. Scope the PBR to the VMs with the frontend network tag. Add a frontend network tag to your frontend servers.
Correct Answer: D
Explanation:
To force inter-subnet traffic through NVAs that act as full network proxies with SNAT, you must steer only the initiating traffic (from frontend to backend) to the NVAs. The correct approach is to place the NVAs behind an internal passthrough Network Load Balancer and use a policy-based route (PBR) that matches source = frontend subnet and destination = backend subnet, with the next hop set to the ILB. Scoping the PBR to frontend VMs ensures only this traffic is inspected. Because the NVAs SNAT the traffic, return traffic from the backend will automatically flow back through the NVAs without requiring routing on the backend. Static tag-based routes are inappropriate here, and dual-NIC designs are unnecessary.

Question 75

Your organization has approximately 100 teams that need to manage their own environments. A central team must manage the network. You need to design a landing zone that provides separate projects for each team. You must also make sure the solution can scale. What should you do?

A. Configure Policy-based Routing for each team.
B. Configure a Shared VPC, and create a VPC network in the host project.
C. Configure VPC Network Peering, and peer one of the VPCs to the service project.
D. Configure a Shared VPC, and create a VPC network in the service project.
Correct Answer: B
Explanation:
A Shared VPC is designed for large-scale, multi-team environments where a central team manages networking while individual teams operate in separate projects. Creating the VPC network in a host project and attaching multiple service projects allows centralized control, strong isolation, and scalability to hundreds of teams. The other options either do not scale well or do not provide centralized network governance.

Question 145

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with on-premises connectivity already in place. You are deploying a new application using Google Kubernetes Engine (GKE), which must be accessible only from the same VPC network and on-premises locations. You must ensure that the GKE control plane is exposed to a predefined list of on-premises subnets through private connectivity only. What should you do?

A. Create a GKE private cluster with a private endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers. Configure authorized networks to specify the desired on-premises subnets.
B. Create a GKE private cluster with a public endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers.
C. Create a GKE private cluster with a private endpoint for the control plane. Configure authorized networks to specify the desired on-premises subnets.
D. Create a GKE public cluster. Configure authorized networks to specify the desired on-premises subnets.
Correct Answer: A
Explanation:
To restrict access to the GKE control plane to the VPC and on-premises over private connectivity, you must use a GKE private cluster with a private control plane endpoint. Because the control plane resides in a Google-managed VPC, you must enable VPC peering route export/import and advertise on-premises routes via Cloud Router so return traffic reaches on-premises. Authorized networks are then used to limit control plane access to the specific on-premises subnets. Other options either expose a public endpoint or omit required routing configuration.

Question 174

You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team as efficiently as possible. What should you do?

A. Create a Google Group for the WebServices Team.
B. Create a G Suite Domain for the WebServices Team.
C. Create a new Cloud Identity Domain for the WebServices Team.
D. Create a new Custom Role for all members of the WebServices Team.
Correct Answer: A
Explanation:
Creating a Google Group is the most efficient way to centralize both IAM permissions and email distribution for a team. Google Groups can be used as principals in Google Cloud IAM, allowing you to grant roles once at the group level and manage access by adding or removing members. At the same time, the group provides a single email address for team-wide communication. Creating a new domain or Cloud Identity domain is unnecessary overhead for a single team, and a custom role does not address email distribution or centralized membership management.

Question 110

Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?

A. Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.
B. Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
C. Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.
D. Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.
Correct Answer: B
Explanation:
VPC Service Controls are designed to restrict access to Google-managed services like Cloud Storage and BigQuery based on service perimeters and access context (such as source IP ranges). Creating a single service perimeter at the project level applies consistently across all VPCs in the project and allows you to permit access only from your corporate public IP ranges. Firewall rules cannot control managed service APIs, and per-VPC perimeters are unnecessary and less efficient.

Question 180

You are configuring a new instance of Cloud Router in your organization's Google Cloud environment to allow connection across a new Dedicated Interconnect to your data center. Sales, Marketing, and IT each have a service project attached to the organization's host project. Where should you create the Cloud Router instance?

A. VPC network in all projects
B. VPC network in the IT Project
C. VPC network in the Host Project
D. VPC network in the Sales, Marketing, and IT Projects
Correct Answer: C
Explanation:
In a Shared VPC architecture, Dedicated Interconnect and Cloud Router resources must be created in the host project because the host project owns the VPC network. Service projects (Sales, Marketing, IT) attach to and use the host project’s VPC but cannot host the Cloud Router for the interconnect. Therefore, the Cloud Router should be created in the VPC network of the host project.

Question 81

You are configuring your organization's Google Cloud environment to connect to your on-premises network, which does not support Border Gateway Protocol (BGP). Your on-premises network has 30 CIDR ranges that must be reachable from Google Cloud. Your VPN gateway creates a unique child security association (SA) per CIDR. You must ensure that the 30 CIDR ranges in your on-premises network are reachable from Google Cloud. Following Google-recommended practices, which two methods can you use to accomplish this? (Choose two.)

A. Create a single Cloud VPN tunnel that uses route-based VPN.
B. Create a single Cloud VPN tunnel that uses policy-based routing with 30 CIDRs as the remote traffic selectors.
C. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to unique peer IP addresses.
D. Create multiple Cloud VPN tunnels that use policy-based routing with 10 CIDR per tunnel as the remote traffic selectors.
E. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to the same peer IP address.
Correct Answer: A, C
Explanation:
Google-recommended practice prefers route-based VPNs when possible because they avoid traffic-selector scaling limits. Even without BGP, a single route-based Cloud VPN tunnel can be used with static routes: route-based tunnels use 0.0.0.0/0 as their traffic selectors, while the more specific routes for the 30 ranges are defined in the VPC (or on Cloud Router) rather than in the tunnel (A). When policy-based routing is required because of peer constraints (a unique child SA per CIDR), Google recommends creating multiple policy-based tunnels, each with exactly one local and one remote CIDR, which aligns SAs cleanly. This requires multiple tunnels, each mapped one-to-one with a CIDR, and the peer must provide a distinct external IP address per tunnel (C). The other options either exceed recommended selector limits or do not follow Google's route-alignment guidance.

Question 201

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs. Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

A. VPC peering
B. Shared VPC
C. Cloud VPN
D. Dedicated Interconnect
E. Cloud NAT
Correct Answer: A, C
Explanation:
VPC Peering allows private, internal-IP connectivity between two GCP VPC networks in different projects and even different organizations as long as there is no CIDR overlap, meeting the requirement without exposing resources publicly. Cloud VPN provides an encrypted tunnel over the public internet between the partner's network and your VPC, which also works across organizations and does not require CIDR overlap. Shared VPC requires the same organization, Dedicated Interconnect is for on-premises connectivity, and Cloud NAT is only for outbound internet access.

Question 212

You want to configure a NAT to perform address translation between your on-premises network blocks and GCP. Which NAT solution should you use?

A. Cloud NAT
B. An instance with IP forwarding enabled
C. An instance configured with iptables DNAT rules
D. An instance configured with iptables SNAT rules
Correct Answer: A
Explanation:
Cloud NAT is the correct solution. Google Cloud provides Cloud NAT not only for internet egress but also for hybrid/private NAT use cases (Private NAT), enabling address translation between on-premises network blocks and GCP over Cloud VPN or Interconnect. It is a managed, scalable, and highly available service designed specifically for this purpose. The instance-based options (B, C, D) require building and operating a custom NAT gateway and are not the recommended or intended solution.


Get all 245 questions with detailed answers and explanations

Professional Cloud Network Engineer — Frequently Asked Questions

What is the Google Professional Cloud Network Engineer exam?

The Google Professional Cloud Network Engineer exam — Google Cloud Certified - Professional Cloud Network Engineer — is a professional IT certification exam offered by Google.

How many practice questions are included?

This study guide contains 245 practice questions, each with an expert-verified correct answer and a detailed explanation. Questions cover all exam domains and objectives.

Is there a free sample available?

Yes! We provide a free sample of 15 practice questions from the Professional Cloud Network Engineer exam right on this page. Scroll up to preview them and evaluate the quality of our materials before purchasing.

When was this Professional Cloud Network Engineer study guide last updated?

This study guide was last updated on 2026-02-20. We regularly refresh our materials to reflect the latest exam content and objectives so you're always studying current material.

What file formats do I receive?

After purchase you receive two files: an interactive HTML file with show/hide answer toggles (ideal for studying on screen) and a PDF file (ideal for printing or offline study). Both work on any device — desktop, tablet, or phone.

How much does the Professional Cloud Network Engineer study guide cost?

The Google Professional Cloud Network Engineer study guide costs $19 (discounted from $63). This is a one-time payment with no subscriptions or hidden fees.

How do I get my files after payment?

After successful payment via Stripe, you are immediately redirected to a download page with links to your HTML and PDF files. We also send the download links to your email address as a backup, so you'll always have access.

Why choose CheapestExamDumps over other providers?

CheapestExamDumps offers the lowest price at $19 per exam — competitors charge $50-$300 for similar content. All study materials are expert-verified, updated monthly, and include a free 15-question preview with no signup required. You get instant access to both HTML and PDF formats after payment.