Question 191
You are implementing firewall controls to protect your computer resources in a newly created VPC. To make the protection process easier to manage and control, you've defined the hierarchical firewall policies, global network firewall policies, and VPC firewall rules. The configuration of rules defines the following characteristics:
• The hierarchical firewall policy, bound at the organization level, is allowing/denying specific external traffic.
• There is a global network firewall policy with rules that enforce intrusion prevention system (IPS) capabilities for specific external inbound/outbound traffic.
• The VPC firewall rules allow internal communication from RFC 1918-defined subnets.
• The VPC firewall contains an explicit deny rule with logs enabled.
This configuration was successful in multiple preexisting VPCs. However, you noticed that the logs were missing when you were reviewing a newly created VPC. All external communications are hanging, but internal traffic is working as expected. You want to fix the connectivity issue.
What should you do?
A. Create a new VPC and migrate existing resources to the new VPC. Delete the old VPC, and reapply the firewall policies and rules in the new VPC.
B. Raise the priority numbers of the firewall policy rules and lower the priority numbers of the VPC firewall rules.
C. Review the order in which the VPC firewall rules and policies are evaluated. If the VPC firewall rules are being evaluated before firewall policies, switch the order.
D. Lower the priority numbers of the firewall policy rules and raise the priority numbers of the VPC firewall rules.
Question 192
You are configuring the intrusion prevention service (IPS) feature on Cloud Next Generation Firewall Enterprise. You deployed your firewall endpoints and you need to inspect the traffic of the VMs. What should you do?
A. Configure Packet Mirroring to match the source/destination IP addresses of the VMs.
B. Configure a firewall rule to match the source/destination IP addresses of the VMs, and use the goto_next action.
C. Configure a firewall rule to match the hostnames of the VMs, and use the apply_security_profile_group action.
D. Configure a firewall rule to match the source/destination IP addresses of the VMs, and use the apply_security_profile_group action.
Question 193
Your organization recently exposed a set of services through a global external Application Load Balancer. After conducting some testing, you observed that responses would intermittently yield HTTP 4xx or 5xx error response codes. You already enabled and reviewed the health check logs. You need to identify the error. What should you do?
A. Access a VM in the VPC through SSH to access the backend VM directly. If the request is successful from the VM, increase the quantity of backends.
B. Delete the load balancer and backend services. Create a new Passthrough Network Load Balancer. Configure a failover group of VMs for the backend.
C. Validate the health of the backend service. Enable logging for the backend service and identify the error response in Cloud Logging. Review the statusDetails log field.
D. Validate the health of the backend service. Disable any Cloud Armor policies on the backend service, and identify any error response in Cloud Logging. Review the statusDetails log field.
Question 194
Your company's current network architecture has two VPCs that are connected by a dual-NIC instance that acts as a bump-in-the-wire firewall between the two VPCs. Flows between pairs of subnets across the two VPCs are working correctly. Suddenly, you receive an alert that none of the flows between the two VPCs are working anymore. You need to troubleshoot the problem. What should you do? (Choose two.)
A. Verify that a VPC Service Controls perimeter has not been enabled for the project that contains the two VPCs and the dual-NIC instance.
B. Use Cloud Logging to verify that there were no modifications to the VPC firewall rules or policies that were applied to the two network interfaces of the dual-NIC instance.
C. Verify that a public IP address has not been assigned to any network interface of the dual-NIC instance.
D. Verify that the dual-NIC instance has the --can-ip-forward attribute enabled.
E. Verify that the dual-NIC instance has not been added to a backend service.
Question 195
Your company deployed Cloud Next Generation Firewall Enterprise (Cloud NGFW Enterprise). You have already created a CA pool and a CA in Certificate Authority Service. You need to enable TLS inspection. What should you do?
A. Grant the network security service agent service account the privateca.certificateRequester role. Create a TLS inspection policy linking to the CA pool. Configure your VPC endpoint associations to use the TLS inspection policy. Flip the TLS inspection flag in your firewall policy rules to true.
B. Grant the network security service agent service account the privateca.poolReader role. Create a TLS inspection policy linking to the CA pool. Configure your VPC endpoint associations to use the TLS inspection policy. Flip the TLS inspection flag in your firewall policy rules to true.
C. Grant the network security service agent service account the privateca.certificateRequester role. Create a trust config in Certificate Manager. Flip the TLS inspection flag in your firewall policy rules to true.
D. Grant the network security service agent service account the privateca.certificateRequester role. Create a trust config in Certificate Manager. Flip the TLS inspection flag in your firewall policy rules to true.
Question 196
You have recently taken over responsibility for your organization's Google Cloud network security configurations. You want to review your Cloud Next Generation Firewall (Cloud NGFW) configurations and ensure there are no rules that are allowing ingress traffic to your VMs and services from the internet. You want to avoid manual work. What should you do?
A. Review the firewall policy rules associated with the VPC, and filter for rules that allow ingress from 0.0.0.0/0.
B. Enable "Overly permissive rules insights" in Firewall Insights. Review results for rules that show allowed ingress traffic from internet sources.
C. Run Connectivity Tests from multiple external sources to double-check ingress traffic settings.
D. Enable the Network Analyzer API and review the "VPC Network" category insights.
Question 197
Your company's cloud network has hybrid connectivity to an on-premises environment through Cloud Interconnect in two regions (us-east4 and us-west1). You received complaints that some on-premises destinations are no longer reachable from us-east4, after changes were made to advertise additional routes to us-west1. You need to troubleshoot to see if any routes were dropped. What should you do?
A. Query the dynamic_routes/learned_routes/dropped_unique_destinations metric and review the global routing_mode metric attribute.
B. Query the dynamic_routes/learned_routes/unique_destinations_limit metric and review the global routing_mode metric attribute.
C. Query the dynamic_routes/learned_routes/any_dropped_unique_destinations metric and review the regional routing_mode metric attribute.
D. Query the dynamic_routes/learned_routes/dropped_unique_destinations metric and review the regional routing_mode metric attribute.
Question 198
Your organization has resources in two different VPCs, each in different Google Cloud projects, which require connectivity between them. You have already determined that there is no IP address overlap; however, one VPC uses privately used public IP (PUPI) ranges. You would like to enable connectivity between these resources by using a lower cost and higher performance method. What should you do?
A. Create an HA VPN between the two VPCs that includes the PUPI ranges in the Custom Route Advertisements of the Cloud Router. Create the necessary ingress VPC firewall rules that target the specific resources by using network tags as the source filter.
B. Create an HA VPN between the two VPCs that includes the PUPI ranges in the Custom Route Advertisements of the Cloud Router. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.
C. Create a VPC Peering between the two VPCs that allows the export and import of custom routes. Create the necessary ingress VPC firewall rules that target the specific resources by using service accounts as the source filter.
D. Create a VPC Peering between the two VPCs that allows the export and import of subnet routes with public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.
Question 199
Your organization recently re-architected your cloud environment to use Network Connectivity Center. However, an error occurred when you tried to add a new VPC, named vpc-dev, as a spoke. The error indicated that there was an issue with an existing spoke and the IP space of a VPC, named vpc-pre-prod. You must complete the migration quickly and efficiently. What should you do?
A. Delete the VMs associated with the conflicting subnets, then delete the conflicting subnets in vpc-dev. Recreate the subnets with a new IP range and redeploy the previously deleted VMs in the new subnets. Add the VPC spoke for vpc-dev.
B. Exclude the conflicting IP range by using the --exclude-export-ranges flag when creating the VPC spoke for vpc-dev.
C. Exclude the conflicting IP range by using the --exclude-export-ranges flag in the hub when attaching the VPC spoke for vpc-dev.
D. Remove the conflicting VPC spoke for vpc-pre-prod from the set of VPC spokes in Network Connectivity Center. Add the VPC spoke for vpc-dev. Add the previously removed vpc-pre-prod as a VPC spoke.
Question 200
Recently, your networking team enabled Cloud CDN for one of the external-facing services that is exposed through an external Application Load Balancer. The application team has already defined which content should be cached within the responses. Upon testing the load balancer, you did not observe any change in performance after the Cloud CDN enablement. You need to resolve the issue. What should you do?
A. Configure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches all static content as well as content defined by the backends.
B. Configure the FORCE_CACHE_ALL caching mode on Cloud CDN to ensure all appropriate content is cached.
C. Configure the USE_ORIGIN_HEADERS caching mode on Cloud CDN to ensure Cloud CDN caches content depending on responses to requests from the backends.
D. Configure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches content depending on responses to requests from the backends.