Professional-Cloud-Network-Engineer試験無料問題集（236題）「Google Cloud Certified

出題：1

You need to create the technical architecture for hybrid connectivity from your data center to Google Cloud This will be managed by a partner. You want to follow Google-recommended practices for production-level applications. What should you do?

A. Configure two Partner Interconnect connections in one metro and two connections in another metro Make sure the Interconnect connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN attachments in another region, and configure global dynamic routing on the VPC

B. Configure two Partner Interconnect connections in one metropolitan area (metro). Make sure the Interconnect connections are placed in different metro edge availability domains. Configure two VLAN attachments in a single region, and configure regional dynamic routing on the VPC

C. Configure two Partner Interconnect connections in one metro and two connections in another metro.Make sure the Interconnect connections are placed in different metro edge availability domains.Configure two VLAN attachments in one region and two VLAN attachments in another region, and configure regional dynamic routing on the VPC.

D. Ask the partner to install two security appliances in the data center. Configure one VPN connection from each of these devices to Google Cloud, and ensure that the VPN devices on-premises are in separate racks on separate power and cooling systems.

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：2

You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via TCP on port 700. You want to ensure high availability for this application. What should you do?

A. Create a network load balancer that used backend services containing one instance group with two instances.

B. Create a TCP proxy that uses backend services containing an instance group with two instances.

C. Create a TCP proxy that uses a zonal network endpoint group containing one instance.

D. Create a network load balancer that uses a target pool backend with two instances.

正解：B 解答を投票する

出題：3

You are responsible for enabling Private Google Access for the virtual machine (VM) instances in your Virtual Private Cloud (VPC) to access Google APIs. All VM instances have only a private IP address and need to access Cloud Storage. You need to ensure that all VM traffic is routed back to your on-premises data center for traffic scrubbing via your existing Cloud Interconnect connection. However, VM traffic to Google APIs should remain in the VPC. What should you do?

A. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to Private googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in
199.36.153.8/30.Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.

B. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
Create a public Cloud DNS zone with a CNAME for *.google.com to private googleapis com, create a CNAME for * googleapis.com to private googleapis com, and create an A record for Private googleapis.
com that resolves to the addresses in 199.36.153 8/30.
Create a static route in your VPC for the range 199 .36.153.8/30 with the default internet gateway as the next hop.

C. Delete the default route in your VPC.
Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to restricted googleapis.com, and create an A record for restricted googleapis com that resolves to the addresses in 199.36.153.4/30.
Create a static route in your VPC for the range 199.36.153.4/30 with the default internet gateway as the next hop.

D. Configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP) with a lower priority (MED) than the default VPC route.
Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to private googleapis com, and create an A record for private.googleapis.com that resolves to the addresses in 199
.36.153.8/30.
Create a static route in your VPC for the range 199.36. 153.8/30 with the default internet gateway as the next hop.

正解：D 解答を投票する

出題：4

You are implementing a VPC architecture for your organization by using a Network Connectivity Center hub and spoke topology:
* There is one Network Connectivity Center hybrid spoke to receive on-premises routes.
* There is one VPC spoke that needs to be added as a Network Connectivity Center spoke.
Your organization has limited routable IP space fortheir cloud environment (192.168.0.0/20). The Network Connectivity Center spoke VPC is connected to on-premises with a Cloud Interconnect connection in the us- east4 region. The on-premises IP range is 172.16.0.0/16. You need to reach on-premises resources from multiple Google Cloud regions (us-westl, europe-centrall, and asia-southeastl) and minimize the IP addresses being used. What should you do?

A. O 1. Configure a Private NAT gateway and NAT subnet in us-westl (192.168.1.0/24), europe-centrall (192.168.2.0/24) and asia-southeastl (192.168.3.0/24).
2. Add the VPC as a spoke and configure an export include policy to advertise only 192.168.1.0/24,
192.168.2.0/24, and 192.168.3.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-westl, us-centrall and asia-southeastl to reach the on-premises location through us-east4.

B. Q 1. Configure a Private NAT gateway instance in us-east4 (192.168.1.0/24).
2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise
192.168.1.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-westl, us-centrall and asia-southeast l to reach the on-premises location through us-east 4.

C. Q 1. Configure a Private NAT gateway instance in us-westl (192.168.1.0/24), europe-centrall (192.168.2.0/24), and asia-southeastl (192.168.3.0/24).
2. Add the VPC as a spoke and configure an export exclude policy on the VPC spoke to advertise only the NAT subnets 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-westl, us-centrall, and asia-southeastl to reach the on-premises location through us-east4.

D. O 1- Configure a Private NAT gateway instance in us-westl (172.16.1.0/24), europe-centrall (172.16.2.0
/24), and asia-southeastl (172.16.3.0/24).
2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise only the NAT subnets 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24 to the hub.
3. Enable global dynamic to allow resources in us-westl, us-centrall, and asia-southeastl to reach the on- premises location through us-east4.

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：5

Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with a unique ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* BGP sessions are established between both on-premises routers and the Cloud Router.
* Only 1 of the on-premises router's routes are being added to the routing table.
What is the most likely cause of this problem?

A. A firewall is blocking the traffic across the second VPN connection.

B. The ASNs being used on the on-premises routers are different.

C. You do not have a load balancer to load-balance the network traffic.

D. The on-premises routers are configured with the same routes.

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：6

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space In your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?

A. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters

B. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and

C. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters

D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected --disable-default-snat, -enable-ip-alias, and-enable- private-nodes

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：7

Your team deployed two applications in GKE that are exposed through an external Application Load Balancer. When queries are sent to www.mountkirkgames.com/sales and www.mountkirkgames.com/get-an- analysis, the correct pages are displayed. However, you have received complaints that www.mountkirkgames.
com yields a 404 error. You need to resolve this error. What should you do?

A. Review the Ingress YAML file. Add a new path rule for the * character that directs to the base service.
Reapply the YAML.

B. Review the Ingress YAML file. Define the default backend. Reapply the YAML.

C. Review the Service YAML file. Add a new path rule for the * character that directs to the base service.Reapply the YAML.

D. Review the Service YAML file. Define a default backend. Reapply the YAML.

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：8

Your company acquired a new division. The new division's network team requires complete control over their networking infrastructure. You need to extend your existing Google Cloud network infrastructure, that consists of a single VPC, to allow workloads from all divisions to communicate with each other. You want to avoid incurring extra costs and granting unnecessary permissions to the new division's networking team.
What should you do?

A. Q * Ensure that the project hosting the existing network infrastructure is enabled as a host project.
* Create a new subnet dedicated to the new division's workloads in the existing VPC.
* Grant roles/compute. networkuser on the newly created subnet to the new division's network team group.

B. O * Create a new project for the new division's network team.
* Create a new VPC within the new project.
* Establish a VPN connection between your existing VPC and the new division's VPC.
* Grant roles/compute .networkAdmin on the newly created project to the new division's network team group.

C. O * Create a new project for the new division's network team.
* Create a new VPC within the new project.
* Establish a VPC peering between your existing VPC and the new division's VPC.
* Create a new subnet dedicated to the new division's workloads.
* Grant roles/compute .networkuser on the new project to the new division's network team group.

D. Q * Create a new project for the new division's network team.
* Create a new VPC within the new project.
* Establish a VPC peering between your existing VPC and the new division's VPC.
* Grant roles/compute. networkAdmin on the newly created project to the new division's network team group.

正解：D 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：9

You want Cloud CDN to serve the https://www.example.com/images/spacetime.png static image file that is hosted in a private Cloud Storage bucket, You are using the VSE ORIG.-X_NZADERS cache mode You receive an HTTP 403 error when opening the file In your browser and you see that the HTTP response has a Cache-control: private, max-age=O header How should you correct this Issue?

A. Enable negative caching for the backend bucket

B. Increase the default time-to-live (TTL) for the backend service.

C. Configure a Cloud Storage bucket permission that gives the Storage Legacy Object Reader role

D. Change the cache mode to cache all content.

正解：C 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：10

Your company recently migrated to Google Cloud in a Single region. You configured separate Virtual Private Cloud (VPC) networks for two departments. Department A and Department B. Department A has requested access to resources that are part Of Department Bis VPC. You need to configure the traffic from private IP addresses to flow between the VPCs using multi-NIC virtual machines (VMS) to meet security requirements Your configuration also must
* Support both TCP and UDP protocols
* Provide fully automated failover
* Include health-checks
Require minimal manual Intervention In the client VMS
Which approach should you take?

A. Create an instance template and a managed instance group. Configure two separate internal TCP/IJDP load balancers for each protocol (TCP!UDP), and configure the client VIVIS to use the internal load balancers' virtual IP addresses

B. Create the VMS In the same zone, and configure static routes With IP addresses as next hops.

C. Create the VMS in different zones, and configure static routes with instance names as next hops

D. Create an Instance template and a managed instance group. Configure a Single internal load balancer, and define a custom static route with the Internal TCP/UDP load balancer as the next hop

正解：A 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：11

You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT.
What is the most likely cause of this problem?

A. An external IP address has been configured on the instance.

B. The instance has been configured with multiple interfaces.

C. The instance is accessible by a load balancer external IP address.

D. You have created static routes that use RFC1918 ranges.

正解：A 解答を投票する

出題：12

You are the network administrator responsible for hybrid connectivity at your organization. Your developer team wants to use Cloud SQL in the us-west1 region in your Shared VPC. You configured a Dedicated Interconnect connection and a Cloud Router in us-west1, and the connectivity between your Shared VPC and on-premises data center is working as expected. You just created the private services access connection required for Cloud SQL using the reserved IP address range and default settings. However, your developers cannot access the Cloud SQL instance from on-premises. You want to resolve the issue. What should you do?

A. Change the VPC routing mode to global.Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.

B. Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.
Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range.

C. Create an additional Cloud Router in us-west2.
Create a new Border Gateway Protocol (BGP) peering connection to your on-premises data center.
Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.

D. Change the VPC routing mode to global.
Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range.

正解：B 解答を投票する

出題：13

You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?

A. Configure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.

B. Use the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network.

C. Configure VPC Flow Logs. Review the logs by filtering on the source and destination.

D. Use Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred.

正解：D 解答を投票する

出題：14

You have the following private Google Kubernetes Engine (GKE) cluster deployment:

You have a virtual machine (VM) deployed in the same VPC in the subnetwork kubernetes-management with internal IP address 192.168.40 2/24 and no external IP address assigned. You need to communicate with the cluster master using kubectl. What should you do?

A. Add the network 192.168.36.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2

B. Add the network 192.168.40.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.

C. Add an external IP address to the VM, and add this IP address in the masterAuthorizedNetworksConfig.Configure kubectl to communicate with the endpoint 35.224.37.17.

D. Add the network 192.168.38.0/28 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2

正解：B 解答を投票する

出題：15

You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.
Which two actions should you take? (Choose two.)

A. Create a private connection to a service producer.

B. Enable Private Google Access.

C. Create a custom static route to allow the traffic to reach the Cloud SQL API.

D. Activate the Cloud Datastore API in your project.

E. Activate the Service Networking API in your project.

正解：A,B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：16

You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia- southeast1 region cannot communicate with compute resources on-premises. What should you do?

A. Add a second Border Gateway Protocol (BGP) session to the Cloud Router.

B. Configure a custom route advertisement on the Cloud Router.

C. Enable IP forwarding in the asia-southeast1 region.

D. Change the VPC dynamic routing mode to Global.

正解：D 解答を投票する

出題：17

You have the networking configuration shown. In the diagram Two VLAN attachments associated With two Dedicated Interconnect connections terminate on the same Cloud Router (mycloudrouter). The Interconnect connections terminate on two separate on-premises routers. You advertise the same prefixes from the Border Gateway Protocol (BOP) sessions associated with each Of the VLAN attachments.
You notice an asymmetric traffic flow between the two Interconnect connections. Which of the following actions should you take to troubleshoot the asymmetric traffic flow?

A. From the Cloud CLI, run gcloud compute -protect_ID router get-status mycloudrouter --region REGION and review the results.

B. From the Google Cloud console, navigate to the Hybrid Connectivity select the Cloud Router, and view BGP sessions.

C. From the Cloud CLI. run gcloud compute routers describe mycloudrouter
--region REGION and review the results

D. From the Google Cloud console, navigate to Cloud Logging to view VPC Flow Logs and review the results

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：18

You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?

A. Policy-based routing using a custom local traffic selector

B. Route-based routing using default traffic selectors

C. Policy-based routing using the default local traffic selector

D. Dynamic routing using Cloud Router

正解：A 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

出題：19

Your company's logo is published as an image file across multiple websites that are hosted by your company You have implemented Cloud CDN, however, you want to improve the performance of the cache hit ratio associated with this image file. What should you do?

A. Configure the default time to live (TTL) as O for the image file.

B. Configure custom cache keys for the backend service that holds the image file, and clear the Host and Protocol checkboxes-

C. Configure versioned IJRLs for each domain to serve users the *mage file before the cache entry expires

D. Configure Cloud Storage as a custom origin backend to host the image file, and select multi-region as the location type

正解：B 解答を投票する

解説: (GoShiken メンバーにのみ表示されます)

Professional-Cloud-Network-Engineer試験無料問題集「Google Cloud Certified - Professional Cloud Network Engineer 認定」