
[Updated 2022] Google Professional-Cloud-Network-Engineer practice test questions and exam question bank you can pass with
High pass rate Professional-Cloud-Network-Engineer question bank with answers: Professional-Cloud-Network-Engineer questions and correct answers
Google Professional-Cloud-Network-Engineer certification exam scope:
| Topic | Exam scope |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
| Topic 5 | |
| Topic 6 | |
| Topic 7 | |
Question 17
You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?
- A. Create an explicit Deny Any rule and enable logging on the new rule.
- B. Enable logging on the default Deny Any Firewall Rule.
- C. Enable logging on the VM Instances that receive traffic.
- D. Create a logging sink forwarding all firewall logs with no filters.
Correct answer: C
Question 18
You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command.
Which next hop should you choose?
- A. The name and region of the Cloud VPN tunnel
- B. The IP address of the Cloud VPN gateway
- C. The IP address of the instance on the remote side of the VPN tunnel
- D. The default internet gateway
Correct answer: A
Explanation:
Reference:
https://cloud.google.com/vpn/docs/how-to/creating-static-vpns
Question 19
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)
- A. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
- B. Turn on Private Services Access at the VPC level.
- C. Turn on Private Google Access at the subnet level.
- D. Turn on Private Google Access at the VPC level.
- E. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
Correct answer: A,B
Explanation:
https://cloud.google.com/vpc/docs/private-access-options
Question 20
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?
- A. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
- B. Assign members of the networking team the compute.networkUser role.
- C. Assign members of the networking team the compute.networkAdmin role.
- D. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
Correct answer: C
Explanation:
Reference: https://cloud.google.com/compute/docs/access/iam
Question 21
Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?
- A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
- B. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
- C. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
- D. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
Correct answer: A
Explanation:
Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.
With Shared VPC and IAM controls, you can separate network administration from project administration. This separation helps you implement the principle of least privilege. For example, a centralized network team can administer the network without having any permissions into the participating projects. Similarly, the project admins can manage their project resources without any permissions to manipulate the shared network.
Question 22
You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 services. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption.
How should you design this topology?
- A. Create a subnet of size /25 with 2 secondary ranges: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
- B. Use gcloud container clusters create [CLUSTER NAME] --enable-ip-alias to create a VPC-native cluster.
- C. Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.
- D. Create a subnet of size /28 with 2 secondary ranges: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.
Correct answer: A
Explanation:
The service range setting is permanent and cannot be changed. Please see https://stackoverflow.com/questions/60957040/how-to-increase-the-service-address-range-of-a-gke-cluster I think the correct answer is A since: growth is expected up to 100 nodes (that would be /25), then up to 200 pods per node (100 times 200 = 20000, so /17 is 32768), then 1500 services in a /21 (up to 2048).
https://docs.netgate.com/pfsense/en/latest/book/network/understanding-cidr-subnet-mask-notation.html
Question 23
Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.
What should you do?
- A. Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.
- B. Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.
- C. Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.
- D. Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.
Correct answer: A
Explanation:
The global load balancer will proxy the connection, thus there is no trace of the session origin IP. You should use Cloud Armor to geofence your service.
https://cloud.google.com/load-balancing/docs/https
Question 24
You are creating an instance group and need to create a new health check for HTTP(s) load balancing.
Which two methods can you use to accomplish this? (Choose two.)
- A. Create a new health check using the gcloud command line tool.
- B. Create a new legacy health check using the Health checks section in the GCP Console.
- C. Create a new legacy health check using the gcloud command line tool.
- D. Create a new health check using the VPC Network section in the GCP Console.
- E. Create a new health check, or select an existing one, when you complete the load balancer's backend configuration in the GCP Console.
Correct answer: A,B
Explanation:
Reference:
https://cloud.google.com/load-balancing/docs/health-checks
Question 25
You want to create a service in GCP using IPv6.
What should you do?
- A. Create the instance with the designated IPv6 address.
- B. Configure an internal load balancer with the designated IPv6 address.
- C. Configure a global load balancer with the designated IPv6 address.
- D. Configure a TCP Proxy with the designated IPv6 address.
Correct answer: D
Question 26
You work for a multinational enterprise that is moving to GCP.
These are the cloud requirements:
* An on-premises data center located in the United States in Oregon and New York with Dedicated Interconnects connected to Cloud regions us-west1 (primary HQ) and us-east4 (backup)
* Multiple regional offices in Europe and APAC
* Regional data processing is required in europe-west1 and australia-southeast1
* Centralized Network Administration Team
Your security and compliance team requires a virtual inline security appliance to perform L7 inspection for URL filtering. You want to deploy the appliance in us-west1.
What should you do?
- A.
  * Create 1 VPC in a Shared VPC Service Project.
  * Configure a 2-NIC instance in zone us-west1-a in the Service Project.
  * Attach NIC0 in us-west1 subnet of the Service Project.
  * Attach NIC1 in us-west1 subnet of the Service Project.
  * Deploy the instance.
  * Configure the necessary routes and firewall rules to pass traffic through the instance.
- B.
  * Create 1 VPC in a Shared VPC Host Project.
  * Configure a 2-NIC instance in zone us-west1-a in the Host Project.
  * Attach NIC0 in us-west1 subnet of the Host Project.
  * Attach NIC1 in us-west1 subnet of the Host Project.
  * Deploy the instance.
  * Configure the necessary routes and firewall rules to pass traffic through the instance.
- C.
  * Create 2 VPCs in a Shared VPC Host Project.
  * Configure a 2-NIC instance in zone us-west1-a in the Service Project.
  * Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.
  * Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.
  * Deploy the instance.
  * Configure the necessary routes and firewall rules to pass traffic through the instance.
- D.
  * Create 2 VPCs in a Shared VPC Host Project.
  * Configure a 2-NIC instance in zone us-west1-a in the Host Project.
  * Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.
  * Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.
  * Deploy the instance.
  * Configure the necessary routes and firewall rules to pass traffic through the instance.
Correct answer: D
Question 27
You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?
- A. Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.
- B. Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.
- C. Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.
- D. Manually patch some of the instances, and then perform a rolling restart on the instance group.
Correct answer: C
Explanation:
Reference: https://cloud.google.com/compute/docs/instance-groups/creating-groups-of-managed-instances
Question 28
You are using the gcloud command line tool to create a new custom role in a project by copying a predefined role. You receive this error message:
INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid
What should you do?
- A. Remove the resourcemanager.projects.list permission, and try again.
- B. Add the resourcemanager.projects.setIamPolicy permission, and try again.
- C. Try again with a different role with a new name but the same permissions.
- D. Add the resourcemanager.projects.get permission, and try again.
Correct answer: A
Explanation:
Reference: https://cloud.google.com/iam/docs/understanding-custom-roles
Question 29
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.
Which two products should you incorporate into the solution? (Choose two.)
- A. Stackdriver Trace
- B. Firewall logs
- C. Compute Engine instance system logs
- D. VPC flow logs
- E. Cloud Audit logs
Correct answer: A,E
Question 30
You are migrating to Cloud DNS and want to import your BIND zone file.
Which command should you use?
- A. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
- B. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
- C. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED_ZONE
- D. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
Correct answer: B
Explanation:
Once you have the exported file from your other provider, you can use the gcloud dns record-sets import command to import it into your managed zone.
To import record sets, you use the dns record-sets import command. The --zone-file-format flag tells import to expect a BIND zone-formatted file. If you omit this flag, import expects a YAML-formatted records file.
Reference: https://medium.com/@prashantapaudel/gcp-certification-series-2-4-planning-and-configuring-network-resources-8045ac2cc2ac
Question 31
In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost.
Which two steps should you take? (Choose two.)
- A. Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
- B. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
- C. Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
- D. Enable Shared VPC in one project (e.g., code-dev), and make the second project (e.g., data-dev) a service project.
- E. Connect both projects using Cloud VPN.
Correct answer: B,C
Question 32
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods.
In one of your instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?
- A. Create a route to reach the Master, pointing to the default internet gateway.
- B. Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
- C. Create the appropriate master authorized network entries to allow the instance to communicate to the master.
- D. Assign a public IP address to the instance.
Correct answer: B
Question 33
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.
How should you configure the health check?
- A. Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
- B. Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
- C. Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.
- D. Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.
Correct answer: B
Explanation:
https://cloud.google.com/load-balancing/docs/health-checks
Question 34
You have a storage bucket that contains the following objects:
- folder-a/image-a-1.jpg
- folder-a/image-a-2.jpg
- folder-b/image-b-1.jpg
- folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?
- A. Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.
- B. Issue a cache invalidation command with pattern /folder-a/*.
- C. Make sure that all the objects with prefix folder-a are not shared publicly.
- D. Add an appropriate lifecycle rule on the storage bucket.
Correct answer: B
Explanation:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html
Question 35
......
Professional-Cloud-Network-Engineer certification exam question guide with answers, from the practice specialist GoShiken: https://www.goshiken.com/Google/Professional-Cloud-Network-Engineer-mondaishu.html
The best Google Cloud Platform study exam question guide for the Professional-Cloud-Network-Engineer exam: https://drive.google.com/open?id=1tIoAsFqH-dlIy7-r4v4tzj9jcfRg7k2P