As a Google Cloud Certified Professional Network Engineer, you will be responsible for managing cloud networks in a large enterprise environment. This two hours network engineer exam validates your skills to build network architectures for scalable Google cloud implementation.
While Preparing for a network engineer Exam you must focus on building the following skills
- Design, plan, and prototype a Google Cloud network
- Implement Virtual Private Cloud (VPC) instances
- Configure network services
- Implement hybrid interconnectivity
- Manage, monitor, and optimize network operations
This is an intermediate-level exam and we recommend that you have a working knowledge of Networking on Google cloud. Google suggests a minimum of 1 year of experience in the GCP environment. These 25 questions offer you a glimpse of how a real exam would look like, however before booking the exam slot, you should practice further with a good Network Engineer practice exam.
Google Cloud Certified Professional Network Engineer Exam Questions
Designing, planning, and prototyping a GCP network
Q 1. The design of an application, which was running on a single GCE instance, has evolved with a new requirement that it has to be high availability and low latency performance to end-users.
Which of the following solutions best solve this?
A. Instance group, Network load balancer, and Cloud CDN.
B. Instance group, HTTP(s) load balancer, and Cloud CDN.
C. Instance group, SSL Proxy load balancer, and Cloud CDN.
D. Instance group, HTTP(S) load balancer, and Cloud Armor.
Answer: B
Option A is incorrect
Option B is correct, this is the only load balancer that can be paired with Cloud CDN
Option C is incorrect
Option D is incorrect because Cloud Armor is used for defense against DoS and web attacks.
Q 2. Which of the following allows GCE instances to access Cloud Storage & BigQuery, without external IP addresses? Choose two.
A. Cloud NAT.
B. Private Google Access.
C. Google Services Access
D. Google Private Access for on-premises hosts.
Answer: A & B
Options A & B are correct because they provide access to Google APIs with external IPs, for GCE instances with no external IPs in GCP subnets.
Option C is incorrect as this is used to access services like Cloud SQL which have private IPs
Option D is incorrect, this is used for on-premises to access Google APIs.
Q 3. In your company’s VPC there are several subnets with instances. You have been asked to configure the routes so that internet-bound traffic from all instances in that VPC used by the developers is routed to an appliance for checks. All firewall rules have been created and work perfectly.
How would you achieve this? Choose two.
A. Firewalls.
B. Tags.
C. Routes
D. Cloud Router.
Answer: B and C
Option A is incorrect because it is stated that firewall rules have been tested and work fine.
Options B and C is the right answer, assigning tags to the instances used by the developers and creating a new custom route for internet-bound traffic with a higher priority and a next-hop as the instance with the appliance installed.
Option D is incorrect because this is used for hybrid connectivity.
Q 4. You are the network engineer for a large corporation using GCP. They have designed an external-facing streaming application running on three GCE instances that are widely used by thousands of users in the country. The application is been moved from standalone GCE instances to a managed instance group to leverage auto-scaling.
You are required to choose a load balancer for the application that preserves source IP and supports UDP. Which Load balancer type supports the use case?
A. External HTTP(S) load balancer.
B. SSL Proxy load balancer
C. External Network load balancer
D. Internal TCP/UDP load balancer
Answer: C
Option A is incorrect because this load balancer type doesn’t support UDP or preserve source IP.
Option B is incorrect, this load balance does not support UDP or preserve source IP.
Option C is correct, this load balancer meets all the requirements
Option D is incorrect, this load balancer is not for external-facing applications
Implementing a GCP Virtual Private Cloud (VPC)
Q 5. You have been asked to restrict the communications between pods and services such that you can determine which pods are allowed to communicate with one another in your GKE cluster.
Which of the following can be used to achieve this?
A. Network Policy.
B. Ingress.
C. master authorised networks.
D. firewall rules.
Answer: A
Option A is correct, this is how to restrict pod communications in GKE
Option B is incorrect, ingress is used to expose services externally via an HTTPS Load balancing.
Option C is incorrect, Enable master authorized networks is used to block untrusted non- GCP source IPs from accessing the Kubernetes master through HTTPS
Options D is incorrect, this does not apply to inter-pods communications
Q 6. You have been asked to configure logging on Cloud NAT to show the successful connections from the VMs to the internet. Which of the following are the two types of logs that Cloud NAT sends to Cloud Logging?
A. Translation logs.
B. Connection logs.
C. Errors logs.
D. NAT logs
Answer: A & C
Option A is correct this shows VMs that initiates a connection that is successfully allocated to a NAT IP and port and traverses to the internet.
Option B is incorrect, this is not an option for Cloud NAT logging.
Option C is correct, it shows details of when the NAT gateway can’t allocate a NAT IP and port due to port exhaustion.
Option D is incorrect, this is not an option for Cloud NAT logging.
Q 7. There is a requirement to design a GCP routes-based GKE Cluster with four nodes. The nodes are expected to have the maximum number of pods allowed. Given the above configuration, what is the maximum number of pods the cluster will have and what CIDR blocks would you recommend for the cluster’s pod address range?
A. 1024 pods and /22.
B. 1008 pods and /22.
C. 440 pods and /22.
D. 440 pods and /23.
Answer: C
Options A, B are incorrect because the maximum number of pods on each node is 110, therefore a total of 440 pods is expected.
Option C is correct. The maximum number of pods on each node is 110, therefore a total of 440 pods is expected, also because it is a route-based cluster, GKE assigns a /24 to each node (256 addresses) so the design for the cluster needs a /22 (1024 == 256*4 addresses)
Option D is incorrect, the /23 CIDR range gives 512 addresses i.e two /24 CIDR blocks so it is insufficient.
Configuring network services
Q 8. You manage an application that is growing in popularity. It is currently deployed behind an HTTP(S) load balance in a Managed Instance Group. You have been asked to consider using a content distribution network to improve the performance of the app which has a lot of streaming content.
What is the default time-to-live (TTL) for content caching in Cloud CDN cache?
A. 300 seconds
B. 3000 seconds
C. 1800 seconds
D. 3600 seconds
Answer: D
Options A, B & C are incorrect.
Options D is correct. The default time-to-live (TTL) for content caching is 3600 seconds (1 hour).
Q 9. Your team is responsible for configuring the backend services for a HTTP(S) Load Balancer which has a managed instance group as the backend. The servers are located in the London, but users are expected to connect to the application globally.
Which of the following services provide a cost-effective way to increase performance and lower latency for users by reducing the traffic going to the instances?
A. Create managed instance groups in various regions and attach to the HTTP(S) load balancing
B. Cloud Armor policies to allow traffic from all IP globally
C. Turn on Cloud CDN to cache information closer to users
D. Turn on caching on the HTTP(S) load balancer
Answer: C
Option A is incorrect, this is not a cost-effective way as deploying more instances will incur costs.
Option B is incorrect. This cannot be used for improving performance, it is used for edge security.
Option C is correct.
Option D is incorrect, the HTTP(S) load balancer does not have this capability.
Q 10. As the Network engineer in your company, you have need to configure DNS security (DNSSEC), for your domain which is hosted outside GCP, on your Cloud DNS zone. What two steps need to be carried out?
A. Enable DNSSEC with your domain registrar.
B. Enable DNSSEC in Cloud DNS zone.
C. Enable DNSSEC in Cloud Armor.
D. Enable DNSSEC on Cloud CDN.
Answer: A & B
Options A & B are correct, you need to enable DNSSEC on your Cloud DNS zone and also at your domain registrar.
Options C & D are incorrect because there have nothing to do with DNSSEC.
Q 11. Your team manages the networking resources for an application both on GCP and the on-premises network. The company is decided on having all DNS resolution, in GCP and the on-premises, for its private hosted zone handled by the on-premises DNS server.
Which of the following is not needed for this approach to work?
A. Hybrid connectivity
B. Firewall rules
C. DNS forwarding
D. Endpoints
Answer: D
Option A, B & C are incorrect, these are needed for DNS resolution between GCP and the on-premises DNS server.
Option D is incorrect, this is not needed.
Implementing hybrid interconnectivity
Q 12. Which network standard is used to enable dynamic routes discovery for private RFC 1918 communications between GCP and a non-GCP network?
A. Remote Desktop Protocol (RDP)
B. Border Gateway Protocol (BGP).
C. Secure Shell (SSH).
D. RFC 1918
Answer: B
Options A is incorrect, RDP allows remote users to see and use Windows on a device in another location.
Option B is correct, BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS), i.e. GCP and your on- premises network, on the Internet.
Option C is incorrect, because Secure Shell, is a remote administration protocol that allows users to control and modify their remote servers over the Internet
Options D is incorrect because RFC1918 describes a set of network IP ranges set aside for so-called “private” use.
Q 13. Hybrid connectivity has been set up between GCP and on-premises networks using Cloud VPN. They need to increase the throughput of the connection, which of the following configurations give the highest throughput and redundancy?
A. Two Cloud VPN gateways and two tunnels each
B. Two Cloud VPN gateways and one tunnel each
C. Single Cloud VPN gateways and three tunnels
D. Single Cloud VPN gateway and two tunnels each.
Answer: A
Option A is correct, this provides four tunnels between GCP and the on-premises network. This gives a maximum throughput of 12 Gbps (3 Gbps per tunnel) and redundancy on both sides.
Option B is incorrect, this does not give the maximum throughput
Option C is incorrect, this does not give the maximum throughput and there is no redundancy on GCP’s end.
Options D is incorrect, this does not give the maximum throughput and there is no redundancy on GCP’s end
Q 14. An organization is considering using Cloud VPN as hybrid connectivity between GCP and its on-premises network. The on-premises VPN router does not support Border Gateway Protocol (BGP).
Which of the following are the possible static routing options in Classic Cloud VPN that the company can use?
A. Policy-based
B. Dynamic
C. Route-based
D. Region-based
Answer: A & C
Option A and C is correct, this are the possible routing options in Cloud VPN that does not require BGP.
Option B is incorrect, this requires BGP.
Option D is incorrect, this is not a type of routing option in Cloud VPN.
Q 15. Your company has a Dedicated Interconnect as the hybrid connectivity between its VPC, with default dynamic routing, and the on-premises network. A single Cloud Router is used to dynamically exchange routes between both networks. The GCP VPC has one subnet with resources deployed. You have been asked to improve the availability of the Cloud Router in case of a region-wide failure.
Which of these will improve the current availability of the Cloud Router?
A. Configure a static route to the Interconnect as a backup for the Cloud Router
B. Create another Cloud Router in a different region and switch to a global dynamic routing mode in the VPC.
C. Create another Cloud Router in the same region and switch to a global dynamic routing mode in the VPC.
D. Create another Cloud Router in the same region and configure it to exchange routes with a second on-premises device.
Answer: B
Option A is incorrect, Interconnect only supports dynamic routing using BGP.
Option B is correct, a second Cloud Router in a different region can learn of other region’s routes when global routing is turned on.
Option C is incorrect, this does not protect Cloud Router from a region-wide disaster.
Option D is incorrect, this does not protect Cloud Router from a region-wide disaster and a second on-premises device does not improve the availability of Cloud Router.
Q 16. As the network engineer on a GCP hybrid connectivity project, which of the following is not a technical requirement in your on-premises devices to create a 10 Gbps GCP Dedicated Interconnect connection?
A. Single-mode Fiber
B. 802.1Q VLANs
C. Border Gateway Protocol (BGP)
D. Open Shortest Path First (OSPF)
Answer: D
Option A, B and C are incorrect, they are the technical requirements of the on-premises device at the co-location facility.
Option D is correct because Dedicated Interconnect uses BGP.
Q 17. Your company has tasked you with setting up a VPN connection from GCP to the on-premises network. You are leveraging Cloud HA VPN on the GCP end and will have to buy a new VPN termination device for the on-premises network. Which of the following must be supported on the hardware chosen to be deployed in the on-premises network for VPN termination? Choose two.
A. 802.1Q encapsulation standard
B. SSL protocol
C. IPsec protocol
D. BGP routing protocol
Answer: C and D
Options A and B are incorrect, they are not used in VPN termination.
Options C & D are correct because Cloud HA VPN uses BGP to dynamically exchange routes with the on-premises network and it uses IPsec to encrypt the tunnels.
Q 18. You have been asked to suggest a hybrid connectivity option between GCP VPC and the on-premises network which offers a range of bandwidth between 100 Mbps to 5 Gbps and doesn’t require the company to install and maintain routing equipment in a colocation facility.
Which of these connectivity options meets the requirements?
A. Cloud VPN
B. Dedicated Interconnect
C. Partner Interconnect
D. Cloud Peering
Answer: C
Options A & B are incorrect because Cloud VPN has a max bandwidth of 3 Gbps and the bandwidths on Dedicated Interconnect is either in increments of 10 Gbps or 100 Gbps.
Option C is correct, this does not require the company to manage a device at the co-location facility and offers bandwidths from 50 Mbps to 50 Gbps.
Option D is incorrect, this is not used to connect to GCP VPC.
Managing and monitoring network operations
Q 19. Your team has launched a number of GCE instances into a GCP VPC. The security team needs to be able to review the logs of all traffic to and from instances in the network. Which of the following will provide the needed logs? Choose two.
A. Cloud Audit logs.
B. Load Balancer logs
C. Firewall logs.
D. VPC Flow logs.
Answer: C & D
Option A is incorrect because Cloud Audit logs give visibility into user actions on GCP who did what, when and where.
Option B is incorrect because this provides information on the traffic to and from the load balancer
Option C is correct because this shows traffic (allowed or denied) that has matched a firewall rule
Option D is correct because this captures samples of the traffic flowing in and out of the subnet.
Optimizing network resources
Q 20. As the network engineer, you are tasked with automating the repeatability of certain actions in GCP such as the creation of VPC, Cloud Buckets, and Cloud VPN connections.
Which of the following services can you leverage?
A. Cloud Run.
B. Cloud Functions.
C. Cloud Deployment Manager.
D. Cloud Console.
Answer: C
Options A is incorrect, it is a managed compute platform that enables you to run stateless containers that are invocable via web requests or Pub/Sub events.
Option B is incorrect, it is a lightweight compute solution for developers to create single- purpose, stand-alone functions that respond to cloud events without the need to manage a server or runtime environment.
Option C is correct, it allows you to specify all the resources needed for your application in a declarative format using yaml.
Option D is incorrect, this does not allow for automating repeatability.
Q 21. As the network engineer for a firm considering using Cloud VPN for connectivity between GCP and its on-premises network. What is the recommended Maximum Transmission Unit (bytes) to be configured on your peer VPN gateway?
A. 1500
B. 1530
C. 1460
D. 1490.
Answer: C
Option A, B and D are incorrect, the MTU must not be greater than 1460 bytes.
Option C is correct.
Q 22. You are tasked with copying over a large number of small files from the on-premises network (my-ntk-folder) to GCP Cloud Storage (my-gcp-bucket). Which of the following commands optimizes the transfer time?
A. gcloud -m cp -r /my-ntk-folder gs://my-gcp-bucket
B. gsutil cp –r /my-ntk-folder gs://my-gcp-bucket.
C. gcloud cp -r /my-ntk-folder gs://my-gcp-bucket.
D. gsutil –m cp -r /my-ntk-folder gs://my-gcp-bucket
Answer: D
Options A and C are incorrect, the gsutil tool is used to interact with Cloud Storage from the CLI.
Option B is incorrect because it does not use the multi-threading option (–m) for copying multiple files at the same time
Option D is correct because it uses the multi-threading option (–m) for copying multiple files at the same time along with performing recursive directory copies, object names are constructed to mirror the source directory structure starting at the point of recursive processing
Q 23. A company that has a GCP project with 10 custom GCP networks has subnets in multiple regions. There is a requirement to that all instances be made private and access the internet through the third-party firewall. You are in the process of creating the multi-NIC GCE instance to be used as the next hop in the custom route to be created for the networks.
What is the maximum number of NICs that can be attached to a GCE instance?
A. 7
B. 8
C. 9
D. 10
Answer: B
Options A, C and D are incorrect, the maximum number of NICs per instance is 8
Option B is correct
Q 24. A growing firm has opted to use Cloud CDN with its HTTP(S) load balancer to protect its applications from DDoS attacks. You have been requested to create the Cloud Armor security policies.
Which of the following can not be policies be based on?
A. Allow or deny traffic based on IP addresses or ranges
B. Allow or deny traffic based on rules expressions
C. Allow or deny traffic based on country
D. Allow or deny traffic based on traffic type
Answer: D
The policy can be created on the basis of
- Expression matches against requests from the IP address 1.2.3.4 and contains the string Godzilla in the user-agent header:
- Expression matches against requests that have a cookie with a specific value
- Expression matches against requests from the region AU, US, etc.
- Expression matches against requests from the region AU that are not in the specified IP range
- Expression matches against requests if the URI matches a regular expression
- Expression matches against requests if the Base64 decoded value of the user-id the header contains a specific value
- The expression uses a preconfigured expression set to match against SQLi attacks
Options A, B, and C are incorrect because the question is asking which one we can not create policy.
Q 25. As the GCP network engineer for a growing organization. You have been asked to design an Identity and Access system for the company’s over five thousand staff that will be using the new GCP platform for development and deployment.
Which of the following is the most efficient way of assigning permissions and follows the principle of least privilege? Choose two.
A. Google Accounts
B. Pre-defined roles
C. Custom roles
D. Google groups
Answer: C & D
Option A is incorrect, this is not an efficient way of managing five thousand users
Option B is incorrect, this type of role always have more permissions than might be needed hence does not follow the principle of least privilege
Option C is correct, this type of role is designed to have only the needed permissions.
Option D is correct, this is the easiest way to manage lots of users
Conclusion
How is your experience attempting the above 25 GCP network Engineer questions? Some questions may be tough for you if you have not worked in a Google cloud environment in the past. Whizlabs has a suite of Google cloud labs in case you need to practice more in a demo environment. When you take the actual exam we always recommend that you take a good network engineer practice exam and understand your weak and strong areas clearly.
Reference Links:
- https://cloud.google.com/certification/cloud-network-engineer
- https://cloud.google.com/cdn/docs/best-practices
- https://cloud.google.com/dns/docs/dnssec
- 25 Free Questions – Certificate of Cloud Security Knowledge V.4 - December 13, 2021
- 25 Free Questions on PL-900 Exam Certification - December 3, 2021
- 50 Free Terraform Certification Exam Questions - December 2, 2021
- 25 Free Questions – GCP Certified Professional Cloud Network Engineer - December 2, 2021
- 25 Free Questions – Microsoft Power BI PL-300 (DA-100) Certification - December 2, 2021
- 25 Free Questions – Google Cloud Developer Certification Exam - November 30, 2021
- 25 Free Questions – Google Cloud Certified Professional Security Engineer - November 30, 2021
- 25 Free Questions – Google Cloud Certified Professional Machine Learning Engineer - November 30, 2021