Chat with AI
Deck 15: Professional Cloud Network Engineer
Full screen (f)
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/57
Play
Full screen (f)
Deck 15: Professional Cloud Network Engineer
1
You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 services. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption. How should you design this topology?
A) Create a subnet of size/25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
B) Create a subnet of size/28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.
C) Use gcloud container clusters create [CLUSTER NAME]--enable-ip-alias to create a VPC-native cluster. Use gcloud container clusters create [CLUSTER NAME]--enable-ip-alias to create a VPC-native cluster.
D) Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster. gcloud container clusters create [CLUSTER NAME]
A) Create a subnet of size/25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
B) Create a subnet of size/28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.
C) Use gcloud container clusters create [CLUSTER NAME]--enable-ip-alias to create a VPC-native cluster. Use gcloud container clusters create [CLUSTER NAME]--enable-ip-alias to create a VPC-native cluster.
D) Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster. gcloud container clusters create [CLUSTER NAME]
Create a subnet of size/28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.
2
You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT. What is the most likely cause of this problem?
A) The instance has been configured with multiple interfaces.
B) An external IP address has been configured on the instance.
C) You have created static routes that use RFC1918 ranges.
D) The instance is accessible by a load balancer external IP address.
A) The instance has been configured with multiple interfaces.
B) An external IP address has been configured on the instance.
C) You have created static routes that use RFC1918 ranges.
D) The instance is accessible by a load balancer external IP address.
An external IP address has been configured on the instance.
3
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency. What should you do?
A) Configure a policy-based route rule to prioritize the traffic.
B) Configure an HTTP load balancer, and direct the traffic to it.
C) Configure Dynamic Routing for the subnet hosting the application.
D) Configure the TTL for the DNS zone to decrease the time between updates.
A) Configure a policy-based route rule to prioritize the traffic.
B) Configure an HTTP load balancer, and direct the traffic to it.
C) Configure Dynamic Routing for the subnet hosting the application.
D) Configure the TTL for the DNS zone to decrease the time between updates.
Configure an HTTP load balancer, and direct the traffic to it.
4
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall. Which two actions should you take? (Choose two.)
A) Turn on Private Google Access at the subnet level.
B) Turn on Private Google Access at the VPC level.
C) Turn on Private Services Access at the VPC level.
D) Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
E) Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
A) Turn on Private Google Access at the subnet level.
B) Turn on Private Google Access at the VPC level.
C) Turn on Private Services Access at the VPC level.
D) Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
E) Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
5
Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users. What should you do?
A) Create a Cloud Armor Policy rule that denies traffic and review necessary logs.
B) Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.
C) Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.
D) Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.
A) Create a Cloud Armor Policy rule that denies traffic and review necessary logs.
B) Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.
C) Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.
D) Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
6
You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection. What should you do on your on-premises servers?
A) Tune TCP parameters on the on-premises servers.
B) Compress files using utilities like tar to reduce the size of data being sent.
C) Remove the -m flag from the gsutil command to enable single-threaded transfers.
D) Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME]. Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].
A) Tune TCP parameters on the on-premises servers.
B) Compress files using utilities like tar to reduce the size of data being sent.
C) Remove the -m flag from the gsutil command to enable single-threaded transfers.
D) Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME]. Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
7
You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices. How should you design this topology?
A) Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.
B) Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
C) Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
D) Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.
A) Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.
B) Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
C) Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
D) Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
8
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs. Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)
A) VPC peering
B) Shared VPC
C) Cloud VPN
D) Dedicated Interconnect
E) Cloud NAT
A) VPC peering
B) Shared VPC
C) Cloud VPN
D) Dedicated Interconnect
E) Cloud NAT
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
9
You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect. What should you do?
A) Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
B) Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
C) Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
D) Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.
A) Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
B) Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
C) Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
D) Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
10
You converted an auto mode VPC network to custom mode. Since the conversion, some of your Cloud Deployment Manager templates are no longer working. You want to resolve the problem. What should you do?
A) Apply an additional IAM role to the Google API's service account to allow custom mode networks.
B) Update the VPC firewall to allow the Cloud Deployment Manager to access the custom mode networks.
C) Explicitly reference the custom mode networks in the Cloud Armor whitelist.
D) Explicitly reference the custom mode networks in the Deployment Manager templates.
A) Apply an additional IAM role to the Google API's service account to allow custom mode networks.
B) Update the VPC firewall to allow the Cloud Deployment Manager to access the custom mode networks.
C) Explicitly reference the custom mode networks in the Cloud Armor whitelist.
D) Explicitly reference the custom mode networks in the Deployment Manager templates.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
11
Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates. Which Google Cloud load balancer should you use?
A) SSL proxy load balancer
B) Network load balancer
C) HTTPS load balancer
D) TCP proxy load balancer
A) SSL proxy load balancer
B) Network load balancer
C) HTTPS load balancer
D) TCP proxy load balancer
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
12
Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead. How should you design the topology?
A) Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
B) Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
C) Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
D) Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
A) Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
B) Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
C) Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
D) Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
13
You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection. Which two actions can accomplish this? (Choose two.)
A) Open a Cloud Support ticket under the Cloud Interconnect category.
B) Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.
C) Run gcloud compute interconnects describe . Run gcloud compute interconnects describe .
D) Check the email for the account of the NOC contact that you specified during the ordering process.
E) Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.
A) Open a Cloud Support ticket under the Cloud Interconnect category.
B) Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.
C) Run gcloud compute interconnects describe
D) Check the email for the account of the NOC contact that you specified during the ordering process.
E) Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
14
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance. What should you do?
A) Open the Cloud Shell SSH into the instance using gcloud compute ssh. Open the Cloud Shell SSH into the instance using gcloud compute ssh.
B) Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
C) Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
D) Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
A) Open the Cloud Shell SSH into the instance using gcloud compute ssh. Open the Cloud Shell SSH into the instance using gcloud compute ssh.
B) Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
C) Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
D) Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
15
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired. During troubleshooting you find: • Each on-premises router is configured with a unique ASN.
• Each on-premises router is configured with the same routes and priorities.
• Both on-premises routers are configured with a VPN connected to a single Cloud Router.
• BGP sessions are established between both on-premises routers and the Cloud Router.
• Only 1 of the on-premises router's routes are being added to the routing table. What is the most likely cause of this problem?
A) The on-premises routers are configured with the same routes.
B) A firewall is blocking the traffic across the second VPN connection.
C) You do not have a load balancer to load-balance the network traffic.
D) The ASNs being used on the on-premises routers are different.
• Each on-premises router is configured with the same routes and priorities.
• Both on-premises routers are configured with a VPN connected to a single Cloud Router.
• BGP sessions are established between both on-premises routers and the Cloud Router.
• Only 1 of the on-premises router's routes are being added to the routing table. What is the most likely cause of this problem?
A) The on-premises routers are configured with the same routes.
B) A firewall is blocking the traffic across the second VPN connection.
C) You do not have a load balancer to load-balance the network traffic.
D) The ASNs being used on the on-premises routers are different.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
16
You are adding steps to a working automation that uses a service account to authenticate. You need to drive the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible. What should you do?
A) Grant the compute.instanceAdmin to your user account. Grant the compute.instanceAdmin to your user account.
B) Grant the iam.serviceAccountUser to your user account. iam.serviceAccountUser
C) Grant the read-only privilege to the service account for the Cloud Storage bucket. read-only privilege to the service account for the Cloud Storage bucket.
D) Grant the cloud-platform privilege to the service account for the Cloud Storage bucket. cloud-platform
A) Grant the compute.instanceAdmin to your user account. Grant the compute.instanceAdmin to your user account.
B) Grant the iam.serviceAccountUser to your user account. iam.serviceAccountUser
C) Grant the read-only privilege to the service account for the Cloud Storage bucket. read-only privilege to the service account for the Cloud Storage bucket.
D) Grant the cloud-platform privilege to the service account for the Cloud Storage bucket. cloud-platform
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
17
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary. Which level of permissions should you request?
A) Security Admin privileges from the Shared VPC Admin.
B) Service Project Admin privileges from the Shared VPC Admin.
C) Shared VPC Admin privileges from the Organization Admin.
D) Organization Admin privileges from the Organization Admin.
A) Security Admin privileges from the Shared VPC Admin.
B) Service Project Admin privileges from the Shared VPC Admin.
C) Shared VPC Admin privileges from the Organization Admin.
D) Organization Admin privileges from the Organization Admin.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
18
Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency. How should you design this topology?
A) Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.
B) Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.
C) Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.
D) Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.
A) Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.
B) Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.
C) Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.
D) Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
19
You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed. During troubleshooting you find: • Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
• The subnetwork logs are not excluded from Stackdriver.
• The instance that is hosting the application can communicate outside the subnet.
• Other instances within the subnet can communicate outside the subnet.
• The external resource initiates communication. What is the most likely cause of the missing log lines?
A) The traffic is matching the expected ingress rule.
B) The traffic is matching the expected egress rule.
C) The traffic is not matching the expected ingress rule.
D) The traffic is not matching the expected egress rule.
• The subnetwork logs are not excluded from Stackdriver.
• The instance that is hosting the application can communicate outside the subnet.
• Other instances within the subnet can communicate outside the subnet.
• The external resource initiates communication. What is the most likely cause of the missing log lines?
A) The traffic is matching the expected ingress rule.
B) The traffic is matching the expected egress rule.
C) The traffic is not matching the expected ingress rule.
D) The traffic is not matching the expected egress rule.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
20
You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC. How should you configure the Distribution VPC?
A) Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.
B) Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.
C) Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.
D) Rename the default VPC as "Distribution" and peer it via network peering.
A) Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.
B) Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.
C) Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.
D) Rename the default VPC as "Distribution" and peer it via network peering.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
21
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic. What should you do?
A) Check the VPC flow logs for the instance.
B) Try connecting to the instance via SSH, and check the logs.
C) Create a new firewall rule to allow traffic from port 22, and enable logs.
D) Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.
A) Check the VPC flow logs for the instance.
B) Try connecting to the instance via SSH, and check the logs.
C) Create a new firewall rule to allow traffic from port 22, and enable logs.
D) Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
22
You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy. Which GKE resource should you use?
A) GKE Node
B) GKE Pod
C) GKE Cluster
D) GKE Ingress
A) GKE Node
B) GKE Pod
C) GKE Cluster
D) GKE Ingress
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
23
You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale. How should you provision your instances?
A) Create a single managed instance group, specify the desired region, and select Multiple zones for the location.
B) Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.
C) Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.
D) Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.
A) Create a single managed instance group, specify the desired region, and select Multiple zones for the location.
B) Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.
C) Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.
D) Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
24
You are migrating to Cloud DNS and want to import your BIND zone file. Which command should you use?
A) gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
B) gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
C) gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
D) gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED_ZONE
A) gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
B) gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
C) gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
D) gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED_ZONE
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
25
In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet. What should you do?
A) Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
B) Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.
C) Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.
D) Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.
A) Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
B) Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.
C) Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.
D) Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
26
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member. Which two methods can you use to accomplish this? (Choose two.)
A) GetIamPolicy() via REST API
B) setIamPolicy() via REST API
C) gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor
D) gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor
E) Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
A) GetIamPolicy() via REST API
B) setIamPolicy() via REST API
C) gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor
D) gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor
E) Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
27
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly. How should you configure the health check?
A) Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1 . Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1 .
B) Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check. request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
C) Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body. response to a string that the backend service will always return in the response body.
D) Set proxy-header to the default value, and set host to include a custom host header that identifies the health check. proxy-header to the default value, and set
A) Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1 . Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1 .
B) Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check. request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
C) Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body. response to a string that the backend service will always return in the response body.
D) Set proxy-header to the default value, and set host to include a custom host header that identifies the health check. proxy-header to the default value, and set
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
28
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments. What should you do?
A) Assign each user the editor role.
B) Assign each user the compute.networkAdmin role.
C) Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
D) Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
A) Assign each user the editor role.
B) Assign each user the compute.networkAdmin role.
C) Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
D) Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
29
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not responding, even though the cluster is up and running. What should you do to solve the problem?
A) Assign a public IP address to the instance.
B) Create a route to reach the Master, pointing to the default internet gateway.
C) Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
D) Create the appropriate master authorized network entries to allow the instance to communicate to the master.
A) Assign a public IP address to the instance.
B) Create a route to reach the Master, pointing to the default internet gateway.
C) Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
D) Create the appropriate master authorized network entries to allow the instance to communicate to the master.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
30
You want to configure a NAT to perform address translation between your on-premises network blocks and GCP. Which NAT solution should you use?
A) Cloud NAT
B) An instance with IP forwarding enabled
C) An instance configured with iptables DNAT rules
D) An instance configured with iptables SNAT rules
A) Cloud NAT
B) An instance with IP forwarding enabled
C) An instance configured with iptables DNAT rules
D) An instance configured with iptables SNAT rules
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
31
You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem. What should you do?
A) Configure VPC peering in a full mesh.
B) Alter the routing table to resolve the asymmetric route.
C) Create network tags to allow connectivity between all three VPCs.
D) Delete the legacy network and recreate it to allow transitive peering.
A) Configure VPC peering in a full mesh.
B) Alter the routing table to resolve the asymmetric route.
C) Create network tags to allow connectivity between all three VPCs.
D) Delete the legacy network and recreate it to allow transitive peering.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
32
You work for a university that is migrating to GCP. These are the cloud requirements: • On-premises connectivity with 10 Gbps
• Lowest latency access to the cloud
• Centralized Networking Administration Team New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud. What should you do?
A) Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
B) Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.
C) Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.
D) Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.
• Lowest latency access to the cloud
• Centralized Networking Administration Team New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud. What should you do?
A) Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
B) Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.
C) Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.
D) Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
33
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them. How should you set up permissions for the networking team?
A) Assign members of the networking team the compute.networkUser role.
B) Assign members of the networking team the compute.networkAdmin role.
C) Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
D) Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
A) Assign members of the networking team the compute.networkUser role.
B) Assign members of the networking team the compute.networkAdmin role.
C) Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
D) Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
34
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances. Which two products should you incorporate into the solution? (Choose two.)
A) VPC flow logs
B) Firewall logs
C) Cloud Audit logs
D) Stackdriver Trace
E) Compute Engine instance system logs
A) VPC flow logs
B) Firewall logs
C) Cloud Audit logs
D) Stackdriver Trace
E) Compute Engine instance system logs
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
35
You want to create a service in GCP using IPv6. What should you do?
A) Create the instance with the designated IPv6 address.
B) Configure a TCP Proxy with the designated IPv6 address.
C) Configure a global load balancer with the designated IPv6 address.
D) Configure an internal load balancer with the designated IPv6 address.
A) Create the instance with the designated IPv6 address.
B) Configure a TCP Proxy with the designated IPv6 address.
C) Configure a global load balancer with the designated IPv6 address.
D) Configure an internal load balancer with the designated IPv6 address.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
36
Your company's web server administrator is migrating on-premises backend servers for an application to GCP. Libraries and configurations differ significantly across these backend servers. The migration to GCP will be lift-and-shift, and all requests to the servers will be served by a single network load balancer frontend. You want to use a GCP-native solution when possible. How should you deploy this service in GCP?
A) Create a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer.
B) Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.
C) Deploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers.
D) Use GCP's ECMP capability to load-balance traffic to the backend servers by installing multiple equal-priority static routes to the backend servers.
A) Create a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer.
B) Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.
C) Deploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers.
D) Use GCP's ECMP capability to load-balance traffic to the backend servers by installing multiple equal-priority static routes to the backend servers.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
37
You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services. Which session affinity should you choose?
A) None
B) Client IP
C) Client IP and protocol
D) Client IP, port and protocol
A) None
B) Client IP
C) Client IP and protocol
D) Client IP, port and protocol
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
38
You need to ensure your personal SSH key works on every instance in your project. You want to accomplish this as efficiently as possible. What should you do?
A) Upload your public ssh key to the project Metadata.
B) Upload your public ssh key to each instance Metadata.
C) Create a custom Google Compute Engine image with your public ssh key embedded.
D) Use gcloud compute ssh to automatically copy your public ssh key to the instance. Use gcloud compute ssh to automatically copy your public ssh key to the instance.
A) Upload your public ssh key to the project Metadata.
B) Upload your public ssh key to each instance Metadata.
C) Create a custom Google Compute Engine image with your public ssh key embedded.
D) Use gcloud compute ssh to automatically copy your public ssh key to the instance. Use gcloud compute ssh to automatically copy your public ssh key to the instance.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
39
You create multiple Compute Engine virtual machine instances to be used at TFTP servers. Which type of load balancer should you use?
A) HTTP(S) load balancer
B) SSL proxy load balancer
C) TCP proxy load balancer
D) Network load balancer
A) HTTP(S) load balancer
B) SSL proxy load balancer
C) TCP proxy load balancer
D) Network load balancer
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
40
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby. Which BGP attribute should you use on your on-premises router?
A) AS-Path
B) Community
C) Local Preference
D) Multi-exit Discriminator
A) AS-Path
B) Community
C) Local Preference
D) Multi-exit Discriminator
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
41
Your company's Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure: /fr/video /en/video /es/video /../video /fr/audio /en/audio /es/audio /../audio Which solution should you recommend?
A) Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.
B) Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.
C) Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.
D) Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/audio.
A) Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.
B) Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.
C) Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.
D) Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/audio.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
42
Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired. During troubleshooting you find: • Each on-premises router is configured with the same ASN.
• Each on-premises router is configured with the same routes and priorities.
• Both on-premises routers are configured with a VPN connected to a single Cloud Router.
• The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
• BGP session is not established between one on-premises router and the Cloud Router. What is the most likely cause of this problem?
A) One of the VPN sessions is configured incorrectly.
B) A firewall is blocking the traffic across the second VPN connection.
C) You do not have a load balancer to load-balance the network traffic.
D) BGP sessions are not established between both on-premises routers and the Cloud Router.
• Each on-premises router is configured with the same routes and priorities.
• Both on-premises routers are configured with a VPN connected to a single Cloud Router.
• The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
• BGP session is not established between one on-premises router and the Cloud Router. What is the most likely cause of this problem?
A) One of the VPN sessions is configured incorrectly.
B) A firewall is blocking the traffic across the second VPN connection.
C) You do not have a load balancer to load-balance the network traffic.
D) BGP sessions are not established between both on-premises routers and the Cloud Router.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
43
You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses. Which two actions should you take? (Choose two.)
A) Activate the Service Networking API in your project.
B) Activate the Cloud Datastore API in your project.
C) Create a private connection to a service producer.
D) Create a custom static route to allow the traffic to reach the Cloud SQL API.
E) Enable Private Google Access.
A) Activate the Service Networking API in your project.
B) Activate the Cloud Datastore API in your project.
C) Create a private connection to a service producer.
D) Create a custom static route to allow the traffic to reach the Cloud SQL API.
E) Enable Private Google Access.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
44
You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only. How should you configure your firewall rules?
A) Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
B) Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.
C) Create a single firewall rule to allow port 22 with priority 1000.
D) Create a single firewall rule to allow port 3389 with priority 1000.
A) Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
B) Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.
C) Create a single firewall rule to allow port 22 with priority 1000.
D) Create a single firewall rule to allow port 3389 with priority 1000.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
45
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications: Your ISP is a Google Partner Interconnect provider. Your on-premises VPN device's internet uplink and downlink speeds are 10 Gbps. A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses. Most of the data transfer will be from GCP to the on-premises environment. The application can burst up to 1.5 Gbps during peak transfers over the Interconnect. Cost and the complexity of the solution should be minimal. How should you provision the connectivity solution?
A) Provision a Partner Interconnect through your ISP.
B) Provision a Dedicated Interconnect instead of a VPN.
C) Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.
D) Use network compression over your VPN to increase the amount of data you can send over your VPN.
A) Provision a Partner Interconnect through your ISP.
B) Provision a Dedicated Interconnect instead of a VPN.
C) Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.
D) Use network compression over your VPN to increase the amount of data you can send over your VPN.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
46
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member. Which two methods can you use to accomplish this? (Choose two.)
A) GetIamPolicy() via REST API
B) setIamPolicy() via REST API
C) gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
D) gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
E) Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
A) GetIamPolicy() via REST API
B) setIamPolicy() via REST API
C) gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
D) gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
E) Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
47
You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the 172.16.45.0/24 network. What should you do?
A) Configure global load balancing to point 172.16.45.0/24 to the correct instance.
B) Create unique DNS records for each service that sends traffic to the desired IP address.
C) Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.
D) Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.
A) Configure global load balancing to point 172.16.45.0/24 to the correct instance.
B) Create unique DNS records for each service that sends traffic to the desired IP address.
C) Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.
D) Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
48
You are increasing your usage of Cloud VPN between on-premises and GCP, and you want to support more traffic than a single tunnel can handle. You want to increase the available bandwidth using Cloud VPN. What should you do?
A) Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.
B) Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address.
C) Add a second on-premises VPN gateway with a different public IP address. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.
D) Add a second Cloud VPN gateway in a different region than the existing VPN gateway. Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.
A) Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.
B) Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address.
C) Add a second on-premises VPN gateway with a different public IP address. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.
D) Add a second Cloud VPN gateway in a different region than the existing VPN gateway. Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
49
You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC validating resolves are unable to resolve names in your zone. What should you do?
A) Update the TTL for the zone.
B) Set the zone to the TRANSFER state.
C) Disable DNSSEC at your domain registrar.
D) Transfer ownership of the domain to a new registrar.
A) Update the TTL for the zone.
B) Set the zone to the TRANSFER state.
C) Disable DNSSEC at your domain registrar.
D) Transfer ownership of the domain to a new registrar.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
50
You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses. Which subnet mask should you use for the Pod IP address range?
A) /21
B) /22
C) /23
D) /25
A) /21
B) /22
C) /23
D) /25
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
51
You need to enable Cloud CDN for all the objects inside a storage bucket. You want to ensure that all the objects in the storage bucket can be served by the CDN. What should you do in the GCP Console?
A) Create a new cloud storage bucket, and then enable Cloud CDN on it.
B) Create a new TCP load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
C) Create a new SSL proxy load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
D) Create a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.
A) Create a new cloud storage bucket, and then enable Cloud CDN on it.
B) Create a new TCP load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
C) Create a new SSL proxy load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
D) Create a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
52
You are using the gcloud command line tool to create a new custom role in a project by copying a predefined role. You receive this error message: INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid What should you do?
A) Add the resourcemanager.projects.get permission, and try again. Add the resourcemanager.projects.get permission, and try again.
B) Try again with a different role with a new name but the same permissions.
C) Remove the resourcemanager.projects.list permission, and try again. Remove the resourcemanager.projects.list
D) Add the resourcemanager.projects.setIamPolicy permission, and try again. resourcemanager.projects.setIamPolicy
A) Add the resourcemanager.projects.get permission, and try again. Add the resourcemanager.projects.get permission, and try again.
B) Try again with a different role with a new name but the same permissions.
C) Remove the resourcemanager.projects.list permission, and try again. Remove the resourcemanager.projects.list
D) Add the resourcemanager.projects.setIamPolicy permission, and try again. resourcemanager.projects.setIamPolicy
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
53
You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin. What should you do?
A) Ensure that the object you don't want to be cached anymore is not shared publicly.
B) Create a new storage bucket, and move the object you don't want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute. Create a new storage bucket, and move the object you don't want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute.
C) Add an appropriate lifecycle rule on the storage bucket containing the two objects.
D) Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies. Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies.
A) Ensure that the object you don't want to be cached anymore is not shared publicly.
B) Create a new storage bucket, and move the object you don't want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute. Create a new storage bucket, and move the object you don't want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute.
C) Add an appropriate lifecycle rule on the storage bucket containing the two objects.
D) Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies. Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
54
Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it is a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost. Which two steps should you take? (Choose two.)
A) Use Cloud Armor to blacklist the attacker's IP addresses.
B) Increase the maximum autoscaling backend to accommodate the severe bursty traffic.
C) Create a global HTTP(s) load balancer and move your application backend to this load balancer.
D) Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.
E) SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.
A) Use Cloud Armor to blacklist the attacker's IP addresses.
B) Increase the maximum autoscaling backend to accommodate the severe bursty traffic.
C) Create a global HTTP(s) load balancer and move your application backend to this load balancer.
D) Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.
E) SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
55
You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses. Which two methods can you use to accomplish this? (Choose two.)
A) Enable Private Google Access on all the subnets.
B) Enable Private Google Access on the VPC.
C) Enable Private Services Access on the VPC.
D) Create network peering between your VPC and BigQuery.
E) Create a Cloud NAT, and route the application traffic via NAT gateway.
A) Enable Private Google Access on all the subnets.
B) Enable Private Google Access on the VPC.
C) Enable Private Services Access on the VPC.
D) Create network peering between your VPC and BigQuery.
E) Create a Cloud NAT, and route the application traffic via NAT gateway.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
56
You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template. How should you update your instances?
A) Manually patch some of the instances, and then perform a rolling restart on the instance group.
B) Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.
C) Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.
D) Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.
A) Manually patch some of the instances, and then perform a rolling restart on the instance group.
B) Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.
C) Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.
D) Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
57
In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost. Which two steps should you take? (Choose two.)
A) Connect both projects using Cloud VPN.
B) Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
C) Enable Shared VPC in one project (e. g., code-dev), and make the second project (e. g., data-dev) a service project.
D) Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
E) Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
A) Connect both projects using Cloud VPN.
B) Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
C) Enable Shared VPC in one project (e. g., code-dev), and make the second project (e. g., data-dev) a service project.
D) Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
E) Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
Unlock Deck
k this deck
Unlock Deck
Unlock for access to all 57 flashcards in this deck.
