NotJustExam Interactive Question Bank | [Google] GCP-PCNE

Question 1

You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.
What should you do?

A. Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
B. Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
C. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
D. Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.

Correct Answer: C

Explanation:

The AI recommends to agree with the suggested answer.

The suggested answer is C: Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.

Reasoning:

Firewall rules in Google Cloud allow you to control network traffic to and from your instances. By creating a firewall rule with a specific target tag, you can apply the rule to all instances with that tag. This allows you to restrict access to your application based on the source IP address.
Tagging backend instances and creating a firewall rule with the specified source IP range of allowed clients and Google health check IP ranges is an effective method to restrict access to a Google Cloud load-balanced application.

Reasons for not choosing the other options:

Option A: VPC Service Controls and Access Context Manager are designed to create secure perimeters around Google Cloud resources, but they are more complex to set up and manage than firewall rules. They are also not the most appropriate solution for simply restricting access based on IP addresses.
Option B: Similar to option A, VPC Service Controls are more suitable for complex perimeter security scenarios than simple IP-based restrictions. Marking the load balancer as a service restricted to specific IP ranges is not the correct way to apply firewall rules.
Option D: Target labels are not a valid option in Google Cloud firewall rules. Target tags are the correct mechanism for applying firewall rules to specific instances.

Citations:

Google Cloud Firewall Rules, https://cloud.google.com/firewall/docs/firewalls
VPC Service Controls Overview, https://cloud.google.com/vpc-service-controls/docs/overview
Access Context Manager, https://cloud.google.com/access-context-manager/docs/overview

Question 2

Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency.
How should you design this topology?

A. Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.
B. Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.
C. Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.
D. Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.

Correct Answer: D

Explanation:

The AI agrees with the suggested answer, which is D.

Reasoning:
Option D suggests creating one VPC with two regional subnets. This is the most efficient and cost-effective solution because VPCs in Google Cloud are global resources, allowing regional subnets within the same VPC to communicate directly using private RFC1918 IP addresses without the need for VPNs, external IPs, or global load balancers. This approach leverages Google's internal network backbone for communication.

Why other options are not suitable:

A: Creating two VPCs and connecting them with VPN gateways adds unnecessary complexity and cost. VPNs introduce overhead and management overhead.
B: Using external IP addresses exposes the instances to the public internet, which increases security risks and is generally not recommended for internal communication.
C: Using a global load balancer for inter-region communication within a VPC is an overkill. Global load balancers are designed to distribute traffic from users across different regions, not for internal workload communication.

In summary, option D is preferred due to its simplicity, cost-effectiveness, and security.

Title: Google Cloud VPC Overview, https://cloud.google.com/vpc/docs/vpc
Title: RFC1918 - Address Allocation for Private Internets, https://datatracker.ietf.org/doc/html/rfc1918

Question 3

Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?

A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
B. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

Correct Answer: C

Explanation:

The AI recommends answer C: Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.

The suggested answer aligns with the recommended answer.

Reasoning:
VPC peering is the most suitable option because it allows direct connectivity between separate VPCs within the same organization, enabling the creation of separate network administrative domains while facilitating the required connectivity between two departments. Each department gets its own VPC, providing network isolation, and VPC peering is used to selectively allow communication between the two departments that need it. This approach minimizes operational overhead by avoiding the complexity of managing a shared VPC or VPN connections.

Why other options are not suitable:

A: Shared VPCs are designed to connect resources from different projects, but the problem specifies a single project. Also, it does not inherently provide network isolation between departments within the same project.
B: Cloud VPN is used for connecting networks over the internet or between different organizations, which is unnecessary overhead for this scenario. It also introduces more operational complexity than VPC peering.
D: While firewall rules and network tags can achieve isolation within a single VPC, this approach increases operational overhead as it requires constant maintenance of firewall rules to ensure proper isolation. Also, it doesn't create truly separate network administrative domains.

Citations:

VPC Peering, https://cloud.google.com/vpc/docs/vpc-peering
Shared VPC, https://cloud.google.com/vpc/docs/shared-vpc
Cloud VPN, https://cloud.google.com/vpn/docs/concepts/overview

Question 4

You are migrating to Cloud DNS and want to import your BIND zone file.
Which command should you use?

A. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
B. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
C. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
D. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED ZONE

Correct Answer: C

Explanation:

The AI agrees with the suggested answer C.

Reasoning:
The correct command to import a BIND zone file into Cloud DNS is: gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE. The --zone-file-format flag is essential because it specifies that the input ZONE_FILE is in the BIND zone file format.

This command correctly imports the DNS records from the BIND zone file into the specified Cloud DNS managed zone.

Reasons for not choosing the other options:

Option A: gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE is incorrect because it lacks the --zone-file-format flag. Without this flag, the gcloud command will not recognize the input file as a BIND zone file.
Option B: gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE is incorrect because while --replace-origin-ns might be useful in some scenarios, the command still misses the crucial --zone-file-format flag to indicate the BIND zone file format.
Option D: gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED ZONE is incorrect. While --delete-all-existing might be useful in some scenarios, the command still misses the crucial --zone-file-format flag to indicate the BIND zone file format. Also, using --delete-all-existing can lead to unintended data loss if not carefully managed.

The most important flag for correctly importing a BIND zone file is --zone-file-format.

Question 5

You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.
How should you configure the Distribution VPC?

A. Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.
B. Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.
C. Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.
D. Rename the default VPC as "Distribution" and peer it via network peering.

Correct Answer: B

Explanation:

The AI agrees with the suggested answer B.
Reasoning: Option B suggests creating a custom mode VPC with a CIDR range of 10.0.0.0/9. This is a valid, non-overlapping CIDR range suitable for a peered network. Custom mode is necessary to define the IP address range, which is crucial for avoiding conflicts with the existing "Retail" VPC and any default subnets.
Why other options are incorrect:

Option A is incorrect because auto mode VPCs automatically create subnets with predefined IP ranges. This could lead to overlapping IP ranges with the existing "Retail" VPC, causing peering to fail or function unpredictably. Auto mode doesn't allow for specifying the IP range.
Option C is incorrect because the CIDR range 10.128.0.0/9 overlaps with the auto mode IP ranges (specifically, 10.128.0.0/20 in us-central1, for instance). This overlap would cause issues when attempting to peer the networks.
Option D is incorrect because renaming the default VPC does not create a new VPC with a unique IP address range and does not allow the specification of new CIDR blocks, therefore doesn't solve the initial problem.

Therefore, the only viable solution is to create a custom mode VPC with a non-overlapping CIDR range.

Citations:

VPC Network Peering, https://cloud.google.com/vpc/docs/vpc-peering
VPC Overview, https://cloud.google.com/vpc/docs/vpc

Question 6

You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

A. Turn on Private Google Access at the subnet level.
B. Turn on Private Google Access at the VPC level.
C. Turn on Private Services Access at the VPC level.
D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
E. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.

Correct Answer: AD

Explanation:

The AI assistant agrees with the suggested answer of A and D.

Reasoning:
The question specifies that VPC instances without public IP addresses need to access BigQuery and Cloud Pub/Sub APIs without going through the third-party firewall. This requires two key steps:
1. **Private Google Access:** Instances without external IP addresses cannot directly access external services. Private Google Access allows these instances to use the Google Cloud network to reach Google APIs and services. This needs to be enabled at the subnet level, as stated in Option A.
2. **Bypassing the Firewall:** Since a default route (0.0.0.0/0) sends all egress traffic to the firewall, a more specific route is needed to bypass it for Google API traffic. Option D suggests creating custom static routes to send traffic to the *external* IP addresses of Google APIs and services via the default internet gateway. This will bypass the firewall and allow instances to directly access these APIs.

Reasons for not choosing other options:
* **Option B:** Private Google Access is configured at the subnet level, not the VPC level. * **Option C:** Private Service Access is used for connecting to services like Memorystore or Cloud SQL, not for general access to Google APIs like BigQuery or Pub/Sub. It's also used for VPC Peering, which isn't the scenario here. * **Option E:** Google APIs are generally accessed via external IP addresses, not internal IP addresses. While Private Google Access utilizes Google's internal network, the actual API endpoints are still resolved to public IPs.

Citations:

Private Google Access, https://cloud.google.com/vpc/docs/private-google-access

Question 7

All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?

A. Open the Cloud Shell SSH into the instance using gcloud compute ssh.
B. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
C. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
D. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.

Correct Answer: A

Explanation:

The AI suggests that the answer should be A.
Reasoning: The question states that OS Login is disabled and project-wide SSH keys are blocked. Instances also don't have any pre-configured SSH keys. The most straightforward way to SSH into the instance is using the `gcloud compute ssh` command from Cloud Shell. This command automatically handles the SSH key deployment, working even when OS Login is disabled and project-wide keys are blocked. `gcloud compute ssh` creates an SSH key pair, uploads the public key to the instance metadata, and saves the private key locally within Cloud Shell, allowing a successful SSH connection.
Reasons for not choosing other options:

Option B is incorrect because it involves enabling OS Login, which is contrary to the problem statement specifying that OS Login is disabled. Attempting to use a third-party tool with OS Login enabled would also not work without further configuration not described in the problem.
Option C is incorrect because the instances are configured to block SSH access using keys, so adding an SSH key pair directly to the instance would not work.
Option D is incorrect because even if a public key is added to the project, the instance is configured to block project-wide SSH keys, so this action would not enable SSH access.

Citations:

Using SSH with Compute Engine, https://cloud.google.com/compute/docs/connect/ssh

Question 8

You work for a university that is migrating to GCP.
These are the cloud requirements:
"¢ On-premises connectivity with 10 Gbps
"¢ Lowest latency access to the cloud
"¢ Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?

A. Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
B. Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.
C. Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.
D. Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.

Correct Answer: A

Explanation:

The AI recommends answer A: Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.

Reasoning:
The AI agrees with the suggested answer (A). This approach centralizes network administration within the Shared VPC's host project, satisfying the requirement for a centralized Networking Administration Team. By deploying the VLAN attachments and Interconnect in the host project, different departments (service projects) can connect to the on-premises network through this centralized point, achieving the required 10 Gbps connectivity and low latency access. Centralizing the Interconnect also reduces costs compared to deploying multiple Interconnects in separate projects.

Reasons for not choosing other answers:

B: Deploying VLAN attachments in service projects would distribute network management and not align with the centralized Networking Administration Team requirement.
C and D: Using standalone projects and deploying VLAN attachments and/or Interconnects in individual projects would lead to a decentralized and less cost-efficient solution. This is because each department would need its own Interconnect connection, increasing complexity and cost. Furthermore, it doesn't align with the requirement for a centralized Networking Administration Team.

In summary, the best approach is to use Shared VPC with the Interconnect and VLAN attachments deployed in the host project to ensure centralized management, cost efficiency, and low-latency connectivity.

Citations:

Shared VPC, https://cloud.google.com/vpc/docs/shared-vpc
Cloud Interconnect, https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview

Question 9

You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple
Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.
Which session affinity should you choose?

A. None
B. Client IP
C. Client IP and protocol
D. Client IP, port and protocol

Correct Answer: B

Explanation:

The AI agrees with the suggested answer.
The suggested answer is B. Client IP.
Reasoning: The question specifies that clients need to be sticky to a particular instance across both HTTP and TFTP services. Client IP affinity ensures that all traffic from the same client IP address is consistently directed to the same backend instance. This fulfills the requirement for session stickiness without unnecessarily differentiating between the two services.
Reasons for not choosing other options:

A. None: This option would not provide any session affinity, and requests from the same client might be routed to different backend instances, which violates the stickiness requirement.
C. Client IP and protocol: Including the protocol (TCP for HTTP, UDP for TFTP) might seem helpful, but it's unnecessary. The goal is to maintain stickiness regardless of the protocol used. Using the protocol, in addition to IP, can split workloads across servers. Since the requirement is to keep the client on the same instance regardless of protocol, this is not a good choice.
D. Client IP, port and protocol: This is the most granular option, and also the least suitable. It would differentiate sessions based not only on the protocol but also on the client's source port. This could lead to multiple sessions from the same client IP being routed to different backend instances, defeating the purpose of session stickiness. Also, TFTP uses UDP, and session affinity typically only applies to TCP-based protocols.

Therefore, Client IP is the most appropriate choice.

Citations:

Google Cloud Load Balancing documentation on session affinity: https://cloud.google.com/load-balancing/docs/backend-service#session_affinity

Question 10

You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging.
When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?

A. Check the VPC flow logs for the instance.
B. Try connecting to the instance via SSH, and check the logs.
C. Create a new firewall rule to allow traffic from port 22, and enable logs.
D. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.

Correct Answer: D

Explanation:

The AI assistant agrees with the suggested answer, which is D: Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.

Reasoning:
The problem states that the user wants to see logs for blocked traffic, specifically the blocked RDP traffic. The existing firewall rule allows HTTP traffic, but RDP is being blocked, presumably by the default implicit deny rule. However, the default implicit deny rule does not have logging enabled. To see logs of blocked traffic, a new firewall rule that explicitly denies traffic *and* has logging enabled must be created. A lower priority number (higher precedence) needs to be set to ensure it's evaluated before the default rule. 65500 is the lowest priority number, thus ensuring the new rule is evaluated last which captures *all* denied traffic.

Why other options are not correct:

Option A: Check the VPC flow logs for the instance. VPC Flow Logs record network traffic sent from and received by VM instances. However, firewall logs, specifically the logs showing which firewall rule blocked the traffic, are different from VPC Flow Logs. Also, VPC flow logs sample traffic, and may not capture every blocked packet.
Option B: Try connecting to the instance via SSH, and check the logs. Trying to connect via SSH doesn't solve the problem of not seeing logs for the blocked RDP traffic. Also, checking logs on the instance requires the instance to be accessible.
Option C: Create a new firewall rule to allow traffic from port 22, and enable logs. This would allow SSH traffic, but it doesn't address the issue of logging blocked RDP traffic. Furthermore, allowing SSH traffic is not the goal; the goal is to understand why RDP is blocked and to see the logs of that blocked traffic.

Citations:

Firewall Rules Logging, https://cloud.google.com/vpc/docs/firewall-rules-logging

[Google] GCP-PCNE - Professional Cloud Network Engineer Exam Dumps & Study Guide

Free [Google] GCP-PCNE - Professional Cloud Network Engineer Practice Questions Preview

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10