Verified & Correct Professional-Cloud-Network-Engineer Practice Test Reliable Source Jun 07, 2026 Updated [Q99-Q116]



Earning the Google Professional-Cloud-Network-Engineer certification demonstrates that the candidate has the skills and knowledge required to design and manage complex networks in the cloud. Google Cloud Certified - Professional Cloud Network Engineer certification is highly valued in the industry and is recognized as a standard of excellence for cloud network engineers. It is a great way for professionals to enhance their careers and improve their job prospects by demonstrating their expertise in cloud networking.

 

NEW QUESTION # 99
Your company has separate Virtual Private Cloud (VPC) networks in a single region for two departments: Sales and Finance. The Sales department's VPC network already has connectivity to on-premises locations using HA VPN, and you have confirmed that the subnet ranges do not overlap. You plan to peer both VPC networks to use the same HA tunnels for on-premises connectivity, while providing internet connectivity for the Google Cloud workloads through Cloud NAT. Internet access from the on-premises locations should not flow through Google Cloud. You need to propagate all routes between the Finance department and on-premises locations. What should you do?

  • A. Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router's custom route advertisements to announce a default route to the on-premises locations.
  • B. Peer the two VPCs, and use Cloud Router's custom route advertisements to announce the peered VPC network ranges to the on-premises locations.
  • C. Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router's custom route advertisements to announce the peered VPC network ranges to the on-premises locations.
  • D. Peer the two VPCs, and use the default configuration for the Cloud Routers.

Answer: D


NEW QUESTION # 100
You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?

  • A. Configure the maximum transmission unit (MTU) to its highest supported value.
  • B. Configure a second set of active/passive VPN tunnels.
  • C. Configure a second Cloud Router to scale bandwidth in and out of the VPC.
  • D. Configure the remote autonomous system number (ASN) to 4096.

Answer: B


NEW QUESTION # 101
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

  • A. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
  • B. Turn on Private Google Access at the VPC level.
  • C. Turn on Private Services Access at the VPC level.
  • D. Turn on Private Google Access at the subnet level.
  • E. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.

Answer: D,E


NEW QUESTION # 102
You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.
How should you design this topology?

  • A. Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.
  • B. Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
  • C. Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.
  • D. Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

Answer: A

Explanation:
Explanation/Reference: https://cloud.google.com/vpc/docs/shared-vpc


NEW QUESTION # 103
You are developing an HTTP API hosted on a Compute Engine virtual machine instance that must be invoked only by multiple clients within the same Virtual Private Cloud (VPC). You want clients to be able to get the IP address of the service. What should you do?

  • A. Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Clients should use this IP address to connect to the service.
  • B. Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Then, define an A record in Cloud DNS. Clients should use the name of the A record to connect to the service.
  • C. Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal/.
  • D. Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[API_NAME]/[API_VERSION]/.

Answer: B


NEW QUESTION # 104
You need to create the network infrastructure to deploy a highly available web application in the us-east1 and us-west1 regions. The application runs on Compute Engine instances, and it does not require the use of a database. You want to follow Google-recommended practices. What should you do?

  • A. Create one VPC with one subnet in each region.
    Create a global load balancer with a static IP address.
    Enable Cloud CDN and Google Cloud Armor on the load balancer.
    Create an A record using the IP address of the load balancer in Cloud DNS.
  • B. Create one VPC with one subnet in each region.
    Create a regional network load balancer in each region with a static IP address.
    Enable Cloud CDN on the load balancers.
    Create an A record in Cloud DNS with both IP addresses for the load balancers.
  • C. Create one VPC in each region, and peer both VPCs.
    Create a global load balancer.
    Enable Cloud CDN on the load balancer.
    Create a CNAME for the load balancer in Cloud DNS.
  • D. Create one VPC with one subnet in each region.
    Create an HTTP(S) load balancer with a static IP address.
    Choose the standard tier for the network.
    Enable Cloud CDN on the load balancer.
    Create a CNAME record using the load balancer's IP address in Cloud DNS.

Answer: C


NEW QUESTION # 105
Question:
Your organization has distributed geographic applications with significant data volumes. You need to create a design that exposes the HTTPS workloads globally and keeps traffic costs to a minimum. What should you do?

  • A. Deploy a regional external Application Load Balancer with Standard Network Service Tier.
  • B. Deploy a regional external Application Load Balancer with Premium Network Service Tier.
  • C. Deploy a global external proxy Network Load Balancer with Standard Network Service Tier.
  • D. Deploy a global external Application Load Balancer with Premium Network Service Tier.

Answer: D

Explanation:
The global external Application Load Balancer with Premium Network Service Tier provides optimized routing and lower latency for HTTPS workloads on a global scale. Premium tier minimizes costs by avoiding multiple regional configurations while ensuring reliable performance for global users.
Reference: Google Cloud - Network Service Tiers


NEW QUESTION # 106
There are two established Partner Interconnect connections between your on-premises network and Google Cloud. The VPC that hosts the Partner Interconnect connections is named "vpc-a" and contains three VPC subnets across three regions, Compute Engine instances, and a GKE cluster. Your on-premises users would like to resolve records hosted in a Cloud DNS private zone following Google-recommended practices. You need to implement a solution that allows your on-premises users to resolve records that are hosted in Google Cloud. What should you do?

  • A. Use custom route advertisements to announce 169.254.169.254 via BGP to the on-premises environment. Configure the on-premises DNS servers to forward DNS requests to 169.254.169.254.
  • B. Associate the private zone to "vpc-a." Create an outbound forwarding policy and associate the policy to "vpc-a." Configure the on-premises DNS servers to forward queries for the private zone to the entry point addresses created when the policy was attached to "vpc-a."
  • C. Configure a DNS proxy service inside one of the GKE clusters. Expose the DNS proxy service in GKE as an internal load balancer. Configure the on-premises DNS servers to forward queries for the private zone to the IP address of the internal load balancer.
  • D. Associate the private zone to "vpc-a." Create an inbound forwarding policy and associate the policy to "vpc-a." Configure the on-premises DNS servers to forward queries for the private zone to the entry point addresses created when the policy was attached to "vpc-a."

Answer: B

Explanation:
Associating the private zone to "vpc-a" and creating an outbound forwarding policy allows DNS queries to be forwarded from on-premises to Google Cloud DNS. The on-premises DNS servers will forward queries to the entry points created when the forwarding policy was applied to "vpc-a," enabling proper name resolution.


NEW QUESTION # 107
Your team is developing an application that will be used by consumers all over the world. Currently, the application sits behind a global external application load balancer. You need to protect the application from potential application-level attacks. What should you do?

  • A. Create a VPC Service Controls perimeter with the global external application load balancer as the protected service, and apply it to the backend service.
  • B. Enable Cloud CDN on the backend service.
  • C. Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service.
  • D. Create multiple firewall deny rules to block malicious users, and apply them to the global external application load balancer.

Answer: C

Explanation:
The correct answer is C because it meets the requirement of protecting the application from potential application-level attacks. Google Cloud Armor security policies are sets of rules that match on attributes from Layer 3 to Layer 7 to protect externally facing applications. Web application firewall (WAF) rules are predefined rules that detect and mitigate common web attacks such as cross-site scripting (XSS), SQL injection, remote file inclusion, and more. By applying a Google Cloud Armor security policy with WAF rules to the backend service, you can filter out malicious requests before they reach your application.
Option A is incorrect because Cloud CDN is a content delivery network that caches static content at the edge of Google's network, but it does not provide any protection against application-level attacks. Option B is incorrect because firewall rules are applied at the VPC network level, not at the load balancer level. Firewall rules also only match on Layer 3 and 4 attributes, not on Layer 7 attributes that are relevant for application-level attacks. Option D is incorrect because VPC Service Controls perimeter is a feature that helps you secure your data from unauthorized access by users outside your organization, but it does not protect your application from external attacks.


NEW QUESTION # 108
You configured a single IPSec Cloud VPN tunnel for your organization to a third-party customer. You confirmed that the VPN tunnel is established; however, the BGP session status states that BGP is not configured. The customer has provided you with their BGP settings:
* Local BGP address: 169.254.11.1/30
* Local ASN: 64515
* Peer BGP address: 169.254.11.2
* Peer ASN: 64517
* Base MED: 1000
* MD5 Authentication: Disabled
You need to configure the local BGP session for this tunnel based on the settings provided by the customer. You already associated the Cloud Router with the Cloud VPN Tunnel. What settings should you use for the BGP session?

  • A. Peer ASN: 64515
    Advertised Route Priority (MED): 100
    Local BGP IP: 169.254.11.1
    Peer BGP IP: 169.254.11.2
    MD5 Authentication: Disabled
  • B. Peer ASN: 64515
    Advertised Route Priority (MED): 100
    Local BGP IP: 169.254.11.2
    Peer BGP IP: 169.254.11.1
    MD5 Authentication: Disabled
  • C. Peer ASN: 64517
    Advertised Route Priority (MED): 100
    Local BGP IP: 169.254.11.2
    Peer BGP IP: 169.254.11.1
    MD5 Authentication: Disabled
  • D. Peer ASN: 64515
    Advertised Route Priority (MED): 1000
    Local BGP IP: 169.254.11.2
    Peer BGP IP: 169.254.11.1
    MD5 Authentication: Enabled

Answer: C

Explanation:
The correct configuration requires setting the Peer ASN as 64517 (as this is the ASN of the third-party customer). The local and peer BGP IP addresses should also be set correctly based on the provided information, and MD5 authentication should be disabled. The route priority should be set to 100 to reflect standard behavior.


NEW QUESTION # 109
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?

  • A. Create a Cloud VPN instance.
    Create a route-based VPN tunnel.
    Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    Configure the appropriate static routes.
  • B. Create a Cloud VPN instance.
    Create a policy-based VPN tunnel per subnet.
    Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    Create the appropriate static routes.
  • C. Create a Cloud VPN instance.
    Create a policy-based VPN tunnel.
    Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    Configure the appropriate static routes.
  • D. Create a Cloud VPN instance.
    Create a route-based VPN tunnel.
    Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.
    Configure the appropriate static routes.

Answer: C

Explanation:
https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns#creating_a_gateway_and_tunnel


NEW QUESTION # 110
Your organization requires that metrics from all applications be retained for 5 years for future analysis in possible legal proceedings. Which approach should you use?

  • A. Configure Stackdriver Monitoring for all Projects, and export to Google Cloud Storage.
  • B. Configure Stackdriver Monitoring for all Projects, and export to BigQuery.
  • C. Grant the security team access to the logs in each Project.
  • D. Configure Stackdriver Monitoring for all Projects with the default retention policies.

Answer: A

Explanation:
B and D can be quickly ruled out because neither of them is a good solution for the requirement "retained for 5 years".
Between A and C, the difference is where to store the data: BigQuery or Cloud Storage. Since the main concern is the extended storage period, C (Correct Answer) is the better answer, and the "retained for 5 years for future analysis" further qualifies it, for example, using the Coldline storage class.
With regard to BigQuery, while it is also low-cost storage, its main purpose is analysis.
Also, logs in Cloud Storage are easy to transport to BigQuery whenever needed.


NEW QUESTION # 111
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

  • A. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
  • B. Turn on Private Google Access at the VPC level.
  • C. Turn on Private Services Access at the VPC level.
  • D. Turn on Private Google Access at the subnet level.
  • E. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.

Answer: D,E

Explanation:
https://cloud.google.com/vpc/docs/private-access-options#pga
Private Google Access: VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the _external IP addresses_ of Google APIs and services.


NEW QUESTION # 112
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

  • A. Shared VPC
  • B. Cloud VPN
  • C. VPC peering
  • D. Cloud NAT
  • E. Dedicated Interconnect

Answer: B,E


NEW QUESTION # 113
Question:
Your organization has a hub and spoke architecture with VPC Network Peering, and hybrid connectivity is centralized at the hub. The Cloud Router in the hub VPC is advertising subnet routes, but the on-premises router does not appear to be receiving any subnet routes from the VPC spokes. You need to resolve this issue.
What should you do?

  • A. Create custom learned routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.
  • B. Create custom routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.
  • C. Create custom routes at the Cloud Router in the spokes to advertise the subnets of the VPC spokes.
  • D. Create a BGP route policy at the Cloud Router, and ensure the subnets of the VPC spokes are being announced towards the on-premises environment.

Answer: A

Explanation:
Creating custom learned routes at the hub's Cloud Router is required for advertising VPC spokes' subnets to the on-premises environment. This centralizes route configuration and ensures that all spoke subnet routes are propagated to the hybrid network.
Reference: Google Cloud - Cloud Router Custom Routes


NEW QUESTION # 114
You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.
What should you do?

  • A. Ensure that the object you don't want to be cached anymore is not shared publicly.
  • B. Add an appropriate lifecycle rule on the storage bucket containing the two objects.
  • C. Create a new storage bucket, and move the object you don't want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute.
  • D. Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies.

Answer: A

Explanation:
Explanation/Reference: https://developers.google.com/web/ilt/pwa/caching-files-with-service-worker


NEW QUESTION # 115
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
- Each on-premises router is configured with a unique ASN.
- Each on-premises router is configured with the same routes and priorities.
- Both on-premises routers are configured with a VPN connected to a single Cloud Router.
- BGP sessions are established between both on-premises routers and the Cloud Router.
- Only 1 of the on-premises router's routes are being added to the routing table.
What is the most likely cause of this problem?

  • A. The ASNs being used on the on-premises routers are different.
  • B. The on-premises routers are configured with the same routes.
  • C. A firewall is blocking the traffic across the second VPN connection.
  • D. You do not have a load balancer to load-balance the network traffic.

Answer: D


NEW QUESTION # 116
......


Google Professional-Cloud-Network-Engineer certification exam is designed to assess the candidate’s understanding and expertise in solving networking challenges using Google Cloud Platform. Passing this certification demonstrates that the individual has the ability to design, implement and manage networks leveraging Google Cloud Platform, and can provide solutions to complex networking problems. Professional-Cloud-Network-Engineer exam measures proficiency, hands-on experience, and the ability to apply concepts to real-world scenarios. To prepare for the exam, Google provides various study guides, documentation, and training materials to help professionals enhance their skills and knowledge.


How to book Google Professional Cloud Network Engineer Exams

The registration for the Google Professional Cloud Network Engineer Exam follows the steps given below.

  • Step 1: Visit the Google Cloud Webassessor Website
  • Step 2: Sign in or sign up to your Google Cloud Webassessor account
  • Step 3: Search for the exam name Google Professional Cloud Network Engineer
  • Step 4: Select the date of the exam, choose an exam center, and make the payment using a payment method such as credit/debit card, etc.

 
