GCP Network Engineer Sample Questions
Question 1. If you need to migrate to Cloud DNS and wish to import your BIND zone file, which command should you use?
- A. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
- B. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
- C. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
- D. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED_ZONE
Correct Answer: C
Explanation: Using the gcloud dns record-sets import command, you can import the file exported from your other provider into your managed zone. When you omit the --zone-file-format flag, import expects a YAML-formatted records file; when you include it, import expects a BIND-formatted zone file.
Question 2. The regions us-east1 and europe-west1 are close to where your end users are located. Workloads in those regions must communicate with each other. If you want to minimize cost and increase performance, what topology should you use?
- A. Creating 2 VPCs, with their own regions and individual subnets. Creating 2 VPN gateways for establishing connectivity between these regions.
- B. Creating 2 VPCs, each with their own region and individual subnets. Using external IP addresses on the instances for establishing connectivity between these regions.
- C. Creating 1 VPC with 2 regional subnets. Creating a global load balancer for establishing connectivity between the regions.
- D. Creating 1 VPC with 2 regional subnets. Deploying workloads in these subnets and having them communicate using private RFC1918 IP addresses.
Correct Answer: D
Explanation: Through VPC Network Peering, workloads from different VPC networks can communicate privately in RFC 1918 spaces across VPC networks. Traffic cannot traverse the public internet and stays within Google’s network.
Reference: https://cloud.google.com/vpc/docs/vpc-peering
Question 3. Traffic inspection is done using a next-generation firewall provided by a third party. To route traffic to the firewall, you created a custom route for 0.0.0.0/0. You want the instances hosted in your VPC to reach the BigQuery and Cloud Pub/Sub APIs without going through the firewall.
Which two actions should you take? (Choose two.)
- A. Turning on Private Google Access at the subnet level.
- B. Turning on Private Google Access at the VPC level.
- C. Turning on Private Services Access at the VPC level.
- D. Creating a set of custom static routes for sending traffic to the external IP addresses of Google APIs and services via the default internet gateway.
- E. Creating a set of custom static routes for sending traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
Correct Answer: CE
Reference: https://cloud.google.com/vpc/docs/private-access-options
Question 4. In your project, every instance has the enable-oslogin metadata value set to FALSE and every SSH key is blocked. There is no SSH key set for any of the instances, and no project-wide SSH keys have been created. A firewall rule is set up to allow SSH sessions from any range of IP addresses. What should you do if you want to SSH into one instance?
- A. Opening the Cloud Shell SSH into the instance using gcloud compute ssh.
- B. Setting the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like PuTTY or ssh.
- C. Generating a new SSH key pair. Verifying the format of the private key and adding it to the instance. SSH into the instance using a third-party tool like PuTTY or ssh.
- D. Generating a new SSH key pair. Verifying the format of the public key and adding it to the project. SSH into the instance using a third-party tool like PuTTY or ssh.
Correct Answer: B
Reference: https://cloud.google.com/compute/docs/storing-retrieving-metadata
Question 5. Your company has developed and deployed an internal application that provides HTTP and TFTP services to on-premises hosts. You want traffic distributed across multiple hosts, and a client must be able to stick to a single instance across both services, regardless of the instance type.
Which session affinity should you choose?
- A. None
- B. Client IP
- C. Client IP and protocol
- D. Client IP, port and protocol
Correct Answer: B
Question 6. In a shared VPC, you attempted to modify firewall rules, but you only have Network Admin permissions. To comply with your organization’s requirements, you must use the least privilege possible.
Which level of permissions would you request?
- A. Security Admin privileges from the Shared VPC Admin.
- B. Service Project Admin privileges from the Shared VPC Admin.
- C. Shared VPC Admin privileges from the Organization Admin.
- D. Organization Admin privileges from the Organization Admin.
Correct Answer: A
Reference: https://cloud.google.com/vpc/docs/shared-vpc
Question 7. Your job is to create a service in GCP using IPv6. How would you proceed?
- A. Creating the instance with the designated IPv6 address.
- B. Configuring a TCP Proxy with the designated IPv6 address.
- C. Configuring a global load balancer with the designated IPv6 address.
- D. Configuring an internal load balancer with the designated IPv6 address.
Correct Answer: B
Question 8. Dedicated Interconnect can be ordered in the GCP Console, and you will need to give your cross-connect provider the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to wire up the physical connection.
Which two actions can accomplish this? (Choose two.)
- A. Opening a Cloud Support ticket under the Cloud Interconnect category.
- B. Downloading the LOA-CFA from the Hybrid Connectivity section of the GCP Console.
- C. Running gcloud compute interconnects describe <interconnect>.
- D. Checking the email for the account of the NOC contact that you specified during the ordering process.
- E. Contacting your cross-connect provider and informing them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.
Correct Answer: DE
Question 9. You run a popular gaming company whose servers use private IP addresses, and all external access to those servers is controlled by a global load balancer. You have an IP address that appears to belong to a malicious actor, but you don't know for sure. You want to identify this actor while minimizing disruption to your legitimate users.
What should you do?
- A. Creating a Cloud Armor policy rule that denies traffic, and reviewing the necessary logs.
- B. Creating a Cloud Armor policy rule that denies traffic, enabling preview mode, and reviewing the necessary logs.
- C. Creating a VPC firewall rule that denies traffic, enabling logging, setting enforcement to disabled, and reviewing the necessary logs.
- D. Creating a VPC firewall rule that denies traffic, enabling logging, setting enforcement to enabled, and reviewing the necessary logs.
Correct Answer: D
Question 10. You configured Cloud NAT for outbound NAT, but one of your instances does not use it. After completing the configuration, you find that the Cloud NAT configuration does not work for that instance.
What could be the most likely cause of this problem?
- A. The instance has been configured with multiple interfaces.
- B. An external IP address has been configured on the instance.
- C. You have created static routes that use RFC1918 ranges.
- D. The instance is accessible by a load balancer external IP address.
Correct Answer: B
Reference: https://www.sovereignsolutionscorp.com/google-cloud-nat/
Question 11. You have two Cloud Routers and want one of them to hold the active Border Gateway Protocol (BGP) session while the other acts as a standby.
Which BGP attribute would you use on your on-premises router?
- A. AS-Path
- B. Community
- C. Local Preference
- D. Multi-exit Discriminator
Correct Answer: D
Reference: https://cloud.google.com/router/docs/concepts/overview
Question 12. Usage of Cloud VPN between on-premises and GCP is increasing, and you need to handle more data than a single tunnel can carry. You want to increase the bandwidth available through Cloud VPN.
How should you proceed?
- A. Doubling the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.
- B. Creating two VPN tunnels on the same Cloud VPN gateway pointing to the same destination VPN gateway IP address.
- C. Adding a second on-premises VPN gateway with a different public IP address. Creating a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.
- D. Adding a second Cloud VPN gateway in a different region than the existing VPN gateway. Creating a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.
Correct Answer: C
Question 13. You are disabling DNSSEC on a Cloud DNS zone that you manage. You removed the DS records from your zone file, allowed them to expire from caches, and then disabled DNSSEC for the zone. It has been reported that DNSSEC-validating resolvers are unable to resolve names in your zone.
How should you proceed?
- A. Updating the TTL for the zone.
- B. Setting the zone to the TRANSFER state.
- C. Disabling DNSSEC at your domain registrar.
- D. Transferring ownership of the domain to a new registrar.
Correct Answer: C
Explanation: To ensure DNSSEC-validating resolvers can still resolve names in a zone where DNSSEC has been disabled, it is important to deactivate DNSSEC at your domain registrar before disabling DNSSEC.
Reference: https://cloud.google.com/dns/docs/dnssec-config
Question 14. Suppose that you have a Compute Engine application that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.
Which two methods can you use to accomplish this? (Choose two.)
- A. Enabling Private Google Access on all the subnets.
- B. Enabling Private Google Access on the VPC.
- C. Enabling Private Services Access on the VPC.
- D. Creating network peering between your VPC and BigQuery.
- E. Creating a Cloud NAT, and routing the application traffic via NAT gateway.
Correct Answer: BE
Question 15. Your organization recently assigned you the responsibility of managing identity and access management. Several projects are in progress, and you would like to use scripts and automation wherever possible. You would also like to give a member of the project the editor role.
Which two methods are the most suitable? (Choose two.)
- A. GetIamPolicy() via REST API
- B. setIamPolicy() via REST API
- C. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
- D. gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
- E. Entering an email address in the Add members field, and selecting the desired role from the drop-down menu in the GCP Console.
Correct Answer: DE
Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access