Google Professional Cloud Network Engineer (PCNE) — Questions 976–982

982 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976 · MCQ · easy

A company uses Cloud NAT to enable outbound connectivity for private VMs. They notice that some VMs are not able to reach a specific external IP range. The VMs have no tags or service accounts. What is the most likely cause?

A. Cloud NAT requires each VM to have a unique external IP address.
B. The VMs need a default route pointing to the NAT gateway.
C. A static route must be created for the external IP range via the NAT gateway.
D. The VMs might be in a different subnet than the one where Cloud NAT is configured.

Answer: D

Cloud NAT is applied per subnet; VMs in other subnets won't use it unless also configured.

Why this answer

Option D is correct because Cloud NAT is applied per subnet: it uses the VM's source IP address to decide which NAT IP to use, and a VM whose subnet is not covered by the Cloud NAT configuration will not use that NAT. Option B is wrong because Cloud NAT does not require a default route via the NAT gateway; it works with dynamic routes. Option C is wrong because there is no static route requirement.

Option A is wrong because Cloud NAT can use unique external IPs per VM if configured, but that wouldn't block traffic.

977 · MCQ · easy

A security engineer wants to allow SSH access to a VM that has no external IP. The VM is in a VPC with IAP configured. What is the simplest way to enable secure SSH without a bastion host?

A. Use Identity-Aware Proxy (IAP) TCP forwarding with the gcloud compute start-iap-tunnel command.
B. Create a VPN tunnel to the VPC and SSH over the VPN.
C. Configure a SOCKS proxy on a bastion host.
D. Assign an external IP to the VM and use a firewall rule to restrict access.

Answer: A

IAP TCP forwarding provides secure access without external IPs.

Why this answer

Identity-Aware Proxy (IAP) TCP forwarding allows secure SSH access to a VM without an external IP by tunneling traffic through the IAP service. The `gcloud compute start-iap-tunnel` command establishes an encrypted tunnel from your local machine to the VM via the IAP proxy, using the VM's internal IP and port 22. This eliminates the need for a bastion host or public IP while leveraging IAP's identity-based access controls.

Exam trap

Google Cloud often tests the misconception that IAP is only for web-based access (HTTP/HTTPS) and not for TCP forwarding, causing candidates to overlook the `gcloud compute start-iap-tunnel` command as a valid solution for SSH without a bastion host.

How to eliminate wrong answers

Option B is wrong because creating a VPN tunnel adds unnecessary complexity and cost, and it does not leverage IAP which is already configured in the VPC; it also requires additional VPN gateway setup. Option C is wrong because configuring a SOCKS proxy on a bastion host contradicts the requirement of 'without a bastion host' and introduces an extra hop and management overhead. Option D is wrong because assigning an external IP directly exposes the VM to the internet, violating the security intent of having no external IP and requiring firewall rules that could be misconfigured.

978 · MCQ · medium

Refer to the exhibit. A VM in the default VPC with an internal IP 10.0.1.2 tries to SSH (tcp:22) from a host at 10.0.2.5. What is the result?

A. The traffic is denied because the source IP is not in the same subnet as the VM.
B. The traffic is denied because the deny-ssh rule has a lower priority number and blocks all SSH traffic.
C. The traffic is denied due to the implicit deny rule at the end.
D. The traffic is allowed because it matches the allow-internal rule.

Answer: D

allow-internal allows all traffic from 10.0.0.0/8.

Why this answer

The default VPC in a cloud environment (such as AWS) includes a default security group that allows all inbound traffic from other resources within the same security group. Since both the VM (10.0.1.2) and the host (10.0.2.5) are in the default VPC and likely associated with the same default security group, the allow-internal rule permits the SSH connection. The traffic matches the allow rule before any deny rules are evaluated, so it is allowed.

Exam trap

Google Cloud often tests the misconception that security group rules are evaluated in priority order like ACLs, when in fact they are evaluated as a set of allow rules with an implicit deny at the end, and the order of rules does not affect the outcome.

How to eliminate wrong answers

Option A is wrong because the source IP (10.0.2.5) is in a different subnet (10.0.2.0/24) than the VM (10.0.1.0/24), but security group rules in a VPC are not subnet-aware; they evaluate based on IP addresses or CIDR blocks, not subnet membership. Option B is wrong because there is no explicit 'deny-ssh' rule with a lower priority number in the default VPC; the exhibit shows only an allow-internal rule, and security group rules are evaluated as a whole (all allow rules are checked first, then implicit deny). Option C is wrong because the implicit deny rule only applies if no explicit allow rule matches; here, the traffic matches the allow-internal rule, so the implicit deny is not triggered.

979 · MCQ · medium

An organization wants to use Cloud DNS to forward DNS queries from on-premises to Google Cloud for a private zone. Which feature should they implement?

A. DNS peering
B. Inbound DNS policy
C. Outbound DNS forwarding zone
D. Private zone with DNS forwarding

Answer: B

Inbound DNS policy creates a forwarding IP that on-premises resolvers can use to query Cloud DNS private zones.

Why this answer

Inbound DNS policy provides a Google-managed forwarding IP address in your VPC that on-premises resolvers can use to forward queries to Cloud DNS private zones.

980 · Multi-Select · medium

An organization wants to reduce egress costs for data sent from Compute Engine instances to users worldwide. Which TWO approaches should they consider? (Choose TWO.)

Select 2 answers
A. Enable Private Google Access to avoid internet egress for Google APIs.
B. Deploy instances in multiple regions closer to users.
C. Use global load balancers instead of regional load balancers.
D. Use Cloud CDN to cache content at Google's edge locations.
E. Use Premium Tier networking to route traffic over Google's network.

Answers: B, D

Regional deployment reduces cross-region and internet egress costs.

Why this answer

Cloud CDN caches content at Google's edge locations, reducing egress from the origin instances. Premium Tier routes traffic over Google's network, which improves performance but may not reduce egress cost; Standard Tier egress is cheaper than Premium Tier for internet egress, so Standard Tier (if acceptable) could also help, but it is not among the options.

Of the options given, Cloud CDN and deploying instances in multiple regions (so that users are served locally) are the two that reduce egress.

981 · MCQ · medium

A network engineer needs to create a firewall rule that blocks all ingress traffic from the internet to Compute Engine instances tagged 'web-server', except for traffic from the organization's VPN gateway at IP 203.0.113.1. The engineer creates a rule with priority 1000, deny ingress, source IP ranges 0.0.0.0/0, and targets 'web-server'. To allow the VPN IP, what should the engineer do?

A. Modify the existing deny rule to include an exception for the VPN IP in the source IP field.
B. Delete the deny rule and create a single rule that denies all IPs except the VPN IP using the 'except' option.
C. Create a new allow rule with priority 500, source IP 203.0.113.1/32, target 'web-server', and action allow.
D. Change the priority of the existing deny rule to 1 and create an allow rule with priority 2 for the VPN IP.

Answer: C

This allow rule has higher priority (lower number) than the deny rule, so traffic from the VPN IP will be allowed before the deny rule applies.

Why this answer

Firewall rules are evaluated in order of priority (lower number = higher priority). The deny rule at priority 1000 will deny all IPs. To allow the VPN IP, a higher priority (lower number) allow rule must be created for that specific IP, before the deny rule is evaluated.

The correct approach is to create an allow rule with priority 100 (or any number lower than the deny rule's 1000, such as the 500 in option C) targeting web-server, with the source set to the specific VPN IP 203.0.113.1/32; a broader range such as 203.0.0.0/8 would also take precedence over the deny rule, but it admits far more than the VPN gateway and should be avoided.

982 · Multi-Select · medium

A company has a Dedicated Interconnect connection between their on-premises data center and Google Cloud. They are experiencing intermittent connectivity issues on a specific VLAN attachment. The VLAN attachment is configured with a single Cloud Router and BGP sessions are established. Which two steps should they take to troubleshoot the issue? (Choose two.)

Select 2 answers
A. Verify the BGP session status on the Cloud Router.
B. Check the MTU configuration on the on-premises router.
C. Verify the physical interconnect location and cable connections.
D. Review the VLAN attachment status in the Google Cloud Console.
E. Review the Cloud NAT configuration for the VPC network.

Answers: A, D

Correct. BGP session flapping can cause intermittent connectivity.

Why this answer

Option A is correct because BGP session status on the Cloud Router directly indicates whether the routing protocol is functioning correctly between the on-premises router and Google Cloud. Intermittent connectivity on a VLAN attachment often stems from BGP flapping or session drops, which can be verified by checking the BGP state (e.g., Established, Idle, or Active) and associated error counters in the Google Cloud Console or via gcloud commands.

Exam trap

The trap here is that candidates often confuse physical layer issues (Option C) with logical layer problems, but the question specifies a single VLAN attachment, which points to a logical configuration error rather than a physical interconnect fault.
