CCNA Pcne Configuring Services Questions

75 of 131 questions · Page 1/2 · Pcne Configuring Services topic · Answers revealed

1
MCQmedium

A company has an on-premises data center connected to GCP via Cloud Interconnect. They want to expose an on-premises service to internet clients through Google Cloud's global load balancer. Which type of network endpoint group should they use?

A.Zonal NEG
B.Internet NEG
C.Serverless NEG
D.Hybrid connectivity NEG
AnswerD

Correct: hybrid NEGs allow load balancing to on-premises endpoints via Interconnect or VPN.

Why this answer

Hybrid connectivity NEGs allow you to expose on-premises destinations via Cloud Interconnect or VPN to a load balancer.

2
MCQmedium

A company wants to expose a set of internal services running on Compute Engine instances in a private VPC to other internal services using HTTP load balancing. They require L7 features like URL-based routing and SSL termination. Which load balancer should they use?

A.Regional Internal HTTP(S) Load Balancer
C.Internal TCP/UDP Load Balancer
D.Regional External HTTP(S) Load Balancer
AnswerA

Correct. It provides internal L7 load balancing.

Why this answer

Regional Internal HTTP(S) Load Balancer is an Envoy-based L7 load balancer for internal traffic, supporting URL maps and SSL termination.

3
MCQhard

An organization uses Traffic Director with Envoy sidecars in GKE. They want to implement fault injection to test service resilience by injecting a 5-second delay into 10% of requests to a specific backend service. Which Traffic Director configuration resource should they use?

A.A backend service with outlier detection enabled
B.A network endpoint group with a health check that fails intermittently
C.A traffic splitting rule in the routing configuration
D.A fault injection policy in the TrafficDirectorRoute
AnswerD

Correct: fault injection is set on a route rule in the Traffic Director routing configuration, which is the URL map.

Why this answer

Traffic Director's routing configuration is a URL map. A route rule's routeAction can carry a faultInjectionPolicy with a delay (a fixedDelay plus a percentage) and/or an abort (an httpStatus plus a percentage), so a 5-second fixedDelay at percentage 10 on the rule that matches the backend service is exactly this scenario. Traffic Director pushes the policy over xDS and Envoy enforces it in its HTTP fault filter. Outlier detection (A) ejects misbehaving hosts rather than injecting faults, a flaky health check (B) would only remove endpoints, and a traffic-splitting rule (C) changes where traffic goes, not how it behaves.

4
Multi-Selectmedium

A company is designing a global web application that must serve users worldwide with low latency. They plan to use a Global HTTPS Load Balancer with Cloud CDN. Which TWO features should they enable to further reduce latency for users connecting from various regions? (Choose two.)

Select 2 answers
A.Anycast IP address
B.Reserve a static IP address
C.Enable IAP for backend services
D.Cloud CDN with CDN Interconnect
E.Cloud Armor with rate limiting
AnswersA, D

Anycast allows users to connect to the nearest edge point, reducing latency.

Why this answer

Anycast is inherent to the global external HTTP(S) load balancer: one IP is advertised from every Google edge, so each client reaches the nearest point of presence and TLS terminates there. CDN Interconnect gives selected third-party CDN providers direct peering with Google's edge, lowering latency and egress cost for origin fetches from Google Cloud. Reserving a static IP (B) changes nothing about latency; IAP (C) is access control and Cloud Armor (E) is WAF and DDoS protection, neither a performance feature.

5
MCQhard

A company uses Cloud DNS. They want to override DNS resolution for a specific domain (e.g., mycompany.com) to point to an internal IP for all queries originating from their VPC, while leaving all other domains unaffected. Which Cloud DNS feature should they use?

A.DNSSEC
B.A routing policy with a geo location rule
C.A response policy zone (RPZ)
D.A managed private zone
AnswerC

Correct: RPZ allows DNS overrides within the VPC.

Why this answer

Response Policy Zones (RPZ) allow you to create a local override zone that takes precedence over public DNS for specified domains within a VPC.

6
Multi-Selectmedium

A company wants to use Traffic Director to implement fault injection for testing service resilience. They want to inject delays and errors into a percentage of requests. Which two configurations are required? (Choose two.)

Select 2 answers
A.Enable Cloud Armor on the load balancer
B.Configure a fault injection policy in Traffic Director
C.Create a new backend service with different instance group
D.Configure a health check for the fault injection service
E.Apply a traffic splitting rule to direct a percentage of traffic to the fault injection policy
AnswersB, E

The fault injection policy itself carries the delay and abort settings and the percentage of matched requests each applies to.

Why this answer

In Traffic Director a faultInjectionPolicy (a delay with fixedDelay and percentage, an abort with httpStatus and percentage) is attached to a URL map route rule, and Traffic Director pushes it to the Envoy HTTP fault filter. The key pairs it with a traffic-splitting rule so the fault reaches only a chosen subset of traffic; note, though, that the policy's own percentage fields already bound how many matched requests are affected. Cloud Armor, an extra backend service and a health check play no part in injecting faults.

7
MCQmedium

You need to configure a health check for a gRPC-based backend service. Which protocol should you use for the health check?

B.TCP
D.gRPC
AnswerD

gRPC health check is specifically designed to check gRPC service health.

Why this answer

Health checks support HTTP, HTTPS, HTTP2, TCP, SSL, and gRPC. For gRPC backends, a gRPC health check is the most appropriate as it reflects the application health. The other protocols may not accurately indicate gRPC service health.

8
MCQhard

An engineer wants to use Cloud DNS to override DNS responses for a specific domain within their VPC. Which feature should they use?

A.Private zone
B.Response policy zone (RPZ)
C.DNSSEC
D.Routing policy
AnswerB

Correct: RPZ allows custom DNS responses for domains.

Why this answer

Response policy zones (RPZ) allow overriding DNS responses for specified domains within a VPC.

9
MCQhard

A company is using Traffic Director with Envoy sidecar proxies to manage traffic between microservices. They want to gradually shift 5% of traffic from version v1 to v2 of a service for testing. Which Traffic Director resource should they configure?

A.Define a weighted traffic split in the HTTP route rule of the Traffic Director route configuration
B.Use the Envoy runtime to dynamically adjust traffic percentages
C.Create a new backend service for v2 and set the traffic split in the backend service
D.Configure a weighted round-robin routing policy in Cloud DNS
AnswerA

Traffic Director uses route rules with weighted clusters to split traffic.

Why this answer

Traffic Director supports traffic splitting via weighted routing in the HTTP route configuration, not in the backend service. The traffic splitting is done at the routing level.

10
MCQmedium

A company is deploying a global web application on Google Cloud. They need to serve traffic from the closest region to users, support both HTTP and HTTPS, and offload SSL/TLS termination at the load balancer. Which load balancing solution should they use?

A.Global SSL Proxy Load Balancer
B.Regional External HTTP(S) Load Balancer
D.Global TCP Proxy Load Balancer
AnswerC

The Global HTTPS LB provides SSL offload, anycast IP, and URL-based routing.

Why this answer

The Global HTTPS Load Balancer is a layer 7 proxy that can terminate SSL/TLS, route traffic based on URL maps, and serve users from the closest region via anycast IP. It supports both HTTP and HTTPS.

11
MCQhard

A security team wants to serve private content through Cloud CDN but restrict access to only authorized users. They need to generate time-limited URLs that do not require users to log in. Which approach should they use?

A.Use Cloud CDN signed URLs
B.Use IAM permissions on the bucket
C.Use Cloud CDN signed cookies
D.Enable Cloud CDN and set the bucket to public
AnswerA

Signed URLs provide time-limited access without user login.

Why this answer

Signed URLs allow generating time-limited URLs for private content without requiring user login. Signed cookies are for multiple URLs. Public buckets or IAM are not suitable.

12
MCQeasy

You need to configure Cloud CDN to cache all content from a backend bucket, ignoring any Cache-Control headers sent by the origin. Which cache mode should you use?

A.USE_ORIGIN_HEADERS
B.CACHE_ALL_STATIC
C.DYNAMIC_MODE
D.FORCE_CACHE_ALL
AnswerD

Correct: forces caching regardless of origin headers.

Why this answer

FORCE_CACHE_ALL ignores origin headers and caches all responses for the specified TTL.

13
Multi-Selectmedium

A company wants to use Traffic Director to implement circuit breaking for their microservices. Which two resources must be configured to enable circuit breaking? (Choose TWO.)

Select 1 answer
A.Traffic Director cluster
B.Traffic Director service
C.Traffic Director route
D.Envoy filter
E.Health check configuration
AnswersA

Circuit-breaker thresholds are configured on the backend service, which Traffic Director renders as an Envoy cluster.

Why this answer

Traffic Director maps each backend service to an Envoy cluster. The backend service's circuitBreakers block (maxConnections, maxPendingRequests, maxRequests, maxRequestsPerConnection, maxRetries) becomes the cluster's circuit-breaker thresholds, and Envoy rejects new connections or requests once a threshold is reached. A route rule selects a backend but does not limit it, a health check only decides endpoint health, and a hand-written Envoy filter is not how Traffic Director exposes this setting.

14
MCQmedium

A developer wants to use Cloud CDN to cache content from a backend bucket. They want to cache all objects regardless of cache-control headers, but need to exclude certain URL patterns (e.g., /private/*) from caching. Which cache mode should they choose?

A.FORCE_CACHE_ALL
B.CACHE_ALL_STATIC
C.DISABLED
D.USE_ORIGIN_HEADERS
AnswerA

FORCE_CACHE_ALL is the only mode that ignores Cache-Control. Excluding /private/* is done in the URL map, by routing that path to a separate backend with Cloud CDN disabled.

Why this answer

Cloud CDN cache modes: USE_ORIGIN_HEADERS caches only what the origin's Cache-Control allows; CACHE_ALL_STATIC caches static content types (by Content-Type) unless the origin marks the response private, no-store or no-cache; FORCE_CACHE_ALL caches every response for the configured default TTL regardless of origin headers. No cache mode excludes a path pattern (there is no "cache all except" mode), so pair FORCE_CACHE_ALL with a URL map path matcher that sends /private/* to a second backend bucket or backend service that has CDN disabled.

Treat FORCE_CACHE_ALL as a security setting, not just a performance one: applied to a backend that returns per-user or authenticated responses, it caches one user's response and serves it to the next requester with the same cache key. Keep it on backends that serve only public content that is identical for everyone.

15
MCQmedium

You are designing a multi-tier application where an internal HTTP(S) load balancer should route requests to a backend service based on the URL path (e.g., /api/* to one service, /web/* to another). Which component is essential for this routing?

A.Cloud NAT
B.VPC peering
C.URL map
D.Firewall rules
AnswerC

Correct: URL maps define content-based routing.

Why this answer

The Internal HTTP(S) Load Balancer uses a URL map to define path-based routing rules to backend services.

16
MCQeasy

Which Traffic Director feature ensures that a service does not receive more requests than it can handle by setting a maximum number of concurrent requests or connections?

A.Traffic splitting
B.Circuit breakers
C.mTLS
D.Fault injection
AnswerB

Circuit breakers enforce limits on connections/requests to prevent overload.

Why this answer

Circuit breakers are used to limit the number of concurrent connections or requests to a service to prevent overload. Fault injection is for testing. Traffic splitting is for gradual rollouts. mTLS is for mutual TLS authentication.

17
MCQhard

An organization has deployed an internal TCP/UDP load balancer in their VPC. They need to ensure that the load balancer preserves the client IP address when forwarding traffic to backend instances. Which configuration is required?

A.Configure the health check to use the client IP as source.
B.Enable Proxy Protocol on the load balancer.
C.Use a backend service with session affinity.
D.No configuration is needed; client IP is preserved by default.
AnswerD

Internal TCP/UDP LB is pass-through, so client IP is preserved automatically.

Why this answer

Internal TCP/UDP Load Balancers are pass-through load balancers (Layer 4). They preserve the client IP address by default because they forward packets directly without NAT, so the backend instances see the original source IP and no special configuration is needed. The practical consequence is that firewall rules on the backends must allow the real client source ranges (not a load balancer address) plus the health-check ranges 35.191.0.0/16 and 130.211.0.0/22.

18
MCQhard

A company uses Cloud DNS with a managed zone for example.com. They want to override DNS responses for a specific subdomain, mail.example.com, to point to an internal IP address when queried from within the VPC, but external queries should resolve normally. Which feature should they use?

A.DNS Security Extensions (DNSSEC)
B.Private DNS zone
C.Response Policy Zone (RPZ)
D.Routing policy (weighted or geo)
AnswerC

Correct. RPZ can override DNS responses for specific domains within a VPC.

Why this answer

Response Policy Zones (RPZ) allow you to override DNS responses for specific domains based on the source network. This is used for DNS filtering or overriding.

19
MCQmedium

A company has a TCP-based application running on a group of Compute Engine VMs in us-central1. They need to provide a static internal IP address to clients within the VPC, while preserving the client source IP for logging. Which load balancer should they use?

A.Regional Internal HTTP(S) Load Balancer
B.Regional Internal TCP/UDP Load Balancer
C.Regional External TCP/UDP Network Load Balancer
D.Global Internal HTTP(S) Load Balancer
AnswerB

Correct. Pass-through L4 load balancer that preserves client IP.

Why this answer

The Regional Internal TCP/UDP Load Balancer is a pass-through load balancer that preserves client IP. It provides a static internal IP and operates at L4.

20
MCQhard

A media company uses Cloud CDN with signed URLs to distribute premium video content. They need to revoke access for a specific user immediately. Which approach should they take?

A.Use Cloud CDN cache invalidation to remove the user's content
B.Add the user's IP address to a deny list in the load balancer
C.Delete the signed URL key that was used to sign the user's URL
D.Change the signing algorithm to SHA512
AnswerC

Deleting the key invalidates all URLs signed with that key, effectively revoking access.

Why this answer

Signed URLs are validated against keys registered on the backend; there is no per-user or per-URL revocation. Access ends either when the URL's Expires time passes or when the key named in the URL is deleted, which invalidates every URL signed with it. Cloud CDN keeps up to three keys per backend, so the normal pattern is rotation: add a new key, sign new URLs with it, then delete the old key. The edge checks the signature before serving even an already-cached object, so deleting the key takes effect immediately without a cache invalidation.

21
MCQhard

You are configuring a Regional Internal HTTP(S) Load Balancer for a service that must only be accessible from within a VPC. The backend is a zonal NEG of Compute Engine instances. The load balancer is not receiving traffic. What is a likely cause?

A.The zonal NEG is in a different zone than the forwarding rule
B.The health check is using TCP but the instances expect HTTP
C.The backend service is in a different region than the forwarding rule
D.The forwarding rule uses an external IP address
AnswerC

Backend service and forwarding rule must be in the same region.

Why this answer

Internal HTTP(S) LB requires an internal forwarding rule in the same region as the backend. The forwarding rule must use an internal IP address, and the backend service must be in the same region.

22
MCQmedium

A company runs a microservices application on Google Kubernetes Engine (GKE) with an Envoy sidecar proxy for each service. They want to use Traffic Director to apply traffic policies such as traffic splitting between versions and fault injection. Which API does Traffic Director use to configure Envoy proxies?

A.Traffic Director xDS API
B.gRPC API
C.Kubernetes Ingress API
D.Cloud Endpoints API
AnswerA

xDS (Discovery Service) is the standard API used by Envoy to receive dynamic configuration.

Why this answer

Traffic Director implements the Envoy xDS (Discovery Service) APIs to dynamically configure Envoy sidecar proxies with routing, load balancing, and health checking policies.

23
MCQmedium

An engineer is deploying a Regional External HTTP(S) Load Balancer to serve a web application on Compute Engine. They want to maintain the highest availability by automatically rerouting traffic away from unhealthy instances. Which additional configuration is required?

A.Enable connection draining on the backend service
B.Use a global load balancer instead
C.Configure a health check on the backend service
D.Set up a managed instance group with autoscaling
AnswerC

Health checks allow the load balancer to mark instances unhealthy and stop sending traffic.

Why this answer

Health checks are required to detect unhealthy instances. Without them, the load balancer will route traffic to any instance in the backend service. Autoscaling and managed instance groups are not mandatory for basic health checking but are recommended.

24
MCQmedium

An engineer is configuring a Global HTTPS Load Balancer with a backend service that points to a serverless NEG for Cloud Functions. The health checks are failing. What is the most likely cause?

A.The health check path is incorrect
B.Serverless NEGs do not support health checks
C.The backend service is not associated with the correct URL map
D.The health check protocol is set to HTTP instead of HTTPS
AnswerB

Health checks are not supported for serverless NEGs. They must be disabled or omitted.

Why this answer

Serverless NEGs do not support health checks. The load balancer relies on the underlying Cloud Functions being healthy. Health checks must be disabled for serverless backends.

25
MCQmedium

A company wants to expose a web application running on Cloud Run globally with a single anycast IP address, using HTTP(S) load balancing and Cloud CDN for static content. The application should be accessible at https://app.example.com. What is the correct configuration?

A.Create a global SSL Proxy load balancer with a Cloud Run backend bucket.
B.Create a global external HTTP(S) load balancer with a serverless NEG that points to the Cloud Run service.
C.Create a global TCP Proxy load balancer with a hybrid connectivity NEG.
D.Create a regional external HTTP(S) load balancer with a serverless NEG.
AnswerB

Global HTTPS LB with serverless NEG provides global anycast IP, CDN integration, and supports Cloud Run.

Why this answer

Global HTTPS LB with serverless NEG targeting Cloud Run is the best practice for globally exposing serverless workloads with CDN. The other options either lack CDN (SSL Proxy), are regional (regional LB), or use incorrect NEG type (hybrid NEG for on-prem).

26
MCQeasy

You need to configure SSL certificates for a Global HTTPS Load Balancer. The certificate should be automatically provisioned and managed by Google. Which type of certificate should you use?

A.Google-managed certificate
B.Compute Engine instance certificate
C.Certificate Authority Service certificate
D.Self-managed certificate
AnswerA

Correct: Google manages provisioning and renewal.

Why this answer

Google-managed certificates are automatically provisioned and renewed for load balancers. Provisioning completes only once the certificate is attached to a target HTTPS proxy and the domain's DNS resolves to the load balancer's IP; until the certificate status is ACTIVE, HTTPS handshakes fail, so keep a self-managed certificate attached during a cutover if downtime matters.

27
MCQmedium

You need to migrate traffic gradually from an old version of a microservice to a new version using Traffic Director. You want to send 10% of traffic to the new version and 90% to the old version. Which configuration should you use?

A.Configure a weighted destination rule in the Envoy route with weights 9:1.
B.Create two separate backend services and use a URL map to distribute traffic.
C.Set circuit breaker thresholds to limit connections to the new version.
D.Use a health check to gradually remove the old version instances.
AnswerA

Traffic splitting is expressed as relative weights on backend services in the route rule; Envoy renders it as a weighted-cluster route.

Why this answer

In Traffic Director the split lives in the URL map route rule's routeAction as weightedBackendServices: the v1 backend service with weight 90 and the v2 backend service with weight 10 (weights are relative, 0 to 1000, and a backend's share is its weight divided by the sum). Traffic Director pushes this to Envoy as a weighted-cluster route. Two backend services are indeed required, but a plain URL map path rule (B) cannot express a percentage; circuit-breaker thresholds (C) and health checks (D) limit or remove capacity rather than splitting traffic.
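Questions 3, 6, 9 and 27 all come down to the shape of a URL map route rule: a weightedBackendServices list for the split and a faultInjectionPolicy for delays and aborts. The following is an added example, not code from the page or from Google, that builds and validates such a rule and wraps it in a URL map document of the kind `gcloud compute url-maps import` accepts. Field names follow the Compute API (routeRules, matchRules, routeAction, weightedBackendServices, faultInjectionPolicy); the backend-service names are placeholders (in a real map they are full selfLinks) and the range checks mirror the documented limits (weights 0..1000, percentages 0..100, abort status 200..599).

```python
import json


def weighted_split(prefix, services_with_weights, priority=1):
    """Build one routeRule that splits traffic between backend services.

    services_with_weights maps a backend service (name or selfLink) to a
    relative weight in 0..1000; a backend's share is weight / sum of weights.
    """
    if not services_with_weights:
        raise ValueError("need at least one backend service")
    for svc, weight in services_with_weights.items():
        if not 0 <= weight <= 1000:
            raise ValueError(f"weight for {svc} out of range 0..1000: {weight}")
    if sum(services_with_weights.values()) == 0:
        raise ValueError("all weights are zero; no backend could be selected")
    return {
        "priority": priority,
        "matchRules": [{"prefixMatch": prefix}],
        "routeAction": {
            "weightedBackendServices": [
                {"backendService": svc, "weight": weight}
                for svc, weight in services_with_weights.items()
            ]
        },
    }


def with_fault_injection(rule, delay_seconds=None, delay_pct=0.0,
                         abort_status=None, abort_pct=0.0):
    """Attach a faultInjectionPolicy to the rule's routeAction.

    The percentages are part of the policy itself, so the blast radius is
    bounded here; no separate traffic-split rule is needed for that.
    """
    for name, pct in (("delay", delay_pct), ("abort", abort_pct)):
        if not 0.0 <= pct <= 100.0:
            raise ValueError(f"{name} percentage must be 0..100, got {pct}")
    policy = {}
    if delay_seconds is not None and delay_pct > 0:
        whole = int(delay_seconds)
        policy["delay"] = {
            "fixedDelay": {"seconds": whole,
                           "nanos": int(round((delay_seconds - whole) * 1e9))},
            "percentage": delay_pct,
        }
    if abort_status is not None and abort_pct > 0:
        if not 200 <= abort_status <= 599:
            raise ValueError("abort httpStatus must be 200..599")
        policy["abort"] = {"httpStatus": abort_status, "percentage": abort_pct}
    rule["routeAction"]["faultInjectionPolicy"] = policy
    return rule


def traffic_share(rule):
    """Fraction of matched requests each backend service receives."""
    backends = rule["routeAction"]["weightedBackendServices"]
    total = sum(b["weight"] for b in backends)
    return {b["backendService"]: b["weight"] / total for b in backends}


def url_map(name, default_service, rules):
    """Wrap route rules in a URL map with a catch-all host rule."""
    return {
        "name": name,
        "defaultService": default_service,
        "hostRules": [{"hosts": ["*"], "pathMatcher": "pm-default"}],
        "pathMatchers": [{"name": "pm-default",
                          "defaultService": default_service,
                          "routeRules": rules}],
    }


if __name__ == "__main__":
    # 90/10 canary (question 9/27) with a 5 s delay on 10 % of requests (question 3).
    rule = weighted_split("/checkout", {"bs-checkout-v1": 90, "bs-checkout-v2": 10})
    rule = with_fault_injection(rule, delay_seconds=5, delay_pct=10.0)
    print(json.dumps(url_map("td-checkout-map", "bs-checkout-v1", [rule]), indent=2))
```

For Traffic Director the backend services referenced here must use the INTERNAL_SELF_MANAGED load-balancing scheme; the same rule structure also applies to the Envoy-based external and internal HTTP(S) load balancers.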

28
MCQeasy

What is the purpose of a Response Policy Zone (RPZ) in Cloud DNS?

A.To override DNS responses for specified domains (e.g., block or redirect)
B.To route traffic based on geographic location of the requester
C.To enable weighted round-robin load balancing for multiple IPs
D.To create private DNS zones within a VPC
AnswerA

RPZ allows overriding DNS responses for policy enforcement.

Why this answer

RPZ allows you to override DNS responses for specific domains, often used for security (malware filtering) or policy enforcement. It is not for routing traffic, private zones, or load balancing.

29
MCQeasy

Which load balancer type preserves the client source IP address and can be used for TCP/UDP traffic on a specific port, passing traffic through to backend instances without proxy overhead?

A.Regional Internal TCP/UDP Load Balancer
B.Global External TCP Proxy Load Balancer
C.Regional External TCP/UDP Network Load Balancer
D.Global External HTTPS Load Balancer
AnswerC

Correct: pass-through LB preserves client IP.

Why this answer

The Regional External TCP/UDP Network Load Balancer is a pass-through load balancer that preserves client IP and handles TCP/UDP traffic.

30
MCQmedium

A company wants to serve private content from Cloud CDN using signed URLs that expire after 1 hour. Which steps are required to enable this?

A.Set the cache mode to FORCE_CACHE_ALL and enable private access.
B.Pass the signing key in the X-Goog-Signed-URL header on each request.
C.Create a signing key in Cloud CDN, then generate signed URLs with expiration using that key.
D.Enable IAP on the backend and generate signed URLs using the IAP client ID.
AnswerC

Correct: signing keys are created in Cloud CDN, and signed URLs are generated client-side with the key.

Why this answer

Signed URLs require a signing key registered on the backend bucket or backend service (with gcloud compute backend-buckets add-signed-url-key, or the backend-services equivalent) and URLs generated programmatically with Expires, KeyName and an HMAC-SHA1 Signature appended as query parameters. The key itself is never sent by the client; only the signature travels in the URL, and the edge recomputes it with the stored key and checks the expiry. IAP is not involved, and a cache mode alone does not enable signed URLs.
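The signing and checking steps behind questions 11, 20 and 30, as an added example that is not part of the page or of Google's own tooling. sign_url follows the documented Cloud CDN format (Expires, KeyName, then a base64url HMAC-SHA1 Signature over everything before it); verify_signed_url is a model of what the edge does, included so the revocation behaviour from question 20 can be seen: remove the key and every URL signed with it fails. The key name and key bytes are constructed for illustration; a real key comes from a CSPRNG and is registered on the backend.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Constructed for the example: in production generate 16 random bytes
# (head -c 16 /dev/urandom | base64 | tr '+/' '-_') and register them on the backend.
EXAMPLE_KEY_NAME = "cdn-key-2024q1"          # assumed name, any registered name works
EXAMPLE_KEY_B64 = base64.urlsafe_b64encode(b"0123456789abcdef").decode()


def sign_url(url, key_name, key_b64, expires_at):
    """Append Expires, KeyName and Signature to url (Cloud CDN signed-URL format)."""
    url = url.strip()
    separator = "&" if urlsplit(url).query else "?"
    url_to_sign = f"{url}{separator}Expires={int(expires_at)}&KeyName={key_name}"
    key = base64.urlsafe_b64decode(key_b64)
    digest = hmac.new(key, url_to_sign.encode("utf-8"), hashlib.sha1).digest()
    signature = base64.urlsafe_b64encode(digest).decode("utf-8")
    return f"{url_to_sign}&Signature={signature}"


def verify_signed_url(signed_url, keys, now=None):
    """Model of the edge check. keys maps KeyName -> base64url key material.

    Recomputes the HMAC over everything before the trailing &Signature=,
    compares in constant time, then enforces Expires. Signature must be the
    last parameter, so anything appended after it breaks the check.
    """
    now = time.time() if now is None else now
    if "&Signature=" not in signed_url:
        return False
    unsigned, _, presented = signed_url.rpartition("&Signature=")
    params = dict(p.split("=", 1) for p in urlsplit(unsigned).query.split("&") if "=" in p)
    key_b64 = keys.get(params.get("KeyName", ""))
    if key_b64 is None:                      # deleted or unknown key: revoked
        return False
    try:
        expires = int(params.get("Expires", ""))
    except ValueError:
        return False
    key = base64.urlsafe_b64decode(key_b64)
    digest = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha1).digest()
    expected = base64.urlsafe_b64encode(digest).decode("utf-8")
    if not hmac.compare_digest(expected, presented):
        return False
    return now < expires


if __name__ == "__main__":
    one_hour = int(time.time()) + 3600
    url = sign_url("https://cdn.example.com/video/ep1.mp4", EXAMPLE_KEY_NAME, EXAMPLE_KEY_B64, one_hour)
    print(url)
    print("valid:", verify_signed_url(url, {EXAMPLE_KEY_NAME: EXAMPLE_KEY_B64}))
    print("after key deletion:", verify_signed_url(url, {}))
```

The generator never needs network access, which is why signed URLs suit short-lived links handed out by an application server: the server holds the key, the client holds only a URL that stops working at Expires or when the key is rotated out.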

31
Multi-Selectmedium

A company uses Cloud DNS with a managed zone for 'example.com'. They want to implement a failover routing policy so that if the primary health check fails, traffic is sent to a secondary IP. Which THREE resources need to be configured? (Choose three.)

Select 3 answers
A.A DNS record set of type A with a routing policy
B.A health check for the primary endpoint
C.A network tag on the Compute Engine instances
D.A load balancer to front the endpoints
E.A failover routing policy configured on the record set
AnswersA, B, E

The record set defines the DNS name and routing behavior.

Why this answer

To set up failover routing, you need a DNS record set with a routing policy, a health check for the primary endpoint, and the failover policy on that record set naming the primary and backup targets. A network tag is not used in DNS. A load balancer is not required as a front end, although for the health check to drive the failover the targets must be ones Cloud DNS can health check, which in a private zone means internal load balancer forwarding-rule addresses; arbitrary IPs with no health check simply never fail over.

32
MCQeasy

You need to create a serverless Network Endpoint Group (NEG) to attach to a Global HTTPS Load Balancer backend for a Cloud Run service. Which command should you use?

A.gcloud compute backend-services create backend-name --load-balancing-scheme=EXTERNAL --protocol=HTTP --global
B.gcloud compute network-endpoint-groups create neg-name --network-endpoint-type=serverless --cloud-run-service=my-service --region=us-central1
C.gcloud compute instance-groups unmanaged create neg-name --zone=us-central1-a
D.gcloud compute network-endpoint-groups create neg-name --network-endpoint-type=gce-vm-ip-port --zone=us-central1-a
AnswerB

This creates a serverless NEG pointing to the Cloud Run service.

Why this answer

The correct command uses 'gcloud compute network-endpoint-groups create' with the '--network-endpoint-type=serverless' option and specifies the Cloud Run service via '--cloud-run-service'.

33
MCQmedium

An organization wants to serve private content via Cloud CDN, ensuring that only authorized users can access cached objects. They need to generate time-limited access for specific URLs. Which method should they use?

A.Set the Cache-Control header to private
B.Use signed URLs with a private key
C.Use Cloud Armor to restrict access by IP
D.Use signed cookies to restrict access
AnswerB

Correct. Signed URLs provide time-limited access to specific URLs.

Why this answer

Signed URLs allow you to grant time-limited access to specific URLs. Signed cookies are for sets of URLs, and Cloud Armor is for WAF, not authorization.

34
MCQeasy

A company wants to expose a web application running on Cloud Run globally with the lowest latency and automatic SSL termination. Which load balancer should they use?

A.Regional Internal HTTP(S) Load Balancer
C.Regional External HTTP(S) Load Balancer
D.Global SSL Proxy Load Balancer
AnswerB

Correct choice: supports HTTP(S) traffic, serverless NEGs, global anycast, and SSL termination.

Why this answer

Global HTTPS Load Balancer supports serverless NEGs for Cloud Run and provides global anycast IP, automatic SSL, and integration with Cloud CDN.

35
MCQhard

An engineer configures a Global HTTPS Load Balancer with a backend service pointing to an instance group. The health check is set to HTTP on port 80, check interval 5s, timeout 5s, healthy threshold 1, unhealthy threshold 1. After deployment, instances are marked unhealthy despite the application responding correctly on port 80. What is the most likely cause?

A.The health check is using HTTPS but the instance expects HTTP
B.The unhealthy threshold is set too high
C.The health check is not configured with a host header
D.The health check timeout is equal to the check interval
AnswerD

The key's reasoning: timeout (5s) equals interval (5s), leaving no slack between probes.

Why this answer

The key's argument is that with the timeout equal to the check interval, a slow response can be scored as a failure before the next probe starts, and with an unhealthy threshold of 1 a single such failure flips the instance. Take that with care: the Compute API only requires timeoutSec to be no greater than checkIntervalSec, and 5s/5s is in fact the default for a new health check, so equal values are accepted. In practice the first thing to verify when correctly responding instances are marked unhealthy is the firewall: probes for a global external HTTP(S) load balancer come from 35.191.0.0/16 and 130.211.0.0/22 and must be allowed to port 80 on the instances, and the request path must return 200 to the probe.

36
Multi-Selectmedium

A company wants to set up a Regional Internal HTTP(S) Load Balancer to serve an internal web application. Which two components are required? (Choose two.)

Select 2 answers
A.Cloud CDN
B.An SSL certificate
C.An Envoy-based proxy
D.A global forwarding rule
E.Backend service with a NEG of type GCE_VM_IP_PORT or GCE_VM_IP
AnswersC, E

Correct: Internal HTTP(S) LB uses Envoy proxy.

Why this answer

Regional Internal HTTP(S) LB is built on Google-managed Envoy proxies and needs a backend service whose backends are instance groups or NEGs of type GCE_VM_IP_PORT or GCE_VM_IP. It uses a regional (not global) forwarding rule, needs no SSL certificate for plain HTTP, and Cloud CDN is not available on it. One prerequisite not among the options: a proxy-only subnet (purpose REGIONAL_MANAGED_PROXY) in the region for the Envoy proxies, whose range the backend firewall rules must allow, since backends see connections from that subnet rather than from the original client.

37
Multi-Selectmedium

You are configuring a Global External HTTPS Load Balancer. Which TWO components are required to route traffic to a Cloud Run service via a serverless NEG? (Select two.)

Select 2 answers
A.Serverless NEG
B.Backend service
C.Health check
D.Target proxy
E.URL map
AnswersA, B

Required: the serverless NEG names the Cloud Run service, and the backend service is what the URL map points at.

Why this answer

A serverless NEG is the backend that points to a Cloud Run service, and a backend service is needed to hold it (a URL map and target proxy are also part of any HTTP(S) load balancer, but of the listed pairs only A and B are specific to reaching Cloud Run). A health check is not one of them: serverless NEGs do not support health checks, so the backend service is created without one.

38
MCQhard

A company uses a Global HTTPS Load Balancer with Cloud CDN. They need to purge specific cached objects for all users immediately after a content update. Which method should they use?

A.Delete the objects from the backend bucket
B.Use signed URLs
C.Reduce TTL on the origin
D.Cache invalidation
AnswerD

Correct: cache invalidation immediately removes specified objects from cache.

Why this answer

Cache invalidation allows purging specific URLs or URL prefixes from Cloud CDN caches.

39
MCQeasy

An organization wants to distribute incoming HTTPS traffic across a set of Compute Engine instances in multiple regions, with SSL termination at the Google Cloud edge. They also need to protect against DDoS attacks at the edge. Which load balancing solution should they choose?

B.External TCP/UDP Network Load Balancer
C.Global External HTTP(S) Load Balancer
D.Regional External HTTP(S) Load Balancer
AnswerC

Correct. It provides global SSL termination and Cloud Armor integration.

Why this answer

Global HTTPS Load Balancer is an external, global, proxy-based load balancer that terminates SSL at the edge and integrates with Cloud Armor for DDoS protection. It distributes traffic across regions.

40
MCQmedium

You need to route traffic to different backend services based on the URL path: /api/* goes to a Cloud Run service, /static/* goes to a Cloud Storage bucket, and /* goes to a Compute Engine instance group. Which component of the Global HTTPS Load Balancer should you configure?

A.Backend service
B.Target HTTP proxy
C.Health check
D.URL map
AnswerD

URL map contains path matchers and rules to route to different backends.

Why this answer

The URL map defines how requests are routed to backend services based on host and path rules.

41
MCQhard

A company is using a Global SSL Proxy Load Balancer to terminate SSL and forward traffic to a backend service on Compute Engine. They need to preserve the client IP address in the backend logs. What should they do?

A.Enable Cloud CDN with origin header forwarding.
B.Enable Proxy Protocol on the SSL proxy load balancer and configure the backend to parse it.
C.Use a TCP Proxy Load Balancer with the proxy protocol enabled.
D.Configure the backend service to use the X-Forwarded-For header.
AnswerB

Proxy Protocol is the standard way to pass client IP through load balancers that terminate SSL.

Why this answer

SSL Proxy Load Balancer terminates SSL and forwards raw TCP to the backends, so by default the backends see the proxy's address, and since no HTTP layer is involved there is no X-Forwarded-For header to read (D). To preserve the client IP, enable PROXY protocol on the target SSL proxy; the load balancer then prepends a PROXY protocol version 1 header line carrying the client address to each connection, and the backend server must be configured to parse it, accepting it only from the load balancer's source ranges.

43
MCQhard

A company is migrating on-premises services to Google Cloud. They have a hybrid connectivity NEG that points to an on-premises endpoint via a Cloud VPN tunnel. The Traffic Director service mesh is configured to route traffic to that NEG. However, traffic to the on-premises service is failing with connection timeouts. What is the most likely cause?

A.The hybrid connectivity NEG is not supported with Traffic Director
B.The Cloud VPN tunnel is not established
C.Traffic Director requires mTLS for all hybrid endpoints
D.The on-premises firewall is blocking health check probes from Google Cloud
AnswerD

Health checks from Google Cloud must be allowed; if blocked, the NEG is marked unhealthy and traffic is not sent.

Why this answer

Hybrid connectivity NEGs require that the on-premises endpoint is reachable over Cloud VPN or Interconnect, and Traffic Director uses Google's centralized health checking for them: probes originate from 35.191.0.0/16 and 130.211.0.0/22, so the on-premises firewall must allow those ranges to the endpoint's port and a return route must exist (typically advertised by Cloud Router). If the probes are blocked, the endpoint is marked unhealthy and Envoy never sends traffic, which surfaces as timeouts. A VPN tunnel that is down (B) would also break things, but the question states the tunnel is in place, and neither A nor C is true.

44
Multi-Selectmedium

A company runs a microservices application on Google Kubernetes Engine (GKE) and wants to expose an HTTP service to the internet using a global HTTPS load balancer. They need to enable Cloud CDN for static content and use a custom domain with a Google-managed SSL certificate. Which three resources must be created? (Choose three.)

Select 3 answers
A.Cloud NAT gateway
B.URL map
C.Target TCP proxy
D.Backend service (pointing to the GKE NEG)
E.SSL certificate (Google-managed)
AnswersB, D, E

URL map routes incoming requests to backends.

Why this answer

To achieve this, you need a backend service (pointing to the GKE NEG, or a backend bucket for static assets) for the service, a URL map to route requests, and a Google-managed SSL certificate for the custom domain. A target HTTPS proxy and a forwarding rule are also part of the load balancer, but a target TCP proxy (C) is the wrong proxy type for HTTPS with a URL map, and Cloud NAT (A) handles egress, not inbound load balancing.

45
MCQmedium

An organization runs a stateful TCP application on a group of Compute Engine instances in us-central1. Clients must connect to the service using a single anycast IP address, and the load balancer must preserve the client source IP address. Which load balancing option meets these requirements?

A.External TCP/UDP Network Load Balancer
B.Internal TCP/UDP Load Balancer
C.Global external TCP Proxy Load Balancer
D.Global external HTTP(S) Load Balancer
AnswerA

This is a passthrough load balancer that preserves the client source IP. It is regional rather than anycast, but it is the only option that meets the source IP requirement.

Why this answer

No option satisfies both requirements. External TCP/UDP Network Load Balancer is regional and passthrough: it preserves the client IP but fronts the service with a single regional external IP, not a global anycast address. Global external TCP Proxy Load Balancer gives a single anycast IP but terminates the TCP connection, so backends see the proxy's address unless PROXY protocol is enabled. Internal TCP/UDP LB is not reachable from external clients, and the HTTP(S) load balancer is for HTTP. Because source IP preservation is a hard requirement and can be met only by a passthrough load balancer, the key picks A.

46
Multi-Select · medium

A company wants to use Cloud CDN to accelerate content delivery globally. Which TWO of the following are valid cache key components that can be configured in Cloud CDN? (Choose 2)

Select 2 answers
A. Client IP address
B. Query string parameters
C. Protocol (HTTP/HTTPS)
D. Request headers (e.g., Accept-Language)
E. Client port
Answers: B, C

Query string parameters can be included (all, specified, or excluded).

Why this answer

Cloud CDN allows you to configure cache keys based on protocol, host, query string parameters, and headers. IP address and client port are not configurable cache key components.

47
MCQ · medium

A company hosts a web application on Cloud Run and wants to serve content from a Cloud Storage bucket for static assets. They plan to use a global HTTPS load balancer with a URL map to route requests. Which backend type should they configure for the static content?

A. Backend bucket (Cloud Storage bucket)
B. Serverless NEG (Cloud Run)
C. Zonal NEG (Compute Engine)
D. Internet NEG (external endpoint)
Answer: A

Correct. Backend buckets serve static content from Cloud Storage.

Why this answer

Backend buckets are used to serve content from Cloud Storage buckets via a load balancer. Serverless NEGs are for Cloud Run/Functions, not Cloud Storage.

48
MCQ · easy

A company wants to expose a web application running on Cloud Run to the internet with a single global IP address, SSL termination, and Cloud CDN. Which load balancer should they use?

A. External TCP/UDP Network Load Balancer
B. Global External HTTP(S) Load Balancer
C. Global TCP Proxy Load Balancer
D. Regional External HTTP(S) Load Balancer
Answer: B

Correct. Supports serverless NEGs for Cloud Run, global IP, SSL, and CDN.

Why this answer

The Global HTTPS Load Balancer supports serverless backends via serverless NEG, provides SSL termination, Cloud CDN integration, and a single global IP address. The others are either regional or not suitable for serverless backends.

49
Multi-Select · hard

A company uses Traffic Director with Envoy proxies to manage east-west traffic. They want to implement fault injection to test the resilience of their service mesh. Which THREE types of faults can they inject? (Choose three.)

Select 3 answers
A. Delay (add a fixed latency to matching requests)
B. Throttle (limit the rate of requests)
C. Abort (return a specified HTTP status code)
D. Retry (automatically retry failed requests)
E. Timeout (set a maximum time for a request to complete)
Answers: A, B, C

Standard fault injection type.

Why this answer

Traffic Director supports fault injection for: abort (return an HTTP error), delay (add latency), and throttle (limit request rate). Timeout is a circuit breaker setting, not a fault injection. Retry is a routing feature, not a fault injection.

50
MCQ · hard

An organization configures a Global external HTTP(S) Load Balancer with Cloud CDN. They notice that some users are getting stale content even after they have invalidated the cache for specific objects. What is the most likely reason?

A. The URL map is routing to the wrong backend
B. Invalidation requests are queued and take time to propagate globally
C. The objects were cached with a very long TTL
D. Cloud CDN does not support invalidation for backend buckets
Answer: B

Cache invalidation can take minutes to propagate to all edge locations.

Why this answer

Cache invalidation removes objects from cache but does not prevent new requests from being served stale content if the origin returns a 304 Not Modified or if there is a propagation delay. However, the most common cause is that the invalidation has not propagated to all edge caches yet.

51
MCQ · hard

You are using Cloud CDN with a backend bucket and want to cache all responses regardless of Cache-Control headers. Which cache mode should you set?

A. CACHE_ALL_STATIC
B. FORCE_CACHE_ALL
C. USE_ORIGIN_HEADERS
D. DISABLED
Answer: B

FORCE_CACHE_ALL caches all responses regardless of Cache-Control headers.

Why this answer

FORCE_CACHE_ALL overrides origin Cache-Control headers and caches all responses. CACHE_ALL_STATIC attempts to cache static content but respects Cache-Control. USE_ORIGIN_HEADERS respects origin headers.

52
MCQ · medium

You need to create a load balancer that distributes traffic across Compute Engine instances in multiple regions for a TCP application without SSL offload. The clients should connect to a single anycast IP. Which load balancer should you use?

A. External TCP/UDP Network Load Balancer
B. Global external TCP Proxy Load Balancer
C. Global external SSL Proxy Load Balancer
D. Internal TCP/UDP Load Balancer
Answer: B

Provides a single anycast IP for TCP traffic, supports multiple regions, and can be used without SSL offload.

Why this answer

Global external TCP Proxy Load Balancer provides a single anycast IP and handles TCP traffic without SSL offload (though it supports SSL offload optionally). It is the only global TCP load balancer that does not require SSL termination.

53
Multi-Select · medium

A company needs to load balance TCP traffic without SSL termination for a gaming application where client IP preservation is critical. The backend is a group of Compute Engine instances. Which load balancer types meet these requirements? (Choose TWO.)

Select 2 answers
A. Regional External TCP/UDP Network Load Balancer
B. Global TCP Proxy Load Balancer
C. Regional Internal TCP/UDP Load Balancer
D. Global SSL Proxy Load Balancer
Answers: A, B

It is pass-through and preserves client IP by default.

Why this answer

The Global TCP Proxy Load Balancer does not terminate SSL; it forwards TCP traffic, but it does not preserve the client IP by default (the client IP can be passed to the backends using the PROXY protocol). The Regional External TCP/UDP Network Load Balancer is pass-through and preserves the client IP. The Internal TCP/UDP LB is also pass-through, but it is internal only.

For external TCP without SSL termination and client IP preservation, the best options are the Regional External TCP/UDP NLB (pass-through) and a Global TCP Proxy with Proxy Protocol enabled (which can preserve IP via Proxy Protocol).

54
MCQ · medium

A company wants to expose a globally distributed application using Cloud Run via a single anycast IP address, with SSL termination and content-based routing to different backend services. Which load balancer should they use?

A. Global External HTTPS Load Balancer
B. Global External SSL Proxy Load Balancer
C. Regional External HTTP(S) Load Balancer
D. Global External TCP Proxy Load Balancer
Answer: A

Correct: provides global anycast IP, SSL termination, URL map for content-based routing, and can use serverless NEGs for Cloud Run.

Why this answer

The Global External HTTPS Load Balancer provides a single anycast IP, SSL termination, and content-based routing via URL maps to backends like serverless NEGs pointing to Cloud Run.

55
MCQ · medium

A company wants to use Cloud DNS to distribute traffic across multiple regional endpoints with failover: primary in us-central1, secondary in us-west1. If the primary health check fails, traffic should go to secondary. Which routing policy should they use?

A. Geolocation routing policy
B. Weighted round robin routing policy
C. Failover routing policy
D. Simple routing policy (A record)
Answer: C

Correct. Failover routing policy supports primary/backup with health checks.

Why this answer

Failover routing policy allows specifying primary and secondary targets with health checks. Geolocation and weighted round robin do not provide failover behavior.

56
MCQ · medium

A company wants to enable mTLS between microservices in a service mesh managed by Traffic Director. They have deployed Envoy sidecars. What must be configured to enforce mTLS?

A. An SSL policy on the load balancer
B. A VPC Service Controls perimeter
C. A Cloud Armor security policy
D. The mTLS mode in Traffic Director's mesh configuration
Answer: D

Correct: setting mTLS mode to strict enforces mTLS.

Why this answer

Traffic Director applies the mTLS mode through the Envoy configuration it distributes to the sidecars. The correct way to enforce mTLS is to set the tls_mode to STRICT in Traffic Director's mesh configuration.

57
Multi-Select · hard

A company uses Traffic Director with Envoy sidecars. They want to implement traffic splitting to gradually migrate traffic from version v1 to v2 of a service. Which TWO resources must be configured? (Select two.)

Select 2 answers
A. Health check
B. Firewall rule
C. Cloud CDN cache key
D. TrafficDirectorRoute with traffic splitting rules
E. Backend service with weighted backends
Answers: D, E

Correct: the route rule specifies the percentage distribution.

Why this answer

Traffic splitting in Traffic Director is configured via routing rules (TrafficDirectorRoute) and backend services (or weighted backends).

58
MCQ · easy

A team is using Traffic Director with Envoy sidecars. They want to enforce mutual TLS (mTLS) between services. Which configuration must be enabled?

A. Configure SSL certificates on each Envoy sidecar manually
B. Use Cloud NAT to hide internal IPs
C. Enable mTLS in the Traffic Director mesh configuration
D. Enable Cloud Armor on the service
Answer: C

Correct. Mesh TLS settings in Traffic Director enforce mTLS.

Why this answer

Traffic Director supports mTLS through the Mesh TLS configuration, which enforces TLS mutual authentication between sidecars.

59
Multi-Select · hard

You are designing a global web application that uses Cloud Run for the backend and Cloud Storage for static assets. You need to serve content securely over HTTPS with a custom domain, using Cloud CDN for caching. Which resources must be created or configured? (Choose three.)

Select 3 answers
A. Zonal NEG for Cloud Run
B. SSL certificate resource
C. URL map
D. Identity-Aware Proxy (IAP)
E. Global external HTTP(S) load balancer
Answers: B, C, E

SSL certificate is required for HTTPS.

Why this answer

The architecture is a Global HTTPS LB with a backend bucket (for Cloud Storage) and a serverless NEG (for Cloud Run). An SSL certificate is needed for HTTPS, and a URL map is required for routing. IAP is for authentication and is not required; a zonal NEG is not used for Cloud Run.

60
Multi-Select · medium

A company runs a stateful TCP application on a zonal Managed Instance Group (MIG). They need to expose it to the internet using a load balancer that preserves the client IP address. Which TWO load balancer types meet this requirement? (Choose two.)

Select 2 answers
A. Global External HTTPS Load Balancer
B. Regional External HTTP(S) Load Balancer
C. Regional Internal TCP/UDP Network Load Balancer
D. Global SSL Proxy Load Balancer
E. Regional External TCP/UDP Network Load Balancer
Answers: C, E

Passthrough, preserves client IP.

Why this answer

Both Regional External TCP/UDP Network Load Balancer and Regional Internal TCP/UDP Network Load Balancer are passthrough load balancers that preserve the client IP. The Global HTTPS LB, Global SSL Proxy LB, and Regional External HTTP(S) LB are proxy load balancers that terminate connections and do not preserve client IP.

61
MCQ · hard

A network engineer configures a Global external HTTP(S) Load Balancer with a serverless NEG backend pointing to Cloud Run. The load balancer returns 502 Bad Gateway errors. What is the most likely cause?

A. The URL map is misconfigured
B. The SSL certificate is expired
C. The serverless NEG is not supported for Cloud Run
D. The Cloud Run service has ingress set to 'internal'
Answer: D

If ingress is set to internal, the load balancer (external) cannot reach the service. It must be set to 'all' or use a VPC connector.

Why this answer

Serverless NEG for Cloud Run requires that the Cloud Run service is publicly accessible or that the ingress is set to allow all traffic. Additionally, the load balancer's health checks must pass. A common cause is that the Cloud Run service has ingress restricted to internal traffic only.

62
MCQ · medium

Your company uses Cloud DNS with a managed zone for example.com. You need to override DNS responses for a specific domain (e.g., internal.example.com) to point to an internal IP address. Which Cloud DNS feature should you use?

A. DNS forwarding zones
B. Response policies (RPZ)
C. Peering zones
D. Managed zones with private visibility
Answer: B

Response policies allow you to override DNS responses based on rules.

Why this answer

Cloud DNS response policies (RPZ) allow you to override DNS responses for domains within a VPC. You can create a response policy with rules that modify DNS responses for specified domains.

63
MCQ · medium

A company wants to use Cloud CDN to cache content from a backend bucket. They need to cache all objects, including those with cookies, to maximize performance. Which cache mode should they select?

A. CACHE_ALL_STATIC
B. USE_ORIGIN_HEADERS
C. CACHE_ALL
D. FORCE_CACHE_ALL
Answer: D

This mode forces caching of all responses, overriding any no-cache directives.

Why this answer

Cloud CDN cache modes: CACHE_ALL_STATIC caches static content based on cache directives, USE_ORIGIN_HEADERS respects origin headers, FORCE_CACHE_ALL forces caching for all responses regardless of headers. FORCE_CACHE_ALL is used to override origin headers and cache everything.

64
MCQ · easy

A company wants to expose a web application running on Compute Engine behind a global HTTPS load balancer with Cloud CDN enabled. They need to ensure that only authenticated users can access certain content. Which approach should they use?

A. Generate signed URLs or signed cookies for Cloud CDN.
B. Use Cloud Armor to restrict access by IP address.
C. Use Cloud IAP to authenticate users at the load balancer.
D. Configure the backend bucket with a custom header for authentication.
Answer: A

Signed URLs and signed cookies are the correct way to restrict access to private content served via Cloud CDN.

Why this answer

Cloud CDN supports signed URLs and signed cookies to restrict access to content. Signed URLs are used for individual files, while signed cookies work for multiple files. IAP is for access control at the load balancer level but not specifically for CDN content.

65
MCQ · medium

You want to distribute traffic across multiple GKE clusters in different regions with automatic failover if a region becomes unhealthy. Which Cloud DNS routing policy should you use?

A. Failover
B. Simple (no policy)
C. Weighted round robin
D. Geolocation
Answer: A

Correct: failover routing policy automatically switches to healthy targets.

Why this answer

Failover routing policy allows you to set primary and secondary targets; DNS automatically responds with the secondary if the primary is unhealthy.

66
MCQ · medium

A company uses Traffic Director with Envoy sidecars for service mesh. They want to gradually shift traffic from version 1 to version 2 of a service, starting with 10% traffic to version 2. Which Traffic Director feature should they use?

A. Traffic splitting
B. Circuit breakers
C. Fault injection
D. mTLS authentication
Answer: A

Traffic splitting allows you to assign weights to different backends for gradual rollout.

Why this answer

Traffic Director supports traffic splitting via the service routing API (TrafficDirectorService). You can define weighted destinations in the routing rule to split traffic between versions.

67
MCQ · hard

A company wants to use Cloud CDN to serve content from a custom origin that is not hosted on Google Cloud. They have enabled Cloud CDN with a backend bucket pointing to an external origin URL. However, content is not being cached. What is a likely reason?

A. The custom origin does not support HTTPS.
B. The origin is not configured in the backend bucket as an internet NEG.
C. The load balancer is a Global TCP Proxy, not HTTP.
D. The origin does not return Cache-Control or Expires headers.
Answer: D

Without caching headers, Cloud CDN will not cache unless FORCE_CACHE_ALL mode is enabled.

Why this answer

Cloud CDN with an external origin requires the origin to return explicit caching headers (Cache-Control or Expires) for responses to be cached. If the origin does not return them, Cloud CDN will not cache the content. The FORCE_CACHE_ALL cache mode can override this, but if it is not set, caching will not occur.

68
MCQ · medium

An engineer manages a global application using Global external HTTP(S) Load Balancer with URL map routing to multiple backend services. They want to enable Cloud CDN for the /images/* path. What is the correct way to enable CDN for that specific path?

A. Enable CDN on the backend service that serves /images/*
B. Use the gcloud compute url-maps add-path-matcher command with --cache-mode
C. Set a cache key header for /images/* in the URL map
D. Enable Cloud CDN at the load balancer level
Answer: A

Create a separate backend service for images with CDN enabled, and route /images/* to it via URL map.

Why this answer

To enable CDN for a specific path, you must create a backend bucket (or backend service with CDN enabled) and configure a URL map rule that routes the path /images/* to that backend. Enabling CDN on the backend service itself will apply to all paths served by that backend.

69
MCQ · hard

You are using Traffic Director with Envoy sidecars for a microservices application. You want to inject artificial delays into requests from service A to service B for testing purposes. Which Traffic Director feature should you use?

A. Fault injection
B. Traffic splitting
C. Circuit breakers
D. Outlier detection
Answer: A

Fault injection adds delays or aborts to test resilience.

Why this answer

Traffic Director supports fault injection, which allows you to inject delays and abort requests into the traffic between services.

70
MCQ · hard

A team is using Traffic Director with Envoy sidecars. They want to enforce mutual TLS (mTLS) between all services. Which component is responsible for issuing and distributing certificates to the Envoy proxies?

A. Envoy's built-in certificate management
B. Secret Manager
C. Google Cloud Certificate Authority Service
D. Cloud KMS
Answer: C

Traffic Director uses CAS or its own CA to issue and distribute certificates for mTLS.

Why this answer

Traffic Director integrates with Certificate Authority Service (CAS) or uses its own CA to issue certificates for mTLS. Envoy's SDS (Secret Discovery Service) can also be used, but Traffic Director manages the CA.

71
MCQ · medium

A company runs a global e-commerce platform with a monolithic application deployed on Compute Engine. They want to modernize by splitting the monolith into microservices running on Cloud Run and Cloud Functions, and expose them externally via a single anycast IP with Google-managed SSL certificates. Which load balancer should they use?

A. Global TCP Proxy Load Balancer
B. Regional External HTTPS Load Balancer
C. Global SSL Proxy Load Balancer
D. Global External HTTPS Load Balancer
Answer: D

Correct. It supports serverless NEGs, global anycast IP, and Google-managed SSL certificates.

Why this answer

The Global External HTTPS Load Balancer supports serverless NEGs for Cloud Run and Cloud Functions, provides an anycast IP, and offers Google-managed SSL certificates. The Regional External HTTPS LB is regional and does not provide global anycast. Neither the Global SSL Proxy LB nor the Global TCP Proxy LB supports serverless NEGs.

72
MCQ · hard

A company wants to expose an on-premises HTTP server to internet clients through a Global HTTPS Load Balancer using a hybrid connectivity NEG. The on-prem server is reachable via a Cloud VPN tunnel. What must the engineer configure to ensure the load balancer can reach the on-prem endpoint?

A. Use a global TCP proxy load balancer instead
B. Configure a firewall rule allowing health check ranges to the on-prem server
C. Create a static route in VPC pointing to the VPN tunnel for the on-prem IP
D. Deploy a proxy VM in the VPC to forward traffic to on-prem
Answer: C

A route is required so that packets from the load balancer reach the on-prem server via VPN.

Why this answer

Hybrid connectivity NEGs require a custom route that directs traffic to the on-prem network via the VPN tunnel. The load balancer's health check source ranges also need routes back. Firewall rules are necessary but not the primary routing requirement.

73
MCQ · easy

An organization wants to direct traffic from a global load balancer to an on-premises data center using a hybrid connectivity NEG. Which connectivity option must be in place for this to work?

A. Dedicated Interconnect without VLAN attachments
B. Cloud VPN or Cloud Interconnect
C. Direct peering with Google
D. VPC Network Peering
Answer: B

A Cloud VPN tunnel or Cloud Interconnect VLAN attachment is required to establish connectivity to on-premises.

Why this answer

Hybrid connectivity NEGs require a Cloud VPN tunnel or Cloud Interconnect VLAN attachment to connect GCP to on-premises. The NEG points to endpoints reachable over that connection.

74
MCQ · medium

You are configuring a health check for a backend service that expects gRPC health probing. Which protocol should the health check use to verify gRPC service health?

B. TCP
C. gRPC
Answer: C

Correct: gRPC health checks use the gRPC health protocol.

Why this answer

gRPC health checks use the gRPC protocol to query the standard gRPC health check endpoint.

75
MCQ · hard

A network engineer is configuring a global HTTPS load balancer with Cloud CDN. They want to cache responses based on the request origin, query parameters, and user agent. Which cache key configuration should they use?

A. Use the default cache key, which includes host, scheme, and URL
B. Set cache mode to CACHE_ALL_STATIC and enable query string whitelist
C. Enable custom cache keys and include the origin header, query string, and user-agent header
D. Create a signed URL to include the required parameters
Answer: C

Custom cache keys allow specifying which parameters to include.

Why this answer

Custom cache keys allow inclusion of specific request headers, query parameters, and other attributes. The other options are either not valid or insufficient.
