CCNA Pcne Implementing VPC Questions

25 of 100 questions · Page 2/2 · Pcne Implementing VPC topic

76
MCQ · hard

An organization needs to restrict access to Google Cloud APIs such that only traffic from a specific set of VMs inside a VPC can reach the APIs, and all other traffic (including from other VPCs) must be denied. The VMs do not have external IPs. Which combination of services should they use?

A. Private Service Connect and VPC Service Controls
B. Cloud NAT and VPC Service Controls
C. Private Google Access and VPC Service Controls
D. Cloud NAT and Private Google Access

Answer: C

Private Google Access enables VMs without external IPs to reach Google APIs; VPC Service Controls restrict to the specified VPC.

Why this answer

Private Google Access allows VMs without external IPs to reach Google APIs. VPC Service Controls can create a service perimeter that restricts access to APIs from only authorized VPCs.

77
MCQ · easy

What is the default Maximum Transmission Unit (MTU) for Compute Engine virtual machines?

A. 1460
B. 1500
C. 9001
D. 1400

Answer: A

1460 is the default MTU for Compute Engine instances.

Why this answer

GCP uses an MTU of 1460 for both VMs and the underlying network infrastructure.

78
MCQ · hard

An organization uses a hierarchical firewall policy at the organization level with a deny-all egress rule (priority 100). They also have a VPC-level firewall rule allowing egress to a specific external IP (priority 1000). Will traffic to that external IP be allowed?

A. Yes, because VPC firewall rules override hierarchical policies for the same traffic.
B. Yes, because the VPC rule has a higher priority number and is more specific.
C. No, because hierarchical firewall policies take precedence over VPC firewall rules.
D. No, because both rules deny and allow cancel out, resulting in default deny.

Answer: C

Hierarchical policies are evaluated first, and if they deny, traffic is denied regardless of VPC rules.

Why this answer

Hierarchical firewall policies are evaluated before VPC firewall rules and have higher precedence. A deny rule at the org level with priority 100 will override a VPC allow rule with lower priority (higher number).

79
MCQ · easy

A company wants to restrict access to Google Cloud APIs from a specific set of VMs based on the VM's service account. Which type of firewall rule target should be used?

A. Target tags
B. All instances
C. Source service accounts
D. Target service accounts

Answer: D

Target service accounts specify which instances to apply the rule to based on their service account.

Why this answer

Firewall rules can target instances by service account, allowing fine-grained control based on identity rather than network tags.

80
MCQ · medium

You need to protect an HTTPS load-balanced application from SQL injection and cross-site scripting attacks. Which Google Cloud service should you use?

A. Firewall Rules
B. Cloud IDS
C. VPC Service Controls
D. Cloud Armor

Answer: D

Cloud Armor offers WAF rules to protect against web attacks.

Why this answer

Cloud Armor provides Web Application Firewall (WAF) capabilities, including preconfigured rules to detect and block SQLi and XSS attacks. It attaches to HTTPS Load Balancers.

81
MCQ · easy

A company wants to protect its HTTP(S) Load Balancer against DDoS attacks and common web exploits like SQL injection and cross-site scripting. Which Google Cloud service should they use?

A. VPC Service Controls
B. Cloud Armor
C. Firewall Rules
D. Cloud NAT

Answer: B

Cloud Armor provides WAF rules for SQLi, XSS, and DDoS protection.

Why this answer

Cloud Armor is Google's web application firewall (WAF) and DDoS protection service. It integrates with Cloud Load Balancing to provide security policies that inspect traffic and block attacks like SQLi and XSS using pre-configured WAF rules.

82
Multi-Select · hard

A company wants to deploy a network appliance (e.g., firewall) on a Compute Engine instance that requires inspecting traffic between two VPCs. The instance must have interfaces in both VPCs. Which three configurations are required? (Choose three.)

Select 3 answers
A. Assign an external IP to each interface
B. Attach at least two network interfaces (NIC0 and NIC1)
C. Use the same subnet for both interfaces
D. Configure static routes in both VPCs pointing to the appliance's IP
E. Enable IP forwarding on the instance

Answers: B, D, E

Required to connect to two different VPCs.

Why this answer

For a multi-NIC network appliance, you need at least two network interfaces (NIC0, NIC1) attached to different VPCs. Each interface must be in a different subnet. Also, IP forwarding must be enabled on the instance to allow it to forward traffic between interfaces.

83
Multi-Select · medium

A company wants to restrict access to Google Cloud Storage so that only traffic originating from a specific VPC network is allowed. They also need to prevent data exfiltration to other VPCs. Which two services should they use? (Choose two.)

Select 2 answers
A. VPC Service Controls
B. Cloud VPN
C. Cloud NAT
D. Firewall rules
E. Private Google Access

Answers: A, E

Creates a perimeter to restrict access.

Why this answer

VPC Service Controls creates a service perimeter around the Storage API, and Private Google Access enables VMs without external IPs to access Google APIs from within the VPC.

84
MCQ · medium

An engineer needs to provide outbound internet access to a set of Compute Engine instances that do not have external IP addresses. The instances are in a VPC subnet with a Cloud NAT configured. However, the instances still cannot reach the internet. The engineer verified that Cloud NAT is configured on the same region and VPC as the instances. What is the most likely cause?

A. The firewall rules block all outbound traffic from the subnet
B. The instances are using a custom network that does not support Cloud NAT
C. The instances are not tagged with the correct network tag used in the Cloud NAT configuration
D. The Cloud NAT gateway uses dynamic port allocation, which is disabled

Answer: C

Cloud NAT uses tags or service accounts to determine which instances can use it for outbound connectivity.

Why this answer

Cloud NAT requires the instances to have the 'allow NAT' network tag or service account configured in the NAT gateway rules. If the instances are not tagged or the service account is not specified, traffic is not forwarded.

85
Multi-Select · hard

A company wants to use Cloud Armor to block traffic from a specific IP range (198.51.100.0/24) and also apply rate limiting. Which TWO components are needed? (Select 2)

Select 2 answers
A. A Cloud CDN cache rule
B. A Cloud Armor security policy with one rule that combines IP deny and rate limiting
C. A Cloud Armor security policy with two rules: one for IP deny and one for rate limiting
D. A network firewall rule to block the IP range
E. An HTTPS load balancer with the security policy attached

Answers: C, E

A single policy can contain multiple rules to achieve both requirements.

Why this answer

Cloud Armor security policies contain rules with conditions like IP ranges and rate limiting. The policy is attached to a backend service of an HTTPS load balancer.

86
MCQ · hard

A company has a VPC with a subnet in us-central1. Compute Engine instances in that subnet have no external IPs but need to reach the internet for software updates. The engineer configured Cloud NAT with the default settings. However, instances fail to reach the internet. What is the most likely cause?

A. Cloud NAT is not configured in the correct region.
B. An egress firewall rule is missing that allows traffic from the instances to the internet via NAT.
C. Private Google Access is enabled on the subnet, which overrides Cloud NAT.
D. The Cloud NAT router is not attached to the correct VPC network.

Answer: B

Firewall rules control egress traffic; Cloud NAT does not bypass them. A rule allowing egress to 0.0.0.0/0 is needed.

Why this answer

Cloud NAT requires that the instances are allowed egress traffic to the internet. Without a suitable egress firewall rule, NAT traffic is blocked. The default firewall rules only allow egress to Google APIs (private.googleapis.com) but not to general internet destinations.

A firewall rule allowing egress to 0.0.0.0/0 on the appropriate ports is required.

87
MCQ · hard

An organization wants to allow only certain users to access a service published via Private Service Connect. They need to restrict access based on the source VPC network. What should they use?

A. Firewall rules in the consumer VPC
B. IAM permissions on the service attachment
C. Consumer allow lists in the service attachment
D. VPC Service Controls

Answer: C

Consumer allow lists restrict which projects or VPCs can access the published service.

Why this answer

Private Service Connect publishes a service through a service attachment; the attachment's consumer allow lists control access by specifying which projects or VPCs can connect.

88
Multi-Select · hard

An organization has a VPC with multiple subnets. They want to log all outbound connections from instances to the internet for compliance. They also want to use a cost-effective solution that doesn't require a proxy. Which three components are needed? (Choose three.)

Select 3 answers
A. Cloud NAT
B. Cloud Logging
C. Cloud VPN
D. Cloud Router
E. VPC Flow Logs

Answers: A, B, D

Provides outbound connectivity with optional logging.

Why this answer

Cloud NAT with logging enabled provides logs of outbound connections. Cloud Router is required to set up Cloud NAT. Firewall rules allow the traffic but are not specifically needed for logging; the NAT logs capture the connections.

89
MCQ · medium

An engineer is troubleshooting outbound connectivity from a Compute Engine instance that has no external IP. The instance needs to reach an external service on the internet. Cloud NAT is configured on the VPC network. However, the instance cannot connect. What is the most likely cause?

A. Private Google Access is not enabled
B. The instance has an external IP assigned
C. Egress firewall rules are blocking the traffic
D. The Cloud NAT gateway is in a different region than the instance

Answer: C

Even with Cloud NAT, egress firewall rules must allow the traffic; by default, egress is allowed, but if custom rules are applied, they might deny it.

Why this answer

For Cloud NAT to work, the instance must be in a subnet for which a Cloud NAT gateway is configured, and the instance should not have an external IP. Additionally, firewall rules must allow egress traffic. The most common issue is missing egress firewall rules or incorrect NAT configuration.

90
MCQ · medium

A security team wants to enforce a policy that blocks all egress traffic to the internet from a specific set of VMs across multiple projects in an organization. The policy should be centrally managed and override VPC-level firewall rules. Which approach should they use?

A. Create VPC firewall rules with deny egress for the specific VMs in each VPC.
B. Deploy a hierarchical firewall policy at the organization level with a deny egress rule targeting the VMs.
C. Use a network firewall policy attached to each VPC network.
D. Configure Cloud Armor security policies on the load balancer to block egress.

Answer: B

Hierarchical firewall policies are centrally managed and can override VPC firewall rules.

Why this answer

Hierarchical firewall policies at the organization level can enforce rules that apply to all VPCs and override VPC-level rules with lower priority.

91
Multi-Select · medium

You need to allow instances with network tag 'db' in subnet-a to only accept connections on TCP port 3306 from instances with network tag 'app' in subnet-b. Which TWO firewall rules should you create? (Choose 2)

Select 1 answer
A. Ingress rule: target tag 'db', source tag 'app', allow tcp:3306, priority 1000.
B. Egress rule: target tag 'app', destination tag 'db', allow tcp:3306, priority 1000.
C. Ingress rule: target tag 'db', source 0.0.0.0/0, deny tcp:3306, priority 2000.
D. Ingress rule: target tag 'db', source tag 'app', deny tcp:3306, priority 1000.
E. Ingress rule: target tag 'db', source 0.0.0.0/0, deny all ports, priority 500.

Answers: A

This allows 'app' instances to connect to 'db' on 3306.

Why this answer

The correct approach is to create an ingress rule on subnet-a targeting 'db' tags, allowing TCP 3306 from source tag 'app' (which matches source instances carrying that tag). Alternatively, an egress rule on subnet-b could allow traffic to 'db' instances. However, the typical solution is an ingress rule on the target.

The options require two rules to ensure only 'app' instances can connect to 'db' and also block other sources.

92
MCQ · medium

An engineer needs to set up a firewall rule that allows health check probes from Google Cloud's health check ranges (130.211.0.0/22 and 35.191.0.0/16) to a backend instance group. The rule should apply only to instances with the 'backend' network tag. What is the correct configuration?

A. Create an ingress rule with destination IP ranges 130.211.0.0/22 and 35.191.0.0/16, and target tags 'backend'
B. Create an ingress rule with source IP ranges 130.211.0.0/22 and 35.191.0.0/16, and target tags 'backend'
C. Create a route with next hop as the backend instance group
D. Create an egress rule with source IP ranges 130.211.0.0/22 and 35.191.0.0/16, and target tags 'backend'

Answer: B

This ingress rule allows health check traffic from the specified source ranges to instances with the 'backend' tag.

Why this answer

Ingress firewall rules control incoming traffic. The rule must allow traffic from the health check source ranges to all instances (targets) with the tag 'backend'. A lower priority number means higher priority.

93
MCQ · medium

An engineer wants to allow traffic from a specific service account to a Compute Engine instance. Which firewall rule option should they use for the source?

A. Source service accounts
B. Target service accounts
C. Source IP ranges
D. Source tags

Answer: A

Service accounts can be used as the source to identify traffic from instances running under that service account.

Why this answer

Firewall rules can use service accounts as source or target. For source, you specify the source service account using the --source-service-accounts flag.

94
MCQ · easy

A developer wants to allow HTTP (port 80) traffic from the internet to a set of Compute Engine instances that have a tag "web-server". Which firewall rule should they create?

A. Egress rule: source 0.0.0.0/0, target tag "web-server", tcp:80
B. Ingress rule: source 0.0.0.0/0, target tag "web-server", tcp:80
C. Egress rule: destination 0.0.0.0/0, target tag "web-server", tcp:80
D. Ingress rule: source 0.0.0.0/0, target service account "web-server", tcp:80

Answer: B

This correctly allows inbound HTTP from anywhere to instances with the web-server tag.

Why this answer

An ingress firewall rule with source range 0.0.0.0/0, target tag "web-server", and protocol/port tcp:80 allows HTTP traffic from the internet to the tagged instances.

95
MCQ · medium

An organization wants to allow on-premises hosts to connect to a Cloud SQL instance privately without traversing the public internet. They have a Cloud VPN tunnel set up. What additional step is required?

A. Create a VPC peering connection
B. Add a route with next hop set to the VPN gateway
C. Configure Cloud NAT
D. Enable Private Service Connect on the Cloud SQL instance

Answer: D

Private Service Connect allows private access to managed services from on-premises via VPN.

Why this answer

Private Service Connect enables private connectivity to Google-managed services from on-premises via VPC and VPN.

96
Multi-Select · easy

A company wants to allow traffic to a specific set of Compute Engine instances only from a single management instance that uses a service account. The management instance has the service account 'sa-mgmt@project.iam.gserviceaccount.com'. Which TWO firewall rule configurations can achieve this? (Choose TWO.)

Select 2 answers
A. Set the source IP range to the internal IP of the management instance
B. Set the source service account filter to 'sa-mgmt@project.iam.gserviceaccount.com'
C. Set the priority to 65535 to ensure it is evaluated last
D. Set the target tags to 'mgmt' and assign that tag to the management instance
E. Set the target of the rule to the service account 'sa-mgmt@project.iam.gserviceaccount.com'

Answers: A, B

This restricts traffic to that specific IP address.

Why this answer

Firewall rules can target instances by service account (using the 'target service accounts' field) and filter source traffic by service account (using the 'source service accounts' field). Both approaches can restrict traffic to only the management instance's service account.

97
MCQ · easy

An engineer needs to provide outbound internet access to a set of Compute Engine instances that have only internal IP addresses. The instances must use a static IP address for outbound traffic. Which solution should they implement?

A. Create a Cloud NAT gateway with static IP address and configure it on the VPC network.
B. Assign a static external IP to each instance and configure a firewall rule to allow egress.
C. Configure Private Google Access on the subnet to route traffic to Google APIs.
D. Deploy a Compute Engine instance as a NAT instance with IP forwarding enabled.

Answer: A

Cloud NAT provides outbound internet access for instances without external IPs using a static IP.

Why this answer

Cloud NAT with manual port allocation allows a static IP to be assigned to the NAT gateway, providing outbound internet access to instances without external IPs.

98
Multi-Select · hard

You are configuring a VPC Service Controls perimeter to protect a project containing BigQuery datasets. Access should be allowed only from a specific VPC network and only for users with a specific access level. Which THREE components must you define? (Choose 3)

Select 3 answers
A. Cloud NAT gateway
B. Private Google Access
C. Service perimeter
D. VPC accessible services configuration
E. Access level

Answers: C, D, E

Defines the protected resources.

Why this answer

VPC Service Controls perimeters require: 1) A service perimeter that includes the project and services, 2) Access levels that define allowed client attributes (e.g., IP addresses, device policy), and 3) VPC accessible services configuration to restrict access to only requests originating from specified VPC networks. Ingress rules are optional for allowing access from outside the perimeter.

99
MCQ · medium

A company has Compute Engine instances without external IPs in a VPC. They need to reach Google APIs such as Cloud Storage and BigQuery. Which configuration will meet this requirement with minimal cost and operational overhead?

A. Configure the subnet to have Private Google Access enabled. Ensure the instances have the appropriate DNS resolution for private.googleapis.com.
B. Set up a Squid proxy on a bastion host with an external IP and route all API traffic through it.
C. Create a Cloud NAT gateway in the same region and attach it to the VPC.
D. Assign external IPs to the instances and create firewall rules to allow traffic to Google APIs.

Answer: A

This enables instances to reach Google APIs via internal IPs without needing external IPs or NAT.

Why this answer

Private Google Access enables instances without external IPs to reach Google APIs using internal IPs via the default internet gateway or VPC peering. Configuring a Private Google Access enabled subnet is the simplest and cheapest option, as it does not require NAT or additional instances.

100
MCQ · medium

A network engineer needs to create a firewall rule that blocks all ingress traffic from the internet to Compute Engine instances tagged 'web-server', except for traffic from the organization's VPN gateway at IP 203.0.113.1. The engineer creates a rule with priority 1000, deny ingress, source IP ranges 0.0.0.0/0, and targets 'web-server'. To allow the VPN IP, what should the engineer do?

A. Modify the existing deny rule to include an exception for the VPN IP in the source IP field.
B. Delete the deny rule and create a single rule that denies all IPs except the VPN IP using the 'except' option.
C. Create a new allow rule with priority 500, source IP 203.0.113.1/32, target 'web-server', and action allow.
D. Change the priority of the existing deny rule to 1 and create an allow rule with priority 2 for the VPN IP.

Answer: C

This allow rule has higher priority (lower number) than the deny rule, so traffic from the VPN IP will be allowed before the deny rule applies.

Why this answer

Firewall rules are evaluated in order of priority (lower number = higher priority). The deny rule at priority 1000 will deny all IPs. To allow the VPN IP, a higher priority (lower number) allow rule must be created for that specific IP, before the deny rule is evaluated.

The correct approach is to create an allow rule with priority 100 (or any lower number) for source IP 203.0.0.0/8 (or the specific IP) targeting web-server.
