CCNA Pcne Managing Monitoring Questions

70 questions · Pcne Managing Monitoring topic · All types, answers revealed

1
MCQ · easy

A developer wants to log all denied firewall rule events for security auditing purposes. What is the simplest way to achieve this without modifying existing firewall rules?

A.Use Cloud NAT logging
B.Enable firewall rule logging on existing rules
C.Create a deny-all firewall rule with logging enabled at the lowest priority
D.Enable VPC Flow Logs on all subnets
AnswerC

Creating a deny-all rule at the lowest priority with logging turned on catches the traffic that would otherwise fall through to the implied deny rule, which cannot be logged, and leaves every existing rule untouched.

Why this answer

Firewall Rules Logging is enabled per rule, and the implied deny-ingress and allow-egress rules that every VPC network carries cannot be logged at all. To record every denied ingress flow without modifying existing rules, add a deny-all ingress rule with logging enabled at the lowest priority you use (priority numbers run from 0, highest, to 65535, lowest; for example 65534, so the rule still ranks above the implied deny). Traffic matched by any existing higher-priority rule never reaches it, so behaviour does not change, but every flow that would have been implicitly denied now produces a log entry. Cloud NAT logging (A) records translations, not firewall decisions; enabling logging on existing rules (B) modifies them and still misses the implied deny; VPC Flow Logs (D) record flow metadata but not which firewall rule matched.

2
Multi-Select · medium

A company is designing a multi-region application on GCP and wants to optimize egress costs. Which TWO of the following strategies will reduce cross-region egress costs? (Choose two.)

Select 2 answers
A.Use Cloud CDN to cache content at edge locations
B.Enable VPC Flow Logs to analyze traffic
C.Deploy backends in multiple regions and use a global load balancer
D.Use a regional load balancer when users are concentrated in one region
E.Use Premium Tier networking
AnswersA, D

Reduces requests to origin, lowering egress from the origin region.

Why this answer

Cloud CDN caches responses at edge locations, so repeat requests are served from the edge instead of being fetched from the origin region. Using a regional load balancer when users and backends sit in one region keeps the traffic inside that region and avoids cross-region transfer. Deploying backends in several regions behind a global load balancer (C) improves latency and availability but adds regions that emit egress; Premium Tier (E) is the higher-priced tier; VPC Flow Logs (B) only measure traffic.

Cloud CDN reduces egress from origin. Regional LB avoids cross-region traffic altogether if the user and backend are in the same region.

3
MCQ · easy

A network engineer wants to test whether a Compute Engine VM can reach a Cloud SQL instance in a different VPC network, considering firewall rules and VPC peering. Which Google Cloud tool should they use?

A.VPC Flow Logs
B.Connectivity Tests
C.Firewall Insights
D.Packet Mirroring
AnswerB

Connectivity Tests are designed for this exactly — simulating traffic between endpoints.

Why this answer

Connectivity Tests in Network Intelligence Center allows you to specify source and destination (including IP addresses, instances, or Google APIs) and evaluate reachability based on firewall rules, routes, VPC peering, and other policy configurations.

4
Multi-Select · hard

A company uses VPC Flow Logs exported to BigQuery for security analysis. They need to identify traffic to a known malicious IP. Which THREE fields can be used in a BigQuery query to filter this traffic? (Choose THREE.)

Select 3 answers
A.dst_ip
B.src_port
C.bytes_sent
D.src_ip
E.protocol
AnswersA, D, E

dst_ip is the destination IP address, so it is the primary filter for traffic going to the malicious address.

Why this answer

Each VPC Flow Logs record carries the connection 5-tuple: source IP, source port, destination IP, destination port and protocol (in the exported records these are jsonPayload.connection.src_ip, src_port, dest_ip, dest_port and protocol, with protocol as an IANA number such as 6 for TCP). To find traffic to a malicious IP, filter on the destination IP; also filter on the source IP so that inbound flows and return traffic from that address are not missed; and use protocol to narrow the traffic type. src_port is an ephemeral port and bytes_sent is a volume counter; neither identifies the peer.

5
Multi-Select · medium

A company uses Cloud NAT for outbound internet access from private instances. They want to monitor for connection failures due to NAT resource exhaustion. Which two steps should they take? (Choose two.)

Select 2 answers
A.Enable Cloud NAT logging
B.Enable VPC Flow Logs on the subnet
C.Use Packet Mirroring to capture NAT traffic
D.Use Firewall Insights to check for blocked traffic
E.Set up log-based metrics and alerts on NAT logs
AnswersA, E

Correct: NAT logs record connection and allocation failures.

Why this answer

Enable Cloud NAT logging to capture connection and allocation failures. Set up alerts on NAT logs to detect failures. VPC Flow Logs do not capture NAT-specific failures.

Firewall Insights are for firewall rules. Packet Mirroring is not relevant.

6
MCQ · medium

An organization has multiple VPC networks in a project and wants to centrally manage firewall rules across all networks using a single set of rules. Which approach should they take?

A.Use firewall rules with global scope
B.Create a single VPC network and use subnetting
C.Use hierarchical firewall policies at the folder level
D.Use shared VPC and apply firewall rules to the host project
AnswerC

Hierarchical firewall policies apply to all networks under a folder, enabling central management.

Why this answer

VPC firewall rules belong to a single network. To manage one rule set across many networks, use hierarchical firewall policies attached at the organization or folder level: they are evaluated before the VPC firewall rules of every network under that node, and each rule can allow, deny, or hand evaluation on to the next level (goto_next), so a folder-level deny cannot be undone by a project-level rule.

7
Multi-Select · medium

A security engineer needs to identify overly permissive firewall rules and shadowed rules (rules that never match because a higher priority rule overrides them). Which TWO Network Intelligence Center tools can help? (Choose two.)

Select 2 answers
A.Network Topology
B.Firewall Insights
C.Performance Dashboard
D.Connectivity Tests
E.VPC Flow Logs
AnswersB, E

Directly identifies shadowed and overly permissive rules.

Why this answer

Firewall Insights is the Network Intelligence Center tool that directly reports shadowed rules (found by static analysis of the rule set) and overly permissive rules. VPC Flow Logs is a logging feature rather than a Network Intelligence Center tool, but it supplies the evidence of which traffic actually flows; note that the usage-based insights (hit counts, unused and overly permissive rules) are built from Firewall Rules Logging data, so enable logging on the rules you want analysed. Network Topology shows the network graph but does not analyse rules, and Connectivity Tests verifies reachability for one source/destination pair.

Performance Dashboard reports latency and packet loss, not rule analysis.

8
MCQ · medium

An engineer notices that some packets sent from a Compute Engine VM in GCP to an on-premises server via a VPN tunnel are being fragmented. The on-premises server is not receiving the fragmented packets. What is the most likely cause?

A.The VM's MTU is set to 1500
B.Cloud NAT is not configured
C.The VPN tunnel is using UDP encapsulation
D.The on-premises firewall is dropping ICMP
AnswerA

A VM sending 1500-byte packets over a VPN tunnel exceeds what the encapsulated path can carry, so the packets are fragmented; the fix is to set the VM MTU to 1460 or lower (or clamp TCP MSS) so that packets never need fragmenting.

Why this answer

The default MTU of a Google Cloud VPC network is 1460 bytes, while 1500 is the usual Ethernet and internet value. IPsec encapsulation on the VPN tunnel adds its own headers, so a 1500-byte packet from the VM no longer fits and must be fragmented, and fragments are frequently dropped by intermediate firewalls or by hosts that do not reassemble them.

The cause is therefore an MTU mismatch. Set the VM's MTU to 1460 or lower (for example 1400) so packets fit inside the tunnel, or clamp TCP MSS on the path. If the on-premises side also drops ICMP "fragmentation needed" messages (option D), path MTU discovery cannot signal the smaller MTU, which makes lowering the MTU explicitly the robust fix.

9
MCQ · medium

A network engineer wants to capture all traffic to and from a specific Compute Engine instance for security analysis and forward it to an IDS appliance in another VPC. Which GCP service should they use?

A.VPC Flow Logs
B.Packet Mirroring
C.Firewall Rules Logging
D.Cloud NAT logging
AnswerB

Packet Mirroring forwards actual traffic for deep packet inspection.

Why this answer

Packet Mirroring clones the traffic of selected instances (chosen by instance, subnet or network tag) and forwards the copies to a collector behind an internal passthrough Network Load Balancer, which must be in the same region and either in the same VPC network or in one connected by VPC Network Peering. It is designed for IDS/IPS and forensic inspection of full packets, not just flow metadata.

10
MCQ · easy

A network engineer wants to test reachability between a Compute Engine instance in VPC A and a Cloud SQL instance in VPC B, which are connected via VPC peering. Which Google Cloud tool should be used to check if firewall rules or routes are blocking traffic?

A.Connectivity Tests
B.Packet Mirroring
C.VPC Flow Logs
D.Firewall Insights
AnswerA

Correct: Connectivity Tests analyze the path between source and destination, considering firewall rules, routes, and peering.

Why this answer

Connectivity Tests in Network Intelligence Center allows you to define source and destination and checks configurations like firewall rules, routes, and VPC peering to determine if traffic can flow.

11
MCQ · medium

A network engineer needs to verify that traffic from a specific Compute Engine instance can reach a Cloud SQL database in a different VPC. Which Google Cloud tool should be used to test this reachability?

A.Connectivity Tests
B.Cloud Monitoring
C.Network Topology
D.VPC Flow Logs
AnswerA

Connectivity Tests specifically verify reachability and identify blocking rules.

Why this answer

Network Intelligence Center Connectivity Tests allow you to check reachability between source and destination, analyzing firewall rules, routes, and VPC peering. It can pinpoint where traffic is blocked.

12
MCQ · hard

An engineer is troubleshooting asymmetric routing between two VPCs connected via VPC peering. They notice that return traffic takes a different path. What is a common cause of asymmetric routing in this scenario?

A.VPC Flow Logs are not enabled
B.One VPC has a more specific route that overrides the peering route
C.The MTU is mismatched between the VPCs
D.Firewall rules are blocking the return traffic
AnswerB

Correct: If one VPC has a more specific route (e.g., via VPN) for the other VPC's subnet, return traffic may go that way, causing asymmetry.

Why this answer

If each VPC reaches the other by a different path (for example one via the peering's subnet routes and the other via a static route to a VPN tunnel that is more specific than the peered range), forward and return traffic diverge. VPC Network Peering does not support transitive routing, but a misconfigured static or dynamic route on either side can still pull one direction onto another path.

13
MCQ · medium

An engineer notices that VPC Flow Logs are enabled on a subnet but only a fraction of traffic is logged. What is the most likely cause?

A.The log export filter is too restrictive
B.Default sampling rate of 50% is applied
C.The subnet has an insufficient sampling rate set to 0.5
D.Flow Logs only log TCP traffic
AnswerB

VPC Flow Logs sample flows by default (rate 0.5, i.e. 50%) before aggregation, so roughly half the flows never appear.

Why this answer

VPC Flow Logs sample at a default rate of 0.5 to limit log volume and cost, which means only about half of the flows on the subnet are logged. When an investigation needs complete coverage, raise the rate on the subnet with gcloud compute networks subnets update SUBNET --logging-flow-sampling=1.0, and lower it again afterwards, since volume and cost scale with it.

14
MCQ · medium

A company wants to reduce egress costs for traffic going to Google APIs (e.g., Cloud Storage, BigQuery) from Compute Engine instances. Which configuration should they use?

A.Use VPC Flow Logs to monitor traffic
B.Assign external IPs to the instances
C.Enable Private Google Access on the subnet
D.Set up Cloud NAT for the instances
AnswerC

Correct: Private Google Access lets VMs reach Google APIs from their internal IPs over Google's network, so the traffic is not billed as internet egress.

Why this answer

Private Google Access lets instances with only internal IPs reach Google APIs and services without an external IP or Cloud NAT. The traffic stays on Google's network rather than crossing the public internet, so it does not incur internet egress charges. Assigning external IPs (B) or routing through Cloud NAT (D) sends the same traffic out as internet egress, and Flow Logs (A) only measure it.

15
Multi-Select · medium

An organization needs to monitor and analyze firewall rule activity for security auditing. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A.Enable Cloud NAT logging.
B.Enable VPC Flow Logs on all subnets.
C.Enable firewall rules logging for the rules to monitor.
D.Use Packet Mirroring to capture all traffic.
E.Export logs from Cloud Logging to BigQuery.
AnswersC, E

Firewall rules logging logs allow/deny events.

Why this answer

Enable firewall rules logging for rules of interest. Export logs to BigQuery for analysis. Cloud Logging captures the logs, and BigQuery allows complex queries.
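A worked example of the triage these two steps enable, for question 1's catch-all deny rule and this question's export pipeline. This is an added example, not code from the original page or from Google: it processes Firewall Rules Logging entries in the JSON shape Cloud Logging exports (logName ending in compute.googleapis.com%2Ffirewall, with jsonPayload.connection, disposition, rule_details and instance). The project, rule names and the sample entries are constructed for the example.

```python
import json
from collections import Counter

# Assumed name of the lowest-priority deny-all rule from question 1 (constructed).
CATCH_ALL_RULE = "network:prod-vpc/firewall:deny-all-ingress-logged"


def _entry(src_ip, dest_port, disposition, rule, priority, vm):
    """Build one Firewall Rules Logging record as Cloud Logging exports it (constructed sample)."""
    return json.dumps({
        "logName": "projects/demo-proj/logs/compute.googleapis.com%2Ffirewall",
        "jsonPayload": {
            "connection": {"src_ip": src_ip, "src_port": 51515, "dest_ip": "10.10.0.5",
                           "dest_port": dest_port, "protocol": 6},
            "disposition": disposition,                      # "ALLOWED" or "DENIED"
            "rule_details": {"reference": rule, "priority": priority,
                             "action": "DENY" if disposition == "DENIED" else "ALLOW",
                             "direction": "INGRESS"},
            "instance": {"vm_name": vm, "zone": "us-central1-a", "project_id": "demo-proj"},
        },
    })


# Constructed sample. Only rules with logging enabled produce entries, and the implied
# deny rule never does, which is why the catch-all rule exists.
SAMPLE_LOG_LINES = [
    _entry("203.0.113.7", 22, "DENIED", "network:prod-vpc/firewall:deny-ssh-external", 1000, "web-1"),
    _entry("203.0.113.7", 22, "DENIED", "network:prod-vpc/firewall:deny-ssh-external", 1000, "web-2"),
    _entry("198.51.100.9", 3389, "DENIED", CATCH_ALL_RULE, 65534, "db-1"),
    _entry("192.0.2.10", 80, "ALLOWED", "network:prod-vpc/firewall:allow-http", 1000, "web-1"),
    _entry("203.0.113.7", 8080, "DENIED", CATCH_ALL_RULE, 65534, "web-1"),
]


def parse_firewall_entries(lines):
    """Yield the jsonPayload of every firewall log line, skipping other log types."""
    for line in lines:
        record = json.loads(line)
        if record.get("logName", "").endswith("compute.googleapis.com%2Ffirewall"):
            yield record["jsonPayload"]


def summarize_denies(lines):
    """Aggregate DENIED events per rule and per source IP, and list the catch-all hits.

    Catch-all hits are the interesting ones for auditing: they are flows that no explicit
    rule allowed or denied, i.e. what the implied deny would have dropped silently.
    """
    denied = [p for p in parse_firewall_entries(lines) if p.get("disposition") == "DENIED"]
    by_rule = Counter(p["rule_details"]["reference"] for p in denied)
    by_source = Counter(p["connection"]["src_ip"] for p in denied)
    catch_all = [(p["connection"]["src_ip"], p["connection"]["dest_port"], p["instance"]["vm_name"])
                 for p in denied if p["rule_details"]["reference"] == CATCH_ALL_RULE]
    return {"denied": len(denied), "by_rule": by_rule, "by_source": by_source, "catch_all": catch_all}


if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG_LINES)
    print(f"{summary['denied']} denied flows")
    for rule, hits in summary["by_rule"].most_common():
        print(f"  {hits:3d}  {rule}")
    for src, port, vm in summary["catch_all"]:
        print(f"  catch-all: {src} -> {vm}:{port}")
```

The same grouping in BigQuery is a GROUP BY on jsonPayload.rule_details.reference and jsonPayload.connection.src_ip with a WHERE jsonPayload.disposition = "DENIED"; the Python form is handy for a one-off export or for a log-based alert that fires when a single source accumulates denies across many VMs.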

16
Multi-Select · hard

A company wants to optimize costs for egress traffic from Compute Engine instances to the internet. They are considering using Cloud CDN and Private Google Access. Which TWO statements correctly describe how these services can reduce egress costs?

Select 2 answers
A.Cloud CDN reduces egress costs by serving cached content from edge locations closer to users.
B.Cloud CDN requires a global load balancer to function.
C.Private Google Access eliminates the need for a NAT gateway.
D.Cloud CDN eliminates all egress costs for cached content.
E.Private Google Access reduces egress costs by allowing VMs to access Google APIs using internal IPs, avoiding internet egress charges.
AnswersA, E

Correct: CDN reduces origin egress.

Why this answer

Cloud CDN caches content at edge locations, reducing the amount of egress from the origin. Private Google Access allows VMs with internal IPs to access Google APIs without using public IPs, thus avoiding internet egress charges for API calls.

17
MCQ · hard

A company has two VPCs connected via VPC Network Peering. Traffic from an instance in VPC A to an instance in VPC B is failing. Connectivity Tests show that the expected route exists and firewall rules allow the traffic. What is a possible cause?

A.VPC Flow Logs are disabled
B.The MTU of the instances is set to 1500
C.The VPC peering is not in active state
D.Asymmetric routing due to conflicting routes
AnswerD

Asymmetric routing can break connections if the return path is different.

Why this answer

Asymmetric routing can occur when a packet goes from A to B via peering, but the return packet takes a different path (e.g., through a VPN) due to route priorities. This can result in dropped packets.

18
MCQ · medium

A company has a VPC with a Cloud Router using BGP to advertise prefixes to an on-premises network. The BGP session keeps flapping. What is a likely cause?

A.There is an MTU mismatch causing packet drops
B.VPC Flow Logs are enabled on the subnet
C.The firewall rules are blocking BGP traffic
D.The Cloud Router is configured with the wrong ASN
AnswerA

Correct: with an MTU mismatch the large BGP UPDATE segments are dropped; keepalives queued behind them in the TCP stream never arrive, the hold timer expires, and the session flaps.

Why this answer

BGP runs over TCP. When the MTU along the path is smaller than the routers believe, large UPDATE segments are silently dropped, and because TCP delivers in order everything behind them in the stream, including keepalives, is held back until the hold timer expires and the session resets; the cycle repeats once it re-establishes and sends its routes again. Use the same MTU on both ends of the tunnel or VLAN attachment and make sure ICMP "fragmentation needed" is not blocked. A wrong ASN or a blocked TCP port 179 would stop the session from ever coming up rather than make it flap, and Flow Logs have no effect on the data path.

19
Multi-Select · medium

A company wants to audit firewall rules for security best practices. They need to identify overly permissive rules (e.g., allowing all traffic from 0.0.0.0/0) and rules that are never used. Which two Google Cloud tools can help? (Choose two.)

Select 2 answers
A.Firewall Insights
B.Packet Mirroring
C.Cloud Armor
D.VPC Flow Logs
E.Connectivity Tests
AnswersA, D

Correct: Firewall Insights identifies overly permissive and shadowed rules.

Why this answer

Firewall Insights reports shadowed rules, overly permissive rules and hit counts and suggests improvements; its usage-based insights are built from Firewall Rules Logging data, so enable logging on the rules you want assessed. VPC Flow Logs show what traffic actually reaches or leaves the VMs, which lets you confirm that a rule's source ranges and ports correspond to real traffic and spot rules that nothing ever matches. Connectivity Tests checks reachability for a single source/destination pair, not rule hygiene.

Packet Mirroring copies packets for inspection. Cloud Armor is a WAF and DDoS service in front of load balancers.
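To make concrete what "shadowed" and "overly permissive" mean in questions 7 and 19, here is an added example that runs the same two checks over a constructed rule set. It is not Firewall Insights' own code and not code from the page. It simplifies in one way: a rule counts as shadowed only when a single higher-priority rule of the same direction covers all of its ranges, protocol and ports, whereas Firewall Insights also considers coverage by several rules together. The rule names and ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A VPC firewall rule reduced to the attributes that decide matching."""
    name: str
    priority: int        # 0 is the highest priority, 65535 the lowest
    direction: str       # "INGRESS" or "EGRESS"
    action: str          # "ALLOW" or "DENY"
    ranges: tuple        # source ranges for ingress, destination ranges for egress
    protocol: str        # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()    # (low, high) pairs; empty means every port


def _ranges_covered(inner, outer):
    """True if every CIDR in `inner` lies inside some CIDR in `outer`."""
    outer_nets = [ipaddress.ip_network(c) for c in outer]
    return all(
        any(n.version == o.version and n.subnet_of(o) for o in outer_nets)
        for n in (ipaddress.ip_network(c) for c in inner)
    )


def _ports_covered(inner, outer):
    """True if every port range in `inner` lies inside some range in `outer`."""
    if not outer:          # outer matches all ports
        return True
    if not inner:          # inner matches all ports but outer is restricted
        return False
    return all(any(olo <= lo and hi <= ohi for olo, ohi in outer) for lo, hi in inner)


def shadowing_rule(rule, rules):
    """Return the higher-priority rule that fully covers `rule`, or None.

    Equal priorities are skipped: at the same priority GCP lets deny win, so a
    same-priority rule does not on its own make another one unreachable.
    """
    for other in sorted(rules, key=lambda r: r.priority):
        if other is rule or other.direction != rule.direction or other.priority >= rule.priority:
            continue
        if (_ranges_covered(rule.ranges, other.ranges)
                and (other.protocol == "all" or other.protocol == rule.protocol)
                and _ports_covered(rule.ports, other.ports)):
            return other
    return None


def is_overly_permissive(rule):
    """Flag allow rules open to the whole internet with no port restriction (or all protocols)."""
    open_to_world = any(ipaddress.ip_network(c).prefixlen == 0 for c in rule.ranges)
    return rule.action == "ALLOW" and open_to_world and (rule.protocol == "all" or not rule.ports)


def audit(rules):
    """Run both checks; returns {"shadowed": {rule: shadowing rule}, "overly_permissive": [rules]}."""
    shadowed = {}
    for rule in rules:
        other = shadowing_rule(rule, rules)
        if other is not None:
            shadowed[rule.name] = other.name
    return {"shadowed": shadowed,
            "overly_permissive": [r.name for r in rules if is_overly_permissive(r)]}


# Constructed rule set: someone added deny-ssh-all at priority 900 "to lock down SSH"
# without noticing it now sits above the two allow rules meant to carve out exceptions.
SAMPLE_RULES = [
    Rule("allow-internal", 1000, "INGRESS", "ALLOW", ("10.0.0.0/8",), "all"),
    Rule("allow-web", 1000, "INGRESS", "ALLOW", ("0.0.0.0/0",), "tcp", ((80, 80), (443, 443))),
    Rule("deny-ssh-all", 900, "INGRESS", "DENY", ("0.0.0.0/0",), "tcp", ((22, 22),)),
    Rule("allow-ssh-office", 1000, "INGRESS", "ALLOW", ("198.51.100.0/24",), "tcp", ((22, 22),)),
    Rule("allow-ssh-legacy", 2000, "INGRESS", "ALLOW", ("203.0.113.0/24",), "tcp", ((22, 22),)),
    Rule("allow-all-from-anywhere", 3000, "INGRESS", "ALLOW", ("0.0.0.0/0",), "all"),
]

if __name__ == "__main__":
    result = audit(SAMPLE_RULES)
    for name, by in result["shadowed"].items():
        print(f"shadowed: {name} never matches, covered by {by}")
    for name in result["overly_permissive"]:
        print(f"overly permissive: {name}")
```

Note that allow-web is open to 0.0.0.0/0 but limited to TCP 80 and 443, so the check does not flag it; the distinction between "reachable from anywhere on the ports the service needs" and "everything from anywhere" is exactly what the audit has to make.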

20
Multi-Select · hard

A company is migrating to Google Cloud and needs to connect their on-premises data center to a VPC using Cloud VPN with dynamic routing (BGP). They want high availability and automatic failover. Which THREE components are required? (Choose THREE.)

Select 3 answers
A.Cloud Router with BGP enabled
B.A single VPN tunnel
C.Two Cloud VPN gateways (HA VPN)
D.VPC Network Peering
E.Two VPN tunnels, each connected to a different gateway
AnswersA, C, E

Cloud Router exchanges routes via BGP.

Why this answer

HA VPN gives you a gateway with two interfaces (the option calls these two gateways), one tunnel per interface towards the peer, and a Cloud Router that runs BGP over both tunnels so that routes fail over automatically when one tunnel drops. The 99.99% availability SLA also requires the on-premises side to be redundant. A single tunnel is a single point of failure, and VPC Network Peering connects VPC networks, not on-premises sites.

21
Multi-Select · hard

A company is experiencing packet loss between two Compute Engine instances in different zones within the same region. They suspect MTU issues. Which three actions should they take to diagnose and resolve? (Choose three.)

Select 3 answers
A.Verify that the network path between instances does not have a smaller MTU (e.g., VPN or load balancer)
B.Enable Cloud NAT to reduce packet size
C.Check the MTU configuration on the instances (default 1460)
D.Use VPC Flow Logs to check for packet drops
E.Capture packets using tcpdump on the instances to look for fragmentation
AnswersA, C, E

Correct: Path MTU discovery can reveal smaller MTUs along the path.

Why this answer

Check the MTU settings on the instances (default 1460 for GCP). Use packet capture to see if fragmentation is occurring. Ensure that the path MTU is consistent (e.g., between VMs and any load balancers).

VPC Flow Logs do not show MTU. Cloud NAT is not relevant. Connectivity Tests do not test MTU.

22
MCQ · hard

A network engineer is troubleshooting BGP session flaps between a Cloud Router and an on-premises router. The Cloud Router logs show that the session goes down and up repeatedly every few minutes. What is the most common cause of such flapping?

A.There is a firewall rule blocking BGP port 179
B.The VLAN attachment is misconfigured
C.The on-premises router is experiencing high CPU load
D.The Cloud Router's BGP timer values are too low
AnswerC

High CPU on the peer delays its keepalives, the hold timer expires, and the session flaps.

Why this answer

BGP session flaps are hold-timer expiries: the peer stops receiving keepalives in time because of packet loss, congestion, or a router that cannot process them promptly. A router under CPU or memory pressure delays keepalive and UPDATE processing, so the session drops, re-establishes once the router catches up, and drops again. A firewall blocking TCP 179 would prevent the session from ever establishing rather than make it flap, a misconfigured VLAN attachment would keep it down, and Cloud Router's default keepalive interval of 20 seconds with a 60-second hold time is not aggressive enough to cause flapping on a healthy link. Cloud Router logs record each state change and the reason.

23
MCQ · medium

A company uses an external HTTP Load Balancer with Cloud Armor. They want to log all requests that are blocked by Cloud Armor security policies for compliance auditing. What should they enable?

A.Cloud Armor request logs
B.VPC Flow Logs
C.Load balancer access logs
D.Firewall rule logging
AnswerA

Cloud Armor request logs record details of requests evaluated by security policies.

Why this answer

Cloud Armor request logs record each request evaluated by a security policy, including the policy name, the matched rule's priority, the configured action and the outcome (ACCEPT or DENY). They are emitted as part of the external load balancer's request logs (the enforcedSecurityPolicy field), so logging must be enabled on the load balancer's backend service; export them to BigQuery for compliance reporting.

24
MCQ · medium

An engineer is troubleshooting high latency between a Compute Engine instance in us-central1 and an instance in europe-west1. Which tool can show per-region latency and packet loss?

A.Connectivity Tests
B.Performance Dashboard
C.Network Topology
D.Firewall Insights
AnswerB

Performance Dashboard shows latency and packet loss between GCP regions.

25
MCQ · medium

A network engineer notices asymmetric routing between two VPCs connected via VPC peering. Traffic from VPC A to VPC B flows correctly, but return traffic from VPC B to VPC A drops. What is the most likely cause?

A.MTU mismatch between VPCs
B.BGP session flaps on Cloud Router
C.Overlapping CIDR ranges in the peered VPCs
D.Firewall rules blocking ICMP
AnswerC

In Google Cloud a peering cannot become ACTIVE while the two networks have overlapping subnet ranges, so in practice the overlap shows up as a conflicting route: VPC B holds a route covering VPC A's range that points somewhere other than the peering, and return traffic takes that path.

Why this answer

Asymmetric routing across VPC peering appears when the return side has a route for the other VPC's range that wins over the peering route: a more specific static route to a VPN tunnel, a second peering advertising the same prefix, or an overlapping range imported from elsewhere. The return packets leave by that other path, where no route back exists or a firewall drops them. Check VPC B's effective routes for the destination; a Connectivity Test with B as the source shows which route is chosen.

26
MCQ · hard

An organization has a VPC with multiple subnets and Cloud NAT configured for outbound internet access. They need to analyze which instances are using the most egress bandwidth to optimize costs. Which approach is most effective?

A.Enable Cloud NAT logging and analyze logs in Cloud Logging
B.Export VPC Flow Logs to BigQuery and query by source instance
C.Use Firewall Insights to identify high-traffic instances
D.Use the Performance Dashboard to see bandwidth usage per region
AnswerB

Correct: VPC Flow Logs contain instance metadata and can be aggregated in BigQuery to compute egress per instance.

Why this answer

VPC Flow Logs exported to BigQuery allow detailed analysis of traffic patterns, including source IP, destination, and bytes transferred, enabling cost attribution.

27
MCQ · easy

Which Network Intelligence Center tool provides a visual representation of your VPC network, including instances, subnets, firewall rules, and routes?

A.Connectivity Tests
B.Firewall Insights
C.Network Topology
D.Performance Dashboard
AnswerC

Network Topology visualizes the entire VPC topology.

28
MCQ · easy

An organization has a project with multiple VPCs. They need to know the maximum number of firewall rules allowed per VPC. Where should they look?

A.Cloud Logging
B.Network Topology
C.Firewall Insights
D.IAM & Admin Quotas page
AnswerD

Correct: The Quotas page lists VPC resource limits per project.

Why this answer

VPC quotas are documented in the Quotas page under VPC Network, showing limits per VPC such as firewall rules, routes, etc.

29
MCQ · medium

An organization has a global web application deployed behind an External HTTPS Load Balancer. They want to reduce egress costs for users in Europe who are served from the same region. The application is already using Cloud CDN. Which additional action will MOST effectively reduce egress costs for these users?

A.Use Cloud Armor to block non-European traffic
B.Nothing; Cloud CDN already minimizes egress costs
C.Deploy a regional load balancer in Europe
D.Enable Private Google Access
AnswerB

Cloud CDN serves from edge locations, reducing egress for all users, including those in Europe.

Why this answer

Cloud CDN caches content at edge locations closer to users, reducing egress costs by serving cached responses from the edge. For users in Europe, if the origin is in the US, Cloud CDN will serve from European caches after the first request, minimizing cross-region egress.

30
MCQ · hard

A network engineer is investigating packet loss between two GCP regions using the Performance Dashboard. The dashboard shows high packet loss but no corresponding latency increase. What is the most likely cause of this packet loss?

A.Normal network behavior; small packet loss is expected
B.A misconfigured firewall rule blocking ICMP
C.A BGP session flap on Cloud Router
D.Cloud Armor blocking traffic
AnswerA

The Performance Dashboard shows actual network conditions; some packet loss is normal.

Why this answer

The Performance Dashboard measures packet loss and latency between regions. Packet loss without latency increase often indicates transient congestion or minor issues that cause drops but not queuing delay. It is normal to see some loss; the dashboard shows real measurements.

31
MCQ · medium

A company wants to analyze VPC Flow Logs to identify the top talkers (source IPs) generating the most traffic to their web servers. They have enabled VPC Flow Logs on the subnet. Where should they export the logs for cost-effective querying and analysis?

A.BigQuery
B.Cloud Monitoring (Stackdriver)
C.Cloud Pub/Sub
D.Cloud Storage
AnswerA

BigQuery enables SQL analysis of flow logs efficiently.

Why this answer

BigQuery is the best choice for querying large volumes of VPC Flow Logs with SQL, enabling cost-effective analysis of top talkers. Stackdriver (Cloud Monitoring) is for metrics, not log analysis; Cloud Storage is for archival; Pub/Sub for streaming.
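An added example, not code from the page or from Google, covering the flow-log analyses of questions 4, 26 and 31 in one place: filtering records that involve a malicious IP in either direction, attributing egress bytes to the sending instance, and ranking top talkers. It works on VPC Flow Logs records in the JSON shape Cloud Logging exports (logName ending in compute.googleapis.com%2Fvpc_flows; jsonPayload.connection, reporter, bytes_sent, src_instance), which is also the column layout queried in BigQuery (jsonPayload.connection.dest_ip, not dst_ip). Two caveats it handles that a naive query gets wrong: a flow between two VMs in the VPC is reported twice, once by each side (reporter SRC and DEST), and the default 0.5 sampling rate means byte counts must be scaled to estimate real volume. Sample records, names and addresses are constructed.

```python
import json
from collections import Counter

DEFAULT_SAMPLING_RATE = 0.5   # VPC Flow Logs default (--logging-flow-sampling)


def _flow(src_ip, dest_ip, dest_port, bytes_sent, reporter, src_vm=None, dest_vm=None):
    """One VPC Flow Logs record as Cloud Logging exports it (constructed sample).

    The int64 counters (bytes_sent, packets_sent) come out of the export as strings,
    so consumers must cast them."""
    payload = {
        "connection": {"src_ip": src_ip, "src_port": 40000, "dest_ip": dest_ip,
                       "dest_port": dest_port, "protocol": 6},
        "reporter": reporter,                # which side of the flow wrote this record
        "bytes_sent": str(bytes_sent),
        "packets_sent": str(max(1, bytes_sent // 1400)),
    }
    if src_vm:
        payload["src_instance"] = {"vm_name": src_vm, "zone": "us-central1-a"}
    if dest_vm:
        payload["dest_instance"] = {"vm_name": dest_vm, "zone": "us-central1-a"}
    return json.dumps({"logName": "projects/demo-proj/logs/compute.googleapis.com%2Fvpc_flows",
                       "jsonPayload": payload})


MALICIOUS_IP = "198.51.100.23"   # constructed indicator

SAMPLE_FLOWS = [
    _flow("10.10.0.5", "203.0.113.50", 443, 4000, "SRC", src_vm="web-1"),
    _flow("10.10.0.5", MALICIOUS_IP, 4444, 1200, "SRC", src_vm="web-1"),             # outbound to C2
    _flow(MALICIOUS_IP, "10.10.0.5", 22, 300, "DEST", dest_vm="web-1"),              # inbound probe
    _flow("10.10.0.9", "10.10.0.5", 5432, 9000, "SRC", src_vm="db-1", dest_vm="web-1"),
    _flow("10.10.0.9", "10.10.0.5", 5432, 9000, "DEST", src_vm="db-1", dest_vm="web-1"),  # same flow, other side
    _flow("10.10.0.6", "203.0.113.50", 443, 2500, "SRC", src_vm="web-2"),
]


def parse_flows(lines):
    for line in lines:
        record = json.loads(line)
        if record.get("logName", "").endswith("compute.googleapis.com%2Fvpc_flows"):
            yield record["jsonPayload"]


def flows_involving(lines, ip):
    """Records where `ip` is the destination ("to") or the source ("from").

    Filtering on dest_ip alone misses inbound scans and replies from the address."""
    hits = []
    for p in parse_flows(lines):
        c = p["connection"]
        if c["dest_ip"] == ip:
            hits.append(("to", c["src_ip"], c["dest_port"], int(p["bytes_sent"])))
        elif c["src_ip"] == ip:
            hits.append(("from", c["dest_ip"], c["dest_port"], int(p["bytes_sent"])))
    return hits


def egress_by_instance(lines, sampling_rate=DEFAULT_SAMPLING_RATE):
    """Estimated bytes sent per VM, counting only the sender's own (reporter=SRC) record
    so intra-VPC flows are not counted twice, and scaling up for sampling."""
    sent = Counter()
    for p in parse_flows(lines):
        if p["reporter"] == "SRC" and "src_instance" in p:
            sent[p["src_instance"]["vm_name"]] += int(p["bytes_sent"])
    return {vm: int(b / sampling_rate) for vm, b in sent.items()}


def top_talkers(lines, n=5):
    """Source IPs sending the most bytes into our VMs, as seen by the receiving side."""
    inbound = Counter()
    for p in parse_flows(lines):
        if p["reporter"] == "DEST":
            inbound[p["connection"]["src_ip"]] += int(p["bytes_sent"])
    return inbound.most_common(n)


if __name__ == "__main__":
    print("flows with", MALICIOUS_IP, flows_involving(SAMPLE_FLOWS, MALICIOUS_IP))
    print("estimated egress per VM", egress_by_instance(SAMPLE_FLOWS))
    print("top talkers", top_talkers(SAMPLE_FLOWS))
```

The scaled figures are estimates: sampling is applied per flow before aggregation, so a few very large flows can dominate the real total. For cost attribution, raise the sampling rate on the subnet during the measurement window rather than trusting the extrapolation.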

32
MCQ · hard

A company has two VPC networks connected via VPC peering. They notice asymmetric routing: traffic from Network A to Network B follows one path, but return traffic from B to A takes a different path. This is causing connectivity issues for stateful firewalls. What is the likely cause?

A.The peering connection is in an inactive state
B.The firewall rules in Network A are more permissive than in Network B
C.There is a Cloud NAT configured in Network A but not in Network B
D.Both VPCs have a default route (0.0.0.0/0) pointing to different next hops
AnswerD

Different default routes can cause traffic to exit via different gateways, breaking symmetry.

Why this answer

VPC peering does not enforce symmetric routing. Asymmetry arises when the two networks do not hold matching routes for each other's ranges: one side has a custom route sending traffic for the other via a different next hop (a VPN tunnel or a NAT appliance), or both sides hold default routes (0.0.0.0/0) pointing to different next hops (one to the internet gateway, one to a VPN) and the destination falls under the default route on one side. Forward and return packets then cross different gateways, and a stateful firewall that saw only one direction drops the flow.

33
MCQ · hard

A company is using Cloud NAT for outbound traffic. They want to log when a connection fails due to resource exhaustion. Which logging feature should be enabled?

A.Cloud NAT logging with filter for errors
B.Firewall Rules logging
C.VPC Flow Logs on the subnet
D.Cloud Armor request logs
AnswerA

Cloud NAT logging captures both successful translations and errors; with the log filter set to ERRORS_ONLY (or ALL), every packet dropped because no NAT IP:port could be allocated for the VM is logged with allocation_status DROPPED.

34
MCQ · easy

A developer wants to enable VPC Flow Logs on a subnet to capture metadata about IP traffic. They want to reduce costs by logging only a sample of traffic. What is the default sampling rate for VPC Flow Logs?

A.50%
B.10%
C.100%
D.25%
AnswerA

Default is 50% sampling.

Why this answer

The default sampling rate for VPC Flow Logs is 50%. This can be adjusted to reduce costs but may miss some flows.

35
MCQ · easy

A company is using Cloud NAT to allow private VMs to access the internet. They want to troubleshoot connectivity failures and analyze connection attempts that were dropped due to NAT resource exhaustion. What should they enable?

A.VPC Flow Logs on the subnet
B.Cloud NAT logging
C.Firewall rule logging
D.Packet Mirroring
AnswerB

Cloud NAT logs record connection and allocation failures, including resource exhaustion.

Why this answer

Cloud NAT logging captures connection and allocation failures, which helps troubleshoot NAT resource exhaustion and other issues.

36
MCQ · hard

A company has two VPC networks connected via VPC Network Peering. They observe asymmetric routing causing connectivity issues. Which configuration is most likely to be the root cause?

A.One VPC has a custom route for 0.0.0.0/0 pointing to a NAT gateway.
B.One VPC has a static route pointing to the peering connection, and the other has a static route pointing to a VPN tunnel.
C.Dynamic routing mode is set to regional on both sides.
D.Both VPCs have default internet gateways.
AnswerB

This mismatch in next hops causes asymmetric routing.

Why this answer

Asymmetric routing across peering arises when the two sides hold conflicting routes for each other, such as static routes that point to different next hops (the peering on one side, a VPN tunnel on the other). Nothing in peering itself enforces symmetry, but stateful firewalls and appliances that track connections need both directions of a flow to use the same path, so the mismatch breaks connectivity.

37
MCQ · medium

A network engineer wants to capture all network traffic from a set of Compute Engine instances for security monitoring by an IDS appliance. Which Google Cloud service should be used?

A.VPC Flow Logs
B.Packet Mirroring
C.Firewall Rules logging
D.Cloud NAT logging
AnswerB

Correct: Packet Mirroring clones traffic and forwards it to monitoring tools.

Why this answer

Packet Mirroring copies traffic from designated instances and sends it to a collector (e.g., IDS appliance) for analysis.

38
MCQ · easy

An engineer needs to verify that a Compute Engine instance can reach a specific IP address on the internet, considering firewall rules and routes. Which Network Intelligence Center tool should they use?

A.Performance Dashboard
B.Firewall Insights
C.Connectivity Tests
D.Network Topology
AnswerC

Connectivity Tests is designed for this purpose.

Why this answer

Connectivity Tests allow you to test reachability between a source and a destination, checking firewall rules, routes, and VPC peering configurations.

39
MCQ · medium

A company wants to analyze HTTP load balancer access logs to understand user behavior and traffic patterns. Which approach is recommended for long-term analysis and querying?

A.Use VPC Flow Logs instead
B.View logs in the Cloud Logging dashboard
C.Export logs to BigQuery
D.Store logs in Cloud Storage and use grep
AnswerC

Correct: BigQuery enables efficient querying and analysis of large log datasets.

Why this answer

Load balancing logs can be exported to BigQuery for powerful SQL-based analysis and long-term retention.

40
MCQ · hard

A security team needs to capture all traffic to and from a specific Compute Engine instance for forensic analysis. They want to send the mirrored traffic to a third-party IDS appliance running on a separate VM in the same VPC. Which GCP feature should they use, and what is a key consideration?

A.Packet Mirroring, and the collector must be in the same VPC network as the mirrored instance
B.Firewall Rules Logging, which logs allow/deny events
C.VPC Flow Logs, since logs are stored in Stackdriver and can be exported
D.Cloud NAT logging, which logs all outbound connections
AnswerA

Packet Mirroring copies every packet; the collector is an internal passthrough Network Load Balancer in the same region, in the same or a peered VPC, and must not itself be a mirrored source.

Why this answer

Packet Mirroring clones all traffic of the mirrored instance and delivers it to a collector destination, which is the forwarding rule of an internal passthrough Network Load Balancer (created with --is-mirroring-collector) fronting the IDS VMs. Key considerations: the collector must be in the same region as the mirrored sources and in the same VPC network or one connected by VPC Network Peering (here the same VPC), the collector VMs must not themselves be mirrored sources, and mirrored traffic consumes the source VM's egress bandwidth and is billed. The other options deliver metadata or rule decisions, not the packets a forensic analysis needs.

41
Multi-Select · medium

An engineer needs to monitor Cloud NAT gateway usage for cost allocation and troubleshooting. Which TWO types of logs should they enable? (Choose TWO.)

Select 2 answers
A.Translation logs (failures)
B.VPC Flow Logs
C.Load balancer access logs
D.NAT logs (connections)
E.Firewall rules logs
AnswersA, D

Both NAT log types are needed: translation events attribute connections to VMs, and error events record allocation failures.

Why this answer

Cloud NAT logging records two kinds of events: translations, written when the gateway creates a NAT connection (with the VM, the NAT IP:port assigned and the destination), and errors, written when a packet is dropped because the VM has no free NAT IP:port (allocation_status DROPPED). The option text labels these "translation logs (failures)" and "NAT logs (connections)", but the point is the same: enable both (log filter ALL) so that connection records support cost allocation and error records support troubleshooting. VPC Flow Logs, load balancer logs and firewall logs do not see the NAT gateway's allocation decisions.
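The log-based metric and alert of questions 5, 33, 35 and this one, as an added example (not code from the page or from Google): it reads Cloud NAT log entries in the JSON shape Cloud Logging exports (logName ending in compute.googleapis.com%2Fnat_flows; jsonPayload.connection, allocation_status, gateway_identifiers, endpoint), counts allocation failures per VM and per gateway, and decides which VMs to alert on. The gateway and VM names, addresses and the sample entries are constructed.

```python
import json
from collections import Counter

NAT_LOG_SUFFIX = "compute.googleapis.com%2Fnat_flows"


def _nat_entry(vm, status, nat_port, gateway="nat-gw-us", dest_ip="203.0.113.50"):
    """One Cloud NAT log record (constructed). allocation_status is OK for a translation
    event and DROPPED for an error event (no free NAT IP:port for this VM)."""
    connection = {"src_ip": "10.10.0.5", "src_port": 50000,
                  "dest_ip": dest_ip, "dest_port": 443, "protocol": 6}
    if status == "OK":
        connection.update({"nat_ip": "192.0.2.9", "nat_port": nat_port})
    return json.dumps({
        "logName": f"projects/demo-proj/logs/{NAT_LOG_SUFFIX}",
        "jsonPayload": {
            "connection": connection,
            "allocation_status": status,
            "gateway_identifiers": {"gateway_name": gateway, "router_name": "cr-us",
                                    "region": "us-central1"},
            "endpoint": {"project_id": "demo-proj", "vm_name": vm,
                         "region": "us-central1", "zone": "us-central1-a"},
        },
    })


# Constructed sample: web-1 opens many short outbound connections and runs out of NAT ports.
SAMPLE_NAT_LOGS = [
    _nat_entry("web-1", "OK", 1024),
    _nat_entry("web-1", "OK", 1025),
    _nat_entry("web-1", "DROPPED", None),
    _nat_entry("web-1", "DROPPED", None),
    _nat_entry("web-1", "DROPPED", None),
    _nat_entry("batch-7", "OK", 2048),
    _nat_entry("batch-7", "DROPPED", None),
]


def parse_nat_entries(lines):
    for line in lines:
        record = json.loads(line)
        if record.get("logName", "").endswith(NAT_LOG_SUFFIX):
            yield record["jsonPayload"]


def nat_failure_summary(lines):
    """Counts of DROPPED events per VM and per gateway, plus the overall drop ratio.

    This is the aggregation a log-based counter metric performs for a filter such as
    logName:"nat_flows" AND jsonPayload.allocation_status="DROPPED", labelled by
    jsonPayload.endpoint.vm_name."""
    total = 0
    by_vm, by_gateway = Counter(), Counter()
    for p in parse_nat_entries(lines):
        total += 1
        if p.get("allocation_status") == "DROPPED":
            by_vm[p["endpoint"]["vm_name"]] += 1
            by_gateway[p["gateway_identifiers"]["gateway_name"]] += 1
    dropped = sum(by_vm.values())
    return {"total": total, "dropped": dropped,
            "drop_ratio": dropped / total if total else 0.0,
            "by_vm": by_vm, "by_gateway": by_gateway}


def vms_to_alert(summary, max_drops_per_vm=2):
    """VMs whose allocation failures in the window exceed the threshold."""
    return sorted(vm for vm, n in summary["by_vm"].items() if n > max_drops_per_vm)


if __name__ == "__main__":
    s = nat_failure_summary(SAMPLE_NAT_LOGS)
    print(f"{s['dropped']}/{s['total']} NAT allocations failed ({s['drop_ratio']:.0%})")
    print("alert on:", vms_to_alert(s))
```

When the alert fires for a VM, the remedy is on the gateway rather than the VM: raise the minimum ports per VM (--min-ports-per-vm), turn on dynamic port allocation, or add NAT IP addresses, and check whether the VM is leaking connections that never close.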

42
MCQ · medium

A company has deployed a global HTTP Load Balancer with Cloud CDN to serve content to users worldwide. They notice high egress costs from the origin region. What is the most cost-effective solution to reduce egress from the origin?

A.Enable Cloud CDN with general-purpose cache mode
B.Use Private Google Access
C.Increase the number of backend instances
D.Switch to a regional load balancer
AnswerA

Caching at edge reduces origin requests and egress.

Why this answer

Cloud CDN only reduces origin egress for responses it can cache. Make sure the cache mode (CACHE_ALL_STATIC, the default, USE_ORIGIN_HEADERS or FORCE_CACHE_ALL) and the origin's Cache-Control headers allow the content to be cached at Google's edge; then repeat requests are served from the edge and the origin region emits each object once per cache rather than once per request. Adding backends, Private Google Access or switching to a regional load balancer does not change the volume leaving the origin.

43
MCQ · hard

A network engineer has set up a Cloud Router with BGP for an HA VPN. The BGP session is flapping. Which log should be examined to diagnose the issue?

A.Firewall Rules logs
B.VPN tunnel logs
C.VPC Flow Logs
D.Cloud Router logs
AnswerD

Cloud Router logs BGP events, including session state changes and errors.

44
Multi-Select · medium

A security engineer wants to monitor and analyze traffic to a load-balanced web application. Which TWO services can provide detailed logs of HTTP requests and responses?

Select 2 answers
A.HTTP Load Balancer access logs
B.Cloud NAT logging
C.VPC Flow Logs
D.Firewall Rules logging
E.Cloud Armor request logs
AnswersA, E

HLB access logs show request/response details.

Why this answer

HTTP Load Balancer access logs capture request details. Cloud Armor request logs provide additional security insights. VPC Flow Logs and Firewall logs do not provide HTTP-level details.
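An added example (not code from the page or from Google) for the HTTP-level auditing of questions 23, 39 and this one: it reads external HTTP(S) load balancer request log entries in the JSON shape Cloud Logging exports (resource.type http_load_balancer, the httpRequest block, and jsonPayload.enforcedSecurityPolicy when Cloud Armor evaluated the request), lists the requests Cloud Armor denied together with the policy and rule that matched, and builds a status-code matrix per user agent. The policy name, addresses and sample requests are constructed.

```python
import json
from collections import Counter, defaultdict

POLICY = "edge-waf-policy"   # constructed Cloud Armor policy name


def _request(remote_ip, user_agent, status, url, outcome, priority):
    """One external HTTP(S) load balancer request log entry (constructed).
    enforcedSecurityPolicy is filled in by Cloud Armor; outcome is ACCEPT or DENY."""
    action = "DENY" if outcome == "DENY" else "ALLOW"
    return json.dumps({
        "logName": "projects/demo-proj/logs/requests",
        "resource": {"type": "http_load_balancer"},
        "httpRequest": {"requestMethod": "GET", "requestUrl": url, "status": status,
                        "userAgent": user_agent, "remoteIp": remote_ip, "responseSize": "512"},
        "jsonPayload": {
            "statusDetails": "denied_by_security_policy" if outcome == "DENY"
                             else "response_sent_by_backend",
            "enforcedSecurityPolicy": {"name": POLICY, "outcome": outcome,
                                       "priority": priority, "configuredAction": action},
        },
    })


# Constructed sample: a scanner hits the SQL-injection rule at priority 1000; everything
# else falls through to the default rule (priority 2147483647), which allows.
SAMPLE_REQUESTS = [
    _request("192.0.2.10", "Mozilla/5.0", 200, "https://shop.example/index.html", "ACCEPT", 2147483647),
    _request("203.0.113.7", "sqlmap/1.7", 403, "https://shop.example/login?id=1%27--", "DENY", 1000),
    _request("203.0.113.7", "sqlmap/1.7", 403, "https://shop.example/search?q=%27%20OR%201%3D1", "DENY", 1000),
    _request("198.51.100.9", "curl/8.0", 404, "https://shop.example/admin", "ACCEPT", 2147483647),
    _request("192.0.2.10", "Mozilla/5.0", 500, "https://shop.example/api/cart", "ACCEPT", 2147483647),
]


def parse_lb_entries(lines):
    for line in lines:
        record = json.loads(line)
        if record.get("resource", {}).get("type") == "http_load_balancer":
            yield record


def cloud_armor_denials(lines):
    """(client IP, URL, policy, matched rule priority) for every request Cloud Armor blocked."""
    denials = []
    for r in parse_lb_entries(lines):
        policy = r.get("jsonPayload", {}).get("enforcedSecurityPolicy")
        if policy and policy.get("outcome") == "DENY":
            denials.append((r["httpRequest"]["remoteIp"], r["httpRequest"]["requestUrl"],
                            policy["name"], policy["priority"]))
    return denials


def status_by_user_agent(lines):
    """{user agent: Counter of HTTP status codes}, the cut a BigQuery GROUP BY would give."""
    matrix = defaultdict(Counter)
    for r in parse_lb_entries(lines):
        h = r["httpRequest"]
        matrix[h["userAgent"]][h["status"]] += 1
    return dict(matrix)


def denial_sources(lines):
    """Client IPs ranked by number of Cloud Armor denials (candidates for an explicit block rule)."""
    return Counter(ip for ip, _, _, _ in cloud_armor_denials(lines)).most_common()


if __name__ == "__main__":
    for ip, url, policy, prio in cloud_armor_denials(SAMPLE_REQUESTS):
        print(f"DENY {ip} {url} by {policy} rule {prio}")
    print(status_by_user_agent(SAMPLE_REQUESTS))
    print(denial_sources(SAMPLE_REQUESTS))
```

For the compliance question, the audit record is the denials list: who was blocked, on which URL, by which policy and rule. Keeping the rule priority makes it possible to tie each block back to the rule text in effect at the time, which matters when policies are edited later.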

45
Multi-Select · hard

A company is experiencing periodic packet loss between two Compute Engine instances in the same region but different zones. They have enabled VPC Flow Logs and see that the flow records carry RTT (rtt_msec) values. Which THREE actions should they take to diagnose the issue? (Choose three.)

Select 3 answers
A.Check the Performance Dashboard for packet loss between the two zones
B.Analyze VPC Flow Logs for RTT latency values to identify congestion
C.Verify that the firewall rules are not blocking ICMP
D.Review the CPU utilization of both instances
E.Check BGP session status on the Cloud Router
AnswersA, B, D

Shows if there is underlying network packet loss.

Why this answer

VPC Flow Logs report rtt_msec, the round-trip time measured by the reporting VM, for TCP flows only; rising RTT values show which flows and which zone pair are suffering congestion. The Performance Dashboard shows whether Google's own probes see packet loss between the two zones, separating a platform problem from one local to the instances.

Instance CPU metrics show whether one VM is saturated and dropping or delaying packets itself. Firewall rules either allow or deny a flow and do not cause intermittent loss. BGP sessions on Cloud Router carry hybrid connectivity routes and play no part in traffic between two VMs inside the VPC.

46
MCQ · easy

What is the default MTU for packets sent between VMs within the same VPC network in Google Cloud?

A.8970 bytes
B.1400 bytes
C.1460 bytes
D.1500 bytes
AnswerC

The default MTU of a VPC network is 1460 bytes; it can be set per network (for example to 1500, or up to 8896 for jumbo frames), and the guest's interface MTU should match the network's value.

47
MCQ · medium

A company uses VPC Flow Logs to analyze traffic patterns. They notice that the logs show only 50% of the actual flows. What is the most likely cause?

A.The subnet does not have Flow Logs enabled.
B.The default sampling rate of 50% is applied.
C.Flow Logs are only generated for incoming traffic.
D.Logs are being filtered by a log sink.
AnswerB

VPC Flow Logs sample only 50% of flows by default.

Why this answer

By default, VPC Flow Logs sample 50% of flows. This is a known behavior and can be adjusted by configuring the sampling rate.

48
Multi-Select · medium

A company wants to reduce outbound data transfer costs from Compute Engine to the internet. Which TWO strategies are effective?

Select 2 answers
A. Enable Private Google Access on subnets
B. Deploy a Squid proxy instance to cache content
C. Use a regional external HTTP(S) load balancer instead of global
D. Move all instances to the same region
E. Implement Cloud CDN for static content
Answers: C, E

A regional LB avoids Premium Tier global routing, which is cheaper when users are local to the region.

Why this answer

Using Cloud CDN reduces egress by caching at edge. Using a regional load balancer avoids premium tier costs. Private Google Access reduces internet egress for Google APIs but not general internet traffic.

Squid proxy or in-region resources do not reduce egress.

49
MCQ · medium

An organization runs a web application on Compute Engine behind a regional external HTTP(S) load balancer. They need to log HTTP request details (e.g., user-agent, status codes) to BigQuery for analysis. Which logging feature should they enable?

A. Cloud Armor request logs
B. Load balancing access logs
C. Firewall rules logging
D. VPC Flow Logs on the subnets
Answer: B

Access logs contain request/response details and can be exported to BigQuery.

Why this answer

HTTP(S) load balancers support access logs that can be sent directly to BigQuery. You enable logging on the load balancer and configure the log sink to BigQuery.

50
MCQ · medium

A company has a VPC with 200 custom routes and wants to set up VPC peering with another VPC. The VPC peering quota limits the number of routes per VPC. What should the engineer do to avoid hitting the quota?

A. Request a VPC route quota increase
B. Use subnet routes instead of custom routes
C. Delete unused routes
D. Use a shared VPC to consolidate routes
Answer: A

The only way to go beyond the default quota is to request an increase.

Why this answer

VPC quota for routes per VPC is 200 by default. To exceed this, a quota increase request must be submitted to Google Cloud Support.

51
MCQ · hard

An organization wants to mirror all traffic from a set of Compute Engine instances to a third-party IDS appliance running on a separate instance in the same VPC. The IDS appliance must receive a copy of both ingress and egress traffic without impacting production traffic. Which Google Cloud service should they use?

A. Firewall Insights
B. VPC Flow Logs
C. Packet Mirroring
D. Cloud NAT logging
Answer: C

Packet Mirroring copies all traffic to a collector for deep packet inspection.

Why this answer

Packet Mirroring copies traffic from source instances (mirror source) to a collector (IDS appliance) for monitoring. It is designed for this purpose without affecting production.

52
Multi-Select · easy

A network engineer is troubleshooting high latency between two VM instances in different GCP regions. Which TWO tools can help identify packet loss and latency issues? (Choose TWO.)

Select 2 answers
A. VPC Flow Logs
B. Performance Dashboard
C. Network Topology
D. Connectivity Tests
E. Firewall Insights
Answers: B, D

Performance Dashboard provides latency and packet loss metrics.

Why this answer

Performance Dashboard shows latency and packet loss between regions. Connectivity Tests can also report latency and packet loss along the path.

53
MCQ · easy

A company wants to analyze VPC Flow Logs to understand which external IPs are generating the most outbound traffic. What is the most scalable way to store and query these logs?

A. BigQuery
B. Cloud Storage and analyze with gsutil
C. Cloud Logging with Logs Explorer
D. Cloud Monitoring Metrics
Answer: A

BigQuery offers scalable, SQL-based analysis of Flow Logs.

Why this answer

VPC Flow Logs can be exported to BigQuery, which provides scalable SQL analysis for large datasets. This is the recommended approach for complex queries.

54
MCQ · medium

An organization needs to reduce egress costs for a global application serving users worldwide. The application serves static content from Compute Engine instances. Which action is most cost-effective?

A. Move all instances to a single region to reduce cross-region traffic
B. Use Cloud CDN to cache content at edge locations
C. Upgrade to premium tier networking
D. Enable Private Google Access
Answer: B

Cloud CDN reduces egress by serving cached content from edge PoPs, lowering bandwidth to origin.

55
Multi-Select · hard

A company is experiencing a BGP session flap between Cloud Router and an on-premises router. Which THREE actions should the engineer take to diagnose the issue?

Select 3 answers
A. Check VPN tunnel status and IKE parameters
B. Examine Cloud Router logs for BGP state changes
C. Enable VPC Flow Logs on the subnet
D. Review Network Topology for path changes
E. Verify firewall rules allow tcp/179 between peer IPs
Answers: A, B, E

If BGP runs over a VPN tunnel, tunnel issues can cause the session to flap.

Why this answer

Check Cloud Router logs for BGP events, verify firewall rules allow BGP traffic (TCP 179), and check VPN tunnel status if using VPN. VPC Flow Logs and Network Topology are less relevant.

56
MCQ · easy

An organization is using Cloud CDN to deliver content globally. Which of the following is a primary benefit of using Cloud CDN?

A. Provides DDoS protection only
B. Increases bandwidth to the origin server
C. Eliminates the need for SSL certificates
D. Reduces latency for users by caching content at edge locations
Answer: D

Correct: Cloud CDN caches content at Google's edge locations, reducing latency and origin load.

Why this answer

Cloud CDN caches content at edge locations, reducing egress costs from the origin and improving latency for users.

57
MCQ · medium

An organization has a VPC with several subnets and wants to monitor firewall rule usage to identify rules that are overly permissive (e.g., allowing all traffic from 0.0.0.0/0). Which Google Cloud service provides this insight?

A. Cloud Monitoring
B. Firewall Insights
C. VPC Flow Logs
D. Cloud Logging
Answer: B

Firewall Insights identifies overly permissive and shadowed firewall rules.

Why this answer

Firewall Insights in Network Intelligence Center provides analytics on firewall rules, including overly permissive rules and shadowed rules.

58
MCQ · medium

A company is using a global external HTTP(S) load balancer to serve traffic from multiple regions. They notice high egress costs for traffic served to users in Asia. What change could reduce costs?

A. Switch to a regional internal load balancer
B. Enable VPC Flow Logs to analyze traffic
C. Use a regional external load balancer in Asia and enable Cloud CDN
D. Increase the number of backend instances in Asia
Answer: C

Correct: Regional LB reduces global routing costs, and CDN caches content, reducing egress from origin.

Why this answer

A regional load balancer can be used for each region where users are located, avoiding the cost of global load balancing, and Cloud CDN can cache content closer to users, reducing origin egress.

59
MCQ · medium

A company is hitting the quota for number of firewall rules per VPC network. They need to add more rules without requesting a quota increase. Which approach can reduce the number of rules?

A. Convert all deny rules to allow rules
B. Use hierarchical firewall policies at the folder level
C. Use Cloud Firewall to manage rules
D. Delete unused subnets
Answer: B

Hierarchical policies have their own quotas and can reduce VPC-level rule usage.

Why this answer

Firewall rules can be consolidated using service accounts or tags. By grouping instances with tags and applying rules to those tags, you can reduce the number of rules. Also, hierarchical firewall policies (at folder or org level) have separate quotas and can offload rules from VPC-level quotas.

60
MCQ · easy

A network engineer wants to test whether a VM in VPC A can reach a VM in VPC B that is connected via VPC peering. The engineer suspects that firewall rules or routes are blocking traffic. Which Google Cloud service should they use to test the path and identify the blocking rule?

A. Performance Dashboard
B. VPC Flow Logs
C. Connectivity Tests
D. Firewall Insights
Answer: C

Connectivity Tests is designed to test reachability and diagnose firewall/route blocking.

Why this answer

Connectivity Tests in Network Intelligence Center allows you to check reachability between source and destination endpoints, analyzing firewall rules, routes, and VPC peering configurations to identify the blocking rule.

61
MCQ · medium

A company is using VPC Flow Logs to analyze traffic patterns. They need to reduce the volume of logs by approximately 75% while still capturing representative data for troubleshooting. What is the most effective configuration change?

A. Export logs only to BigQuery instead of Stackdriver
B. Filter logs to only include traffic on port 80
C. Disable VPC Flow Logs on subnets with low traffic
D. Set the sampling rate to 0.25
Answer: D

Reducing the sampling rate from 0.5 to 0.25 halves the log volume, roughly a 75% reduction relative to logging every flow.

Why this answer

VPC Flow Logs allow the sampling rate to be configured (from 0.5 to 1.0). The default is 0.5 (50%). Setting it to 0.25 (25%) halves the log volume again, roughly a 75% reduction relative to logging every flow, while still providing representative samples.

62
MCQ · easy

A network engineer wants to see a real-time graphical representation of the topology of their VPC network, including instances, subnets, and load balancers. Which Network Intelligence Center tool should they use?

A. Performance Dashboard
B. Network Topology
C. Connectivity Tests
D. Firewall Insights
Answer: B

Network Topology displays a live graph of VPC resources.

Why this answer

Network Topology provides a visual map of your VPC network's resources and their relationships, updated in near real-time.

63
Multi-Select · medium

A company is using Cloud Router with BGP for connectivity to an on-premises network via Partner Interconnect. The BGP session is flapping. Which THREE actions should the engineer take to diagnose the issue?

Select 3 answers
A. Verify BGP timers (keepalive/hold) match on both sides
B. Review the BGP route advertisements for policy conflicts
C. Disable ECMP on Cloud Router
D. Check the MTU on the on-premises router
E. Enable VPC Flow Logs on the interconnect subnet
Answers: A, B, D

Mismatched timers cause session flaps.

Why this answer

Common causes of BGP flaps include MTU mismatch, misconfigured timers, or routing policy issues. Checking MTU, BGP timers, and route advertisements helps identify the root cause.

64
MCQ · medium

A company wants to analyze firewall rule effectiveness by identifying rules that are never hit or are shadowed. Which Network Intelligence Center tool should be used?

A. Network Topology
B. Firewall Insights
C. Performance Dashboard
D. Connectivity Tests
Answer: B

Firewall Insights provides analysis of firewall rules, including shadowed and overly permissive rules.

65
Multi-Select · medium

A security team wants to capture and analyze all DNS queries from their Compute Engine instances to detect potential data exfiltration. They have enabled VPC Flow Logs. Which TWO additional steps should they take to capture DNS query details?

Select 2 answers
A. Enable Packet Mirroring on the instances
B. Enable Cloud DNS logging
C. Enable firewall rule logging
D. Increase VPC Flow Logs sampling rate to 100%
E. Export VPC Flow Logs to BigQuery
Answers: A, B

Packet Mirroring copies all traffic, including DNS packets, for deep analysis.

Why this answer

VPC Flow Logs do not include DNS query names. To capture DNS queries, they need to enable DNS logging (which logs queries sent to Cloud DNS) or use Packet Mirroring to capture the full DNS packets for analysis.

66
MCQ · medium

A company has enabled VPC Flow Logs on a subnet with the default sample rate. They notice that only 50% of flows are being logged. What is the most likely reason?

A. Flow logs only capture TCP traffic
B. The sample rate is set to 50% by default
C. Flow logs are disabled by default on all subnets
D. The subnet is using a custom sample rate of 50%
Answer: B

Correct: The default sampling rate is 50%.

Why this answer

The default sampling rate for VPC Flow Logs is 50%. This means only half of the network flows are captured to reduce cost and volume.

67
MCQ · medium

A security team wants to capture all traffic from a Compute Engine instance for intrusion detection. Which service should be used to copy traffic to a third-party IDS appliance running on another instance?

A. Packet Mirroring
B. Firewall Rules logging
C. VPC Flow Logs
D. Cloud NAT logging
Answer: A

Packet Mirroring copies traffic from instances to a collector for analysis.

68
MCQ · hard

A network engineer is using Connectivity Tests to diagnose a reachability issue between two instances in the same VPC but different subnets. The test indicates that traffic is denied by firewall rules. However, the engineer cannot find any firewall rule denying the traffic. What is a possible explanation?

A. The subnet is in a different region
B. VPC Flow Logs are not enabled
C. The instances have external IPs
D. The firewall rule is in a different project that is not being checked
Answer: D

Correct: In shared VPC, firewall rules may be in the host project, and if not checked, they can cause denial.

Why this answer

Connectivity Tests may report the implied deny rule, which is never listed explicitly, as the reason. Firewall rules are also stateful; if return traffic is not matched, it could be denied. A common oversight, however, is that the firewall rule lives in a different project (when using Shared VPC) or that the rule has been disabled.

69
MCQ · hard

A network engineer is troubleshooting connectivity issues between two Compute Engine instances in the same VPC but different subnets (us-east1 and europe-west1). The engineer suspects an MTU issue. What is the default MTU for traffic within Google Cloud, and what MTU should the engineer expect when packets traverse the internet?

A. 1400 bytes internally, 1500 bytes internet
B. 1460 bytes internally, 1500 bytes internet
C. 1500 bytes both internally and internet
D. 1500 bytes internally, 1460 bytes internet
Answer: B

Correct: GCP internal MTU is 1460, internet standard is 1500.

Why this answer

Google Cloud uses an MTU of 1460 bytes (64 bytes less than the standard 1500) to accommodate encapsulation headers. Internet traffic typically uses a 1500-byte MTU. Fragmentation can occur when a host sends packets larger than 1460 bytes, sized for a 1500-byte path, and they must traverse the 1460-byte internal path.

70
Multi-Select · medium

An organization wants to reduce egress costs for data sent from Compute Engine instances to users worldwide. Which TWO approaches should they consider? (Choose TWO.)

Select 2 answers
A. Enable Private Google Access to avoid internet egress for Google APIs.
B. Deploy instances in multiple regions closer to users.
C. Use global load balancers instead of regional load balancers.
D. Use Cloud CDN to cache content at Google's edge locations.
E. Use Premium Tier networking to route traffic over Google's network.
Answers: B, D

Regional deployment reduces cross-region and internet egress costs.

Why this answer

Cloud CDN caches content at edge locations, reducing egress from the origin. Premium Tier networking routes traffic over Google's network, which improves performance but does not necessarily reduce egress cost; Standard Tier internet egress is cheaper than Premium Tier. Cloud CDN and Standard Tier (where acceptable) can therefore help reduce costs.

Among the listed options, Cloud CDN and deploying instances in multiple regions (to serve users locally) are the ones that reduce egress.
