Professional-Cloud-Network-Engineer無料問題集「Google Cloud Certified

質問 1

You are configuring the final elements of a migration effort where resources have been moved from on-premises to Google Cloud. While reviewing the deployed architecture, you noticed that DNS resolution is failing when queries are being sent to the on-premises environment. You log in to a Compute Engine instance, try to resolve an on-premises hostname, and the query fails. DNS queries are not arriving at the on-premises DNS server. You need to use managed services to reconfigure Cloud DNS to resolve the DNS error. What should you do?

（A）Review the existing Cloud DNS zones, and validate that there is a route in the VPC directing traffic destined to the IP address of the DNS servers. Recreate the existing DNS forwarding zones to forward all queries to the on-premises DNS servers.

（B）Ensure that the operating systems of the Compute Engine instances are configured to send DNS queries to the on-premises DNS servers directly.

（C）Validate that there is network connectivity to the on-premises environment and that the Compute Engine instances can reach other on-premises resources. If errors persist, remove the VPC Network Peerings and recreate the peerings after validating the routes.

（D）Validate that the Compute Engine instances are using the Metadata Service IP address as their resolver. Configure an outbound forwarding zone for the on-premises domain pointing to the on-premises DNS server. Configure Cloud Router to advertise the Cloud DNS proxy range to the on-premises network.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 2

You recently deployed two network virtual appliances in us-central1. Your network appliances provide connectivity to your on-premises network, 10.0.0.0/8. You need to configure the routing for your Virtual Private Cloud (VPC). Your design must meet the following requirements:
All access to your on-premises network must go through the network virtual appliances.
Allow on-premises access in the event of a single network virtual appliance failure.
Both network virtual appliances must be used simultaneously.
Which method should you use to accomplish this?

（A）Configure an internal TCP/UDP load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal load balancer as the next hop.

（B）Configure an internal HTTP(S) load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal HTTP(S) load balancer as the next hop.

（C）Configure a network load balancer for the two network virtual appliances. Configure a route for 10.0.0.0/8 with the network load balancer as the next hop.

（D）Configure two routes for 10.0.0.0/8 with different priorities, each pointing to separate network virtual appliances.

正解：B 解答を投票する

質問 3

You are responsible for enabling Private Google Access for the virtual machine (VM) instances in your Virtual Private Cloud (VPC) to access Google APIs. All VM instances have only a private IP address and need to access Cloud Storage. You need to ensure that all VM traffic is routed back to your on-premises data center for traffic scrubbing via your existing Cloud Interconnect connection. However, VM traffic to Google APIs should remain in the VPC. What should you do?

（A）Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to Private googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.
Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.

（B）Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
Create a public Cloud DNS zone with a CNAME for *.google.com to private googleapis com, create a CNAME for * googleapis.com to private googleapis com, and create an A record for Private googleapis.com that resolves to the addresses in 199.36.153 8/30.
Create a static route in your VPC for the range 199 .36.153.8/30 with the default internet gateway as the next hop.

（C）Delete the default route in your VPC.
Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to restricted googleapis.com, and create an A record for restricted googleapis com that resolves to the addresses in 199.36.153.4/30.
Create a static route in your VPC for the range 199.36.153.4/30 with the default internet gateway as the next hop.

（D）Configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP) with a lower priority (MED) than the default VPC route.
Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to private googleapis com, and create an A record for private.googleapis.com that resolves to the addresses in 199 .36.153.8/30.
Create a static route in your VPC for the range 199.36. 153.8/30 with the default internet gateway as the next hop.

正解：D 解答を投票する

質問 4

You have enabled HTTP(S) load balancing for your application, and your application developers have reported that HTTP(S) requests are not being distributed correctly to your Compute Engine Virtual Machine instances. You want to find data about how the request are being distributed.
Which two methods can accomplish this? (Choose two.)

（A）In Stackdriver Monitoring, select Resources > Metrics Explorer and search for https/request_bytes_count metric.

（B）In Stackdriver Error Reporting, look for any unacknowledged errors for the Cloud Load Balancers service.

（C）In Stackdriver Monitoring, create a new dashboard and track the https/backend_request_count metric for the load balancer.

（D）On the Load Balancer details page of the GCP Console, click on the Monitoring tab, select your backend service, and look at the graphs.

（E）In Stackdriver Monitoring, select Resources > Google Cloud Load Balancers and review the Key Metrics graphs in the dashboard.

正解：C、D 解答を投票する

質問 5

You have provisioned a Partner Interconnect connection to extend connectivity from your on-premises data center to Google Cloud. You need to configure a Cloud Router and create a VLAN attachment to connect to resources inside your VPC. You need to configure an Autonomous System number (ASN) to use with the associated Cloud Router and create the VLAN attachment.
What should you do?

（A）Use a public Google ASN 16550.

（B）Use a 2-byte private ASN 64512-65535.

（C）Use a 4-byte private ASN 4200000000-4294967294.

（D）Use a public Google ASN 15169.

正解：B 解答を投票する

質問 6

You are adding steps to a working automation that uses a service account to authenticate. You need to drive the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?

（A）Grant the read-only privilege to the service account for the Cloud Storage bucket.

（B）Grant the compute.instanceAdmin to your user account.

（C）Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.

（D）Grant the iam.serviceAccountUser to your user account.

正解：A 解答を投票する

質問 7

Your organization wants to seamlessly migrate a global external web application from Compute Engine to GKE. You need to deploy a simple, cloud-first solution that exposes both applications and sends 10% of the requests to the new application. What should you do?

（A）Configure a global external Application Load Balancer with weighted request mirroring.

（B）Configure a global external Application Load Balancer with a Service Extension that points to an application running in a VM, which controls which requests go to each application.

（C）Configure two separate global external Application Load Balancers, and use Cloud DNS geolocation routing policies.

（D）Configure a global external Application Load Balancer with weighted traffic splitting.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 8

You are designing the architecture for your organization so that clients can connect to certain Google APIs. Your plan must include a way to connect to Cloud Storage and BigQuery. You also need to ensure the traffic does not traverse the internet. You want your solution to be cloud-first and require the least amount of configuration steps. What should you do?

（A）Configure Private Google Access on the VPC resource. Create a default route to the internet.

（B）Configure a global Secure Web Proxy and remove the default route to the internet.

（C）Configure Cloud NAT and remove the default route to the internet.

（D）Configure Private Google Access on the subnet resource. Create a default route to the internet.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 9

You have just deployed your infrastructure on Google Cloud. You now need to configure the DNS to meet the following requirements:
Your on-premises resources should resolve your Google Cloud zones.
Your Google Cloud resources should resolve your on-premises zones.
You need the ability to resolve ". internal" zones provisioned by Google Cloud.
What should you do?

（A）Configure an outbound DNS server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver.

（B）Configure an outbound server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.

（C）Configure both an inbound server policy and outbound DNS forwarding zones with the target as the on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver.

（D）Configure Cloud DNS to DNS peer with your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.

正解：B 解答を投票する

質問 10

Your company has separate Virtual Private Cloud (VPC) networks in a single region for two departments: Sales and Finance. The Sales department's VPC network already has connectivity to on-premises locations using HA VPN, and you have confirmed that the subnet ranges do not overlap. You plan to peer both VPC networks to use the same HA tunnels for on-premises connectivity, while providing internet connectivity for the Google Cloud workloads through Cloud NAT. Internet access from the on-premises locations should not flow through Google Cloud. You need to propagate all routes between the Finance department and on-premises locations. What should you do?

（A）Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router's custom route advertisements to announce a default route to the on-premises locations.

（B）Peer the two VPCs, and use the default configuration for the Cloud Routers.

（C）Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router's custom route advertisements to announce the peered VPC network ranges to the on-premises locations.

（D）Peer the two VPCs, and use Cloud Router's custom route advertisements to announce the peered VPC network ranges to the on-premises locations.

正解：B 解答を投票する

質問 11

You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?

（A）Use Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred.

（B）Configure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.

（C）Use the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network.

（D）Configure VPC Flow Logs. Review the logs by filtering on the source and destination.

正解：A 解答を投票する

質問 12

You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?

（A）Manually patch some of the instances, and then perform a rolling restart on the instance group.

（B）Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.

（C）Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.

（D）Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 13

You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on- premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team's requirements?

（A）Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range.
Create a custom route that points Google's private API address range to the default internet gateway as the next hop.

（B）Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record painting to Google's private AP address range.
Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

（C）Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.
Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

（D）Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.
Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.

正解：B 解答を投票する

質問 14

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

（A）Cloud VPN

（B）Shared VPC

（C）VPC peering

（D）Cloud NAT

（E）Dedicated Interconnect

正解：A、C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 15

You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?

（A）Create a logging sink forwarding all firewall logs with no filters.

（B）Enable logging on the VM Instances that receive traffic.

（C）Enable logging on the default Deny Any Firewall Rule.

（D）Create an explicit Deny Any rule and enable logging on the new rule.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

Professional-Cloud-Network-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Network Engineer」

弊社を連絡する

関連リンク

トップ試験