Professional-Cloud-Network-Engineer無料問題集「Google Cloud Certified

質問 1

Question:
Your organization has distributed geographic applications with significant data volumes. You need to create a design that exposes the HTTPS workloads globally and keeps traffic costs to a minimum. What should you do?

（A）Deploy a regional external Application Load Balancer with Standard Network Service Tier.

（B）Deploy a regional external Application Load Balancer with Premium Network Service Tier.

（C）Deploy a global external Application Load Balancer with Premium Network Service Tier.

（D）Deploy a global external proxy Network Load Balancer with Standard Network Service Tier.

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 2

You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods.
In one of your instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?

（A）Create the appropriate master authorized network entries to allow the instance to communicate to the master.

（B）Assign a public IP address to the instance.

（C）Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.

（D）Create a route to reach the Master, pointing to the default internet gateway.

正解：A 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 3

You are designing a hybrid cloud environment. Your Google Cloud environment is interconnected with your on-premises network using HA VPN and Cloud Router in a central transit hub VPC. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88. You need to ensure that your Compute Engine resources in multiple spoke VPCs can resolve on-premises private hostnames using the domain corp.altostrat.com while also resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?

（A）Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88.
Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for 'corp.altostrat.
com' called corp-altostrat-com associated with the spoke PCs, with the hub VPC as the target.
Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

（B）Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Configure VPC peering in the spoke VPCs to peer with the hub VPC.

（C）Create a private forwarding zone in Cloud DNS for 'corp altostrat.com' called corp-altostrat-com that points to 192. 168.20.88. Associate the zone with the hub VPC.
Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
Sat a custom route advertisement on the Cloud Router for 35.199.192.0/19.Create a hub and spoke VPN deployment in each spoke VPC to connect back to the hub VPC.

（D）Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the on-premises network directly.

正解：B 解答を投票する

質問 4

You need to ensure your personal SSH key works on every instance in your project. You want to accomplish this as efficiently as possible.
What should you do?

（A）Create a custom Google Compute Engine image with your public ssh key embedded.

（B）Upload your public ssh key to each instance Metadata.

（C）Upload your public ssh key to the project Metadata.

（D）Use gcloud compute ssh to automatically copy your public ssh key to the instance.

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 5

You need to define an address plan for a future new Google Kubernetes Engine (GKE) cluster in your Virtual Private Cloud (VPC). This will be a VPC-native cluster, and the default Pod IP range allocation will be used.
You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses. Which subnet mask should you use for the Pod IP address range?

（A）/23

（B）/25

（C）/22

（D）/21

正解：D 解答を投票する

質問 6

You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content.
Compression is configured on the web servers, but responses served by Cloud CDN are not compressed.
What is the most likely cause of the problem?

（A）You have configured the web servers and Cloud CDN with different compression types.

（B）The web servers behind the load balancer are configured with different compression types.

（C）You have not configured compression in Cloud CDN.

（D）You have to configure the web servers to compress responses even if the request has a Via header.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 7

You have enabled HTTP(S) load balancing for your application, and your application developers have reported that HTTP(S) requests are not being distributed correctly to your Compute Engine Virtual Machine instances. You want to find data about how the request are being distributed.
Which two methods can accomplish this? (Choose two.)

（A）In Stackdriver Error Reporting, look for any unacknowledged errors for the Cloud Load Balancers service.

（B）In Stackdriver Monitoring, create a new dashboard and track the https/backend_request_count metric for the load balancer.

（C）On the Load Balancer details page of the GCP Console, click on the Monitoring tab, select your backend service, and look at the graphs.

（D）In Stackdriver Monitoring, select Resources > Metrics Explorer and search for https
/request_bytes_count metric.

（E）In Stackdriver Monitoring, select Resources > Google Cloud Load Balancers and review the Key Metrics graphs in the dashboard.

正解：B、C 解答を投票する

質問 8

You are planning a large application deployment in Google Cloud that includes on-premises connectivity. The application requires direct connectivity between workloads in all regions and on-premises locations without address translation, but all RFC 1918 ranges are already in use in the on-premises locations. What should you do?

（A）Use overlapping RFC 1918 ranges with multiple isolated VPC networks and Cloud NAT.

（B）Use multiple VPC networks with a transit network using VPC Network Peering.

（C）Use overlapping RFC 1918 ranges with multiple isolated VPC networks.

（D）Use non-RFC 1918 ranges with a single global VPC.

正解：D 解答を投票する

質問 9

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.
What should you do?

（A）Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.

（B）Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.

（C）Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.

（D）Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 10

You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?

（A）Using the new instance template, perform a rolling update across all instances in the instance group.
Verify the new feature once the rollout completes.

（B）Manually patch some of the instances, and then perform a rolling restart on the instance group.

（C）Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.

（D）Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 11

You deployed a hub-and-spoke architecture in your Google Cloud environment that uses VPC Network Peering to connect the spokes to the hub. For security reasons, you deployed a private Google Kubernetes Engine (GKE) cluster in one of the spoke projects with a private endpoint for the control plane. You configured authorized networks to be the subnet range where the GKE nodes are deployed. When you attempt to reach the GKE control plane from a different spoke project, you cannot access it. You need to allow access to the GKE control plane from the other spoke projects. What should you do?

（A）Add a firewall rule that allows port 443 from the other spoke projects.

（B）Deploy a proxy in the spoke project where the GKE nodes are deployed and connect to the control plane through the proxy.

（C）Configure the authorized networks to be the subnet ranges of the other spoke projects.

（D）Enable Private Google Access on the subnet where the GKE nodes are deployed.

正解：C 解答を投票する

質問 12

Your frontend application VMs and your backend database VMs are all deployed in the same VPC but across different subnets. Global network firewall policy rules are configured to allow traffic from the frontend VMs to the backend VMs. Based on a recent compliance requirement, this traffic must now be inspected by network virtual appliances (NVAs) firewalls that are deployed in the same VPC. The NVAs are configured to be full network proxies and will source NAT-allowed traffic. You need to configure VPC routing to allow the NVAs to inspect the traffic between subnets. What should you do?

（A）Create your NVA with multiple interfaces. Configure NIC0 for NVA in the backend subnet. Configure NIC1 for NVA in the frontend subnet. Place your NVAs behind an internal passthrough Network Load Balancer named ilb1. Add global network firewall policy rules to allow traffic through your NVAs.
Create a custom static route with the destination IP range of the backend VM subnet, frontend instance tag, and the next hop of ilb1. Add a frontend network tag to your frontend VMs.

（B）Place your NVAs behind an internal passthrough Network Load Balancer named ilb1. Add global network firewall policy rules to allow traffic through your NVAs. Create a policy-based route (PBR) with the source IP range of the frontend VM subnet, destination IP range of the backend VM subnet, and the next hop of ilb1. Scope the PBR to the VMs with the frontend network tag. Add a frontend network tag to your frontend servers.

（C）Place your NVAs behind an internal passthrough Network Load Balancer named ilb1. Add global network firewall policy rules to allow traffic through your NVAs. Create a custom static route with the destination IP range of the backend VM subnet, frontend instance tag, and the next hop of ilb1. Add a frontend network tag to your frontend VMs.

（D）Place your NVAs behind an internal passthrough Network Load Balancer named ilb1. Add the global network firewall policy rules to allow traffic through your NVAs. Create a policy-based route (PBR) with the source IP range of the backend VM subnet, destination IP range of the frontend VM subnet, and the next hop of ilb1. Scope the PBR to the VMs with the backend network tag. Add a backend network tag to your backend servers.

正解：B 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 13

Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?

（A）Assign members of the networking team the compute.networkUser role.

（B）Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

（C）Assign members of the networking team the compute.networkAdmin role.

（D）Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.

正解：C 解答を投票する

質問 14

You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC validating resolves are unable to resolve names in your zone.
What should you do?

（A）Update the TTL for the zone.

（B）Transfer ownership of the domain to a new registar.

（C）Disable DNSSEC at your domain registar.

（D）Set the zone to the TRANSFER state.

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 15

Question:
Your company's current network architecture has three VPC Service Controls perimeters:
* One perimeter (PERIMETER_PROD) to protect production storage buckets
* One perimeter (PERIMETER_NONPROD) to protect non-production storage buckets
* One perimeter (PERIMETER_VPC) that contains a single VPC (VPC_ONE)
In this single VPC (VPC_ONE), the IP_RANGE_PROD is dedicated to the subnets of the production workloads, and the IP_RANGE_NONPROD is dedicated to subnets of non-production workloads. Workloads cannot be created outside those two ranges. You need to ensure that production workloads can access only production storage buckets and non-production workloads can access only non-production storage buckets with minimal setup effort. What should you do?

（A）Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_NONPROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_PROD perimeter.

（B）Develop a design that uses the IP_RANGE_PROD and IP_RANGE_NONPROD perimeters to create two access levels, with each access level referencing a single range. Create two ingress access policies with each access policy referencing one of the two access levels. Update the PERIMETER_PROD and PERIMETER_NONPROD perimeters.

（C）Develop a design that creates a new VPC (VPC_NONPROD) in the same project as VPC_ONE.
Migrate all the non-production workloads from VPC_ONE to the PERIMETER_NONPROD perimeter.
Remove the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include VPC_ONE and the PERIMETER_NONPROD perimeter to include VPC_NONPROD.

（D）Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_NONPROD perimeter.

正解：B 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 16

You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.
How should you design this topology?

（A）Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.

（B）Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

（C）Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

（D）Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.

正解：D 解答を投票する

Professional-Cloud-Network-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Network Engineer」

弊社を連絡する

関連リンク

トップ試験