Professional-Cloud-Network-Engineer無料問題集「Google Cloud Certified

質問 1

You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.
During troubleshooting you find:
* Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
* The subnetwork logs are not excluded from Stackdriver.
* The instance that is hosting the application can communicate outside the subnet.
* Other instances within the subnet can communicate outside the subnet.
* The external resource initiates communication.
What is the most likely cause of the missing log lines?

（A）The traffic is not matching the expected ingress rule.

（B）The traffic is matching the expected ingress rule.

（C）The traffic is matching the expected egress rule.

（D）The traffic is not matching the expected egress rule.

正解：A 解答を投票する

質問 2

Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?

（A）Assign members of the networking team the compute.networkUser role.

（B）Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

（C）Assign members of the networking team the compute.networkAdmin role.

（D）Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.

正解：C 解答を投票する

質問 3

There are two established Partner Interconnect connections between your on-premises network and Google Cloud. The VPC that hosts the Partner Interconnect connections is named "vpc-a" and contains three VPC subnets across three regions, Compute Engine instances, and a GKE cluster. Your on-premises users would like to resolve records hosted in a Cloud DNS private zone following Google-recommended practices. You need to implement a solution that allows your on-premises users to resolve records that are hosted in Google Cloud. What should you do?

（A）Associate the private zone to "vpc-a." Create an outbound forwarding policy and associate the policy to "vpc-a." Configure the on-premises DNS servers to forward queries for the private zone to the entry point addresses created when the policy was attached to "vpc-a."

（B）Use custom route advertisements to announce 169.254.169.254 via BGP to the on-premises environment. Configure the on-premises DNS servers to forward DNS requests to 169.254.169.254.

（C）Associate the private zone to "vpc-a." Create an inbound forwarding policy and associate the policy to "vpc-a." Configure the on-premises DNS servers to forward queries for the private zone to the entry point addresses created when the policy was attached to "vpc-a."

（D）Configure a DNS proxy service inside one of the GKE clusters. Expose the DNS proxy service in GKE as an internal load balancer. Configure the on-premises DNS servers to forward queries for the private zone to the IP address of the internal load balancer.

正解：A 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 4

You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

（A）Turn on Private Google Access at the VPC level.

（B）Turn on Private Services Access at the VPC level.

（C）Turn on Private Google Access at the subnet level.

（D）Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.

（E）Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.

正解：C、D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 5

You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is configured on the web servers, but responses served by Cloud CDN are not compressed.
What is the most likely cause of the problem?

（A）You have configured the web servers and Cloud CDN with different compression types.

（B）The web servers behind the load balancer are configured with different compression types.

（C）You have not configured compression in Cloud CDN.

（D）You have to configure the web servers to compress responses even if the request has a Via header.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 6

All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?

（A）Open the Cloud Shell SSH into the instance using gcloud compute ssh.

（B）Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.

（C）Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.

（D）Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.

正解：A 解答を投票する

質問 7

You are configuring your Google Cloud environment to connect to your on-premises network. Your configuration must be able to reach Cloud Storage APIs and your Google Kubernetes Engine nodes across your private Cloud Interconnect network. You have already configured a Cloud Router with your Interconnect VLAN attachments. You now need to set up the appropriate router advertisement configuration on the Cloud Router. What should you do?

（A）Configure the route advertisement to the default setting.

（B）Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.

（C）On the on-premises router, configure a static route for the storage API virtual IP address which points to the Cloud Router's link-local IP address.

（D）Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Leave all other options as their default settings.

正解：D 解答を投票する

質問 8

Your organization has resources in two different VPCs, each in different Google Cloud projects, and requires connectivity between the resources in the two VPCs. You have already determined that there is no IP address overlap; however, one VPC uses privately used public IP (PUPI) ranges. You would like to enable connectivity between these resources by using a lower cost and higher performance method. What should you do?

（A）Create an HA VPN between the two VPCs that includes the PUPI ranges in the custom route advertisements of the Cloud Router. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.

（B）Create a VPC Network Peering connection between the two VPCs that allows the export and import of subnet routes with public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using network tags as the source filter.

（C）Create a VPC Network Peering connection between the two VPCs that allows the export and import of subnet routes with public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.

（D）Create a VPC Network Peering connection between the two VPCs that allows the export and import of custom routes for public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using service accounts as the source filter.

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 9

You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?

（A）Create a logging sink forwarding all firewall logs with no filters.

（B）Enable logging on the VM Instances that receive traffic.

（C）Enable logging on the default Deny Any Firewall Rule.

（D）Create an explicit Deny Any rule and enable logging on the new rule.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 10

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space In your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?

（A）Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected --disable-default-snat, -enable-ip-alias, and-enable-private-nodes

（B）Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and

（C）Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters

（D）Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters

正解：A 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 11

You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive dat a. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?

（A）Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.

（B）Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.

（C）Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.

（D）Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.

正解：D 解答を投票する

質問 12

Your company's Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure:
/fr/video
/en/video
/es/video
/../video
/fr/audio
/en/audio
/es/audio
/../audio
Which solution should you recommend?

（A）Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/ audio.

（B）Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.

（C）Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and
\/[a-z]{2}\/audio.

（D）Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 13

You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.
Which session affinity should you choose?

（A）Client IP and protocol

（B）Client IP, port and protocol

（C）Client IP

（D）None

正解：C 解答を投票する

質問 14

You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on- premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team's requirements?

（A）Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range.
Create a custom route that points Google's private API address range to the default internet gateway as the next hop.

（B）Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record painting to Google's private AP address range.
Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

（C）Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.
Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

（D）Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.
Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.

正解：B 解答を投票する

質問 15

You are configuring the final elements of a migration effort where resources have been moved from on-premises to Google Cloud. While reviewing the deployed architecture, you noticed that DNS resolution is failing when queries are being sent to the on-premises environment. You log in to a Compute Engine instance, try to resolve an on-premises hostname, and the query fails. DNS queries are not arriving at the on-premises DNS server. You need to use managed services to reconfigure Cloud DNS to resolve the DNS error. What should you do?

（A）Review the existing Cloud DNS zones, and validate that there is a route in the VPC directing traffic destined to the IP address of the DNS servers. Recreate the existing DNS forwarding zones to forward all queries to the on-premises DNS servers.

（B）Ensure that the operating systems of the Compute Engine instances are configured to send DNS queries to the on-premises DNS servers directly.

（C）Validate that there is network connectivity to the on-premises environment and that the Compute Engine instances can reach other on-premises resources. If errors persist, remove the VPC Network Peerings and recreate the peerings after validating the routes.

（D）Validate that the Compute Engine instances are using the Metadata Service IP address as their resolver. Configure an outbound forwarding zone for the on-premises domain pointing to the on-premises DNS server. Configure Cloud Router to advertise the Cloud DNS proxy range to the on-premises network.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 16

Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency.
How should you design this topology?

（A）Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.

（B）Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.

（C）Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.

（D）Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.

正解：A 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 17

You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?

（A）Review the VPC audit logs in Cloud Logging for the affected instances.

（B）Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.

（C）Enable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.

（D）Use Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.

正解：B 解答を投票する

Professional-Cloud-Network-Engineer 無料問題集「Google Cloud Certified - Professional Cloud Network Engineer」

弊社を連絡する

関連リンク

トップ試験