689 お客様のコメント
クリック」
質問 1:
You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.
Which two actions should you take? (Choose two.)
A. Activate the Cloud Datastore API in your project.
B. Create a custom static route to allow the traffic to reach the Cloud SQL API.
C. Enable Private Google Access.
D. Create a private connection to a service producer.
E. Activate the Service Networking API in your project.
正解:C,D
解説: (Pass4Test メンバーにのみ表示されます)
質問 2:
Question:
Your company's current network architecture has three VPC Service Controls perimeters:
* One perimeter (PERIMETER_PROD) to protect production storage buckets
* One perimeter (PERIMETER_NONPROD) to protect non-production storage buckets
* One perimeter (PERIMETER_VPC) that contains a single VPC (VPC_ONE)
In this single VPC (VPC_ONE), the IP_RANGE_PROD is dedicated to the subnets of the production workloads, and the IP_RANGE_NONPROD is dedicated to subnets of non-production workloads. Workloads cannot be created outside those two ranges. You need to ensure that production workloads can access only production storage buckets and non-production workloads can access only non-production storage buckets with minimal setup effort. What should you do?
A. Develop a design that uses the IP_RANGE_PROD and IP_RANGE_NONPROD perimeters to create two access levels, with each access level referencing a single range. Create two ingress access policies with each access policy referencing one of the two access levels. Update the PERIMETER_PROD and PERIMETER_NONPROD perimeters.
B. Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_NONPROD perimeter.
C. Develop a design that creates a new VPC (VPC_NONPROD) in the same project as VPC_ONE.
Migrate all the non-production workloads from VPC_ONE to the PERIMETER_NONPROD perimeter.
Remove the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include VPC_ONE and the PERIMETER_NONPROD perimeter to include VPC_NONPROD.
D. Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_NONPROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_PROD perimeter.
正解:A
解説: (Pass4Test メンバーにのみ表示されます)
質問 3:
You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us- east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?
A. Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header
B. Use Network Load Balancing
C. Use External HTTP(S) Load Balancing with URL Maps and custom headers
D. Use TCP Proxy Load Balancing with PROXY protocol enabled
正解:A
質問 4:
You are designing a hybrid cloud environment. Your Google Cloud environment is interconnected with your on-premises network using HA VPN and Cloud Router in a central transit hub VPC. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88. You need to ensure that your Compute Engine resources in multiple spoke VPCs can resolve on-premises private hostnames using the domain corp.altostrat.com while also resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
A. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88.
Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for 'corp.altostrat.
com' called corp-altostrat-com associated with the spoke PCs, with the hub VPC as the target.
Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
B. Create a private forwarding zone in Cloud DNS for 'corp altostrat.com' called corp-altostrat-com that points to 192. 168.20.88. Associate the zone with the hub VPC.
Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
Sat a custom route advertisement on the Cloud Router for 35.199.192.0/19.Create a hub and spoke VPN deployment in each spoke VPC to connect back to the hub VPC.
C. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the on-premises network directly.
D. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Configure VPC peering in the spoke VPCs to peer with the hub VPC.
正解:D
質問 5:
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security?
(Choose two.)
A. VPC peering
B. Shared VPC
C. Cloud VPN
D. Dedicated Interconnect
E. Cloud NAT
正解:A,C
解説: (Pass4Test メンバーにのみ表示されます)
質問 6:
You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.
During troubleshooting you find:
* Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
* The subnetwork logs are not excluded from Stackdriver.
* The instance that is hosting the application can communicate outside the subnet.
* Other instances within the subnet can communicate outside the subnet.
* The external resource initiates communication.
What is the most likely cause of the missing log lines?
A. The traffic is not matching the expected ingress rule.
B. The traffic is not matching the expected egress rule.
C. The traffic is matching the expected egress rule.
D. The traffic is matching the expected ingress rule.
正解:A
質問 7:
Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption-in-transit over the Cloud Interconnect connections. You have created a Cloud Router and two encrypted VLAN attachments that have a 5 Gbps capacity and a BGP configuration. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?
A. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments.Create a new dedicated HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels.
B. Enable MACsec on Partner Interconnect.
C. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments.
Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same encrypted Cloud Router used for the Cloud Interconnect tier.
D. Enable MACsec for Cloud Interconnect on the VLAN attachments.
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 8:
Question:
You are troubleshooting connectivity issues between Google Cloud and a public SaaS provider. Connectivity between the two environments is through the public internet. Your users are reporting intermittent connection errors when using TCP to connect; however, ICMP tests show no failures. According to users, errors occur around the same time every day. You want to troubleshoot and gather information by using Google Cloud tools that are most likely to provide insights into what is occurring within Google Cloud. What should you do?
A. Enable and review Cloud Logging for Cloud Armor. Look for logs with errors matching the destination IP address of the public SaaS provider.
B. Enable and review Cloud Logging on your Cloud NAT gateway. Look for logs with errors matching the destination IP address of the public SaaS provider.
C. Create a Connectivity Test by using TCP, the source IP address of your test VM, and the destination IP address of the public SaaS provider. Review the live data plane analysis and take the next steps based on the test results.
D. Enable the Firewall insights API. Set the deny rule insights observation period to one day. Review the insights to assure there are no firewall rules denying traffic.
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 9:
You have several VMs across multiple VPCs in your cloud environment that require access to internet endpoints. These VMs cannot have public IP addresses due to security policies, so you plan to use Cloud NAT to provide outbound internet access. Within your VPCs, you have several subnets in each region. You want to ensure that only specific subnets have access to the internet through Cloud NAT. You want to avoid any unintentional configuration issues caused by other administrators and align to Google-recommended practices. What should you do?
A. Deploy Cloud NAT in each VPC and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.
B. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet (0.0.0.0/0). Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet (0.0.0.0
/0). Deploy Cloud NAT and configure all primary and secondary subnet source ranges.
C. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet (0.0.0.0/0). Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet (0.0.0.0
/0). Deploy Cloud NAT and configure a custom source range that includes the allowed subnets.
D. Create a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.
正解:D
解説: (Pass4Test メンバーにのみ表示されます)
You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.
Which two actions should you take? (Choose two.)
A. Activate the Cloud Datastore API in your project.
B. Create a custom static route to allow the traffic to reach the Cloud SQL API.
C. Enable Private Google Access.
D. Create a private connection to a service producer.
E. Activate the Service Networking API in your project.
正解:C,D
解説: (Pass4Test メンバーにのみ表示されます)
質問 2:
Question:
Your company's current network architecture has three VPC Service Controls perimeters:
* One perimeter (PERIMETER_PROD) to protect production storage buckets
* One perimeter (PERIMETER_NONPROD) to protect non-production storage buckets
* One perimeter (PERIMETER_VPC) that contains a single VPC (VPC_ONE)
In this single VPC (VPC_ONE), the IP_RANGE_PROD is dedicated to the subnets of the production workloads, and the IP_RANGE_NONPROD is dedicated to subnets of non-production workloads. Workloads cannot be created outside those two ranges. You need to ensure that production workloads can access only production storage buckets and non-production workloads can access only non-production storage buckets with minimal setup effort. What should you do?
A. Develop a design that uses the IP_RANGE_PROD and IP_RANGE_NONPROD perimeters to create two access levels, with each access level referencing a single range. Create two ingress access policies with each access policy referencing one of the two access levels. Update the PERIMETER_PROD and PERIMETER_NONPROD perimeters.
B. Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_NONPROD perimeter.
C. Develop a design that creates a new VPC (VPC_NONPROD) in the same project as VPC_ONE.
Migrate all the non-production workloads from VPC_ONE to the PERIMETER_NONPROD perimeter.
Remove the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include VPC_ONE and the PERIMETER_NONPROD perimeter to include VPC_NONPROD.
D. Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_NONPROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_PROD perimeter.
正解:A
解説: (Pass4Test メンバーにのみ表示されます)
質問 3:
You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us- east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?
A. Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header
B. Use Network Load Balancing
C. Use External HTTP(S) Load Balancing with URL Maps and custom headers
D. Use TCP Proxy Load Balancing with PROXY protocol enabled
正解:A
質問 4:
You are designing a hybrid cloud environment. Your Google Cloud environment is interconnected with your on-premises network using HA VPN and Cloud Router in a central transit hub VPC. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88. You need to ensure that your Compute Engine resources in multiple spoke VPCs can resolve on-premises private hostnames using the domain corp.altostrat.com while also resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
A. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88.
Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for 'corp.altostrat.
com' called corp-altostrat-com associated with the spoke PCs, with the hub VPC as the target.
Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
B. Create a private forwarding zone in Cloud DNS for 'corp altostrat.com' called corp-altostrat-com that points to 192. 168.20.88. Associate the zone with the hub VPC.
Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
Sat a custom route advertisement on the Cloud Router for 35.199.192.0/19.Create a hub and spoke VPN deployment in each spoke VPC to connect back to the hub VPC.
C. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the on-premises network directly.
D. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Configure VPC peering in the spoke VPCs to peer with the hub VPC.
正解:D
質問 5:
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security?
(Choose two.)
A. VPC peering
B. Shared VPC
C. Cloud VPN
D. Dedicated Interconnect
E. Cloud NAT
正解:A,C
解説: (Pass4Test メンバーにのみ表示されます)
質問 6:
You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.
During troubleshooting you find:
* Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
* The subnetwork logs are not excluded from Stackdriver.
* The instance that is hosting the application can communicate outside the subnet.
* Other instances within the subnet can communicate outside the subnet.
* The external resource initiates communication.
What is the most likely cause of the missing log lines?
A. The traffic is not matching the expected ingress rule.
B. The traffic is not matching the expected egress rule.
C. The traffic is matching the expected egress rule.
D. The traffic is matching the expected ingress rule.
正解:A
質問 7:
Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption-in-transit over the Cloud Interconnect connections. You have created a Cloud Router and two encrypted VLAN attachments that have a 5 Gbps capacity and a BGP configuration. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?
A. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments.Create a new dedicated HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels.
B. Enable MACsec on Partner Interconnect.
C. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments.
Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same encrypted Cloud Router used for the Cloud Interconnect tier.
D. Enable MACsec for Cloud Interconnect on the VLAN attachments.
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 8:
Question:
You are troubleshooting connectivity issues between Google Cloud and a public SaaS provider. Connectivity between the two environments is through the public internet. Your users are reporting intermittent connection errors when using TCP to connect; however, ICMP tests show no failures. According to users, errors occur around the same time every day. You want to troubleshoot and gather information by using Google Cloud tools that are most likely to provide insights into what is occurring within Google Cloud. What should you do?
A. Enable and review Cloud Logging for Cloud Armor. Look for logs with errors matching the destination IP address of the public SaaS provider.
B. Enable and review Cloud Logging on your Cloud NAT gateway. Look for logs with errors matching the destination IP address of the public SaaS provider.
C. Create a Connectivity Test by using TCP, the source IP address of your test VM, and the destination IP address of the public SaaS provider. Review the live data plane analysis and take the next steps based on the test results.
D. Enable the Firewall insights API. Set the deny rule insights observation period to one day. Review the insights to assure there are no firewall rules denying traffic.
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 9:
You have several VMs across multiple VPCs in your cloud environment that require access to internet endpoints. These VMs cannot have public IP addresses due to security policies, so you plan to use Cloud NAT to provide outbound internet access. Within your VPCs, you have several subnets in each region. You want to ensure that only specific subnets have access to the internet through Cloud NAT. You want to avoid any unintentional configuration issues caused by other administrators and align to Google-recommended practices. What should you do?
A. Deploy Cloud NAT in each VPC and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.
B. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet (0.0.0.0/0). Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet (0.0.0.0
/0). Deploy Cloud NAT and configure all primary and secondary subnet source ranges.
C. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet (0.0.0.0/0). Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet (0.0.0.0
/0). Deploy Cloud NAT and configure a custom source range that includes the allowed subnets.
D. Create a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.
正解:D
解説: (Pass4Test メンバーにのみ表示されます)
羽冈** -
レビューの高評価を信じて、このProfessional-Cloud-Network-Engineer問題集を買いました。ちゃんと勉強したのは6日くらいですが、9割以上で出題されましたので、合格できました。ありがとうございました。