2026 Latest Professional-Cloud-Network-Engineer DUMPS Q&As with Explanations Verified & Correct Answers [Q30-Q53]

Professional-Cloud-Network-Engineer dumps Exam Material with 236 Questions

NEW QUESTION # 30
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non-BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?

  • A. * Create a Cloud VPN instance.
    * Create a route-based VPN tunnel.
    * Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    * Configure the appropriate static routes.
  • B. * Create a Cloud VPN instance.
    * Create a policy-based VPN tunnel.
    * Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    * Configure the appropriate static routes.
  • C. * Create a Cloud VPN instance.
    * Create a route-based VPN tunnel.
    * Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.
    * Configure the appropriate static routes.
  • D. * Create a Cloud VPN instance.
    * Create a policy-based VPN tunnel per subnet.
    * Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    * Create the appropriate static routes.

Answer: C

Explanation:
Explanation/Reference: https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing


NEW QUESTION # 31
You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.
Which two methods can you use to accomplish this? (Choose two.)

  • A. Enable Private Google Access on the VPC.
  • B. Create network peering between your VPC and BigQuery.
  • C. Enable Private Google Access on all the subnets.
  • D. Enable Private Services Access on the VPC.
  • E. Create a Cloud NAT, and route the application traffic via NAT gateway.

Answer: A,E


NEW QUESTION # 32
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?

  • A. Check the VPC flow logs for the instance.
  • B. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.
  • C. Create a new firewall rule to allow traffic from port 22, and enable logs.
  • D. Try connecting to the instance via SSH, and check the logs.

Answer: A


NEW QUESTION # 33
You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.
How should you configure the Distribution VPC?

  • A. Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.
  • B. Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.
  • C. Rename the default VPC as "Distribution" and peer it via network peering.
  • D. Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.

Answer: D

Explanation:
https://cloud.google.com/vpc/docs/vpc#ip-ranges


NEW QUESTION # 34
Your company's current network architecture has three VPC Service Controls perimeters:
* One perimeter (PERIMETER_PROD) to protect production storage buckets
* One perimeter (PERIMETER_NONPROD) to protect non-production storage buckets
* One perimeter (PERIMETER_VPC) that contains a single VPC (VPC_ONE)
In this single VPC (VPC_ONE), the IP_RANGE_PROD is dedicated to the subnets of the production workloads, and the IP_RANGE_NONPROD is dedicated to subnets of non-production workloads. Workloads cannot be created outside those two ranges. You need to ensure that production workloads can access only production storage buckets and non-production workloads can access only non-production storage buckets with minimal setup effort. What should you do?

  • A. Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_NONPROD perimeter.
  • B. Develop a design that uses the IP_RANGE_PROD and IP_RANGE_NONPROD perimeters to create two access levels, with each access level referencing a single range. Create two ingress access policies with each access policy referencing one of the two access levels. Update the PERIMETER_PROD and PERIMETER_NONPROD perimeters.
  • C. Develop a design that creates a new VPC (VPC_NONPROD) in the same project as VPC_ONE.
    Migrate all the non-production workloads from VPC_ONE to the PERIMETER_NONPROD perimeter.
    Remove the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include VPC_ONE and the PERIMETER_NONPROD perimeter to include VPC_NONPROD.
  • D. Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_NONPROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_PROD perimeter.

Answer: B

Explanation:
Using IP range-based access levels for VPC Service Controls allows segmentation of production and non-production resources within the same VPC. By creating separate access levels and ingress policies for each IP range, you ensure that only production subnets access production buckets and non-production subnets access non-production buckets, providing the required isolation.
Reference: Google Cloud - VPC Service Controls and Access Levels


NEW QUESTION # 35
You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?

  • A. Policy-based routing using the default local traffic selector
  • B. Route-based routing using default traffic selectors
  • C. Policy-based routing using a custom local traffic selector
  • D. Dynamic routing using Cloud Router

Answer: C


NEW QUESTION # 36
You are deploying GKE clusters in your organization's Google Cloud environment. The pods in these clusters need to egress directly to the internet for a majority of their communications. You need to deploy the clusters and associated networking features using the most cost-efficient approach, and following Google-recommended practices. What should you do?

  • A. Deploy the GKE cluster with public cluster nodes. Do not deploy Cloud NAT or Secure Web Proxy for the cluster.
  • B. Deploy the GKE cluster with private cluster nodes. Deploy Cloud NAT for the primary subnet of the cluster.
  • C. Deploy the GKE cluster with public cluster nodes. Deploy Secure Web Proxy, and configure the pods to use Secure Web Proxy as an HTTP(S) proxy.
  • D. Deploy the GKE cluster with private cluster nodes. Deploy Secure Web Proxy, and configure the pods to use Secure Web Proxy as an HTTP(S) proxy.

Answer: A

Explanation:
For GKE pods that need to egress directly to the internet for most of their communications, the most cost-efficient and straightforward approach is to deploy a GKE cluster with public cluster nodes. Public nodes have external IP addresses, allowing pods to directly reach the internet. This eliminates the need for additional services like Cloud NAT or Secure Web Proxy for outbound internet access, which would incur extra costs and management overhead.
Exact Extract:
"Public clusters have nodes with external IP addresses, allowing them to directly initiate connections to the internet. This is the simplest configuration for clusters that require direct internet egress for their workloads."
"When using public clusters, Cloud NAT is not required for outbound internet connectivity from the nodes or pods, as they can use their external IP addresses. This can reduce operational overhead and cost compared to private clusters that need NAT."
Reference: Google Kubernetes Engine Documentation - Cluster network configuration, Public clusters vs Private clusters


NEW QUESTION # 37
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)

  • A. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • B. setIamPolicy() via REST API
  • C. GetIamPolicy() via REST API
  • D. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
  • E. gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor

Answer: D,E


NEW QUESTION # 38
You work for a university that is migrating to Google Cloud.
These are the cloud requirements:
* On-premises connectivity with 10 Gbps
* Lowest latency access to the cloud
* Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?

  • A. Use Shared VPC, and deploy the VLAN attachments and Dedicated Interconnect in the host project.
  • B. Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Dedicated Interconnects.
  • C. Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.
  • D. Use standalone projects and deploy the VLAN attachments and Dedicated Interconnects in each of the individual projects.

Answer: A


NEW QUESTION # 39
You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.
* Always allow Secure Shell (SSH) from your corporate IP address.
* Restrict SSH access from all other IP addresses.
There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team's requirements. What should you do?

  • A. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0.
    Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.
  • B. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1.
    Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.
  • C. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1.
    Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.
  • D. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0.
    Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.

Answer: A


NEW QUESTION # 40
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range.
You want to SSH into one instance.
What should you do?

  • A. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
  • B. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
  • C. Open the Cloud Shell. SSH into the instance using gcloud compute ssh.
  • D. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.

Answer: C


NEW QUESTION # 41
You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team as efficiently as possible.
What should you do?

  • A. Create a new Custom Role for all members of the WebServices Team.
  • B. Create a new Cloud Identity Domain for the WebServices Team.
  • C. Create a G Suite Domain for the WebServices Team.
  • D. Create a Google Group for the WebServices Team.

Answer: D


NEW QUESTION # 42
You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):

You need to update the firewall rule to add the following rule to the ruleset:

You are using a new user account. You must assign the appropriate Identity and Access Management (IAM) user roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?

  • A. Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.
  • B. Assign the compute.securityAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
  • C. Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
  • D. Assign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

Answer: B


NEW QUESTION # 43
You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:
* IP ranges for pods and services must be as small as possible.
* The nodes and the master must not be reachable from the internet.
* You must be able to use kubectl commands from on-premises subnets to manage the cluster.
How should you create the GKE cluster?

  • A. * Create a private cluster that uses VPC advanced routes.
    * Set the pod and service ranges as /24.
    * Set up a network proxy to access the master.
  • B. * Create a VPC-native GKE cluster using user-managed IP ranges.
    * Enable a GKE cluster network policy, set the pod and service ranges as /24.
    * Set up a network proxy to access the master.
    * Enable master authorized networks.
  • C. * Create a VPC-native GKE cluster using user-managed IP ranges.
    * Enable privateEndpoint on the cluster master.
    * Set the pod and service ranges as /24.
    * Set up a network proxy to access the master.
    * Enable master authorized networks.
  • D. * Create a VPC-native GKE cluster using GKE-managed IP ranges.
    * Set the pod IP range as /21 and service IP range as /24.
    * Set up a network proxy to access the master.

Answer: C

Explanation:
Creating GKE private clusters with network proxies for controller access
When you create a GKE private cluster with a private cluster controller endpoint, the cluster's controller node is inaccessible from the public internet, but it needs to be accessible for administration. By default, clusters can access the controller through its private endpoint, and authorized networks can be defined within the VPC network. To access the controller from on-premises or another VPC network, however, requires additional steps. This is because the VPC network that hosts the controller is owned by Google and cannot be accessed from resources connected through another VPC network peering connection, Cloud VPN or Cloud Interconnect.
https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies


NEW QUESTION # 44
You need to migrate multiple PostgreSQL databases from your on-premises data center to Google Cloud. You want to significantly improve the performance of your databases while minimizing changes to your data schema and application code. You expect to exceed 150 TB of data per geographical region. You want to follow Google-recommended practices and minimize your operational costs. What should you do?

  • A. Migrate your data to Bigtable.
  • B. Migrate your data to Spanner.
  • C. Migrate your data to Firebase.
  • D. Migrate your data to AlloyDB.

Answer: A,C,D

Explanation:
Let's analyze each option based on the requirements: PostgreSQL compatibility, significant performance improvement, minimal schema/code changes, handling large data volumes, Google-recommended practices, and cost minimization:
A: Migrate your data to AlloyDB: AlloyDB for PostgreSQL is a fully managed, PostgreSQL-compatible database service that offers significant performance improvements over standard PostgreSQL due to its architectural optimizations. It is designed to handle large data volumes and minimizes the need for schema and application code changes as it's wire-compatible with PostgreSQL. This aligns well with the requirements for performance improvement, minimal changes, large data, and being a Google-recommended option for PostgreSQL workloads.
B: Migrate your data to Spanner: Spanner is a globally distributed, horizontally scalable database with strong consistency. While it offers excellent scalability and performance, it's not directly PostgreSQL-compatible. Migrating to Spanner would likely require significant schema and application code changes due to differences in data modeling and SQL dialect.
C: Migrate your data to Firebase: Firebase is a suite of mobile and web development tools, with its primary database offering being Firestore (a NoSQL document database) and Realtime Database. These are not PostgreSQL-compatible and would require substantial changes to the data model and application code.
D: Migrate your data to Bigtable: Bigtable is a highly scalable NoSQL wide-column store. It's not compatible with PostgreSQL and requires a completely different data model and application logic.
Therefore, AlloyDB is the most suitable option as it provides PostgreSQL compatibility for minimal migration effort, significant performance improvements, scalability for large data volumes, and is a recommended Google Cloud database service for PostgreSQL workloads.
Google Cloud Documentation References:
AlloyDB for PostgreSQL Overview: https://cloud.google.com/alloydb/docs/overview - This document highlights AlloyDB's PostgreSQL compatibility, performance benefits, scalability, and suitability for migrating existing PostgreSQL workloads.
Spanner Overview: https://cloud.google.com/spanner/docs/overview - This emphasizes Spanner's unique features and differences from traditional relational databases like PostgreSQL.
Firebase Documentation: https://firebase.google.com/docs - This outlines the features of Firebase, including Firestore and Realtime Database, highlighting their NoSQL nature and incompatibility with PostgreSQL.
Cloud Bigtable Overview: https://cloud.google.com/bigtable/docs/overview - This describes Bigtable as a NoSQL database, emphasizing its differences from relational databases like PostgreSQL.


NEW QUESTION # 45
Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with the same ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
* BGP session is not established between one on-premises router and the Cloud Router.
What is the most likely cause of this problem?

  • A. One of the VPN sessions is configured incorrectly.
  • B. A firewall is blocking the traffic across the second VPN connection.
  • C. You do not have a load balancer to load-balance the network traffic.
  • D. BGP sessions are not established between both on-premises routers and the Cloud Router.

Answer: A

Explanation:
If the VPN logs show a no-proposal-chosen error, this error indicates that Cloud VPN and your peer VPN gateway were unable to agree on a set of ciphers. For IKEv1, the set of ciphers must match exactly. For IKEv2, there must be at least one common cipher proposed by each gateway. Make sure that you use supported ciphers to configure your peer VPN gateway.
https://cloud.google.com/network-connectivity/docs/vpn/support/troubleshooting#:~:text=If%20the%20VPN%20logs%20show,of%20ciphers%20must%20match%20exactly.&text=Make%20sure%20that%20you%20use,configure%20your%20peer%20VPN%20gateway.


NEW QUESTION # 46
Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption-in-transit over the Cloud Interconnect connections. You have created a Cloud Router and two encrypted VLAN attachments that have a 5 Gbps capacity and a BGP configuration. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?

  • A. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments.
    Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same encrypted Cloud Router used for the Cloud Interconnect tier.
  • B. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Create a new dedicated HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels.
  • C. Enable MACsec on Partner Interconnect.
  • D. Enable MACsec for Cloud Interconnect on the VLAN attachments.

Answer: A

Explanation:
The correct approach is to create an HA VPN gateway and associate it with the encrypted VLAN attachments. The same Cloud Router used for BGP sessions with Cloud Interconnect can be used for the HA VPN. This configuration ensures encryption of the traffic passing over the Cloud Interconnect links.


NEW QUESTION # 47
You are an admin at XYZ organization. A few of your team members need to use BigQuery Data Transfer Service for Amazon S3. They want to automatically schedule and manage recurring load jobs from Amazon S3 into BigQuery, and they want to run the transfer job every week. They have the Amazon S3 URI for the source data, the access key ID, the secret access key, and Read permission on the data source. What permissions are required for the transfer job creators in BigQuery?

  • A. bigquery.jobs.create and bigquery.transfers.get
  • B. bigquery.transfers.update and bigquery.datasets.update
  • C. bigquery.transfer.get and bigquery.data.sets.update
  • D. bigquery.transfers.update and bigquery.transfers.get

Answer: B

Explanation:
Option A is the correct choice because the bigquery.transfers.update permission is needed to create the transfer and the bigquery.datasets.update permission is needed on the target dataset. Also, the bigquery.admin predefined Cloud IAM role includes the bigquery.transfers.update and bigquery.datasets.update permissions.
Option B is incorrect because it is not the required permission for transfer job creators.
Option C and Option D are incorrect because they are not the required permission for transfer job creators.


NEW QUESTION # 48
You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:
* IP ranges for pods and services must be as small as possible.
* The nodes and the master must not be reachable from the internet.
* You must be able to use kubectl commands from on-premises subnets to manage the cluster.
How should you create the GKE cluster?

  • A. * Create a VPC-native GKE cluster using GKE-managed IP ranges.
    * Set the pod IP range as /21 and service IP range as /24.
    * Set up a network proxy to access the master.
  • B. * Create a VPC-native GKE cluster using user-managed IP ranges.
    * Enable a GKE cluster network policy, set the pod and service ranges as /24.
    * Set up a network proxy to access the master.
    * Enable master authorized networks.
  • C. * Create a VPC-native GKE cluster using user-managed IP ranges.
    * Enable privateEndpoint on the cluster master.
    * Set the pod and service ranges as /24.
    * Set up a network proxy to access the master.
    * Enable master authorized networks.
  • D. * Create a private cluster that uses VPC advanced routes.
    * Set the pod and service ranges as /24.
    * Set up a network proxy to access the master.

Answer: B

Explanation:
Explanation/Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips


NEW QUESTION # 49
You are managing the security configuration of your company's Google Cloud organization. The Operations team needs specific permissions on both a Google Kubernetes Engine (GKE) cluster and a Cloud SQL instance. Two predefined Identity and Access Management (IAM) roles exist that contain a subset of the permissions needed by the team. You need to configure the necessary IAM permissions for this team while following Google-recommended practices. What should you do?

  • A. Grant the team the IAM roles of Kubernetes Engine Admin and Cloud SQL Admin.
  • B. Grant the team the two predefined IAM roles.
  • C. Create a custom IAM role that combines the permissions from the two relevant predefined roles.
  • D. Create a custom IAM role that includes only the required permissions from the predefined roles.

Answer: D

Explanation:
Granting more permissions than necessary violates the principle of least privilege, a fundamental security best practice. While option A grants the necessary permissions (as subsets exist in two predefined roles), it might also grant more permissions than the Operations team strictly requires for their tasks on GKE and Cloud SQL.
Option D is too broad; 'Admin' roles grant extensive permissions that likely exceed the specific needs.
Google Cloud's best practices strongly recommend adhering to the principle of least privilege. Creating a custom role allows you to precisely define the set of permissions the Operations team needs for their specific tasks on the GKE cluster and the Cloud SQL instance, without granting any unnecessary permissions. This minimizes the potential blast radius in case of accidental or malicious actions.
Google Cloud Documentation References:
IAM best practices: https://cloud.google.com/iam/docs/best-practices - This document explicitly recommends granting the minimum necessary permissions.
Creating and managing custom roles: https://cloud.google.com/iam/docs/creating-managing-custom-roles - This explains how to create roles tailored to specific job functions.
Understanding roles: https://cloud.google.com/iam/docs/understanding-roles - This outlines the concepts of predefined and custom roles and their use cases.


NEW QUESTION # 50
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.
Which level of permissions should you request?

  • A. Shared VPC Admin privileges from the Organization Admin.
  • B. Security Admin privileges from the Shared VPC Admin.
  • C. Service Project Admin privileges from the Shared VPC Admin.
  • D. Organization Admin privileges from the Organization Admin.

Answer: B


NEW QUESTION # 51
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.
What should you do?

  • A. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
  • B. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
  • C. Assign each user the compute.networkAdmin role.
  • D. Assign each user the editor role.

Answer: B

Explanation:
https://cloud.google.com/interconnect/docs/how-to/dedicated/creating-vlan-attachments


NEW QUESTION # 52
Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.
What should you do?

  • A. Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.
  • B. Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.
  • C. Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.
  • D. Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.

Answer: C

Explanation:
The global load balancer proxies the connection, so there is no trace of the session's origin IP. You should use Cloud Armor to geofence your service.
https://cloud.google.com/load-balancing/docs/https

