
Google Cloud Professional Cloud Network Engineer Practice Exam

Validates ability to design, implement, and manage Google Cloud network architectures, connectivity, and security.

Practice 678 exam-style Google Cloud Professional Cloud Network Engineer questions with full answer explanations, then take timed mock exams that score like the real thing.

• Practice questions: 678
• Questions on the real exam: 50
• Passing score: 700
• Exam length: 120 min

What the Google Cloud Professional Cloud Network Engineer exam covers

Free Google Cloud Professional Cloud Network Engineer sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 678.

  1. Question 1: Managing and Monitoring Network Operations

    A Cloud Armor security policy is attached to a backend service. The security team wants to see, per request, which Cloud Armor rule matched and whether the request was allowed, denied, or only previewed. Where do these per-request decisions appear?

    • A. In the external Application Load Balancer request logs in Cloud Logging, which include the enforced security policy and matched rule fields (Correct)
    • B. In VPC Flow Logs for the load balancer's proxy-only subnet
    • C. In Cloud Router logs for the backend region
    • D. In Cloud NAT logs for the backend instances
    ✓ Correct answer: A

    GCP networking is built on a global VPC model where VPCs span all regions while subnets are regional resources. This architecture enables flexible deployment patterns while firewall rules, routing policies, and connectivity options provide fine-grained control over traffic flow. Understanding VPC architecture, firewall rule priority and scope, Cloud Router BGP configuration, and hybrid connectivity options is essential for building resilient networks.

    Why the other options are wrong
    • B. "In VPC Flow Logs for the load balancer's proxy-only subnet" is incorrect because this option does not provide the technical solution described in the correct answer.
    • C. "In Cloud Router logs for the backend region" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "In Cloud NAT logs for the backend instances" is incorrect because this option does not provide the technical solution described in the correct answer.
  2. Question 2: Managing and Monitoring Network Operations

    Traffic to on-premises is taking the HA VPN backup path even though the Dedicated Interconnect primary is healthy. Both paths use Cloud Router BGP. Which monitoring signal would you check to confirm whether the Interconnect's learned routes have a less-preferred BGP attribute than the VPN's?

    • A. Cloud Router logs and the learned-routes view to compare the advertised MED/AS-path priorities on each path (Correct)
    • B. Cloud NAT logs to compare port allocation between paths
    • C. Firewall Rules Logging to compare allowed bytes per path
    • D. Cloud DNS query logs to compare resolution latency per path
    ✓ Correct answer: A

    GCP enables hybrid and multi-cloud architectures through Cloud Interconnect (dedicated connections) and VPN (encrypted connections over the internet). These options provide different trade-offs between cost, capacity, and reliability that must be evaluated based on workload requirements.

    Why the other options are wrong
    • B. "Cloud NAT logs to compare port allocation between paths" is incorrect because this option does not provide the technical solution described in the correct answer.
    • C. "Firewall Rules Logging to compare allowed bytes per path" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "Cloud DNS query logs to compare resolution latency per path" is incorrect because this option does not provide the technical solution described in the correct answer.
  3. Question 3: Managing and Monitoring Network Operations

    A VPC Service Controls perimeter is enforced. Developers report that a job intermittently fails to call the BigQuery API and you must confirm whether the perimeter is blocking the calls. Which log should you examine to see VPC Service Controls denials?

    • A. VPC Service Controls audit logs (policy-denied entries) in Cloud Logging, which record blocked requests and the violated perimeter (Correct)
    • B. VPC Flow Logs on the subnet running the job
    • C. Cloud NAT error logs for the egress IP
    • D. Firewall Rules Logging on the egress allow rule
    ✓ Correct answer: A

    GCP networking is built on a global VPC model where VPCs span all regions while subnets are regional resources. This architecture enables flexible deployment patterns while firewall rules, routing policies, and connectivity options provide fine-grained control over traffic flow. Understanding VPC architecture, firewall rule priority and scope, Cloud Router BGP configuration, and hybrid connectivity options is essential for building resilient networks.

    Why the other options are wrong
    • B. "VPC Flow Logs on the subnet running the job" is incorrect because this option does not provide the technical solution described in the correct answer.
    • C. "Cloud NAT error logs for the egress IP" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "Firewall Rules Logging on the egress allow rule" is incorrect because this option does not provide the technical solution described in the correct answer.
  4. Question 4: Managing and Monitoring Network Operations

    During a phased migration you want to gradually shift a percentage of production HTTP traffic from an on-premises backend to a new Google Cloud backend behind the same external Application Load Balancer, and watch error rates as you increase the share. Which URL map feature enables this controlled shift?

    • A. Weighted traffic splitting in the URL map's route action across two backend services (Correct)
    • B. Connection draining on the on-premises backend service
    • C. A Cloud Armor rate-limiting rule on the new backend
    • D. DNS round-robin between two A records
    ✓ Correct answer: A

    GCP enables hybrid and multi-cloud architectures through Cloud Interconnect (dedicated connections) and VPN (encrypted connections over the internet). These options provide different trade-offs between cost, capacity, and reliability that must be evaluated based on workload requirements.

    Why the other options are wrong
    • B. "Connection draining on the on-premises backend service" is incorrect because this option does not provide the technical solution described in the correct answer.
    • C. "A Cloud Armor rate-limiting rule on the new backend" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "DNS round-robin between two A records" is incorrect because this option does not provide the technical solution described in the correct answer.
  5. Question 5: Managing and Monitoring Network Operations (Select all that apply)

    You need long-term, queryable retention of VPC Flow Logs and firewall logs for compliance and SQL-based analysis spanning months. Which TWO Cloud Logging configurations support this most cost-effectively? (Choose TWO)

    • A. Create a log sink that routes the matching entries to a BigQuery dataset for SQL analytics (Correct)
    • B. Create a log sink that routes the matching entries to a Cloud Storage bucket for low-cost long-term archival (Correct)
    • C. Increase the default _Default log bucket retention to indefinite and query only in the Logs Explorer
    • D. Disable log sinks and rely on Packet Mirroring captures for retention
    ✓ Correct answer: A, B

    Create a log sink that routes the matching entries to a Cloud Storage bucket for low-cost long-term archival. GCP's networking services operate at different layers: L3/L4 firewall rules for basic access control, Cloud Armor for L7 DDoS protection, VPC Flow Logs for traffic analysis, and network monitoring for operational insights. Each service plays a specific role in the overall network strategy and must be configured correctly to achieve security and operational goals.

    Why the other options are wrong
    • C. "Increase the default _Default log bucket retention to indefinite and query only in the Logs Explorer" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "Disable log sinks and rely on Packet Mirroring captures for retention" is incorrect because this option does not provide the technical solution described in the correct answer.
  6. Question 6: Managing and Monitoring Network Operations

    A security review flagged that your VPC has many firewall rules accumulated over years. You want a tool that identifies rules that are never hit (unused), rules that are shadowed by higher-priority rules, and rules that are overly permissive so you can tighten them. Which Network Intelligence Center module provides these recommendations?

    • A. Firewall Insights (Correct)
    • B. Network Topology
    • C. Flow Analyzer
    • D. Performance Dashboard
    ✓ Correct answer: A

    Cloud Router, Cloud NAT, firewall rules, and connectivity services (Cloud Interconnect, VPN) form the backbone of GCP networking. Understanding how these components interact—particularly BGP routing, NAT behavior, and firewall rule evaluation order—is critical for designing networks that meet performance, security, and cost requirements.

    Why the other options are wrong
    • B. "Network Topology" is incorrect because this option does not provide the technical solution described in the correct answer.
    • C. "Flow Analyzer" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "Performance Dashboard" is incorrect because this option does not provide the technical solution described in the correct answer.
  7. Question 7: Managing and Monitoring Network Operations

    Users in europe-west1 report slow response times reaching a service backed in us-central1. Before changing any configuration, you want to confirm whether elevated inter-region latency or packet loss on Google's network is contributing. Which Network Intelligence Center module gives you this latency/loss evidence?

    • A. Performance Dashboard (Correct)
    • B. Connectivity Tests
    • C. Firewall Insights
    • D. Network Topology
    ✓ Correct answer: A

    GCP enables hybrid and multi-cloud architectures through Cloud Interconnect (dedicated connections) and VPN (encrypted connections over the internet). These options provide different trade-offs between cost, capacity, and reliability that must be evaluated based on workload requirements.

    Why the other options are wrong
    • B. "Connectivity Tests" is incorrect because this option does not provide the technical solution described in the correct answer.
    • C. "Firewall Insights" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "Network Topology" is incorrect because this option does not provide the technical solution described in the correct answer.
  8. Question 8: Managing and Monitoring Network Operations

    You want to confirm whether a recently created VPC Network Peering is actually exchanging routes and is healthy, and to be alerted to a peering that exists but has no usable routes (a suboptimal or broken configuration). Which Network Intelligence Center module automatically surfaces such peering issues?

    • A. Network Analyzer (Correct)
    • B. Performance Dashboard
    • C. Flow Analyzer
    • D. Firewall Insights
    ✓ Correct answer: A

    Network Analyzer.

    Why the other options are wrong
    • B. "Performance Dashboard" is incorrect because this option does not provide the technical solution described in the correct answer.
    • C. "Flow Analyzer" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "Firewall Insights" is incorrect because this option does not provide the technical solution described in the correct answer.

    GCP's networking services operate at different layers: L3/L4 firewall rules for basic access control, Cloud Armor for L7 DDoS protection, VPC Flow Logs for traffic analysis, and network monitoring for operational insights. Each service plays a specific role in the overall network strategy and must be configured correctly to achieve security and operational goals.
  9. Question 9: Managing and Monitoring Network Operations

    Your team wants Network Intelligence Center to continuously evaluate configuration and warn when a Cloud Router or hybrid connectivity setup is suboptimal, such as a route that will never be used or an attachment with no advertised prefixes. Which module produces these automatic findings?

    • A. Network Analyzer (Correct)
    • B. Connectivity Tests
    • C. Flow Analyzer
    • D. Performance Dashboard
    ✓ Correct answer: A

    Cloud Router, Cloud NAT, firewall rules, and connectivity services (Cloud Interconnect, VPN) form the backbone of GCP networking. Understanding how these components interact—particularly BGP routing, NAT behavior, and firewall rule evaluation order—is critical for designing networks that meet performance, security, and cost requirements.

    Why the other options are wrong
    • B. "Connectivity Tests" is incorrect because this option does not provide the technical solution described in the correct answer.
    • C. "Flow Analyzer" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "Performance Dashboard" is incorrect because this option does not provide the technical solution described in the correct answer.
  10. Question 10: Managing and Monitoring Network Operations

    You are choosing the correct Network Intelligence Center tool: you must determine, from configuration only, why a VM cannot reach a Cloud SQL instance over Private Service Connect, identifying any firewall rule or route preventing the path. Which tool should you use?

    • A. Connectivity Tests (Correct)
    • B. Network Topology
    • C. Performance Dashboard
    • D. Flow Analyzer
    ✓ Correct answer: A

    GCP enables hybrid and multi-cloud architectures through Cloud Interconnect (dedicated connections) and VPN (encrypted connections over the internet). These options provide different trade-offs between cost, capacity, and reliability that must be evaluated based on workload requirements.

    Why the other options are wrong
    • B. "Network Topology" is incorrect because this option does not provide the technical solution described in the correct answer.
    • C. "Performance Dashboard" is incorrect because this option does not provide the technical solution described in the correct answer.
    • D. "Flow Analyzer" is incorrect because this option does not provide the technical solution described in the correct answer.

Google Cloud Professional Cloud Network Engineer practice exam FAQ

How many questions are in the Google Cloud Professional Cloud Network Engineer practice exam on CertGrid?

CertGrid has 678 practice questions for Google Cloud Professional Cloud Network Engineer, covering 5 exam domains. The real Google Cloud Professional Cloud Network Engineer exam has about 50 questions.

What is the passing score for Google Cloud Professional Cloud Network Engineer?

The Google Cloud Professional Cloud Network Engineer exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official Google Cloud Professional Cloud Network Engineer exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of Google Cloud Professional Cloud Network Engineer, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice Google Cloud Professional Cloud Network Engineer for free?

Yes. You can start practicing Google Cloud Professional Cloud Network Engineer for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.