Cloud Network Engineer Practice Exam 2025: Latest Questions

Your organization wants to centrally manage DNS names for services hosted in multiple VPC networks across several projects. Workloads in each VPC must resolve the same private DNS zone names, and the configuration should be managed in one place. What should you do?

A project uses a custom-mode VPC. A team creates a new subnet but instances launched in that subnet cannot reach the internet. They confirm there is a default route (0.0.0.0/0) to the internet gateway. What is the most likely missing configuration?

You need to allow an external vendor to reach a single internal application endpoint hosted on a private VM in your VPC. The vendor has a small set of static public source IPs. You want minimal exposure and do not want to assign a public IP to the VM. What should you implement?

You have two VPC networks in the same project that must communicate privately. You want the simplest approach with minimal operational overhead and no requirement for transitive routing to a third network. What should you use?

A security team requires that all outbound traffic to the internet from private subnets be logged for auditing, including destination IP and ports. They also want to avoid public IPs on workloads. Which design best meets the requirement?

A company is building a multi-region web application. They want a single anycast VIP with global load balancing, automatic multi-region failover, and protection against L7 attacks. Backends are HTTP(S) services in multiple regions. Which load balancer should they use?

Your company uses Shared VPC. A service project team can create VM instances but cannot create firewall rules in the host project network. They need to open ingress to a new internal service between subnets. What is the recommended way to enable this while keeping centralized control?

You need to connect an on-premises data center to Google Cloud with higher availability than a single VPN tunnel. The traffic is not latency sensitive, but you want dynamic routing and automatic failover between two tunnels. What should you implement?

A global enterprise has 120 VPC networks and wants a hub-and-spoke design to simplify connectivity between VPCs and on-premises while allowing transitive routing. They also want to apply centralized security inspection for east-west traffic. Which solution best fits?

After migrating to Google Cloud, users report intermittent connectivity from a specific subnet to an internal load balancer backend. You need to determine whether packets are being dropped by firewall rules or routing issues, and you want the most direct diagnostic tool for a single connection attempt. What should you use?

You need to allow SSH access to a small set of administrator public IP addresses for all Linux VMs in a project. The VMs are in multiple VPC networks. What is the recommended approach?

A team wants to resolve private DNS names for Google APIs (for example, storage.googleapis.com) without sending traffic over the public internet. What should they configure?

You need a single internal IP address in a shared VPC that always points to the active primary instance in a two-zone active/passive application. What should you use?

A company is migrating to a hub-and-spoke architecture. They want to connect 30 VPCs across multiple projects with minimal operational overhead and full-mesh routing between VPCs. Which design is recommended?

You publish an internal HTTPS load balancer for a set of microservices. A security requirement states that only clients from specific subnets in the same VPC can reach the VIP. Which control best enforces this requirement?

A hybrid deployment uses Cloud Interconnect with BGP. Your on-premises router is advertising 0.0.0.0/0 to Google Cloud, but the Cloud Router is not learning the default route. What is the most likely cause?

You manage a service producer VPC that exposes an internal service to multiple consumer VPCs in other projects. Consumers must access the service using private IPs without VPC peering, and the producer wants to control which consumers can connect. What should you implement?

A critical workload in a subnet must route all egress traffic through an on-premises security appliance over HA VPN. Other subnets should continue using direct internet egress. What is the best way to implement this selective routing?

You need to troubleshoot intermittent packet loss between two VM instances in different subnets in the same VPC. You want to capture metadata about each hop and identify where packets are being dropped, using a managed tool. What should you use?

A financial company requires that only approved regions can be used for creating external IP addresses and Cloud NAT gateways. They want enforcement that cannot be bypassed by project owners. What should you implement?

You are planning IP address allocation for a new shared VPC that will host hundreds of workloads across many subnets. The security team requires no overlap with on-prem RFC1918 ranges and wants room for long-term growth with minimal renumbering. Which approach is most appropriate?

You need a single internal DNS name (for example, app.corp.local) to resolve to different backends depending on the consumer: clients in VPC A should reach a service in VPC A, and clients in VPC B should reach a service in VPC B. Both VPCs are in the same organization and use Cloud DNS. What should you configure?

A security incident response team needs to capture and inspect traffic between two VM instances in the same VPC subnet for a short period, without installing agents on the VMs. Which solution should you use?

Your company has two Dedicated Interconnect circuits connected to different edge availability domains, and you created two VLAN attachments (one per circuit) to the same Cloud Router. You want to ensure routes from on-prem are still advertised to Google Cloud if one circuit fails, and that traffic automatically shifts to the remaining circuit. What is the recommended design?

You deployed an Internal TCP/UDP Load Balancer (ILB) for a critical service. Clients in a different region connect over VPC Network Peering. The ILB works for clients in the same region but fails for the peered clients. The peering is ACTIVE and routes are exchanged. What is the most likely cause and the correct remediation?