Free Access to Google.Professional-Cloud-Network-Engineer.v2026-01-02.q124 with Valid Practice Test (Page 11)

Question 46

Question:
You are configuring the firewall endpoints as part of the Cloud Next Generation Firewall (Cloud NGFW) intrusion prevention service in Google Cloud. You have configured a threat prevention security profile, and you now need to create an endpoint for traffic inspection. What should you do?

A.Attach the profile to the VPC network, create a firewall endpoint within the zone, and use a firewall policy rule to apply the L7 inspection.
B.Create a firewall endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.
C.Create a firewall endpoint within the region, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.
D.Create a Private Service Connect endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Question 47

You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.
What should you do?

A.Ensure that the object you don't want to be cached anymore is not shared publicly.
B.Create a new storage bucket, and move the object you don't want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute.
C.Add an appropriate lifecycle rule on the storage bucket containing the two objects.
D.Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies.

Question 48

You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?

A.Check the VPC flow logs for the instance.
B.Try connecting to the instance via SSH, and check the logs.
C.Create a new firewall rule to allow traffic from port 22, and enable logs.
D.Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.

Question 49

You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?

A.Manually patch some of the instances, and then perform a rolling restart on the instance group.
B.Using the new instance template, perform a rolling update across all instances in the instance group.
Verify the new feature once the rollout completes.
C.Deploy a new instance group and canary the updated template in that group.
Verify the new feature in the new canary instance group, and then update the original instance group.
D.Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template.
Verify the new feature on the canary instances, and then roll forward to the rest of the instances.

Question 50