Professional Cloud Network Engineer - questions & answers
Study template for gradually building a Q&A bank. Adjust topics and structure to your plan.
Status: In progress · Questions: 40 · Notes: 40
How to use it
Every question follows the same format: short answer, explanation and steps.
- Frame the question as a real-world scenario.
- Answer in one or two sentences.
- Add detail (why, trade-offs, risks).
- List steps/diagnostics and tag it.
Question standard
A consistent structure keeps the bank readable and easy to revise.
- Question - scenario or decision point
- Short answer - 1-2 sentences
- Explanation - why this solution fits
- Steps - implementation or diagnostics
- Tags - domain, tool, priority
Status legend
Update the badge in each question to guide your review cycles.
Quick tips
- Add 1-2 references for every question.
- Write answers as if explaining to a junior engineer.
- Capture common pitfalls and anti-patterns.
Question bank
The study blocks are working drafts - adapt them to your plan or the exam guide.
Study block 1 · VPC core design
VPC topology, address planning, firewall governance, and DNS architecture.
[Question] hub-and-spoke vs mesh topology decision. Which approach is most suitable for production? Review
Options:
- A. Design and validate "hub-and-spoke vs mesh topology decision" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "hub-and-spoke vs mesh topology decision" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "hub-and-spoke vs mesh topology decision" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "hub-and-spoke vs mesh topology decision".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] host and service project boundaries in Shared VPC. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "host and service project boundaries in Shared VPC" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "host and service project boundaries in Shared VPC" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "host and service project boundaries in Shared VPC" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "host and service project boundaries in Shared VPC".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] subnet sizing for growth and isolation. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "subnet sizing for growth and isolation" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "subnet sizing for growth and isolation" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "subnet sizing for growth and isolation" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "subnet sizing for growth and isolation".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] IP overlap remediation across environments. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "IP overlap remediation across environments" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "IP overlap remediation across environments" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "IP overlap remediation across environments" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "IP overlap remediation across environments".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] hierarchical firewall policy design. Which approach is most suitable for production? Review
Options:
- A. Design and validate "hierarchical firewall policy design" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "hierarchical firewall policy design" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "hierarchical firewall policy design" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "hierarchical firewall policy design".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] Private Google Access for internal workloads. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "Private Google Access for internal workloads" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "Private Google Access for internal workloads" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "Private Google Access for internal workloads" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "Private Google Access for internal workloads".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] Cloud NAT egress governance model. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "Cloud NAT egress governance model" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "Cloud NAT egress governance model" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "Cloud NAT egress governance model" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "Cloud NAT egress governance model".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] private DNS zones and forwarding architecture. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "private DNS zones and forwarding architecture" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "private DNS zones and forwarding architecture" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "private DNS zones and forwarding architecture" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "private DNS zones and forwarding architecture".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
Study block 2 · Hybrid connectivity
VPN/Interconnect, routing policy, redundancy, and operational reliability.
[Question] HA VPN with dynamic routing via BGP. Which approach is most suitable for production? Review
Options:
- A. Design and validate "HA VPN with dynamic routing via BGP" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "HA VPN with dynamic routing via BGP" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "HA VPN with dynamic routing via BGP" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "HA VPN with dynamic routing via BGP".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] Interconnect redundancy across two locations. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "Interconnect redundancy across two locations" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "Interconnect redundancy across two locations" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "Interconnect redundancy across two locations" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "Interconnect redundancy across two locations".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] route advertisement and import filtering policy. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "route advertisement and import filtering policy" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "route advertisement and import filtering policy" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "route advertisement and import filtering policy" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "route advertisement and import filtering policy".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] on-prem access to Private Service Connect endpoints. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "on-prem access to Private Service Connect endpoints" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "on-prem access to Private Service Connect endpoints" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "on-prem access to Private Service Connect endpoints" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "on-prem access to Private Service Connect endpoints".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] hybrid connectivity failover test process. Which approach is most suitable for production? Review
Options:
- A. Design and validate "hybrid connectivity failover test process" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "hybrid connectivity failover test process" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "hybrid connectivity failover test process" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "hybrid connectivity failover test process".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] MTU and MSS tuning across hybrid paths. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "MTU and MSS tuning across hybrid paths" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "MTU and MSS tuning across hybrid paths" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "MTU and MSS tuning across hybrid paths" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "MTU and MSS tuning across hybrid paths".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] Cloud Router route policy controls. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "Cloud Router route policy controls" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "Cloud Router route policy controls" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "Cloud Router route policy controls" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "Cloud Router route policy controls".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] Partner vs Dedicated Interconnect decision. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "Partner vs Dedicated Interconnect decision" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "Partner vs Dedicated Interconnect decision" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "Partner vs Dedicated Interconnect decision" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "Partner vs Dedicated Interconnect decision".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
Study block 3 · Traffic & load balancing
Traffic control, load balancing, TLS policy, and migration traffic cutovers.
[Question] global external load balancer design choice. Which approach is most suitable for production? Review
Options:
- A. Design and validate "global external load balancer design choice" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "global external load balancer design choice" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "global external load balancer design choice" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "global external load balancer design choice".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] internal load balancing for east-west traffic. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "internal load balancing for east-west traffic" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "internal load balancing for east-west traffic" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "internal load balancing for east-west traffic" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "internal load balancing for east-west traffic".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] Traffic Director for service-to-service routing. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "Traffic Director for service-to-service routing" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "Traffic Director for service-to-service routing" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "Traffic Director for service-to-service routing" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "Traffic Director for service-to-service routing".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] TLS policy and HTTPS redirect enforcement. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "TLS policy and HTTPS redirect enforcement" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "TLS policy and HTTPS redirect enforcement" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "TLS policy and HTTPS redirect enforcement" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "TLS policy and HTTPS redirect enforcement".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] Cloud CDN caching and invalidation strategy. Which approach is most suitable for production? Review
Options:
- A. Design and validate "Cloud CDN caching and invalidation strategy" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "Cloud CDN caching and invalidation strategy" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "Cloud CDN caching and invalidation strategy" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "Cloud CDN caching and invalidation strategy".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] weighted traffic migration during cutover. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "weighted traffic migration during cutover" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "weighted traffic migration during cutover" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "weighted traffic migration during cutover" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "weighted traffic migration during cutover".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] health-check design for multi-region backends. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "health-check design for multi-region backends" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "health-check design for multi-region backends" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "health-check design for multi-region backends" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "health-check design for multi-region backends".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] latency routing using an Anycast frontend. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "latency routing using an Anycast frontend" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "latency routing using an Anycast frontend" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "latency routing using an Anycast frontend" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "latency routing using an Anycast frontend".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
Study block 4 · Security & segmentation
Network segmentation, perimeter controls, WAF, and secure application access.
[Question] microsegmentation using tags and service accounts. Which approach is most suitable for production? Review
Options:
- A. Design and validate "microsegmentation using tags and service accounts" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "microsegmentation using tags and service accounts" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "microsegmentation using tags and service accounts" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "microsegmentation using tags and service accounts".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] zero-trust ingress model for private applications. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "zero-trust ingress model for private applications" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "zero-trust ingress model for private applications" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "zero-trust ingress model for private applications" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
Steps:
- Define target SLI/SLO and acceptance criteria for "zero-trust ingress model for private applications".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] Cloud Armor WAF rule tuning workflow. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "Cloud Armor WAF rule tuning workflow" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "Cloud Armor WAF rule tuning workflow" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "Cloud Armor WAF rule tuning workflow" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "Cloud Armor WAF rule tuning workflow".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] VPC Service Controls with restricted APIs. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "VPC Service Controls with restricted APIs" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "VPC Service Controls with restricted APIs" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "VPC Service Controls with restricted APIs" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "VPC Service Controls with restricted APIs".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] DDoS response architecture and runbook. Which approach is most suitable for production? Review
Options:
- A. Design and validate "DDoS response architecture and runbook" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "DDoS response architecture and runbook" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "DDoS response architecture and runbook" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "DDoS response architecture and runbook".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] Private Service Connect producer-consumer isolation. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "Private Service Connect producer-consumer isolation" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "Private Service Connect producer-consumer isolation" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "Private Service Connect producer-consumer isolation" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "Private Service Connect producer-consumer isolation".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] egress allowlist and FQDN control strategy. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "egress allowlist and FQDN control strategy" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "egress allowlist and FQDN control strategy" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "egress allowlist and FQDN control strategy" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "egress allowlist and FQDN control strategy".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] IAP-based admin access without a bastion host. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "IAP-based admin access without a bastion host" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "IAP-based admin access without a bastion host" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "IAP-based admin access without a bastion host" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "IAP-based admin access without a bastion host".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
Study block 5 · Operations & troubleshooting
Monitoring, diagnostics, troubleshooting, and safe network change management.
[Question] packet mirroring for network incident investigation. Which approach is most suitable for production? Review
Options:
- A. Design and validate "packet mirroring for network incident investigation" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "packet mirroring for network incident investigation" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "packet mirroring for network incident investigation" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "packet mirroring for network incident investigation".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] VPC flow logs sampling strategy. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "VPC flow logs sampling strategy" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "VPC flow logs sampling strategy" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "VPC flow logs sampling strategy" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "VPC flow logs sampling strategy".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] automated connectivity tests in CI. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "automated connectivity tests in CI" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "automated connectivity tests in CI" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "automated connectivity tests in CI" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "automated connectivity tests in CI".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] DNS outage triage process. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "DNS outage triage process" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "DNS outage triage process" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "DNS outage triage process" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "DNS outage triage process".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] BGP flapping diagnosis. Which approach is most suitable for production? Review
Options:
- A. Design and validate "BGP flapping diagnosis" in a controlled environment with SLO metrics, rollback, and security guardrails.
- B. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: A. Design and validate "BGP flapping diagnosis" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "BGP flapping diagnosis" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "BGP flapping diagnosis".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] asymmetric routing troubleshooting. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Design and validate "asymmetric routing troubleshooting" in a controlled environment with SLO metrics, rollback, and security guardrails.
- C. Rely solely on the public internet without redundant paths.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: B. Design and validate "asymmetric routing troubleshooting" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "asymmetric routing troubleshooting" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "asymmetric routing troubleshooting".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] network latency SLO monitoring. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Design and validate "network latency SLO monitoring" in a controlled environment with SLO metrics, rollback, and security guardrails.
- D. Change routing/firewall rules directly in production without validation or rollback.
Short answer: C. Design and validate "network latency SLO monitoring" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "network latency SLO monitoring" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "network latency SLO monitoring".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question
[Question] firewall rule change management workflow. Which approach is most suitable for production? Review
Options:
- A. Open broad 0.0.0.0/0 access and postpone segmentation for later.
- B. Rely solely on the public internet without redundant paths.
- C. Change routing/firewall rules directly in production without validation or rollback.
- D. Design and validate "firewall rule change management workflow" in a controlled environment with SLO metrics, rollback, and security guardrails.
Short answer: D. Design and validate "firewall rule change management workflow" in a controlled environment with SLO metrics, rollback, and security guardrails.
Explanation: For "firewall rule change management workflow" this option is best because it combines controlled validation, impact measurement, governance enforcement, and safe rollback capability.
- Define target SLI/SLO and acceptance criteria for "firewall rule change management workflow".
- Implement the change through IaC/automation and validate it in non-production.
- Roll out gradually (canary/rolling), monitor key metrics, and keep rollback runbooks ready.
Source: Cloudpeakify original question