- A
Establish a Cloud VPN connection and use Identity-Aware Proxy for access
Why wrong: Cloud VPN provides encrypted connectivity but may not meet low-latency requirements and does not solve incompatible routing protocols.
- B
Directly peer with Google using Carrier Peering
Why wrong: Carrier Peering does not provide encryption or fine-grained access controls, and may not support SLA.
- C
Deploy Dedicated Interconnect, use Cloud VPN for encryption, and VPC Service Controls for access
Dedicated Interconnect offers low latency, Cloud VPN adds encryption, and VPC Service Controls enforce access policies, meeting all requirements.
- D
Use a third-party VPN appliance on a Compute Engine instance and configure firewall rules
Why wrong: Third-party VPN adds management overhead; still uses public internet, risking latency and inconsistent performance.
Cloud Digital Leader Practice Question: A large financial institution has a hybrid cloud…
This GCDL practice question tests your understanding of gcdl exam topics. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A large financial institution has a hybrid cloud strategy with sensitive data stored on-premises and customer-facing applications in Google Cloud. They need low-latency access between on-premises databases and cloud applications, but also require encryption in transit and strong access controls. The on-premises network uses non-google-compatible routing protocols. Which solution should they implement?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Deploy Dedicated Interconnect, use Cloud VPN for encryption, and VPC Service Controls for access
Option C is correct because Dedicated Interconnect provides a dedicated, low-latency connection between on-premises and Google Cloud, essential for the hybrid cloud requirement. While the on-premises network uses non-Google-compatible routing protocols internally, Dedicated Interconnect requires BGP peering at the interconnect points. This BGP session is separate from the internal routing protocols; the on-premises routers can be configured to run BGP toward Google while still using their own protocols for internal routing. Cloud VPN over the interconnect adds IPSec encryption in transit for sensitive data, and VPC Service Controls enforce strong access controls by preventing data exfiltration from managed services. Options A, B, and D do not meet all requirements: Cloud VPN alone (A) uses the public internet, lacking low-latency guarantees; Carrier Peering (B) is not suitable for low-latency or encryption without a VPN; and a third-party VPN appliance (D) introduces complexity and may not guarantee low latency.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Establish a Cloud VPN connection and use Identity-Aware Proxy for access
Why it's wrong here
Cloud VPN provides encrypted connectivity but may not meet low-latency requirements and does not solve incompatible routing protocols.
- ✗
Directly peer with Google using Carrier Peering
Why it's wrong here
Carrier Peering does not provide encryption or fine-grained access controls, and may not support SLA.
- ✓
Deploy Dedicated Interconnect, use Cloud VPN for encryption, and VPC Service Controls for access
Why this is correct
Dedicated Interconnect offers low latency, Cloud VPN adds encryption, and VPC Service Controls enforce access policies, meeting all requirements.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Use a third-party VPN appliance on a Compute Engine instance and configure firewall rules
Why it's wrong here
Third-party VPN adds management overhead; still uses public internet, risking latency and inconsistent performance.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Google Cloud often tests the misconception that Cloud VPN alone is sufficient for low-latency hybrid connections, but the trap here is that Cloud VPN uses the public internet, which cannot guarantee low latency, whereas Dedicated Interconnect provides a dedicated, low-latency link.
Detailed technical explanation
How to think about this question
Dedicated Interconnect uses BGP for dynamic routing and supports up to 10 Gbps per circuit, with latency as low as 1-2 ms within the same metro. Cloud VPN over Interconnect (IPsec with IKEv2) adds encryption without significant latency overhead, and VPC Service Controls use context-aware access policies (e.g., based on identity, device, and network) to prevent data exfiltration via VPC peering or the internet. In practice, this hybrid setup is common for financial institutions requiring PCI-DSS compliance, where the interconnect provides the SLA-backed connection and VPC Service Controls enforce perimeter security.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
Quick reference
Routing Protocol Comparison
| Protocol | Metric | Max Hops | Algorithm | Type |
|---|---|---|---|---|
| RIP v2 | Hop count | 15 | Bellman-Ford | Distance vector |
| OSPF | Cost (bandwidth) | Unlimited | Dijkstra (SPF) | Link state |
| EIGRP | Composite metric | Unlimited | DUAL | Hybrid |
| IS-IS | Cost | Unlimited | Dijkstra | Link state |
| BGP | Policy / attributes | Unlimited | Path vector | Path vector |
RIP's 15-hop limit makes it unsuitable for large networks. OSPF and EIGRP dominate modern enterprise deployments.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Related practice questions
Related GCDL practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Why Cloud Technology Can Transform Business practice questions
Practise GCDL questions linked to Why Cloud Technology Can Transform Business.
Fundamental Cloud Concepts practice questions
Practise GCDL questions linked to Fundamental Cloud Concepts.
Google Cloud Security practice questions
Practise GCDL questions linked to Google Cloud Security.
How Google Cloud Resources Are Managed practice questions
Practise GCDL questions linked to How Google Cloud Resources Are Managed.
Google Cloud Products and Services practice questions
Practise GCDL questions linked to Google Cloud Products and Services.
Why cloud technology is transforming business practice questions
Practise GCDL questions linked to Why cloud technology is transforming business.
Google Cloud products, services, and solutions practice questions
Practise GCDL questions linked to Google Cloud products, services, and solutions.
Scaling with Google Cloud operations practice questions
Practise GCDL questions linked to Scaling with Google Cloud operations.
Trust and security with Google Cloud practice questions
Practise GCDL questions linked to Trust and security with Google Cloud.
GCDL fundamentals practice questions
Practise GCDL questions linked to GCDL fundamentals.
GCDL scenario practice questions
Practise GCDL questions linked to GCDL scenario.
GCDL troubleshooting practice questions
Practise GCDL questions linked to GCDL troubleshooting.
Practice this exam
Start a free GCDL practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this GCDL question test?
Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Deploy Dedicated Interconnect, use Cloud VPN for encryption, and VPC Service Controls for access — Option C is correct because Dedicated Interconnect provides a dedicated, low-latency connection between on-premises and Google Cloud, essential for the hybrid cloud requirement. While the on-premises network uses non-Google-compatible routing protocols internally, Dedicated Interconnect requires BGP peering at the interconnect points. This BGP session is separate from the internal routing protocols; the on-premises routers can be configured to run BGP toward Google while still using their own protocols for internal routing. Cloud VPN over the interconnect adds IPSec encryption in transit for sensitive data, and VPC Service Controls enforce strong access controls by preventing data exfiltration from managed services. Options A, B, and D do not meet all requirements: Cloud VPN alone (A) uses the public internet, lacking low-latency guarantees; Carrier Peering (B) is not suitable for low-latency or encryption without a VPN; and a third-party VPN appliance (D) introduces complexity and may not guarantee low latency.
What should I do if I get this GCDL question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Keep practising
More GCDL practice questions
- A DevOps team wants to adopt GitOps practices for managing their Google Cloud infrastructure. Which combination of tools…
- A startup is building an application that sends daily promotional push notifications to millions of mobile users on both…
- An organization's leadership wants to foster a 'fail fast' culture to accelerate innovation. A cloud environment directl…
- A company's on-premises applications occasionally need more compute capacity than their own infrastructure can provide (…
- A digital media company hosts video content globally. They want to reduce origin server load and deliver content faster…
- A security audit finds that a company's application service accounts have been granted broad IAM roles (e.g., Storage Ad…
Last reviewed: Jun 30, 2026
This GCDL practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the GCDL exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.