Implementing hybrid interconnectivity · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is that VPC peering does not automatically propagate routes to Cloud Router, which is the most likely cause of the issue. In Google Cloud, VPC peering establishes a direct, non-transitive connection between two VPCs, meaning routes learned via peering are not automatically injected into the VPC’s dynamic routing table used by Cloud Router for BGP advertisement. Since the Cloud Router in us-central1 only advertises routes explicitly present in that VPC’s routing table—and peering routes are not imported there—the on-premises router never receives a route for 172.17.0.0/16, even though no firewall rules block traffic. This scenario tests your understanding of the VPC peering transitive routing limitation, a common trap on the Google Professional Cloud Network Engineer exam where candidates assume peering routes propagate through Cloud Router to on-premises. Remember: peering is point-to-point and non-transitive; Cloud Router only sees routes from its own VPC’s subnets or custom advertised ranges, not from peered networks. A useful memory tip is “Peering is private, not propagated—Cloud Router needs explicit routes to be advertised.”

PCNE Implementing hybrid interconnectivity Practice Question

This PCNE practice question tests your understanding of implementing hybrid interconnectivity. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A large e-commerce company has a hybrid cloud setup with a Dedicated Interconnect between their on-premises data center in Dallas and Google Cloud us-central1 region. They have a single VLAN attachment with a Cloud Router that uses BGP to exchange routes. The on-premises network uses 10.0.0.0/8, and Google Cloud VPC uses 172.16.0.0/16. They recently deployed a new application in us-west1 that uses IP range 172.17.0.0/16. They created a VPC peering between the us-central1 VPC and the us-west1 VPC. On-premises users can reach the us-central1 workloads but cannot reach the us-west1 application. There are no firewall rules blocking traffic. The on-premises router has a default route pointing to the Interconnect. What is the most likely cause of the issue?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.


Correct answer & explanation

The Cloud Router does not have routes for 172.17.0.0/16 because VPC peering does not automatically propagate routes to Cloud Router

The issue is that VPC peering does not automatically propagate routes from the peered VPC (us-west1, 172.17.0.0/16) to the Cloud Router that is used for the Dedicated Interconnect. Cloud Router only learns routes that are present in the VPC’s routing table and that are explicitly advertised via BGP. Since VPC peering routes are not automatically imported into the VPC’s dynamic routing table for Cloud Router, the on-premises router never receives a route for 172.17.0.0/16, even though there are no firewall blocks.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The Cloud Router does not have routes for 172.17.0.0/16 because VPC peering does not automatically propagate routes to Cloud Router

    Why this is correct

    VPC peering does not propagate routes to on-premises via Cloud Router; you must use a separate VLAN attachment or VPN in us-west1.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • BGP is not configured between Cloud Router and us-west1 VPC

    Why it's wrong here

    Cloud Router is in us-central1; BGP is not needed for VPC peering.

  • Firewall rules in us-west1 are blocking traffic from the on-premises IP range

    Why it's wrong here

    The stem says no firewall rules are blocking traffic.

  • The Dedicated Interconnect is only available in us-central1 and cannot reach us-west1

    Why it's wrong here

    Interconnect is regional, but VPC peering should allow connectivity if routes are propagated.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates assume VPC peering automatically makes all peered networks reachable from on-premises via the Interconnect, forgetting that Cloud Router only advertises routes that are explicitly in the VPC’s routing table and not those learned through peering unless custom advertisement is set up.

Detailed technical explanation

How to think about this question

Cloud Router uses dynamic route exchange with on-premises routers via BGP, but it only advertises routes that are in the VPC’s effective routes. VPC peering adds routes to the VPC’s routing table, but those routes are not automatically included in the Cloud Router’s BGP advertisements unless custom route advertisements are configured. Additionally, the on-premises router’s default route pointing to the Interconnect does not help because the destination 172.17.0.0/16 is more specific and requires an explicit route.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.



About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

1 more way this is tested on PCNE

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Your company has two on-premises data centers, DC1 and DC2, each connected to a separate Google Cloud VPC via Dedicated Interconnect. Both VPCs are connected via VPC Network Peering. A new application deployed in VPC1 needs to communicate with a database in DC2. The database IP range is 10.0.0.0/16. You have configured firewall rules to allow the traffic. However, the application cannot reach the database. You have verified that routes for 10.0.0.0/16 exist in VPC1's route table with next hop to VPC Peering, and in VPC2's route table with next hop to the interconnect attachment. The BGP sessions on both interconnects are up. What is the most likely reason for the connectivity failure?

easy
  • A. The route for 10.0.0.0/16 in VPC1 is not imported correctly from VPC Peering
  • B. VPC Network Peering does not support transitive routing through a peered VPC
  • C. BGP session on the interconnect between VPC2 and DC2 is down
  • D. Firewall rules in VPC2 are blocking traffic

Why B: VPC Network Peering does not support transitive routing. In this topology, VPC1 is peered with VPC2, but traffic from VPC1 to DC2 must pass through VPC2 and then over the interconnect. Since VPC1's route for 10.0.0.0/16 points to the VPC peering as next hop, VPC1 expects the traffic to be forwarded directly to VPC2. However, VPC2 cannot forward that traffic to DC2 because Google Cloud VPC peering does not allow a peered VPC to act as a transit hub; each VPC can only communicate directly with its peer, not with resources reachable through that peer. This is a fundamental limitation of VPC Network Peering, which is non-transitive.

Last reviewed: Jun 11, 2026
