Google Professional Cloud Network Engineer (PCNE) — Questions 175

497 questions total · 7 pages · All types, answers revealed

Page 1 of 7

Question 1 · MCQ · medium

A company is deploying an internal load balancer (ILB) in a VPC to distribute traffic among backend instances in a managed instance group. The ILB should only be accessible from within the VPC. Which of the following is a required step when configuring the ILB?

A. Assign a static external IP address to the forwarding rule.
B. Upload an SSL certificate to the load balancer.
C. Specify a subnet in the same region as the backend instances.
D. Create a Cloud NAT gateway for the backend instances.
Answer: C

The ILB's IP is allocated from a subnet in the same region.

Why this answer

An internal load balancer (ILB) in GCP requires a regional forwarding rule that routes traffic to backend instances within the same VPC. Specifying a subnet in the same region as the backend instances is mandatory because the ILB's internal IP address is allocated from that subnet, and the forwarding rule must reference a subnet to enable internal-only routing. Without a subnet, the ILB cannot be provisioned as an internal load balancer.

Exam trap

Google Cloud often tests the misconception that an internal load balancer requires an external IP or SSL termination, but the key requirement is specifying a subnet in the same region as the backends for internal IP allocation.

How to eliminate wrong answers

Option A is wrong because an internal load balancer uses an internal IP address, not an external one; assigning a static external IP would make it an external load balancer, which is not required for internal-only access. Option B is wrong because SSL certificates are only needed for HTTPS/SSL proxy load balancers, not for internal TCP/UDP load balancers, which operate at Layer 4 and do not terminate TLS. Option D is wrong because Cloud NAT is used to provide outbound internet access for instances without external IPs, but it is unrelated to inbound traffic distribution via an internal load balancer.
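As an added example (not from the original page), the Terraform resources for this setup: an internal passthrough Network Load Balancer whose forwarding rule names a subnet in the backends' region and carries no external address. Region, network, subnet and the managed instance group self link are assumptions, and a firewall rule admitting health-check probes from 35.191.0.0/16 and 130.211.0.0/22 to the backends is assumed to exist already.

```hcl
# Added example, not from the page. Internal passthrough Network Load
# Balancer: regional health check, regional backend service, regional
# forwarding rule whose internal IP comes from a subnet in the same region.
# Region, names, CIDR and the MIG self link are assumptions.

locals {
  region = "us-central1"
}

variable "mig_instance_group" {
  description = "Self link of the existing managed instance group (assumed to exist)"
  type        = string
}

resource "google_compute_network" "ilb_vpc" {
  name                    = "ilb-demo-vpc"
  auto_create_subnetworks = false
}

# The backends and the forwarding rule's IP both live in this subnet's region.
resource "google_compute_subnetwork" "ilb_backend" {
  name          = "ilb-demo-subnet"
  region        = local.region
  network       = google_compute_network.ilb_vpc.id
  ip_cidr_range = "10.10.0.0/24"
}

# Everything about an internal passthrough LB is regional, including the check.
resource "google_compute_region_health_check" "tcp80" {
  name   = "ilb-demo-hc"
  region = local.region
  tcp_health_check {
    port = 80
  }
}

resource "google_compute_region_backend_service" "ilb" {
  name                  = "ilb-demo-backend"
  region                = local.region
  load_balancing_scheme = "INTERNAL"
  protocol              = "TCP"
  health_checks         = [google_compute_region_health_check.tcp80.id]

  backend {
    group = var.mig_instance_group
  }
}

# The exam point: scheme INTERNAL, no address resource at all, and a
# subnetwork in the backends' region. The internal IP is allocated from that
# subnet (set ip_address to a free address in it if you need a fixed one).
# No SSL certificate and no Cloud NAT are involved; the LB is Layer 4 and
# reachable only from the VPC (and peered/VPN networks that route to it).
resource "google_compute_forwarding_rule" "ilb" {
  name                  = "ilb-demo-fr"
  region                = local.region
  load_balancing_scheme = "INTERNAL"
  ip_protocol           = "TCP"
  ports                 = ["80"]
  network               = google_compute_network.ilb_vpc.id
  subnetwork            = google_compute_subnetwork.ilb_backend.id
  backend_service       = google_compute_region_backend_service.ilb.id
}
```

Without a rule that lets 35.191.0.0/16 and 130.211.0.0/22 reach tcp:80 on the instances, every backend shows as unhealthy and the forwarding rule never passes traffic, which is the failure mode several later questions turn on.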

Question 2 · MCQ · hard

A network engineer sees the above output from a Cloud Router. There are two BGP peers from the on-premises router (10.0.0.1 and 10.0.0.2). Both learned the same route 10.1.0.0/16 from their respective peers. However, traffic from Google Cloud to 10.1.0.0/16 is only going through the first peer (10.0.0.1) and not load-balanced. What could be the reason?

A. The on-premises router is advertising the route with different MED values
B. The on-premises router is advertising the route with different AS_PATH lengths
C. The VPC routing mode is set to 'global'
D. Cloud Router has a limit of one route per prefix
Answer: A

Different MED values prevent ECMP; Cloud Router selects the route with the lower MED.

Why this answer

Option A is correct because BGP uses the MED (Multi-Exit Discriminator) attribute to influence inbound traffic from a neighboring AS. When the on-premises router advertises the same route (10.1.0.0/16) to the Cloud Router via two peers (10.0.0.1 and 10.0.0.2) with different MED values, the Cloud Router will prefer the route with the lower MED value. This causes all traffic to be sent through the peer with the lower MED, preventing load balancing.

By default, Cloud Router does not perform ECMP (Equal-Cost Multi-Path) for BGP routes unless the paths are identical in all BGP path selection criteria, including MED.

Exam trap

The trap here is that candidates often assume BGP automatically load-balances across multiple peers for the same prefix, forgetting that BGP's path selection algorithm picks a single best path unless all attributes (including MED) are equal, and that MED is compared even when AS_PATH lengths are the same.

How to eliminate wrong answers

Option B is wrong because if the on-premises router advertised the route with different AS_PATH lengths, the Cloud Router would prefer the shorter AS_PATH, which would also result in a single preferred path, not load balancing. However, the question states that both peers learned the same route, implying the AS_PATH lengths are likely equal; the issue is specifically about MED. Option C is wrong because the VPC routing mode (global vs. regional) affects how routes are propagated across regions, not how BGP path selection chooses between two peers in the same region.

Option D is wrong because Cloud Router does not have a limit of one route per prefix; it can learn multiple routes for the same prefix from different BGP peers and can perform ECMP if the routes are equal in all BGP selection criteria.

Question 3 · Multi-Select · hard

An organization is configuring Cloud NAT to allow private instances to access the internet. Which three statements about Cloud NAT are correct? (Choose three.)

Select 3 answers
A. Cloud NAT can be configured per subnet or per region.
B. Cloud NAT requires that the VPC has a default route (0.0.0.0/0) to the internet gateway.
C. Cloud NAT automatically assigns external IP addresses to instances.
D. Cloud NAT can be configured with a manual list of NAT IP addresses.
E. Cloud NAT supports both TCP and UDP protocols.
Answers: B, D, E

Without a default route, traffic cannot reach the internet.

Why this answer

Options B, D, and E are correct. Option B: Cloud NAT translates only traffic whose route has the default internet gateway as next hop, so the VPC must have a route for 0.0.0.0/0 (or for the specific destinations) pointing there. Option D: a NAT gateway can use manually reserved static external IPs (MANUAL_ONLY) instead of auto-allocated ones, which is what you want when partners allowlist your egress addresses. Option E: Cloud NAT translates TCP and UDP (and ICMP).

Option A is keyed as incorrect because a Cloud NAT gateway is a regional resource attached to a Cloud Router; which subnets it serves (all primary and secondary ranges in the region, or a named list of subnets and ranges) is a setting on that one regional gateway, not a separate per-subnet gateway. Option C is incorrect because Cloud NAT exists precisely for instances without external IPs: it never assigns an external address to an instance, and traffic from an interface that already has an external IP is not translated at all.

Question 4 · Drag & Drop · medium

Drag and drop the steps to set up a Google Cloud Armor security policy for a backend service into the correct order.


Why this order

Security policy creation involves defining rules, setting default action, and attaching to a backend service. Testing ensures correct enforcement.

Question 5 · Drag & Drop · medium

Drag and drop the steps to troubleshoot a VPN tunnel that is not passing traffic into the correct order.


Why this order

Troubleshooting starts with tunnel status, then BGP, firewall, routing, and finally connectivity tests.

Question 6 · MCQ · medium

An organization has multiple VPC networks and wants to allow traffic between them with fine-grained control over which VMs can communicate. Which solution should they implement?

A. Cloud Interconnect.
B. Shared VPC.
C. VPC peering with firewall rules.
D. Cloud VPN between VPCs.
Answer: C

VPC peering connects networks and firewall rules provide granular control.

Why this answer

VPC peering with firewall rules is the correct solution because it provides direct, private connectivity between two VPC networks while each network's firewall rules decide which specific VMs may communicate (ingress and egress), filtering on source and destination CIDR ranges, network tags, or service accounts. Unlike Shared VPC, which centralizes management of one network across projects, peering keeps the VPCs separate, as the question requires. Firewall rules are evaluated independently in each peered network, so each side keeps control over what it accepts, and peering is non-transitive: a VPC peered with two others does not connect those two to each other.

Exam trap

Google Cloud often tests the misconception that Shared VPC is the solution for inter-VPC traffic. Shared VPC lets several service projects use one VPC network owned by a host project; it does not connect separate VPC networks. VPC Network Peering connects distinct VPCs, and each network's own firewall rules then supply the granular control.

How to eliminate wrong answers

Option A is wrong because Cloud Interconnect provides dedicated, high-bandwidth connectivity between on-premises networks and Google Cloud, not between multiple VPC networks within the same organization. Option B is wrong because Shared VPC allows multiple projects to share a common VPC network but does not enable traffic between separate VPC networks; it centralizes resources into one VPC, which contradicts the requirement of having multiple VPC networks. Option D is wrong because Cloud VPN creates an encrypted tunnel over the public internet, which is typically used for hybrid connectivity (on-premises to VPC) and adds latency and complexity; it is not designed for fine-grained VM-level control between VPCs, and firewall rules still apply but the underlying architecture is less direct than VPC peering.

Question 7 · Drag & Drop · medium

Drag and drop the steps to set up a Cloud Interconnect connection for dedicated on-premises connectivity into the correct order.


Why this order

Cloud Interconnect requires ordering, VLAN attachment, cross-connect, BGP, and verification.

Question 8 · MCQ · medium

An engineer has set up VPC Network Peering between VPC-A and VPC-B. Both VPCs have non-overlapping CIDR ranges. The peering state is ACTIVE. However, instances in VPC-A cannot reach instances in VPC-B. The engineer verified that firewall rules allow the traffic. What should the engineer check next?

A. The subnet routes are exported from VPC-B to VPC-A.
B. The BGP session status on the Cloud Router.
C. The MTU size of the instances.
D. The route tables for the peered network.
Answer: A

Subnet routes must be exported explicitly if default export settings are changed.

Why this answer

Option A is correct. With VPC Network Peering, subnet routes are exchanged automatically and cannot be withheld, with one exception: subnets that use privately used public IP ranges are exported only while export of subnet routes with public IP is enabled on the exporting side, and imported only if the other side enables the matching import. Custom static and dynamic routes are exchanged only when the export and import custom routes settings are on. The engineer should confirm that VPC-B still exports the routes for the subnets in question and that VPC-A imports them, for example with gcloud compute networks peerings list-routes PEERING_NAME --network=vpc-a --region=REGION --direction=INCOMING, which lists what VPC-A actually receives.

Option B is incorrect because VPC Network Peering does not use BGP or Cloud Router. Option C is incorrect because an MTU mismatch causes fragmentation or loss of large packets, not a complete absence of connectivity; small packets still get through. Option D is incorrect because there is no separate route table to edit for a peering; peered routes appear in the network's routing table only as a consequence of the export and import settings.
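Added example for questions 6 and 8 (not part of the page): both directions of a peering between two networks in one project, with every route-exchange flag stated explicitly, plus the firewall rule in VPC-B that actually decides which of its VMs VPC-A may reach. Network names, the VPC-A CIDR and the target tag are assumptions.

```hcl
# Added example, not from the page. Peering becomes ACTIVE only when both
# directions exist. Subnet routes are always exchanged; the *_with_public_ip
# flags affect only subnets that use privately used public IP ranges, and the
# custom-route flags govern static and BGP-learned routes. Names are assumptions.

data "google_compute_network" "vpc_a" {
  name = "vpc-a"   # assumed existing, e.g. 10.20.0.0/16
}

data "google_compute_network" "vpc_b" {
  name = "vpc-b"   # assumed existing, e.g. 10.30.0.0/16
}

resource "google_compute_network_peering" "a_to_b" {
  name                                = "vpc-a-to-vpc-b"
  network                             = data.google_compute_network.vpc_a.self_link
  peer_network                        = data.google_compute_network.vpc_b.self_link
  export_custom_routes                = false
  import_custom_routes                = false
  export_subnet_routes_with_public_ip = true   # provider default; false hides such subnets from VPC-B
  import_subnet_routes_with_public_ip = false  # provider default; true accepts VPC-B's public-IP subnets
}

resource "google_compute_network_peering" "b_to_a" {
  name                                = "vpc-b-to-vpc-a"
  network                             = data.google_compute_network.vpc_b.self_link
  peer_network                        = data.google_compute_network.vpc_a.self_link
  export_custom_routes                = false
  import_custom_routes                = false
  export_subnet_routes_with_public_ip = true
  import_subnet_routes_with_public_ip = false
  depends_on                          = [google_compute_network_peering.a_to_b]
}

# Peering only installs routes. What VPC-A workloads may actually reach in
# VPC-B is decided here, in VPC-B, independently of anything in VPC-A.
resource "google_compute_firewall" "b_allow_api_from_a" {
  name          = "vpc-b-allow-api-from-vpc-a"
  network       = data.google_compute_network.vpc_b.name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["10.20.0.0/16"]   # assumed VPC-A range
  target_tags   = ["api-server"]     # only VMs carrying this tag are reachable
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

If VPC-A cannot reach VPC-B after this is applied, the two things to inspect are the peering flags above (a public-IP subnet with export turned off on the B side simply does not appear in A) and the B-side rule, not anything BGP-related.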

Question 9 · MCQ · easy

A developer wants to deploy a single Compute Engine instance that needs to initiate outbound connections to the internet, but should not have a public IP address. Which GCP networking feature must be configured?

A. Cloud NAT on the subnet or VPC
B. Configure Private Google Access for the subnet
C. Assign a static external IP address to the instance
D. Set up an internal HTTP(S) load balancer
Answer: A

Enables outbound internet access without external IP.

Why this answer

Cloud NAT (Network Address Translation) allows private Compute Engine instances to initiate outbound connections to the internet without assigning them public IP addresses. It translates the instance's private IP to a Cloud NAT external IP address for outbound traffic, while unsolicited inbound connections from the internet are blocked. This is the correct solution because the requirement explicitly states no public IP on the instance, yet outbound internet access is needed.

Exam trap

Google Cloud often tests the distinction between Private Google Access (which only reaches Google APIs) and Cloud NAT (which provides general internet access), causing candidates to confuse the two when the question mentions 'outbound connections to the internet' versus 'access to Google services'.

How to eliminate wrong answers

Option B is wrong because Private Google Access enables instances with only internal IPs to reach Google APIs and services (e.g., Cloud Storage, BigQuery) over Google's private network, not general internet destinations. Option C is wrong because assigning a static external IP address directly contradicts the requirement that the instance should not have a public IP address. Option D is wrong because an internal HTTP(S) load balancer distributes traffic among instances within a VPC using private IPs; it does not provide outbound internet connectivity for instances.

Question 10 · MCQ · medium

A company needs to connect on-premises to Google Cloud with overlapping IP ranges. The on-premises network uses 10.0.0.0/16 and the VPC uses 10.0.0.0/16. What is the best approach?

A. Use Cloud NAT.
B. Use VPC peering.
C. Use Private Google Access.
D. Use Cloud VPN with source NAT on the on-premises side.
Answer: D

Source NAT allows overlapping IPs by translating them.

Why this answer

Cloud VPN carries the traffic, and a NAT device on the on-premises side rewrites the overlapping 10.0.0.0/16 sources into a range the VPC does not use, so the VPC sees non-overlapping addresses; the reverse translation is applied to connections initiated from Google Cloud. Cloud VPN itself does not perform NAT, so the translation has to live on the on-premises device. VPC peering (Option B) is rejected outright when ranges overlap. Cloud NAT (Option A) only translates egress to the internet, not traffic to an on-premises peer. Private Google Access (Option C) only reaches Google APIs and services.

Question 11 · MCQ · medium

A company has a VPC with a firewall rule that allows SSH (tcp:22) from 0.0.0.0/0. They want to restrict SSH access to only the public IP address of their Cloud VPN gateway. How should they modify the firewall rule?

A. Use Cloud Armor to block all SSH except from the VPN IP.
B. Change the source IP range to the VPN gateway's internal IP address.
C. Change the source IP range to the VPN gateway's public IP address.
D. Use IAP Tunneling instead of SSH firewall rules.
Answer: C

Restricts SSH to traffic coming from the VPN gateway.

Why this answer

The rule currently allows SSH from any source (0.0.0.0/0). The keyed fix replaces that range with the specific public address named in the question, because a private address can never be the source of a packet arriving from the internet, so Option B would match nothing. Practitioner caveat: SSH that arrives through a Cloud VPN tunnel is decapsulated before VPC firewall rules see it, so its source is the on-premises host's own address, not the VPN gateway's public IP. In production, scope the rule to the on-premises ranges that legitimately administer the VMs, or move to IAP TCP forwarding; either way remove 0.0.0.0/0.

Exam trap

Google Cloud often tests the misconception that internal IPs can be used as source ranges for internet-originating traffic, leading candidates to choose Option B instead of recognizing that the source IP of the SSH connection is the VPN gateway's public IP.

How to eliminate wrong answers

Option A is wrong because Cloud Armor security policies apply to traffic arriving through Google Cloud load balancers, chiefly HTTP(S); they do not filter SSH arriving directly at a VM. Option B is wrong because the VPN gateway's internal IP address is private and cannot be the source of a packet arriving from the internet; using it would match nothing and block all SSH. Option D is wrong for this question because IAP TCP forwarding is a different access path rather than a change to the existing rule; it is, however, the recommended production design, with the firewall rule allowing tcp:22 only from IAP's range 35.235.240.0/20 and each connection authorized by IAM.

Question 12 · MCQ · medium

You are configuring an SSL Proxy load balancer for HTTPS traffic. The backend service points to an instance group with a self-managed certificate. The load balancer's frontend uses a Google-managed certificate. Clients receive SSL errors indicating certificate mismatch. What is the most likely cause?

A. The SSL policy is configured to require TLS 1.3 only.
B. The domain is not verified for the Google-managed certificate on the frontend.
C. The backend self-managed certificate is not signed by a public CA.
D. The backend service must use a Google-managed certificate as well.
Answer: B

Google-managed certificates are provisioned only once the domain resolves to the load balancer; until then the frontend has no valid certificate for that name and clients see a mismatch.

Why this answer

A Google-managed certificate is provisioned only after the certificate's domains resolve to the load balancer's frontend IP (with Certificate Manager, a DNS authorization record can be used instead). Until that check passes the certificate stays in a provisioning or failed state, the load balancer cannot present a certificate whose Subject Alternative Names cover the hostname clients request, and clients see a certificate-mismatch error. The backend certificate is never shown to clients, so it cannot be the cause.

Exam trap

Google Cloud often tests the distinction between frontend and backend certificate validation, and candidates mistakenly think a backend certificate issue (like not being signed by a public CA) would cause frontend client errors, when in fact the frontend certificate mismatch is caused by domain verification failure for the Google-managed certificate.

How to eliminate wrong answers

Option A is wrong because requiring TLS 1.3 only does not cause a certificate mismatch; it would instead cause handshake failures for clients using older TLS versions. Option C is wrong because a backend self-managed certificate not signed by a public CA would cause backend SSL errors, not frontend client-side certificate mismatch errors. Option D is wrong because the backend service does not need to use a Google-managed certificate; it can use a self-managed certificate, and the frontend certificate mismatch is independent of the backend certificate type.

Question 13 · MCQ · medium

A company uses Cloud NAT for outbound internet access. Engineering notices that some VM instances fail to connect to external services during peak hours. The network engineer suspects port exhaustion. Which action would best mitigate this issue?

A. Change the NAT type from standard to public.
B. Enable TCP keepalive on the NAT gateway.
C. Reduce the number of NAT gateways in the region.
D. Increase the number of NAT IP addresses assigned to the NAT gateway.
Answer: D

More NAT IPs provide additional source ports, alleviating exhaustion.

Why this answer

Port exhaustion occurs when the NAT gateway runs out of source ports to map new outbound connections. Each NAT IP contributes 64,512 source ports (1024 through 65535), so adding NAT IPs multiplies the pool and is the standard mitigation. Two related settings decide how that pool is divided: the minimum ports per VM (default 64) reserves that many ports for every VM, so one gateway can serve at most IPs × 64,512 / min ports VMs, and a single VM's concurrent connections to the same destination address and port are capped by its allocation; dynamic port allocation lets busy VMs grow their allocation. Cloud NAT logging with the ERRORS_ONLY filter records the connections dropped for lack of a port, which is how you confirm exhaustion before adding IPs.

Exam trap

Google Cloud often tests the misconception that reducing NAT gateways or changing NAT type solves port exhaustion, when the actual solution is increasing the number of NAT IP addresses to expand the available port range.

How to eliminate wrong answers

Option A is wrong because changing the NAT type from standard to public is not a valid concept in Cloud NAT; Cloud NAT is always public-facing, and this option reflects a misunderstanding of NAT types. Option B is wrong because TCP keepalive helps maintain idle connections but does not increase the port pool or prevent port exhaustion; it may even delay port release. Option C is wrong because reducing the number of NAT gateways in the region would decrease the total available port capacity, worsening port exhaustion rather than mitigating it.

Question 14 · MCQ · hard

An organization wants to use Shared VPC but restrict access to certain subnets for specific service projects. Which GCP feature should they use?

A. Subnet-level IAM bindings
B. VPC Network Peering
C. VPC Service Perimeters
D. Firewall rules
Answer: A

Allows granular subnet access control for service projects.

Why this answer

Subnet-level IAM bindings allow you to grant roles (e.g., compute.networkUser) on specific subnets within a Shared VPC to service project principals. This restricts access to only those subnets, while the service project can still use the shared network. It is the native GCP mechanism for fine-grained subnet access control in a Shared VPC environment.

Exam trap

The trap here is that candidates confuse VPC Service Perimeters (which control data boundaries for managed services) with subnet-level IAM (which controls compute resource access within a Shared VPC), leading them to pick Option C when the question explicitly asks about restricting access to subnets for service projects.

How to eliminate wrong answers

Option B is wrong because VPC Network Peering connects two separate VPC networks, not a Shared VPC with service projects, and does not support subnet-level access restrictions within a single shared network. Option C is wrong because VPC Service Perimeters (part of VPC Service Controls) restrict data exfiltration from managed services (e.g., BigQuery, Cloud Storage) by defining perimeters around projects, not subnet-level IAM access for compute resources. Option D is wrong because Firewall rules control traffic flow (allow/deny) based on IP addresses, ports, and protocols, but do not control which principals can use or access a subnet; they are not an IAM mechanism.

Question 15 · Drag & Drop · medium

Drag and drop the steps to set up a shared VPC in Google Cloud into the correct order.


Why this order

Shared VPC requires a host project with VPC, then granting access to service projects. Service projects then use the shared subnets.
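Added example for questions 14 and 15 (not part of the page): the host project enables Shared VPC, one service project is attached, and roles/compute.networkUser is granted on one subnet only, so that service project can place resources in that subnet and nowhere else. Project IDs, the project number, region, subnet name and group are assumptions.

```hcl
# Added example, not from the page. Shared VPC host/service attachment with a
# subnet-scoped IAM grant instead of a host-project-wide one. Project IDs,
# number, region, subnet and principals are assumptions.

variable "host_project" {
  default = "net-host-prod"
}

variable "service_project" {
  default = "app-team-a"
}

variable "service_project_number" {
  default = "123456789012"   # numeric project number of app-team-a
}

# Step 1: the project that owns the VPC becomes the Shared VPC host.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project
}

# Step 2: attach the service project to the host.
resource "google_compute_shared_vpc_service_project" "team_a" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project
}

locals {
  # Principals allowed to use team-a-subnet: the team itself and the service
  # project's Google APIs service agent, which Compute Engine acts as when it
  # creates a VM on a shared subnet. Neither can see the host's other subnets.
  team_a_subnet_users = toset([
    "group:team-a-devs@example.com",
    "serviceAccount:${var.service_project_number}@cloudservices.gserviceaccount.com",
  ])
}

# Step 3: grant networkUser on the subnet, not on the host project. A
# project-level binding would make every shared subnet usable by app-team-a.
resource "google_compute_subnetwork_iam_member" "team_a_subnet" {
  for_each   = local.team_a_subnet_users
  project    = var.host_project
  region     = "us-central1"
  subnetwork = "team-a-subnet"   # assumed existing subnet in the host VPC
  role       = "roles/compute.networkUser"
  member     = each.value
  depends_on = [google_compute_shared_vpc_service_project.team_a]
}
```

Firewall rules and VPC Service Controls do not enter into this: they govern packets and API data movement respectively, while the question is about which principals may attach resources to a subnet, which is an IAM decision on the subnet resource.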

Question 16 · MCQ · hard

A company has multiple VPC networks in the same project, each with its own Cloud NAT configuration. They notice that traffic from a VM in VPC-A that has an external IP address is being NATed through the Cloud NAT gateway, but they only want Cloud NAT to be used for VMs without external IPs. What configuration ensures this?

A. Disable the 'send-tosource-ip' flag on the Cloud NAT gateway.
B. Set the network tier of the VM to 'Standard' instead of 'Premium'.
C. Remove any NAT rules that match the source subnet and include external IP addresses; Cloud NAT automatically applies only to VMs without external IPs if not explicitly configured otherwise.
D. Enable Cloud NAT logging to track which VMs are NATed.
Answer: C

Cloud NAT translates only traffic from interfaces that have no external IP; that exclusion is built in and is not a gateway setting.

Why this answer

Option C is the keyed answer because it is the only option that rests on the correct default: Cloud NAT performs source translation only for traffic leaving a network interface that has no external IP address. Practitioner caveat: NAT rules (the gateway's rule list) select which NAT IPs to use for given destinations; they cannot pull interfaces with external IPs into translation, and nothing else in the configuration can either. If a VM really appears to be egressing through the NAT IPs, check that the interface sending the traffic actually has the external IP you think it does (an access config on nic0 does not cover nic1), and use Cloud NAT logging to see which source VM and NAT IP are involved.

Exam trap

The trap here is that candidates assume Cloud NAT NATs every VM in a subnet. An interface with its own external IP always egresses with that address and is never translated, so the scenario points to the VM not having an external IP on the interface in question, not to a gateway setting that needs changing.

How to eliminate wrong answers

Option A is wrong because there is no such flag in Cloud NAT; the fields that govern scope are the gateway's source subnetwork ranges setting (all subnets in the region, or a list) and each listed subnet's source IP ranges, and neither can include interfaces that have external IPs. Option B is wrong because the network tier (Standard vs. Premium) affects the routing path and pricing of egress traffic, but does not influence whether a VM with an external IP is translated.

Option D is wrong as a fix because enabling Cloud NAT logging only provides visibility into which VMs are being translated; it does not change NAT behavior. It is, however, the right first diagnostic step.
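Added example for questions 3, 9, 13 and 16 (not part of the page): a Cloud NAT gateway with manually reserved NAT IPs, scoped to one subnet, with error logging. Region, network and subnet names are assumptions. Instances in that subnet that have their own external IP are never translated, whatever this configuration says; the capacity arithmetic in the comments is the 64,512-ports-per-IP figure the page cites.

```hcl
# Added example, not from the page. Cloud NAT with two manually reserved NAT
# IPs for one subnet, plus logging of dropped connections. Region and names
# are assumptions. A route for 0.0.0.0/0 to the default internet gateway must
# exist in the VPC for any of this to carry traffic.

locals {
  nat_region = "europe-west1"
}

data "google_compute_network" "nat_vpc" {
  name = "prod-vpc"   # assumed existing
}

data "google_compute_subnetwork" "private" {
  name   = "private-subnet"   # assumed existing; VMs here have no external IPs
  region = local.nat_region
}

# Cloud NAT needs a Cloud Router only as a container. No BGP block, no peers.
resource "google_compute_router" "nat_router" {
  name    = "nat-router"
  region  = local.nat_region
  network = data.google_compute_network.nat_vpc.id
}

# Each NAT IP contributes 64,512 source ports. With the default 64 minimum
# ports per VM, two IPs serve at most 2 * 64512 / 64 = 2016 VMs. Raising
# count is the fix for port exhaustion; reserving the addresses (rather than
# AUTO_ONLY) keeps them stable so partners can allowlist them.
resource "google_compute_address" "nat" {
  count  = 2
  name   = "nat-ip-${count.index}"
  region = local.nat_region
}

resource "google_compute_router_nat" "prod" {
  name                               = "prod-nat"
  router                             = google_compute_router.nat_router.name
  region                             = local.nat_region
  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = google_compute_address.nat[*].self_link
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  # Only this subnet is translated; other subnets in the region are untouched.
  # Interfaces with an external IP are excluded by Cloud NAT itself.
  subnetwork {
    name                    = data.google_compute_subnetwork.private.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # Default; raise it for VMs that open many flows to one destination:port,
  # at the cost of fewer VMs per NAT IP.
  min_ports_per_vm = 64

  # ERRORS_ONLY records connections dropped because no source port was free,
  # which is the evidence to collect before adding another NAT IP.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```

Cloud NAT translates TCP, UDP and ICMP here without any per-protocol setting; there is no "standard vs. public" NAT type, and fewer gateways would only shrink the pool.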

Question 17 · MCQ · hard

A GCP environment has a VPC with a subnet that enables Private Google Access. Instances in that subnet can access Google APIs without external IPs. However, an instance cannot reach storage.googleapis.com from a private IP. Cloud NAT is configured for the subnet. What is the most likely reason for the failure?

A. The instance does not have a DNS resolution for storage.googleapis.com.
B. The subnet's Private Google Access is enabled, but Cloud NAT is also routing traffic to Google APIs via NAT, bypassing the internal access.
C. The VPC does not have a default route to the internet.
D. The instance does not have a firewall rule allowing egress to 199.36.153.4/30.
Answer: B

Keyed rationale: the item treats the Cloud NAT path as shadowing Private Google Access. Practitioner caveat: Cloud NAT never translates traffic to Google APIs and services, so the two features coexist; Private Google Access needs a route to the default internet gateway covering the API addresses (the default 0.0.0.0/0 route, or 199.36.153.4/30 for restricted.googleapis.com), plus egress firewall rules that permit it.

Why this answer

Option B is the keyed answer: the exam's model is that a default route resolved through Cloud NAT overrides the path Private Google Access would take, so the fix is to make sure the Google API destinations are reached via a route whose next hop is the default internet gateway. In a real environment, treat this as a checklist rather than a root cause. Cloud NAT does not apply to Google API destinations at all, so if storage.googleapis.com is unreachable from an internal-only instance, verify in order: the subnet really has Private Google Access enabled; a route to the default internet gateway exists for the API range in use (0.0.0.0/0, or 199.36.153.4/30 if you use restricted.googleapis.com); no egress firewall rule denies tcp:443 to that range (Option D); and DNS resolves the name (Option A), especially when a private zone for googleapis.com is in place.

Option B is the keyed choice; in practice Options C, D and A describe the checks that most often find the fault.

Question 18 · Multi-Select · hard

Which THREE actions are required to configure a High-Availability Cloud VPN (HA VPN) with dynamic routing to an on-premises peer?

Select 3 answers
A. Create two VPN tunnels, each associated with a different Cloud VPN gateway interface
B. Create two separate Cloud Routers, one for each tunnel
C. Allocate two external IP addresses for the Cloud VPN gateway
D. Create a Cloud Router in the same region as the VPN gateway
E. Configure static routes for the remote network in the VPC
Answers: A, C, D

Two tunnels on the two gateway interfaces, one Cloud Router in the gateway's region, and BGP sessions on both tunnels.

Why this answer

Option A is correct because HA VPN requires two tunnels, each attached to a different interface of the Cloud VPN gateway, to provide redundancy and failover; the 99.99% SLA also requires the on-premises side to present two peer addresses. Option C is correct in the sense that the gateway has two interfaces with two distinct external IPs; note that these are assigned automatically when the HA VPN gateway is created, not reserved by you as static addresses. Option D is correct because dynamic routing means BGP, and the BGP sessions for both tunnels run on a single Cloud Router that must be in the same region as the VPN gateway.

Exam trap

Google Cloud often tests the misconception that you need separate Cloud Routers for each tunnel, but HA VPN uses a single Cloud Router to manage BGP sessions for both tunnels, and static routes are not used with dynamic routing.
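Added example for question 18 (not part of the page): HA VPN with dynamic routing in Terraform. Region, network name, peer addresses (RFC 5737 documentation range), ASNs, link-local ranges and the shared-secret variable are assumptions. Note what is and is not created: one HA VPN gateway whose two interfaces receive external IPs automatically, one Cloud Router, two tunnels, two BGP sessions, and no static routes.

```hcl
# Added example, not from the page. HA VPN to a two-address on-premises
# device: one gateway (two interfaces), ONE Cloud Router, two tunnels, two
# BGP sessions. Addresses, ASNs and names are assumptions.

locals {
  vpn_region = "us-east1"
}

data "google_compute_network" "vpn_vpc" {
  name = "prod-vpc"   # assumed existing
}

# The two interface IPs are assigned by Google on creation; nothing to reserve.
resource "google_compute_ha_vpn_gateway" "gw" {
  name    = "ha-vpn-gw"
  region  = local.vpn_region
  network = data.google_compute_network.vpn_vpc.id
}

# Describe the on-premises side. Two peer IPs is what earns the 99.99% SLA.
resource "google_compute_external_vpn_gateway" "onprem" {
  name            = "onprem-gw"
  redundancy_type = "TWO_IPS_REDUNDANCY"
  interface {
    id         = 0
    ip_address = "203.0.113.10"   # RFC 5737 documentation address
  }
  interface {
    id         = 1
    ip_address = "203.0.113.11"
  }
}

# A single Cloud Router, same region as the gateway, carries both sessions.
resource "google_compute_router" "vpn_router" {
  name    = "ha-vpn-router"
  region  = local.vpn_region
  network = data.google_compute_network.vpn_vpc.id
  bgp {
    asn = 64514   # private ASN used on the Google side
  }
}

variable "shared_secret" {
  type      = string
  sensitive = true   # supply via TF_VAR_shared_secret, never commit it
}

# Tunnel 0 rides gateway interface 0 to peer interface 0; tunnel 1 likewise.
resource "google_compute_vpn_tunnel" "t" {
  count                           = 2
  name                            = "ha-vpn-tunnel-${count.index}"
  region                          = local.vpn_region
  vpn_gateway                     = google_compute_ha_vpn_gateway.gw.id
  vpn_gateway_interface           = count.index
  peer_external_gateway           = google_compute_external_vpn_gateway.onprem.id
  peer_external_gateway_interface = count.index
  shared_secret                   = var.shared_secret
  router                          = google_compute_router.vpn_router.id
  ike_version                     = 2
}

# One link-local /30 per BGP session: Cloud Router takes .1, the peer .2.
resource "google_compute_router_interface" "if" {
  count      = 2
  name       = "if-tunnel-${count.index}"
  router     = google_compute_router.vpn_router.name
  region     = local.vpn_region
  ip_range   = "169.254.${count.index}.1/30"
  vpn_tunnel = google_compute_vpn_tunnel.t[count.index].name
}

# Equal advertised_route_priority (MED) on both sessions lets the on-premises
# router ECMP toward Google; unequal values would pin it to one tunnel.
resource "google_compute_router_peer" "peer" {
  count                     = 2
  name                      = "peer-tunnel-${count.index}"
  router                    = google_compute_router.vpn_router.name
  region                    = local.vpn_region
  interface                 = google_compute_router_interface.if[count.index].name
  peer_ip_address           = "169.254.${count.index}.2"
  peer_asn                  = 65010
  advertised_route_priority = 100
}
```

The remote prefixes arrive as dynamic routes learned over BGP, so no static route for the on-premises network is configured; if the on-premises side sends different MEDs on the two sessions, Cloud Router installs the lower-MED path only, which is the behaviour question 2 describes from the other direction.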

Question 19 · MCQ · easy

A company has deployed an HTTP load balancer with a backend service configured to use an unmanaged instance group. Users report that traffic is not reaching the backend instances. The backend instances are healthy and have proper firewall rules allowing traffic from the load balancer. What step should the network engineer take to resolve the issue?

A. Configure a firewall rule to allow health check probes from the load balancer's health check ranges.
B. Enable HTTP health check on the backend service.
C. Assign an external IP address to each backend instance.
D. Add a route for the load balancer's IP range.
Answer: A

Health check probes must be permitted by firewall rules to validate backend health.

Why this answer

The most likely issue is that firewall rules are not allowing health check probes from the load balancer's health check ranges (35.191.0.0/16 and 130.211.0.0/22). Option A is correct because until probes are answered the load balancer marks every backend unhealthy and sends it no traffic, even though the application itself is fine; "healthy" in the question means the application, not the load balancer's view. Option B is not needed if a health check is already configured on the backend service. Option C is unnecessary because an external HTTP(S) load balancer reaches backends on their internal IPs; giving them external IPs widens the attack surface for no benefit. Option D is wrong because the load balancer's address is not something VPC routes point at; return traffic to the proxy needs no custom route.

Question 20 · Multi-Select · hard

A company is using Cloud NAT to allow private instances to access the internet. They notice that some instances are not able to reach certain external services. Which THREE steps should they take to troubleshoot?

Select 3 answers
A. Check if the external service is blocking the Cloud NAT IP addresses.
B. Verify that the VPC firewall rules allow egress traffic from the instances.
C. Ensure that the VPC has a default route to the internet gateway.
D. Verify that the Cloud Router associated with Cloud NAT is healthy and has established BGP sessions.
E. Check the DNS resolution for the external service.
Answers: A, B, D

Some external services may block specific IP ranges, including NAT IPs.

Why this answer

Option A is correct because Cloud NAT uses a fixed set of public IP addresses for outbound traffic. If the external service blocks those addresses, or rate-limits them because many instances now share them, the instances cannot reach it; checking for IP-based blocking is a standard first step when a NAT gateway is in the path. Option B is correct because egress, although allowed by the implied rule, can be denied by a higher-priority egress rule matching the destination or port, and that often affects only some instances (those carrying a particular tag or service account). Option D is keyed as correct; the practitioner caveat is that the Cloud Router that hosts a Cloud NAT gateway needs no BGP sessions for NAT to work, so the useful checks on it are the NAT gateway's status and its logs (Cloud NAT logging with the ERRORS_ONLY filter records connections dropped because no source port was free, the usual cause of intermittent failures for some instances). Option C describes a real prerequisite of Cloud NAT as well, and Option E matters only when the failure is a name-resolution error rather than a connection timeout.

Exam trap

Google Cloud often tests the misconception that DNS resolution is the primary cause of connectivity failures to external services, when in fact the issue is often at the network layer (e.g., IP blocking or firewall rules) rather than the application layer.

Question 21 · Matching · medium

Match each VPC firewall rule component to its description.

The concepts to match are the five fields of a VPC firewall rule:

Priority: Determines rule evaluation order (lower number = higher priority)

Direction: Specifies ingress or egress traffic

Action: Allow or deny matching traffic

Source/destination filter: Specifies IP ranges or tags for traffic filtering

Target: Selects VM instances to apply the rule

Why these pairings

These are the key fields when defining VPC firewall rules. Two evaluation details matter in practice: when two matching rules share a priority, the deny rule takes precedence, and the implied rules (allow all egress, deny all ingress) sit at the lowest priority, 65535, so any explicit rule overrides them.

Question 22 · MCQ · medium

Your organization has an internal HTTP load balancer (ILB) in us-central1. The backend service is a managed instance group with a health check on port 8080. Recently, some instances are reported as unhealthy despite the application running fine. What is the most likely cause?

A. The health check firewall rule is configured for the same source range as the VPC internal traffic.
B. The internal load balancer is using a proxy protocol which changes the health check source IP.
C. The firewall rule allowing health check probes does not include the required source IP ranges (e.g., 35.191.0.0/16).
D. The instances are preemptible and become unhealthy after 24 hours.
Answer: C

Health check probes come from Google's probe IPs, not from within the VPC.

Why this answer

Option C is correct because the firewall rule for health check sources must allow traffic from Google's health check ranges (35.191.0.0/16 and 130.211.0.0/22) on the health check port, here tcp:8080. A rule that only admits the VPC's own CIDR never matches a probe, so the backend is marked unhealthy although the application answers fine. For an internal Application Load Balancer the data path itself comes from the proxy-only subnet, so that range must be allowed as well; it does not replace the probe ranges. Option B is wrong because the load balancer does not alter the health check source addresses.

Option D is wrong because preemptible VMs stay healthy as long as the application answers; their 24-hour lifetime causes termination, not failed probes. Option A is wrong because a rule scoped to VPC-internal source ranges excludes the probe ranges; the health check rule must name them explicitly.

Question 23 · MCQ · medium

A company uses a shared VPC with multiple service projects. They want to connect their on-premises data center to the shared VPC through a Dedicated Interconnect. Where should they configure the Cloud Router and VLAN attachment?

A. In the same region as the majority of service project instances
B. In the host project of the shared VPC
C. In a global resource policy, cross-project
D. In the service project that will use the connectivity
Answer: B

Host project manages networking for all service projects.

Why this answer

In a shared VPC architecture, the Cloud Router and VLAN attachment for Dedicated Interconnect must be configured in the host project because the host project owns the VPC network and manages all network resources, including interconnect attachments. Service projects consume subnets from the host project but cannot create or manage interconnect resources. This ensures that the on-premises connectivity is centrally managed and that all service projects can use the interconnect through the shared VPC's routing.

Exam trap

Google Cloud often tests the misconception that interconnect resources can be configured in a service project because the service project uses the VPC, but in reality, the host project owns the VPC and all network-level resources like Cloud Routers and VLAN attachments must be created there.

How to eliminate wrong answers

Option A is wrong because the question asks where, not in which region: both the Cloud Router and the VLAN attachment live in the host project. They are regional resources that must share a region, and that region is chosen for proximity to the workloads that will use the link and to the colocation facility where the Dedicated Interconnect terminates (the Interconnect itself belongs to a metro location, not to a region), not by counting service-project instances. Option C is wrong because there is no 'global resource policy, cross-project' for interconnect configuration; Cloud Routers and VLAN attachments are project-scoped, and cross-project use is achieved through the Shared VPC host project owning them. Option D is wrong because service projects do not own the VPC network and cannot create Cloud Routers or VLAN attachments on it; the connectivity they get comes from the host project's routing.

Question 24 · MCQ · easy

A company wants to restrict SSH access to a VM instance to only a specific subnet (10.0.1.0/24) and allow all traffic from the health check ranges (130.211.0.0/22 and 35.191.0.0/16) for load balancing. Which firewall rule configuration should be used for the SSH rule?

A. Create a rule allowing SSH from 0.0.0.0/0 and apply a tag to the VM.
B. Create a rule allowing SSH from 10.0.1.0/24 and another rule allowing SSH from health check ranges.
C. Create a rule with source ranges 10.0.1.0/24, 130.211.0.0/22, 35.191.0.0/16, protocol tcp:22, and target tag 'ssh-allowed'.
D. Create a rule allowing SSH only from health check ranges and deny all other traffic.
Answer: C

This rule correctly restricts SSH to the subnet and health check ranges.

Why this answer

Option C is correct because a single firewall rule can carry several source ranges and a target tag at once: source ranges 10.0.1.0/24, 130.211.0.0/22 and 35.191.0.0/16, protocol tcp:22, and target tag 'ssh-allowed' applied to the VM. No special priority is needed unless another rule with a numerically lower (higher-precedence) priority would deny the same traffic first.

Option A is wrong because allowing SSH from 0.0.0.0/0 exposes port 22 to the entire internet, and the tag does nothing to narrow the source. Option B is not the single rule the question asks for; it splits into two rules what one rule expresses, which is more to audit for no gain. Option D is wrong because it permits SSH only from the health check ranges and excludes the 10.0.1.0/24 subnet that actually needs access.

25
MCQhard

Company A and Company B both have networks in Google Cloud. They want to connect their VPCs using VPC peering, but they have overlapping IP addresses. How can they resolve this?

A.Use Cloud VPN to establish connectivity between the VPCs, as VPC peering cannot handle overlapping IPs.
B.Configure Private Service Connect to connect the VPCs.
C.Configure VPC peering with custom route exchange to exclude the overlapping subnets.
D.Use Dedicated Interconnect to connect the VPCs through a central router.
AnswerA

Cloud VPN does not translate addresses itself, but it is the only listed option that can carry traffic between overlapping networks once one side is NATed (for example by a NAT appliance in one VPC) or, with Classic VPN, once traffic selectors restrict the tunnel to the non-overlapping parts.

Why this answer

VPC Network Peering refuses to establish when any subnet ranges overlap, and there is no 'custom route exchange' option that excludes subnets: subnet routes are always exchanged, and the custom route import/export setting only controls static and dynamic routes. Private Service Connect (B) exposes a single published service, not general VPC-to-VPC connectivity, and Dedicated Interconnect (D) links on-premises networks to Google Cloud, not VPCs to each other. That leaves Cloud VPN (A), combined with address translation performed outside the VPN itself or with traffic selectors that exclude the overlapping ranges. Renumbering one side is the cleaner long-term fix.

26
MCQmedium

A company wants to protect their application behind an external HTTP(S) load balancer from SQL injection attacks. Which Cloud Armor feature should be used?

A.IP allowlist/denylist
B.Pre-configured WAF rules
C.Named IP address lists
D.Rate limiting
AnswerB

WAF rules include signatures for SQL injection and other common web attacks.

Why this answer

Pre-configured WAF rules in Cloud Armor include a SQL injection (SQLi) rule set, derived from the OWASP ModSecurity Core Rule Set, that inspects HTTP(S) request URIs, headers and bodies for SQL injection patterns and blocks matching requests, which directly addresses the requirement for an application behind an external HTTP(S) load balancer. In practice the rule is tuned by sensitivity level and is best deployed in preview mode first, so that matches are logged without being enforced until false positives have been reviewed.

Exam trap

Google Cloud often tests the misconception that IP-based controls (allowlist/denylist or named IP lists) can protect against application-layer attacks like SQL injection, but these features operate at Layer 3/4 and cannot inspect HTTP payloads.

How to eliminate wrong answers

Option A is wrong because IP allowlist/denylist only controls access based on source IP addresses and cannot inspect application-layer payloads for SQL injection patterns. Option C is wrong because Named IP address lists are simply a way to group IP addresses for use in firewall rules or allowlist/denylist policies, not a mechanism for content inspection. Option D is wrong because Rate limiting only restricts the number of requests from a client over a time window and does not analyze request content for SQL injection signatures.
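An added example, not part of the original question set: the Cloud Armor policy that applies the preconfigured SQLi rule and attaches it to the backend service of an external HTTP(S) load balancer, written as Terraform for the google provider. The policy name, backend names and the instance group variable are assumptions; the sensitivity levels are the documented 1 to 4 scale.

```hcl
# Added example, not from the page: Cloud Armor policy with the
# preconfigured SQL injection WAF rule. Names, the backend instance
# group and the chosen sensitivity levels are assumptions.

resource "google_compute_security_policy" "web_waf" {
  name        = "web-waf"
  description = "Edge WAF: SQLi signatures that IP allow/deny lists cannot provide"

  # Enforced rule: CRS 3.3 SQLi signatures at the lowest sensitivity
  # (fewest false positives). Lower priority number = evaluated first.
  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "Block SQL injection (preconfigured WAF rule)"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  # Stricter sensitivity staged in preview: matches are logged, not
  # enforced, so false positives can be reviewed before promoting it.
  rule {
    action      = "deny(403)"
    priority    = 1100
    description = "SQLi sensitivity 3, preview only"
    preview     = true
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 3})"
      }
    }
  }

  # Mandatory default rule at the lowest precedence.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default: allow anything not matched above"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

resource "google_compute_health_check" "web" {
  name = "web-hc"
  http_health_check {
    port = 80
  }
}

# Assumed to exist: the MIG instance group behind the load balancer.
variable "web_instance_group" {
  description = "Self link of the managed instance group's instance group"
  type        = string
}

# The policy does nothing until it is attached to the backend service.
resource "google_compute_backend_service" "web" {
  name            = "web-backend"
  protocol        = "HTTP"
  port_name       = "http"
  timeout_sec     = 30
  health_checks   = [google_compute_health_check.web.id]
  security_policy = google_compute_security_policy.web_waf.id

  backend {
    group = var.web_instance_group
  }
}
```

The preview rule is the practitioner's safety valve: Cloud Armor logs every request the rule would have denied, so the higher sensitivity can be promoted to an enforced rule only after the logs show an acceptable false-positive rate.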

27
Multi-Selectmedium

A company is planning to connect multiple VPCs in different regions to their on-premises network using a single Dedicated Interconnect. Which TWO configurations are required to achieve this?

Select 2 answers
A.Create a single Cloud Router for all VPCs
B.Set up Cloud VPN tunnels for regional connectivity
C.Create a Cloud Router in each VPC
D.Use a global VLAN attachment
E.Provision a separate VLAN attachment for each VPC
AnswersC, E

Each VPC needs its own Cloud Router for its BGP session, and each Cloud Router needs its own VLAN attachment on the shared connection.

Why this answer

Option C is correct because each VPC requires its own Cloud Router to run BGP: a Cloud Router belongs to exactly one VPC network (and one region) and manages the BGP sessions and learned routes for that network only. Option E is correct for the same reason on the attachment side: a VLAN attachment is bound to one Cloud Router, and therefore to one VPC, so a single Dedicated Interconnect connection carries one VLAN attachment (with its own 802.1Q tag) per VPC that needs to use it. Options A and D are wrong because neither a Cloud Router nor a VLAN attachment can span VPCs, and attachments are regional, not global; option B is wrong because Cloud VPN is a separate product and is not part of an Interconnect configuration.

Exam trap

Google Cloud often tests the misconception that a single Cloud Router or global VLAN attachment can serve multiple VPCs across regions, but in reality, each VPC requires its own regional Cloud Router and VLAN attachment for Dedicated Interconnect.

28
MCQmedium

Refer to the exhibit. A DNS managed zone is configured with private visibility and associated with a VPC network. A Compute Engine instance in a different VPC network tries to resolve 'test.example.com' but fails. What is the most likely reason?

A.The zone is not set as authoritative for example.com.
B.The Cloud DNS name servers are not reachable from the instance.
C.The instance's VPC is not in the list of authorized networks.
D.The instance does not have the required IAM permissions.
AnswerC

The zone only answers queries from the VPC it is associated with (vpc1 in the exhibit); other VPCs are not authorized.

Why this answer

Private zones only respond to queries that arrive from the VPC networks listed in their private visibility configuration. The instance is in a different VPC, so its queries are answered from the public DNS hierarchy instead and 'test.example.com' is not found. The fix is to add the instance's VPC network to the zone's authorized networks, or to create a DNS peering zone in that VPC that targets the zone's VPC. It is also worth confirming that the instance resolves through the metadata server (169.254.169.254), since private zones are only served through it.
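An added example, not part of the original question set: a private Cloud DNS zone authorized for both VPCs, written as Terraform for the google provider. Network and zone names and the A record's address are assumptions.

```hcl
# Added example, not from the page: a private zone authorized for two
# VPCs. Network names, zone name and the record value are assumptions.

resource "google_compute_network" "vpc1" {
  name                    = "vpc1"
  auto_create_subnetworks = false
}

resource "google_compute_network" "vpc2" {
  name                    = "vpc2"
  auto_create_subnetworks = false
}

resource "google_dns_managed_zone" "example_private" {
  name        = "example-private"
  dns_name    = "example.com."
  description = "Answers only queries arriving from the VPCs listed below"
  visibility  = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.vpc1.id
    }
    # The fix for the scenario: without this entry, instances in vpc2
    # get no answer for test.example.com from this zone.
    networks {
      network_url = google_compute_network.vpc2.id
    }
  }
}

resource "google_dns_record_set" "test" {
  managed_zone = google_dns_managed_zone.example_private.name
  name         = "test.example.com."
  type         = "A"
  ttl          = 300
  rrdatas      = ["10.0.1.10"] # constructed value for the example
}
```

When the zone belongs to another project and cannot be edited, the equivalent from vpc2's side is a peering zone for example.com. whose peering_config targets vpc1; the two approaches are alternatives, since a network cannot hold two private zones for the same name.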

29
MCQmedium

Refer to the exhibit. You have two VPCs, vpc-a and vpc-b, with VPC peering configured and custom route import/export enabled. An instance in subnet-a (10.0.1.2) cannot ping an instance in subnet-b (10.0.2.2) using internal IP. Firewall rules are default (deny all ingress). What is the required action?

A.Add a firewall rule allowing ICMP from 10.0.1.0/24 to 10.0.2.0/24.
B.Add a static route for the peer range.
C.Enable Private Google Access.
D.Create a Cloud VPN tunnel.
AnswerA

This rule allows the ping traffic between the subnets.

Why this answer

Even with peering, firewall rules are needed to allow traffic: peering exchanges routes, not permissions. The implied deny-all ingress rule in vpc-b drops the ICMP echo request, so an ingress rule in vpc-b (the destination network) that allows ICMP from 10.0.1.0/24 is required; the reply is return traffic of an established connection and needs no separate rule in vpc-a.

30
Multi-Selecteasy

Which TWO are necessary components for setting up Dedicated Interconnect? (Choose two.)

Select 2 answers
A.A Cloud VPN tunnel for management traffic
B.A QoS policy to ensure bandwidth guarantee
C.A Cloud Router in the same region as the VLAN attachment
D.Two physical interconnect connections for redundancy
E.A VLAN attachment mapped to a VPC
AnswersC, E

Cloud Router handles BGP routing for the interconnect.

Why this answer

A Cloud Router is required in the same region as the VLAN attachment to enable dynamic routing (BGP) between your on-premises network and Google Cloud VPC. The VLAN attachment must be mapped to a VPC to define which VPC network the interconnect circuit connects to, allowing traffic to flow between your on-premises network and Google Cloud resources.

Exam trap

Google Cloud often tests the misconception that Dedicated Interconnect requires a VPN tunnel for management or redundancy, when in fact the VPN tunnel is a separate service for encrypted connectivity and is not a component of Dedicated Interconnect setup.
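An added example, not part of the original question set, covering the Shared VPC question earlier on this page (resources in the host project), the multi-VPC question (one Cloud Router and one VLAN attachment per VPC) and this one. It is Terraform for the google provider; the host project ID, interconnect name, VPC names and the on-premises ASN are assumptions.

```hcl
# Added example, not from the page: host-project Cloud Routers, VLAN
# attachments and BGP peers for two VPCs sharing one Dedicated
# Interconnect. Project ID, interconnect, VPC names and the on-premises
# ASN are assumptions.

locals {
  host_project = "net-host"
  interconnect = "projects/net-host/global/interconnects/ic-lax-zone1-1"
  onprem_asn   = 65001

  # One Cloud Router and one VLAN attachment (distinct 802.1Q tag) per VPC.
  vpcs = {
    prod = { network = "vpc-prod", region = "us-west2", vlan = 100 }
    dev  = { network = "vpc-dev", region = "us-west2", vlan = 101 }
  }
}

resource "google_compute_router" "ic" {
  for_each = local.vpcs
  project  = local.host_project
  name     = "cr-ic-${each.key}"
  region   = each.value.region
  network  = each.value.network

  bgp {
    asn = 16550 # required Google ASN for Dedicated Interconnect BGP sessions
  }
}

resource "google_compute_interconnect_attachment" "ic" {
  for_each      = local.vpcs
  project       = local.host_project
  name          = "att-${each.key}"
  region        = each.value.region
  type          = "DEDICATED"
  interconnect  = local.interconnect
  router        = google_compute_router.ic[each.key].id
  vlan_tag8021q = each.value.vlan
  bandwidth     = "BPS_10G"
}

# Google allocates the link-local /29 for a Dedicated attachment; the
# router interface and the peer must use those addresses.
resource "google_compute_router_interface" "ic" {
  for_each                = local.vpcs
  project                 = local.host_project
  name                    = "if-${each.key}"
  region                  = each.value.region
  router                  = google_compute_router.ic[each.key].name
  interconnect_attachment = google_compute_interconnect_attachment.ic[each.key].name
  ip_range                = google_compute_interconnect_attachment.ic[each.key].cloud_router_ip_address
}

resource "google_compute_router_peer" "ic" {
  for_each                  = local.vpcs
  project                   = local.host_project
  name                      = "peer-${each.key}"
  region                    = each.value.region
  router                    = google_compute_router.ic[each.key].name
  interface                 = google_compute_router_interface.ic[each.key].name
  peer_ip_address           = split("/", google_compute_interconnect_attachment.ic[each.key].customer_router_ip_address)[0]
  peer_asn                  = local.onprem_asn
  advertised_route_priority = 100
}
```

Every resource carries project = local.host_project because the network is owned there; a service project has no network to attach these to. The example shows a single connection, which is the minimum that works, not the minimum that carries an SLA: the 99.99% topology needs redundant connections in two metropolitan areas terminating on Cloud Routers in two regions.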

31
MCQhard

A large multinational corporation uses a Shared VPC in Google Cloud with multiple service projects. They have a central Cloud NAT configured in the host project in the us-central1 region to provide internet egress for all VMs. Recently, the IT team added a new subnet (10.0.10.0/24) in a service project and deployed VMs there. All other VMs in the same project but in different subnets (e.g., 10.0.1.0/24) can reach the internet, but the new VMs in 10.0.10.0/24 cannot. The Cloud NAT gateway is configured in us-central1 with all IP ranges allowed. The VPC firewall rules allow egress traffic to the internet. The team verified that the VMs have a default route (0.0.0.0/0) with next-hop 'default-internet-gateway' and that the Cloud NAT router's NAT IPs are properly assigned. However, the new subnet's VMs are unable to connect to any external IP. The network engineer suspects that the Cloud NAT's NAT reservations might be the issue, but all NAT IPs are ephemeral. Further investigation shows that the Cloud Router used by Cloud NAT is advertising custom IP ranges via BGP to an on-premises router for a different use case. What is the most likely cause and solution?

A.Remove the new subnet range (10.0.10.0/24) from the custom advertised routes on the Cloud Router associated with the Cloud NAT.
B.Add a static route for 0.0.0.0/0 with next-hop set to the Cloud NAT gateway's IP address in the VPC.
C.Update the VPC firewall rules to explicitly allow egress traffic from the new subnet's IP range to 0.0.0.0/0.
D.Reserve static NAT IPs for the new subnet in the Cloud NAT configuration to ensure that the VMs have a consistent egress IP.
AnswerA

A route learned over BGP from the on-premises router is being preferred for that subnet's internet-bound traffic, so the packets never leave through the default internet gateway and Cloud NAT never sees them.

Why this answer

Cloud NAT only translates packets whose selected route has the default internet gateway as its next hop. The Cloud Router used by Cloud NAT is also advertising custom IP ranges over BGP to an on-premises router. If the new subnet (10.0.10.0/24) was added to those custom advertisements, the on-premises side now has a reason to route for that subnet, and a BGP-learned route covering internet-bound destinations (a learned default route, or a prefix more specific than 0.0.0.0/0) with better precedence than the VPC's default route pulls the new subnet's egress toward on-premises. The on-premises router has no internet path, so the traffic is blackholed.

Removing the subnet range from the custom advertised routes on the Cloud Router, and making sure no learned route covering internet destinations outranks the default route, restores the default internet gateway as the selected next hop, which is the only path Cloud NAT translates. A quick check is to compare the learned routes in the output of gcloud compute routers get-status for that router against the VPC's routes for a destination the new VMs cannot reach.

Exam trap

The trap here is that candidates often focus on Cloud NAT configuration or firewall rules, overlooking how BGP custom route advertisements from the Cloud Router can inject more specific routes that override the default route and cause asymmetric routing or blackholing.

How to eliminate wrong answers

Option B is wrong because adding a static route for 0.0.0.0/0 with next-hop set to the Cloud NAT gateway's IP address is not a valid configuration; Cloud NAT is not a next-hop target, and the default route already exists with next-hop 'default-internet-gateway'. Option C is wrong because the VPC firewall rules already allow egress traffic to the internet, and the issue is not firewall-related; the problem is a routing conflict caused by BGP advertisements. Option D is wrong because reserving static NAT IPs would not fix the routing issue; the Cloud NAT is already using ephemeral IPs and the problem stems from the Cloud Router's BGP advertisements overriding the default route for the new subnet.

32
MCQeasy

You are a cloud network engineer for a company that runs a web application on Compute Engine instances in a managed instance group (MIG) behind an external HTTP(S) load balancer. The backend instances are in a subnet with CIDR 10.0.2.0/24 and are tagged 'web-backend'. The health checks are configured to use TCP port 80. Recently, the security team added new firewall rules to restrict traffic, and now the health checks are failing. The current firewall rules (in order of priority) are: 1. Priority 100: Deny ingress from 0.0.0.0/0 to all instances (deny-all). 2. Priority 200: Allow ingress from 130.211.0.0/22 and 35.191.0.0/16 to instances with tag 'health-checked' on TCP port 80. 3. Priority 300: Allow ingress from 0.0.0.0/0 to instances with tag 'web-backend' on TCP port 80. The MIG instances are tagged 'web-backend' but not 'health-checked'. The health checks are failing. What is the most efficient course of action to fix the health checks while maintaining security?

A.Change the priority 300 rule to allow from 0.0.0.0/0 to instances with tag 'health-checked' on TCP port 80.
B.Add a new ingress firewall rule with priority 150 that allows traffic from 130.211.0.0/22 and 35.191.0.0/16 to instances with tag 'web-backend' on TCP port 80.
C.Delete the deny-all rule (priority 100) because it is blocking health checks.
D.Modify the existing priority 200 rule to set target tags to 'web-backend' instead of 'health-checked'.
AnswerD

This directly fixes the issue by allowing health checks to the MIG instances without creating an additional rule, maintaining the security posture.

Why this answer

The health check probes originate from Google's health checker ranges (130.211.0.0/22 and 35.191.0.0/16) and must be allowed in to the instances. The priority 200 rule already names those ranges and TCP port 80 but targets the tag 'health-checked', which the MIG instances do not carry; they are tagged 'web-backend'. Changing that rule's target tag to 'web-backend' is the smallest change that admits the probes. One caveat the scenario glosses over: in Google Cloud a numerically lower priority is evaluated first, and there is no 'more specific wins' logic, so a deny-all rule at priority 100 would shadow every allow rule at 200 or 300 and block the web traffic as well. For the intended design the deny-all must sit at a numerically higher value than the allow rules (for example 65000, just above the implied 65535 deny); with that ordering in place, fixing the target tag on the health check rule is all that is needed.

Exam trap

Google Cloud often tests the misconception that you must create a new firewall rule or delete the deny-all rule, rather than simply modifying the target tags of an existing allow rule that already has the correct source IP ranges and protocol.

How to eliminate wrong answers

Option A is wrong because changing the priority 300 rule to target 'health-checked' would allow all internet traffic (0.0.0.0/0) to instances tagged 'health-checked', which does not exist on the MIG instances and would not fix the health check failure; it also unnecessarily opens broad access. Option B is wrong because adding a new rule at priority 150 is redundant and less efficient; the existing priority 200 rule already permits the required health checker ranges, so simply modifying its target tags is sufficient and avoids adding extra rules that could complicate firewall management. Option C is wrong because deleting the deny-all rule would remove the baseline security posture, allowing all traffic to all instances, which is a significant security risk and not required to fix the health checks.
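An added example, not part of the original question set, covering both the restricted SSH rule from the earlier question and the health check rule set from this one, written as Terraform for the google provider. The VPC and rule names are assumptions; the source ranges, ports and tags are those in the questions.

```hcl
# Added example, not from the page: the firewall rule set behind the SSH
# question and the health check question. VPC and rule names are
# assumptions. In Google Cloud the numerically LOWEST priority is
# evaluated first, so the explicit deny-all sits at 65000, below every
# allow rule; a deny-all at priority 100 would shadow all of them.

resource "google_compute_network" "vpc" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

# Explicit deny-all ingress with logging, just above the implied 65535
# deny, so that it only catches what no allow rule matched.
resource "google_compute_firewall" "deny_all_ingress" {
  name          = "deny-all-ingress"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  priority      = 65000
  source_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Health checker ranges to the tag the MIG actually carries.
resource "google_compute_firewall" "allow_health_checks" {
  name          = "allow-health-checks"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  priority      = 200
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["web-backend"]

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
}

# Public web traffic to the same instances.
resource "google_compute_firewall" "allow_web" {
  name          = "allow-web"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  priority      = 300
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["web-backend"]

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
}

# One rule carries several source ranges and a target tag: SSH from the
# admin subnet and the health checker ranges, only to tagged instances.
resource "google_compute_firewall" "allow_ssh_restricted" {
  name          = "allow-ssh-restricted"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  priority      = 300
  source_ranges = ["10.0.1.0/24", "130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["ssh-allowed"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```

The explicit deny-all exists for its logging, not for its effect: the implied deny already drops unmatched ingress, but only an explicit rule with log_config produces firewall log entries for the drops.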

33
MCQhard

Your company has a hybrid cloud architecture with two on-premises data centers: DC1 and DC2. Each DC is connected to Google Cloud via separate Cloud VPN tunnels (tunnel1 from DC1, tunnel2 from DC2) to a VPC in us-west1. The VPC has two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). DC1 has a subnet 192.168.1.0/24 and DC2 has 192.168.2.0/24. You configure BGP on both tunnels with the VPC dynamic routing, and each on-premises router advertises its local subnet. The VPC automatically imports the learned routes. You notice that traffic from DC1 to an instance in subnet-a (10.0.1.5) works, but traffic from DC2 to the same instance fails intermittently. Additionally, traffic from DC2 to DC1 (192.168.1.0/24) fails completely. You check the route tables and see that both tunnels have learned the routes for the remote subnets. What is the most likely cause and solution?

A.Create a new VPN tunnel from DC2 to a different VPC and use VPC peering.
B.Increase the MTU on the VPN tunnels to avoid fragmentation.
C.Configure each Cloud VPN tunnel with a separate Cloud Router and assign different BGP priorities to influence route selection, or use distinct regions for the VPN gateways.
D.Disable dynamic routing on both tunnels and use static routes instead.
AnswerC

Separate Cloud Routers give per-tunnel control of the advertised route priority, preventing asymmetric routing.

Why this answer

Both tunnels terminate on one Cloud Router with the same advertised route priority, so the VPC and the on-premises routers see equal-cost paths, and ECMP or BGP tie-breaking can return DC2's traffic over DC1's tunnel; any stateful firewall on either side then drops the half of the flow it never saw, which shows up as intermittent failures. Giving each tunnel its own Cloud Router (or at minimum its own BGP session with a distinct advertised route priority, which Cloud Router sends to the peer as the MED) makes each DC's traffic prefer its own tunnel in both directions. One caveat for the DC2-to-DC1 failure: a VPC network is not a transit network, and Cloud Router does not re-advertise prefixes learned from one BGP session to another, so DC2 will not reach 192.168.1.0/24 through Google Cloud unless that path is built deliberately, for example with Network Connectivity Center site-to-site data transfer.

Exam trap

Google Cloud often tests the misconception that VPN tunnels inherently provide symmetric routing, when in fact BGP route propagation without proper priority configuration can cause ECMP or suboptimal path selection, leading to intermittent failures.

How to eliminate wrong answers

Option A is wrong because creating a new VPN tunnel to a different VPC and using VPC peering adds unnecessary complexity and does not address the root cause of route conflict between the two tunnels; the problem is within the same VPC. Option B is wrong because increasing MTU addresses fragmentation issues, which would manifest as packet drops or performance degradation, not intermittent or complete connectivity failures for specific traffic flows. Option D is wrong because disabling dynamic routing and using static routes would remove the learned routes for remote subnets, breaking connectivity entirely, and would not resolve the asymmetric routing caused by BGP route propagation.

34
MCQmedium

A network engineer wants to allow specific instances to use Cloud NAT while others should not. Which configuration step should be taken?

A.Assign external IPs to non-NAT instances.
B.Use firewall rules to allow NAT for tagged instances.
C.Apply a network tag to instances that should use NAT and create a Cloud NAT with that tag.
D.Create separate subnets for NAT instances.
AnswerD

Cloud NAT is scoped by subnet IP ranges, not by instance tags, so the way to exclude instances is to keep them in a subnet (or secondary range) that the NAT configuration does not cover.

Why this answer

Cloud NAT has no tag-based selection: a gateway is configured to translate either all subnet ranges in its region, the primary ranges only, or an explicit list of subnets with their primary or secondary ranges. Instances that should use NAT therefore go in a subnet or secondary range the gateway lists, and instances that should not go in one it does not list (Option D). Option A works only in a narrow sense, since a VM with an external IP never uses Cloud NAT, but it exposes those VMs directly to the internet and is not a way to select NAT usage. Option B is wrong because firewall rules permit or deny traffic; they do not decide whether a packet is translated. Option C is wrong because network tags are not a Cloud NAT selector; they only target firewall rules and routes.

35
MCQhard

Refer to the exhibit. The Cloud Router shows one BGP peer as ESTABLISHED and one as IDLE. The best routes show two routes to the same destination with different priorities. What is the most likely reason the IDLE peer is not establishing?

A.The on-premises router is not sending routes for the IDLE peer
B.The IDLE peer has a higher priority route, so it is not needed
C.BGP configuration mismatch between Cloud Router and on-premises router for the IDLE peer
D.The IDLE peer is not configured on the Cloud Router
AnswerC

IDLE state indicates a BGP session issue, typically misconfiguration.

Why this answer

The IDLE state in BGP indicates that the session has not been established, typically due to a configuration mismatch. Since the Cloud Router shows one peer as ESTABLISHED and another as IDLE, the most likely cause is a mismatch in BGP parameters (such as AS number, peer IP, or authentication) between the Cloud Router and the on-premises router for the IDLE peer. This prevents the BGP session from transitioning out of the IDLE state.

Exam trap

Google Cloud often tests the misconception that route advertisement or route priority affects BGP session state, but the IDLE state is strictly a session establishment issue caused by misconfiguration or network reachability problems between the peers.

How to eliminate wrong answers

Option A is wrong because the on-premises router not sending routes does not prevent BGP session establishment; the session can still reach ESTABLISHED state even if no routes are advertised. Option B is wrong because route priority (the advertised priority that Cloud Router exchanges as MED) affects route selection, not BGP peering state; a preferred route does not cause a peer to remain IDLE. Option D is wrong because if the IDLE peer were not configured on the Cloud Router, it would not appear in the BGP peer list at all; the fact that it is listed as IDLE indicates it is configured but not establishing. The things to compare on both ends are the peer IP addresses on the link-local range, the ASNs, the MD5 authentication key if one is set, and whether the underlying tunnel or attachment is actually up.

36
MCQeasy

A service provider uses a Shared VPC with multiple service projects. The host project has a Cloud NAT configured for subnet 10.1.0.0/24 to provide outbound internet access to all service projects using that subnet. A new service project needs to use its own Cloud NAT for its VM instances in subnet 10.1.0.0/24 to meet compliance requirements. The network engineer attempts to create a Cloud NAT in the service project for that subnet but receives an error that the subnet already has a NAT gateway. What action should the engineer take to meet the compliance requirement?

A.Create a new Cloud NAT in the service project for the same subnet, overwriting the existing one.
B.Use VPC peering to connect the service project to a different network that has a Cloud NAT.
C.Implement a proxy instance with an external IP in the service project.
D.Remove the host project's NAT from the subnet and create a Cloud NAT in the service project for that subnet.
AnswerD

This removes the conflict and allows the service project to manage its own NAT.

Why this answer

Option D is correct because a given subnet range can be served by only one Cloud NAT gateway, so the host project's gateway must stop covering 10.1.0.0/24 before another gateway can take it. Cloud NAT is a property of a Cloud Router in the VPC network, which the host project owns, so in practice the replacement gateway is also created in the host project, scoped to that subnet, even when it is operated on the service project's behalf. Option A is impossible because of the one-gateway-per-range conflict; nothing is overwritten.

Option B (VPC peering) does not give the service project its own NAT on the same subnet; peering carries routes, not NAT, and the subnet stays in the host VPC. Option C (a proxy instance with an external IP) is not a native solution, adds an internet-exposed instance to manage, and still does not change which gateway serves the subnet.

37
Matchingmedium

Match each network troubleshooting command/tool to its function.



Tests basic connectivity to an IP address

Traces the path packets take to a destination

Displays network connections and listening ports

Queries DNS to resolve a hostname

Captures and analyzes network packets

Why these pairings

These are common tools for diagnosing network issues.

38
MCQeasy

A company wants to connect two VPC networks (vpc-a and vpc-b) that both reside in the same Google Cloud project. They need to ensure that all IP ranges in both VPCs can communicate using internal private IP addresses. Which solution should they implement?

A.Use Dedicated Interconnect to connect the VPCs.
B.Enable VPC Network Peering between vpc-a and vpc-b.
C.Set up Cloud VPN tunnels between the two VPCs.
D.Configure Cloud NAT to allow the VPCs to communicate through NAT.
AnswerB

VPC Network Peering provides private connectivity between two VPCs regardless of project, organization or region, provided their subnet ranges do not overlap.

Why this answer

VPC Network Peering connects two VPCs directly over Google's network using their internal IP addresses, with no bandwidth bottleneck and no gateway that could become a single point of failure. All subnet routes are exchanged automatically, so every subnet in both VPCs can communicate privately without external connectivity, VPN tunnels or NAT gateways. Two conditions apply: no subnet range may overlap between the two networks, and peering is not transitive, so a third VPC peered with vpc-b gains no path to vpc-a.

Exam trap

Google Cloud often tests the misconception that VPN or Interconnect is required for VPC-to-VPC connectivity, but in Google Cloud, VPC Network Peering is the native, simpler solution for same-project or cross-project private communication.

How to eliminate wrong answers

Option A is wrong because Dedicated Interconnect is a hybrid connectivity solution for connecting on-premises networks to a VPC, not for connecting two VPCs within the same project. Option C is wrong because Cloud VPN tunnels introduce latency, bandwidth limits, and complexity (e.g., BGP configuration) that are unnecessary when VPC Network Peering provides simpler, lower-latency private connectivity. Option D is wrong because Cloud NAT is designed to allow private instances to access the internet outbound, not to enable direct private communication between VPCs; it would force traffic through external IPs and break internal routing.
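An added example, not part of the original question set, covering the overlapping-ranges question, the peering-plus-firewall troubleshooting question and this one: two VPCs peered in both directions with custom route exchange, plus the ingress rule that peering alone does not provide. It is Terraform for the google provider; network and subnet names are assumptions, and the ranges match the earlier scenario.

```hcl
# Added example, not from the page: two VPCs peered in both directions
# with custom route exchange, plus the ingress rule in the destination
# network. Names are assumptions.

resource "google_compute_network" "vpc_a" {
  name                    = "vpc-a"
  auto_create_subnetworks = false
}

resource "google_compute_network" "vpc_b" {
  name                    = "vpc-b"
  auto_create_subnetworks = false
}

# Peering fails at creation time if any subnet range overlaps between
# the two networks, which is why overlapping VPCs cannot be peered.
resource "google_compute_subnetwork" "subnet_a" {
  name          = "subnet-a"
  region        = "us-central1"
  network       = google_compute_network.vpc_a.id
  ip_cidr_range = "10.0.1.0/24"
}

resource "google_compute_subnetwork" "subnet_b" {
  name          = "subnet-b"
  region        = "us-central1"
  network       = google_compute_network.vpc_b.id
  ip_cidr_range = "10.0.2.0/24"
}

# A peering is two half-connections; it goes ACTIVE only when both exist.
resource "google_compute_network_peering" "a_to_b" {
  name                 = "a-to-b"
  network              = google_compute_network.vpc_a.self_link
  peer_network         = google_compute_network.vpc_b.self_link
  export_custom_routes = true
  import_custom_routes = true
}

resource "google_compute_network_peering" "b_to_a" {
  name                 = "b-to-a"
  network              = google_compute_network.vpc_b.self_link
  peer_network         = google_compute_network.vpc_a.self_link
  export_custom_routes = true
  import_custom_routes = true

  depends_on = [google_compute_network_peering.a_to_b]
}

# Peering exchanges routes, not permissions. The implied deny-all
# ingress in vpc-b still drops the ping until an ingress rule admits it;
# the rule belongs in the destination network.
resource "google_compute_firewall" "vpc_b_allow_icmp_from_subnet_a" {
  name          = "vpc-b-allow-icmp-from-subnet-a"
  network       = google_compute_network.vpc_b.name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["10.0.1.0/24"]

  allow {
    protocol = "icmp"
  }
}
```

The two export/import flags only govern static and dynamic routes; subnet routes are always exchanged, which is why there is no way to 'exclude' an overlapping subnet through this configuration.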

39
MCQeasy

A company uses Private Service Connect (PSC) to access a managed SaaS application published by another company. The SaaS provider publishes a service attachment in their VPC. Which resource must the consumer create to connect to the service?

A.Service attachment
B.Internal forwarding rule
C.Cloud VPN tunnel
D.Private Service Connect endpoint
AnswerD

The consumer creates an endpoint to connect to the producer's service.

Why this answer

When a consumer wants to connect to a managed SaaS application published via Private Service Connect (PSC), they must create a Private Service Connect endpoint in their own VPC. This endpoint is a regional resource that uses an internal IP address from the consumer's VPC and establishes a connection to the service attachment published by the provider. The endpoint effectively makes the SaaS service accessible as if it were a resource inside the consumer's VPC, without requiring public IPs or VPNs.

Exam trap

Google Cloud often tests the distinction between who creates which resource — candidates mistakenly think the consumer creates the service attachment (Option A) because they confuse it with the endpoint, but the service attachment is always created by the provider.

How to eliminate wrong answers

Option A is wrong because a service attachment is created by the service provider (the SaaS company) to publish their service, not by the consumer. Option B is wrong in the exam's terms because an ordinary internal forwarding rule points at a backend service in the consumer's own VPC; note, though, that a PSC endpoint is itself implemented as a regional forwarding rule whose target is the producer's service attachment URI, so the distinction is about what the rule targets, not whether a forwarding rule exists. Option C is wrong because a Cloud VPN tunnel connects on-premises networks to Google Cloud, not a consumer VPC to a published PSC service.
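An added example, not part of the original question set: the consumer-side Private Service Connect endpoint, written as Terraform for the google provider. Project IDs, names and the producer's service attachment path are assumptions; the producer's attachment is created on their side and is not shown.

```hcl
# Added example, not from the page: consumer-side PSC endpoint. Project
# IDs, names and the service attachment path are assumptions.

resource "google_compute_network" "consumer" {
  name                    = "consumer-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "consumer" {
  name          = "consumer-us-central1"
  region        = "us-central1"
  network       = google_compute_network.consumer.id
  ip_cidr_range = "10.20.0.0/24"
}

# Reserve the internal IP the endpoint will answer on.
resource "google_compute_address" "psc_endpoint_ip" {
  name         = "saas-psc-ip"
  region       = "us-central1"
  subnetwork   = google_compute_subnetwork.consumer.id
  address_type = "INTERNAL"
}

# The endpoint is a regional forwarding rule whose target is the
# producer's service attachment; load_balancing_scheme must be empty.
resource "google_compute_forwarding_rule" "psc_endpoint" {
  name                  = "saas-psc-endpoint"
  region                = "us-central1"
  network               = google_compute_network.consumer.id
  ip_address            = google_compute_address.psc_endpoint_ip.id
  target                = "projects/saas-producer/regions/us-central1/serviceAttachments/saas-app"
  load_balancing_scheme = ""
}

# ACCEPTED means the producer approved this consumer; PENDING means the
# producer's accept list does not yet include the consumer project.
output "psc_connection_status" {
  value = google_compute_forwarding_rule.psc_endpoint.psc_connection_status
}
```

The consumer's only exposure is the internal address 10.20.0.x reserved above; the producer sees connections arriving from its own PSC NAT subnet, not from the consumer's ranges, which is what lets the two sides keep overlapping address space.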

40
MCQhard

A large enterprise has a Google Cloud environment with multiple projects under an organization. They have a Shared VPC host project with a VPC named 'shared-vpc' that has subnets in us-central1 and europe-west1. Several service projects are attached to this host project. One service project, 'proj-analytics', has a Compute Engine instance 'vm-analytics' in us-central1 that needs to connect to a Cloud SQL PostgreSQL instance (private IP) also in us-central1, but within a different service project 'proj-db'. The Cloud SQL instance is configured with a private IP address 10.0.1.5 from a subnet in 'shared-vpc' (the same VPC). The vm-analytics instance has an internal IP 10.0.0.5 from a different subnet in 'shared-vpc'. The two subnets are in the same region, and there is a firewall rule allowing all traffic from 10.0.0.0/16 (the entire VPC range) to the Cloud SQL subnet. However, vm-analytics cannot connect to the Cloud SQL instance. The error on vm-analytics is 'Connection timed out'. There are no firewall rules blocking egress from vm-analytics. What is the most likely cause and solution?

A.Grant the service project's compute engine default service account the Compute Network User role on the host project.
B.Enable Private Google Access on the vm-analytics subnet.
C.Create a firewall rule in the host project allowing ingress from the service project's subnets to the Cloud SQL subnet.
D.Configure a Cloud Router in the service project to advertise routes to the Cloud SQL subnet.
AnswerA

Without this role, principals in the service project cannot use the host project's subnets, and the question treats that as the reason the VM has no working path to the Cloud SQL private IP through the Shared VPC.

Why this answer

Cloud SQL with a private IP uses Private Service Access: a VPC peering between the Shared VPC network (owned by the host project) and a Google-managed producer network, with the instance's address allocated from a range reserved for that peering. Routes to the producer range are imported into the Shared VPC, so a VM in any attached service project can in principle reach 10.0.1.5, and the firewall already allows 10.0.0.0/16 toward the Cloud SQL subnet.

What the scenario is missing is on the Shared VPC side rather than the database side: the service project's Compute Engine default service account needs roles/compute.networkUser on the host project (or on the specific subnet) to use the host network at all. The question treats that missing grant as the reason the VM has no usable path into the host network, and granting the role (Option A) is the expected fix. Before touching IAM, two checks are worth making, since both produce the same 'Connection timed out' symptom: confirm that the servicenetworking peering exists on the Shared VPC and that its routes are being imported, and confirm that the Cloud SQL instance's private IP was configured against the host project's VPC rather than a network in proj-db.

Option B is wrong because Private Google Access is for reaching Google APIs from VMs without external IPs, not for Cloud SQL private IP. Option C is wrong because the firewall rule it describes already exists in the scenario. Option D is wrong because no BGP or Cloud Router is involved in Private Service Access, and a service project cannot own a Cloud Router in the host project's network anyway.

41
MCQeasy

A company runs a private GKE cluster in us-central1. Pods need to access the internet for updates. Which configuration is required?

A.Add network tags to allow egress traffic.
B.Create a Cloud Router with BGP peering.
C.Enable Cloud NAT on the cluster's subnet.
D.Assign external IPs to the nodes.
AnswerC

Cloud NAT provides outbound internet access for private instances.

Why this answer

In a private GKE cluster, nodes do not have external IPs, so pods cannot reach the internet directly. Cloud NAT provides outbound connectivity by translating private IPs to a public IP, allowing pods to fetch updates while keeping the cluster private. This is the standard solution for outbound-only internet access from private GKE clusters.

Exam trap

Google Cloud often tests the misconception that a default route or an egress firewall rule alone gives private nodes internet access. The VPC does have a default route to the default internet gateway, but a packet leaving through it needs a public source address, and private cluster nodes have none; without Cloud NAT there is nothing to translate the node's or pod's private source address, so the packet is dropped.

How to eliminate wrong answers

Option A is wrong because network tags control firewall rules for ingress/egress traffic within a VPC, but they do not provide internet connectivity; without a public IP or NAT, egress traffic to the internet is still blocked. Option B is wrong because Cloud Router with BGP peering is used for dynamic routing between on-premises and GCP, not for providing internet access to private instances. Option D is wrong because assigning external IPs to nodes would expose them to the internet, defeating the purpose of a private cluster and violating security best practices; Cloud NAT is the correct approach to avoid public IPs on nodes.
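An added example, not part of the original question set, covering the Cloud NAT questions earlier on this page (the BGP interaction, selecting which instances are translated, one gateway per subnet range) and this one: a gateway that translates only the subnets it lists, with a secondary range so GKE pods are covered too. It is Terraform for the google provider; names and ranges are assumptions.

```hcl
# Added example, not from the page: a Cloud NAT gateway that translates
# only the subnets it lists. Names and ranges are assumptions; the GKE
# pod range is a secondary range so pods get NAT as well.

resource "google_compute_network" "vpc" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

# Subnet whose VMs and pods should reach the internet through NAT.
resource "google_compute_subnetwork" "egress_allowed" {
  name          = "egress-allowed"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.0.1.0/24"

  secondary_ip_range {
    range_name    = "gke-pods"
    ip_cidr_range = "10.100.0.0/16"
  }
}

# Subnet whose VMs must stay isolated: not listed on the gateway below,
# so their packets to external addresses are dropped, tags or not.
resource "google_compute_subnetwork" "no_egress" {
  name          = "no-egress"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.0.9.0/24"
}

# A router dedicated to NAT. Keeping it separate from routers that peer
# with on-premises avoids mixing NAT with BGP advertisements.
resource "google_compute_router" "nat" {
  name    = "nat-router"
  region  = "us-central1"
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "egress" {
  name                               = "nat-us-central1"
  router                             = google_compute_router.nat.name
  region                             = google_compute_router.nat.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  # Only this subnet is translated: primary range plus gke-pods.
  subnetwork {
    name                    = google_compute_subnetwork.egress_allowed.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  log_config {
    enable = true
    filter = "ERRORS_ONLY" # dropped connections, e.g. port exhaustion
  }
}
```

Because a subnet range can be served by one gateway only, a second gateway claiming egress-allowed would be rejected; the isolated subnet simply has no gateway listing it. ERRORS_ONLY logging is the cheap way to catch NAT port exhaustion before it looks like an application outage.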

42
MCQhard

An organization uses Shared VPC with multiple service projects. They want to allow a service project to create a VM in a subnet that belongs to the host project. The subnet has an IAM policy that grants the compute.instanceAdmin role to the service project's service account. However, the service project is unable to create VMs in that subnet. What is the most likely reason?

A.The subnet IAM policy does not include the service project's service account.
B.The subnet is out of IP addresses.
C.The service project does not have the compute.instanceAdmin role on itself.
D.The service project is missing the compute.networkUser role on the host project.
AnswerD

The compute.networkUser role is required to use the host project's VPC networks.

Why this answer

In addition to any subnet-level policy, the principal in the service project that creates the VM (here its service account) must hold roles/compute.networkUser on the host project, or on the specific shared subnet; that is the role Shared VPC requires for using a host subnet, and it is the one missing from the scenario. Option D is therefore correct. Option A is wrong because the premise states that the service account is already in the subnet policy, just with a different role. Option B is wrong because an exhausted subnet produces an explicit address-allocation error, not a general inability to use the subnet.

Option C is wrong because the service project's own IAM never grants access to host project resources.
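An added example, not part of the original question set, covering the Cloud SQL Shared VPC question above and this one: the Shared VPC attachment plus the least-privilege networkUser grant at subnet level, written as Terraform for the google provider. Project IDs, the subnet name and the service account are assumptions.

```hcl
# Added example, not from the page: Shared VPC host/service attachment
# and a subnet-scoped networkUser grant. Project IDs, subnet name and
# service account are assumptions.

resource "google_compute_shared_vpc_host_project" "host" {
  project = "net-host"
}

resource "google_compute_shared_vpc_service_project" "analytics" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = "proj-analytics"
}

# The principal that creates VMs in the service project needs
# roles/compute.networkUser on the host side. Granting it on one subnet
# limits the service project to that subnet; granting it on the host
# project with google_project_iam_member would expose every subnet.
resource "google_compute_subnetwork_iam_member" "analytics_network_user" {
  project    = "net-host"
  region     = "us-central1"
  subnetwork = "shared-analytics-us-central1"
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"

  depends_on = [google_compute_shared_vpc_service_project.analytics]
}
```

The subnet-level grant is the least-privilege form: a compromised service project can only place workloads in the subnets it was explicitly given, rather than anywhere in the host network.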

43
MCQeasy

An organization requires a hybrid connectivity option that offers an SLA of 99.99% availability and supports bandwidth up to 100 Gbps. They are willing to manage their own physical infrastructure in a Google colocation facility. Which connectivity solution should they choose?

A.Cloud VPN with multiple tunnels
B.Dedicated Interconnect
C.Partner Interconnect
D.HA VPN
AnswerB

Direct physical connection with high SLA and bandwidth.

Why this answer

Dedicated Interconnect is the correct choice because it provides a direct physical connection between your on-premises equipment and Google's network in a colocation facility, using 10 Gbps or 100 Gbps circuits (up to eight 10 Gbps or two 100 Gbps circuits per connection), and it carries a 99.99% availability SLA when built on the recommended redundant topology: at least four connections across two metropolitan areas, in separate edge availability domains, terminating on Cloud Routers in two regions with global dynamic routing. This solution requires you to manage your own physical infrastructure in a Google colocation facility, which matches the organization's requirement.

Exam trap

Google Cloud often tests the distinction between Dedicated and Partner Interconnect, where candidates mistakenly choose Partner Interconnect because they overlook the requirement for the organization to manage its own physical infrastructure, assuming any 'Interconnect' option meets the SLA and bandwidth needs.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with multiple tunnels is an internet-based, encrypted connection that does not offer an SLA of 99.99% availability (typically 99.9% at best) and cannot support bandwidth up to 100 Gbps due to per-tunnel throughput limits (e.g., 3 Gbps per tunnel for HA VPN). Option C is wrong because Partner Interconnect relies on a third-party service provider to manage the physical connection, which contradicts the requirement that the organization manages its own physical infrastructure in a Google colocation facility. Option D is wrong because HA VPN, while providing high availability, is still an internet-based VPN solution with a maximum throughput of 3 Gbps per tunnel and does not meet the 100 Gbps bandwidth requirement or the 99.99% SLA.

44
MCQ (easy)

An engineer configured a Cloud Router with the above settings. The VPC network has subnets 10.1.0.0/16 and 10.2.0.0/16, as well as subnets 10.3.0.0/16 and 10.4.0.0/16. The on-premises router is only receiving routes for 10.1.0.0/16 and 10.2.0.0/16 but not for 10.3.0.0/16 and 10.4.0.0/16. What is the cause?

A. The BGP session is not established
B. The Cloud Router is in global routing mode, which does not advertise all subnets
C. The Cloud Router is set to custom advertisement mode, and the missing subnets are not included in the advertised IP ranges
D. The on-premises router has a filter that blocks the other routes
Answer: C

Custom mode requires explicit specification of ranges to advertise; only listed ranges are advertised.

Why this answer

Option C is correct because when a Cloud Router is configured in custom advertisement mode, it only advertises the specific CIDR ranges explicitly listed in the 'Advertised IP ranges' field. Since the missing subnets (10.3.0.0/16 and 10.4.0.0/16) are not included in that list, they are not propagated via BGP to the on-premises router, even though they exist in the VPC.

Exam trap

Google Cloud often tests the distinction between default advertisement mode (which automatically advertises all VPC subnets) and custom advertisement mode (which requires explicit configuration), leading candidates to overlook the fact that missing routes are due to an incomplete custom list rather than a BGP session issue or routing mode setting.

How to eliminate wrong answers

Option A is wrong because if the BGP session were not established, the on-premises router would receive no routes at all, not just a subset. Option B is wrong because global routing mode (as opposed to regional routing mode) does not affect which subnets are advertised; it only controls the scope of route propagation within Google Cloud, not the BGP advertisement list. Option D is wrong because the question states the on-premises router is 'only receiving routes for 10.1.0.0/16 and 10.2.0.0/16', which matches the advertised IP ranges; a filter on the on-premises router would typically block all or specific routes, but the pattern here points to a missing advertisement on the Cloud Router side.
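As an added illustration that is not part of the question bank, the following Python models the two Cloud Router advertisement modes and the symptom pattern this question turns on. The four VPC ranges come from the question; the DEFAULT/CUSTOM model, the diagnose() heuristics and every function name are this example's own simplifications (the ALL_SUBNETS group name matches the gcloud advertisement group, but the logic is not Google's implementation).

```python
import ipaddress

# Constructed VPC subnets matching the question; not taken from any exhibit.
VPC_SUBNETS = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16"]


def _sorted_prefixes(prefixes):
    """Deduplicate and sort CIDR strings by network address, not lexically."""
    return sorted(set(prefixes), key=lambda p: ipaddress.ip_network(p, strict=False))


def advertised_prefixes(mode, vpc_subnets, advertised_groups=(), advertised_ranges=()):
    """Prefixes a Cloud Router advertises to its BGP peers under a simplified
    model of the two advertisement modes (assumption, not Google's code):

      DEFAULT -> every subnet in the VPC.
      CUSTOM  -> nothing unless explicitly listed: the ALL_SUBNETS group (if
                 selected) plus each custom range.
    """
    mode = mode.upper()
    if mode == "DEFAULT":
        return _sorted_prefixes(vpc_subnets)
    if mode != "CUSTOM":
        raise ValueError(f"unknown advertisement mode: {mode}")
    result = list(advertised_ranges)
    if "ALL_SUBNETS" in advertised_groups:
        result.extend(vpc_subnets)
    return _sorted_prefixes(result)


def missing_from_peer(expected, received):
    """Prefixes the on-premises peer should hold but does not."""
    return _sorted_prefixes(set(expected) - set(received))


def diagnose(expected, received, bgp_established):
    """Map the symptom pattern to the first thing to check.

    The distinction the question relies on: a down session loses every
    route, while a short custom list loses only the unlisted ones.
    """
    if not bgp_established:
        return "BGP session down: the peer learns no routes at all"
    missing = missing_from_peer(expected, received)
    if not missing:
        return "ok: every expected prefix was learned"
    if not received:
        return "no routes learned despite BGP up: check advertised ranges and peer filters"
    return ("partial: " + ", ".join(missing) + " not learned; the Cloud Router is likely in "
            "CUSTOM mode with those ranges missing from its advertised IP ranges")


if __name__ == "__main__":
    # The misconfiguration from the question: CUSTOM mode listing only two ranges.
    sent = advertised_prefixes("CUSTOM", VPC_SUBNETS,
                               advertised_ranges=["10.1.0.0/16", "10.2.0.0/16"])
    print("advertised:", sent)
    print(diagnose(VPC_SUBNETS, sent, bgp_established=True))
```

Running the script reproduces the question: only the two listed ranges are advertised, and diagnose() points at the custom advertised-ranges list rather than the BGP session.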

45
Multi-Select (hard)

A company uses Cloud NAT to enable outbound internet access for private instances in a VPC. They notice that some instances are unable to connect to external services, while others can. The network team has verified that all instances have the same tags and are in the same subnet. Which TWO actions should the team take to troubleshoot the issue?

Select 2 answers
A. Ensure Cloud NAT is enabled in each zone where instances are located
B. Check Cloud NAT logs for port exhaustion
C. Verify that the instances have external IP addresses assigned
D. Verify that the external service is not blocking the NAT IP addresses
E. Review the health check configuration for the NAT gateway
Answers: B, D

Port exhaustion can cause connection failures; Cloud NAT logs show when ports are depleted.

Why this answer

Option B is correct because Cloud NAT logs can reveal port exhaustion, which occurs when the NAT gateway runs out of available source ports for connections. Since all instances share the same NAT IP addresses, high connection counts from some instances can exhaust ports, preventing others from establishing new outbound connections. Checking these logs helps identify whether port exhaustion is the root cause of the connectivity issue.

Exam trap

Google Cloud often tests the misconception that Cloud NAT must be zone-specific or that instances need external IPs for NAT to work, but the real trap is overlooking port exhaustion as a common failure mode when multiple instances share the same NAT gateway.

46
MCQ (easy)

A company wants to allow on-premises servers to access Google APIs and services through a Dedicated Interconnect without using public IPs. What should they configure?

A. Enable Private Google Access on the VPC subnet.
B. Set up VPC Network Peering.
C. Configure Private Service Connect.
D. Configure Cloud Router with custom route advertisement.
Answer: A

This enables private access to Google APIs via the interconnect.

Why this answer

Private Google Access enables on-premises hosts connected via Dedicated Interconnect to reach Google APIs and services using internal IP addresses. When enabled on the VPC subnet, traffic destined for Google APIs is routed through the interconnect without needing public IPs, as the VPC uses its default routes and Cloud NAT-like functionality to forward requests to Google's internal addresses.

Exam trap

Google Cloud often tests the misconception that Private Service Connect or Cloud Router alone can provide private API access from on-premises, but the key requirement is enabling Private Google Access on the subnet to route API traffic through the interconnect without public IPs.

How to eliminate wrong answers

Option B is wrong because VPC Network Peering connects two VPC networks, not on-premises networks to Google APIs; it does not provide access to Google APIs from on-premises via interconnect. Option C is wrong because Private Service Connect is used to privately access managed services (e.g., Google APIs) from within a VPC using endpoints, but it does not extend that access to on-premises networks over Dedicated Interconnect without additional configuration like Private Google Access. Option D is wrong because Cloud Router with custom route advertisement manages dynamic routing (BGP) between on-premises and GCP, but it does not by itself enable access to Google APIs without public IPs; Private Google Access must be explicitly enabled on the subnet.

47
MCQ (hard)

A company has two HA VPN tunnels from on-premises to Google Cloud using two separate Cloud Routers for redundancy. The on-premises network uses BGP and advertises a default route to Google Cloud. The company wants to ensure that traffic from Google Cloud to on-premises prefers the primary Cloud Router over the secondary. Which configuration should be applied?

A. Set the primary Cloud Router's BGP IP as the next-hop for all routes on the secondary.
B. Set a lower MED on the primary Cloud Router's BGP session for the default route advertisement.
C. Set a higher LOCAL_PREF on the primary Cloud Router for the default route.
D. Set a shorter AS_PATH on the primary Cloud Router's BGP session.
Answer: C

Higher LOCAL_PREF makes the route more preferred for outbound traffic from Google Cloud.

Why this answer

Option C is correct because LOCAL_PREF is a well-known mandatory BGP attribute that is used to influence outbound traffic from an AS. By setting a higher LOCAL_PREF on the primary Cloud Router for the default route, Google Cloud will prefer that path for traffic destined to on-premises, as LOCAL_PREF is evaluated before other attributes like AS_PATH and MED.

Exam trap

The trap here is that candidates often confuse MED (which influences inbound traffic) with LOCAL_PREF (which influences outbound traffic), leading them to incorrectly select Option B, thinking MED can control which path Google Cloud uses to send traffic to on-premises.

How to eliminate wrong answers

Option A is wrong because manually setting the primary Cloud Router's BGP IP as the next-hop on the secondary does not influence BGP path selection; BGP next-hop is used for reachability, not preference, and this configuration would not cause the primary to be preferred. Option B is wrong because MED is a multi-exit discriminator that influences inbound traffic to an AS, not outbound traffic from Google Cloud; it is used by the on-premises router to choose which path to use when multiple paths exist to the same prefix, not by Google Cloud. Option D is wrong because a shorter AS_PATH makes a route more preferred, but this attribute is typically manipulated on the on-premises side to influence Google Cloud's path selection; setting a shorter AS_PATH on the primary Cloud Router would not be effective because AS_PATH is prepended by the router advertising the route, and Google Cloud would see the same AS_PATH length from both routers if they are in the same AS.

48
MCQ (medium)

A company has a multi-region VPC with subnets in us-central1 (10.0.0.0/24) and europe-west1 (10.0.1.0/24). They have deployed a global Application Load Balancer (ALB) with backend services in both regions. The backends are instance groups with instances in each subnet. The ALB uses internal IP addresses from a subnet in each region for the backend services. The company wants to restrict access to the ALB so that only traffic from a specific list of external IP addresses (e.g., corporate VPN) can reach the load balancer. They have created a firewall rule allowing ingress from those IP addresses to the ALB's forwarding rule IP (which is a global IP). However, external traffic from allowed IPs is still being blocked. What is the most likely reason?

A. The firewall rule should be created with priority lower than 1000 to override default deny.
B. VPC firewall rules do not apply to global load balancer's frontend; use Cloud Armor with IP whitelist.
C. The firewall rule must allow ingress from the allowed IPs to the backend instance's internal IPs.
D. The firewall rule must be applied to the backend instances' tags, not the forwarding rule IP.
Answer: B

Global ALB traffic bypasses VPC firewall; Cloud Armor provides access control at the edge.

Why this answer

The Global Application Load Balancer uses a frontend IP that is a global anycast IP. Firewall rules are applied at the network level and cannot filter traffic to global forwarding rules because the traffic is routed through Google's frontend infrastructure before reaching the VPC. To restrict access to a global ALB, you should use Cloud Armor or IAP, not VPC firewall rules.

Option B is correct: use Cloud Armor with an IP whitelist to restrict access.

49
MCQ (hard)

A company has deployed a global application on Compute Engine instances in multiple regions. Users are experiencing high latency connecting to the application. The network team wants to use Google Cloud's global network to improve performance. Which approach should they take?

A. Deploy a global HTTP(S) Load Balancer with backend services in each region.
B. Use Cloud DNS with geo-routing to direct users to regional load balancers.
C. Set up Cloud NAT with multiple static IP addresses for each region.
D. Assign a global anycast IP address to all instances and use BGP to advertise it.
Answer: A

Global HTTP(S) LB uses anycast IP and proxies traffic to the closest region, reducing latency.

Why this answer

A global HTTP(S) Load Balancer uses Google Cloud's global anycast IP address and the Google Front End (GFE) infrastructure to route traffic over Google's private network to the closest healthy backend instance. This reduces latency by avoiding the public internet and leveraging Google's global fiber backbone, making it the correct choice for improving performance for a globally distributed application.

Exam trap

Google Cloud often tests the misconception that anycast IPs can be directly assigned to instances or that BGP-based anycast is a viable option in Google Cloud, when in fact only Google-managed load balancers can provide anycast IPs, and customers cannot advertise their own anycast prefixes.

How to eliminate wrong answers

Option B is wrong because Cloud DNS with geo-routing directs users to regional load balancers based on DNS resolution, but DNS-based routing cannot react to real-time network conditions or instance health, and traffic still traverses the public internet after DNS resolution, failing to fully utilize Google's global network. Option C is wrong because Cloud NAT provides outbound internet access for instances without public IPs and does not improve inbound user latency; it is used for egress traffic, not ingress load balancing. Option D is wrong because assigning a global anycast IP address directly to instances and using BGP to advertise it is not supported in Google Cloud; Google Cloud does not allow customers to advertise their own anycast IPs via BGP, and instances cannot share a single anycast IP without a load balancer.

50
MCQ (medium)

A company has deployed a Dedicated Interconnect with multiple VLAN attachments connected to a single Cloud Router. They want to influence inbound traffic from on-premises to Google Cloud to use a specific attachment for certain prefixes. Which BGP attribute can they manipulate on the on-premises router to achieve this?

A. AS_PATH
B. LOCAL_PREF
C. MED
D. Community tags
Answer: C

MED can be set on routes advertised from on-premises to Google Cloud, influencing which attachment is preferred for those prefixes.

Why this answer

Option C is correct because the Multi-Exit Discriminator (MED) attribute is used to influence inbound traffic from on-premises to Google Cloud when multiple paths exist via a Dedicated Interconnect. By setting a lower MED value on the on-premises router for specific prefixes, the Cloud Router will prefer that attachment for those prefixes, as MED is compared first among paths from the same neighboring AS.

Exam trap

Google Cloud often tests the distinction between attributes that influence inbound vs. outbound traffic, and the trap here is that candidates confuse MED (inbound influence) with LOCAL_PREF (outbound influence) or AS_PATH prepending (outbound influence), assuming any attribute can be manipulated on the on-premises router to affect Google Cloud's path selection.

How to eliminate wrong answers

Option A is wrong because AS_PATH is used to influence outbound traffic from Google Cloud to on-premises by prepending AS numbers, not inbound traffic from on-premises to Google Cloud. Option B is wrong because LOCAL_PREF is a well-known mandatory attribute that is only used within a single AS to influence outbound traffic from the local router, and it is not exchanged between ASes, so it cannot be set on the on-premises router to affect Google Cloud's path selection. Option D is wrong because Community tags are used for tagging routes to trigger routing policies (like route filtering or preference) but do not directly influence path selection; they require explicit configuration on the receiving router to interpret them, unlike MED which is a standard BGP attribute compared automatically.

51
MCQ (easy)

A network engineer notices unusual traffic patterns from a VM. They want to capture detailed information about each packet sent and received by the VM, including source and destination IPs, protocols, and ports. Which feature should they enable?

A. Packet Mirroring
B. VPC Flow Logs
C. Cloud Audit Logs
D. Firewall Rules Logging
Answer: B

VPC Flow Logs sample and log network flows with metadata.

Why this answer

VPC Flow Logs capture metadata about IP traffic flowing to and from network interfaces in a VPC, including source/destination IPs, protocols, and ports. This feature is designed specifically for analyzing traffic patterns and troubleshooting connectivity issues at the network layer, making it the correct choice for the described requirement.

Exam trap

Google Cloud often tests the distinction between metadata logging (VPC Flow Logs) and full packet capture (Packet Mirroring), leading candidates to choose Packet Mirroring when only summary traffic information is needed.

How to eliminate wrong answers

Option A is wrong because Packet Mirroring copies the actual packet payload (full packet capture) for deep inspection, not just metadata like IPs and ports, and is typically used for security appliances or intrusion detection, not for lightweight traffic pattern analysis. Option C is wrong because Cloud Audit Logs record administrative actions and API calls (e.g., who created a VM), not network packet-level details such as IPs, protocols, or ports. Option D is wrong because Firewall Rules Logging logs only traffic that is allowed or denied by firewall rules, and it does not capture all packets sent/received by a VM; it is rule-centric, not interface-centric.

52
MCQ (medium)

A customer reports that after setting up HA VPN, some on-premises subnets are not reachable from Google Cloud. The Cloud Router shows the missing routes. What is the most likely cause?

A. The VPN tunnel is down.
B. The on-premises router is not configured to advertise those subnets.
C. BGP route filters are blocking the advertisement of those subnets.
D. The shared secret is incorrect.
Answer: C

Route filters on the Cloud Router or on-premises router can selectively allow or deny routes.

Why this answer

Option C is correct because the Cloud Router shows the missing routes, indicating that the VPN tunnel and BGP session are up, but the routes are not being installed. BGP route filters on the Cloud Router or on-premises router can explicitly block the advertisement of specific subnets, preventing them from being learned and installed in the routing table even though the BGP session is established.

Exam trap

The trap here is that candidates often assume missing routes are due to a tunnel or BGP session failure, but Google Cloud tests the distinction between routes being received (BGP table) versus being installed (routing table), which points to route filtering as the cause.

How to eliminate wrong answers

Option A is wrong because if the VPN tunnel were down, the Cloud Router would not show any routes from the on-premises side, and the BGP session would be down, not just missing specific subnets. Option B is wrong because the on-premises router not advertising those subnets would result in the Cloud Router not seeing those routes at all, but the question states the Cloud Router shows the missing routes, meaning they are present in the BGP updates but not installed. Option D is wrong because an incorrect shared secret would prevent the IPsec tunnel from establishing, causing the BGP session to fail entirely, not just filter specific subnets.

53
MCQ (medium)

A company is migrating from an on-premises data center to Google Cloud. They have set up a High-Availability VPN (with two tunnels) between their on-premises router and a Cloud VPN gateway in a VPC. They use static routing. The on-premises network uses RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the VPC uses 10.1.0.0/16. They have configured static routes in the VPC for the on-premises ranges pointing to the VPN gateway. However, they notice that traffic from on-premises to the VPC is intermittent: sometimes packets go through tunnel 1, sometimes through tunnel 2, and sometimes they drop. The on-premises router is configured to use both tunnels in an active-active mode with equal-cost multipath (ECMP). What is the most likely cause of the intermittent drops?

A. Increase the number of tunnels to four to distribute traffic better.
B. Change from static routing to dynamic routing (BGP) to allow the Cloud VPN gateway to advertise routes and avoid ECMP issues.
C. Set the on-premises router to active-passive mode using only one tunnel at a time.
D. Configure traffic selector policies on the VPN tunnels to ensure each tunnel only handles specific subnets.
Answer: B

BGP provides better control over path selection and is recommended for HA VPN with multiple tunnels.

Why this answer

Cloud VPN with static routing does not support ECMP for traffic from the VPC to on-premises: the VPC's static routes point at the VPN gateway rather than at individual tunnels, and the gateway treats each tunnel as a separate next hop. In the other direction, ECMP is possible if the on-premises router spreads traffic across both tunnels, and the gateway accepts packets on either tunnel and forwards them into the VPC.

The drops therefore come from that asymmetry on the on-premises side. ECMP hashing may deliver packets of one flow out of order across the two tunnels, which the Cloud VPN gateway may not reassemble correctly; packets from different flows arriving on different tunnels are forwarded correctly, so the problem is a single flow being split inconsistently. Two further candidates are that the tunnels do not have matching encryption domains, or that the on-premises router's ECMP algorithm is not consistent, so some packets arrive on a tunnel that cannot carry them.

The correct action is to use BGP dynamic routing to avoid the ECMP issue, or, failing that, active-passive mode. Option B is correct: switch to BGP routing, which allows better path selection and route advertisement.

54
MCQ (medium)

Your company has a hybrid network architecture with two Cloud VPN tunnels (tunnel-a and tunnel-b) from an on-premises router to a Cloud VPN gateway in us-central1, and one Dedicated Interconnect connection from the same on-premises router to a VLAN attachment in us-east1. All connections use BGP to exchange routes. The on-premises router advertises the same CIDR block 10.0.0.0/8 to both VPN and Interconnect. Google Cloud routes for on-premises prefixes are learned via both paths with the same priority. You notice that traffic from Google Cloud VMs in us-central1 to on-premises destinations sometimes fails during periods of high load. Additionally, you observe ICMP redirects from the VMs. What is the most likely cause and recommended action?

A. Configure BGP ASN prepending on the Cloud Router associated with the VPN tunnels to make the Interconnect path more preferred for on-premises traffic back to Google Cloud.
B. Create a second Cloud VPN gateway in us-east1 and establish a separate VPN tunnel from on-premises to that gateway to provide symmetric routing.
C. Enable source NAT on the Cloud VPN gateway so that VMs' source IPs are rewritten, preventing ICMP redirects.
D. Disable route propagation on the Cloud Router in us-east1 to force all traffic through the VPN tunnels.
Answer: A

ASN prepending makes the VPN path less desirable, causing return traffic to use the Interconnect connection, achieving symmetric routing.

Why this answer

The issue is asymmetric routing: traffic from Google Cloud VMs in us-central1 to on-premises destinations uses the Interconnect (us-east1) due to equal-cost multipath (ECMP) or routing decisions, but return traffic from on-premises may prefer the VPN tunnels (tunnel-a/tunnel-b) because BGP path selection (e.g., local preference, AS path length) is not influenced. This causes ICMP redirects and failures under load. Option A corrects this by using BGP ASN prepending on the Cloud Router for the VPN tunnels, artificially lengthening the AS path for routes learned via VPN, making the Interconnect path more preferred for return traffic, ensuring symmetric routing.

Exam trap

The trap here is that candidates confuse ICMP redirects with a NAT or firewall issue, rather than recognizing them as a classic symptom of asymmetric routing in a multi-homed BGP environment, and they overlook the simple BGP path manipulation technique of ASN prepending to enforce symmetric routing.

How to eliminate wrong answers

Option B is wrong because creating a second VPN gateway in us-east1 does not solve the asymmetric routing problem; it adds another path without influencing path preference, and the core issue is route selection, not geographic proximity. Option C is wrong because source NAT on the Cloud VPN gateway would break end-to-end IP connectivity and does not address the routing asymmetry; ICMP redirects are a symptom of asymmetric routing, not a source IP issue. Option D is wrong because disabling route propagation on the Cloud Router in us-east1 would remove the Interconnect route entirely, forcing all traffic through VPN tunnels, which defeats the purpose of using Dedicated Interconnect and may cause performance degradation or single-path failure.
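Questions 47, 50 and 54 all rest on the same BGP decision order (LOCAL_PREF, then AS_PATH length, then MED), so the following Python, added here as an illustration rather than anything from the question bank, simulates that order once and replays the three scenarios. The selection order is the textbook simplification (real routers add more tie-breaks, and Cloud Router's own behaviour is not modelled); the ASNs 65001 and 65010, the prefixes and the session labels are constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Path:
    """One BGP path for a prefix, as seen by the router making the decision."""
    prefix: str
    via: str            # label for the session the path was learned on
    neighbor_as: int    # ASN of the peer that sent it
    as_path: tuple      # ASNs in AS_PATH, leftmost (most recent) first
    local_pref: int = 100
    med: int = 0


def best_paths(paths, always_compare_med=False):
    """Return the equally-best paths (more than one means ECMP).

    Simplified textbook order (an assumption of this example):
      1. highest LOCAL_PREF
      2. shortest AS_PATH
      3. lowest MED, compared only between paths from the same neighbor AS
         unless always_compare_med is set
    """
    if len({p.prefix for p in paths}) != 1:
        raise ValueError("best_paths compares paths for a single prefix")
    cands = list(paths)
    top_pref = max(p.local_pref for p in cands)
    cands = [p for p in cands if p.local_pref == top_pref]
    if len(cands) > 1:
        shortest = min(len(p.as_path) for p in cands)
        cands = [p for p in cands if len(p.as_path) == shortest]
    if len(cands) > 1 and (always_compare_med or len({p.neighbor_as for p in cands}) == 1):
        lowest = min(p.med for p in cands)
        cands = [p for p in cands if p.med == lowest]
    return cands


def prepend(path, own_as, times):
    """AS path prepending: the advertising router repeats its own ASN."""
    return replace(path, as_path=(own_as,) * times + path.as_path)


# Constructed ASNs: 65001 for the on-premises router, 65010 for the Cloud Router.
ONPREM_AS, CLOUD_AS = 65001, 65010


def scenario_local_pref():
    """Question 47: Google Cloud's choice between two default routes."""
    primary = Path("0.0.0.0/0", "primary-router", ONPREM_AS, (ONPREM_AS,), local_pref=200)
    secondary = Path("0.0.0.0/0", "secondary-router", ONPREM_AS, (ONPREM_AS,), local_pref=100)
    return [p.via for p in best_paths([primary, secondary])]


def scenario_med():
    """Question 50: one prefix over two VLAN attachments from the same on-prem AS."""
    att_a = Path("10.20.0.0/16", "attachment-a", ONPREM_AS, (ONPREM_AS,), med=50)
    att_b = Path("10.20.0.0/16", "attachment-b", ONPREM_AS, (ONPREM_AS,), med=100)
    return [p.via for p in best_paths([att_a, att_b])]


def scenario_prepending():
    """Question 54: the on-prem router's view of a VPC prefix via VPN and Interconnect."""
    via_vpn = Path("10.1.0.0/16", "vpn", CLOUD_AS, (CLOUD_AS,))
    via_ic = Path("10.1.0.0/16", "interconnect", CLOUD_AS, (CLOUD_AS,))
    before = [p.via for p in best_paths([via_vpn, via_ic])]            # tie: ECMP
    after = [p.via for p in best_paths([prepend(via_vpn, CLOUD_AS, 3), via_ic])]
    return before, after


if __name__ == "__main__":
    print("Q47 LOCAL_PREF:", scenario_local_pref())
    print("Q50 MED:", scenario_med())
    print("Q54 prepending (before, after):", scenario_prepending())
```

The third scenario is the asymmetric-routing case: before prepending both paths tie and the on-premises router load-shares, after prepending on the VPN session the Interconnect path is the only best path, so return traffic follows the same link the VMs used.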

55
MCQ (medium)

A network engineer is troubleshooting a Cloud VPN tunnel that is not passing traffic. The tunnel status shows as established, and BGP sessions are up. However, traffic from an on-premises subnet (10.0.1.0/24) to a GCP subnet (192.168.1.0/24) is not working. What should the engineer check first?

A. Verify that the on-premises router is advertising the 10.0.1.0/24 prefix via BGP
B. Ensure that the Cloud Router is configured with the correct BGP ASN
C. Check that GCP has a static route for 10.0.1.0/24 pointing to the VPN tunnel
D. Check GCP firewall rules to allow ingress from 10.0.1.0/24
Answer: A

If the prefix is not advertised, GCP will not have a route to reach it.

Why this answer

Option A is correct because even though the VPN tunnel and BGP session are established, traffic may still fail if the on-premises router is not advertising the on-premises subnet (10.0.1.0/24) to GCP via BGP. Without this advertisement, GCP's Cloud Router has no route to reach that subnet, so return traffic from GCP to on-premises is dropped. The first step in troubleshooting is to verify that the on-premises BGP speaker is sending the correct prefix in its UPDATE messages.

Exam trap

Google Cloud often tests the misconception that a 'tunnel established' and 'BGP up' guarantee traffic flow, but the trap here is that route advertisement via BGP is a separate requirement that must be explicitly verified.

How to eliminate wrong answers

Option B is wrong because the BGP ASN on the Cloud Router is already configured correctly if the BGP session is up; an incorrect ASN would prevent the session from establishing. Option C is wrong because GCP does not require a static route for the on-premises subnet when using dynamic routing (BGP); the route is learned automatically via BGP from the on-premises router. Option D is wrong because firewall rules control ingress traffic into GCP, but if GCP has no route back to 10.0.1.0/24, traffic will be dropped before firewall rules are evaluated; the routing issue must be resolved first.

56
MCQ (hard)

A company has a VPC with subnets in us-east1 and europe-west1. They have a Compute Engine instance in us-east1 with an internal IP 10.0.1.2. They need to allow SSH (port 22) from a specific on-premises IP 203.0.113.5 via Cloud VPN. The Cloud VPN tunnel uses a Cloud Router with BGP. The on-premises network advertises the route for 203.0.113.5/32 to the Cloud Router. Which firewall rule must be created?

A. Ingress rule: source 203.0.113.5/32, destination 169.254.0.1/32, tcp:22
B. Ingress rule: source 10.0.1.2/32, destination 203.0.113.5/32, tcp:22
C. Ingress rule: source 0.0.0.0/0, destination 203.0.113.5/32, tcp:22
D. Ingress rule: source 203.0.113.5/32, destination 10.0.1.2/32, tcp:22
Answer: D

Allows SSH from on-premises IP to the instance.

Why this answer

Option D is correct because firewall rules in GCP are stateful and applied at the instance level, not the VPN tunnel. The rule must allow ingress traffic from the on-premises source IP (203.0.113.5/32) to the Compute Engine instance's internal IP (10.0.1.2/32) on TCP port 22. The Cloud VPN and Cloud Router handle routing, but the firewall rule explicitly defines the allowed traffic flow.

Exam trap

The trap here is that candidates often confuse the direction of traffic in firewall rules, mistakenly thinking the on-premises IP should be the destination (as in Option B) or that the VPN tunnel's link-local address is the correct destination (as in Option A), when in fact the rule must match the actual source and destination IPs of the SSH session.

How to eliminate wrong answers

Option A is wrong because the destination 169.254.0.1/32 is a link-local address used for BGP peering between the Cloud Router and the VPN tunnel, not the Compute Engine instance; SSH traffic must reach the instance's internal IP. Option B is wrong because it reverses the source and destination: the on-premises host (203.0.113.5) is the source initiating SSH, not the destination, and the rule would incorrectly allow traffic from the instance to the on-premises host. Option C is wrong because it allows SSH from any source (0.0.0.0/0), which violates the requirement to restrict access to only the specific on-premises IP 203.0.113.5, creating a security risk.
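To make the source/destination reasoning concrete, here is an added Python model of VPC firewall rule evaluation (this example's own simplification, not Google's code) that replays the four candidate rules against the SSH flow from the question. The IPs and port come from the question; the Rule and Flow types, rule names, priority handling (lowest number first, deny before allow at equal priority, implied deny for ingress) and the helper functions are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # 0..65535, lower number evaluated first
    direction: str          # "INGRESS" or "EGRESS"
    action: str             # "allow" or "deny"
    protocol: str           # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()       # () means every port
    src_ranges: tuple = ()  # () means any source
    dst_ranges: tuple = ()  # () means any destination (the VM's own IP for ingress)


@dataclass(frozen=True)
class Flow:
    direction: str
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def _in_ranges(ip, ranges):
    if not ranges:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def _matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("all", flow.protocol)
            and (not rule.ports or flow.dst_port in rule.ports)
            and _in_ranges(flow.src_ip, rule.src_ranges)
            and _in_ranges(flow.dst_ip, rule.dst_ranges))


def evaluate(flow, rules):
    """Return (action, rule name) for the first matching rule.

    Ordering follows VPC firewall semantics: lowest priority number first,
    deny before allow at equal priority, then the implied rules
    (implied deny for ingress, implied allow for egress).
    """
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if _matches(rule, flow):
            return rule.action, rule.name
    if flow.direction == "INGRESS":
        return "deny", "implied-deny-ingress"
    return "allow", "implied-allow-egress"


# Constructed: the SSH session from the question as it arrives at the VM's NIC.
SSH_FROM_ONPREM = Flow("INGRESS", "203.0.113.5", "10.0.1.2", "tcp", 22)

# The four candidate rules from the question, expressed in this model.
OPTION_A = Rule("opt-a", 1000, "INGRESS", "allow", "tcp", (22,), ("203.0.113.5/32",), ("169.254.0.1/32",))
OPTION_B = Rule("opt-b", 1000, "INGRESS", "allow", "tcp", (22,), ("10.0.1.2/32",), ("203.0.113.5/32",))
OPTION_C = Rule("opt-c", 1000, "INGRESS", "allow", "tcp", (22,), ("0.0.0.0/0",), ("203.0.113.5/32",))
OPTION_D = Rule("opt-d", 1000, "INGRESS", "allow", "tcp", (22,), ("203.0.113.5/32",), ("10.0.1.2/32",))


def which_rules_admit_ssh():
    """Names of the candidate rules that actually admit the on-premises SSH flow."""
    return [r.name for r in (OPTION_A, OPTION_B, OPTION_C, OPTION_D)
            if evaluate(SSH_FROM_ONPREM, [r])[0] == "allow"]


if __name__ == "__main__":
    print("rules that admit the flow:", which_rules_admit_ssh())
    print("A+B+C only:", evaluate(SSH_FROM_ONPREM, [OPTION_A, OPTION_B, OPTION_C]))
```

Only opt-d matches: the other three either name the wrong destination (the BGP link-local address or the on-premises host) or the wrong source, so with A, B and C alone the flow falls through to the implied ingress deny.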

57
Multi-Select (hard)

A financial services company is migrating sensitive workloads to Google Cloud. They need to implement a defense-in-depth strategy to protect their VPC networks. Which TWO actions should they take to meet their security requirements? (Choose two.)

Select 2 answers
A. Enable Private Google Access on subnets that host instances without external IP addresses.
B. Configure firewall rules with stateful packet inspection disabled to maximize throughput.
C. Use VPC Service Controls to create a perimeter around the sensitive data stored in Cloud Storage and BigQuery.
D. Use VPC Network Peering to isolate the sensitive workloads from other projects.
E. Create a Cloud NAT gateway to filter inbound traffic from the internet.
Answers: A, C

This allows instances to access Google APIs over the internal network, reducing exposure to the internet.

Why this answer

Option A is correct because Private Google Access allows VM instances that have only internal IP addresses (no external IPs) to reach Google APIs and services (e.g., Cloud Storage, BigQuery) through the Google Cloud network. This eliminates the need for an external IP address, reducing the attack surface and supporting a defense-in-depth strategy by keeping traffic within Google's internal infrastructure.

Exam trap

Google Cloud often tests the misconception that Cloud NAT can filter inbound traffic, but Cloud NAT is strictly an outbound proxy that does not inspect or filter inbound connections; inbound traffic must be controlled by firewall rules or Cloud Armor.

58
MCQ (hard)

A global application uses a global external HTTPS load balancer with backend NEGs in multiple regions. The content is static and must be cached at edge locations to reduce latency. Which GCP service should be enabled?

A. Cloud CDN
B. Cloud Storage
C. Cloud NAT
D. Cloud Memorystore
Answer: A

Provides edge caching for content.

Why this answer

Cloud CDN is the correct service because it leverages Google's global edge cache network to cache static content from an external HTTPS load balancer with backend NEGs. When enabled, Cloud CDN intercepts requests at edge locations and serves cached responses, reducing latency and offloading origin servers. This directly addresses the requirement to cache static content at edge locations for a global application.

Exam trap

The trap here is confusing Cloud CDN (edge caching) with Cloud Memorystore (backend caching) or Cloud Storage (origin storage), as candidates may think any caching service works at the edge, but only Cloud CDN integrates with the external HTTPS load balancer and Google's edge PoPs.

How to eliminate wrong answers

Option B (Cloud Storage) is wrong because Cloud Storage is a scalable object storage service, not a content delivery network; it can serve static content but does not provide edge caching without Cloud CDN enabled on the bucket. Option C (Cloud NAT) is wrong because Cloud NAT provides outbound internet connectivity for private instances, not inbound caching or content delivery. Option D (Cloud Memorystore) is wrong because Cloud Memorystore is a managed in-memory cache (Redis/Memcached) for backend caching, not an edge caching service; it operates within a VPC, not at Google's edge locations.

59
MCQmedium

Refer to the exhibit. A VM in my-subnet without an external IP address cannot access Google APIs. What is the likely missing configuration?

A.Create a Cloud NAT.
B.Add a firewall rule to allow egress to 0.0.0.0/0.
C.Enable Private Google Access on the subnet.
D.Add a default route to the internet gateway.
AnswerC

The setting privateIpGoogleAccess is currently false; enabling it allows access to Google APIs.

Why this answer

The subnet has privateIpGoogleAccess set to false. For a VM without an external IP to reach Google APIs and services, Private Google Access must be enabled on its subnet, so Option C is the missing configuration. Option B is not needed because the implied firewall rule already allows all egress.

Option A is not required: Cloud NAT provides outbound access to non-Google internet destinations, and Private Google Access works without it. Option D is not missing: Private Google Access relies on the VPC's default route to the default internet gateway, which the exhibit shows is still present, and there is no separate internet gateway to attach in Google Cloud.

60
MCQmedium

A company wants to securely connect an on-premises data center to a VPC in us-central1. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) that overlap with the VPC subnet (10.0.1.0/24). They need connectivity to specific workloads in the VPC without changing IP addresses on premises. What should they do?

A.Use VPC Network Peering with a custom route exchange to filter the overlapping range.
B.Set up Dedicated Interconnect and configure BGP with the on-premises router, advertising a more specific prefix.
C.Use Cloud NAT and configure a firewall rule to allow traffic from the on-premises network.
D.Deploy Private Service Connect to expose the VPC workloads as endpoints accessible from on-premises.
AnswerD

Private Service Connect allows private connectivity without route overlap by using service attachments and endpoints.

Why this answer

Private Service Connect (PSC) lets a producer publish a service (an internal load balancer in front of the workloads) through a service attachment, and lets a consumer reach it through a PSC endpoint whose IP address comes from the consumer's own range. Because the connection is translated at the endpoint, the producer subnet (10.0.1.0/24) never has to be routed to the consumer, so the on-premises 10.0.0.0/8 can stay exactly as it is. On-premises clients reach the endpoint over Cloud VPN or Interconnect into the consumer VPC, whose endpoint range is chosen not to overlap with 10.0.0.0/8. This gives targeted access to specific workloads without renumbering anything on premises.

Exam trap

The trap here is that candidates assume BGP or more specific prefixes can overcome IP overlap, but without NAT or a proxy mechanism, overlapping routes cause routing conflicts that break connectivity.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering requires non-overlapping IP ranges between the two networks; overlapping RFC 1918 addresses (10.0.0.0/8 vs 10.0.1.0/24) cannot be resolved by custom route exchange, as peering does not support NAT or address translation. Option B is wrong because Dedicated Interconnect with BGP does not solve IP overlap; even with a more specific prefix, the on-premises router would still have a conflicting route for 10.0.0.0/8, causing asymmetric routing or unreachability. Option C is wrong because Cloud NAT is designed for outbound internet traffic from VMs, not for inbound connectivity from on-premises networks; firewall rules cannot translate overlapping IPs or provide direct access to VPC workloads.

61
MCQeasy

An organization has two Cloud VPN tunnels from the same on-premises router to a Cloud Router in Google Cloud. Both tunnels are using BGP, and the on-premises router is sending the same routes over both tunnels. The Cloud Router is configured to use 'route propagation' from a VPC network. Which of the following is true regarding route priority?

A.Cloud Router will use both tunnels for load balancing (ECMP) if the routes are identical
B.The tunnel with the lower local preference value will be used
C.The tunnel with the higher BGP MED value will be preferred
D.Only the tunnel with the lowest IP address will be used
AnswerA

When both tunnels carry identical BGP routes (same prefix and priority, differing only in next hop), Cloud Router installs both and traffic is spread across them (ECMP).

Why this answer

When both sessions advertise the same prefix with the same AS path length and the same MED (Cloud Router turns the MED into the learned route's priority), Cloud Router installs both paths and Google Cloud spreads traffic across the two Cloud VPN tunnels (ECMP). Route propagation into the VPC does not alter this: it simply injects the learned routes into the VPC routing table with that priority. Since the on-premises router advertises the same routes over both tunnels, Cloud Router treats them as equal-cost paths and uses both.

Exam trap

The trap here is that candidates often assume BGP always selects a single best path and ignore that ECMP is enabled when routes are identical, leading them to incorrectly choose options that involve attribute-based tiebreakers like local preference or MED.

How to eliminate wrong answers

Option B is wrong because local preference is never carried over eBGP: values set on the on-premises router never reach Cloud Router, and Cloud Router has no local preference setting; it compares learned routes by priority (the advertised MED, or a custom learned route priority on the peer). Option C is wrong because a higher MED makes a route less preferred, not more; a lower MED from on premises becomes a lower (better) route priority in Google Cloud. Option D is wrong because Cloud Router does not use the tunnel or peer IP address as a tiebreaker; routes with equal priority are all installed and used with ECMP.

62
MCQmedium

Refer to the exhibit. The Cloud Router is connected to two on-premises routers via dedicated interconnect. The on-premises routers advertise the same prefix 10.1.0.0/16. Which on-premises router's route will be preferred by Google Cloud for traffic destined to 10.1.0.0/24? (Assume equal AS path length and MED from on-premises.)

A.The route with lower peer IP address
B.Both routes will be used equally (ECMP)
C.The route from peer with IP 169.254.0.1
D.The route from peer with IP 169.254.1.1
AnswerD

This peer has customLearnedRoutePriority 100, which is lower (more preferred).

Why this answer

In Google Cloud, a learned route's priority is the MED advertised by the peer unless the BGP peer has customLearnedRoutePriority set, which replaces the MED for every route learned on that session. Lower priority values are preferred. The exhibit gives the peer at 169.254.1.1 a customLearnedRoutePriority of 100, lower than the priority of the same prefix learned from 169.254.0.1, so that route wins for every destination inside 10.1.0.0/16, including 10.1.0.0/24. The peer IP address plays no part in the decision.

Exam trap

Google Cloud often tests the misconception that router-style BGP tiebreakers such as the neighbor IP address decide; Cloud Router's choice between learned routes comes down to route priority (MED or customLearnedRoutePriority), and equal priorities lead to ECMP rather than a tiebreak.

How to eliminate wrong answers

Option A is wrong because Cloud Router does not use the peer IP address, lower or higher, to break ties. Option B is wrong because ECMP applies only when both learned routes have the same priority, and the custom learned route priority on one peer makes them differ. Option C is wrong because the route from 169.254.0.1 carries the higher priority value and is therefore less preferred; it is used only if the preferred route is withdrawn.

63
MCQmedium

A company is deploying a multi-tier web application on Google Cloud. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier must not have any public IP addresses. Which VPC design should be used?

A.Use a Shared VPC with separate subnets in different projects for each tier.
B.Use three separate VPCs for each tier and connect them using VPC peering.
C.Use a single VPC and connect the database tier via Cloud VPN to on-premises.
D.Use a single VPC with separate subnets for each tier and configure firewall rules to restrict traffic.
AnswerB

Separate VPCs provide full isolation; peering allows controlled communication.

Why this answer

Option B is correct because three VPCs connected by peering give each tier its own network boundary: the web tier VPC keeps its default route to the default internet gateway and its instances carry external IPs; the application tier VPC is peered only with the web tier VPC; the database tier VPC is peered only with the application tier VPC, has its default route to the default internet gateway removed, and its instances are created with internal IPs only. Peering is not transitive, so the web tier cannot reach the database tier directly. Note that Google Cloud has no public or private subnets and no attachable internet gateway: whether an instance is reachable from the internet depends on whether it has an external IP and a route to the default internet gateway, and the organization policy constraint constraints/compute.vmExternalIpAccess is the control that prevents external IPs from being assigned at all.

Exam trap

Google Cloud often tests the misconception that firewall rules alone can prevent public IP assignment; firewall rules filter traffic but do not stop an external IP from being attached to an instance. The 'no public IP' requirement is met by creating the database instances without external IPs and enforcing that with the compute.vmExternalIpAccess constraint, and the intended design additionally keeps the database tier in a network with no route to the internet.

How to eliminate wrong answers

Option A is wrong because Shared VPC with subnets in different service projects still places every tier in one VPC network: the tiers are separated only by firewall rules, and nothing in the design itself keeps the database tier off the internet. Option C is wrong because Cloud VPN to on premises is a hybrid connectivity tool and does nothing to isolate the database tier from the web tier in the same VPC. Option D is wrong, in the terms of this question, because subnets and firewall rules control which traffic flows, not whether an instance can be given an external IP; the database instances could still be created with external IPs, which violates the explicit requirement (in practice the compute.vmExternalIpAccess constraint is the control for that, whichever design is chosen).

64
MCQhard

A company deploys a web application on Google Kubernetes Engine (GKE) with an Ingress resource handled by an external HTTPS load balancer. They want to enforce mutual TLS (mTLS) authentication where the load balancer verifies the client certificate and then passes the client's identity to the backend using a header. Which configuration should be used?

A.Enable Client Certificate Validation on the HTTPS backend service and configure the backend to read the X-Forwarded-Client-Cert header.
B.Use an SSL policy with mTLS and set the backend service to require client certificates.
C.Use Cloud Armor with mTLS and configure a custom request header to include the client certificate.
D.Configure the GKE Ingress to use an SSL certificate and set the annotation for client certificate validation.
AnswerA

This is the correct method for mTLS with the HTTPS load balancer.

Why this answer

Option A is correct because the external Application Load Balancer can validate client certificates at its TLS frontend and pass the result to the backend in request headers, so the backend never performs the mTLS handshake itself. In the product as shipped, client certificate validation is configured in a ServerTlsPolicy (with a TrustConfig holding the trusted CA) attached to the target HTTPS proxy, and the backend service is given custom request headers populated from the load balancer's mTLS variables (client certificate presence, chain verification result, subject, fingerprint and so on); the exam option abstracts this as 'Client Certificate Validation' with an X-Forwarded-Client-Cert style header. Either way the load balancer terminates TLS, verifies the client certificate, and the backend reads the identity from a header, with no change to the GKE Ingress. The backend must only trust that header on requests that actually came through the load balancer.

Exam trap

Google Cloud often tests the misconception that mTLS can be configured directly on the Ingress resource or via SSL policies, when in fact it is configured on the load balancer's TLS frontend (a ServerTlsPolicy on the target HTTPS proxy) and the client identity reaches the backend through request headers populated by the load balancer.

How to eliminate wrong answers

Option B is wrong because SSL policies on Google Cloud HTTPS load balancers do not support mTLS; they only set the minimum TLS version and cipher suites, not client certificate validation. Option C is wrong because Cloud Armor does not handle mTLS or client certificate validation; it provides WAF and DDoS protection and cannot inject client certificate details into headers. Option D is wrong because GKE Ingress annotations do not expose client certificate validation; the Ingress resource delegates to the load balancer, and client certificate validation has to be configured on the load balancer side, not via Ingress annotations.
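The backend-side check that goes with this answer, as an added example (not code from the page or from Google): an identity header is only as trustworthy as the path it arrived over. The header names and the "true"/"false" value of the verification header are assumptions about how the backend service's custom request headers were named; the proxy source ranges 130.211.0.0/22 and 35.191.0.0/16 are the ranges Google's external Application Load Balancer proxies connect from.

```python
"""Trust a load-balancer-supplied client identity only when the request came through
the load balancer. Added example; header names and value formats are assumptions."""
import ipaddress
from typing import Mapping, Optional

# Source ranges of Google's external Application Load Balancer proxies.
LB_PROXY_RANGES = (
    ipaddress.ip_network("130.211.0.0/22"),
    ipaddress.ip_network("35.191.0.0/16"),
)

# Assumed names of the custom request headers configured on the backend service.
IDENTITY_HEADER = "x-forwarded-client-cert-subject"   # assumed: subject DN of the client cert
VERIFIED_HEADER = "x-client-cert-chain-verified"      # assumed: "true" only if the chain validated


def from_load_balancer(remote_ip: str) -> bool:
    """True if the TCP peer is one of the load balancer's proxies."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in LB_PROXY_RANGES)


def client_identity(remote_ip: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return the verified client subject, or None if the request cannot be trusted.

    A request that reached the backend without passing through the load balancer can
    carry any header an attacker likes, so the source check comes first. The
    verification header guards against a policy that lets unverified certificates
    through, in which case the subject header is present but meaningless.
    """
    if not from_load_balancer(remote_ip):
        return None
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    if lowered.get(VERIFIED_HEADER, "").lower() != "true":
        return None
    return lowered.get(IDENTITY_HEADER) or None


if __name__ == "__main__":
    # Constructed request: arrived from a proxy address with a verified certificate.
    print(client_identity("35.191.4.10", {
        "X-Forwarded-Client-Cert-Subject": "CN=partner-a,O=Example",
        "X-Client-Cert-Chain-Verified": "true",
    }))
```

The source-address check is a backstop, not the primary control: the ingress firewall rules (or, with container-native load balancing, the GKE network policy) should already restrict the backend to those proxy ranges, so that the only way to reach it is through the load balancer that strips and rewrites the identity headers.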

65
MCQmedium

A company uses Shared VPC with multiple service projects. The security team wants to ensure that only specific service projects can create firewall rules that allow ingress traffic to the Shared VPC network. What is the best practice?

A.Grant the compute.securityAdmin role to a group with a condition that limits access to only the service projects that need it, using the resource.name condition.
B.Disable firewall rule creation by setting an organization policy constraint.
C.Grant the compute.securityAdmin role to a group at the organization level.
D.Grant the compute.securityAdmin role to the service project owners at the host project level.
AnswerA

IAM conditions allow fine-grained access control.

Why this answer

Option A is correct because compute.securityAdmin carries the permissions to create and modify firewall rules, and firewall rules for a Shared VPC network are resources of the host project, so the grant is made there. Attaching an IAM condition (the option uses resource.name) restricts the grant to the named resources instead of the whole host project, so only the groups tied to the approved service projects can add ingress rules to the shared network, which is what the security team asked for.

Exam trap

Google Cloud often tests the misconception that granting roles at the organization level or to project owners is sufficient for granular control, but the trap here is that without IAM conditions, these broad grants allow all service projects to create firewall rules, failing the requirement for selective access.

How to eliminate wrong answers

Option B is wrong because disabling firewall rule creation with an organization policy constraint would block all firewall rule creation across the entire organization, which is too restrictive and not aligned with the requirement to allow specific service projects to create rules. Option C is wrong because granting the compute.securityAdmin role at the organization level would give all service projects the ability to create firewall rules, violating the security team's need to limit this capability to only specific projects. Option D is wrong because granting the compute.securityAdmin role to service project owners at the host project level would allow those owners to create firewall rules for the Shared VPC network, but it does not provide the granularity to restrict which service projects can do so, as it applies to all service projects owned by those users.

66
MCQhard

An organization is using Shared VPC with 100 service projects. They want to allow each service project to manage its own Cloud NAT, but the network administration team wants to control the outbound IP addresses used. What is the best design?

A.Create a single Cloud NAT in the host project and share it
B.Use a NAT instance with an external IP in the host project and route traffic from service projects
C.Create Cloud NAT in each service project with the same external IPs
D.Use Private Google Access with Cloud NAT in the host project
AnswerB

Network team controls the IP, service projects can manage routes to use it.

Why this answer

Option B is correct because Cloud NAT gateways are attached to Cloud Routers in the host project's VPC network, so a service project cannot own a Cloud NAT gateway for a Shared VPC subnet. A NAT instance in the host project with a reserved static external IP gives the network team control of the egress address; the team creates a custom route with a network tag whose next hop is the instance, and each service project opts its own instances in by applying that tag. The instance needs IP forwarding enabled and a firewall rule allowing traffic from the service project subnets; for availability, run the NAT instances in a managed instance group behind an internal passthrough Network Load Balancer and use the load balancer as the route's next hop.

Exam trap

Google Cloud often tests the misconception that service projects can create their own Cloud NAT for a Shared VPC network, or that several NAT gateways can reuse the same external IP, leading candidates to pick Option A or C without realizing that Cloud NAT belongs to the host project's Cloud Router, is scoped to one region, and that a static external IP can be attached to only one NAT gateway.

How to eliminate wrong answers

Option A is wrong only because it fails the stated requirement: a Cloud NAT gateway in the host project does serve instances from every service project that uses subnets in its region, but it is managed entirely by the host project, so service projects get no say in their NAT configuration. Option C is wrong because a service project cannot create Cloud NAT for a Shared VPC network (the Cloud Router lives in the host project), and a static external IP can be attached to only one NAT gateway, so the same addresses cannot be reused. Option D is wrong because Private Google Access only covers connections to Google APIs and services, not general internet egress, and still leaves NAT in the hands of the host project.

67
MCQhard

A multinational company is migrating workloads to Google Cloud and requires a hybrid connectivity solution between their on-premises data centers in New York and London and Google Cloud regions us-central1 and europe-west1. Each data center has a pair of redundant border routers. The network team has set up a Dedicated Interconnect connection in each Google Cloud region, with two VLAN attachments per region (total 4 attachments). Each VLAN attachment is associated with a separate Cloud Router. The Cloud Routers in us-central1 are configured with BGP sessions to the on-premises routers in New York, and the Cloud Routers in europe-west1 peer with the London routers. The VPC is in 'global' dynamic routing mode. After deployment, traffic from on-premises London to Google Cloud in us-central1 takes a suboptimal path: it goes from London to us-central1 via the internet instead of using the Dedicated Interconnect in europe-west1 and then internal Google Cloud backbone. All BGP sessions are up, and routes are being exchanged. The on-premises routers are advertising all their subnets. The Cloud Routers are learning the on-premises prefixes. What is the most likely cause of this suboptimal routing?

A.The VPC subnets in us-central1 are using smaller prefixes that are not being summarized by the Cloud Router.
B.The on-premises London routers are not receiving routes for the VPC subnets in us-central1, so they send traffic via the internet.
C.The Cloud Router in europe-west1 is prepending AS path for routes coming from us-central1, making them less preferred.
D.The on-premises New York routers are setting a lower MED for routes to us-central1, causing London to deprefer them.
AnswerB

With global dynamic routing and default advertisement, the europe-west1 Cloud Routers should advertise the us-central1 subnets to London; if London has no route for them, the advertisement is missing and London falls back to the internet.

Why this answer

Option B is correct because the path London takes depends on the routes its border routers hold. London's only BGP sessions are with the europe-west1 Cloud Routers, so those Cloud Routers must advertise the us-central1 subnet ranges to London; if those prefixes are absent from London's routing table, the traffic follows the default route to the internet instead of the Interconnect.

Because the VPC is in global dynamic routing mode, a Cloud Router in default advertisement mode advertises the subnets of every region, adding a region-to-region cost to the MED of subnets outside its own region. So the prefixes should be there; their absence points at the europe-west1 Cloud Routers (or the BGP sessions on them) being in custom advertisement mode with a prefix list that leaves out the us-central1 ranges, or at an on-premises import filter dropping them. Check what the Cloud Router is actually advertising (gcloud compute routers get-status) before touching the on-premises side.

Exam trap

The trap is assuming global dynamic routing only affects what Cloud Routers learn; it also changes what they advertise. In regional mode a Cloud Router advertises only its own region's subnets; in global mode it advertises all subnets, with a region-to-region cost added to the MED of subnets in other regions. Switching the mode does not help if the Cloud Router is in custom advertisement mode with an explicit prefix list that omits the us-central1 ranges.

How to eliminate wrong answers

Option A is wrong because Cloud Router advertises subnet ranges exactly as configured; it does not summarize, and no summarization is needed for the routes to be usable. Option C is wrong because AS path prepending would make the routes less preferred, not absent; the question says routes are being exchanged, and prepending changes preference rather than causing traffic to fall back to the internet. Option D is wrong because MED only compares routes received from the same neighboring AS and is not passed on; MED values set by the New York routers never reach London's routers.

68
MCQhard

Refer to the exhibit. A VM in the my-vpc network is unable to reach an external HTTPS server. What is the most likely cause?

A.The deny-all-egress firewall rule blocks all outbound traffic.
B.The allow-custom-internal rule only allows inbound traffic.
C.No rule allows outbound traffic to port 443.
D.The default-allow-ssh rule has a low priority.
AnswerA

This egress deny rule with priority 1000 blocks all outbound traffic, including HTTPS.

Why this answer

The exhibit contains an explicit egress rule, deny-all-egress, with priority 1000 that denies all destinations. Every VPC network also has an implied allow-all-egress rule at priority 65535, but 1000 is evaluated first, so unless an egress allow rule with a priority number lower than 1000 matches TCP port 443 to the server, the VM's HTTPS connection is dropped.

Exam trap

Google Cloud often tests the implied rules: egress is allowed by default (implied allow at priority 65535), so an outbound connection only fails when an explicit deny rule with a better priority exists, as it does here, not merely because no allow rule was written.

How to eliminate wrong answers

Option B is wrong because the allow-custom-internal rule (priority 1000) is an ingress rule for instances tagged 'custom' and internal source ranges; it has no effect on egress to an external host. Option C is wrong because a missing allow rule on its own would not block egress, since the implied rule allows it; the explicit deny-all-egress rule is what blocks the traffic (adding an egress allow rule for TCP 443 with a priority number below 1000 is the fix). Option D is wrong because the default-allow-ssh rule (priority 65534) allows inbound SSH on port 22 and is irrelevant to outbound HTTPS; priority only matters between rules that match the same traffic, and this rule matches neither the egress direction nor port 443.
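A model of VPC firewall evaluation for this scenario, as an added example (not code from the page): rules are checked from the lowest priority number upward, the first match decides, a deny beats an allow at the same priority, and the implied rules (allow all egress, deny all ingress, both at 65535) apply when nothing else matches. The three named rules are constructed to approximate the exhibit.

```python
"""Evaluate a packet against VPC firewall rules the way Google Cloud orders them.
Added example; the EXHIBIT_RULES are constructed from the question's description."""
from dataclasses import dataclass
import ipaddress
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "allow" or "deny"
    priority: int             # 0-65535; lower number is evaluated first
    protocol: str             # "tcp", "udp", "icmp" or "all"
    ports: FrozenSet[int]     # empty = all ports of the protocol
    remote_cidr: str          # source range (ingress) or destination range (egress)
    target_tags: FrozenSet[str] = frozenset()   # empty = applies to every instance


ALL = frozenset()

# Implied rules present in every VPC network; they cannot be deleted.
IMPLIED_RULES = (
    FirewallRule("implied-allow-egress", "EGRESS", "allow", 65535, "all", ALL, "0.0.0.0/0"),
    FirewallRule("implied-deny-ingress", "INGRESS", "deny", 65535, "all", ALL, "0.0.0.0/0"),
)

# Constructed approximation of the exhibit in question 68.
EXHIBIT_RULES = (
    FirewallRule("deny-all-egress", "EGRESS", "deny", 1000, "all", ALL, "0.0.0.0/0"),
    FirewallRule("allow-custom-internal", "INGRESS", "allow", 1000, "all", ALL,
                 "10.0.0.0/8", frozenset({"custom"})),
    FirewallRule("default-allow-ssh", "INGRESS", "allow", 65534, "tcp", frozenset({22}), "0.0.0.0/0"),
)


def _matches(rule, direction, protocol, port, remote_ip, instance_tags) -> bool:
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & instance_tags):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.ports and port not in rule.ports:
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.remote_cidr)


def evaluate(rules: Tuple[FirewallRule, ...], direction: str, protocol: str, port: int,
             remote_ip: str, instance_tags: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Return (action, rule_name) for one packet. Ties on priority go to the deny rule."""
    ordered = sorted(rules + IMPLIED_RULES,
                     key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if _matches(rule, direction, protocol, port, remote_ip, instance_tags):
            return rule.action, rule.name
    raise AssertionError("an implied rule always matches")


def with_https_egress_allowed(rules: Tuple[FirewallRule, ...], priority: int = 900):
    """The fix: a narrow egress allow whose priority number is below deny-all-egress."""
    return rules + (FirewallRule("allow-egress-https", "EGRESS", "allow", priority, "tcp",
                                 frozenset({443}), "0.0.0.0/0"),)


if __name__ == "__main__":
    print(evaluate(EXHIBIT_RULES, "EGRESS", "tcp", 443, "203.0.113.10"))
    print(evaluate(with_https_egress_allowed(EXHIBIT_RULES), "EGRESS", "tcp", 443, "203.0.113.10"))
```

Removing deny-all-egress from the tuple shows the implied allow taking over, and adding an allow rule at exactly priority 1000 shows why "same priority" does not rescue the connection: the deny still wins the tie.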

69
MCQhard

An organization is connecting their on-premises data center to GCP using Dedicated Interconnect with multiple VLAN attachments. They have configured Cloud Router with BGP sessions for each VLAN attachment. They notice that traffic from GCP to on-premises is not load-balanced across the attachments; instead, all traffic uses a single link. What is the most likely cause?

A.Cloud Router's BGP is not configured for multipath; it selects only one best path per prefix.
B.The on-premises router is not advertising the same routes over all BGP sessions.
C.The VLAN attachments have different bandwidths, causing BGP to prefer the higher bandwidth link.
D.The BGP keepalive timers are misconfigured, causing session flapping.
AnswerB

Cloud Router installs every learned path that has the same priority and Google Cloud spreads traffic across them automatically; one link carrying all traffic means the prefixes are not being presented equally over both sessions.

Why this answer

Cloud Router has no multipath setting to turn on. When the same prefix is learned over several BGP sessions with the same priority (the advertised MED, or the peer's custom learned route priority) and the same AS path length, all of those routes are installed and egress traffic is spread across the VLAN attachments by ECMP. Traffic pinned to one attachment therefore means the on-premises routers are not presenting the prefix equally on both sessions: it is advertised over only one of them, or advertised with a lower MED or a shorter AS path on one, so only that path is installed.

Compare the learned routes per peer with gcloud compute routers get-status; the prefix should appear from both peers with the same priority.

Exam trap

The trap is importing router-vendor BGP behaviour: on most routers ECMP has to be enabled with a maximum-paths style setting, but Cloud Router has no such knob and load-balances equal-priority routes automatically, so the fault lies in what is advertised, not in a missing multipath setting.

How to eliminate wrong answers

Option A is wrong because Cloud Router has no multipath configuration; ECMP across learned routes of equal priority is automatic, so a missing setting cannot be the cause. Option C is wrong because BGP does not consider link bandwidth in path selection; bandwidth is not a BGP attribute and Cloud Router does not use it to prefer an attachment. Option D is wrong because misconfigured keepalive timers would cause session flapping and intermittent connectivity, not a consistent preference for one stable link.

70
MCQhard

A network engineer is troubleshooting an HA VPN setup between Google Cloud and an on-premises data center. The two tunnels are established, and BGP sessions are up on both tunnels. However, traffic from Google Cloud to the on-premises network is only using one tunnel, even though both BGP sessions are advertising the same routes. What is the most likely cause?

A.The on-premises router is sending different BGP metrics (MED) for the same route on the two BGP sessions.
B.The Cloud Router is not configured for dynamic routing.
C.One of the IPsec tunnels is in a dead state.
D.The on-premises router is setting a higher local preference on one route.
AnswerA

If MED differs, Cloud Router will prefer lower MED, leading to single-path use.

Why this answer

When both BGP sessions are up and advertising the same routes but traffic only uses one tunnel, the most likely cause is that the on-premises router is sending different Multi-Exit Discriminator (MED) values for the same route on the two sessions. MED is the attribute an AS uses to tell its neighbor which entry point it prefers for inbound traffic; Cloud Router uses the MED as the learned route's priority, and the lower value wins. If one tunnel's update carries a lower MED, Cloud Router installs only that path and all Google Cloud to on-premises traffic uses that tunnel, even though both tunnels are healthy.

Exam trap

Google Cloud often tests the distinction between BGP attributes that influence inbound vs. outbound traffic; the trap here is that candidates may confuse MED (inbound metric) with local preference (outbound metric) and incorrectly select Option D, not realizing that local preference set by the on-premises router is not sent to Google Cloud's eBGP peer.

How to eliminate wrong answers

Option B is wrong because Cloud Router is explicitly configured for dynamic routing in an HA VPN setup (BGP sessions are up), so the issue is not a lack of dynamic routing configuration. Option C is wrong because the question states both tunnels are established and BGP sessions are up, so neither IPsec tunnel is in a dead state. Option D is wrong because local preference is used to influence outbound traffic from an AS, not inbound traffic to the on-premises network; Google Cloud's Cloud Router would not consider local preference set by the on-premises router, as local preference is typically only propagated within an AS and not sent to eBGP peers.
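One model that covers questions 61, 62, 67, 69 and 70, as an added example (not code from the page): how Cloud Router turns BGP advertisements into route priorities, when it installs more than one path, how the VPC's dynamic routing mode changes both what is learned and what is advertised, and why the peer IP never enters the decision. Peers, prefixes and the region-to-region cost table are constructed; the real costs are Google-internal values in the 201-9999 range.

```python
"""Cloud Router learned-route priority, ECMP and subnet advertisement.

Added example. Rules encoded:
- A learned route's priority is the MED the peer advertised, unless the BGP peer has a
  custom learned route priority (customLearnedRoutePriority), which replaces the MED.
- In global dynamic routing mode the route is usable in every region, with a
  region-to-region cost added outside the Cloud Router's own region; in regional mode
  it is usable only in that region.
- The lowest priority value wins; every route that ties is installed and traffic is
  spread across them (ECMP). There is no multipath switch and no peer-IP tiebreak.
- In default advertisement mode a Cloud Router advertises all subnets (global mode) or
  only its own region's subnets (regional mode), adding the same cost to the MED.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Peer:
    name: str
    ip: str                                        # link-local BGP address, display only
    region: str                                    # region of the Cloud Router holding the session
    custom_learned_priority: Optional[int] = None  # customLearnedRoutePriority on the peer


@dataclass(frozen=True)
class Advertisement:
    prefix: str
    peer: Peer
    med: int = 100                                 # MED sent by the on-premises router


# Constructed region-to-region costs; unknown pairs fall back to a constructed default.
REGION_COST = {("us-central1", "europe-west1"): 500, ("europe-west1", "us-central1"): 500}

# Constructed VPC subnets for the advertisement example: prefix -> region.
SUBNETS = {"10.10.0.0/24": "us-central1", "10.20.0.0/24": "europe-west1"}


def region_cost(src: str, dst: str) -> int:
    return 0 if src == dst else REGION_COST.get((src, dst), 1000)


def learned_priority(adv: Advertisement, vm_region: str, routing_mode: str) -> Optional[int]:
    """Priority of one learned route as seen from vm_region; None if unusable there."""
    base = adv.peer.custom_learned_priority
    if base is None:
        base = adv.med
    if routing_mode == "regional":
        return base if adv.peer.region == vm_region else None
    return base + region_cost(adv.peer.region, vm_region)


def select_next_hops(advs: List[Advertisement], prefix: str, vm_region: str,
                     routing_mode: str = "global") -> List[Tuple[str, int]]:
    """Next hops a VM in vm_region uses for prefix, as (peer name, priority).
    More than one entry means ECMP. Peer IP addresses are deliberately never compared."""
    cands = []
    for adv in advs:
        if adv.prefix != prefix:
            continue
        p = learned_priority(adv, vm_region, routing_mode)
        if p is not None:
            cands.append((adv.peer.name, p))
    if not cands:
        return []
    best = min(p for _, p in cands)
    return sorted(c for c in cands if c[1] == best)


def advertised_subnets(subnets: Dict[str, str], router_region: str,
                       routing_mode: str = "global", base_med: int = 100) -> Dict[str, int]:
    """Prefix -> MED a Cloud Router sends to its peers in default advertisement mode."""
    out = {}
    for prefix, region in subnets.items():
        if routing_mode == "regional" and region != router_region:
            continue
        out[prefix] = base_med + region_cost(region, router_region)
    return out


if __name__ == "__main__":
    a = Peer("peer-a", "169.254.0.1", "us-central1")
    b = Peer("peer-b", "169.254.1.1", "us-central1", custom_learned_priority=100)
    advs = [Advertisement("10.1.0.0/16", a, 300), Advertisement("10.1.0.0/16", b, 300)]
    print(select_next_hops(advs, "10.1.0.0/16", "us-central1"))   # custom priority wins
    print(advertised_subnets(SUBNETS, "europe-west1", "regional"))  # own region only
```

Run the same advertisements through select_next_hops with routing_mode="regional" and a VM in europe-west1 to see the question 67 failure from the learning side: nothing is installed, because the peers sit in us-central1.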

71
MCQeasy

An organization wants to connect their on-premises network to Google Cloud using Partner Interconnect. Which of the following is a requirement that must be met before the partner can provision the connection?

A.The organization must purchase a cross-connect at a colocation facility.
B.The organization must have a Dedicated Interconnect connection already set up.
C.The organization must have a VLAN attachment created and share the pairing key.
D.The organization must have a Cloud Router configured with BGP sessions.
AnswerC

The VLAN attachment and pairing key are required for the partner to provision.

Why this answer

Partner Interconnect requires the customer to create a VLAN attachment in their Google Cloud project and share the generated pairing key with the service provider. The partner uses this key to provision the connection on their side, ensuring the correct mapping to the customer's VPC. Without the VLAN attachment and pairing key, the partner cannot establish the Layer 2 circuit.

Exam trap

Google Cloud often tests the distinction between the prerequisites for Partner Interconnect versus Dedicated Interconnect, trapping candidates who confuse the cross-connect requirement (Dedicated) with the VLAN attachment and pairing key requirement (Partner).

How to eliminate wrong answers

Option A is wrong because purchasing a cross-connect at a colocation facility is a requirement for Dedicated Interconnect, not Partner Interconnect, where the partner owns the physical connection to Google. Option B is wrong because Dedicated Interconnect is a separate product and not a prerequisite for Partner Interconnect; they are independent connectivity options. Option D is wrong because, although a Cloud Router must already exist to create the VLAN attachment, the BGP session on it is configured after the partner has provisioned the connection and the attachment has been activated, so it is not a prerequisite for provisioning.

72
MCQhard

A company is migrating on-premises DNS to Google Cloud. They have a hybrid network using Cloud VPN and want to resolve on-premises hostnames from Compute Engine instances without custom scripts. Which service should they use?

A.Use Cloud DNS inbound server policy to forward queries to on-premises DNS.
B.Create a forwarding zone in Cloud DNS and associate it with the VPC.
C.Enable Private Google Access on the VPC subnet.
D.Configure Cloud NAT to forward DNS queries to on-premises DNS servers.
AnswerB

A Cloud DNS forwarding zone sends queries for the on-premises domain from the VPC to the on-premises name servers over Cloud VPN or Interconnect.

Why this answer

A Cloud DNS private forwarding zone for the on-premises domain, attached to the VPC, makes the VPC's metadata resolver (169.254.169.254) forward queries for that domain to the on-premises DNS servers across Cloud VPN, with replies returning over the same path; every Compute Engine instance using the default resolver gets hybrid name resolution with no agent or script. An outbound server policy is the alternative when every query, not just one domain, should go on premises. In both cases the on-premises firewall must accept queries from 35.199.192.0/19, the source range Cloud DNS uses for forwarded queries, and the on-premises network must have a route back to it over the VPN.

Exam trap

Google Cloud often tests the direction of DNS forwarding: forwarding zones and outbound server policies send queries from the VPC to on premises, while an inbound server policy does the opposite, exposing Cloud DNS to on-premises resolvers. Candidates who pick the inbound policy for Compute Engine resolving on-premises names have the direction backwards.

How to eliminate wrong answers

Option A is wrong because an inbound server policy creates inbound forwarder addresses in the VPC so that on-premises resolvers can query Cloud DNS for Google Cloud names; it does not forward anything from Compute Engine to on premises. Option C is wrong because Private Google Access lets instances without external IPs reach Google APIs and services and has nothing to do with resolving on-premises hostnames. Option D is wrong because Cloud NAT provides outbound internet connectivity for private instances, not DNS forwarding; it does not resolve on-premises hostnames.

73
Multi-Selectmedium

A company is planning to connect their on-premises data center to Google Cloud. They require high bandwidth (10 Gbps) and low latency for real-time data replication. They also want a cost-effective solution that supports burstable traffic. Which TWO connectivity options should they consider? (Choose TWO.)

Select 2 answers
A.Classic VPN (route-based VPN)
B.Cloud VPN (IPsec VPN)
C.Partner Interconnect
D.Dedicated Interconnect
E.Direct Peering
AnswersC, D

Partner Interconnect offers attachment capacities from 50 Mbps to 50 Gbps through a service provider, so the capacity can be sized to the workload with pay-as-you-go pricing; Dedicated Interconnect provides 10 Gbps or 100 Gbps circuits directly to Google.

Why this answer

Partner Interconnect (Option C) is correct because it provides high-bandwidth, low-latency connectivity through a service provider, with attachment capacities up to 50 Gbps, suitable for real-time replication and cheaper to enter than Dedicated Interconnect because no colocation presence is needed. Dedicated Interconnect (Option D) is correct because a 10 Gbps circuit meets the bandwidth requirement exactly, with predictable latency and an SLA when deployed redundantly; it costs more and requires equipment in a colocation facility. Options A and B are the same product family: Cloud VPN tunnels are capped (3 Gbps per HA VPN tunnel) and run over the public internet, so latency is neither low nor predictable. Option E, Direct Peering, connects to Google's edge for Google services and Workspace traffic, not to VPC networks.

Exam trap

Google Cloud often tests the misconception that Cloud VPN or Classic VPN can meet high-bandwidth, low-latency requirements because they are 'VPNs,' but the trap is that these options lack the dedicated physical infrastructure and SLAs needed for real-time replication, whereas Interconnect options provide guaranteed performance.

74
MCQ · medium

Your company is deploying a multi-tier web application on Google Kubernetes Engine (GKE) with a regional cluster. You need to design network policies to allow traffic only from the frontend pods to the backend pods on port 8080. Which of the following is the most secure and recommended approach?

A. Define a Kubernetes NetworkPolicy that allows ingress to backend pods from frontend pods on port 8080.
B. Configure Private Service Connect to restrict access to backend pods.
C. Create VPC firewall rules to allow ingress from frontend pods to backend pods on port 8080.
D. Use Cloud Armor security policies to restrict traffic to backend pods.
Answer: A

NetworkPolicy is the native Kubernetes mechanism for pod-level traffic control.

Why this answer

A Kubernetes NetworkPolicy is the native and most secure way to control pod-to-pod traffic within a GKE cluster. By defining an ingress rule that allows traffic only from frontend pods (selected via pod labels) to backend pods on TCP port 8080, you enforce micro-segmentation at the pod level, which is the recommended practice for multi-tier applications. This approach works regardless of the underlying node or VPC configuration and is fully integrated with GKE's network policies engine (Calico or Cilium).

Exam trap

The trap here is that candidates often confuse VPC firewall rules (which control traffic at the node level) with Kubernetes NetworkPolicy (which controls traffic at the pod level), leading them to choose option C, even though pod IPs are ephemeral and not directly manageable via VPC firewall rules.

How to eliminate wrong answers

Option B is wrong because Private Service Connect is used to expose managed services privately to VPC networks, not to restrict pod-to-pod traffic within a cluster. Option C is wrong because VPC firewall rules operate at the node/VM level, not at the pod level, and cannot distinguish between individual pods running on the same node; they also cannot enforce label-based selection. Option D is wrong because Cloud Armor is a web application firewall (WAF) that protects external HTTP(S) load balancers, not internal pod-to-pod traffic within a GKE cluster.
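The policy described in this question, written out as an added example (not part of the original question bank): the first document isolates the backend pods and admits only frontend pods on TCP 8080, and the second applies a default-deny ingress baseline so pods not selected by any policy are not left wide open. The namespace `shop` and the labels `app: web`, `tier: frontend` and `tier: backend` are assumptions for illustration.

```yaml
# Added example, not from the original page. Namespace and label values are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-frontend-8080
  namespace: shop
spec:
  # Applies to every backend pod; once selected, all ingress not listed below is denied.
  podSelector:
    matchLabels:
      app: web
      tier: backend
  policyTypes:
    - Ingress            # only ingress is governed here; egress stays unrestricted
  ingress:
    - from:
        # Source is selected by pod labels in the same namespace, not by IP,
        # which is why this works even though pod IPs are ephemeral.
        - podSelector:
            matchLabels:
              app: web
              tier: frontend
      ports:
        - protocol: TCP
          port: 8080     # nothing else on the backend pods is reachable
---
# Default-deny ingress for the whole namespace. Without a baseline like this,
# any pod that no policy selects still accepts traffic from everywhere.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}        # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
  # no ingress rules listed, so all inbound traffic is denied unless another
  # policy (such as the one above) explicitly allows it
```

Enforcement requires a network policy engine on the cluster (GKE Dataplane V2 or the Calico add-on enabled via `--enable-network-policy`); without one, the objects are accepted by the API server but have no effect.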

75
Multi-Select · medium

Which THREE factors should be considered when choosing between a global external HTTP(S) load balancer and a regional external HTTP(S) load balancer? (Choose 3.)

Select 3 answers
A. Support for multiple backend types (Compute Engine, GKE, serverless).
B. SSL termination at the edge (global) vs. at the backend (regional).
C. Ability to use health checks.
D. Integration with Cloud CDN.
E. Need for a single anycast IP address worldwide.
Answers: B, D, E

Global terminates SSL at the edge; regional terminates at the backend.

Why this answer

Regional external HTTP(S) load balancers terminate SSL at the backend (the backend service or instance), meaning the encrypted traffic must travel to the backend before decryption. Global external HTTP(S) load balancers terminate SSL at the edge (Google Front End), decrypting traffic at the closest point of presence and forwarding plaintext HTTP to the backend. This architectural difference impacts security, latency, and backend processing requirements, making it a key factor in choosing between the two.

Exam trap

Google Cloud often tests the misconception that SSL termination location is the same for both load balancer types, but the key distinction is that global terminates at the edge (GFE) and regional terminates at the backend, which directly affects security and performance decisions.
