Google Professional Cloud Network Engineer (PCNE) — Questions 676–750

982 questions total · 14 pages · All types, answers revealed


Page 10 of 14

676
MCQ · hard

A company has deployed a Global External HTTP(S) Load Balancer with a backend service that points to an instance group in us-central1. The load balancer's frontend uses a reserved static external IP address. Users in Europe report high latency, while users in Asia cannot reach the application at all. The application works fine when accessed directly via the instance group's internal IPs from within us-central1. Which action should be taken to resolve the issue?

A. Change the load balancer to a regional load balancer and deploy additional instance groups in other regions.
B. Enable Cloud CDN on the backend service to cache content closer to users.
C. Configure a DNS A record for the load balancer's IP address with a low TTL.
D. Ensure the backend service's 'Enable Global Access' checkbox is selected in the instance group's network settings.
Answer: D

Global access allows the load balancer's global IP to reach the backend instance group even though it's in a single region. Without it, traffic from other regions may be blocked.

Why this answer

Option D is correct because for a Global External HTTP(S) Load Balancer, the backend service must have the 'Enable Global Access' checkbox selected on the instance group's network settings. This setting allows the load balancer's global anycast IP to reach the backend instances across regions. Without it, the load balancer can only forward traffic to instances within the same region as the load balancer's frontend, causing high latency for European users and complete failure for Asian users.

Exam trap

The trap here is that candidates often assume a global load balancer automatically routes to any backend region, but they overlook the explicit 'Enable Global Access' checkbox that must be enabled for cross-region backend connectivity.

How to eliminate wrong answers

Option A is wrong because changing to a regional load balancer would limit the load balancer to a single region, worsening the issue for users outside that region; the correct solution is to keep the global load balancer and enable global access. Option B is wrong because Cloud CDN caches static content, but the problem is connectivity and routing, not content delivery speed; CDN does not fix the inability of Asian users to reach the application. Option C is wrong because configuring a DNS A record with a low TTL does not affect how the load balancer routes traffic to backend instances; the issue is at the network layer, not DNS resolution.

677
MCQ · medium

A company is designing a Shared VPC architecture for multiple projects. The host project hosts three VPC networks: 'prod', 'staging', 'dev'. Each service project needs access to a specific network. Some service projects require access to multiple networks. The security team wants to minimize the number of firewall rules and use IAM for centralized control. Which approach meets these requirements?

A. Attach each service project to one host project network and use IAM roles to grant access to specific subnets in other networks with a cross-project service account.
B. Use VPC Network Peering between each service project's VPC and the host project's networks.
C. Create a separate host project for each environment and attach service projects accordingly.
D. Create a single VPC network that encompasses all environments, and use subnet-level firewall rules to isolate environments.
Answer: A

This allows service projects to access multiple networks by using IAM on subnets and service accounts, minimizing firewall rules.

Why this answer

Shared VPC allows service projects to be attached to a single host project, but a service project can only be attached to one VPC network in the host project. To access multiple networks, the service project must be attached to multiple host projects or use separate networks per project. Using IAM at the subnet level with roles like compute.networkUser allows granular access.

Option A is correct because it limits each service project to one network and uses IAM to grant cross-network access as needed.

678
MCQ · easy

A company wants to ensure that Compute Engine instances in a VPC can resolve internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. What is required for this to work?

A. Assign a custom DNS server to the VPC using Cloud DNS inbound server policy.
B. Configure a DNS managed zone in Cloud DNS.
C. No additional configuration is required; internal DNS resolution works by default.
D. Enable Private Google Access on the subnet.
Answer: C

Google Cloud automatically provides internal DNS for instances in the same VPC.

Why this answer

Google Cloud provides internal DNS resolution for instances within the same VPC network. By default, instances can resolve DNS names for other instances in the same VPC if they are in the same network. There is no additional setup needed; it works out of the box.

The DNS name format is [vm-name].[zone].c.[project-id].internal.

679
MCQ · easy

A company deploys a web application behind a global external HTTP(S) load balancer and wants to protect against SQL injection attacks. Which Google Cloud security product should they use?

A. Identity-Aware Proxy (IAP)
B. VPC firewall rules
C. Cloud IDS
D. Cloud Armor
Answer: D

Cloud Armor provides WAF capabilities.

Why this answer

Cloud Armor is the correct choice because it provides web application firewall (WAF) capabilities, including pre-configured rules to filter SQL injection (SQLi) attacks at the edge of Google's network, before traffic reaches the backend. It integrates directly with the global external HTTP(S) load balancer to inspect HTTP/HTTPS requests and block malicious payloads based on OWASP Top 10 signatures.

Exam trap

Google Cloud often tests the distinction between network-layer security (VPC firewall rules, Cloud IDS) and application-layer security (Cloud Armor), leading candidates to confuse IDS/IPS capabilities with WAF functionality.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) controls access based on user identity and context (e.g., OAuth, SAML), not application-layer attack patterns like SQL injection. Option B is wrong because VPC firewall rules operate at the network layer (IP/port/protocol) and cannot inspect HTTP request bodies or query strings for SQL injection signatures. Option C is wrong because Cloud IDS is a network-based intrusion detection system that monitors for network-level threats (e.g., malware, C2 traffic) using packet mirroring, but it does not provide inline blocking or HTTP-layer WAF rules for SQL injection.

680
MCQ · medium

An organization needs DNS resolution for on-premises hosts to resolve GCP private zone names (e.g., myinstance.gcp.internal). They have Cloud DNS private zones in GCP. Which Cloud DNS feature should they configure to forward queries from on-premises to GCP?

A. Inbound DNS forwarding
B. Split-horizon DNS
C. DNS peering
D. Outbound DNS forwarding
Answer: A

Inbound DNS server policy allows on-premises resolvers to forward queries to Cloud DNS.

Why this answer

Cloud DNS inbound server policy enables on-premises DNS resolvers to forward queries to Cloud DNS for resolution of private zones. This is the appropriate feature for on-premises to GCP DNS resolution.

681
MCQ · medium

A company has a VPC with 200 custom routes and wants to set up VPC peering with another VPC. The VPC peering quota limits the number of routes per VPC. What should the engineer do to avoid hitting the quota?

A. Request a VPC route quota increase
B. Use subnet routes instead of custom routes
C. Delete unused routes
D. Use a shared VPC to consolidate routes
Answer: A

The only way to go beyond the default quota is to request an increase.

Why this answer

VPC quota for routes per VPC is 200 by default. To exceed this, a quota increase request must be submitted to Google Cloud Support.

682
MCQ · easy

A company wants to allow HTTP traffic from the internet to a web server running on a Compute Engine VM in a VPC. The web server should only be accessible on port 80. Which firewall rule should be created?

A. Egress rule: allow tcp:80 from 0.0.0.0/0 (target tags: web-server)
B. Ingress rule: allow tcp:80 from 0.0.0.0/0 (target tags: web-server)
C. Ingress rule: allow tcp:443 from 0.0.0.0/0 (target tags: web-server)
D. Ingress rule: allow tcp:80 from 0.0.0.0/0 (target tags: default)
Answer: B

Correct: Ingress, port 80, any source, target tag 'web-server'.

Why this answer

Option B is correct because HTTP traffic from the internet (source 0.0.0.0/0) must be allowed by an ingress firewall rule targeting the web server VM. The rule specifies TCP port 80, which is the standard HTTP port, and uses target tags 'web-server' to apply the rule only to VMs with that tag, ensuring the web server is accessible on port 80 from any source.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules, and the trap here is that candidates may confuse the direction of traffic (ingress for inbound, egress for outbound) or select a rule with the wrong port (e.g., 443 instead of 80) or incorrect target tags (e.g., 'default' instead of 'web-server').

How to eliminate wrong answers

Option A is wrong because it defines an egress rule, which controls outbound traffic from the VM, not inbound HTTP traffic from the internet. Option C is wrong because it allows TCP port 443 (HTTPS), not port 80 (HTTP), which does not meet the requirement to allow HTTP traffic on port 80. Option D is wrong because it uses target tags 'default', which would apply the rule to all VMs in the VPC with the default tag, rather than specifically targeting the web server VM with the 'web-server' tag, potentially exposing other VMs to inbound HTTP traffic.

683
MCQ · easy

Refer to the exhibit. A project has the IAM policy shown. Alice is trying to delete a VPC firewall rule but receives a permission error. What is the most likely reason?

A. Alice has the role roles/compute.securityAdmin, which should allow deletion; perhaps the rule is managed by another service
B. The IAM policy has a condition that denies deletion after business hours
C. An organization policy prevents deletion of firewall rules in this project
D. Bob has the role roles/compute.networkAdmin, which does not include permissions to delete firewall rules
Answer: A

roles/compute.securityAdmin includes firewall rule deletion. If Alice still gets an error, it might be due to hierarchical policies or the rule being managed by another service like Firewall Insights.

Why this answer

Alice has the role roles/compute.securityAdmin, which includes the compute.firewalls.delete permission. However, if the VPC firewall rule is managed by another service (e.g., Firewall Rules Manager, Google Cloud Armor, or a managed service like GKE), the rule may have a 'managed' label or be part of a service-managed resource hierarchy that prevents direct deletion via the compute.firewalls.delete API. In such cases, the rule must be deleted through the managing service, not directly via the firewall rules API, leading to a permission error despite having the correct role.

Exam trap

Google Cloud often tests the misconception that having the correct IAM role (like compute.securityAdmin) always grants full control over all firewall rules, ignoring that managed services can impose additional deletion restrictions that override the base IAM permissions.

How to eliminate wrong answers

Option B is wrong because the IAM policy shown does not include any conditions; the exhibit only shows a simple binding with roles/compute.securityAdmin for Alice, and there is no mention of a condition that denies deletion after business hours. Option C is wrong because an organization policy would apply at the organization or folder level, not within a project's IAM policy; the exhibit shows a project-level IAM policy, and organization policies are separate constraints (e.g., constraints/compute.restrictFirewallRules) that would appear in the Organization Policies section, not in the IAM policy. Option D is wrong because Bob's role is irrelevant to Alice's permission error; the question asks why Alice cannot delete the rule, and Bob's role does not affect Alice's permissions.

684
MCQ · medium

A company has set up a route-based HA VPN tunnel between Google Cloud and their on-premises network. They are experiencing packet loss and need to troubleshoot. Which logs or metrics would provide the MOST relevant information to diagnose the issue?

A. Cloud Monitoring metric: interconnect/network/received_bytes_count
B. Cloud Load Balancing logs
C. VPC flow logs
D. Cloud VPN gateway logs (syslog)
Answer: D

Gateway logs contain detailed information about the VPN tunnels.

Why this answer

Cloud VPN gateway logs provide detailed information about tunnel establishment, IKE negotiations, and BGP messages. They can help identify packet loss causes like MTU issues, encryption mismatches, or routing problems. Cloud Monitoring metrics for VPN tunnels show traffic volume and errors, but logs provide more granular detail.

685
Multi-Select · medium

An organization has an internal application that runs on Compute Engine and needs to be load balanced within the same region using a Layer 7 load balancer. They want the load balancer to be accessible only from within their VPC. Which THREE components are needed? (Choose three.)

Select 3 answers
A. A Regional Internal HTTP(S) Load Balancer forwarding rule
B. A backend service
C. A URL map
D. A health check
E. An SSL certificate
Answers: B, C, D

Required to define the backend instances.

Why this answer

A Regional Internal HTTP(S) Load Balancer requires a backend service, a URL map, and a health check. The forwarding rule is needed, but it is created as part of the load balancer itself. An SSL certificate is only needed if HTTPS is used.

An Internet NEG is for external backends.

686
MCQ · hard

An organization needs to protect a web application behind an HTTPS Load Balancer from SQL injection attacks. They want to use a managed WAF solution. Which Google Cloud service should they configure?

A. Cloud Armor
B. VPC Service Controls
C. Cloud Firewall Rules
D. Cloud CDN
Answer: A

Cloud Armor includes WAF rules, including preconfigured SQLi protection.

Why this answer

Cloud Armor provides WAF capabilities including preconfigured rules for SQL injection (OWASP) and custom rules.

687
MCQ · medium

A company wants to deploy an HTTP application on Compute Engine instances in us-east1 and europe-west1, and use a global external HTTP(S) load balancer. How should they configure the backend?

A. Create a regional load balancer in each region and use DNS round-robin.
B. Create one backend service and add two instance groups, one from each region.
C. Create one backend service and add one instance group with instances in both regions.
D. Create two backend services, one per region, and attach to the same URL map.
Answer: B

This allows the load balancer to distribute traffic globally.

Why this answer

A global external HTTP(S) load balancer requires a single backend service that can span multiple regions. By adding one instance group from us-east1 and another from europe-west1 to the same backend service, the load balancer automatically routes traffic to the closest healthy backend based on the client's geographic location and the load balancer's anycast IP. This configuration leverages Google's global network infrastructure for optimal latency and failover.

Exam trap

The trap here is that candidates mistakenly think instance groups can span multiple regions (Option C) or that multiple backend services are needed for multi-region deployments (Option D), when in fact a single backend service with multiple regional instance groups is the correct and simplest design for a global load balancer.

How to eliminate wrong answers

Option A is wrong because creating two regional load balancers with DNS round-robin does not provide true global load balancing; DNS round-robin cannot account for backend health or geographic proximity, and it lacks the anycast IP and automatic failover capabilities of a global load balancer. Option C is wrong because an instance group cannot span multiple regions; instance groups are zonal or regional resources, and you must use separate instance groups per region. Option D is wrong because creating two backend services per region and attaching them to the same URL map would require a multi-backend setup, but for a single HTTP application you need one backend service that aggregates both regional instance groups; using two backend services would require separate URL paths or host rules, which is unnecessary and adds complexity.

688
Multi-Select · medium

Which TWO of the following are advantages of using the Premium Tier of Google Cloud's Network Service Tiers? (Choose TWO.)

Select 2 answers
A. Reduced cost compared to Standard Tier.
B. Global load balancing with a single anycast IP address.
C. Lower latency and egress costs for traffic originating in regions far from users.
D. Supports regional load balancers only.
E. Public IP addresses are assigned from a regional pool.
Answers: B, C

Premium Tier enables global anycast IP for load balancers.

Why this answer

Options B and C are correct. Premium Tier offers lower latency by leveraging Google's global network. Option A is wrong because Premium Tier costs more.

Option D is wrong because Premium Tier allows global load balancing with an anycast IP. Option E is wrong because Premium Tier supports both global and regional load balancers, but the advantage is global.

689
MCQ · easy

Which Cloud DNS zone type is used to resolve DNS names for resources within a VPC network, and is not accessible from the internet?

A. Peering zone
B. Forwarding zone
C. Private managed zone
D. Public managed zone
Answer: C

Private zones are internal to VPC networks.

Why this answer

Private managed zones are associated with one or more VPC networks and are used for internal DNS resolution. Public managed zones are for internet-facing DNS.

690
MCQ · hard

A global e-commerce company has deployed a web application across multiple GCP regions using an external HTTPS load balancer. Traffic is expected to originate from users worldwide. They want to minimize latency and improve user experience, while also ensuring that traffic is served from the nearest healthy backend. Which load balancing configuration should they use?

A. Deploy a regional external HTTP(S) load balancer in each region and use Cloud CDN to cache content.
B. Use a global external HTTP(S) load balancer with an anycast IP and enable Cloud CDN.
C. Configure an internal TCP/UDP load balancer in each region with DNS-based geolocation routing.
D. Set up a global external TCP proxy load balancer with SSL termination at each backend.
Answer: B

Global load balancer uses anycast to route users to the nearest healthy backend automatically.

Why this answer

A global external HTTP(S) load balancer uses a single anycast IP address, which directs each user to the closest healthy backend based on the user's geographic location and backend health. Enabling Cloud CDN further reduces latency by caching content at Google's global edge locations, ensuring that static and dynamic content is served from the nearest point of presence.

Exam trap

Google Cloud often tests the distinction between global anycast-based load balancers and regional load balancers with DNS routing, where candidates mistakenly think that regional load balancers with Cloud CDN can achieve the same latency optimization as a global anycast load balancer.

How to eliminate wrong answers

Option A is wrong because regional external HTTP(S) load balancers do not provide a single anycast IP; they require separate IPs per region and rely on DNS-based routing, which cannot guarantee that traffic is always served from the nearest healthy backend without additional complexity and potential latency from DNS caching. Option C is wrong because internal TCP/UDP load balancers are designed for private VPC traffic within a region, not for global external user traffic, and DNS-based geolocation routing introduces latency and does not provide the same anycast-based proximity as a global load balancer. Option D is wrong because a global external TCP proxy load balancer operates at Layer 4 and does not support HTTP/HTTPS features like Cloud CDN, URL-based routing, or content caching, making it unsuitable for optimizing user experience for a web application.

691
Multi-Select · hard

Which TWO statements about VPC Network Peering are correct?

Select 2 answers
A. VPC peering supports global load balancing with internal IPs
B. VPC peering is supported within the same organization
C. VPC peering supports transitivity across multiple peerings
D. VPC peering allows overlapping CIDR ranges
E. VPC peering can be used to connect VPCs in different regions
Answers: B, E

Peering can be established between VPCs in the same organization.

Why this answer

Option B is correct because VPC Network Peering is designed to connect VPCs within the same organization (or across different organizations) without requiring a VPN or gateway. It allows private RFC 1918 IP communication between VPCs, and when both VPCs belong to the same organization, the peering setup is straightforward and does not involve cross-organization trust policies. This is a fundamental use case for peering in Google Cloud.

Exam trap

The trap here is that candidates often assume VPC peering supports transitivity (Option C) because they confuse it with traditional router-based networking, but Google Cloud explicitly enforces non-transitive peering to maintain security and simplicity.

692
MCQ · hard

Refer to the exhibit. You are troubleshooting an on-premises to Cloud VPN connection with dynamic routing. The BGP session is CONNECTED, but no routes are received from the on-premises router. What is the most likely cause?

A. The firewall rules are blocking BGP traffic.
B. The on-premises router is not configured to advertise routes.
C. The VPN tunnel is down.
D. The cloud router is not advertising any routes.
Answer: B

Since the BGP session is CONNECTED but no routes received, the on-premises side is not advertising.

Why this answer

The BGP session is up, but routesReceived is 0, indicating the on-premises router is not advertising routes.

693
MCQ · medium

A network engineer is troubleshooting connectivity from a VM to an on-premises server over a Cloud VPN. The VM can reach the on-premises server, but the return traffic is dropped. What is the most likely cause?

A. The on-premises network does not have a route back to the VPC subnet.
B. A firewall rule is blocking ingress traffic from the on-premises network.
C. The BGP session is down.
D. The Cloud Router is not configured.
Answer: A

Return traffic requires a route on-premises pointing to the VPN gateway.

Why this answer

Option A is correct because the on-premises routes must include the VPC subnet so that return traffic is sent to the VPN gateway. Option B is wrong because firewall rules are evaluated separately for ingress and egress, and the forward direction already works. Option C is wrong because a BGP session being down would cause no connectivity at all, not a one-way drop.

Option D is wrong because Cloud Router is needed for dynamic routing, but not having one does not cause asymmetric dropping specifically.

694
Multi-Select · easy

Which TWO statements about VPC Network Peering are correct? (Choose TWO.)

Select 2 answers
A. Transitive peering is not supported; if Network A is peered with Network B and Network A is peered with Network C, Network B cannot communicate with Network C through Network A.
B. Peered networks can use globally distributed routing to communicate across regions without additional configuration.
C. Default routes (0.0.0.0/0) are automatically exported and imported between peered networks.
D. Firewall rules from one network are automatically applied to the peered network.
E. The subnet IP ranges of peered VPC networks must not overlap.
Answers: A, E

VPC peering is non-transitive; traffic must be directly peered.

Why this answer

Option A is correct because VPC Network Peering is non-transitive by design. This means that if Network A is peered with both Network B and Network C, traffic cannot flow from Network B to Network C through Network A. Each peering connection is a direct, point-to-point link, and routing is not propagated across multiple peering hops.

This behavior is enforced by the GCP networking stack to prevent complex and unintended routing topologies.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering supports transitive routing, similar to how traditional router-based networks work, but GCP explicitly disallows this to enforce network segmentation and prevent unintended traffic flows.

695
MCQ · medium

A company uses Identity-Aware Proxy (IAP) to secure access to Compute Engine VMs. Users report that they can SSH into some VMs but not others, even though they have the IAP-secured Tunnel User role. Both VMs are in the same project and have the same network tags. What is the most likely reason?

A. Firewall rules allow ingress from IAP's IP ranges only for some VMs.
B. The VMs are in different zones with different DNS resolution.
C. The VMs that can be accessed have external IP addresses; the others only have internal IP addresses.
D. The VMs do not have OS Login enabled.
Answer: C

IAP requires that the VM can be reached from IAP proxies, which typically requires an external IP.

Why this answer

Option C is correct because IAP for TCP forwarding requires the target VM to have an external IP address (or be accessible via a Cloud NAT with specific routing) for the IAP service to establish the tunnel. Without an external IP, the IAP tunnel cannot reach the VM, even if the user has the IAP-secured Tunnel User role and the firewall rules allow ingress from IAP's IP ranges (35.235.240.0/20).

Exam trap

The trap here is that candidates assume IAP works with any VM in the project as long as firewall rules and IAM roles are correct, overlooking the requirement for an external IP address (or Cloud NAT) for the IAP tunnel to reach the VM.

How to eliminate wrong answers

Option A is wrong because firewall rules in a project apply to all VMs with the same network tags; if the rules allow ingress from IAP's IP ranges (35.235.240.0/20) for one VM with a given tag, they apply equally to all VMs with that tag, so this cannot explain why some VMs are inaccessible. Option B is wrong because DNS resolution is not a factor in IAP tunneling; IAP uses IP addresses, not DNS names, and zones do not affect DNS resolution for internal VM connectivity. Option D is wrong because OS Login is not required for IAP tunneling; IAP works with standard SSH keys or gcloud auth, and OS Login is an optional authentication method that does not affect the ability to establish the IAP tunnel itself.

696
MCQ · hard

A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?

A. Deploy the Cloud SQL Auth Proxy on each VM and configure IAM permissions for each VM's service account
B. Use Shared VPC and assign the specific VMs to a subnet with a dedicated secondary IP range, then restrict database access to that range
C. Use Private Service Connect to publish the database as a managed service and create a Private Service Connect endpoint in the spoke VPC with IAM permissions for the specific VM service accounts
D. Configure firewall rules in the hub project to allow traffic only from the specific VM internal IPs
Answer: C

Private Service Connect provides per-service account authorization and network isolation.

Why this answer

Option C is correct because Private Service Connect (PSC) allows you to publish a managed service (like Cloud SQL) and create a PSC endpoint in the spoke VPC. By combining the PSC endpoint with IAM permissions on the VM service accounts, you ensure that only specific VMs can connect to the database, providing fine-grained, identity-aware access control without exposing the database to the entire network.

Exam trap

Google Cloud often tests the misconception that network-level controls (firewall rules or IP ranges) are sufficient for securing access to managed services, when in fact identity-based controls (IAM + Private Service Connect) provide a more secure and auditable solution in a shared VPC topology.

How to eliminate wrong answers

Option A is wrong because Cloud SQL Auth Proxy provides authentication and encryption but does not restrict network-level access; any VM with the proxy installed and valid IAM credentials could connect, and it does not leverage the hub-and-spoke topology for isolation. Option B is wrong because Shared VPC with a dedicated secondary IP range only controls IP addressing, not access; firewall rules would still be needed, and any VM in that subnet could reach the database, not just the specific VMs. Option D is wrong because firewall rules in the hub project filter traffic based on source IPs, which can be spoofed within the VPC or bypassed if VMs are moved; they lack identity-based controls and do not prevent traffic from other VMs in the same subnet.

697
MCQ · medium

An organization uses Cloud DNS with a managed zone for example.com. They want to block or override DNS queries for a specific malicious domain (malware.com) to return a sinkhole IP address. Which Cloud DNS feature should they use?

A. DNS forwarding
B. Response Policy Zone (RPZ)
C. DNS peering
D. Managed zone with DNSSEC
Answer: B

RPZ can override DNS responses for specified domains.

Why this answer

Response Policy Zones (RPZ) allow DNS administrators to override DNS responses for specific domains, such as redirecting malicious domains to a sinkhole.

698
MCQ · hard

An organization wants to mirror all traffic from a set of Compute Engine instances to a third-party IDS appliance running on a separate instance in the same VPC. The IDS appliance must receive a copy of both ingress and egress traffic without impacting production traffic. Which Google Cloud service should they use?

A. Firewall Insights
B. VPC Flow Logs
C. Packet Mirroring
D. Cloud NAT logging
Answer: C

Packet Mirroring copies all traffic to a collector for deep packet inspection.

Why this answer

Packet Mirroring copies traffic from source instances (mirror source) to a collector (IDS appliance) for monitoring. It is designed for this purpose without affecting production.

699
MCQ · hard

A company uses Partner Interconnect with a service provider that offers Layer 2 connectivity. The engineer needs to establish BGP peering between the on-premises router and Cloud Router. What must be created in Google Cloud to enable this?

A. An HA VPN gateway.
B. A VLAN attachment of type PARTNER_PROVIDER.
C. A Dedicated Interconnect attachment.
D. A VLAN attachment of type PARTNER.
Answer: B

PARTNER_PROVIDER is used when the partner provides Layer 2 connectivity.

Why this answer

With Layer 2 Partner Interconnect, the service provider extends a VLAN to Google. You create a VLAN attachment of type PARTNER_PROVIDER, which allows you to configure the Cloud Router and BGP session.

700
MCQ · easy

A company needs to connect multiple on-premises sites to Google Cloud using a single Cloud VPN gateway. What is the recommended approach?

A. Create a single VPN tunnel and use policy-based routing to direct traffic.
B. Use a single VPN tunnel with multiple BGP sessions.
C. Create multiple VPN tunnels, each with its own BGP session to a Cloud Router.
D. Create a single VPN tunnel and use static routes for each site.
Answer: C

This allows each site to have its own encrypted tunnel and dynamic routing.

Why this answer

When connecting multiple on-premises sites to Google Cloud using a single Cloud VPN gateway, the recommended approach is to create multiple VPN tunnels, each with its own BGP session to a Cloud Router. This allows the Cloud VPN gateway to terminate multiple tunnels, and each tunnel can have a unique BGP session for dynamic route exchange, enabling the gateway to learn and advertise routes for each site independently. Using a single tunnel with multiple BGP sessions or policy-based routing is not supported because a Cloud VPN tunnel is a point-to-point connection that can only have one BGP session per tunnel, and static routes would not provide the redundancy or dynamic failover needed for multiple sites.

Exam trap

Google Cloud often tests the misconception that a single VPN tunnel can support multiple BGP sessions or that policy-based routing can be used to segregate traffic for multiple sites, but in Google Cloud, each tunnel is a point-to-point construct that requires its own BGP session, and policy-based routing is not available for Cloud VPN.

How to eliminate wrong answers

Option A is wrong because policy-based routing is not a supported feature for Cloud VPN tunnels; Cloud VPN uses route-based VPNs (with BGP or static routes) and cannot direct traffic based on policies across multiple sites through a single tunnel. Option B is wrong because a single VPN tunnel can only have one BGP session; multiple BGP sessions cannot be established over a single tunnel as each BGP session requires a separate tunnel interface and peer IP address. Option D is wrong because using a single VPN tunnel with static routes for each site would create a single point of failure and cannot provide the dynamic routing, failover, or load balancing needed for multiple on-premises sites; static routes also require manual updates if site topologies change.

701
MCQ (easy)

A team needs to perform a health check for a gRPC backend service. Which health check type should they use?

A. HTTP health check
B. TCP health check
C. gRPC health check
D. SSL health check
Answer: C

gRPC health check uses the gRPC Health Checking Protocol to verify service health.

Why this answer

Cloud Load Balancing supports HTTP, HTTPS, HTTP2, TCP, SSL, and gRPC health checks. For gRPC backends, the gRPC health check is the most appropriate.

702
MCQ (easy)

A team has deployed Compute Engine instances with internal IPs only. They need to allow these instances to download updates from specific external IP ranges. Which action should they take?

A. Create egress firewall rules with target tags and allowed IP ranges.
B. Configure Cloud NAT and allow all traffic.
C. Attach a public IP to each instance.
D. Use Private Google Access.
Answer: A

Egress firewall rules can restrict outbound traffic to specific IP ranges.

Why this answer

Egress firewall rules with target tags allow you to control outbound traffic from Compute Engine instances based on destination IP ranges. By specifying the allowed external IP ranges for updates and applying the rule to instances with a specific tag, you enable secure outbound access without exposing the instances to inbound traffic or requiring public IPs.

Exam trap

Google Cloud often tests the misconception that Cloud NAT alone can restrict outbound traffic to specific destinations, but Cloud NAT only provides source NAT and does not filter traffic by destination; egress firewall rules are required for that control.

How to eliminate wrong answers

Option B is wrong because Cloud NAT provides outbound connectivity to the internet for instances without public IPs, but it does not restrict traffic to specific external IP ranges; allowing all traffic would violate the requirement to limit updates to specific IP ranges. Option C is wrong because attaching a public IP to each instance would expose them to inbound traffic from the internet, increasing the attack surface and contradicting the requirement to use internal IPs only. Option D is wrong because Private Google Access enables instances with internal IPs to reach Google APIs and services, not external third-party update servers.

703
Matching (medium)

Match each VPC networking concept to its definition.


Regional IP range within a VPC

Connection between two VPCs for private IP communication

VPC from one project shared with other projects

Outbound internet access for private instances

Access Google APIs from on-premises or other clouds

Why these pairings

These concepts are fundamental to VPC design in Google Cloud.

704
MCQ (hard)

You are using Serverless VPC Access to connect Cloud Run services to a VPC network. The connector is in us-central1 with a /28 subnet. You have a Cloud SQL instance (private IP) in the same region but in a different VPC network (peered). The Cloud Run service cannot reach the Cloud SQL instance. What is the most likely cause?

A. The Cloud SQL instance must have the Cloud SQL Proxy configured.
B. Serverless VPC Access requires Private Google Access to be enabled on the connector's subnet.
C. Cloud SQL requires an external IP for Serverless VPC Access connectivity.
D. The VPC connector's subnet does not have a route to the peered VPC where Cloud SQL resides.
Answer: D

VPC peering does not automatically propagate routes; you must configure custom route exchange or create routes.

Why this answer

Option D is correct because Serverless VPC Access routes traffic through the connector's VPC, but if the Cloud SQL instance is in a different VPC (even a peered one), the connector does not automatically route to the peered VPC. You need to ensure that the route for the Cloud SQL private IP range is present in the connector's VPC. Option C is wrong because a Cloud SQL private IP is reachable without an external IP.

Option A is wrong because the Cloud SQL Proxy is not required when direct private IP access is configured. Option B is wrong because the connector does not rely on Private Google Access to reach Cloud SQL.

705
MCQ (medium)

A company uses Shared VPC to grant separate teams access to subnets in a host project. They want to allow Team A to create VM instances in subnet-1, but not delete the subnet itself. Which IAM role should be granted to Team A on subnet-1?

A. roles/owner
B. roles/compute.networkAdmin
C. roles/compute.instanceAdmin.v1
D. roles/compute.networkUser
Answer: D

networkUser allows using the subnet without full administrative rights.

Why this answer

The Compute Network User role (roles/compute.networkUser) grants permissions to use existing networks and subnets (create VMs, attach disks, etc.) but not to delete or modify network resources.

706
Multi-Select (hard)

A company is migrating workloads to Google Cloud and wants to use Cloud Interconnect for low-latency connectivity. They have two on-premises locations and need to connect to multiple GCP regions. Which two statements are true about using VLAN attachments with Dedicated Interconnect? (Choose TWO.)

Select 2 answers
A. Multiple VLAN attachments can be created over a single physical interconnect link.
B. VLAN attachments support both Dedicated and Partner Interconnect.
C. A VLAN attachment can span multiple geographic regions.
D. Each VLAN attachment connects to a single Cloud Router.
E. A single VLAN attachment can connect to multiple VPCs.
Answers: A, D

You can create multiple VLAN attachments over one Dedicated Interconnect link.

Why this answer

VLAN attachments are used to create logical connections over a Dedicated Interconnect link. Each VLAN attachment connects to a single VPC and region. Multiple attachments can be created over one physical link to connect multiple VPCs or regions.

707
Multi-Select (medium)

A company has a VPC with three tiers: web, app, and db. They want to enforce that only the web tier can communicate with the app tier on TCP port 8080, and only the app tier can communicate with the db tier on TCP port 3306. All instances are in the same region but different subnets. Which TWO firewall rules should be created? (Choose 2.)

Select 2 answers
A. An ingress rule on the db tier instances with tag 'db' allowing TCP 3306 from instances with tag 'app'.
B. An egress rule on the web instances with tag 'web' allowing TCP 8080 to the app subnet.
C. An egress rule on the web subnet allowing TCP 8080 to any destination.
D. An ingress rule on the app tier instances with tag 'app' allowing TCP 8080 from instances with tag 'web'.
E. An ingress rule on the web subnet allowing TCP 8080 from the app subnet.
Answers: A, D

This ensures only app tier can reach db tier on port 3306.

Why this answer

To control traffic between tiers, you use firewall rules with source tags. The correct approach is to create ingress rules on the destination tier's instances, allowing traffic only from the source tier's tag. Option D is an ingress rule on the app tier allowing TCP 8080 from the 'web' tag, and Option A is an ingress rule on the db tier allowing TCP 3306 from the 'app' tag.

Option B is an egress rule on the web tier allowing traffic to the app tier on 8080, but it does not prevent other sources from reaching the app tier. Options C and E are incorrect because they allow traffic to any destination (C) or are applied on the wrong tier (E).

708
MCQ (easy)

A company is deploying a hybrid cloud solution using Partner Interconnect. They have ordered a 1 Gbps connection from a partner at a colocation facility. The on-premises network uses a 10 Gbps link to the colo, and the partner provides a single 1 Gbps connection to Google Cloud. The company wants to connect two separate VPC networks in Google Cloud (production and development) to their on-premises network. Each VPC requires 500 Mbps of dedicated bandwidth. The company also needs high availability for the connection. What should they do?

A. Create a single VLAN attachment, then use a shared VPC with two subnets. Configure one Cloud Router with two BGP sessions, one for each subnet.
B. Create one VLAN attachment with 1 Gbps capacity, attach it to both VPCs using a single Cloud Router with two BGP sessions.
C. Create two VLAN attachments on the same interconnect, each with 500 Mbps capacity. Configure a separate Cloud Router for each VPC, each with a BGP session on its respective VLAN attachment. Use BGP metrics for active/passive failover.
D. Order two separate 1 Gbps Partner Interconnect connections, one for each VPC, and configure each with a single VLAN attachment.
Answer: C

Correct. This meets bandwidth and HA requirements.

Why this answer

Option C is correct because Partner Interconnect supports multiple VLAN attachments on a single connection, each with its own capacity allocation. By creating two VLAN attachments with 500 Mbps each, you can dedicate bandwidth to each VPC while meeting the 500 Mbps requirement. Using separate Cloud Routers with BGP sessions on each VLAN attachment and adjusting BGP metrics (e.g., local preference) allows active/passive failover for high availability, satisfying both the bandwidth and HA needs without requiring additional physical connections.

Exam trap

The trap here is that candidates assume a single VLAN attachment can serve multiple VPCs or that multiple physical connections are required for multiple VPCs, but Partner Interconnect allows multiple VLAN attachments on one connection, each dedicated to a different VPC with its own bandwidth and BGP session.

How to eliminate wrong answers

Option A is wrong because a single VLAN attachment cannot be shared across two separate VPC networks; VLAN attachments are per-VPC resources, and using a shared VPC with subnets does not provide dedicated bandwidth per VPC or proper isolation. Option B is wrong because a single VLAN attachment cannot be attached to two VPCs simultaneously; each VLAN attachment is associated with exactly one VPC and one Cloud Router, and a single Cloud Router with two BGP sessions cannot route traffic to two different VPCs over the same attachment. Option D is wrong because ordering two separate 1 Gbps connections is unnecessary and cost-prohibitive; a single 1 Gbps Partner Interconnect connection can support multiple VLAN attachments (up to 8 per connection) to serve multiple VPCs with dedicated bandwidth.

709
MCQ (medium)

Your security team wants to block specific SQL injection attacks using Cloud Armor. You have configured a security policy with a preconfigured WAF rule for SQL injection (evaluatePreconfiguredExpr('sqli-stable')). The rule is set to DENY. However, legitimate traffic is being blocked intermittently. What should you adjust?

A. Add a rate-based rule to limit the number of requests per second.
B. Create a rule with higher priority to allow the legitimate traffic before the WAF rule.
C. Modify the WAF rule to use a lower sensitivity level or exclude certain request attributes.
D. Enable TLS inspection for the load balancer to fully inspect encrypted traffic.
Answer: C

Reducing sensitivity reduces false positives.

Why this answer

The preconfigured WAF rule for SQL injection (sqli-stable) uses a default sensitivity level that may be too aggressive, causing false positives on legitimate traffic. By lowering the sensitivity level or excluding specific request attributes (e.g., headers, cookies, or URI paths), you can reduce false positives while still blocking actual SQL injection attempts. Cloud Armor allows fine-tuning of preconfigured rules via the `sensitivity` parameter and `exclude` lists, which is the correct approach here.

Exam trap

Google Cloud often tests the misconception that false positives from WAF rules are best handled by adding allow rules or rate limiting, rather than tuning the rule's sensitivity or exclusions, which is the proper Cloud Armor mechanism.

How to eliminate wrong answers

Option A is wrong because rate-based rules limit request frequency to mitigate DDoS or brute-force attacks, not to address false positives from a WAF rule that incorrectly flags legitimate SQL-like patterns. Option B is wrong because creating a higher-priority allow rule would bypass the WAF rule entirely for that traffic, defeating the purpose of SQL injection protection and potentially allowing actual attacks through. Option D is wrong because TLS inspection (e.g., using Cloud Armor with HTTPS load balancers) is already performed by default for encrypted traffic; the issue is not about decryption but about the WAF rule's sensitivity to benign SQL-like patterns.

710
MCQ (hard)

Your company runs a multi-tier web application on Google Cloud. The application consists of frontend instances in a managed instance group (MIG) in us-central1, backend instances in a MIG in us-west1, and a Cloud SQL database in us-central1. The frontend and backend communicate over a VPC network with custom subnet mode (10.0.0.0/16) and use internal IP addresses. Recently, the application experienced intermittent timeouts. You notice that the backend instances in us-west1 have high latency when querying the Cloud SQL database in us-central1. You suspect network congestion or suboptimal routing. You want to minimize latency between the regions for database queries while ensuring the most cost-effective solution. What should you do?

A. Move all resources to a single region, such as us-central1, and use a single VPC.
B. Set up a Cloud VPN tunnel with Cloud Router and use BGP to advertise routes between the two regions.
C. Create a VPC peering connection between the frontend and backend VPCs.
D. Enable Cloud CDN on the backend load balancer to cache database responses.
Answer: B

This provides a dedicated encrypted tunnel and dynamic routing, which can reduce latency by using a more direct path than the public internet.

Why this answer

Option B is correct because Cloud VPN with Cloud Router and BGP enables dynamic route advertisement between the two regions, allowing traffic between the backend instances in us-west1 and the Cloud SQL database in us-central1 to traverse Google's global network with optimal routing. This minimizes latency by using Google's internal backbone rather than the public internet, and it is cost-effective because Cloud VPN charges only for the tunnel hours and egress traffic, with no per-GB data transfer costs for inter-region traffic within the same VPC.

Exam trap

Google Cloud often tests the misconception that VPC peering is needed for inter-region communication within the same VPC, but the trap here is that the frontend and backend are already in the same VPC, so peering is irrelevant, and the real issue is optimizing routing between regions, which Cloud VPN with BGP addresses.

How to eliminate wrong answers

Option A is wrong because moving all resources to a single region would eliminate the multi-region architecture, potentially increasing latency for users in other regions and violating the requirement to minimize latency between regions while maintaining the existing deployment. Option C is wrong because VPC peering connects two separate VPCs, but the frontend and backend are already in the same VPC (custom subnet mode 10.0.0.0/16), so peering is unnecessary and does not address routing optimization between regions. Option D is wrong because Cloud CDN caches static content at edge locations, not database query responses, and it cannot reduce latency for dynamic database queries that require real-time access to Cloud SQL.

711
Multi-Select (medium)

An organization needs low-latency connectivity between their on-premises data center and Google Cloud, supporting up to 20 Gbps throughput. They already have a Partner Interconnect connection but need to increase capacity. Which two actions should they take? (Choose two.)

Select 2 answers
A. Work with the service provider to upgrade the existing interconnect to a higher capacity
B. Create additional Cloud VPN tunnels to the same region
C. Provision a new Dedicated Interconnect to bypass the partner
D. Provision additional VLAN attachments on the existing Partner Interconnect
Answers: A, D

Partner Interconnect bandwidth can be upgraded by working with the service provider.

Why this answer

Option A is correct because Partner Interconnect connections can be upgraded to higher capacity by working with the service provider, as the provider manages the underlying physical circuit. This allows increasing throughput up to 20 Gbps without replacing the existing connection, leveraging the existing Layer 2 or Layer 3 handoff.

Exam trap

Google Cloud often tests the misconception that adding Cloud VPN tunnels can scale throughput to match Interconnect speeds, but VPN tunnels have lower bandwidth limits and higher latency, making them unsuitable for high-throughput, low-latency requirements.

712
Multi-Select (easy)

A network engineer needs to configure firewall rules to allow health checks from Google Cloud's health check systems to a backend service. Which two source IP ranges should they allow? (Choose two.)

Select 2 answers
A. 169.254.0.0/16
B. 10.0.0.0/8
C. 130.211.0.0/22
D. 35.191.0.0/16
E. 0.0.0.0/0
Answers: C, D

130.211.0.0/22 and 35.191.0.0/16 are the two source ranges used by Google Cloud health check probes.

Why this answer

Google Cloud health check probes originate from the specific IP ranges 130.211.0.0/22 and 35.191.0.0/16. Allowing these source ranges in firewall rules is necessary to permit health check traffic to reach backend instances, ensuring load balancers can determine instance health.

Exam trap

Google Cloud often tests the misconception that health checks originate from the same subnet as the load balancer or from private IP ranges, leading candidates to incorrectly select 10.0.0.0/8 or 169.254.0.0/16 instead of the documented Google Cloud health check source ranges.

713
MCQ (medium)

A company uses Cloud Armor to protect its HTTP(S) load balancer. They need to block requests from a specific geographic region and also apply a rate limiting rule. What is the correct order of evaluation for Cloud Armor security policies?

A. Rate limiting rules are evaluated separately from other rules.
B. Evaluate rules in priority order and apply all matching rules.
C. Evaluate rules in priority order; the first matching rule determines the action.
D. Evaluate all rules and apply the most restrictive action.
Answer: C

This is the correct behavior of Cloud Armor security policies.

Why this answer

Cloud Armor security policies evaluate rules in priority order, and the first rule that matches the request determines the action (allow or deny). This means that if a rate limiting rule matches first, it will be applied, and subsequent rules are not evaluated. Option C correctly describes this behavior.

Exam trap

Google Cloud often tests the misconception that all matching rules are applied or that the most restrictive action is taken, but Cloud Armor uses first-match semantics, not cumulative or most-restrictive logic.

How to eliminate wrong answers

Option A is wrong because rate limiting rules are not evaluated separately; they are integrated into the same priority-ordered rule set as other rules. Option B is wrong because Cloud Armor does not apply all matching rules; it stops at the first match and applies only that rule's action. Option D is wrong because Cloud Armor does not evaluate all rules and apply the most restrictive action; it uses the first match in priority order, not the most restrictive.

714
MCQ (hard)

A large enterprise uses hierarchical firewall policies across multiple VPCs. They have an organization policy that requires all VPCs to block SSH from the internet. However, a development team needs SSH from a specific external IP range for a building. How can they create a firewall rule that allows that range without violating the organization policy?

A. Remove the organization policy and implement firewall rules at the project level only.
B. Create a project-level firewall policy with a priority higher than the organization policy's deny rule, allowing the specific source range.
C. Use VPC firewall rules instead of hierarchical policies to allow the range, as they are evaluated after hierarchical policies.
D. Add the external IP range to an exception list in the organization policy.
Answer: B

In hierarchical firewall policies, lower priority numbers take precedence. A project-level rule with a higher priority (lower number) than the organization's deny rule will be evaluated first and allow the traffic.

Why this answer

In Google Cloud, hierarchical firewall policies are evaluated before VPC firewall rules, and the effective rule is the one with the highest priority (lowest numeric value). By creating a project-level firewall policy rule with a higher priority (e.g., priority 100) than the organization policy's deny rule (e.g., priority 1000), the allow rule for the specific external IP range will take precedence, effectively overriding the deny for that traffic while keeping the organization policy intact.

Exam trap

Google Cloud often tests the misconception that VPC firewall rules are evaluated after hierarchical policies and can override them, but in reality, hierarchical policies are evaluated first and their deny rules will block traffic unless a higher-priority allow rule exists within the hierarchical policy hierarchy.

How to eliminate wrong answers

Option A is wrong because removing the organization policy violates the enterprise's security requirements and is not necessary; the goal is to allow a specific exception without removing the global block. Option C is wrong because VPC firewall rules are evaluated after hierarchical policies, so a VPC rule allowing SSH would be overridden by the hierarchical deny rule, not the other way around. Option D is wrong because Google Cloud hierarchical firewall policies do not support an 'exception list' mechanism; exceptions must be implemented via higher-priority allow rules within the hierarchical policy or at a lower level.

715
MCQ (medium)

A company is designing a hybrid network architecture to connect their on-premises data center to Google Cloud. They need high availability and bandwidth of at least 10 Gbps. Which connectivity option meets these requirements?

A. Cloud VPN with two tunnels to different gateways
B. Dedicated Interconnect with two circuits (each 10 Gbps) to different edge locations
C. Direct Peering with multiple BGP sessions
D. Partner Interconnect with 1 Gbps VLAN attachments
Answer: B

Dedicated Interconnect offers 10 Gbps per circuit and with two circuits provides HA and meets bandwidth requirement.

Why this answer

Dedicated Interconnect with two 10 Gbps circuits to different edge locations meets the 10 Gbps bandwidth requirement and provides high availability through diverse physical paths. Cloud VPN maxes out at 3 Gbps per tunnel, Direct Peering does not offer SLA-backed bandwidth or support for 10 Gbps single connections, and Partner Interconnect typically caps at 1 Gbps per VLAN attachment.

Exam trap

Google Cloud often tests the misconception that Cloud VPN can achieve 10 Gbps by using multiple tunnels, but the per-tunnel and per-VPN gateway throughput limits (typically 3 Gbps) make it unsuitable for sustained 10 Gbps traffic, while Dedicated Interconnect provides dedicated physical circuits with guaranteed bandwidth.

How to eliminate wrong answers

Option A is wrong because Cloud VPN tunnels have a maximum throughput of approximately 3 Gbps per tunnel (even with two tunnels, aggregate throughput is limited by the VPN gateway capacity and does not guarantee 10 Gbps). Option C is wrong because Direct Peering is a bilateral arrangement without a Google SLA, does not support dedicated bandwidth guarantees, and is not designed for single-connection 10 Gbps throughput to a VPC. Option D is wrong because Partner Interconnect VLAN attachments are typically offered at 1 Gbps or lower, and even with multiple attachments, they do not provide the dedicated 10 Gbps circuit required.

716
MCQ (medium)

A company wants to load balance TCP traffic (non-HTTP) across a group of Compute Engine instances in a single region, while preserving the client IP address. They also need to support session affinity based on client IP. Which load balancer should they choose?

A. Global SSL Proxy Load Balancer
B. Global TCP Proxy Load Balancer
C. Internal TCP/UDP Load Balancer
D. External TCP/UDP Network Load Balancer
Answer: D

Correct. It is pass-through, preserves client IP, and supports session affinity.

Why this answer

External TCP/UDP Network Load Balancer is a pass-through load balancer that preserves client IP and supports session affinity. Other options either terminate connections or are HTTP-specific.

717
MCQ (medium)

An organization wants to use Cloud DNS to resolve queries for a custom domain 'example.internal' across multiple projects in the same organization. They have a private zone in project A and want project B to be able to resolve records in that zone. Which feature should they use?

A. Shared VPC
B. Public zone with visibility
C. DNS forwarding
D. DNS peering
Answer: D

DNS peering enables cross-project DNS resolution by allowing a target project to query the source project's private zone.

Why this answer

DNS peering allows a private zone in one project to be shared with other projects for DNS resolution.

718
Multi-Select (easy)

A network engineer is troubleshooting high latency between two VM instances in different GCP regions. Which TWO tools can help identify packet loss and latency issues? (Choose TWO.)

Select 2 answers
A. VPC Flow Logs
B. Performance Dashboard
C. Network Topology
D. Connectivity Tests
E. Firewall Insights
Answers: B, D

Performance Dashboard provides latency and packet loss metrics.

Why this answer

Performance Dashboard shows latency and packet loss between regions. Connectivity Tests can also report latency and packet loss along the path.

719
MCQ (medium)

You need to configure firewall rules to allow HTTP (TCP 80) traffic from the internet to instances in a VPC. The instances are in different subnets and have a network tag 'web-server'. You want to minimize the number of rules. Which rule configuration is correct?

A. Create an ingress rule with source 0.0.0.0/0, protocol tcp:0-65535, and target tags 'web-server'.
B. Create an egress rule with source 0.0.0.0/0, tcp:80, and target tags 'web-server'.
C. Create an ingress rule with source 0.0.0.0/0, tcp:80, and target tags 'web-server'.
D. Create an ingress rule for each subnet with source 0.0.0.0/0, tcp:80, and target tags 'web-server'.
Answer: C

This single ingress rule allows HTTP from any source to instances tagged 'web-server'.

Why this answer

Firewall rules are global, so one ingress rule can apply to all instances with the tag 'web-server' regardless of subnet. The direction must be ingress, source 0.0.0.0/0, protocol tcp:80, and target tags 'web-server'.

720
MCQ (medium)

A company has an HA VPN tunnel between on-premises and Google Cloud. They want traffic destined to 10.1.0.0/16 (a subnet in their VPC) to go through a specific next-hop VPN tunnel interface, but currently traffic is being dropped. What should they verify?

A. The VPC has a custom route with destination 10.1.0.0/16 and next-hop set to the correct VPN tunnel interface.
B. Cloud NAT is enabled.
C. Firewall rules allow ingress from on-premises IPs.
D. The on-premises router is advertising the route via BGP.
Answer: A

A custom route with the correct next-hop is necessary to direct traffic through the specific VPN tunnel.

Why this answer

Option A is correct because a custom route with destination 10.1.0.0/16 and next hop set to the specific VPN tunnel interface is required to direct traffic through that interface. Option C is incorrect because firewall rules control access, not routing. Option D is incorrect because on-premises BGP advertisement supplies routes learned from on-premises, not the routes used inside Google Cloud.

Option B is incorrect because Cloud NAT provides outbound internet access, not routing to on-premises.

721
MCQ (medium)

A company wants to route traffic to different backend services based on the geographic location of the client. Which Cloud DNS routing policy should they use?

A. Weighted round robin
B. Failover
C. Geolocation
D. Cloud CDN
Answer: C

Correct: geolocation routing routes traffic based on client location.

Why this answer

Geolocation routing policy directs traffic to different backends based on the geographic location of the DNS resolver.

722
MCQ (hard)

A company is designing a hub-and-spoke VPC architecture in Google Cloud. The hub VPC hosts a set of shared services, including a third-party firewall appliance (NGFW) in a managed instance group behind a TCP load balancer. Spoke VPCs need to send traffic to the hub's internal TCP load balancer IP (10.0.0.10) for inspection. The firewall appliance inspects traffic and forwards it to the final destination. The network team notices that traffic from one spoke to the load balancer is being dropped. They have verified that VPC peering is established, routes are propagated, and firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

A. The spoke VPC's subnet routes are not advertised to the hub VPC via VPC peering.
B. The spoke VPC does not have a route to the hub's internal load balancer IP via the peering connection.
C. The internal TCP load balancer's forwarding rule is misconfigured, pointing to the wrong target.
D. The hub VPC uses Cloud NAT, which is not compatible with VPC peering.
Answer: A

VPC peering automatically exchanges subnet routes, so the spoke normally has a route to the load balancer IP in the hub's subnet; custom static routes, however, are not exported unless route exchange is configured. The most likely cause is that the routes the hub needs in order to return traffic to the spoke are not exported, resulting in asymmetric routing and dropped packets.

Why this answer

The most likely cause is that the spoke VPC's subnet routes are not advertised to the hub VPC via VPC peering. For traffic from a spoke to reach the hub's internal TCP load balancer (10.0.0.10), the hub must have a route back to the spoke's source IP range. Without the spoke advertising its subnet routes, the hub's firewall appliance cannot return traffic to the spoke, causing asymmetric routing and dropped packets.

Exam trap

The trap here is that candidates assume VPC peering automatically handles all routing in both directions, but they forget that custom routes or non-default subnet ranges must be explicitly advertised to the hub for return traffic to work.

How to eliminate wrong answers

Option B is wrong because the spoke VPC does have a route to the hub's internal load balancer IP via the peering connection — VPC peering automatically installs routes for the entire peered VPC's subnet ranges, so the spoke can reach 10.0.0.10. Option C is wrong because the forwarding rule misconfiguration would cause traffic to never reach the load balancer, but the question states traffic is being dropped (not that it fails to arrive), and the team has verified firewall rules and routes, implying the forwarding rule is correct. Option D is wrong because Cloud NAT is used for outbound internet access from instances without external IPs, and it is fully compatible with VPC peering — it does not interfere with traffic to internal load balancers.

723
MCQ · hard

A security team wants to restrict which Google services can be accessed from their VPC without external IPs. They use Private Google Access. What should they use to block access to specific services?

A. VPC Service Controls
B. Firewall rules blocking destination IPs
C. Cloud NAT with a specific IP range
D. Private Google Access with restricted VIPs
Answer: A

This service creates perimeters to control access to Google services.

Why this answer

VPC Service Controls allows creating security perimeters that restrict access to services.

724
Multi-Select · hard

A company is using Cloud NAT for outbound internet access. They want to ensure that traffic from certain VMs always uses a specific set of NAT IPs for auditing purposes. Which three steps are necessary to achieve this? (Choose THREE.)

Select 3 answers
A. Ensure the VMs have a default route (0.0.0.0/0) with next hop set to the Cloud NAT gateway's subnet
B. Configure IAM conditions on the Cloud NAT resource to restrict which VMs can use it
C. Enable VPC Flow Logs on the subnet to monitor which NAT IPs are used
D. Create a separate Cloud NAT gateway with the desired IPs and associate it with the VMs via a subnet or tags
E. Configure VPC firewall rules to allow egress from the VMs to the internet
Answers: A, D, E

The default route sends traffic to Cloud NAT.

Why this answer

Option A is correct because for Cloud NAT to function, the VM must have a default route (0.0.0.0/0) that points to the Cloud NAT gateway's subnet as the next hop. Without this route, the VM's outbound traffic will not be directed to the NAT gateway, and the NAT IPs will not be used. This ensures that traffic from the VM is routed through the NAT gateway, allowing the specific set of NAT IPs to be applied for auditing.

Exam trap

Google Cloud often tests the misconception that IAM conditions can control Cloud NAT usage per VM, but in reality, Cloud NAT uses subnet or tag-based association, not IAM, and VPC Flow Logs are for monitoring, not configuration.

725
MCQ · easy

A company has a VPC with subnet 10.1.0.0/24 in us-central1. They created a Cloud NAT gateway named 'nat-us-central1' attached to that subnet. During peak hours, many VM instances in the subnet cannot connect to the internet. The NAT configuration shows only one NAT IP. Firewall rules allow egress traffic, and health checks confirm the NAT gateway is functioning. What is the most likely cause of the failure?

A. The Cloud Router is missing or misconfigured.
B. The NAT gateway is not attached to the correct subnet.
C. An egress firewall rule blocks ICMP packets.
D. Port exhaustion due to insufficient NAT IP addresses.
Answer: D

One NAT IP provides limited source ports, easily exhausted by many concurrent connections.

Why this answer

With only one NAT IP address and many VM instances sharing it, the available source ports (65,535 per IP) are quickly exhausted during peak hours. Each concurrent outbound connection consumes a unique source port; once all ports are in use, new connections fail. This is a classic port exhaustion scenario, not a configuration or firewall issue.

Exam trap

Google Cloud often tests the misconception that firewall rules or router misconfiguration are the primary cause of connectivity failures, when in reality port exhaustion from insufficient NAT IPs is a common scaling issue in high-traffic environments.

How to eliminate wrong answers

Option A is wrong because Cloud NAT requires a Cloud Router for dynamic routing, but the question states the NAT gateway is functioning and health checks pass, indicating the router is present and correctly configured. Option B is wrong because the NAT gateway is explicitly attached to subnet 10.1.0.0/24, and health checks confirm it is working, so the attachment is correct. Option C is wrong because the firewall rules allow egress traffic, and ICMP is not required for general internet connectivity; the failure affects all protocols, not just ICMP.

726
MCQ · medium

A company needs to advertise a specific prefix from their on-premises network to GCP via Cloud Router. They do not want to advertise all connected networks. What should they configure on the Cloud Router's BGP peer?

A. Use a static route instead
B. Export custom routes
C. Global routing mode
D. Route advertisements with custom learned routes
Answer: D

Correct. You can set custom learned routes to control advertised prefixes.

Why this answer

Custom learned routes allow you to specify which prefixes are advertised to GCP via BGP.

727
Multi-Select · medium

A company has two Dedicated Interconnect connections from different metro areas to their GCP VPC. They want to use both connections actively (active-active load balancing) without manual intervention. Which TWO configurations are required to achieve this? (Choose two.)

Select 2 answers
A. Use AS path prepending on one of the BGP sessions
B. Advertise the same on-premises prefix with the same MED on both BGP sessions
C. Configure ECMP on the Cloud Router
D. Create two separate Cloud Routers
E. Set different MED values on each BGP session
Answers: B, C

Equal MED ensures both paths are considered equal by BGP, enabling ECMP.

Why this answer

To use active-active, you must configure ECMP on the Cloud Router to load balance across both BGP sessions, and advertise the same prefixes with equal priority (same MED) from both on-premises routers.

728
MCQ · easy

Your company has a VPC with a single subnet in us-central1 (10.0.1.0/24). You have a managed instance group (MIG) of web servers (10.0.1.2-10.0.1.10) and a standalone database instance (10.0.1.100). The web servers need to communicate with the database on TCP port 3306. You have configured a firewall rule allowing ingress from 10.0.1.0/24 to 10.0.1.100 on tcp:3306. However, the web servers cannot connect to the database. You verified that the database is running and listening on port 3306, and that the web servers can ping the database. What should you do to resolve the issue?

A. Create a custom route from the web servers to the database.
B. Check the database instance's OS-level firewall (e.g., iptables) and ensure it allows traffic on port 3306 from the web servers.
C. Add a network tag 'db' to the database instance and update the firewall rule to target 'db'.
D. Configure the firewall rule to use the database's service account as the target.
Answer: B

The VPC firewall allows traffic, but the OS firewall on the database may be blocking the connection.

Why this answer

The firewall rule is correctly configured at the VPC level to allow ingress from the web servers' subnet to the database on TCP port 3306. Since the web servers can ping the database, network connectivity exists, but the application-layer connection fails. This indicates the database instance's OS-level firewall (e.g., iptables on Linux) is blocking the port, as cloud VPC firewall rules and guest OS firewalls operate independently.

Exam trap

Google Cloud often tests the distinction between cloud-level firewall rules and guest OS firewalls, leading candidates to overcomplicate the solution with network tags or routes when the issue is a simple OS-level block.

How to eliminate wrong answers

Option A is wrong because custom routes control packet forwarding paths, not firewall filtering; the web servers and database are in the same subnet, so no routing is needed. Option C is wrong because network tags are used to apply firewall rules to specific instances, but the existing rule already allows traffic from the entire subnet (10.0.1.0/24) to the database IP, so tags are unnecessary and would not fix an OS-level block. Option D is wrong because service accounts are used for authentication and authorization to Google Cloud APIs, not for controlling network traffic within a VPC; firewall rules cannot target service accounts.

729
MCQ · hard

A network engineer configured a hierarchical firewall policy at the organization level with a priority 100 rule that denies all ingress traffic. At the folder level, a policy with priority 110 allows ingress from a specific IP range. At the VPC level, a network firewall policy with priority 90 allows ingress from a different IP range. Which traffic will be allowed?

A. Traffic matching either the folder-level or VPC-level allow rules
B. Only traffic matching the folder-level allow rule
C. Only traffic matching the VPC-level allow rule
D. No traffic is allowed because the org-level deny is evaluated last
Answer: C

The VPC-level policy has priority 90, which is lower than the org-level deny (100), so it overrides the deny and allows matching traffic.

Why this answer

Hierarchical firewall policies are evaluated in order of priority (lower number = higher priority), followed by network firewall policies. The org-level rule with priority 100 denies all ingress. The folder-level rule with priority 110 allows specific IPs, but the org rule has the higher priority and overrides it.

The VPC-level network firewall policy has priority 90, which is numerically lower than the org-level deny (100), so it takes precedence over that deny.

Thus, traffic matching the VPC policy's allowed IP range is allowed.

730
Multi-Select · medium

Which THREE of the following are benefits of using VPC Flow Logs?

Select 3 answers
A. Compliance and audit requirements.
B. Troubleshooting connectivity issues.
C. Detecting DDoS attacks.
D. Reducing network latency.
E. Real-time network monitoring.
Answers: A, B, C

Flow logs provide records of network traffic for compliance.

Why this answer

VPC Flow Logs help with compliance and audit (A), troubleshooting connectivity issues (B), and detecting DDoS attacks (C). Option E is incorrect because flow logs are not real-time; there is a delay. Option D is incorrect because flow logs do not reduce latency.

731
MCQ · easy

A company is deploying a Dedicated Interconnect with a 10 Gbps circuit to Google Cloud. They need to ensure high availability. Which configuration is required by Google Cloud to meet the high availability SLA?

A. Combine Dedicated Interconnect with a Cloud VPN tunnel for failover
B. Use Partner Interconnect instead of Dedicated Interconnect
C. Provision two VLAN attachments on two separate Cloud Routers in different zones
D. Provision a single VLAN attachment on one Cloud Router
Answer: C

Two VLAN attachments in different zones provide redundancy and meet the HA SLA.

Why this answer

To meet the high availability SLA for Dedicated Interconnect, Google Cloud requires at least two VLAN attachments, each on a separate Cloud Router in different zones. This ensures that if one zone or Cloud Router fails, traffic can still flow through the other attachment, providing redundancy. A single VLAN attachment or a single Cloud Router does not meet the 99.99% availability SLA because it creates a single point of failure.

Exam trap

The trap here is that candidates often think a single Cloud Router with multiple VLAN attachments is sufficient, but Google Cloud requires the Cloud Routers themselves to be in different zones to avoid a single point of failure at the zone level.

How to eliminate wrong answers

Option A is wrong because combining Dedicated Interconnect with a Cloud VPN tunnel is not a required configuration for the high availability SLA; while it can provide a backup path, the SLA specifically requires redundant VLAN attachments on separate Cloud Routers in different zones. Option B is wrong because Partner Interconnect is an alternative connectivity option, not a requirement for high availability; the SLA for Dedicated Interconnect is met with redundant VLAN attachments, not by switching to Partner Interconnect. Option D is wrong because a single VLAN attachment on one Cloud Router creates a single point of failure and does not meet the high availability SLA, which mandates at least two attachments in different zones.

732
Multi-Select · easy

An organization is considering using Partner Interconnect to connect to Google Cloud. They want the service provider to manage the BGP sessions. Which TWO configurations must they choose? (Choose TWO.)

Select 2 answers
A. Select Layer 2 connectivity option with the provider
B. Create VLAN attachment of type PARTNER_PROVIDER
C. Select Layer 3 connectivity option with the provider
D. Create VLAN attachment of type PARTNER
E. Configure BGP sessions on the Cloud Router
Answers: B, C

PARTNER_PROVIDER is used when the provider manages BGP.

Why this answer

For Layer 3 connectivity where the provider manages BGP, the VLAN attachment type must be PARTNER_PROVIDER, and the provider handles BGP.

733
MCQ · medium

A company needs to connect their on-premises data center to Google Cloud using Dedicated Interconnect. They have a service level agreement that requires 99.99% availability for the connection. What is the minimum number of VLAN attachments they must provision, and how should they be configured to meet this SLA?

A. One VLAN attachment with a single Interconnect
B. Two VLAN attachments, each on a different Interconnect
C. Four VLAN attachments on two Interconnects
D. Two VLAN attachments on the same Interconnect
Answer: B

Two VLAN attachments on redundant Interconnects provide the required availability.

Why this answer

To achieve 99.99% availability for Dedicated Interconnect, you must eliminate single points of failure. A single VLAN attachment on one Interconnect (Option A) provides no redundancy. Google Cloud requires at least two VLAN attachments, each on a different Interconnect (and ideally different edge availability domains), to meet this SLA.

This ensures that if one Interconnect or VLAN attachment fails, traffic can fail over to the other, maintaining connectivity.

Exam trap

Google Cloud often tests the misconception that two VLAN attachments on the same Interconnect provide redundancy, but the trap here is that they share the same physical link and edge availability domain, so a single failure takes down both attachments.

How to eliminate wrong answers

Option A is wrong because a single VLAN attachment on one Interconnect creates a single point of failure; Google Cloud's 99.99% SLA for Dedicated Interconnect requires redundant connections across at least two separate Interconnects. Option C is wrong because four VLAN attachments on two Interconnects exceed the minimum requirement; two VLAN attachments (one per Interconnect) are sufficient to meet the 99.99% SLA, and adding more does not increase availability beyond the SLA. Option D is wrong because two VLAN attachments on the same Interconnect share the same physical link; if that Interconnect fails, both attachments go down, so this configuration does not provide the required redundancy.

734
MCQ · medium

A company wants to protect its external HTTPS load balancer from SQL injection and cross-site scripting attacks. Which Google Cloud service should they use?

A. VPC Service Controls
B. Cloud Firewall
C. Cloud IDS
D. Cloud Armor
Answer: D

Cloud Armor provides WAF with preconfigured rules for SQLi and XSS.

Why this answer

Cloud Armor provides WAF capabilities including preconfigured rules for OWASP Top 10 threats like SQLi and XSS, and can be attached to HTTPS load balancers.

735
MCQ · medium

A network engineer is setting up a Dedicated Interconnect between an on-premises network and Google Cloud. After the circuit is ordered and the physical connection is established at the co-location facility, what is the first step to configure the interconnect inside GCP?

A. Configure a VPN tunnel for backup connectivity.
B. Create a VLAN attachment to associate with the interconnect.
C. Enable Cloud NAT for outbound traffic.
D. Create a Cloud Router with BGP sessions.
Answer: B

A VLAN attachment is the first logical configuration step after the physical connection.

Why this answer

After the physical connection is ready, you must create a VLAN attachment in Google Cloud to define the connection between your VPC and the interconnect.

736
MCQ · easy

A startup is deploying its first application on Google Cloud and needs to create a VPC network. They want to avoid manual subnet planning and prefer that Google automatically creates subnets in each region as they expand. Which VPC type should they choose?

A. Shared VPC
B. Auto mode VPC
C. VPC Network Peering
D. Custom mode VPC
Answer: B

Auto mode VPCs automatically create subnets in each region, which is ideal for avoiding manual subnet planning.

Why this answer

Auto mode VPCs automatically create subnets in each region with predetermined IP ranges, simplifying initial setup. Custom mode VPCs require manual subnet creation.

737
Multi-Select · medium

Your organization uses Cloud DNS for private DNS resolution within GCP. You need to enable on-premises DNS servers to resolve GCP private zone names (e.g., myinstance.internal.example.com). Which TWO resources must you configure? (Choose two.)

Select 2 answers
A. Configure an outbound DNS server policy in GCP
B. Create a DNS peering zone in Cloud DNS that points to the on-premises DNS servers
C. Configure an inbound DNS server policy in GCP
D. Set up a VPN tunnel between GCP and on-premises
E. Create a forwarding zone in Cloud DNS
Answers: B, C

The inbound DNS server policy allocates a Google-managed forwarding IP address in the VPC, and the on-premises DNS servers are configured with conditional forwarders that send queries for the GCP private zone to that IP. The DNS peering zone is the second resource expected here; it is normally used to forward queries in the other direction (a forwarding zone in Cloud DNS is an alternative), but the two resources to configure are the inbound DNS server policy and the DNS peering zone.

Why this answer

To allow on-premises DNS to resolve GCP private zones, you create a DNS peering zone in Cloud DNS that forwards queries to on-premises, and you configure the on-premises DNS servers to forward queries for the GCP private zone to the Google-managed forwarding IP (inbound DNS policy).

738
MCQ · easy

A startup is creating a new VPC for their production environment. They want to minimize management overhead and plan to use multiple regions. Which VPC type should they choose?

A. Auto mode VPC
B. Custom mode VPC
C. Shared VPC
D. VPC Network Peering
Answer: A

Auto mode creates subnets in each region automatically, suitable for multi-region setups with minimal management.

Why this answer

Auto mode VPCs automatically create subnets in each region and manage IP ranges, reducing management overhead. Custom mode requires manual subnet creation.

739
Multi-Select · hard

A company is setting up HA VPN between GCP and on-premises. They want 99.99% SLA. Which TWO configurations are required? (Choose 2)

Select 3 answers
A. One external IP address on the Cloud VPN gateway
B. Four IKEv2 tunnels with BGP
C. Cloud Router configured with BGP
D. Two external IP addresses on the Cloud VPN gateway
E. Static routing
Answers: B, C, D

Four tunnels (two per gateway) with BGP for HA.

Why this answer

To achieve a 99.99% SLA for HA VPN, Google Cloud requires two Cloud VPN gateways, each with a unique external IP address, and two tunnels per gateway (four tunnels total) using IKEv2. BGP must be configured on a Cloud Router to provide dynamic routing and failover, ensuring that traffic is redirected if a tunnel or gateway fails.

Exam trap

Cisco often tests the misconception that a single VPN gateway with two tunnels is sufficient for high availability, but the 99.99% SLA specifically requires two gateways (two external IPs) and four tunnels with BGP.

740
MCQ · hard

An engineer configures an HA VPN with two tunnels to an on-premises network using IKEv2 and pre-shared keys. After configuration, the tunnels show as established, but no traffic flows. The Cloud Router BGP sessions are not established. The on-premises firewall logs show IKE packets are being sent but no response. What is the most likely cause?

A. The Cloud Router BGP AS number is duplicated
B. The pre-shared keys do not match
C. The on-premises firewall is blocking UDP port 500
D. The VPN tunnel is configured as policy-based instead of route-based
Answer: B

Mismatched pre-shared keys cause IKE negotiation to fail, resulting in no response from the Google side.

Why this answer

B is correct because the on-premises firewall logs show IKE packets being sent but no response, which indicates that the IKEv2 pre-shared key mismatch causes the IKE authentication phase to fail. Even though the tunnel status shows as established (likely due to a stale or misconfigured status check), the BGP sessions cannot form because the IKE security association (SA) is not fully authenticated, preventing the IPsec SA from being created and thus blocking all traffic, including BGP packets.

Exam trap

Cisco often tests the distinction between IKE phase 1 (ISAKMP) and phase 2 (IPsec) failures, and the trap here is that candidates assume 'tunnels established' means the IPsec SA is up, when in reality the status may reflect only the IKE_SA_INIT phase, and the pre-shared key mismatch prevents full authentication and IPsec SA creation.

How to eliminate wrong answers

Option A is wrong because a duplicate Cloud Router BGP AS number would cause BGP session flapping or rejection, but it would not prevent IKE packets from receiving a response; the IKE phase would still complete successfully. Option C is wrong because if the on-premises firewall were blocking UDP port 500, the firewall logs would show IKE packets being dropped or no packets at all, not 'IKE packets are being sent but no response' (the packets are sent, but the response is missing due to authentication failure). Option D is wrong because a policy-based tunnel would still allow IKE to establish and BGP to form if the correct policies are in place; the issue here is specifically at the IKE authentication layer, not the tunnel type.

741
MCQ · hard

An organization needs to restrict access to Google Cloud APIs such that only traffic from a specific set of VMs inside a VPC can reach the APIs, and all other traffic (including from other VPCs) must be denied. The VMs do not have external IPs. Which combination of services should they use?

A. Private Service Connect and VPC Service Controls
B. Cloud NAT and VPC Service Controls
C. Private Google Access and VPC Service Controls
D. Cloud NAT and Private Google Access
Answer: C

Private Google Access enables VMs without external IPs to reach Google APIs; VPC Service Controls restrict to the specified VPC.

Why this answer

Private Google Access allows VMs without external IPs to reach Google APIs. VPC Service Controls can create a service perimeter that restricts access to APIs from only authorized VPCs.

742
MCQ · hard

You have set up a Dedicated Interconnect with two VLAN attachments (each 10 Gbps) and configured ECMP on the Cloud Router. You observe that traffic from on-premises to a specific VM is only using one attachment. What is the most likely cause?

A. Route propagation is disabled on one Cloud Router interface
B. One of the VLAN attachments has a higher route priority
C. BGP ASN mismatch between the two attachments
D. The traffic consists of a single flow that is hashed to one attachment
Answer: D

ECMP per-flow hashing keeps each flow to one path.

Why this answer

D is correct because ECMP (Equal-Cost Multi-Path) relies on hashing of packet headers (e.g., 5-tuple: source/destination IP, protocol, source/destination port) to select a path. A single flow (e.g., a TCP connection between two specific IPs and ports) will always hash to the same attachment, so it cannot use both VLAN attachments simultaneously. This is expected behavior, not a fault.

Exam trap

Google Cloud often tests the misconception that ECMP should load-balance every packet across all links, but the trap here is that ECMP operates on a per-flow basis (not per-packet) to avoid packet reordering, so a single flow will always use only one path.

How to eliminate wrong answers

Option A is wrong because route propagation is a BGP setting that controls whether learned routes are advertised to VPC networks; if disabled on one interface, routes would be missing entirely, not just for a single flow. Option B is wrong because route priority (e.g., MED, local preference) affects which route is preferred for a prefix, but both attachments have equal cost (same bandwidth, same AS path length), so priority does not cause single-flow behavior. Option C is wrong because an ASN mismatch would prevent BGP peering from establishing at all, causing complete loss of connectivity on that attachment, not selective use of one attachment for a single flow.

743
MCQ · easy

When setting up a Partner Interconnect, which Google Cloud resource is used to connect to the partner's network?

A. Cloud VPN gateway
B. Cloud Interconnect attachment
C. VLAN attachment
D. Cloud Router
Answer: C

A VLAN attachment is the logical connection between Google Cloud and the partner's network.

Why this answer

When setting up a Partner Interconnect, the correct Google Cloud resource is a VLAN attachment. This attachment is provisioned on a Cloud Interconnect connection that is managed by a supported service provider, and it defines the VLAN and the Cloud Router configuration used to exchange routes via BGP. The VLAN attachment is the logical construct that connects your VPC network to the partner's network through the partner's physical infrastructure.

Exam trap

Google Cloud often tests the distinction between the physical connection (Dedicated Interconnect or Partner Interconnect) and the logical attachment (VLAN attachment), so candidates mistakenly select 'Cloud Interconnect attachment' as a generic term instead of the precise 'VLAN attachment' resource name used in Google Cloud.

How to eliminate wrong answers

Option A is wrong because Cloud VPN gateway is used for IPsec VPN tunnels over the public internet, not for dedicated or partner-managed physical interconnections. Option B is wrong because 'Cloud Interconnect attachment' is not a specific Google Cloud resource; the correct term is 'VLAN attachment' which is the attachment created on a Dedicated or Partner Interconnect connection. Option D is wrong because Cloud Router is a dynamic routing appliance that exchanges BGP routes over the VLAN attachment, but it is not the resource that directly connects to the partner's network—the VLAN attachment is the connection point.

744
MCQ · hard

Refer to the exhibit. A Cloud Router has two BGP sessions. The first session is UP, the second is DOWN. What is the most likely cause for the second session being down?

A. The advertised route priority is too low.
B. The session initialization mode is set to PASSIVE.
C. The peer IP address 169.254.1.2 is not routable.
D. The BFD multiplier is too low (3).
Answer: B

If the peer is also PASSIVE, the session cannot establish. One side must be ACTIVE.

Why this answer

The second session has sessionInitializationMode set to PASSIVE. If the peer router is also configured as PASSIVE, the BGP session will never establish. The first session is ACTIVE, so it came up.

This is a common misconfiguration.

745
MCQ · easy

A company wants to analyze VPC Flow Logs to understand which external IPs are generating the most outbound traffic. What is the most scalable way to store and query these logs?

A. BigQuery
B. Cloud Storage and analyze with gsutil
C. Cloud Logging with Logs Explorer
D. Cloud Monitoring Metrics
Answer: A

BigQuery offers scalable, SQL-based analysis of Flow Logs.

Why this answer

VPC Flow Logs can be exported to BigQuery, which provides scalable SQL analysis for large datasets. This is the recommended approach for complex queries.

746
MCQ · easy

A company needs to connect their on-premises data center to Google Cloud using a VPN with high availability. They have two VPN appliances on-premises in different locations. What is the best design on the GCP side?

A. Deploy one Cloud VPN gateway with two tunnels to both on-premises appliances, using one Cloud Router.
B. Deploy two Cloud VPN gateways in the same region, each with a tunnel to a different on-premises appliance, using separate Cloud Routers.
C. Deploy one Cloud VPN gateway with a single tunnel to one on-premises appliance.
D. Deploy two Cloud VPN gateways in different regions, each with a tunnel to a different on-premises appliance, using separate Cloud Routers.
Answer: D

Provides regional redundancy and full HA.

Why this answer

Option D is correct because it provides true high availability by using two Cloud VPN gateways in different regions, each with a tunnel to a different on-premises appliance. This design ensures that if one region or gateway fails, traffic can still flow through the other region, meeting the requirement for high availability. Using separate Cloud Routers allows for dynamic routing with BGP, enabling automatic failover and load balancing across the two tunnels.

Exam trap

The trap here is that candidates often assume two tunnels from a single gateway provide high availability, but they overlook that the gateway itself is a single point of failure; true high availability requires redundancy at both the gateway and region level.

How to eliminate wrong answers

Option A is wrong because deploying one Cloud VPN gateway creates a single point of failure in the GCP region; if that gateway or region fails, both tunnels are lost, even though they connect to different on-premises appliances. Option B is wrong because deploying two Cloud VPN gateways in the same region still leaves the design vulnerable to a regional outage; if the entire region goes down, both gateways and their tunnels are unavailable. Option C is wrong because a single tunnel provides no redundancy at all; if the tunnel, gateway, or on-premises appliance fails, connectivity is completely lost.

747
MCQ · medium

An organization wants to restrict data exfiltration from a GCP project. They need to prevent users from copying data to external cloud storage services like AWS S3, but allow access to Google Cloud Storage. Which VPC Service Controls (VPC-SC) configuration should they use?

A. Combine VPC Service Controls with a Cloud Firewall that denies egress to non-Google IPs.
B. Use Cloud Firewall rules to block egress to AWS IP ranges.
C. Enable Data Loss Prevention (DLP) API to inspect outgoing data.
D. Create a VPC Service Controls perimeter that includes the project and set access levels to allow only Google Cloud Storage.
Answer: A

VPC-SC secures Google services, and firewall rules can block external destinations.

Why this answer

Option A is correct because VPC Service Controls (VPC-SC) can create a perimeter that restricts data movement to only Google Cloud Storage, while Cloud Firewall egress rules can deny traffic to non-Google IP ranges (including AWS S3 endpoints). This combination ensures that even if a user attempts to copy data to an external cloud storage service, the firewall blocks the egress traffic, and VPC-SC prevents access to Google Cloud Storage from outside the perimeter.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls alone can block data exfiltration to external cloud storage services, when in fact they only control access to Google Cloud services and must be combined with network-level controls like Cloud Firewall egress rules to block traffic to non-Google endpoints.

How to eliminate wrong answers

Option B is wrong because Cloud Firewall rules alone cannot distinguish between Google Cloud Storage and external cloud storage services like AWS S3 based on IP ranges alone, as both may share overlapping or dynamic IP ranges; also, firewall rules do not enforce data exfiltration policies at the application layer. Option C is wrong because the Data Loss Prevention (DLP) API inspects data for sensitive content but does not block data exfiltration to external cloud storage services; it is a detection tool, not a prevention mechanism. Option D is wrong because setting access levels to allow only Google Cloud Storage within a VPC-SC perimeter does not prevent users from copying data to external cloud storage services like AWS S3, as VPC-SC perimeters control access to Google Cloud services, not egress traffic to non-Google endpoints.

748
MCQ · easy

What is the default Maximum Transmission Unit (MTU) for Compute Engine virtual machines?

A. 1460
B. 1500
C. 9001
D. 1400
Answer: A

1460 is the default MTU for Compute Engine instances.

Why this answer

GCP uses an MTU of 1460 for both VMs and the underlying network infrastructure.

749
Multi-Select · medium

You need to configure a health check for a backend service that uses HTTP2. Which THREE settings must be configured correctly for the health check to work? (Select three.)

Select 3 answers
A. Request path
B. Protocol: HTTP2
C. Proxy protocol
D. SSL certificate
E. Port
Answers: A, B, E

The request path is required because the health check sends an HTTP2 request to that path on the configured port.

Why this answer

For an HTTP2 health check, you need to specify the protocol (HTTP2), a port, and a request path.

750
Multi-Select · medium

A company is deploying a new application across three VPCs in the same project, using Shared VPC. The security team wants to restrict traffic such that only the frontend subnet (10.0.1.0/24) can send traffic to the backend subnet (10.0.2.0/24) on TCP port 8080. The backend instances have the service account 'backend-sa@project.iam.gserviceaccount.com'. Which TWO firewall rule configurations achieve this goal?

Select 2 answers
A. Create an ingress firewall rule on the backend VPC with source service account 'frontend-sa@project.iam.gserviceaccount.com', protocol tcp:8080, and target service account 'backend-sa@project.iam.gserviceaccount.com'.
B. Create an egress firewall rule on the frontend VPC with source CIDR 10.0.1.0/24, protocol tcp:8080, and target CIDR 10.0.2.0/24.
C. Create an ingress firewall rule on the backend VPC with source CIDR 10.0.1.0/24, protocol tcp:8080, and target tag 'backend-tag'.
D. Create an ingress firewall rule on the backend VPC with source tag 'frontend-tag', protocol tcp:8080, and target tag 'backend-tag'.
E. Create a VPC firewall rule with priority 1000 that denies all traffic from 10.0.1.0/24 to 10.0.2.0/24, and then a higher priority rule allowing tcp:8080.
Answers: A, C

Using source and target service accounts precisely restricts traffic to only the frontend service account communicating to the backend service account on tcp:8080.

Why this answer

Option A is correct because it uses service accounts as both source and target in an ingress rule on the backend VPC. This allows only instances with the frontend service account to send traffic to instances with the backend service account on TCP 8080, meeting the security requirement without relying on IP addresses or network tags.

Exam trap

The trap here is that candidates often assume egress rules on the source VPC are sufficient to control inbound traffic to the backend, but Google Cloud requires ingress rules on the destination VPC to filter incoming packets, and service account-based rules are often overlooked in favor of IP-based rules.

Google Professional Cloud Network Engineer PCNE Questions 676–750 | Page 10/14 | Courseiva