Google Professional Cloud Network Engineer (PCNE) — Questions 751–825

982 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751 · Multi-Select · medium

A company uses Shared VPC to centralize network management. The host project contains subnets for production and development environments. Which two statements accurately describe the capabilities of Shared VPC? (Choose TWO.)

Select 2 answers
A. Service project VMs can use internal IP addresses from the shared subnets.
B. Shared VPC supports transitive peering across service projects.
C. IAM policies on shared subnets can be delegated to service project administrators.
D. Service project administrators can create subnets in the host project.
E. Service projects cannot have their own VPCs when using Shared VPC.
Answers: A, C

VMs in service projects are assigned internal IPs from the shared subnets.

Why this answer

Shared VPC allows a host project to share subnets with service projects. IAM on shared subnets can be delegated to service project administrators, and VMs in service projects can use internal IPs from the shared subnets.

752 · Multi-Select · medium

An engineer needs to plan IP address ranges for a new GCP environment that will connect to an on-premises network via Dedicated Interconnect. The on-premises network uses 10.0.0.0/8. The GCP VPC must support GKE pods and services and future expansion. Which THREE best practices should the engineer follow? (Choose three.)

Select 3 answers
A. Plan secondary IP ranges for GKE pods and services
B. Use the same IP range as on-premises for simplicity
C. Use a public IP range for the VPC to avoid overlap
D. Select a CIDR block that does not overlap with the on-premises network
E. Use an RFC 1918 private IP range for the VPC
Answers: A, D, E

Secondary ranges are required for GKE.

Why this answer

Best practices: Use RFC 1918 private ranges, avoid overlapping with on-premises, plan secondary ranges for GKE (pods and services), and use non-overlapping ranges for future expansion.

753 · Multi-Select · medium

Which TWO factors should be considered when selecting a Google Cloud region for deploying a globally distributed application to minimize latency for users?

Select 2 answers
A. Availability of required Google Cloud services in the region
B. Compliance with data residency requirements
C. Proximity to the majority of users
D. Number of zones in the region
E. Cost of resources in the region
Answers: A, C

The region must support the services needed (e.g., Compute Engine, Cloud Load Balancing).

Why this answer

Option A is correct because the availability of required Google Cloud services in a region is a fundamental constraint: if a service (e.g., Cloud Spanner, BigQuery, or a specific machine series) is not offered in a region, you cannot deploy that component there, regardless of latency benefits. Option C is correct because minimizing latency for a globally distributed application requires placing compute and data resources as close as possible to the majority of users, reducing round-trip time (RTT) and improving user experience. Google Cloud's global network and edge caching locations (e.g., Cloud CDN) further amplify the benefit of proximity.

Exam trap

Google Cloud often tests the misconception that compliance or cost are primary factors for latency minimization, when in fact they are separate design constraints that may conflict with latency goals.

754 · MCQ · hard

An organization uses a hierarchical firewall policy at the organization level with a deny-all egress rule (priority 100). They also have a VPC-level firewall rule allowing egress to a specific external IP (priority 1000). Will traffic to that external IP be allowed?

A. Yes, because VPC firewall rules override hierarchical policies for the same traffic.
B. Yes, because the VPC rule has a higher priority number and is more specific.
C. No, because hierarchical firewall policies take precedence over VPC firewall rules.
D. No, because the deny and allow rules cancel out, resulting in default deny.
Answer: C

Hierarchical policies are evaluated first and if they deny, traffic is denied regardless of VPC rules.

Why this answer

Hierarchical firewall policies are evaluated before VPC firewall rules and have higher precedence. A deny rule at the org level with priority 100 will override a VPC allow rule with lower priority (higher number).

755 · MCQ · hard

A network engineer is troubleshooting connectivity between an on-premises network and Google Cloud. The on-premises router has two BGP sessions configured for redundancy with a Cloud Router. The engineer runs the command above. Which issue does the output indicate?

A. Both BGP sessions are down
B. The BGP session for peer-a is down
C. The on-premises router is not advertising any routes to the Cloud Router
D. The Cloud Router is not advertising any routes to on-premises
Answer: C

learnedRoutes is empty for peer-a, indicating no routes received from on-premises.

Why this answer

The output shows that both BGP sessions are established (state = Established), so options A and B are incorrect. However, the 'Received routes' count is 0 for both peers, meaning the on-premises router is not sending any routes to the Cloud Router. This prevents the Cloud Router from learning the on-premises prefixes, breaking connectivity from Google Cloud to on-premises.

Exam trap

The trap here is that candidates see 'Established' sessions and assume full connectivity, overlooking that BGP session up does not guarantee routes are being exchanged, which is the actual root cause of the connectivity failure.

How to eliminate wrong answers

Option A is wrong because the BGP session state for both peers is 'Established', indicating the TCP connection and BGP session are up, not down. Option B is wrong because peer-a's session state is also 'Established', so it is not down. Option D is wrong because the 'Advertised routes' count is non-zero (e.g., 5 for peer-a), showing the Cloud Router is sending routes; the issue is with received routes, not advertised routes.

756 · Multi-Select · medium

A company is designing a hybrid network using Dedicated Interconnect. They want to configure BGP for load balancing across multiple VLAN attachments. Which TWO statements are correct?

Select 2 answers
A. You must create a separate Cloud Router for each VLAN attachment.
B. You can configure the Cloud Router to advertise the same IP prefixes over both VLAN attachments.
C. You should use BGP MED to load balance outbound traffic from Google Cloud.
D. You can use the same BGP ASN for both VLAN attachments.
E. Load balancing across VLAN attachments requires a single BGP session.
Answers: B, D

Advertising the same prefixes over multiple VLANs enables load balancing.

Why this answer

Option B is correct because a Cloud Router can advertise the same IP prefixes over multiple VLAN attachments to enable load balancing. This allows Google Cloud to use ECMP (Equal-Cost Multi-Path) routing to distribute outbound traffic across the two VLAN attachments, as long as the BGP attributes (e.g., AS path length, MED) are equal.

Exam trap

Google Cloud often tests the misconception that BGP MED controls outbound traffic, but in reality, MED is a hint for inbound path selection, while outbound load balancing relies on equal BGP attributes and ECMP.

757 · MCQ · easy

A company has a Dedicated Interconnect with one 10 Gbps connection. They need high availability for critical workloads. Which design is the best practice according to Google Cloud recommendations?

A. Provision a second Dedicated Interconnect connection to a different PoP.
B. Add a second connection to the same PoP using the same provider.
C. Rely on the single connection and monitor for failures.
D. Use Cloud VPN as a backup to the Dedicated Interconnect.
Answer: A

Connections to different PoPs provide geographic redundancy and higher availability.

Why this answer

Google Cloud best practice for high availability with Dedicated Interconnect requires at least two physical connections, each to a different edge point of presence (PoP), to eliminate single points of failure at the network edge. A single 10 Gbps connection, even with a backup VPN, does not provide the same SLA or bandwidth guarantees for critical workloads. Option A ensures that if one PoP or provider fails, the other connection can maintain connectivity.

Exam trap

The trap here is that candidates often assume a second connection to the same PoP or a VPN backup is sufficient for high availability, but Google Cloud explicitly requires diverse PoPs to protect against facility-level failures, and VPN backup lacks the bandwidth and SLA for critical workloads.

How to eliminate wrong answers

Option B is wrong because adding a second connection to the same PoP using the same provider still creates a single point of failure at that PoP; both connections share the same physical location and provider infrastructure, so an outage at that PoP or provider will take down both links. Option C is wrong because relying on a single connection with monitoring does not provide high availability; any failure of that single link will cause downtime for critical workloads, and Google Cloud recommends at least two connections for HA. Option D is wrong because Cloud VPN as a backup to Dedicated Interconnect does not provide the same bandwidth (typically limited to 3 Gbps per tunnel) or latency guarantees, and it introduces additional encryption overhead; it is suitable for lower-bandwidth or non-critical failover, not for maintaining 10 Gbps throughput for critical workloads.

758 · MCQ · medium

An organization needs to reduce egress costs for a global application serving users worldwide. The application serves static content from Compute Engine instances. Which action is most cost-effective?

A. Move all instances to a single region to reduce cross-region traffic
B. Use Cloud CDN to cache content at edge locations
C. Upgrade to Premium Tier networking
D. Enable Private Google Access
Answer: B

Cloud CDN reduces egress by serving cached content from edge PoPs, lowering bandwidth to origin.

759 · MCQ · medium

A company is using Cloud NAT for internet access from private subnets. Security team notices that traffic from a specific VM is being blocked by external firewalls because the source IP is not the Cloud NAT IP. What is the most likely cause?

A. The VM is in a different zone than the Cloud NAT gateway
B. The VPC firewall rules are blocking outbound traffic from the VM to the Cloud NAT IP
C. Cloud Router is misconfigured and not advertising the Cloud NAT IP
D. The VM has a custom route that does not use the default route through Cloud NAT
Answer: D

Traffic must match the default route to be source NATed by Cloud NAT.

Why this answer

Option D is correct because Cloud NAT relies on the default route (0.0.0.0/0) pointing to the Cloud Router to direct traffic through the NAT gateway. If a VM has a custom route that overrides the default route (e.g., a more specific route to an external IP or a route to a different next hop), the VM's outbound traffic will bypass Cloud NAT entirely, resulting in the source IP being the VM's private IP instead of the Cloud NAT IP. This causes external firewalls to block the traffic as the source IP is not the expected NAT IP.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is zone-dependent or that firewall rules are the cause, when in reality the issue is almost always a routing override that prevents traffic from reaching the NAT gateway.

How to eliminate wrong answers

Option A is wrong because Cloud NAT operates at the VPC level and is not zone-specific; a VM in any zone within the same region can use the same Cloud NAT gateway as long as the subnet is associated with the NAT configuration. Option B is wrong because VPC firewall rules control traffic at the instance level (ingress/egress) but do not affect the routing path; if outbound traffic were blocked by firewall rules, the traffic would not reach the Cloud NAT IP at all, but the symptom here is that traffic reaches the internet with the wrong source IP, indicating a routing issue, not a firewall block. Option C is wrong because Cloud Router is used for dynamic routing (e.g., BGP) with on-premises or VPN connections, not for advertising Cloud NAT IPs; Cloud NAT IPs are not advertised via BGP—they are used for source NAT and are not routable from the internet.

760 · Multi-Select · easy

Which TWO of the following methods can be used to encrypt traffic between VPC networks?

Select 2 answers
A. Use of SSL/TLS at the application layer.
B. VPC peering.
C. Cloud Interconnect with VLAN attachments.
D. Cloud VPN with IPsec.
E. Cloud NAT.
Answers: A, D

SSL/TLS encrypts application data end-to-end.

Why this answer

Option A is correct because SSL/TLS operates at the application layer (Layer 7) of the OSI model, providing end-to-end encryption for traffic between VPC networks. When applications use HTTPS (HTTP over TLS), the payload is encrypted before leaving the source, ensuring confidentiality even if the underlying network path is untrusted. This method is independent of the underlying network connectivity, making it suitable for encrypting traffic across VPCs connected via any means, including the public internet.

Exam trap

Google Cloud often tests the misconception that VPC peering or Cloud Interconnect inherently encrypts traffic, when in fact they only provide private connectivity without encryption, and candidates must remember that encryption requires explicit protocols like IPsec or TLS.

761 · MCQ · easy

A company wants to establish a dedicated physical connection between their on-premises network and Google Cloud. They need a 10 Gbps connection and are willing to manage the circuit and colocation facility themselves. Which Google Cloud service should they use?

A. Dedicated Interconnect
B. Partner Interconnect
C. Cloud CDN
D. Cloud VPN
Answer: A

Dedicated Interconnect provides a direct physical connection up to 10 Gbps (or 100 Gbps) and requires the customer to manage circuit ordering and colocation.

Why this answer

Dedicated Interconnect provides a direct physical connection between the on-premises network and Google's network via a colocation facility and Google Partner PoP. It is managed by the customer for circuit ordering and colocation.

762 · Multi-Select · hard

A company is experiencing a BGP session flap between Cloud Router and an on-premises router. Which THREE actions should the engineer take to diagnose the issue?

Select 3 answers
A. Check VPN tunnel status and IKE parameters
B. Examine Cloud Router logs for BGP state changes
C. Enable VPC Flow Logs on the subnet
D. Review Network Topology for path changes
E. Verify firewall rules allow tcp/179 between peer IPs
Answers: A, B, E

If BGP over VPN, tunnel issues can cause flaps.

Why this answer

Check Cloud Router logs for BGP events, verify firewall rules allow BGP traffic (TCP 179), and check VPN tunnel status if using VPN. VPC Flow Logs and Network Topology are less relevant.

763 · MCQ · medium

A company uses Identity-Aware Proxy (IAP) to secure access to a group of Compute Engine instances running a web application. The instances have no external IP addresses and are accessed via IAP TCP forwarding. Recently, the security team discovered that some users can access the instances directly via SSH from other instances within the same VPC, bypassing IAP. What is the most effective way to ensure all SSH access goes through IAP?

A. Modify the VPC firewall rule to deny ingress traffic on TCP port 22 from all sources except the IAP IP range (35.235.240.0/20).
B. Assign a service account to each instance with the IAP-secured Tunnel User role.
C. Remove SSH keys from the instances and use OS Login.
D. Create a new firewall rule that allows SSH only from the IAP IP range and delete the existing SSH rule.
Answer: A

This ensures only IAP can initiate SSH connections.

Why this answer

Option A is correct because the IAP TCP forwarding source IP range (35.235.240.0/20) is the only range that should be allowed to initiate SSH connections to the instances. By modifying the VPC firewall rule to deny all other sources on TCP port 22, you ensure that any SSH traffic not originating from the IAP IP range is blocked, even from other instances within the same VPC. This directly addresses the bypass scenario where users SSH from other internal instances.

Exam trap

Google Cloud often tests the misconception that IAP alone enforces access control, when in reality it relies on VPC firewall rules to restrict traffic to only the IAP source IP range; candidates may incorrectly choose options that change authentication (OS Login) or authorization (service account roles) instead of addressing the network path.

How to eliminate wrong answers

Option B is wrong because assigning a service account with the IAP-secured Tunnel User role controls who can use IAP to connect, but does not prevent direct SSH access from other instances within the VPC; it does not force traffic through IAP. Option C is wrong because removing SSH keys and using OS Login changes the authentication method but does not restrict the network path; instances can still be reached directly via SSH from other VPC instances, bypassing IAP. Option D is wrong because creating a new firewall rule that allows SSH only from the IAP IP range and deleting the existing SSH rule is functionally identical to Option A, yet the question asks for the most effective way. Modifying the existing rule in place, as Option A does, is the more precise change: deleting and recreating the rule risks a window of accidental exposure during the transition, so modifying the existing rule is the recommended approach.

764 · Multi-Select · hard

A company has VPC peering between two VPC networks. They want to ensure that traffic from VPC A to VPC B can use a custom route in VPC A that points to a next-hop appliance in VPC A. Which TWO conditions must be met?

Select 2 answers
A. VPC B must have a route back to VPC A.
B. VPC peering must be set up with 'export custom routes' enabled from VPC A.
C. The appliance must be in the same region as VPC A.
D. The appliance must have a firewall rule allowing traffic from VPC B.
E. VPC A must have a route with destination inside VPC B and next-hop set to the appliance.
Answers: B, E

Export of custom routes is required for the peer to see and use them.

Why this answer

Option B is required because custom routes must be exported via peering to be used by the peer network. Option E is required because a route in VPC A with a destination in VPC B and the appliance as next hop is needed. Option C is not required; the appliance can be in any region.

Option A is not required for the forward path, though the return path needs separate configuration. Option D is a general firewall requirement but is not specific to the use of the custom route.

765 · MCQ · easy

An organization is using Cloud CDN to deliver content globally. Which of the following is a primary benefit of using Cloud CDN?

A. Provides DDoS protection only
B. Increases bandwidth to the origin server
C. Eliminates the need for SSL certificates
D. Reduces latency for users by caching content at edge locations
Answer: D

Correct: Cloud CDN caches content at Google's edge locations, reducing latency and origin load.

Why this answer

Cloud CDN caches content at edge locations, reducing egress costs from the origin and improving latency for users.

766 · MCQ · medium

Your company has deployed a hybrid cloud environment with a Cloud VPN tunnel between Google Cloud VPC and an on-premises data center. The VPC has a custom mode with subnet 10.0.1.0/24 in us-east1. On-premises uses subnet 192.168.1.0/24. The VPN tunnel is established using dynamic routing (BGP). Both sides advertise the correct prefixes. A Compute Engine VM in the VPC (10.0.1.10) can ping the on-premises gateway (192.168.1.1), but cannot ping a server on-premises (192.168.1.100). The on-premises network team confirms that 192.168.1.100 is reachable from the on-premises gateway. Firewall rules in GCP allow ingress from 192.168.1.0/24 to all VMs. What is the most likely cause?

A. The on-premises router does not have a route for the GCP subnet (10.0.1.0/24) pointing to the VPN tunnel.
B. The on-premises server is not configured with a default gateway pointing to the on-premises gateway.
C. The Cloud VPN tunnel is not configured with an IKE version supported by the on-premises device.
D. A firewall rule on the GCP VPC is blocking ICMP traffic from 192.168.1.100.
Answer: A

Without a return route, the on-premises server sends replies through the default route (likely internet), causing asymmetric routing and packet drop.

Why this answer

The correct answer is A. Since the VM can ping the on-premises gateway (192.168.1.1) but not the server (192.168.1.100), the VPN tunnel and BGP session are working, and GCP has the correct route. The issue is that the on-premises router is not advertising or does not have a route for the GCP subnet 10.0.1.0/24 pointing back to the VPN tunnel, so return traffic from the server to the VM is dropped.

Without this route, the on-premises router cannot forward packets destined for 10.0.1.10 back through the VPN.

Exam trap

Google Cloud often tests the misconception that a successful ping to the remote gateway proves full bidirectional connectivity, but the trap here is that the gateway responds from its own IP stack, not from behind it, so a missing return route for the GCP subnet on the on-premises router breaks traffic to hosts beyond the gateway.

How to eliminate wrong answers

Option B is wrong because if the on-premises server lacked a default gateway pointing to the on-premises gateway, the server would not be able to reach any off-subnet destination, including the gateway itself, but the problem states the server is reachable from the gateway. Option C is wrong because an IKE version mismatch would prevent the VPN tunnel from establishing at all, yet the VM can ping the on-premises gateway, proving the tunnel is up and BGP is exchanging routes. Option D is wrong because the GCP firewall rule explicitly allows ingress from 192.168.1.0/24 to all VMs, and the VM can receive ICMP from the gateway (192.168.1.1), so a firewall block on 192.168.1.100 specifically is inconsistent with the rule and the successful ping from the gateway.

767 · MCQ · medium

Refer to the exhibit. A VM with the 'ssh-allowed' tag is unreachable via SSH from the internet, while other VMs with the same tag work. What is the most likely cause?

A. A firewall rule with priority 500 denies ingress traffic to the VM's tag or IP range.
B. The rule source range is set to 0.0.0.0/0, which includes all internet IPs, so it should allow SSH.
C. The VM is in a different VPC that does not have the allow-ssh rule.
D. The firewall rule 'allow-ssh' has a higher priority (1000) than the implicit deny (65535), so it should work.
Answer: A

A higher priority deny rule can override the allow rule.

Why this answer

The most likely cause is that a firewall rule with priority 500 explicitly denies ingress traffic to the specific VM's tag or IP range, overriding the allow-ssh rule (which has a lower priority, i.e., a higher numerical value). In Google Cloud Platform (GCP), firewall rules are evaluated from lowest to highest priority number, and a deny rule with a lower priority number (e.g., 500) takes precedence over an allow rule with a higher priority number (e.g., 1000). This explains why other VMs with the same 'ssh-allowed' tag remain reachable, as they are not affected by the specific deny rule.

Exam trap

Google Cloud often tests the misconception that a higher priority number means higher priority, when in fact a lower priority number (e.g., 500) takes precedence over a higher one (e.g., 1000), causing candidates to overlook the effect of a deny rule with a lower priority number.

How to eliminate wrong answers

Option B is wrong because the source range 0.0.0.0/0 does allow all internet IPs, but the issue is that a higher-priority deny rule (priority 500) is blocking the traffic, not that the allow rule is misconfigured. Option C is wrong because if the VM were in a different VPC without the allow-ssh rule, no VM in that VPC would be reachable via SSH, but the question states that other VMs with the same tag work, implying they are in the same VPC. Option D is wrong because while the allow-ssh rule with priority 1000 is higher than the implicit deny (65535), a deny rule with a lower priority number (500) takes precedence over the allow rule, blocking the traffic.

768 · Multi-Select · medium

An organization is designing a hybrid connectivity architecture using Cloud Router and BGP. They need to advertise a specific prefix from an on-premises network to GCP, and they want to control the route priority. Which two BGP features should they configure? (Choose TWO.)

Select 2 answers
A. Global dynamic routing mode
B. Custom route exchange
C. Custom learned routes
D. BGP route aggregation
E. Route advertisement with MED
Answers: B, E

Custom route exchange allows advertising specific prefixes via BGP.

Why this answer

Cloud Router can advertise custom routes, and BGP allows setting MED values to influence route priority.

769 · MCQ · hard

A company is using Traffic Director with Envoy sidecars to manage traffic between microservices. They want to inject faults to test service resilience. Which Traffic Director feature should they use?

A. Traffic splitting
B. Fault injection
C. Circuit breakers
D. mTLS
Answer: B

Correct: fault injection allows testing resilience by injecting delays or errors.

Why this answer

Fault injection is a feature of Traffic Director that allows injecting delays or abort errors into requests for testing.

770 · Multi-Select · hard

An organization needs to design a hybrid connectivity solution with 99.99% availability for a mission-critical application. They have a co-location facility near a GCP region. Which THREE components are required to meet this SLA?

Select 3 answers
A. Two VLAN attachments
B. Two Dedicated Interconnect links in different edge availability domains
C. One Dedicated Interconnect link with multiple VLAN attachments
D. Cloud Router with BGP sessions
E. Classic VPN as a backup
Answers: A, B, D

Each link typically has its own VLAN attachment.

Why this answer

For 99.99% SLA with Dedicated Interconnect, you need two links in different edge availability domains, two VLAN attachments, and BGP sessions with Cloud Router.

771 · MCQ · medium

An organization has a VPC with several subnets and wants to monitor firewall rule usage to identify rules that are overly permissive (e.g., allowing all traffic from 0.0.0.0/0). Which Google Cloud service provides this insight?

A. Cloud Monitoring
B. Firewall Insights
C. VPC Flow Logs
D. Cloud Logging
Answer: B

Firewall Insights identifies overly permissive and shadowed firewall rules.

Why this answer

Firewall Insights in Network Intelligence Center provides analytics on firewall rules, including overly permissive rules and shadowed rules.

772 · MCQ · medium

A company is using a global external HTTP(S) load balancer to serve traffic from multiple regions. They notice high egress costs for traffic served to users in Asia. What change could reduce costs?

A. Switch to a regional internal load balancer
B. Enable VPC Flow Logs to analyze traffic
C. Use a regional external load balancer in Asia and enable Cloud CDN
D. Increase the number of backend instances in Asia
Answer: C

Correct: Regional LB reduces global routing costs, and CDN caches content, reducing egress from origin.

Why this answer

A regional load balancer can be used for each region where users are located, avoiding the cost of global load balancing, and Cloud CDN can cache content closer to users, reducing origin egress.

773 · MCQ · easy

A company wants to restrict access to Google Cloud APIs from a specific set of VMs based on the VM's service account. Which type of firewall rule target should be used?

A. Target tags
B. All instances
C. Source service accounts
D. Target service accounts
Answer: D

Target service accounts specify which instances to apply the rule to based on their service account.

Why this answer

Firewall rules can target instances by service account, allowing fine-grained control based on identity rather than network tags.

774 · MCQ · medium

A company is hitting the quota for number of firewall rules per VPC network. They need to add more rules without requesting a quota increase. Which approach can reduce the number of rules?

A. Convert all deny rules to allow rules
B. Use hierarchical firewall policies at the folder level
C. Use Cloud Firewall to manage rules
D. Delete unused subnets
Answer: B

Hierarchical policies have their own quotas and can reduce VPC-level rule usage.

Why this answer

Firewall rules can be consolidated using service accounts or tags. By grouping instances with tags and applying rules to those tags, you can reduce the number of rules. Also, hierarchical firewall policies (at folder or org level) have separate quotas and can offload rules from VPC-level quotas.

775 · Multi-Select · easy

Which TWO of the following are benefits of using Cloud Interconnect over Cloud VPN for hybrid connectivity? (Choose two.)

Select 2 answers
A. Lower and more consistent latency.
B. Always provides encryption for data in transit.
C. Easier to set up as no physical connection is needed.
D. Lower cost for small bandwidth requirements.
E. Higher bandwidth capacity (up to 80 Gbps per circuit).
Answers: A, E

Dedicated connections avoid internet variability.

Why this answer

Cloud Interconnect provides a dedicated, private connection between your on-premises network and Google Cloud, bypassing the public internet. This results in lower and more consistent latency compared to Cloud VPN, which relies on the public internet and is subject to variable network conditions and potential congestion.

Exam trap

Google Cloud often tests the misconception that Cloud Interconnect provides encryption by default, when in fact it does not; the trap is that candidates confuse the private nature of the connection with inherent security, forgetting that encryption must be separately implemented.

776 · MCQ · hard

A company's application requires TLS termination at the load balancer, with backend instances in multiple regions running on Compute Engine. The backend instances must see the original client IP address. Which load balancer should be used?

A. Global external HTTPS load balancer
B. Regional external TCP/UDP Network Load Balancer
C. Global SSL Proxy load balancer
D. Regional internal HTTP(S) load balancer
Answer: C

Global SSL Proxy terminates TLS and can use Proxy Protocol to preserve client IP to backend instances.

Why this answer

Global SSL Proxy LB terminates TLS (SSL offload) and adds the PROXY protocol header to preserve the client IP. Global HTTPS LB does not support the PROXY protocol. The Network Load Balancer does not terminate TLS. The internal LB is not external.

777 · MCQ · easy

A startup is setting up their first GCP VPC. They want minimal manual configuration and need subnets in multiple regions. Which VPC creation mode should they use, and why?

A. Auto mode, because it allows overlapping IP ranges with on-premises networks.
B. Auto mode, because it automatically creates subnets in all regions with predefined IP ranges.
C. Custom mode, because it is the only mode that supports Shared VPC.
D. Custom mode, because it provides full control over IP ranges.
Answer: B

Auto mode creates subnets automatically in each region, which is ideal for minimal manual setup.

Why this answer

Auto mode VPCs automatically create a subnet in each region with predefined IP ranges, reducing manual effort. Custom mode requires manual subnet creation.

778 · MCQ · medium

A company has a Cloud VPN between their on-premises network and Google Cloud. They want to ensure that traffic flows symmetrically, meaning that traffic from Google Cloud to on-premises uses the same VPN tunnel as traffic from on-premises to Google Cloud. Which best practice should they implement?

A.Use dynamic routing with BGP and ensure that the AS path length is the same on both sides.
B.Implement policy-based routing that forces traffic to and from specific subnets to use the same tunnel.
C.Deploy multiple VPN tunnels and use different priorities for each.
D.Use static routes pointing to the VPN tunnel on both sides.
Answer B

Policy-based routing can enforce symmetric flows.

Why this answer

Option B is correct because policy-based routing (PBR) allows you to explicitly define forwarding rules based on source/destination IP addresses, ensuring that traffic from Google Cloud to on-premises uses the same VPN tunnel as the reverse direction. This enforces symmetric flow, which is critical for stateful firewalls and NAT devices that expect packets to arrive on the same interface they left. Dynamic routing (BGP) or static routes alone do not guarantee symmetry unless combined with PBR or tunnel interface configurations.

Exam trap

Google Cloud often tests the misconception that dynamic routing protocols like BGP inherently provide symmetric routing, but in reality, BGP only controls the best path selection independently on each router, so without additional configuration (e.g., PBR or tunnel interface binding), traffic can easily become asymmetric.

How to eliminate wrong answers

Option A is wrong because BGP with equal AS path length does not enforce symmetric traffic flow; BGP selects the best path based on multiple attributes, and the return path is determined independently by the remote router, so asymmetry can still occur. Option C is wrong because deploying multiple VPN tunnels with different priorities (e.g., using route metrics) only controls which tunnel is preferred for outbound traffic, but the return path is decided by the remote side, which may not match the priority settings. Option D is wrong because static routes pointing to the VPN tunnel on both sides do not guarantee symmetry; if the on-premises router has multiple equal-cost paths or a different routing table, return traffic could take a different tunnel, breaking symmetry.

779
MCQ · hard

A network engineer has configured a Dedicated Interconnect with a VLAN attachment and Cloud Router. BGP sessions are up and routes are exchanged. However, traffic from a specific on-premises subnet is not reaching a VPC instance. The route table shows a custom static route with priority 1000 for that subnet pointing to a VPN tunnel, and a BGP learned route with priority 100 for the same subnet via Interconnect. What is the most likely reason for the traffic not using the Interconnect route?

A.The BGP route's next hop is not reachable due to a missing firewall rule on the on-premises side
B.Route propagation is disabled on the Cloud Router
C.VPC firewall rules are blocking traffic on the Interconnect VLAN attachment
D.The BGP route has a lower MED than the static route
Answer A

If the on-premises next hop is unreachable, Cloud Router cannot forward traffic over that path, black-holing it.

Why this answer

The BGP route with priority 100 is preferred over the static route with priority 1000. However, if the BGP route's next hop is not reachable (e.g., due to a missing firewall rule on the on-premises side blocking the necessary ICMP or BGP session traffic), the route will be considered invalid and not installed in the routing table. This causes traffic to fall back to the less preferred static route via the VPN tunnel, explaining why the Interconnect path is not used.

Exam trap

Google Cloud often tests the misconception that route priority alone determines path selection; the trap here is that a BGP route with a lower (more preferred) priority value can still be invalid if its next hop is unreachable, in which case the router falls back to the static route with the higher (less preferred) priority value instead.

How to eliminate wrong answers

Option B is wrong because route propagation is enabled by default on Cloud Router when BGP sessions are up and routes are exchanged, as stated in the scenario. Option C is wrong because VPC firewall rules apply to instances, not to the Interconnect VLAN attachment itself; the attachment operates at Layer 2/3 and is not subject to VPC firewall rules. Option D is wrong because MED is a BGP attribute used for path selection among multiple paths from the same AS, but a static route (priority 1000) is always less preferred than a BGP route (priority 100) regardless of MED values.
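As an added example (not part of the original question bank), a small Python model of the route selection described above: longest prefix match, then lowest priority number, with routes whose next hop is unreachable never installed. The `Route` class, route names and the 10.50.0.0/16 prefix are constructed for illustration, not Google Cloud API objects.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of Google Cloud route selection as described in the explanation
# above (hypothetical helper, not a Google Cloud API): longest prefix match first,
# then the lowest priority number wins, and a route whose next hop is unreachable
# is treated as invalid and never installed in the route table.

@dataclass
class Route:
    name: str
    dest: str                  # destination CIDR, e.g. "10.50.0.0/16"
    priority: int              # 0-65535; lower number = more preferred
    next_hop: str              # VPN tunnel, VLAN attachment, ...
    origin: str                # "static" or "bgp"
    next_hop_reachable: bool = True

def installed_routes(routes: List[Route]) -> List[Route]:
    """Routes whose next hop is unreachable are not installed at all."""
    return [r for r in routes if r.next_hop_reachable]

def select_route(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Pick the installed route for dst_ip: longest prefix, then lowest priority number."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in installed_routes(routes)
                  if ip in ipaddress.ip_network(r.dest, strict=False)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dest, strict=False).prefixlen,
                              r.priority))

# Constructed route table mirroring question 779: the same on-premises prefix is
# reachable via a custom static route over VPN (priority 1000) and via a BGP
# learned route over Interconnect (priority 100).
ROUTES = [
    Route("onprem-via-vpn", "10.50.0.0/16", 1000, "vpn-tunnel-1", "static"),
    Route("onprem-via-interconnect", "10.50.0.0/16", 100, "vlan-attachment-1", "bgp"),
]

def path_for(dst_ip: str, bgp_next_hop_reachable: bool = True) -> Optional[str]:
    """Next hop chosen for dst_ip, optionally simulating an unreachable BGP next hop."""
    routes = [Route(r.name, r.dest, r.priority, r.next_hop, r.origin,
                    bgp_next_hop_reachable if r.origin == "bgp" else r.next_hop_reachable)
              for r in ROUTES]
    chosen = select_route(routes, dst_ip)
    return chosen.next_hop if chosen else None

if __name__ == "__main__":
    # Healthy: the priority-100 Interconnect route wins.
    print(path_for("10.50.1.10"))          # vlan-attachment-1
    # BGP next hop unreachable: falls back to the priority-1000 VPN route.
    print(path_for("10.50.1.10", False))   # vpn-tunnel-1
```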

780
MCQ · medium

A company wants to allow on-premises DNS servers to resolve Google Cloud private VM names. They need to configure a Google-managed forwarding server IP. Which Cloud DNS feature should they use?

A.Outbound DNS forwarding
B.Cloud Router with BGP
C.Inbound DNS policy
D.Private DNS zone with peering
Answer C

Inbound policy provides a Google-managed forwarding IP for on-premises to query.

Why this answer

Inbound DNS policy creates a forwarding zone and provides a Google-managed inbound server IP that on-premises servers can use to resolve GCP private DNS names.

781
Multi-Select · easy

Which TWO configurations can enable VM instances without external IPs to access the internet? (Choose TWO.)

Select 2 answers
A.Direct peering with Google
B.VPC peering with a network that has Cloud NAT
C.Private Google Access
D.Using a proxy instance with an external IP
E.Cloud NAT
Answers B, E

Through VPC peering, VMs can use the NAT of the peered network for outbound traffic.

Why this answer

Cloud NAT (Option E) provides source network address translation for VMs in a subnet. VPC peering to a network with Cloud NAT (Option B) allows VMs to use the NAT of the peered network. Option C (Private Google Access) only provides access to Google APIs, not the full internet.

Option A (Direct peering) is for on-premises connectivity. Option D (a proxy instance with an external IP) is possible but is not a native Google Cloud service.

782
MCQ · easy

An organization needs to create a VPC that automatically creates subnets in every region as new regions become available. Which VPC type should they use?

A.VPC Network Peering
B.Shared VPC
C.Auto mode VPC
D.Custom mode VPC
Answer C

Correct. Auto mode VPCs automatically create subnets in each region.

Why this answer

Auto mode VPCs create subnets in all regions automatically and expand to new regions as they become available.

783
Multi-Select · medium

A company is designing a Shared VPC environment with a host project and several service projects. Which two steps are required to allow a service project team to create Compute Engine instances with internal IP addresses from a shared subnet?

Select 2 answers
A.Create a VPC peering connection between the host and service projects
B.Ensure the host project and service project are in the same organization
C.Grant the service project's network team the roles/compute.networkAdmin role on the host project
D.Grant the service project's Compute Engine service account the roles/compute.networkUser role on the host project's subnet
E.Assign the roles/compute.securityAdmin role to the service project team
Answers B, D

Shared VPC requires projects to be in the same organization.

Why this answer

To use a shared subnet, the host project must grant the service project's Compute Engine service account the necessary IAM role on the subnet. The service project team must also have permissions to use the subnet.

784
Multi-Select · hard

A Cloud VPN with dynamic routing (BGP) is established between an on-premises network and Google Cloud. The on-premises BGP router is advertising a default route (0.0.0.0/0). The Cloud Router in Google Cloud is receiving this route, but network traffic from Google Cloud VMs to the internet is not being routed through the VPN. Which THREE troubleshooting steps should you take? (Choose three.)

Select 3 answers
A.Verify that the VPC's dynamic routing mode is set to 'global' if using regional routing.
B.Check VPC firewall rules to ensure they allow egress traffic from VMs.
C.Check the route priority (preference) of the default route learned via BGP compared to the default internet gateway route.
D.Verify that the Cloud Router is configured to advertise the default route to the VPC.
E.Ensure that the on-premises router is sending the default route with a higher local preference.
Answers A, C, D

Global routing ensures the default route is propagated to all regions.

Why this answer

Option A is correct because the VPC's dynamic routing mode determines the scope of route propagation. If the VPC uses regional dynamic routing, Cloud Router only propagates routes within the region where the VPN tunnel is attached. A global dynamic routing mode is required for the BGP-learned default route to be available across all regions, ensuring VMs in any region can use the VPN for internet egress.

Exam trap

The trap here is that candidates often assume firewall rules are the issue when traffic fails to route, but the core problem is route selection and propagation—specifically, the default internet gateway route competing with the BGP-learned route, and the Cloud Router's advertisement settings.

785
Multi-Select · medium

Which TWO are best practices for securing a VPC network? (Choose 2.)

Select 2 answers
A.Use VPC Network Peering to connect to other projects.
B.Create a VPC with default firewall rules.
C.Enable Private Google Access on all subnets.
D.Use firewall rules to restrict ingress traffic to only necessary ports and IPs.
E.Enable VPC Flow Logs to monitor traffic patterns.
Answers D, E

This minimizes attack surface.

Why this answer

Option D is correct because firewall rules are the primary mechanism for controlling ingress traffic in a VPC. By restricting traffic to only necessary ports and source IPs, you minimize the attack surface and enforce the principle of least privilege. This is a fundamental security best practice for network segmentation and access control.

Exam trap

Google Cloud often tests the misconception that default firewall rules are secure or that enabling features like Private Google Access or VPC Peering directly improve VPC security, when in fact they serve different purposes and can introduce risks if not configured correctly.

786
Multi-Select · hard

A company uses Network Connectivity Center (NCC) to connect multiple on-premises sites and VPCs. They have a hub in us-central1 and spokes including two on-premises networks and three VPCs. Which two statements about NCC are accurate? (Choose TWO.)

Select 2 answers
A.NCC requires a Dedicated Interconnect for on-premises spokes.
B.Each spoke can be connected to multiple hubs.
C.Traffic between spokes must traverse the hub.
D.NCC supports both VPC spokes and on-premises spokes.
E.NCC provides transitive routing across all spokes automatically.
Answers C, D

NCC is hub-and-spoke; all inter-spoke traffic goes through the hub.

Why this answer

NCC uses a hub-and-spoke model; spokes connect to a hub, and the hub can route traffic between spokes. NCC supports multiple types of spokes including VPCs and on-premises networks via Interconnect or VPN.

787
Multi-Select · hard

A company currently uses Cloud VPN with dynamic routing to connect to Google Cloud. They want to migrate to Dedicated Interconnect without downtime. Which THREE steps should they take to achieve a seamless migration? (Choose three.)

Select 3 answers
A.Order and provision the Dedicated Interconnect
B.Configure BGP on the on-premises router for the Interconnect and start advertising routes
C.Create a new VLAN attachment and attach it to the existing Cloud Router to peer with both VPN and Interconnect
D.Decrease the BGP route priority (MED) on the VPN advertisements to make VPN less preferred
E.Update on-premises firewall rules to allow traffic over the new Interconnect
Answers A, B, C

First, you need to have the physical connection ready.

Why this answer

Option A is correct because ordering and provisioning the Dedicated Interconnect is the foundational step to establish the physical connection between the on-premises network and Google Cloud. Without this, no migration can occur. This involves working with a Google Cloud partner to ensure the cross-connect is completed and the VLAN attachments are created.

Exam trap

Google Cloud often tests the misconception that firewall rules must be updated when migrating connectivity types, but in reality, the migration is driven by BGP route preference adjustments, not firewall changes.

788
Multi-Select · hard

Which THREE of the following are requirements for VPC Network Peering?

Select 3 answers
A.The VPCs must have non-overlapping subnet IP ranges.
B.Peering supports transitive routing.
C.Routes are automatically exchanged.
D.You need IAM permissions to establish the peering.
E.The VPCs must be in the same project.
Answers A, C, D

Overlapping IP ranges cannot be peered due to routing conflicts.

Why this answer

VPC Network Peering requires non-overlapping subnet IP ranges to prevent routing conflicts and ensure that traffic is correctly directed between the peered VPCs. Overlapping CIDR blocks would cause ambiguous routing, as the same IP address could exist in both VPCs, making it impossible for the VPC routers to determine the correct destination.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering supports transitive routing, but the correct behavior is that peering is non-transitive and each pair must be explicitly configured.

789
MCQ · medium

An organization has two VPCs, VPC-A and VPC-B, in the same project. They need to allow communication between instances in these VPCs without using the public internet. The solution must support dynamic routes and be non-transitive. What should they configure?

A.Add a route in each VPC pointing to the other's subnet via the default internet gateway
B.Create a VPN tunnel between VPC-A and VPC-B
C.Configure VPC Network Peering between the two VPCs
D.Use Shared VPC with a host project and attach both VPCs as service projects
Answer C

VPC Peering provides direct, non-transitive connectivity with dynamic route exchange, meeting all requirements.

Why this answer

VPC Network Peering allows direct connectivity between two VPCs with non-transitive peering. It supports dynamic routes via custom route exchange and does not use the internet.

790
MCQ · hard

A network engineer is troubleshooting BGP route propagation between an on-premises network and a GCP VPC via Cloud Router. The on-premises router is advertising a specific subnet (10.1.0.0/16), but GCP is not receiving the route. Cloud Router BGP sessions are established. Which configuration could be the issue?

A.The Cloud Router is configured to only accept routes from a specific set of prefixes
B.The VPC firewall rules are blocking BGP traffic (TCP port 179)
C.The Cloud Router is configured with a higher MED value for the route
D.The on-premises router is not sending the AS_PATH attribute
Answer A

Cloud Router can be configured with custom route advertisements or filters that limit which prefixes are accepted from a BGP peer.

Why this answer

Cloud Router can be configured with custom route advertisements and per-peer settings that limit which prefixes are exchanged. If the on-premises route is not being accepted, the Cloud Router or the BGP peer may be configured ('advertised route priority', 'advertised IP ranges' or 'advertised groups') in a way that excludes the on-premises prefix.

Another common issue: the on-premises router must actually advertise the route, and the Cloud Router must have custom route advertisement enabled or the route must fall within the allowed prefixes.

791
MCQ · hard

Refer to the exhibit. A user cannot SSH into test-vm from their workstation (public IP 203.0.113.5) using the VM's external IP 34.67.89.10. The firewall rule allow-ssh exists. What is the most likely cause?

A.The firewall rule allow-ssh is missing a source IP range or has a source IP range that does not include the user's IP
B.The firewall rule allow-ssh is for the wrong network
C.The firewall rule allow-ssh is disabled
D.The VM's external IP (34.67.89.10) is blocked by Cloud NAT
Answer A

If the rule does not specify sourceRanges, it defaults to 0.0.0.0/0, but if it was created with an incorrect source range, traffic from 203.0.113.5 would be blocked. The exhibit does not show sourceRanges, but a common misconfiguration is to set sourceRanges to an internal range.

Why this answer

The most likely cause is that the firewall rule 'allow-ssh' is missing a source IP range or has a source IP range that does not include the user's public IP (203.0.113.5). In Google Cloud, firewall rules are stateful and by default deny all ingress traffic unless explicitly allowed; without a source IP range (or with an incorrect one), the SSH traffic from the user's workstation is dropped at the VPC firewall level, preventing access to the VM's external IP (34.67.89.10).

Exam trap

Google Cloud often tests the misconception that a firewall rule's existence alone is sufficient, but the trap here is that the source IP range must be explicitly defined or set to 0.0.0.0/0 for external access; candidates may overlook the source filter configuration and assume the rule name implies it works for all sources.

How to eliminate wrong answers

Option B is wrong because the firewall rule 'allow-ssh' is associated with the VM's network (as per the exhibit), and if it were for the wrong network, the VM would not be reachable at all, but the question states the rule exists and is likely correctly assigned. Option C is wrong because if the rule were disabled, the user would see a different error (e.g., 'connection refused' or timeout), but the question implies the rule exists and is active; disabling would be a more obvious configuration issue. Option D is wrong because Cloud NAT is used for outbound traffic from private instances to the internet, not for inbound SSH traffic to a VM's external IP; blocking by Cloud NAT would not affect ingress traffic destined to the VM's public IP.
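As an added example (not part of the original question bank), a Python evaluator for VPC ingress firewall rules in the JSON shape that `gcloud compute firewall-rules list --format=json` emits, showing how an allow-ssh rule whose sourceRanges omit the client's address leads to the implied deny. The rule set, tag names and the 203.0.113.5 client are constructed; `evaluate_ingress` and `fixed_rules` are hypothetical helpers, not a Google Cloud API.

```python
import ipaddress
import json

# Constructed evaluator for VPC ingress firewall rules (hypothetical helper, not a
# Google Cloud API). It models the behaviour described above: rules are evaluated
# from the lowest priority number upward (deny before allow at equal priority),
# the first matching rule decides, and the implied "deny all ingress" rule applies
# when nothing matches.

def _matches_source(rule, src_ip):
    # A rule with no sourceRanges is treated as 0.0.0.0/0 (the gcloud default noted
    # above); sourceTags and sourceServiceAccounts are not modelled here.
    ranges = rule.get("sourceRanges") or ["0.0.0.0/0"]
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)

def _matches_target(rule, vm_tags):
    # No targetTags means the rule applies to every instance in the network.
    targets = rule.get("targetTags")
    return not targets or bool(set(targets) & set(vm_tags))

def _port_in_spec(port, spec):
    # Port specs look like "22" or "8000-8080".
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _matches_protocol_port(entries, protocol, port):
    for e in entries:
        if e["IPProtocol"] not in (protocol, "all"):
            continue
        ports = e.get("ports")
        if not ports or any(_port_in_spec(port, p) for p in ports):
            return True
    return False

def evaluate_ingress(rules, src_ip, vm_tags, protocol, port):
    """Return (verdict, rule_name); verdict is 'allow' or 'deny'."""
    ingress = [r for r in rules
               if r.get("direction", "INGRESS") == "INGRESS" and not r.get("disabled")]
    ordered = sorted(ingress, key=lambda r: (r.get("priority", 1000), 0 if r.get("denied") else 1))
    for rule in ordered:
        if not (_matches_source(rule, src_ip) and _matches_target(rule, vm_tags)):
            continue
        if _matches_protocol_port(rule.get("allowed", []), protocol, port):
            return "allow", rule["name"]
        if _matches_protocol_port(rule.get("denied", []), protocol, port):
            return "deny", rule["name"]
    return "deny", "implied-deny-ingress"

# Constructed rules: allow-ssh was created with an internal source range, the
# misconfiguration the explanation above describes.
RULES_JSON = """
[
  {"name": "allow-ssh", "direction": "INGRESS", "priority": 1000,
   "network": "projects/example-project/global/networks/default",
   "sourceRanges": ["10.0.0.0/8"], "targetTags": ["ssh"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-web", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]}
]
"""
RULES = json.loads(RULES_JSON)

def ssh_verdict(rules, client_ip, vm_tags=("ssh",)):
    return evaluate_ingress(rules, client_ip, vm_tags, "tcp", 22)

def fixed_rules(rules, rule_name, client_cidr):
    """Copy of rules with rule_name's sourceRanges narrowed to the admin's address rather than 0.0.0.0/0."""
    fixed = json.loads(json.dumps(rules))
    for r in fixed:
        if r["name"] == rule_name:
            r["sourceRanges"] = [client_cidr]
    return fixed

if __name__ == "__main__":
    print(ssh_verdict(RULES, "203.0.113.5"))   # ('deny', 'implied-deny-ingress')
    repaired = fixed_rules(RULES, "allow-ssh", "203.0.113.5/32")
    print(ssh_verdict(repaired, "203.0.113.5"))  # ('allow', 'allow-ssh')
```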

792
Multi-Select · hard

A company is designing a VPC for a production environment that must meet the following requirements: support multiple projects, centralized network administration, and allow each project to have its own firewall rules. Which THREE components should be used?

Select 3 answers
A.Service projects
B.Host project
C.Cloud VPN
D.VPC peering
E.Shared VPC
Answers A, B, E

Service projects consume Shared VPC networks.

Why this answer

A is correct because service projects in a Shared VPC architecture allow each project to host its own resources (e.g., Compute Engine instances) while maintaining separate firewall rules and security policies. This enables centralized network administration via the host project while giving each project autonomy over its own firewall configurations, meeting the requirement for multiple projects with independent firewall rules.

Exam trap

Google Cloud often tests the distinction between connectivity solutions (Cloud VPN, VPC peering) and network administration models (Shared VPC), leading candidates to mistakenly choose VPC peering for multi-project setups when Shared VPC is required for centralized control with per-project firewall rules.

793
MCQ · medium

You need to invalidate Cloud CDN cached content for specific URLs after updating files in Cloud Storage. Which command should you use?

A.gcloud compute cdn-cache invalidate
B.gcloud compute backend-buckets update
C.gcloud compute url-maps invalidate-cdn-cache
D.gcloud compute ssl-certificates update
Answer C

Correct command to invalidate CDN cache for a URL map.

Why this answer

gcloud compute url-maps invalidate-cdn-cache invalidates CDN cache for a specific URL map. gcloud compute ssl-certificates is for certificates. gcloud compute backend-buckets update is for updating backend bucket configuration. gcloud compute cdn-cache invalidate does not exist.

794
MCQ · medium

You need to protect an HTTPS load-balanced application from SQL injection and cross-site scripting attacks. Which Google Cloud service should you use?

A.Firewall Rules
B.Cloud IDS
C.VPC Service Controls
D.Cloud Armor
Answer D

Cloud Armor offers WAF rules to protect against web attacks.

Why this answer

Cloud Armor provides Web Application Firewall (WAF) capabilities, including preconfigured rules to detect and block SQLi and XSS attacks. It attaches to HTTPS Load Balancers.

795
MCQ · easy

A network engineer wants to test whether a VM in VPC A can reach a VM in VPC B that is connected via VPC peering. The engineer suspects that firewall rules or routes are blocking traffic. Which Google Cloud service should they use to test the path and identify the blocking rule?

A.Performance Dashboard
B.VPC Flow Logs
C.Connectivity Tests
D.Firewall Insights
Answer C

Connectivity Tests is designed to test reachability and diagnose firewall/route blocking.

Why this answer

Connectivity Tests in Network Intelligence Center allows you to check reachability between source and destination endpoints, analyzing firewall rules, routes, and VPC peering configurations to identify the blocking rule.

796
MCQ · easy

A company wants to protect its HTTP(S) Load Balancer against DDoS attacks and common web exploits like SQL injection and cross-site scripting. Which Google Cloud service should they use?

A.VPC Service Controls
B.Cloud Armor
C.Firewall Rules
D.Cloud NAT
Answer B

Cloud Armor provides WAF rules for SQLi, XSS, and DDoS protection.

Why this answer

Cloud Armor is Google's web application firewall (WAF) and DDoS protection service. It integrates with Cloud Load Balancing to provide security policies that inspect traffic and block attacks like SQLi and XSS using pre-configured WAF rules.

797
MCQ · hard

An organization uses HA VPN with dynamic routing and active-active BGP sessions. One tunnel fails, but traffic continues to flow through the other tunnel. However, they notice increased latency. What is the most likely explanation?

A.BGP multipath is enabled, causing all traffic to be sent through the remaining tunnel.
B.The remaining tunnel is using a different encryption algorithm.
C.The BGP timers are misconfigured.
D.The failed tunnel's routes are still in the routing table.
Answer A

With multipath, traffic is normally split; after failure, all traffic goes through one tunnel, potentially causing congestion.

Why this answer

When BGP multipath is enabled on an HA VPN with active-active BGP sessions, the router can load-balance traffic across multiple tunnels. If one tunnel fails, all traffic is redirected through the remaining tunnel, which can cause increased latency due to congestion or suboptimal path selection. The correct answer is A because this behavior directly explains the latency increase after a tunnel failure.

Exam trap

Google Cloud often tests the misconception that increased latency after a tunnel failure is due to routing table issues or encryption changes, when in fact it is the result of BGP multipath concentrating all traffic onto a single tunnel, causing congestion.

How to eliminate wrong answers

Option B is wrong because encryption algorithms (e.g., AES-128 vs AES-256) affect security and CPU overhead, not latency in a way that would suddenly increase after a tunnel failure; the remaining tunnel would have been using the same algorithm before the failure. Option C is wrong because misconfigured BGP timers (e.g., keepalive or hold timers) would cause session instability or flapping, not a gradual latency increase after a single tunnel failure. Option D is wrong because if the failed tunnel's routes were still in the routing table, traffic would attempt to use the failed tunnel and result in packet loss or blackholing, not increased latency; BGP withdraws routes from the failed tunnel upon session loss.

798
MCQ · medium

A global HTTPS load balancer is configured with a backend service that points to a serverless NEG for Cloud Run services. Some requests are failing with 502 errors. What is a likely cause?

A.The SSL certificate is expired.
B.The Cloud Run service requires IAP authentication.
C.The health check is misconfigured for serverless NEGs.
D.The serverless NEG is in a different region than the load balancer's forwarding rule.
Answer D

For a global load balancer, the serverless NEG must be in a supported region and the load balancer must be configured to route to that region.

Why this answer

Serverless NEGs require the load balancer to be in the same region as the Cloud Run service, or use a global external load balancer with serverless NEGs in multiple regions. A 502 error often indicates connectivity issues, such as the load balancer not being able to reach the backend due to missing network endpoint group or incorrect region.

799
Multi-Select · hard

A company wants to deploy a network appliance (e.g., firewall) on a Compute Engine instance that requires inspecting traffic between two VPCs. The instance must have interfaces in both VPCs. Which three configurations are required? (Choose three.)

Select 3 answers
A.Assign an external IP to each interface
B.Attach at least two network interfaces (NIC0 and NIC1)
C.Use the same subnet for both interfaces
D.Configure static routes in both VPCs pointing to the appliance's IP
E.Enable IP forwarding on the instance
Answers B, D, E

Required to connect to two different VPCs.

Why this answer

For a multi-NIC network appliance, you need at least two network interfaces (NIC0, NIC1) attached to different VPCs. Each interface must be in a different subnet. Also, IP forwarding must be enabled on the instance to allow it to forward traffic between interfaces.

800
MCQ · easy

A company wants to use Cloud DNS to resolve queries for a private zone (e.g., example.internal) from multiple VPCs in the same project. They need to ensure that instances in all VPCs can resolve the zone. What is the simplest approach?

A.Configure each VM to use a custom DNS resolver
B.Use Cloud DNS peering to forward queries between VPCs
C.Create a public zone and set visibility to private
D.Create a private zone and associate it with all relevant VPCs
Answer D

Cloud DNS private zones can be associated with up to 10 VPCs per zone; this allows resolution from those VPCs.

Why this answer

A private managed zone can be associated with one or more VPCs in the same project. By associating the zone with all VPCs that need resolution, instances in those VPCs can resolve the zone without additional peering.

801
MCQ · hard

A company is deploying a GKE cluster with Dataplane V2 and wants to enforce micro-segmentation using network policies. They also need to monitor policy violations. What should they do?

A.Enable Packet Mirroring.
B.Use Cloud IDS to monitor traffic.
C.Use VPC firewall rules with pod IP ranges.
D.Enable GKE Dataplane V2 and use Kubernetes Network Policies with audit logging.
Answer D

Dataplane V2 natively enforces network policies and audit logs record violations.

Why this answer

Option D is correct because Dataplane V2 uses eBPF to implement Kubernetes Network Policies directly in the kernel, providing native support for micro-segmentation. Enabling audit logging on the cluster captures denied or allowed policy actions, allowing the company to monitor policy violations without additional infrastructure.

Exam trap

The trap here is that candidates confuse VPC firewall rules (Option C) with Kubernetes Network Policies, not realizing that VPC firewalls cannot enforce pod-level segmentation because they lack pod IP awareness and are applied at the node or subnet level.

How to eliminate wrong answers

Option A is wrong because Packet Mirroring copies pod traffic for analysis but does not enforce or monitor network policy violations; it is a troubleshooting tool, not a policy enforcement or audit mechanism. Option B is wrong because Cloud IDS is an intrusion detection service that inspects traffic for threats, not a tool for monitoring Kubernetes Network Policy violations; it operates at a different layer and does not integrate with policy audit logs. Option C is wrong because VPC firewall rules operate at the node network level, not at the pod level, and cannot enforce Kubernetes Network Policies; they lack the pod identity awareness needed for micro-segmentation within a cluster.

802
MCQ · hard

A network engineer is troubleshooting a failing HA VPN tunnel. They need to view VPN gateway logs to identify the issue. Which Google Cloud service should they use to access the logs?

A.Cloud Audit Logs
B.Cloud Debugger
C.Cloud Monitoring
D.Cloud Logging
Answer D

Cloud Logging stores and allows querying of VPN gateway logs.

Why this answer

Cloud Logging captures logs from Cloud VPN gateways, including tunnel events, IKE negotiations, and error messages.

803
Multi-Select · medium

A cloud engineer is configuring a Global External HTTPS Load Balancer with a backend service that targets a Cloud Run service via a serverless NEG. They want to enable Cloud CDN and set cache behavior to cache all responses regardless of origin headers. Which THREE steps are required? (Choose three.)

Select 3 answers
A.Configure a cache key policy that includes the query string
B.Generate a signed URL key
C.Set the cache mode to FORCE_CACHE_ALL on the backend service
D.Create a backend bucket instead of a backend service
E.Enable Cloud CDN on the backend service
Answers A, C, E

A cache key policy is often needed for correct per-request caching; it is not always strictly required, but it is recommended.

Why this answer

To force cache all, you set cache mode to FORCE_CACHE_ALL. You also need to enable Cloud CDN on the backend service and set the appropriate cache key policy. Signed URL key is not required for basic caching.

The URL map is not modified for caching.

804
MCQ · easy

An e-commerce website uses Cloud CDN to cache static content. The origin is an external HTTP load balancer. What is the benefit of enabling Cloud CDN in this scenario?

A.It eliminates the need for SSL certificates.
B.It provides DDoS protection only.
C.It increases compute instance capacity.
D.It reduces latency by serving content from edge locations.
Answer D

Content is cached at edges closer to users, reducing round-trip time.

Why this answer

Cloud CDN caches content at Google's global edge locations, which are geographically closer to end users. By serving static content from these edge caches instead of the origin HTTP load balancer, the request latency is significantly reduced because the data travels a shorter distance over the network.

Exam trap

Google Cloud often tests the misconception that CDN replaces security features like SSL or DDoS protection, but the trap here is that candidates confuse caching benefits with infrastructure scaling or security capabilities.

How to eliminate wrong answers

Option A is wrong because Cloud CDN does not eliminate the need for SSL certificates; the origin load balancer still requires an SSL certificate to terminate HTTPS, and the CDN can use Google-managed certificates for edge termination. Option B is wrong because while Cloud CDN can absorb some volumetric attacks through caching, it is not a dedicated DDoS protection service; Google Cloud Armor is the primary DDoS protection solution. Option C is wrong because Cloud CDN does not increase compute instance capacity; it offloads requests from the origin, reducing the load on backend instances, but does not add compute resources.

805
MCQ · medium

A company has a Global SSL Proxy Load Balancer handling HTTPS traffic. They want to offload SSL decryption to the load balancer and forward encrypted traffic to backends. Which backend protocol should they use?

A.HTTPS
B.TCP
C.HTTP
D.SSL
Answer D

Correct: SSL Proxy forwards traffic using SSL to backends.

Why this answer

Global SSL Proxy LB terminates SSL and forwards traffic using SSL (TCP with SSL) to backends, allowing end-to-end encryption.

806
MCQ · medium

A company has deployed a web application on Compute Engine instances in a VPC with subnet 10.1.0.0/20. The instances need to access an external API that whitelists IP addresses. The company uses Cloud NAT to provide outbound connectivity. The API integration tests are failing, and the operations team suspects that the source IP addresses seen by the API are not consistent. What is the most likely cause and solution?

A.Cloud NAT is configured with endpoint-independent mapping; change to endpoint-dependent mapping to ensure consistent source IP.
B.Cloud NAT is configured with dynamic port allocation; use static port allocation instead.
C.Cloud NAT is using a manual NAT IP address that is not assigned to the instances; assign the NAT IP to the instances as an alias IP range.
D.Cloud NAT is configured with a default rule that does not include the subnet; add a custom NAT rule that specifically includes subnet 10.1.0.0/20.
AnswerD

If the subnet is not in a NAT rule, instances may not use NAT or use different NAT IPs, causing inconsistent source IPs. Adding the subnet ensures consistent NAT IP usage.

Why this answer

Option D is correct because if Cloud NAT's default rule does not include the subnet 10.1.0.0/20, instances in that subnet will not have their outbound traffic translated through the NAT gateway, causing them to use their ephemeral public IPs (if any) or fail to reach the external API. Adding a custom NAT rule that explicitly includes the subnet ensures all outbound traffic from those instances uses the consistent NAT IP address that the API whitelist expects.

Exam trap

The trap here is that candidates assume Cloud NAT automatically applies to all subnets in the VPC, but in reality, the default rule must explicitly include the subnet, and if it is removed or not configured, traffic from that subnet will not be NATed.

How to eliminate wrong answers

Option A is wrong because endpoint-independent mapping (which preserves the same source IP and port for all sessions to a given destination) actually provides consistency; endpoint-dependent mapping would change the source IP per destination, causing inconsistency. Option B is wrong because dynamic port allocation is the default and does not affect source IP consistency; static port allocation is used for specific port forwarding rules, not for ensuring a consistent source IP. Option C is wrong because a manual NAT IP address is assigned to the Cloud NAT gateway, not to the instances; assigning it as an alias IP range to instances would bypass Cloud NAT and use the instance's own IP, defeating the purpose of NAT.

807
MCQ · hard

A company uses Cloud CDN with an external HTTP(S) load balancer. They have two origin server groups: a primary in us-central1 and a backup in europe-west1. They want traffic directed to the primary unless it is unhealthy, in which case traffic should fail over to the backup. Which configuration is required?

A. Create a Cloud CDN with two origins and enable failover in the CDN settings.
B. Use a TCP/UDP network load balancer with two target pools.
C. Configure a weighted round-robin with primary weight 100 and backup weight 0, and change weights manually.
D. Create a backend service with two backends (primary and failover) and a failover policy that marks the primary as failover when unhealthy.
Answer: D

This is the correct architecture for failover across origins.

Why this answer

Option D is correct because Cloud CDN with an external HTTP(S) load balancer uses a backend service that can contain multiple backends (e.g., instance groups or NEGs) with a failover policy. When the primary backend is marked as unhealthy by the health check, the load balancer automatically routes traffic to the failover backend. This configuration meets the requirement without manual intervention.

Exam trap

The trap here is that candidates confuse Cloud CDN's origin settings with backend service failover policies, assuming CDN itself handles failover, when in fact failover is a property of the backend service used by the external HTTP(S) load balancer.

How to eliminate wrong answers

Option A is wrong because Cloud CDN does not have a built-in failover setting for origins; failover is configured at the backend service level, not within CDN settings. Option B is wrong because a TCP/UDP network load balancer uses target pools and does not support HTTP(S) traffic or failover policies between backends in different regions. Option C is wrong because weighted round-robin requires manual weight changes to fail over, which does not provide automatic failover based on health checks.

808
MCQ · easy

Which Cloud DNS routing policy should you use to direct users to the nearest healthy backend based on their geographic location?

A. Failover
B. Geolocation
C. Weighted round robin
D. Response policy
Answer: B

Routes traffic based on the DNS resolver's geographic location.

Why this answer

The geolocation routing policy directs traffic based on the user's geographic location. Weighted round robin distributes traffic by weight, and failover is for primary/backup configurations.

809
MCQ · easy

You need to distribute incoming TCP traffic to a set of Compute Engine instances in the same region while preserving the client IP address. The load balancer must be used for non-HTTP(S) workloads. Which load balancer should you choose?

A. Global TCP Proxy Load Balancer
B. Regional External TCP/UDP Network Load Balancer
C. Global HTTPS Load Balancer
D. Regional Internal TCP/UDP Load Balancer
Answer: B

This is a pass-through LB for TCP/UDP that preserves client IP.

Why this answer

Regional External TCP/UDP Network Load Balancer is a pass-through load balancer that preserves client IP and works for TCP/UDP traffic.

810
Multi-Select · medium

A company wants to restrict access to Google Cloud Storage so that only traffic originating from a specific VPC network is allowed. They also need to prevent data exfiltration to other VPCs. Which two services should they use? (Choose two.)

Select 2 answers
A. VPC Service Controls
B. Cloud VPN
C. Cloud NAT
D. Firewall rules
E. Private Google Access
Answers: A, E

Creates a perimeter to restrict access.

Why this answer

VPC Service Controls creates a service perimeter around the Storage API, and Private Google Access enables VMs without external IPs to access Google APIs from within the VPC.

811
MCQ · hard

A company has two VPC networks in the same project: VPC-A (10.0.0.0/16) and VPC-B (10.0.0.0/16). They want to establish VPC Network Peering between them. What is the outcome?

A. Peering succeeds, and only non-overlapping subnets are used
B. Peering succeeds, and routes are exchanged, but traffic may be unpredictable
C. Peering fails because subnets overlap
D. Peering succeeds, but routes are not exchanged
Answer: C

Overlapping IP ranges prevent VPC peering from being established.

Why this answer

VPC Network Peering requires that the subnets in the two VPCs do not overlap. Since both VPCs use the same CIDR block (10.0.0.0/16), peering will fail due to subnet overlap.

812
MCQ · hard

A network engineer runs the gcloud command above for a Cloud NAT configured in us-central1. The VPC has 20 instances without external IPs in us-central1. They notice that only three instances have NAT mappings displayed. What could explain this?

A. Only instances with active outbound connections are shown.
B. The NAT gateway is configured only for a specific subnet.
C. Only instances with external IPs are mapped.
D. The other instances are using a different NAT gateway.
Answer: A

NAT gateway info displays only active NAT mappings; idle instances have no mapping.

Why this answer

The `gcloud compute nat-gateways list-mappings` command only displays NAT mappings for instances that currently have active outbound connections traversing the Cloud NAT gateway. Cloud NAT uses dynamic port address translation (PAT) and only creates a mapping entry when an instance sends traffic that requires source NAT. Instances without active sessions will not appear in the listing, even though they are configured to use the NAT gateway.

Exam trap

The trap here is that candidates assume the `list-mappings` command shows all instances configured to use the NAT gateway, rather than understanding it only shows instances with currently active NAT sessions.

How to eliminate wrong answers

Option B is wrong because even if the NAT gateway is configured for a specific subnet, all 20 instances in that subnet would still be eligible for NAT mappings; the command would show mappings for any instance with active connections, not just three. Option C is wrong because Cloud NAT is specifically designed for instances without external IPs; instances with external IPs do not use NAT and would not appear in NAT mappings at all. Option D is wrong because if the other 17 instances were using a different NAT gateway, the command would show zero mappings for the queried gateway, not exactly three; the question states only three instances have mappings, implying the others simply have no active connections.

813
MCQ · medium

A company needs to ensure that all traffic between GCP VMs in different regions is encrypted in transit. What is the recommended approach?

A. Use VPC peering with encryption enabled
B. By default, traffic between GCP VMs is encrypted
C. Use Cloud VPN between the two regions
D. Enable IPsec on the VPC
Answer: B

Google encrypts all inter-region traffic at the physical layer.

Why this answer

Google Cloud encrypts all traffic between VMs at the hypervisor level, regardless of region, using application-layer encryption (e.g., TLS) and network-layer encryption (e.g., IPsec) by default. This encryption is transparent, always on, and requires no configuration, making option B the correct answer. It covers all VM-to-VM traffic within the same VPC or across VPCs, including inter-region communication.

Exam trap

The trap here is that candidates assume inter-region traffic requires explicit encryption configuration (like VPN or IPsec), but Google Cloud encrypts all VM-to-VM traffic by default, making those options unnecessary and incorrect.

How to eliminate wrong answers

Option A is wrong because VPC peering does not have an 'encryption enabled' toggle; traffic over VPC peering is already encrypted by default at the Google network layer, and there is no separate encryption setting for peering. Option C is wrong because Cloud VPN is used to connect on-premises networks or other cloud providers to GCP, not for encrypting traffic between GCP VMs in different regions, as that traffic is already encrypted by default. Option D is wrong because IPsec cannot be 'enabled on the VPC' as a whole; IPsec is a protocol used for site-to-site VPNs, and applying it to VPC-level traffic is unnecessary and not supported as a VPC-wide feature.

814
MCQ · medium

A company has a Dedicated Interconnect connection between their on-premises data center and Google Cloud. They have two VLAN attachments (vlan-100 and vlan-200) connected to two separate Cloud Routers in the same region. Each Cloud Router has a BGP session with the on-premises router. The on-premises router advertises the same prefixes (10.0.0.0/8) over both sessions. In Google Cloud, they have workloads in two different VPCs: VPC-A and VPC-B. They want traffic to VPC-A to use vlan-100, and traffic to VPC-B to use vlan-200. Cloud Router 1 is attached to VPC-A, Cloud Router 2 is attached to VPC-B. Currently, traffic from on-premises to VPC-A sometimes goes through vlan-200, causing asymmetric routing. What configuration change should they make to ensure traffic is symmetric?

A. Set a higher MED on the on-premises router for routes advertised to vlan-200, making vlan-100 preferred for all traffic.
B. Configure static routes on the on-premises router to force traffic to VPC-A via vlan-100 and to VPC-B via vlan-200.
C. Create two separate VPCs and assign each VLAN attachment to a different VPC.
D. Use BGP community tags on the on-premises router to label routes for VPC-A and VPC-B, and configure route priority on Cloud Router to match these communities.
Answer: D

BGP communities allow granular route manipulation, ensuring traffic for each VPC uses the designated attachment.

Why this answer

Option D is correct because BGP community tags allow the on-premises router to tag routes for VPC-A and VPC-B differently. Cloud Router can then use these community tags to influence route priority (e.g., via local preference or MED matching), ensuring that traffic to VPC-A is always routed through vlan-100 and traffic to VPC-B through vlan-200, solving the asymmetric routing issue without relying on static routes or MED manipulation that would affect all traffic.

Exam trap

The trap here is that candidates often assume MED or static routes can solve asymmetric routing, but they overlook that MED affects all routes from a neighbor and static routes on-premises cannot control Google Cloud's return path selection, whereas BGP communities provide the necessary granularity to influence path selection per prefix in both directions.

How to eliminate wrong answers

Option A is wrong because setting a higher MED on the on-premises router for routes advertised to vlan-200 would make vlan-100 preferred for all prefixes, not just those destined for VPC-A; this would force all traffic through vlan-100, breaking the requirement for VPC-B traffic to use vlan-200. Option B is wrong because static routes on the on-premises router cannot override BGP-learned routes on the Google Cloud side; the asymmetric routing occurs because Google Cloud's Cloud Routers may still prefer the alternate path due to equal-cost multi-path (ECMP) or BGP best-path selection, and static routes on-premises do not control return path selection in Google Cloud. Option C is wrong because the two VLAN attachments are already connected to separate VPCs (VPC-A and VPC-B) via their respective Cloud Routers, so creating two separate VPCs again would not change the routing behavior. The issue is that both Cloud Routers receive the same prefix (10.0.0.0/8) and Google Cloud may load-balance or choose the wrong path; it is not a VPC attachment problem.

815
MCQ · hard

A large enterprise has two on-premises data centers (DC1 and DC2) connected to Google Cloud via two separate VPN tunnels to the same VPC. Each tunnel terminates on a different Cloud VPN gateway (gateway1 in us-east1, gateway2 in us-west1). The on-premises routers advertise the same CIDR 172.16.0.0/12 from both DCs. Cloud Router is configured with BGP and uses default route priority. You notice that after a failover event where one tunnel goes down, traffic continues to flow, but there is a significant increase in latency for traffic coming from GCP to on-premises. You verify that both tunnels have re-established. What is the most likely cause of the increased latency?

A. The on-premises routers are using site-to-site VPN between themselves causing a routing loop
B. The on-premises routers do not use AS path prepending to prefer the local DC's path for the prefix
C. The Cloud VPN tunnels are using different preshared keys
D. Bidirectional Forwarding Detection (BFD) is not enabled on the Cloud VPN tunnels
Answer: B

Without AS path prepending, GCP may choose a suboptimal path (e.g., sending DC1 traffic via DC2) if the routes have equal AS path length, causing increased latency.

Why this answer

When both on-premises routers advertise the same CIDR (172.16.0.0/12) to Google Cloud via BGP, Cloud Router selects the path with the shorter AS path length by default. Without AS path prepending on the backup DC's router, both routes have equal AS path length, causing Cloud Router to load-balance or pick a suboptimal path after failover. After the tunnel re-establishes, traffic from GCP may still be routed to the remote DC (e.g., DC2) instead of the local DC (DC1), resulting in higher latency due to cross-country or inter-DC transit.

Exam trap

Google Cloud often tests the misconception that increased latency after failover is due to a routing loop or BFD misconfiguration, when the real issue is the lack of AS path prepending to influence BGP path selection for the same prefix advertised from multiple locations.

How to eliminate wrong answers

Option A is wrong because site-to-site VPN between on-premises routers would not cause a routing loop in this scenario; the increased latency is due to suboptimal path selection, not a loop. Option C is wrong because different preshared keys would prevent the VPN tunnels from establishing at all, not cause increased latency after re-establishment. Option D is wrong because BFD is used for fast failure detection, not for influencing path selection or latency after tunnels are up; its absence would delay failover detection, not increase latency post-failover.

816
MCQ · easy

A company has a single VPC with subnets in us-central1 and europe-west1. They have Compute Engine instances in both subnets that need to communicate with each other. The security team wants to ensure that only specific instances in us-central1 can connect to a database instance in europe-west1 on port 3306. Currently, the default firewall rules allow all internal traffic (priority 65535). The network engineer first creates a new ingress firewall rule to allow TCP traffic on port 3306 from instances with the network tag 'app' to instances with the tag 'db', with priority 1000. Then, to enforce the restriction, they delete the default allow internal rule (priority 65535). However, after applying the changes, the app instances (tagged 'app') in us-central1 cannot connect to the database instance (tagged 'db') in europe-west1. The engineer verifies that the tags are correctly applied to the instances. What is the most likely cause of the connectivity failure?

A. The firewall rule only allows ingress from instances with tag 'app' but the egress traffic from app instances is blocked.
B. The app instances need a firewall rule to allow egress traffic to the database on port 3306.
C. The firewall rule is applied to the wrong VPC network.
D. The database instance's network tag 'db' was not applied to the database instance.
Answer: B

With the default allow internal rule removed, egress must be explicitly allowed.

Why this answer

B is correct because in Google Cloud VPC, firewall rules are stateful for ingress but not for egress. The ingress rule allowing traffic from 'app' to 'db' on port 3306 only controls incoming packets to the database instance. The app instance still needs an egress firewall rule to allow outbound traffic on port 3306, otherwise the outbound SYN packet is dropped before it reaches the database.

Deleting the default allow internal rule (priority 65535) removed the implicit egress permission, so a specific egress rule is required.

Exam trap

Google Cloud often tests the misconception that an ingress rule alone is sufficient for bidirectional communication, but in Google Cloud VPC, egress rules are required for outbound traffic initiation unless a default allow egress rule exists.

How to eliminate wrong answers

Option A is wrong because the ingress rule is correctly defined to allow traffic from 'app' to 'db' on port 3306; the issue is not that ingress is blocked but that egress from the app instance is missing. Option C is wrong because the question states there is a single VPC, and the rule is applied to that same VPC; there is no indication of a wrong VPC selection. Option D is wrong because the engineer verified that the tags are correctly applied, so the database instance does have the 'db' tag; the failure is not due to missing tags.

817
Multi-Select · hard

A company is using Traffic Director with Envoy sidecars. They want to enable mutual TLS (mTLS) between services. Which two steps are required? (Choose two.)

Select 2 answers
A. Enable mTLS in Traffic Director configuration
B. Deploy a service mesh with Istio
C. Configure Envoy sidecars with certificates
D. Use a Global HTTPS Load Balancer
E. Set up Cloud DNS
Answers: A, C

Correct: mTLS must be enabled in Traffic Director.

Why this answer

To enable mTLS, you need to enable mTLS in Traffic Director and configure Envoy sidecars with certificates.

818
MCQ · medium

An engineer needs to provide outbound internet access to a set of Compute Engine instances that do not have external IP addresses. The instances are in a VPC subnet with a Cloud NAT configured. However, the instances still cannot reach the internet. The engineer verified that Cloud NAT is configured on the same region and VPC as the instances. What is the most likely cause?

A. The firewall rules block all outbound traffic from the subnet
B. The instances are using a custom network that does not support Cloud NAT
C. The instances are not tagged with the correct network tag used in the Cloud NAT configuration
D. The Cloud NAT gateway uses dynamic port allocation, which is disabled
Answer: C

Cloud NAT uses tags or service accounts to determine which instances can use it for outbound connectivity.

Why this answer

Cloud NAT requires the instances to have the 'allow NAT' network tag or service account configured in the NAT gateway rules. If the instances are not tagged or the service account is not specified, traffic is not forwarded.

819
Multi-Select · hard

A company wants to set up a hybrid network with HA VPN between an on-premises network and GCP. They need a 99.99% SLA. Which THREE conditions must be met to achieve this SLA?

Select 3 answers
A. Cloud Router configured with global dynamic routing mode
B. Two Cloud VPN gateways in GCP, each with one interface
C. Each tunnel uses a unique IKE pre-shared key
D. Two or more tunnels established with BGP sessions
E. On-premises VPN gateway with two distinct public IP addresses
Answers: C, D, E

Unique PSKs per tunnel improve security and are recommended for HA VPN.

Why this answer

HA VPN provides 99.99% SLA when at least two tunnels are up, each using a separate external IP address on the GCP side, and the on-premises VPN gateway is also redundant with two peer IPs.

820
Multi-Select · hard

A company wants to use Cloud Armor to block traffic from a specific IP range (198.51.100.0/24) and also apply rate limiting. Which TWO components are needed? (Select 2)

Select 2 answers
A. A Cloud CDN cache rule
B. A Cloud Armor security policy with one rule that combines IP deny and rate limiting
C. A Cloud Armor security policy with two rules: one for IP deny and one for rate limiting
D. A network firewall rule to block the IP range
E. An HTTPS load balancer with the security policy attached
Answers: C, E

A single policy can contain multiple rules to achieve both requirements.

Why this answer

Cloud Armor security policies contain rules with conditions like IP ranges and rate limiting. The policy is attached to a backend service of an HTTPS load balancer.

821
MCQ · hard

A company has a VPC with a subnet in us-central1. Compute Engine instances in that subnet have no external IPs but need to reach the internet for software updates. The engineer configured Cloud NAT with the default settings. However, instances fail to reach the internet. What is the most likely cause?

A. Cloud NAT is not configured in the correct region.
B. An egress firewall rule is missing that allows traffic from the instances to the internet via NAT.
C. Private Google Access is enabled on the subnet, which overrides Cloud NAT.
D. The Cloud NAT router is not attached to the correct VPC network.
Answer: B

Firewall rules control egress traffic; Cloud NAT does not bypass them. A rule allowing egress to 0.0.0.0/0 is needed.

Why this answer

Cloud NAT requires that the instances are allowed egress traffic to the internet. Without a suitable egress firewall rule, NAT traffic is blocked. The default firewall rules only allow egress to Google APIs (private.googleapis.com) but not to general internet destinations.

A firewall rule allowing egress to 0.0.0.0/0 on the appropriate ports is required.

822
Matching · medium

Match each Cloud Load Balancing type to its description.


Global, proxy-based, for HTTP/S traffic from internet

Regional, pass-through, for traffic within VPC

Regional, proxy-based, for non-HTTP/S internet traffic

Regional, proxy-based, for internal HTTP/S traffic

Global, terminates SSL, for non-HTTPS SSL traffic

Why these pairings

Google Cloud offers various load balancers for different use cases.

823
Multi-Select · medium

A company is using Cloud Interconnect with multiple VLAN attachments. They want to implement traffic shaping to prioritize real-time traffic over bulk transfers. Which THREE actions should they take?

Select 3 answers
A. Set up Cloud Router with BGP QoS policies to match DSCP values
B. Enable Cloud NAT to handle traffic shaping
C. Create VPC firewall rules to classify traffic based on source/destination
D. Configure DSCP markings on the on-premises routers for different traffic types
E. Use VPC flow logs to identify heavy traffic flows
Answers: A, C, D

Cloud Router can apply QoS based on DSCP.

Why this answer

Option A is correct because Cloud Router with BGP QoS policies can match DSCP values to prioritize traffic. By configuring BGP QoS policies, you can map specific DSCP values to different traffic classes, allowing Cloud Interconnect to apply traffic shaping that prioritizes real-time traffic (e.g., VoIP) over bulk transfers. This leverages BGP community attributes to signal QoS requirements across the hybrid connection.

Exam trap

The trap here is that candidates confuse monitoring tools (VPC flow logs) or unrelated services (Cloud NAT) with traffic shaping mechanisms, overlooking that DSCP marking and BGP QoS policies are the correct approach for prioritizing traffic on Cloud Interconnect.

824
MCQ · easy

A company needs private connectivity between its on-premises data center and Google Cloud with consistent low latency and high throughput. The on-premises location is close to a Google Cloud point of presence that supports Dedicated Interconnect. The company expects to use more than 10 Gbps of bandwidth in the near future. Which connectivity solution should they choose?

A. Dedicated Interconnect
B. Partner Interconnect
C. HA VPN with dynamic routing
D. Cloud VPN with static routing
Answer: A

Dedicated Interconnect provides a direct, private connection with low latency and high bandwidth (10/100 Gbps) suitable for growing needs.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between the on-premises data center and Google Cloud, offering consistent low latency and high throughput. Since the on-premises location is near a Google Cloud point of presence that supports Dedicated Interconnect and the bandwidth requirement exceeds 10 Gbps (Dedicated Interconnect supports up to 10 Gbps per circuit, with multiple circuits for higher aggregate bandwidth), this is the optimal solution.

Exam trap

Google Cloud often tests the misconception that Partner Interconnect is equivalent to Dedicated Interconnect for high-bandwidth needs, but the key trap is that Partner Interconnect introduces a third-party provider's network, which cannot guarantee the same consistent low latency and throughput as a direct physical connection.

How to eliminate wrong answers

Option B is wrong because Partner Interconnect relies on a third-party service provider's network, which introduces additional latency and potential throughput variability, and typically supports lower bandwidths (up to 10 Gbps per VLAN attachment) compared to Dedicated Interconnect's direct physical links. Option C is wrong because HA VPN with dynamic routing uses the public internet or a third-party network, cannot guarantee consistent low latency or high throughput, and is limited to bandwidths far below 10 Gbps (typically up to 3 Gbps per tunnel). Option D is wrong because Cloud VPN with static routing also uses the public internet, lacks the performance guarantees needed for >10 Gbps, and static routing does not provide the redundancy or dynamic failover required for enterprise-grade hybrid connectivity.

825
MCQ · medium

An organization has multiple VPCs in a Shared VPC setup. They want to allow only certain service projects to use a specific subnet in the host project. What should they configure?

A. Use VPC peering between host and service projects
B. Grant the compute.networkUser role to the service project
C. Create a separate host project for each service project
D. Use shared subnet IAM to grant compute.subnetUser on the specific subnet
Answer: D

Correct. Shared subnet IAM allows fine-grained access.

Why this answer

Shared VPC allows IAM permissions on individual subnets. You can grant the compute.subnetUser role on a specific subnet to a service project.
