Google Professional Cloud Network Engineer (PCNE) — Questions 826-900

982 questions total · 14 pages · All types, answers revealed

Page 12 of 14
826
MCQ · easy

A developer wants to create a GKE cluster with a separate subnet for pods and services to avoid IP address exhaustion. What type of secondary IP ranges should they configure on the VPC subnet?

A.Primary IP ranges
B.External IP ranges
C.Alias IP ranges
D.Secondary IP ranges for pods and services
Answer: D

Correct. VPC-native GKE clusters take pod and service addresses from secondary ranges defined on the subnet.

Why this answer

GKE (VPC-native, alias-IP clusters) uses two secondary IP ranges on the subnet: one for pods and one for services. You define them on the subnet, then reference them by name with --cluster-secondary-range-name and --services-secondary-range-name when creating the cluster. Alias IP ranges (C) are the mechanism pods use to consume addresses from the pod range, not something you configure on the subnet itself.

827
MCQ · hard

An organization wants to allow only certain users to access a service published via Private Service Connect. They need to restrict access based on the source VPC network. What should they use?

A.Firewall rules in the consumer VPC
B.IAM permissions on the service attachment
C.Consumer allow lists in the service attachment
D.VPC Service Controls
Answer: C

The consumer accept list on the service attachment (--consumer-accept-list) restricts which projects or VPC networks are allowed to connect.

Why this answer

A producer publishes a service through a Private Service Connect service attachment. The attachment's connection preference together with its consumer accept and reject lists decide which consumers may connect; list entries can be projects or, for the source-network control the question asks for, VPC networks. IAM on the attachment (B) governs who may administer it, not which networks can connect; consumer firewall rules (A) are under the consumer's control, not the producer's; VPC Service Controls (D) build perimeters around Google-managed APIs rather than producer-published services.

828
Multi-Select · medium

A company has a VPC with a subnet in us-central1 and needs to allow HTTP traffic (port 80) from the internet to a VM instance. Which TWO configurations are required?

Select 2 answers
A.Configure Cloud NAT for the VPC.
B.Assign an external IP address to the VM.
C.Enable Private Google Access on the subnet.
D.Assign a static internal IP address to the VM.
E.Create a firewall rule to allow ingress on TCP port 80 from 0.0.0.0/0.
Answers: B, E

An external IP makes the VM reachable from the internet, and an explicit ingress allow rule is needed because the implied rule denies all inbound traffic.

Why this answer

Option B is correct because a VM must have an external (public) IP address assigned to be directly reachable from the internet (an external load balancer in front of it is the other common pattern, but it is not among the options). Without an external IP, the VM cannot receive inbound traffic initiated from outside the VPC, even with proper firewall rules. Option E is equally required: the implied ingress rule denies everything, so an ingress rule allowing tcp:80 from the internet (0.0.0.0/0, or narrower if the clients are known) must exist.

Exam trap

Google Cloud often tests the misconception that Cloud NAT or Private Google Access can substitute for an external IP when allowing inbound internet traffic, but these services only support outbound or API-specific connectivity, not inbound internet access.

829
MCQ · easy

A company wants to serve static content from a Cloud Storage bucket and dynamic content from Compute Engine VMs behind a single external URL. Which GCP feature allows this configuration?

A.URL map
B.Traffic Director
C.Cloud CDN
D.Cloud DNS
Answer: A

Correct: a URL map routes requests to different backends by host and path.

Why this answer

The URL map of the global external HTTP(S) load balancer routes requests by host and path: a backend bucket serves the static prefix (for example /static/*) and a backend service fronting the VMs serves everything else, all behind one external IP and certificate. Cloud CDN (C) is a caching option enabled on the backend bucket, not a routing feature.

830
Multi-Select · medium

Which TWO considerations are important when designing a VPC peering strategy between multiple projects in Google Cloud?

Select 2 answers
A.Peering is transitive by default
B.Subnet IP ranges in peered VPCs must not overlap
C.Firewall rules in one VPC automatically apply to peered VPCs
D.VPC peering can only be used within the same project
E.Custom routes can be exchanged between peered VPCs if configured
Answers: B, E

Overlapping ranges are rejected when the peering is created.

Why this answer

Option B is correct because VPC peering requires that subnet IP ranges in the peered VPCs do not overlap, primary and secondary ranges included. Google Cloud refuses to establish the peering if any ranges overlap, and once peered it refuses to create a new subnet (or expand an existing one) that would overlap the peer network, because a packet for an address present in both networks could not be routed unambiguously. Option E is correct because custom static and dynamic routes are exchanged only when the export and import custom routes options are enabled on both sides of the peering; subnet routes are exchanged automatically.

Exam trap

Google Cloud often tests the misconception that VPC peering is transitive, leading candidates to select Option A. It never is: a hub VPC peered to two spokes does not let the spokes reach each other, and anyone needing transitive reachability must build it with a different construct (for example Network Connectivity Center or a hub VPC that forwards traffic).
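The overlap rule and the non-transitivity point, as an added example that is not part of the exam page or Google's tooling: it compares every primary and secondary range of two constructed networks the way Google Cloud does before accepting a peering, and it evaluates peerings strictly pairwise, so an A-B and a B-C peering say nothing about A and C. Network names, subnet names and ranges are constructed.

```python
"""Pre-check VPC networks for IP range overlap before peering them.

Added example, not part of the exam page. The subnet inventories are
constructed; the check mirrors Google Cloud's rule that no primary or
secondary subnet range in one network may overlap any range in the other.
Peering is pairwise only, so A<->B and B<->C peerings do not connect A and C.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventories: subnet name -> [primary range, secondary ranges...]
VPC_A: Dict[str, List[str]] = {
    "web-subnet": ["10.10.0.0/20"],
    "gke-subnet": ["10.20.0.0/20", "10.100.0.0/16", "10.200.0.0/20"],  # primary, pods, services
}
VPC_B: Dict[str, List[str]] = {
    "db-subnet": ["10.30.0.0/20"],
    "analytics-subnet": ["10.100.128.0/17"],  # collides with VPC_A's pod range
}
VPC_C: Dict[str, List[str]] = {
    "spoke-subnet": ["10.40.0.0/20"],
}

Conflict = Tuple[str, str, str, str]


def peering_conflicts(net_a: Dict[str, List[str]], net_b: Dict[str, List[str]]) -> List[Conflict]:
    """Return every (subnet_a, range_a, subnet_b, range_b) pair that overlaps."""
    found: List[Conflict] = []
    for subnet_a, ranges_a in net_a.items():
        for cidr_a in ranges_a:
            block_a = ipaddress.ip_network(cidr_a)
            for subnet_b, ranges_b in net_b.items():
                for cidr_b in ranges_b:
                    if block_a.overlaps(ipaddress.ip_network(cidr_b)):
                        found.append((subnet_a, cidr_a, subnet_b, cidr_b))
    return found


def can_peer(net_a: Dict[str, List[str]], net_b: Dict[str, List[str]]) -> bool:
    """Google Cloud rejects the peering if any range overlaps."""
    return not peering_conflicts(net_a, net_b)


def check_peerings(networks: Dict[str, Dict[str, List[str]]],
                   peerings: List[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Evaluate each requested peering on its own; only directly peered pairs are compared."""
    return {pair: can_peer(networks[pair[0]], networks[pair[1]]) for pair in peerings}


def reachable_over_peering(peerings: List[Tuple[str, str]], src: str, dst: str) -> bool:
    """VPC peering is not transitive: only a direct peering gives connectivity."""
    return (src, dst) in peerings or (dst, src) in peerings


if __name__ == "__main__":
    nets = {"vpc-a": VPC_A, "vpc-b": VPC_B, "vpc-c": VPC_C}
    wanted = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-c")]
    print(peering_conflicts(VPC_A, VPC_B))
    print(check_peerings(nets, wanted))
    print("a reaches c:", reachable_over_peering(wanted, "vpc-a", "vpc-c"))
```

Run it before requesting a peering from a team you do not control; the conflict list tells you which secondary range (here a GKE pod range) has to move.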

831
MCQ · medium

A company is using Partner Interconnect with a service provider that offers Layer 3 connectivity. The service provider manages the BGP sessions. The engineer needs to create a VLAN attachment on the Google side. Which attachment type should they choose?

A.PARTNER
B.MANAGED
C.DEDICATED
D.PARTNER_PROVIDER
Answer: A

The VLAN attachment a customer creates for Partner Interconnect is always of type PARTNER; PARTNER_PROVIDER is the attachment object the service provider creates on their own side.

Why this answer

For Partner Interconnect the customer creates an attachment of type PARTNER (gcloud compute interconnects attachments partner create) and hands the resulting pairing key to the provider, who then creates the matching PARTNER_PROVIDER attachment in their own project; a customer cannot create that type. The Layer 2 versus Layer 3 choice changes who configures BGP, not the attachment type: with a Layer 3 provider the BGP session is configured by the provider and appears pre-populated on the Cloud Router once the attachment is activated, while with Layer 2 the customer configures BGP on their own router. DEDICATED is the type used by Dedicated Interconnect, and MANAGED is not an attachment type.

832
Multi-Select · medium

A company has a VPC with firewall rules. They want to ensure that only traffic from known IP ranges can access their web server instances. Which two firewall rule configurations are appropriate? (Choose two.)

Select 2 answers
A.Ingress rule with source IP range of the company's public IPs and allow tcp:443
B.Ingress rule with source IP range 0.0.0.0/0 and allow tcp:80
C.Ingress rule with source IP range of the company's public IPs and allow tcp:80
D.Ingress rule with source tag 'web' and allow tcp:80
E.Ingress rule with destination IP range 0.0.0.0/0 and allow tcp:80
Answers: A, C

Both rules limit web traffic (HTTPS and HTTP) to the company's known public IP ranges.

Why this answer

Options A and C are correct because both are ingress rules whose source range is limited to the company's known public IPs on the ports the web server actually serves (tcp:443 and tcp:80). Option B is incorrect because a source range of 0.0.0.0/0 admits the whole internet. Option D is incorrect because a source tag identifies other VM instances in the same VPC, not external addresses, so it cannot describe internet clients. Option E is incorrect because a destination range says nothing about where traffic comes from, and restricting sources is the whole requirement.

833
MCQ · medium

An engineer is configuring Dedicated Interconnect between an on-premises data center and Google Cloud. Cloud Router is set up with BGP sessions. The BGP session remains in Idle state. Which of the following is the most likely cause?

A.The Cloud Router's BGP IP address is not in the same subnet as the on-premises router's interface.
B.The on-premises router is not advertising the Google Cloud VPC subnet routes.
C.The interconnect is not configured with redundant links.
D.The VLAN attachment is not in the same region as the Cloud Router.
Answer: A

A BGP peer IP mismatch is a common cause of a session stuck in Idle.

Why this answer

The BGP session remains in Idle because the Cloud Router's BGP IP address is not in the same subnet as the on-premises router's interface. For BGP over a VLAN attachment the two peer addresses are taken from the same link-local /29 block in 169.254.0.0/16 that was assigned to the attachment (Cloud VPN tunnels use a /30 from the same space). If the on-premises interface is configured in a different subnet, the TCP session on port 179 that BGP rides on can never be established, so the Cloud Router side never leaves Idle.

Exam trap

The trap here is that candidates often confuse BGP session states with route advertisement issues, assuming missing routes cause Idle state, when in fact Idle state is a Layer 3 connectivity problem, not a routing policy problem.

How to eliminate wrong answers

Option B is wrong because the on-premises router not advertising the Google Cloud VPC subnet routes would not cause the BGP session to remain in Idle state; it would instead cause routes to be missing from the routing table after the session is established. Option C is wrong because redundant links are not required for a single BGP session to transition out of Idle state; redundancy affects high availability, not the initial BGP peering process. Option D is wrong because the VLAN attachment must be in the same region as the Cloud Router for the interconnect to function, but if it were not, the BGP session would not even be configured or would fail at a lower layer, not specifically remain in Idle state.

834
Multi-Select · hard

An organization has a VPC with multiple subnets. They want to log all outbound connections from instances to the internet for compliance. They also want to use a cost-effective solution that doesn't require a proxy. Which three components are needed? (Choose three.)

Select 3 answers
A.Cloud NAT
B.Cloud Logging
C.Cloud VPN
D.Cloud Router
E.VPC Flow Logs
Answers: A, B, D

Cloud NAT with logging enabled records each outbound translation, the Cloud Router hosts the gateway, and Cloud Logging stores the entries.

Why this answer

Cloud NAT logging (--enable-logging with --log-filter=ALL, ERRORS_ONLY or TRANSLATIONS_ONLY) writes a Cloud Logging entry for each translated connection and for each connection dropped because NAT ports were exhausted, so it records every outbound connection rather than a sample and needs no proxy. A Cloud NAT gateway must be attached to a Cloud Router in the subnet's region, which is why Cloud Router is required. VPC Flow Logs (E) are sampled and also capture internal traffic, and Cloud VPN (C) has nothing to do with internet egress.

835
MCQ · medium

An organization uses Cloud CDN to serve static content from a backend bucket. They want to ensure that content is always served from the edge regardless of cache-control headers from the origin. Which cache mode should they set?

A.USE_ORIGIN_HEADERS
B.ENABLE_CACHE
C.FORCE_CACHE_ALL
D.CACHE_ALL_STATIC
Answer: C

FORCE_CACHE_ALL caches every response regardless of the origin's cache directives.

Why this answer

FORCE_CACHE_ALL caches all successful responses, ignoring private, no-store and no-cache directives from the origin, so it is only safe on a backend that serves genuinely public content (it must never be used where per-user responses could be cached). CACHE_ALL_STATIC caches static content types (CSS, JavaScript, images, fonts, video) unless the origin forbids it, and USE_ORIGIN_HEADERS caches only what the origin's headers mark as cacheable.

836
MCQ · hard

A company has a VPC with subnets in us-central1 and europe-west1. They create a Private Service Connect endpoint for a managed service in us-central1. Can Compute Engine instances in europe-west1 access the endpoint?

A.Yes, if they use a global load balancer in front of the endpoint.
B.No, unless the VPC is peered with another VPC that contains the endpoint.
C.Yes, because the endpoint is accessible from any region in the VPC.
D.No, because the endpoint is only accessible from the same region.
Answer: D

By default a Private Service Connect endpoint for a published service is reachable only from its own region.

Why this answer

A Private Service Connect endpoint for a published service is a regional forwarding rule. By default only clients in the endpoint's region can use it, so instances in europe-west1 cannot reach an endpoint created in us-central1. Cross-region access exists only when the producer enables global access on the internal load balancer forwarding rule behind the service attachment and the consumer creates the endpoint with --allow-psc-global-access; the question describes neither, and the consumer cannot turn it on alone. (Endpoints for Google APIs, by contrast, are global.)

Option D correctly identifies this regional restriction.

Exam trap

The trap here is that candidates assume a VPC is a global construct and therefore any resource within it is globally accessible, but Google Cloud tests the regional nature of Private Service Connect endpoints for published services, which are not reachable from other regions unless global access is configured on both the producer and consumer side.

How to eliminate wrong answers

Option A is wrong because putting a load balancer in front of the consumer does not change the endpoint's scope; the endpoint is still a regional forwarding rule in us-central1 and clients in another region are still outside it. Option B is wrong because VPC peering does not extend cross-region reach to an endpoint; the restriction comes from the endpoint's region, not from which VPC it lives in. Option C is wrong because a published-service endpoint is not reachable from any region in the VPC by default; it becomes so only if the producer enables global access and the endpoint is created with global access allowed.

837
MCQ · medium

A company is using VPC Flow Logs to analyze traffic patterns. They need to reduce the volume of logs by approximately 75% while still capturing representative data for troubleshooting. What is the most effective configuration change?

A.Export logs only to BigQuery instead of Stackdriver
B.Filter logs to only include traffic on port 80
C.Disable VPC Flow Logs on subnets with low traffic
D.Set the sampling rate to 0.25
Answer: D

A sampling rate of 0.25 keeps one flow in four, a 75% reduction against unsampled logging and a halving against the default.

Why this answer

VPC Flow Logs let you set the sampling rate anywhere from 0.0 to 1.0 (the default is 0.5). Setting it to 0.25 logs 25% of flows: a 75% reduction relative to full sampling and a halving relative to the default, while still producing a representative sample of every flow type. Volume can also be trimmed with a longer aggregation interval (5 seconds up to 15 minutes) and by excluding metadata. Filtering to port 80 (B) or switching logs off on some subnets (C) changes which traffic is visible rather than thinning it uniformly, and the export destination (A) does not change how much is generated.

838
Multi-Select · hard

A company has a Hybrid Connectivity setup using Cloud VPN with BGP. They want to migrate to Dedicated Interconnect for better performance. During the migration, they need to avoid downtime. Which THREE steps should they take?

Select 3 answers
A.Set a lower local preference on the Interconnect BGP session
B.Remove the VPN tunnels immediately after Interconnect is up
C.Provision the Dedicated Interconnect and VLAN attachments
D.Configure BGP on the Interconnect with a higher local preference than the VPN
E.Gradually withdraw VPN routes after verifying Interconnect traffic
Answers: C, D, E

The Interconnect path must exist and be carrying verified traffic before the VPN is withdrawn.

Why this answer

Option C is correct because provisioning the Dedicated Interconnect and VLAN attachments is the foundational step; without it there is no path to migrate traffic onto, and no BGP configuration or route manipulation can happen. Option D is correct because raising the local preference on the on-premises router for routes learned over the Interconnect session makes on-premises to Google Cloud traffic prefer it while the VPN stays up as a fallback; local preference is local to the router that sets it, so for the Google Cloud to on-premises direction the matching step is a higher advertised route priority (a lower MED) on the Interconnect Cloud Router BGP session than on the VPN session. Option E is correct because withdrawing the VPN routes only after the Interconnect has carried traffic under load is what keeps the migration downtime-free.

Exam trap

Google Cloud often tests the misconception that you should immediately remove the old connection (VPN tunnels) once the new one (Interconnect) is up, but the correct approach is to gracefully shift traffic using BGP attributes and then decommission the old path only after verification.

839
MCQ · easy

A network engineer wants to see a real-time graphical representation of the topology of their VPC network, including instances, subnets, and load balancers. Which Network Intelligence Center tool should they use?

A.Performance Dashboard
B.Network Topology
C.Connectivity Tests
D.Firewall Insights
Answer: B

Network Topology displays a live graph of VPC resources.

Why this answer

Network Topology provides a visual map of your VPC network's resources and their relationships, updated in near real-time.

840
MCQ · easy

A developer needs to create a GKE cluster that uses a secondary IP range for pods and another for services. During VPC subnet creation, they set a primary IP range and two secondary ranges. Which flag must be used when creating the subnet to specify the pods range?

A.--pods-range
B.--secondary-range
C.--additional-ip-range
D.--auxiliary-range
Answer: B

--secondary-range adds named secondary ranges to a subnet at creation time.

Why this answer

Use --secondary-range NAME=CIDR with gcloud compute networks subnets create (for example --secondary-range pods=10.4.0.0/14,services=10.0.32.0/20); the flag takes a comma-separated list or can be repeated, so one entry names the pod range and another the service range, and the cluster later references them by those names. Ranges can also be added to an existing subnet with gcloud compute networks subnets update --add-secondary-ranges. The other flags in the options do not exist.
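The capacity question behind questions 826 and 840 (how many nodes and services a pair of secondary ranges can actually support) as an added example, not code from the exam page or from Google. It applies the documented GKE rule that each node is handed a pod block of at least twice its maximum pods (the default 110 pods per node gives a /24 per node), checks that the primary, pod and service ranges are disjoint, and emits the --secondary-range flag text for the subnet create command. The range values are constructed; the flag syntax is gcloud's.

```python
"""Size the pod and services secondary ranges for a VPC-native GKE cluster.

Added example, not from the exam page or from Google. Each node receives a
pod block of at least 2 x max-pods (110 pods -> /24 per node); the number
of nodes a pod range can serve follows from that. Ranges are constructed.
"""
import ipaddress
import math
from typing import Dict


def node_pod_prefix(max_pods_per_node: int) -> int:
    """Prefix length of the per-node pod block: smallest power of two >= 2*max_pods."""
    if not 8 <= max_pods_per_node <= 256:
        raise ValueError("GKE allows between 8 and 256 pods per node")
    bits = math.ceil(math.log2(2 * max_pods_per_node))
    return 32 - bits


def max_nodes(pods_cidr: str, max_pods_per_node: int) -> int:
    """How many nodes the pod secondary range can serve."""
    cluster = ipaddress.ip_network(pods_cidr)
    per_node = node_pod_prefix(max_pods_per_node)
    if per_node < cluster.prefixlen:
        return 0  # range smaller than a single node's block
    return 2 ** (per_node - cluster.prefixlen)


def plan_ranges(subnet_cidr: str, pods_cidr: str, services_cidr: str,
                max_pods_per_node: int = 110) -> Dict[str, object]:
    """Check the three ranges are disjoint and report capacity plus the gcloud flag."""
    blocks = {
        "primary": ipaddress.ip_network(subnet_cidr),
        "pods": ipaddress.ip_network(pods_cidr),
        "services": ipaddress.ip_network(services_cidr),
    }
    names = list(blocks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if blocks[a].overlaps(blocks[b]):
                raise ValueError(f"{a} range overlaps {b} range")
    return {
        # node addresses come from the primary range; Google reserves 4 per subnet
        "max_nodes_by_primary_range": blocks["primary"].num_addresses - 4,
        "max_nodes_by_pod_range": max_nodes(pods_cidr, max_pods_per_node),
        "max_services": blocks["services"].num_addresses,
        "secondary_range_flag": f"--secondary-range pods={pods_cidr},services={services_cidr}",
    }


if __name__ == "__main__":
    # Constructed plan: /22 for nodes, /14 for pods, /20 for services.
    for key, value in plan_ranges("10.0.0.0/22", "10.4.0.0/14", "10.0.32.0/20").items():
        print(f"{key}: {value}")
```

The smaller of the two node limits is the real ceiling; a /16 pod range with the default 110 pods per node stops a cluster at 256 nodes no matter how large the primary range is, which is the exhaustion the question is about.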

841
MCQ · medium

A company uses Cloud CDN to cache content from a backend bucket. They want to ensure that only objects with a Cache-Control header indicating public cacheability are cached. Which cache mode should they select?

A.CACHE_ALL_STATIC
B.USE_ORIGIN_HEADERS
C.None of the above
D.FORCE_CACHE_ALL
Answer: B

USE_ORIGIN_HEADERS caches a response only when the origin's own headers say it is cacheable.

Why this answer

USE_ORIGIN_HEADERS caches only responses the origin marks cacheable: a Cache-Control header carrying public, max-age or s-maxage (or an Expires header) and none of private, no-store or no-cache. It is the right mode when the origin is trusted to classify its own content and per-user responses must never end up in the cache.
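The cacheability decision for the three modes in questions 835 and 841, as an added example that is not Cloud CDN code: it encodes the documented rules (USE_ORIGIN_HEADERS needs public, max-age, s-maxage or Expires and no private/no-store/no-cache; CACHE_ALL_STATIC additionally caches static content types unless the origin forbids it; FORCE_CACHE_ALL caches everything), so you can test what a given backend's headers would do before choosing a mode. The static content-type list is a representative subset and an assumption; the sample responses are constructed.

```python
"""Decide whether Cloud CDN would cache an origin response under each cache mode.

Added example, not Cloud CDN code. The static-type list is a representative
subset (assumption); the responses passed in by the caller are constructed.
"""
from typing import Dict

STATIC_TYPES = {"text/css", "text/javascript", "application/javascript",
                "image/png", "image/jpeg", "image/gif", "image/webp", "image/svg+xml",
                "font/woff", "font/woff2", "video/mp4", "audio/mpeg"}
FORBIDDING = {"private", "no-store", "no-cache"}


def parse_cache_control(value: str) -> Dict[str, str]:
    """'public, max-age=3600' -> {'public': '', 'max-age': '3600'} (names lower-cased)."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip().lower()
        if token:
            name, _, arg = token.partition("=")
            directives[name.strip()] = arg.strip().strip('"')
    return directives


def _ttl(directives: Dict[str, str], name: str) -> int:
    try:
        return int(directives.get(name, "0"))
    except ValueError:
        return 0


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def origin_allows_caching(headers: Dict[str, str]) -> bool:
    """What USE_ORIGIN_HEADERS honours: explicit cacheability and no forbidding directive."""
    h = _normalise(headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    if FORBIDDING & cc.keys():
        return False
    return ("public" in cc or _ttl(cc, "max-age") > 0
            or _ttl(cc, "s-maxage") > 0 or "expires" in h)


def cdn_caches(mode: str, headers: Dict[str, str]) -> bool:
    """True if Cloud CDN would store this response under the given cache mode."""
    if mode == "FORCE_CACHE_ALL":
        return True  # origin directives are ignored, private content included
    if origin_allows_caching(headers):
        return True  # the two remaining modes both honour explicit cacheability
    if mode == "CACHE_ALL_STATIC":
        h = _normalise(headers)
        cc = parse_cache_control(h.get("cache-control", ""))
        content_type = h.get("content-type", "").split(";")[0].strip().lower()
        return content_type in STATIC_TYPES and not (FORBIDDING & cc.keys())
    if mode == "USE_ORIGIN_HEADERS":
        return False
    raise ValueError(f"unknown cache mode {mode}")


if __name__ == "__main__":
    # Constructed responses: a public asset, a per-user page, an unlabelled image.
    samples = {
        "public css": {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"},
        "account page": {"Content-Type": "text/html", "Cache-Control": "private, no-store"},
        "bare image": {"Content-Type": "image/png"},
    }
    for mode in ("USE_ORIGIN_HEADERS", "CACHE_ALL_STATIC", "FORCE_CACHE_ALL"):
        print(mode, {name: cdn_caches(mode, hdrs) for name, hdrs in samples.items()})
```

The "account page" row is the one to look at: only FORCE_CACHE_ALL would cache it, which is why that mode belongs on a backend bucket of public objects and not on a backend service that can return user-specific responses.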

842
MCQ · easy

A company wants to forward DNS queries from their on-premises network to Google Cloud for resolution of private zone names. Which configuration is required?

A.DNS peering
B.DNS inbound server policy
C.DNS forwarding zone
D.Managed private zone
Answer: B

An inbound server policy allocates forwarder IP addresses in the VPC that on-premises resolvers send queries to over VPN or Interconnect.

Why this answer

Option B is correct because an inbound server policy makes Cloud DNS answer queries that arrive from on-premises: once the policy is attached to the VPC, Cloud DNS allocates an inbound forwarder IP address in each region that has a subnet, and you point the on-premises resolver's conditional forwarders for the private zone at those addresses over the VPN or Interconnect path. That is the only way to expose Cloud DNS private zones to an external resolver.

Exam trap

The trap here is that candidates confuse the direction of DNS forwarding—assuming a forwarding zone (which sends queries from Cloud to on-premises) is the same as an inbound policy (which receives queries from on-premises)—and overlook that the question specifies forwarding from on-premises to Google Cloud.

How to eliminate wrong answers

Option A is wrong because DNS peering is used to enable resolution between two Google Cloud VPC networks, not for forwarding queries from an on-premises network. Option C is wrong because a DNS forwarding zone is a Cloud DNS configuration that forwards queries from Google Cloud to an on-premises resolver, not the reverse direction required here. Option D is wrong because a managed private zone only hosts DNS records within Google Cloud and does not provide any mechanism to receive or forward queries from external networks.

843
MCQ · medium

An engineer is troubleshooting outbound connectivity from a Compute Engine instance that has no external IP. The instance needs to reach an external service on the internet. Cloud NAT is configured on the VPC network. However, the instance cannot connect. What is the most likely cause?

A.Private Google Access is not enabled
B.The instance has an external IP assigned
C.Egress firewall rules are blocking the traffic
D.The Cloud NAT gateway is in a different region than the instance
Answer: C

Correct. Cloud NAT translates a packet only after the VPC egress firewall rules have allowed it; the implied rule allows all egress, but a custom deny rule wins.

Why this answer

For Cloud NAT to carry the traffic, the instance must have no external IP, its subnet range must be served by a NAT gateway in the same region, the VPC must still have a route to the default internet gateway, and egress firewall rules must permit the flow. With the gateway already in place, a deny egress rule (or one with a higher priority than the intended allow) is the most likely cause; Private Google Access (A) only affects reachability of Google APIs, and an external IP (B) would make the VM bypass NAT rather than fail.

844
MCQ · medium

A security team wants to enforce a policy that blocks all egress traffic to the internet from a specific set of VMs across multiple projects in an organization. The policy should be centrally managed and override VPC-level firewall rules. Which approach should they use?

A.Create VPC firewall rules with deny egress for the specific VMs in each VPC.
B.Deploy a hierarchical firewall policy at the organization level with a deny egress rule targeting the VMs.
C.Use a network firewall policy attached to each VPC network.
D.Configure Cloud Armor security policies on the load balancer to block egress.
Answer: B

Hierarchical firewall policies are managed centrally and evaluated before any VPC firewall rule.

Why this answer

Hierarchical firewall policies attach to the organization or to folders and are evaluated before network firewall policies and VPC firewall rules, in that order; a deny rule matched at the organization level takes effect regardless of the priority number of any VPC rule, and project owners cannot override it (only a goto_next rule defers the decision to the next level). Hierarchical rules target VMs by service account or secure tag rather than by network tag. A network firewall policy (C) would have to be attached to every VPC separately, and Cloud Armor (D) filters inbound traffic at a load balancer and has no egress role.
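The evaluation order behind questions 832, 843 and 844, as an added example that is not Google code: a small simulator that applies hierarchical policies (organization, then folders) before VPC rules, honours goto_next, then falls back to the implied rules, and runs a few constructed packets through it to show a project-level allow losing to an organization-level deny, an internet source failing to match a corporate-only ingress rule, and a custom egress deny stopping traffic before Cloud NAT ever sees it. Hierarchical rules target VMs by service account or secure tag and VPC rules by network tag or service account; both are represented here as labels on the VM. Policies, rules and packets are constructed.

```python
"""Simulate Google Cloud firewall evaluation order for a packet.

Added example, not Google code. Order modelled: hierarchical policies
(org, then folders) first, goto_next falls through to the next level,
then VPC firewall rules by priority, then the implied rules (deny
ingress, allow egress). All policies, rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Rule:
    name: str
    direction: str             # "ingress" or "egress"
    action: str                # "allow", "deny" or "goto_next" (hierarchical only)
    priority: int              # lower number is evaluated first within a policy
    ranges: List[str]          # source ranges (ingress) / destination ranges (egress)
    protocol: str = "all"
    ports: Set[int] = field(default_factory=set)     # empty means any port
    targets: Set[str] = field(default_factory=set)   # empty means every VM


@dataclass
class Packet:
    direction: str
    peer_ip: str               # source for ingress, destination for egress
    protocol: str
    port: int
    vm_labels: Set[str]        # e.g. {"tag:web", "sa:locked-down"}


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.targets and not (rule.targets & pkt.vm_labels):
        return False
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    addr = ipaddress.ip_address(pkt.peer_ip)
    return any(addr in ipaddress.ip_network(r) for r in rule.ranges)


def evaluate(pkt: Packet, hierarchical: List[List[Rule]], vpc_rules: List[Rule]) -> Tuple[str, str]:
    """Return (verdict, rule name). hierarchical is ordered org -> folder -> subfolder."""
    for policy in hierarchical:
        for rule in sorted(policy, key=lambda r: r.priority):
            if rule_matches(rule, pkt):
                if rule.action == "goto_next":
                    break                      # defer to the next policy level
                return rule.action, rule.name
    for rule in sorted(vpc_rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    if pkt.direction == "ingress":
        return "deny", "implied-deny-ingress"
    return "allow", "implied-allow-egress"


# Constructed org policy: block internet egress for locked-down service accounts,
# let everything else fall through to the project's own VPC rules.
ORG_POLICY = [
    Rule("org-deny-internet-egress", "egress", "deny", 100, ["0.0.0.0/0"], targets={"sa:locked-down"}),
    Rule("org-goto-next", "egress", "goto_next", 65000, ["0.0.0.0/0"]),
]
# Constructed VPC rules for the project.
VPC_RULES = [
    Rule("allow-https-from-corp", "ingress", "allow", 1000, ["203.0.113.0/24"], "tcp", {443}, {"tag:web"}),
    Rule("deny-egress-smtp", "egress", "deny", 900, ["0.0.0.0/0"], "tcp", {25}),
    Rule("allow-egress-all", "egress", "allow", 65000, ["0.0.0.0/0"]),
]


def verdict(direction: str, peer_ip: str, protocol: str, port: int, labels) -> Tuple[str, str]:
    return evaluate(Packet(direction, peer_ip, protocol, port, set(labels)), [ORG_POLICY], VPC_RULES)


if __name__ == "__main__":
    print(verdict("ingress", "203.0.113.7", "tcp", 443, ["tag:web"]))      # corporate client
    print(verdict("ingress", "198.51.100.9", "tcp", 443, ["tag:web"]))     # random internet host
    print(verdict("egress", "8.8.8.8", "tcp", 443, ["sa:locked-down"]))   # org deny wins
    print(verdict("egress", "8.8.8.8", "tcp", 25, ["sa:app"]))           # VPC deny beats NAT
```

Note that the VPC allow-egress-all rule never gets a vote for the locked-down service account: the organization policy has already decided, whatever priority the project assigns.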

845
MCQ · hard

An organization uses Shared VPC with multiple service projects. They want to ensure that only certain service projects can use a specific subnet. How can this be achieved?

A.Use VPC subnet secondary IP ranges.
B.Use IAM roles on the subnet to grant access to specific service projects.
C.Use VPC Network Tags on the VM instances.
D.Use VPC firewall rules with service accounts to restrict access.
Answer: B

Subnet-level IAM (roles/compute.networkUser on the subnet) restricts which service projects can use a given subnet.

Why this answer

Option B is correct because Shared VPC access is granted per subnet: giving a service project's principals (the developers who create VMs, or the Compute Engine and GKE service accounts that do) roles/compute.networkUser on that subnet alone, with gcloud compute networks subnets add-iam-policy-binding, lets them use that subnet and no other. Option A is wrong because secondary ranges only carve out extra address space for aliases. Option C is wrong because network tags select firewall targets, not who may use a subnet. Option D is wrong because firewall rules with service accounts filter traffic after a VM exists; they do not control subnet permissions.

846
MCQ · medium

A company is using Partner Interconnect to connect their on-premises network to Google Cloud. They need to choose between Layer 2 and Layer 3 connectivity options offered by the service provider. Which statement correctly describes the difference between Layer 2 and Layer 3 connectivity in Partner Interconnect?

A.Layer 2 connectivity requires the customer to configure BGP with Google Cloud, while Layer 3 does not require any BGP on the customer side.
B.Layer 2 connectivity is only available for Dedicated Interconnect, not Partner Interconnect.
C.Both Layer 2 and Layer 3 require the customer to manage VLAN attachments inside GCP.
D.Layer 3 connectivity requires the customer to have a BGP session with the partner's router, while Layer 2 allows direct BGP with Google Cloud.
Answer: D

With Layer 2 the customer's own router peers with Cloud Router; with Layer 3 the partner's router is the routing hop between the customer and Google.

Why this answer

With Layer 2 the partner provides a transparent VLAN and the customer configures BGP on their own router against the Cloud Router. With Layer 3 the partner's edge router holds the BGP session with Cloud Router (Google uses ASN 16550 for Partner Interconnect), and the customer's routing relationship, BGP or static as the partner offers it, is with the partner's router rather than with Google. Option C is true as far as it goes (the customer creates the VLAN attachment in either case) but describes no difference, and B is false because both options exist only for Partner Interconnect.

847
MCQ · hard

A network engineer is setting up HA VPN between an on-premises network and a GCP VPC. They have configured two Cloud VPN gateways in GCP, each with two interfaces, and four tunnels. They are using BGP with Cloud Router. However, only one of the four tunnels is established. What is the most likely cause?

A.The Cloud Router ASN is not unique to the project
B.The on-premises VPN gateway is using the same peer IP for multiple tunnels
C.The Cloud Router is not advertising the default route
D.The VPC firewall rules are blocking UDP port 500
Answer: B

Each HA VPN tunnel is identified by its Cloud VPN interface and its peer IP; reusing one peer IP for several tunnels from the same interface prevents the extra tunnels, and their BGP sessions, from coming up.

Why this answer

An HA VPN gateway has two interfaces, each with its own external IP, and the on-premises side is described to Google Cloud by an external VPN gateway resource with one, two or four interfaces. Each tunnel must pair a distinct combination of Cloud VPN interface and peer interface. If several tunnels from the same Cloud VPN interface are pointed at the same on-premises IP, IKE negotiation can succeed for at most one of them and the BGP sessions on the others never form, which matches one tunnel up out of four.

VPC firewall rules (D) do not apply to the Cloud VPN gateway itself, so they cannot block IKE on UDP 500; an unadvertised default route (C) or a non-unique ASN (A) would leave tunnels established but with missing routes, not down.

848
MCQ · hard

A company is using Partner Interconnect with a 2 Gbps VLAN attachment. They notice that throughput is only about 500 Mbps during peak hours. They have verified that the on-premises link is not saturated. What is the most likely cause?

A.The VLAN attachment is configured with a lower bandwidth cap
B.Cloud Router is not using the partner's ASN
C.The VPC MTU is set to 1500 bytes
D.The on-premises router does not support BGP multipath
Answer: A

A Partner Interconnect VLAN attachment has a capacity chosen when it is ordered (50 Mbps up to 50 Gbps); the partner provisions to that figure, not to the speed of the physical link.

Why this answer

The partner enforces the capacity selected for the VLAN attachment, so an attachment ordered at 500 Mbps is capped at 500 Mbps even though the physical port and the on-premises link are 2 Gbps. Check the attachment's bandwidth with gcloud compute interconnects attachments describe and compare it with what was ordered from the partner.

An MTU of 1500 bytes (C) costs some efficiency but does not impose a ceiling at a quarter of capacity; BGP multipath (D) only matters when traffic is spread over more than one attachment; and the ASN used on the session (B) either lets the session establish or not, it does not throttle it.

849
MCQ · hard

A company uses VPC Flow Logs for traffic analysis. They notice that logs are missing for a specific Compute Engine instance that handles high traffic. The subnet has Flow Logs enabled. What is the most likely reason?

A.The instance is using Private Google Access.
B.Flow Logs are sampled and may drop high-throughput traffic.
C.The instance's network interface has an external IP.
D.The instance is in a different region from the log sink.
Answer: B

Flow Logs are sampled, and on very busy VMs Google Cloud can lower the effective sampling rate further.

Why this answer

VPC Flow Logs record a sample of flows at the configured rate (default 0.5), and for instances with very high throughput the effective rate can be reduced further, so flows from such a VM may be absent from the logs even though the subnet has logging enabled. Private Google Access (A) and an external IP (C) do not suppress logging, and log sinks (D) are not tied to a region.

850
Multi-Select · medium

Which THREE components are required to set up Identity-Aware Proxy (IAP) for TCP forwarding to a VM?

Select 3 answers
A.A firewall rule that allows ingress from 35.235.240.0/20 to the VM on the desired port.
B.The user or group must have the IAP-secured Tunnel User role on the project.
C.The VM must have an external IP address.
D.IAP API enabled in the project.
E.A NAT gateway configured for the VPC.
Answers: A, B, D

35.235.240.0/20 is the source range IAP TCP forwarding connects from.

Why this answer

Option A is correct because IAP TCP forwarding connects to the VM's internal IP from the source range 35.235.240.0/20, so an ingress rule allowing that range on the target port (for example tcp:22 for SSH or tcp:3389 for RDP) is required; without it the tunnel is refused even for an authenticated user. Option B is correct because the user also needs the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor), and Option D because the IAP API must be enabled in the project. Neither an external IP (C) nor Cloud NAT (E) plays any part.

Exam trap

Google Cloud often tests the misconception that a VM must have a public IP to be accessed remotely, but IAP TCP forwarding specifically eliminates that requirement by tunneling through the internal network.

851
MCQ · hard

A financial services company is deploying a new payment processing application in Google Cloud. The architecture consists of: a VPC named 'payment-vpc' with subnet 'payment-subnet' (10.1.0.0/16), a managed instance group (MIG) of backend servers in payment-subnet, an internal TCP load balancer (ILB) with IP 10.1.0.10 distributing traffic to the MIG, and a Cloud NAT for outbound internet access. The application must communicate with an external payment gateway over TLS. The security policy requires that all outbound traffic from the backend servers to the internet must egress through a single, centralized Cloud NAT instance to allow traffic inspection. To meet this requirement, the network team has configured: a Cloud Router, a Cloud NAT gateway named 'payment-nat' in payment-vpc, and a default route (0.0.0.0/0, next hop: default internet gateway) in payment-vpc. They have also configured VPC firewall rules to allow outbound HTTPS traffic. During testing, the backend servers cannot connect to the external payment gateway. The team has verified that the Cloud NAT is properly configured and that the VPC firewall rules allow egress traffic. What is the most likely cause of the connectivity failure?

A.The VPC firewall rules are blocking outbound HTTPS traffic from the backend servers.
B.The default route (0.0.0.0/0) with next hop 'default internet gateway' preempts the Cloud NAT route.
C.The Cloud NAT gateway is not in the same region as the backend servers.
D.The Cloud Router's BGP ASN is not properly configured.
Answer: C

Cloud NAT is regional: a gateway serves only subnet ranges in its Cloud Router's region. A VM without an external IP in a subnet that no same-region gateway covers has no way to reach the internet, even though the default route and the firewall rules are correct.

Why this answer

Cloud NAT does not appear in the routing table. It is applied by the network to packets from VMs without external IPs that are routed to the default internet gateway, so the 0.0.0.0/0 route with next hop default-internet-gateway is a requirement for Cloud NAT rather than something that bypasses it. What does limit a gateway is region: it belongs to a Cloud Router in one region and can only translate traffic from the primary and secondary subnet ranges in that region that it is configured to serve (--nat-all-subnet-ip-ranges or an explicit subnet list). If payment-subnet is in a different region from payment-nat, the backend servers have a valid route but no translation, and their TLS connections to the payment gateway never leave Google Cloud. Verifying the gateway's own settings does not catch this, which is why it is the most likely remaining cause.

Exam trap

Google Cloud often tests the misconception that the default route to the internet gateway competes with Cloud NAT; in fact Cloud NAT depends on that route, and the thing to check is whether a gateway exists in the same region as the subnet and includes the subnet's ranges.

How to eliminate wrong answers

Option A is wrong because the team has verified that the VPC firewall rules allow outbound HTTPS. Option B is wrong because it inverts how Cloud NAT works: there is no separate Cloud NAT route for the default route to preempt, and removing or out-prioritizing the default-internet-gateway route would break NAT rather than enable it. Option D is wrong because Cloud NAT uses the Cloud Router only as the container for its configuration; no BGP session or ASN takes part in translating traffic.
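The egress decision described above, as an added example that is not Google code: it selects the route for a destination (longest prefix, then lowest priority number), and when the next hop is the default internet gateway it checks whether the VM has an external IP or whether a Cloud NAT gateway in the VM's region covers its subnet, which is what makes the payment-vpc scenario fail. The routes, gateway, VM and region names are constructed.

```python
"""Trace the egress path of a Compute Engine VM to an internet destination.

Added example, not Google code. Models the documented behaviour that
Cloud NAT relies on a route to the default internet gateway and only
serves subnet ranges in its own region. Routes, gateways and VMs are
constructed; region names are assumptions for the scenario.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    dest: str
    priority: int              # lower number wins among equal-length prefixes
    next_hop: str              # "default-internet-gateway", "vpn:tunnel-a", "ilb:10.1.0.10", ...


@dataclass
class NatGateway:
    name: str
    region: str
    subnets: Optional[List[str]]   # None means all subnet ranges in the region


@dataclass
class Vm:
    name: str
    subnet: str
    region: str
    has_external_ip: bool


def select_route(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest prefix first, then lowest priority number."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.dest)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.priority))


def egress_path(vm: Vm, dst_ip: str, routes: List[Route], nats: List[NatGateway]) -> str:
    route = select_route(routes, dst_ip)
    if route is None:
        return "dropped: no matching route"
    if route.next_hop != "default-internet-gateway":
        return f"forwarded via {route.next_hop}"
    if vm.has_external_ip:
        return "internet via VM external IP"
    for nat in nats:
        if nat.region == vm.region and (nat.subnets is None or vm.subnet in nat.subnets):
            return f"internet via Cloud NAT {nat.name}"
    return f"dropped: no external IP and no Cloud NAT serving {vm.subnet} in {vm.region}"


# Constructed topology for the payment-vpc scenario: the gateway was created in
# a different region from the subnet (region names are assumptions).
ROUTES = [
    Route("0.0.0.0/0", 1000, "default-internet-gateway"),
    Route("10.0.0.0/8", 1000, "vpn:to-onprem"),
]
NATS = [NatGateway("payment-nat", "us-east1", None)]
BACKEND = Vm("payment-backend-1", "payment-subnet", "us-central1", False)


if __name__ == "__main__":
    print(egress_path(BACKEND, "198.51.100.20", ROUTES, NATS))
    fixed = [NatGateway("payment-nat", "us-central1", None)]
    print(egress_path(BACKEND, "198.51.100.20", ROUTES, fixed))
    print(egress_path(BACKEND, "198.51.100.20", ROUTES[1:], fixed))   # default route removed
```

The third line is the counter-example to option B: with the default route gone, the packet has no path at all, NAT or not.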

852
MCQ · medium

An organization needs to route traffic to a group of Compute Engine VM instances in the same zone for a high-throughput TCP application. The solution must preserve the client source IP address and support connection draining. Which load balancer type meets these requirements?

A.Regional external HTTP(S) load balancer
B.Global TCP Proxy load balancer
C.Global external HTTP(S) load balancer
D.Regional external TCP/UDP Network Load Balancer
Answer: D

The Network Load Balancer is pass-through: it preserves the client IP and supports connection draining on backend-service based backends.

Why this answer

The regional external TCP/UDP Network Load Balancer is a pass-through load balancer, so backends see the original client source IP and terminate the TCP connection themselves. Connection draining is available when the NLB uses a backend service with instance group backends. Proxy-based load balancers (TCP Proxy, HTTP(S)) terminate connections at Google's front ends and present their own source IP to the backends unless PROXY protocol or X-Forwarded-For is used.

853
Multi-Select · medium

A company is using Cloud Router with BGP for connectivity to an on-premises network via Partner Interconnect. The BGP session is flapping. Which THREE actions should the engineer take to diagnose the issue?

Select 3 answers
A.Verify BGP timers (keepalive/hold) match on both sides
B.Review the BGP route advertisements for policy conflicts
C.Disable ECMP on Cloud Router
D.Check the MTU on the on-premises router
E.Enable VPC Flow Logs on the interconnect subnet
Answers: A, B, D

Mismatched hold timers and MTU problems are classic causes of BGP flapping.

Why this answer

Common causes of BGP flaps are timer mismatches, MTU problems and routing policy churn. Compare the keepalive and hold timers on both sides (Cloud Router defaults to a 20-second keepalive and a 60-second hold time), check that the on-premises MTU matches the VLAN attachment's MTU so that large BGP UPDATE messages are not silently dropped, and review the route advertisements for policies that keep withdrawing and re-announcing prefixes. Cloud Router's logs and the session status in the console show when and how often the session resets. ECMP on Cloud Router (C) is not a setting you can disable, and VPC Flow Logs (E) do not capture BGP control-plane traffic.

854
MCQ · medium

An organization is using Cloud VPN with dynamic routing (BGP) to connect their on-premises network to Google Cloud. They want to prioritize traffic from on-premises to GCP over one VPN tunnel when multiple tunnels are available. Which BGP attribute should they configure on their on-premises router?

A.MED (Multi-Exit Discriminator)
B.AS path prepending
C.Origin attribute
D.Local Preference (LP)
Answer: D

Traffic from on-premises to Google Cloud is chosen by the on-premises router, and local preference is the first attribute it compares; set a higher local preference on routes learned over the preferred tunnel.

Why this answer

Local preference is evaluated before AS path length and MED, and it is local to the router that sets it, which is exactly what this question needs: the on-premises router prefers the Google Cloud prefixes it learns over tunnel A, so on-premises to Google Cloud traffic leaves over tunnel A while tunnel B stays up as a backup. AS path prepending (B) and MED (A) are carried to the remote peer and influence what Cloud Router selects, so they shape the Google Cloud to on-premises direction instead; on the Google side the matching control for its own advertisements is the advertised route priority on the Cloud Router BGP session. The origin attribute (C) is not a practical traffic-engineering knob.
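Best-path selection from both ends of the hybrid link, covering the migration in question 838 and the tunnel preference in question 854, as an added example that is not vendor or Google code: the on-premises side applies the standard BGP order (highest LOCAL_PREF, then shortest AS_PATH, then lowest MED), which decides on-premises to Google Cloud traffic, and the Google side is modelled on the documented Cloud Router control, advertised route priority carried as MED with equal values load-balanced. That the model ignores AS path length on the Cloud Router side is an assumption of this example, not a claim about Cloud Router. The on-premises ASN 65010 and all advertisements are constructed; 16550 is Google's ASN for Partner Interconnect.

```python
"""Best-path selection for hybrid connectivity, seen from both ends.

Added example, not vendor or Google code. On-premises: standard BGP
order (LOCAL_PREF, AS_PATH length, MED). Google side: lowest MED wins,
ties are ECMP; ignoring AS path length there is this model's assumption.
Advertisements and the on-premises ASN are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

GOOGLE_ASN = 16550   # Google's ASN on Partner Interconnect
ONPREM_ASN = 65010   # constructed private ASN


@dataclass
class Advertisement:
    prefix: str
    via: str                        # session the route was learned on
    local_pref: int = 100           # set locally by the receiving router
    as_path: List[int] = field(default_factory=list)
    med: int = 0                    # sent by the advertising neighbour


def on_prem_best(paths: List[Advertisement]) -> Advertisement:
    """Standard BGP: highest LOCAL_PREF, then shortest AS_PATH, then lowest MED."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.med))


def cloud_router_best(paths: List[Advertisement]) -> List[Advertisement]:
    """Cloud Router keeps every path carrying the lowest MED (highest priority) and load-balances."""
    best = min(p.med for p in paths)
    return [p for p in paths if p.med == best]


def migration_choice_onprem(vpc_prefix: str) -> str:
    """Question 838: the Interconnect session gets the higher local preference."""
    learned = [
        Advertisement(vpc_prefix, "vpn-tunnel-1", local_pref=100, as_path=[GOOGLE_ASN], med=100),
        Advertisement(vpc_prefix, "interconnect-attachment-1", local_pref=200, as_path=[GOOGLE_ASN], med=100),
    ]
    return on_prem_best(learned).via


def onprem_egress_tunnel(preferred: str, tunnels: Tuple[str, ...] = ("tunnel-a", "tunnel-b")) -> str:
    """Question 854: raise LOCAL_PREF on routes learned over the preferred tunnel."""
    learned = [
        Advertisement("10.1.0.0/16", t, local_pref=200 if t == preferred else 100, as_path=[GOOGLE_ASN])
        for t in tunnels
    ]
    return on_prem_best(learned).via


def gcp_egress_tunnels(med_and_prepends: Dict[str, Tuple[int, int]]) -> List[str]:
    """Google Cloud -> on-prem direction: Cloud Router follows the MED on-prem sends."""
    learned = [
        Advertisement("192.168.0.0/16", tunnel, as_path=[ONPREM_ASN] * (1 + prepends), med=med)
        for tunnel, (med, prepends) in med_and_prepends.items()
    ]
    return [p.via for p in cloud_router_best(learned)]


if __name__ == "__main__":
    print("on-prem -> GCP during migration:", migration_choice_onprem("10.1.0.0/16"))
    print("on-prem -> GCP preferred tunnel:", onprem_egress_tunnel("tunnel-b"))
    print("GCP -> on-prem with MED 100/200:", gcp_egress_tunnels({"tunnel-a": (100, 0), "tunnel-b": (200, 0)}))
    print("GCP -> on-prem with equal MED:", gcp_egress_tunnels({"tunnel-a": (100, 0), "tunnel-b": (100, 0)}))
```

The two directions are steered by different knobs set on different routers, which is the point both questions turn on: changing what you advertise moves the return traffic, changing what you prefer moves your own.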

855
MCQ · hard

An on-premises DNS server is configured to forward queries for a private zone in GCP. They set up inbound DNS forwarding from on-prem to GCP using Cloud DNS forwarding. What must be configured on the VPC?

A.DNS peering zone
B.Outbound DNS server policy
C.Inbound DNS server policy
D.Private zone with an authoritative name server
Answer: C

Correct. An inbound server policy lets on-premises resolvers forward queries into the VPC.

Why this answer

Inbound forwarding requires a Cloud DNS inbound server policy bound to the VPC. Cloud DNS then reserves an inbound forwarder IP address in each region where the VPC has a subnet; list them with gcloud compute addresses list --filter='purpose = "DNS_RESOLVER"' and configure the on-premises resolver to forward the private zone's domain to those addresses. The on-premises resolver addresses themselves belong in an outbound server policy or a forwarding zone, which serve the opposite direction (Google Cloud to on-premises).

856
Multi-Select · medium

Which TWO of the following are required steps to set up a Dedicated Interconnect?

Select 2 answers
A.Create an interconnect (physical connection) in the colocation facility
B.Establish a VPN tunnel as a backup
C.Create a Cloud Router and VLAN attachment
D.Deploy a Google-provided router in the colocation facility
E.Configure MD5 authentication on the BGP session
Answers: A, C

The physical cross-connect and the Cloud Router with a VLAN attachment are the two mandatory pieces.

Why this answer

Creating an interconnect (physical connection) in the colocation facility is required because Dedicated Interconnect is a direct cross-connect between your router and a Google peering edge in a supported facility; without it no Layer 2 or Layer 3 connectivity can exist. Creating a Cloud Router and a VLAN attachment is the required Google Cloud side: the attachment carries the VLAN over the interconnect and the Cloud Router runs the BGP session on it. A VPN backup (B) and MD5 authentication on the BGP session (E) are both sensible but optional.

Exam trap

Google Cloud often tests the misconception that you must deploy a Google-provided router in the colocation facility, but in reality, you use your own router and Google provides only the edge router in their network.

857
MCQhard

A company runs a Kubernetes cluster on GKE with a VPC-native cluster (alias IP ranges). They have pods that need to communicate with on-premises services via a Cloud VPN tunnel. Which networking configuration is required to enable pod-to-on-premises communication?

A.Enable VPC Flow Logs for the subnets to allow traffic to be routed.
B.Advertise the pod IP ranges over the Cloud Router BGP session to the on-premises router.
C.Configure a firewall rule allowing traffic from pod CIDR to on-premises subnets.
D.Create a VPC peering connection between the VPC and the on-premises network.
AnswerB

BGP advertising ensures on-premises knows how to route back to pods.

Why this answer

Option B is correct because VPC-native clusters assign alias IP ranges to pods directly from the VPC subnet's secondary CIDR ranges. To enable on-premises routing to these pods, the pod IP ranges must be advertised over the Cloud Router BGP session to the on-premises router. This ensures the on-premises network learns the routes to the pod CIDRs and can forward traffic back through the Cloud VPN tunnel.

Exam trap

The trap here is that candidates often confuse firewall rules with routing, assuming that allowing traffic in a firewall rule is sufficient for connectivity, when in fact the on-premises router must have a route to the pod CIDRs via BGP advertisement for bidirectional communication.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs only capture metadata about network flows for monitoring and troubleshooting; they do not influence routing or enable traffic to be forwarded. Option C is wrong because firewall rules control which traffic is allowed or denied, but they do not create routes; without route advertisement, the on-premises router has no path to the pod CIDRs. Option D is wrong because VPC peering is used for connectivity between two VPC networks within Google Cloud, not for connecting a VPC to an on-premises network; on-premises connectivity requires Cloud VPN or Dedicated Interconnect with Cloud Router BGP sessions.

858
Multi-Selectmedium

You need to allow instances with network tag 'db' in subnet-a to only accept connections on TCP port 3306 from instances with network tag 'app' in subnet-b. Which TWO firewall rules should you create? (Choose 2)

Select 2 answers
A.Ingress rule: target tag 'db', source tag 'app', allow tcp:3306, priority 1000.
B.Egress rule: target tag 'app', destination tag 'db', allow tcp:3306, priority 1000.
C.Ingress rule: target tag 'db', source 0.0.0.0/0, deny tcp:3306, priority 2000.
D.Ingress rule: target tag 'db', source tag 'app', deny tcp:3306, priority 1000.
E.Ingress rule: target tag 'db', source 0.0.0.0/0, deny all ports, priority 500.
AnswersA, C

Rule A admits the required traffic; rule C, at a lower priority (higher number), explicitly rejects port 3306 from every other source.

Why this answer

Rule A is the ingress allow on the 'db' instances: target tag 'db', source tag 'app', tcp:3306, priority 1000. Because rule A (priority 1000) is evaluated before rule C (priority 2000), connections from 'app' instances match the allow first, and any other source hits the explicit deny in rule C. Strictly, the implied deny-all ingress rule (priority 65535) would already drop everything rule A does not allow, so rule C only makes the intent explicit and gives you a deny that can be logged.

The other options break the requirement. Option B is not a valid rule: egress rules cannot use destination tags, only destination IP ranges. Option D denies tcp:3306 from 'app' at the same priority as rule A, and when an allow and a deny share a priority the deny wins. Option E denies everything at priority 500, which is evaluated before rule A and blocks the 'app' traffic as well.
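Added example (not part of the original question bank): a Python model of how VPC ingress firewall evaluation resolves the rule set in this question. Rule names, tag names and IP addresses are constructed for the example. It encodes the three behaviours that decide the answer: the lowest priority number wins, a deny beats an allow at the same priority, and anything no rule matches falls to the implied deny-all ingress rule at priority 65535.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Tuple

IMPLIED_DENY = "implied-deny-ingress (priority 65535)"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    priority: int                        # 0..65535; lower number is evaluated first
    protocol: str = "tcp"                # "tcp", "udp" or "all"
    ports: FrozenSet[int] = frozenset()  # empty means every port of that protocol
    source_ranges: Tuple[str, ...] = ()
    source_tags: Tuple[str, ...] = ()
    target_tags: Tuple[str, ...] = ()    # empty means every instance in the network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_tags: FrozenSet[str]  # tags of the sending VM; empty for sources outside the VPC
    dst_tags: FrozenSet[str]  # tags of the receiving VM
    protocol: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Ingress matching: the receiving VM must carry a target tag (if the rule has any),
    protocol and port must match, and the source must match a source range or a source
    tag. A rule with neither source ranges nor source tags defaults to 0.0.0.0/0."""
    if rule.target_tags and not set(rule.target_tags) & pkt.dst_tags:
        return False
    if rule.protocol != "all":
        if rule.protocol != pkt.protocol:
            return False
        if rule.ports and pkt.port not in rule.ports:
            return False
    if not rule.source_ranges and not rule.source_tags:
        return True
    by_range = any(ip_address(pkt.src_ip) in ip_network(r) for r in rule.source_ranges)
    by_tag = bool(set(rule.source_tags) & pkt.src_tags)
    return by_range or by_tag


def evaluate_ingress(rules: Iterable[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name). The lowest priority number wins; if an allow and a
    deny tie on priority the deny wins; no match at all falls to the implied deny."""
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return "deny", IMPLIED_DENY
    best = min(r.priority for r in hits)
    winners = [r for r in hits if r.priority == best]
    chosen = next((r for r in winners if r.action == "deny"), winners[0])
    return chosen.action, chosen.name


# The four ingress candidates from the question, as constructed sample rules.
RULE_A = Rule("allow-app-to-db-3306", "allow", 1000, "tcp", frozenset({3306}),
              source_tags=("app",), target_tags=("db",))
RULE_C = Rule("deny-3306-from-anywhere", "deny", 2000, "tcp", frozenset({3306}),
              source_ranges=("0.0.0.0/0",), target_tags=("db",))
RULE_D = Rule("deny-app-to-db-3306", "deny", 1000, "tcp", frozenset({3306}),
              source_tags=("app",), target_tags=("db",))
RULE_E = Rule("deny-all-ingress", "deny", 500, "all",
              source_ranges=("0.0.0.0/0",), target_tags=("db",))
DB_RULES = [RULE_A, RULE_C]

# Constructed sample traffic; the IPs are hypothetical subnet-b and internet addresses.
APP_TO_DB = Packet("10.20.0.5", frozenset({"app"}), frozenset({"db"}), "tcp", 3306)
WEB_TO_DB = Packet("10.20.0.9", frozenset({"web"}), frozenset({"db"}), "tcp", 3306)
INTERNET_TO_DB = Packet("203.0.113.7", frozenset(), frozenset({"db"}), "tcp", 3306)
APP_TO_DB_SSH = Packet("10.20.0.5", frozenset({"app"}), frozenset({"db"}), "tcp", 22)

if __name__ == "__main__":
    for label, pkt in [("app->db:3306", APP_TO_DB), ("web->db:3306", WEB_TO_DB),
                       ("internet->db:3306", INTERNET_TO_DB), ("app->db:22", APP_TO_DB_SSH)]:
        print(label, evaluate_ingress(DB_RULES, pkt))
    print("A with D at the same priority:", evaluate_ingress([RULE_A, RULE_D], APP_TO_DB))
    print("A with E at priority 500:", evaluate_ingress([RULE_A, RULE_E], APP_TO_DB))
```

Running the pairs the question offers shows why only A with C works: rule A alone already leaves everything else to the implied deny, D cancels A on the priority tie, and E is evaluated before A.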

859
MCQmedium

A company is deploying an internal HTTP application on Compute Engine instances. The application must be load-balanced across multiple instances in different regions, but only accessible from within the same VPC. Which load balancer type meets these requirements?

A.Internal HTTP(S) Load Balancer
B.External TCP/UDP Load Balancer
C.External HTTP(S) Load Balancer
D.Internal TCP/UDP Load Balancer
AnswerA

An internal HTTP(S) load balancer keeps its frontend on an internal IP address, and its cross-region deployment mode can place backends in several regions.

Why this answer

The internal HTTP(S) load balancer (internal Application Load Balancer) is a proxy-based layer 7 load balancer reachable only on an internal IP address inside the VPC. Its regional mode serves backends in one region; its cross-region mode uses a global backend service and can distribute HTTP(S) traffic to instance groups in multiple regions, which is what this scenario requires: multi-region backends with access confined to the VPC.

Exam trap

Google Cloud often tests the misconception that any 'internal' load balancer can handle HTTP traffic, but the Internal TCP/UDP Load Balancer (option D) operates at layer 4 and cannot inspect or route HTTP application-layer data, making it unsuitable for an HTTP application.

How to eliminate wrong answers

Option B is wrong because an External TCP/UDP Load Balancer is designed for traffic originating from the internet, using external IP addresses, and does not provide internal-only VPC access. Option C is wrong because an External HTTP(S) Load Balancer also uses external IP addresses and is intended for internet-facing applications, not for traffic confined to a VPC. Option D is wrong because an Internal TCP/UDP Load Balancer forwards TCP/UDP flows without inspecting the application layer, so it cannot perform HTTP-level content-based routing, and it does not support backends in multiple regions.

860
Multi-Selecthard

An organization is deploying a Global HTTPS Load Balancer with Cloud Armor and Cloud CDN. They want to ensure that only requests with a valid signed cookie can access private content. Which three steps are required? (Choose THREE.)

Select 3 answers
A.Configure a Cloud Armor security policy to validate the cookie.
B.Create the signed cookie using the key and set it in the client.
C.Enable Cloud CDN on the backend bucket or service.
D.Create a Cloud CDN signed request key.
E.Set a Cache-Control header to private.
AnswersB, C, D

The client must present the signed cookie.

Why this answer

To use signed cookies with Cloud CDN, you must: 1) Enable Cloud CDN on the backend service or bucket, 2) Create a Cloud CDN signed request key (key name and secret) on that backend, 3) Create the signed cookie with the key and set it on the client. The load balancer then validates the cookie's signature and expiry itself. Cloud Armor (option A) plays no part in signature validation, and a Cache-Control: private header (option E) would only stop the content from being cached, not restrict who can fetch it.

861
MCQmedium

A company wants to analyze firewall rule effectiveness by identifying rules that are never hit or are shadowed. Which Network Intelligence Center tool should be used?

A.Network Topology
B.Firewall Insights
C.Performance Dashboard
D.Connectivity Tests
AnswerB

Firewall Insights provides analysis of firewall rules, including shadowed and overly permissive rules.

862
MCQhard

A company is designing a hybrid connectivity solution between an on-premises data center and Google Cloud. They have a high bandwidth requirement of 20 Gbps and need a service level agreement (SLA) of 99.99% availability. Which connectivity option should they choose?

A.Cloud VPN with two tunnels each using 1 Gbps
B.Dedicated Interconnect with two 10 Gbps connections
C.Direct Peering
D.Partner Interconnect with two 10 Gbps connections
AnswerB

Dedicated Interconnect is the only option that provides 10 Gbps circuits with a Google-backed SLA, and redundant circuits are what the 99.99% tier requires.

Why this answer

Dedicated Interconnect provides direct, private 10 Gbps or 100 Gbps circuits between your on-premises network and Google's network. Two 10 Gbps circuits give the 20 Gbps aggregate. Note the SLA tiers precisely: two circuits in one metro, in separate edge availability domains, qualify for 99.9%; the 99.99% SLA requires four circuits across two metros (two edge availability domains in each). Of the options listed, only Dedicated Interconnect can be built out to that tier, so it is the correct choice, but plan for the four-circuit topology if 99.99% is a hard requirement.

Exam trap

The trap is assuming that any two redundant circuits, or any Partner Interconnect pairing, yield 99.99%. Google's 99.99% tier is tied to a specific redundant topology, and with Partner Interconnect Google's SLA covers only the Google side of the connection; the end-to-end guarantee depends on the service provider.

How to eliminate wrong answers

Option A is wrong because of bandwidth: each Cloud VPN tunnel carries at most 3 Gbps (ingress and egress combined), so two tunnels cannot approach 20 Gbps, even though HA VPN itself does carry a 99.99% SLA. Option C is wrong because Direct Peering exchanges traffic with Google's public edge, carries no SLA, and is not a private path into a VPC. Option D is wrong because with Partner Interconnect the physical circuit belongs to the service provider; Google's SLA covers only its side of the connection and the achievable bandwidth depends on the partner's offering, so it does not deliver a Google-backed end-to-end 99.99% guarantee at 20 Gbps.

863
MCQeasy

A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They have deployed Compute Engine instances that need to communicate with an on-premises database via a Cloud VPN tunnel using BGP. The on-premises network advertises the database subnet 192.168.0.0/16. The instances can reach the database for a few minutes after reboot, but then connectivity drops. The Cloud VPN logs show no errors. The BGP session remains established. What is the most likely issue?

A.The on-premises firewall has an idle timeout that kills the TCP session.
B.The GCP route to the on-premises database is being preempted by a more specific route.
C.The VPN tunnel's IKE session expires.
D.The BGP session is flapping.
AnswerA

After a period of inactivity, the firewall drops the session; reboot resets it.

Why this answer

The on-premises firewall is likely configured with an idle timeout that terminates TCP sessions when no traffic is exchanged for a certain period. After the instances reboot, they initiate new connections that work briefly, but once the session becomes idle (e.g., no keepalives or application traffic), the firewall drops the stateful session, causing connectivity loss. The Cloud VPN and BGP session remain up, indicating the issue is at the application or firewall layer, not the tunnel or routing.

Exam trap

The trap here is that candidates often focus on routing or VPN tunnel issues (B, C, D) because the problem involves BGP and Cloud VPN, but the key clue is that connectivity drops after a few minutes while the tunnel and BGP remain healthy, pointing to a session timeout at the firewall layer rather than a network-layer failure.

How to eliminate wrong answers

Option B is wrong because GCP routes are not preempted by more specific routes in this scenario; the on-premises database subnet 192.168.0.0/16 is advertised via BGP and would be installed as a dynamic route, and no other conflicting route is mentioned. Option C is wrong because the IKE session expiring would cause the VPN tunnel to drop, but the Cloud VPN logs show no errors and the BGP session remains established, indicating the tunnel is stable. Option D is wrong because the BGP session is not flapping; the question explicitly states the BGP session remains established, so routing updates are not disrupted.

864
MCQeasy

A company needs to connect multiple on-premises sites and cloud VPCs in a hub-and-spoke topology using a fully managed service. Which Google Cloud service should they use?

A.VPC Network Peering
B.Cloud Interconnect
C.Cloud VPN
D.Network Connectivity Center
AnswerD

NCC is designed for hub-and-spoke topologies, connecting VPCs and on-premises networks via a single hub.

Why this answer

Network Connectivity Center (NCC) provides a hub-and-spoke model for connecting on-premises networks and VPCs, reducing configuration complexity.

865
MCQeasy

A company has a Cloud VPN tunnel to on-premises. They want on-premises clients to resolve private DNS names in the VPC. Which service should they configure?

A.Inbound DNS policy
B.Outbound DNS policy
C.Cloud NAT
D.Private Google Access
AnswerA

An inbound DNS policy allows on-premises DNS servers to forward queries to Cloud DNS.

Why this answer

Option A is correct: an inbound DNS server policy creates entry points (internal IP addresses in the VPC) to which on-premises DNS servers forward queries, and Cloud DNS answers them from the private zones visible to that VPC. Option B, an outbound policy, is the reverse direction (VMs forwarding queries to on-premises or other name servers). Option C, Cloud NAT, provides outbound internet access for instances without external IPs. Option D, Private Google Access, lets VMs without external IPs reach Google APIs. Neither C nor D affects DNS resolution for on-premises clients.

866
MCQmedium

An engineer needs to configure a Cloud Router for a VPN tunnel to an on-premises network. The on-premises BGP ASN is 64512. Which ASN should the engineer assign to the Cloud Router?

A.64512
B.64513
C.Any public ASN
D.0
AnswerB

A different private ASN avoids conflict and allows BGP peering.

Why this answer

Cloud Router forms an external BGP (eBGP) session with the peer, so its ASN must differ from the on-premises ASN. The usual choice is a private ASN from the 16-bit range 64512-65534 or the 32-bit range 4200000000-4294967294; a public ASN works but is unnecessary, ASN 16550 is reserved for Partner Interconnect peering, and 0 is not a valid ASN. With on-premises at 64512, any other private ASN such as 64513 works.

867
MCQhard

A Dedicated Interconnect VLAN attachment is in ACTIVE state. The Cloud Router has learned routes from on-premises, and the on-premises router has learned routes from GCP. However, traffic from on-premises to a GCP VM fails. What should the engineer check first?

A.Check firewall rules on the GCP VPC for ingress from the on-premises range.
B.Confirm that the Cloud Router is advertising the on-premises subnets back to the VPC.
C.Verify that the VPC subnet routes exist in the routing table.
D.Both A and C.
AnswerD

Both firewall rules and Cloud Router advertisement must be verified.

Why this answer

The correct answer is D because both firewall rules and VPC subnet routes must be in place for traffic to reach a GCP VM. Even if the VLAN attachment is ACTIVE and routes are exchanged, the VPC firewall must permit ingress from the on-premises range, and the VPC subnet routes must exist in the routing table for the VM's subnet. Without both, traffic will be dropped or not forwarded.

Exam trap

Google Cloud often tests the misconception that route exchange alone guarantees connectivity, but in GCP, both firewall rules and subnet routes are mandatory for traffic to reach a VM, even when the interconnect is ACTIVE and BGP sessions are established.

How to eliminate wrong answers

Option A is wrong because checking only firewall rules is insufficient; the VPC subnet routes must also exist for the traffic to be routed to the VM. Option B is wrong because it describes a step that does not exist: Cloud Router installs the prefixes it learns from on-premises as dynamic routes in the VPC automatically, and the question states those routes have already been learned. Option C is wrong because verifying only subnet routes ignores the firewall rules that control ingress traffic; both are necessary.

868
Multi-Selectmedium

Which TWO statements about HA VPN are correct?

Select 2 answers
A.Both VPN gateways must be in the same region.
B.It uses IKEv1 by default.
C.It supports both active-active and active-passive modes.
D.It supports static routing as well as dynamic routing.
E.It requires two Cloud VPN gateways.
AnswersC, E

HA VPN works in either mode, and in a VPC-to-VPC HA VPN deployment each VPC needs its own gateway.

Why this answer

Option C is correct because HA VPN supports both active-active and active-passive topologies: in active-active both tunnels forward traffic at once and aggregate bandwidth through ECMP, while in active-passive one tunnel stands by. Option E holds for the gateway-to-gateway case: a single HA VPN gateway already has two interfaces with their own external IPs, so connecting two VPCs means one HA VPN gateway on each side. Option D is wrong because HA VPN requires dynamic routing with Cloud Router and BGP; static and policy-based routing are Classic VPN features. Option B is wrong because HA VPN supports both IKEv1 and IKEv2 (IKEv2 is required for IPv6 traffic), with no single default.

Exam trap

Google Cloud often tests the misconception that HA VPN supports static routing; HA VPN tunnels always use Cloud Router and BGP, which is what makes failover between the gateway's two interfaces automatic.

869
Multi-Selecthard

An organization uses Cloud DNS with a managed zone for internal resolution. They want to implement a failover routing policy so that if the primary health-checked endpoint is unhealthy, traffic is directed to a secondary endpoint. Which THREE steps are required? (Choose three.)

Select 3 answers
A.Create a health check for the secondary endpoint
B.Create a routing policy of type FAILOVER
C.Create a health check for the primary endpoint
D.Create a routing policy of type WEIGHTED
E.Create a response policy zone
AnswersA, B, C

Required to know when secondary is healthy.

Why this answer

Failover routing policy requires a primary and secondary target, each with an associated health check to determine health.

870
MCQmedium

An engineer is troubleshooting connectivity between an on-premises network and a GCP VPC over a Cloud VPN tunnel with dynamic routing (BGP). The tunnel is established and BGP session is up, but on-premises hosts cannot reach instances in the VPC. What should the engineer check first?

A.The advertised route from the on-premises router is a default route.
B.The MTU size of the VPN tunnel.
C.The Cloud VPN gateway is assigned an external IP address.
D.The firewall rules in the VPC allowing incoming traffic from the on-premises CIDR.
AnswerD

Firewall rules control inbound traffic; without an allow rule, traffic is denied.

Why this answer

Option D is correct because routing and firewalling are evaluated separately: BGP delivers the on-premises prefixes to the VPC routing table, but the VPC's implied deny-all ingress rule still drops the packets unless an ingress allow rule for the on-premises CIDR exists. Option A is incorrect because an on-premises router advertising a default route is a valid, if broad, advertisement that does not by itself prevent on-premises hosts from reaching the VPC; the advertised routes are being learned, since the BGP session is up.

Option B is incorrect because an MTU mismatch typically causes fragmentation or loss of large packets rather than total failure, so it is a later check. Option C is incorrect because the VPN gateway's external IP is required for the tunnel to be established at all, and the tunnel is up.

871
MCQmedium

An engineer needs to set up a firewall rule that allows health check probes from Google Cloud's health check ranges (130.211.0.0/22 and 35.191.0.0/16) to a backend instance group. The rule should apply only to instances with the 'backend' network tag. What is the correct configuration?

A.Create an ingress rule with destination IP ranges 130.211.0.0/22 and 35.191.0.0/16, and target tags 'backend'
B.Create an ingress rule with source IP ranges 130.211.0.0/22 and 35.191.0.0/16, and target tags 'backend'
C.Create a route with next hop as the backend instance group
D.Create an egress rule with source IP ranges 130.211.0.0/22 and 35.191.0.0/16, and target tags 'backend'
AnswerB

This ingress rule allows health check traffic from the specified source ranges to instances with the 'backend' tag.

Why this answer

Ingress firewall rules control incoming traffic. The rule must allow traffic from the health check source ranges to all instances (targets) with the tag 'backend'. Priority lower number means higher priority.

872
MCQeasy

An organization wants to connect multiple on-premises sites to multiple VPCs in GCP using a hub-and-spoke model. Which GCP service provides a centralized hub for managing such connectivity?

A.Cloud Router
B.Network Connectivity Center
C.VPC Peering
D.Cloud VPN
AnswerB

NCC provides hub-and-spoke connectivity.

Why this answer

Network Connectivity Center (NCC) is designed for hub-and-spoke topologies, connecting on-premises networks and VPCs through a hub.

873
MCQhard

An engineer runs 'gcloud compute networks peerings list' and sees state 'INACTIVE' for a peering connection. Which is the most likely cause?

A.The subnet CIDR ranges overlap.
B.The IAM permissions for the peer are insufficient.
C.The dynamic routing mode differs.
D.The firewall rules are missing.
AnswerA

Of the listed options, overlapping subnet ranges are the one condition that prevents a peering from being established; Google Cloud refuses to activate peering between networks whose subnet ranges overlap.

Why this answer

A peering shows INACTIVE until both networks have a matching peering configured and Google Cloud has validated it; the most common cause in practice is that the other project has not yet created, or has deleted, its side of the peering. Among the options given, only overlapping subnet CIDRs (A) is something that keeps the peering from becoming ACTIVE, because peered networks may not have overlapping subnet ranges. IAM permissions, a difference in dynamic routing mode and missing firewall rules do not affect peering state; firewall rules only decide whether traffic is allowed once the peering is ACTIVE.

874
MCQmedium

You are configuring Cloud Router for BGP sessions with an on-premises router. You need to ensure that the on-premises network can reach Google Cloud services using the advertiser’s IP addresses. Which option should you configure on the Cloud Router?

A.Set the global routing mode
B.Configure custom route exchange in VPC Peering
C.Enable VPC Flow Logs
D.Advertise all subnets visible by the Cloud Router
AnswerD

In default advertisement mode, Cloud Router announces every subnet range it can see, so the on-premises router learns the VPC subnets.

Why this answer

Option D is correct because in the default advertisement mode Cloud Router advertises all subnet ranges (primary and secondary) visible to it: in regional dynamic routing mode the subnets in its own region, in global mode every subnet in the VPC. That is what gives the on-premises router routes to the VPC-resident services. Note that Google API ranges used with Private Google Access (for example the restricted.googleapis.com or private.googleapis.com VIPs) and Private Service Connect endpoint addresses are not subnet routes; to make those reachable from on-premises you add them as custom advertised IP ranges on the Cloud Router or the BGP session, in addition to the advertised subnets.

Exam trap

The trap here is that candidates often confuse 'advertising all subnets' with 'global routing mode' or 'VPC peering route exchange,' thinking that enabling global routing or peering will automatically propagate service IPs to on-premises, when in fact Cloud Router's BGP advertisement settings are the specific mechanism required.

How to eliminate wrong answers

Option A is wrong because global dynamic routing mode changes which subnets Cloud Router can see and advertise (all regions instead of only its own), but it is a VPC-level routing scope setting rather than the mechanism for advertising a chosen set of prefixes to on-premises. Option B is wrong because custom route exchange in VPC Peering is used to exchange routes between peered VPCs, not to advertise routes to an on-premises network via Cloud Router. Option C is wrong because VPC Flow Logs capture network traffic metadata for monitoring and troubleshooting; they have no role in BGP route advertisement or in enabling on-premises reachability to Google Cloud services.

875
Multi-Selectmedium

Which THREE components are required when configuring an internal TCP/UDP load balancer? (Choose THREE.)

Select 3 answers
A.Health check
B.Backend service
C.External IP address
D.SSL certificate
E.Forwarding rule
AnswersA, B, E

Health checks determine which backends receive traffic.

Why this answer

An internal TCP/UDP load balancer (internal passthrough Network Load Balancer) needs a health check (Option A) so that only healthy backends receive traffic, a regional backend service (Option B) that groups the instance groups or NEGs, and a forwarding rule (Option E) that holds the internal IP address and ports. Option C is wrong because the load balancer is reachable only on an internal IP address. Option D is wrong because a layer 4 load balancer does not terminate TLS; SSL certificates belong to HTTPS and SSL proxy load balancers.

876
Multi-Selectmedium

Which THREE factors can affect the throughput of a Cloud VPN tunnel? (Choose three.)

Select 3 answers
A.VM instance types
B.Number of tunnels
C.Tunnel type (route-based vs policy-based)
D.Encryption algorithm
E.On-premises router CPU capacity
AnswersC, D, E

Per-tunnel throughput depends on how the tunnel is configured and on both endpoints, not on the number of tunnels.

Why this answer

Each Cloud VPN tunnel is capped at 3 Gbps (ingress plus egress combined), and how much of that you actually get depends on the tunnel configuration, the cipher suite negotiated (and whether the peer device offloads it in hardware), packet size, and the peer gateway's own processing capacity. Tunnel type (C) matters because route-based tunnels, and HA VPN with BGP in particular, let traffic be spread across tunnels with ECMP, whereas policy-based tunnels bind traffic to specific selectors and cannot be load-balanced the same way. The encryption algorithm (D) and the on-premises router's CPU (E) together determine how fast the peer side can encrypt and decrypt, which is usually the real bottleneck.

Exam trap

The trap is to treat the number of tunnels as a per-tunnel throughput factor. Adding tunnels raises aggregate capacity through ECMP but does not change the 3 Gbps cap or the performance of any single tunnel; VM instance type is likewise irrelevant, since the tunnel terminates on Google's VPN gateway, not on a VM.

877
Multi-Selectmedium

You are deploying a new internal HTTP(S) load balancer for a microservice that runs on Compute Engine instances within the same region. The load balancer must be accessible only from within the VPC network. Which components are required? (Choose two.)

Select 2 answers
A.Global external HTTP(S) load balancer
B.Regional internal HTTP(S) load balancer
C.Backend service with health check
D.Cloud CDN enabled
E.SSL certificate
AnswersB, C

This is the correct LB type for internal L7 load balancing.

Why this answer

Regional internal HTTP(S) LB uses an internal IP address and forwards traffic to a backend service. Backend service requires a health check. An SSL certificate is optional if HTTP is used.

Global external LB is for external access.

878
Multi-Selecteasy

Which TWO network services can be used to provide secure connectivity between a VPC and an on-premises data center without traversing the public internet? (Choose two.)

Select 2 answers
A.Cloud VPN with IPsec
B.Cloud NAT
C.Dedicated Interconnect
D.VPC Network Peering
E.Partner Interconnect
AnswersC, E

Interconnect provides direct private connection.

Why this answer

Dedicated Interconnect (C) provides a direct, private physical connection between your on-premises network and Google's VPC, bypassing the public internet entirely. This ensures low latency, high bandwidth, and consistent network performance for secure hybrid cloud connectivity.

Exam trap

Google Cloud often tests the distinction between 'secure connectivity' and 'private connectivity' — candidates mistakenly choose Cloud VPN (IPsec) because it is encrypted, but the question explicitly requires no traversal of the public internet, which only Dedicated or Partner Interconnect can guarantee.

879
MCQmedium

A network engineer notices unexpected traffic being allowed through a VPC firewall rule. They want to analyze the logs to identify the source and destination. What is the best way to enable detailed logging for firewall rules?

A.Enable firewall rule logging on the specific rule and view logs in Cloud Logging.
B.Enable VPC Flow Logs for the subnet.
C.Create a custom router with a log export.
D.Use Packet Mirroring to capture all traffic.
AnswerA

Firewall rule logging logs each packet that matches the rule.

Why this answer

Firewall rule logging in VPC is designed specifically to log metadata (source IP, destination IP, action, etc.) for each packet matched by a firewall rule. Enabling it on the specific rule and viewing logs in Cloud Logging provides the granular, per-rule detail needed to identify the source and destination of unexpected traffic. This is the direct and intended method for firewall rule analysis.

Exam trap

Google Cloud often tests the distinction between VPC Flow Logs (subnet-level flow metadata) and firewall rule logging (per-rule, per-packet decision logs), and the trap here is that candidates confuse VPC Flow Logs as a substitute for firewall rule logging, but Flow Logs lack rule-specific context.

How to eliminate wrong answers

Option B is wrong because VPC Flow Logs capture metadata about network flows at the subnet level (e.g., 5-tuple, packet/byte counts), but they do not log firewall rule-specific actions (allow/deny) or rule IDs, so they cannot pinpoint which firewall rule allowed the traffic. Option C is wrong because a custom router with a log export is used for exporting routes or BGP events, not for logging firewall rule traffic; it has no mechanism to capture per-packet firewall decisions. Option D is wrong because Packet Mirroring copies all traffic (including payloads) to a collector for deep packet inspection, which is overkill and not focused on firewall rule logging; it also incurs significant cost and complexity, and does not natively associate traffic with specific firewall rules.

880
MCQeasy

A network engineer is configuring a Cloud Router for BGP peering with an on-premises router over a VPN tunnel. The on-premises router uses 169.254.x.x link-local addresses. Which BGP peer IP should the engineer use in the Cloud Router configuration?

A.169.254.0.1
B.10.0.0.1
C.The tunnel's external IP address
D.The on-premises router's external IP address
AnswerA

BGP sessions on Cloud VPN tunnels use link-local addresses from 169.254.0.0/16; option A is the only candidate in that range.

Why this answer

Cloud Router's BGP interface address and the peer's BGP address must both come from 169.254.0.0/16 and sit in the same /30, with each side using one of the two usable host addresses; 169.254.0.1 and 169.254.0.2 are a valid pair. The exact addresses are not fixed: for HA VPN you can let Google assign an unused /30 from that range or specify your own, and the on-premises router must then be configured with the matching pair. The point is that the BGP peer IP is a link-local address inside the tunnel, not a public IP of either gateway and not an RFC 1918 VPC address.

Exam trap

Google Cloud often tests the misconception that BGP peering over a VPN tunnel uses the tunnel's external IP addresses or private RFC 1918 addresses, but the correct answer requires knowledge that Google Cloud mandates link-local 169.254.x.x addresses for BGP sessions.

How to eliminate wrong answers

Option B is wrong because 10.0.0.1 is a private RFC 1918 address, not a link-local address, and Cloud Router requires a 169.254.x.x address for BGP peering over VPN tunnels. Option C is wrong because the tunnel's external IP address is the public IP of the VPN gateway, which is used for the tunnel establishment itself, not for BGP peering; BGP peering uses link-local addresses within the tunnel. Option D is wrong because the on-premises router's external IP address is its public-facing IP, which is used for the VPN tunnel endpoint, not for the BGP session; BGP peering must use link-local addresses from the 169.254.0.0/16 range.

881
Multi-Selecthard

A company wants to serve private content over Cloud CDN with access control. They need to generate time-limited URLs that allow users to download files from Cloud Storage. Which TWO methods can they use? (Choose two.)

Select 2 answers
A.Create a CNAME record pointing to the Cloud CDN IP
B.Use IAM conditions on Cloud Storage to restrict access
C.Use Cloud Armor with IP allowlists
D.Use Cloud CDN signed cookies with a key defined in the backend bucket
E.Use Cloud CDN signed URLs with a key defined in the backend bucket
AnswersD, E

Signed cookies allow access to multiple objects or paths.

Why this answer

Cloud CDN supports signed URLs and signed cookies to control access to private content. IAM conditions are not supported directly with Cloud CDN. CNAME records are DNS configuration, not access control.

Cloud Armor is for security policies but not for generating signed URLs.
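Added example covering both the signed-cookie flow in question 860 and the signed URL and signed cookie methods in question 881. It is not Google's code, though it follows the documented HMAC-SHA1 format that Cloud CDN validates; the key name and key bytes are constructed for the example, and the verify functions model what the load balancer does on the way in so the round trip can be checked offline.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample key. Cloud CDN keys are 16 random bytes handed to Google
# base64url-encoded; this one is deliberately non-random and must never be reused.
SAMPLE_KEY_NAME = "cdn-key-1"
SAMPLE_KEY_B64URL = base64.urlsafe_b64encode(b"0123456789abcdef").decode("utf-8")


def _hmac_sha1_b64url(key_b64url: str, message: str) -> str:
    key = base64.urlsafe_b64decode(key_b64url)
    digest = hmac.new(key, message.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("utf-8")


def sign_url(url: str, key_name: str, key_b64url: str, expires: int) -> str:
    """Cloud CDN signed URL: append Expires (unix time) and KeyName, sign the whole
    string with HMAC-SHA1 under the key, and append the base64url signature."""
    separator = "&" if "?" in url else "?"
    to_sign = f"{url}{separator}Expires={expires}&KeyName={key_name}"
    return f"{to_sign}&Signature={_hmac_sha1_b64url(key_b64url, to_sign)}"


def verify_signed_url(signed_url: str, keys: dict, now: int) -> bool:
    """Re-derive the signature over everything before '&Signature=', compare in
    constant time, then enforce the Expires timestamp."""
    to_sign, sep, presented = signed_url.rpartition("&Signature=")
    if not sep:
        return False
    query = parse_qs(urlparse(to_sign).query)
    try:
        expires = int(query["Expires"][0])
        key_name = query["KeyName"][0]
    except (KeyError, ValueError):
        return False
    if key_name not in keys:
        return False
    if not hmac.compare_digest(_hmac_sha1_b64url(keys[key_name], to_sign), presented):
        return False
    return now < expires


def sign_cookie(url_prefix: str, key_name: str, key_b64url: str, expires: int) -> str:
    """Cloud CDN signed cookie: the policy covers a base64url-encoded URL prefix (scheme,
    host and path prefix), so one cookie unlocks every object beneath that prefix."""
    encoded_prefix = base64.urlsafe_b64encode(url_prefix.encode("utf-8")).decode("utf-8")
    policy = f"URLPrefix={encoded_prefix}:Expires={expires}:KeyName={key_name}"
    return f"Cloud-CDN-Cookie={policy}:Signature={_hmac_sha1_b64url(key_b64url, policy)}"


def verify_signed_cookie(cookie: str, request_url: str, keys: dict, now: int) -> bool:
    """Check the signature, the expiry, and that the requested URL starts with the
    signed prefix; any one failing rejects the request."""
    if not cookie.startswith("Cloud-CDN-Cookie="):
        return False
    policy, sep, presented = cookie[len("Cloud-CDN-Cookie="):].rpartition(":Signature=")
    if not sep:
        return False
    try:
        fields = dict(part.split("=", 1) for part in policy.split(":"))
        prefix = base64.urlsafe_b64decode(fields["URLPrefix"]).decode("utf-8")
        expires = int(fields["Expires"])
        key_name = fields["KeyName"]
    except (KeyError, ValueError):
        return False
    if key_name not in keys:
        return False
    if not hmac.compare_digest(_hmac_sha1_b64url(keys[key_name], policy), presented):
        return False
    return now < expires and request_url.startswith(prefix)


if __name__ == "__main__":
    keys = {SAMPLE_KEY_NAME: SAMPLE_KEY_B64URL}
    url = sign_url("https://cdn.example.com/private/report.pdf", SAMPLE_KEY_NAME, SAMPLE_KEY_B64URL, 1700000000)
    print(url)
    print("valid before expiry:", verify_signed_url(url, keys, now=1699999000))
    cookie = sign_cookie("https://cdn.example.com/private/", SAMPLE_KEY_NAME, SAMPLE_KEY_B64URL, 1700000000)
    print(cookie)
    print("cookie covers nested object:", verify_signed_cookie(cookie, "https://cdn.example.com/private/a/b.mp4", keys, now=1699999000))
```

A signed URL binds one exact URL; editing the path or any query parameter invalidates the signature, which is what makes it suitable for a single download. A signed cookie binds a prefix, which is the right tool for a player fetching many segments under one path. In both cases the secret stays on the signing service and on the backend, never in the client.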

882
Multi-Selectmedium

A security team wants to capture and analyze all DNS queries from their Compute Engine instances to detect potential data exfiltration. They have enabled VPC Flow Logs. Which TWO additional steps should they take to capture DNS query details?

Select 2 answers
A.Enable Packet Mirroring on the instances
B.Enable Cloud DNS logging
C.Enable firewall rule logging
D.Increase VPC Flow Logs sampling rate to 100%
E.Export VPC Flow Logs to BigQuery
AnswersA, B

Packet Mirroring copies all traffic, including DNS packets, for deep analysis.

Why this answer

VPC Flow Logs do not include DNS query names. To capture DNS queries, they need to enable DNS logging (which logs queries sent to Cloud DNS) or use Packet Mirroring to capture the full DNS packets for analysis.

883
Multi-Selecteasy

A company is planning IP address ranges for a new VPC that will be peered with an existing VPC (10.1.0.0/16) and connected to an on-premises network (172.16.0.0/12). Which three considerations should they follow to avoid IP overlap? (Choose THREE.)

Select 3 answers
A.Use an RFC 1918 private IP range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16).
B.Use a subnet size of /16 or larger to provide ample IP addresses.
C.Avoid using the same IP range used by other VPCs in the organization.
D.Ensure the new VPC's CIDR does not overlap with 10.1.0.0/16 or 172.16.0.0/12.
E.Allocate public IP addresses for private use to ensure uniqueness.
AnswersA, C, D

Private ranges are required for internal communication.

Why this answer

IP addresses must be unique across connected networks; using RFC 1918 private ranges is standard; avoiding overlapping with on-premises and peered VPC ranges is critical.
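Added example (not part of the original question bank), using Python's standard ipaddress module to apply the three checks from this question: confirm a candidate range is RFC 1918, detect overlap with the peered VPC and on-premises ranges in either direction, and propose the first free block of a given size. The in-use ranges are the two from the question; the candidate ranges are constructed.

```python
from ipaddress import ip_network
from typing import List, Optional

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample: the peered VPC and the on-premises range from the question.
IN_USE = ["10.1.0.0/16", "172.16.0.0/12"]


def is_rfc1918(cidr: str) -> bool:
    """True when the whole candidate range sits inside one RFC 1918 block."""
    net = ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def conflicts(candidate: str, in_use: List[str]) -> List[str]:
    """Every in-use range the candidate overlaps, in either direction: a candidate that
    contains an existing range is as much of a conflict as one nested inside it."""
    cand = ip_network(candidate)
    return [str(n) for n in map(ip_network, in_use) if cand.overlaps(n)]


def problems(candidate: str, in_use: List[str]) -> List[str]:
    """Human-readable findings for a proposed VPC range; an empty list means usable."""
    findings = []
    if not is_rfc1918(candidate):
        findings.append(f"{candidate} is not an RFC 1918 range")
    for hit in conflicts(candidate, in_use):
        findings.append(f"{candidate} overlaps {hit}")
    return findings


def propose_vpc_cidr(prefixlen: int, in_use: List[str]) -> Optional[str]:
    """First /prefixlen block inside the RFC 1918 pools that overlaps nothing in use,
    walking the pools in order; pools smaller than the requested block are skipped."""
    used = [ip_network(u) for u in in_use]
    for pool in RFC1918:
        if prefixlen < pool.prefixlen:
            continue
        for cand in pool.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(u) for u in used):
                return str(cand)
    return None


if __name__ == "__main__":
    for cand in ["10.1.128.0/20", "172.20.0.0/16", "11.0.0.0/16", "10.2.0.0/16"]:
        print(cand, problems(cand, IN_USE) or "ok")
    print("first free /20:", propose_vpc_cidr(20, IN_USE))
```

Feed `problems()` every range you intend to peer or route to (including secondary ranges for GKE pods and services) rather than only the primary subnet; a secondary range that collides with on-premises is the usual way this planning goes wrong.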

884
MCQeasy

An organization needs to connect two VPCs in different projects so that all subnets can communicate using internal IPs, but the connection must not be transitive (i.e., VPC A cannot use VPC B's connection to reach VPC C). Which GCP networking feature should they use?

A. Cloud VPN
B. VPC Network Peering
C. Shared VPC
D. Dedicated Interconnect
Answer: B

VPC peering is non-transitive and directly connects two VPCs without routing through a third.

Why this answer

VPC peering is non-transitive and directly connects two VPCs. Shared VPC is transitive; VPN and Interconnect are for hybrid connectivity.

885
MCQ · medium

A company is designing a hybrid network using HA VPN with two external IP VPN gateways and four IKEv2 tunnels with BGP dynamic routing. They want to maintain connectivity during a zonal failure. What is the minimum number of Cloud VPN gateways needed in GCP?

A. 8 Cloud VPN gateways
B. 4 Cloud VPN gateways
C. 2 Cloud VPN gateways
D. 1 Cloud VPN gateway
Answer: D

One HA VPN gateway provides two external IPs (one per zone) and supports four tunnels, giving zonal redundancy.

Why this answer

HA VPN uses two external IP addresses on a single gateway, one in each zone. One gateway supports two IPs and four tunnels, meeting the requirement with 99.99% SLA.

886
MCQ · easy

A company wants to connect two VPCs in the same region so that they can communicate using internal IP addresses without transiting the internet. They have no overlapping IP ranges. Which GCP networking feature should they use?

A. Cloud VPN
B. Cloud NAT
C. Cloud Interconnect
D. VPC peering
Answer: D

Correct. VPC peering enables private connectivity between VPCs using internal IPs.

Why this answer

VPC peering allows two VPCs to communicate using internal IPs without a VPN or internet gateway, as long as there is no IP overlap.

887
MCQ · easy

A company requires a dedicated connection from their on-premises data center to Google Cloud with a guaranteed SLA of 99.99% and bandwidth starting at 10 Gbps. Which connectivity option meets these requirements?

A. Direct Peering
B. Cloud VPN
C. Dedicated Interconnect
D. Partner Interconnect
Answer: C

Offers 10 Gbps or higher and 99.99% SLA.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and Google Cloud, supporting bandwidths of 10 Gbps or 100 Gbps per circuit. It offers a 99.99% or 99.999% SLA depending on the configuration (e.g., dual connections with diverse paths), meeting the guaranteed SLA and bandwidth requirements specified in the question.

Exam trap

Google Cloud often tests the misconception that Partner Interconnect can match Dedicated Interconnect's SLA and bandwidth guarantees, but Partner Interconnect's SLA is typically limited to the partner's network and does not meet the 99.99% requirement without additional redundancy from the partner.

How to eliminate wrong answers

Option A is wrong because Direct Peering is a public peering arrangement that does not provide a dedicated connection, offers no SLA, and bandwidth is not guaranteed at 10 Gbps. Option B is wrong because Cloud VPN uses the public internet with IPsec tunnels, providing no SLA and typically supporting lower bandwidth (up to 3 Gbps per tunnel with HA VPN). Option D is wrong because Partner Interconnect relies on a third-party service provider and does not guarantee a 99.99% SLA or 10 Gbps bandwidth directly from Google; the SLA and bandwidth depend on the partner's infrastructure.

888
MCQ · hard

A company has an on-premises data center connected to Google Cloud via Dedicated Interconnect. They have a VPC with subnets in us-central1 and us-west1. They want compute instances in us-central1 to access Google APIs (e.g., Cloud Storage) without traversing the internet, but the on-premises network must also be able to access those APIs via the interconnect. They have configured Private Google Access (PGA) on all subnets. However, on-premises users report that they cannot access Cloud Storage buckets using the private IP of a forward proxy in us-central1 (the proxy is configured to use the default internet gateway for egress). What is the most likely reason?

A. Private Google Access is not supported on subnets in us-central1.
B. The forward proxy must use an external IP address to use Private Google Access.
C. There is a custom static route for 199.36.153.4/30 (Google API VIP) that points to the interconnect, overriding the default route for the proxy's outbound traffic.
D. The on-premises network must be configured with a default route pointing to the internet.
Answer: C

A custom route for the Google API VIP would cause the proxy to route traffic to on-premises instead of using the internet gateway, breaking PGA for the proxy.

Why this answer

Private Google Access lets instances that have only internal IP addresses reach Google APIs through the VPC's default route to the default internet gateway. Here the on-premises users do not depend on PGA themselves: they send requests over the interconnect to the forward proxy's internal IP, and the proxy makes the requests to Google APIs on their behalf.

For those requests the proxy's VPC picks the most specific matching route. PGA does not create routes; it only permits Google API destinations to use the default route (0.0.0.0/0) to the internet gateway. A custom route for the Google API IP range (for example 199.36.153.4/30) that points to the interconnect is more specific than the default route, so it wins, and the proxy's Google API traffic is sent to the on-premises network instead of to the internet gateway, breaking PGA for the proxy.

A common misconfiguration is a custom route for the Google API IP range (for example, left over from a previous VPN setup) that overrides the default route in this way. Option C is correct.

889
MCQ · easy

Your organization has a site-to-site Cloud VPN connection between an on-premises network with CIDR 10.0.0.0/8 and a VPC in us-central1 with subnet 192.168.1.0/24. The VPN tunnel is established, but you cannot reach a Compute Engine instance with internal IP 192.168.1.10 from a server on-premises with IP 10.0.0.50. Cloud VPN logs show no errors. On-premises firewall rules allow all outbound traffic. What is the most likely cause of the problem?

A. A firewall rule on the VPC blocking inbound traffic from 10.0.0.0/8
B. Missing a static route on the on-premises router for 192.168.1.0/24 pointing to the VPN gateway
C. The Compute Engine instance's OS firewall blocking ICMP
D. Incorrect IAM permissions on the Cloud VPN gateway
Answer: B

Without a proper route on-premises, traffic to GCP may not be forwarded to the VPN peer.

Why this answer

The VPN tunnel is established and Cloud VPN logs show no errors, indicating the cloud side is configured correctly. However, the on-premises server at 10.0.0.50 cannot reach 192.168.1.10 because the on-premises router lacks a static route for the VPC subnet 192.168.1.0/24 pointing to the VPN gateway. Without this route, the on-premises router does not know to send traffic destined for 192.168.1.0/24 through the VPN tunnel, so packets are dropped or sent to the default gateway instead.

Exam trap

Google Cloud often tests the misconception that a successful VPN tunnel establishment implies full bidirectional connectivity, when in fact routing must be explicitly configured on both sides for traffic to flow.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules are stateful and by default allow inbound traffic from any source unless explicitly denied; the question states no errors in Cloud VPN logs, and a VPC firewall rule blocking 10.0.0.0/8 would generate logged denies, not a silent failure. Option C is wrong because the problem is about reachability at the network layer (IP routing), not the application layer; even if the instance's OS firewall blocks ICMP, the traffic would still reach the instance (the OS would receive it and drop it), but the symptom here is no connectivity at all, indicating a routing issue. Option D is wrong because IAM permissions control management of the VPN gateway (e.g., creating/modifying tunnels), not the data-plane forwarding of traffic through an established tunnel; the tunnel is up and logs show no errors, so IAM is irrelevant.
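The route-selection logic behind questions 888 and 889, as an added example that is not part of the question bank: a longest-prefix-match lookup over constructed route tables shows how a custom route for the Google API VIP range diverts the proxy's egress away from the internet gateway (888), and how a missing 192.168.1.0/24 route on the on-premises router sends VPC-bound packets to the default gateway instead of the VPN (889). The next-hop names, the 10.0.0.0/8 dynamic route and the priority tie-break are assumptions of the model, not output of any Google Cloud tool.

```python
"""Longest-prefix-match route lookup behind questions 888 and 889.

Added example, not from the question bank: both route tables below are
constructed to mirror the scenarios; next-hop names are placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dest: str               # destination CIDR
    next_hop: str           # where matching packets are forwarded
    priority: int = 1000    # VPC custom-route default; lower wins on equal prefix length


def select_route(table: list[Route], dst_ip: str) -> Route | None:
    """Most specific matching prefix wins; ties go to the lower priority value.
    Returns None when no route covers dst_ip (the packet would be dropped)."""
    ip = ip_address(dst_ip)
    candidates = [r for r in table if ip in ip_network(r.dest)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ip_network(r.dest).prefixlen, -r.priority))


# Question 888: route table of the VPC hosting the forward proxy (constructed).
GOOGLE_API_VIP = "199.36.153.4/30"   # Google API VIP range quoted in the question
VPC_ROUTES_HEALTHY = [
    Route("0.0.0.0/0", "default-internet-gateway"),   # used by PGA for Google API destinations
    Route("10.0.0.0/8", "interconnect-attachment"),   # on-prem prefixes learned over BGP (assumed)
]
VPC_ROUTES_MISCONFIGURED = VPC_ROUTES_HEALTHY + [
    Route(GOOGLE_API_VIP, "interconnect-attachment"),  # leftover custom route from an old VPN setup
]

# Question 889: on-premises router table (constructed); the VPC subnet route is absent.
ONPREM_ROUTES_MISSING = [Route("0.0.0.0/0", "isp-default-gateway"), Route("10.0.0.0/8", "local")]
ONPREM_ROUTES_FIXED = ONPREM_ROUTES_MISSING + [Route("192.168.1.0/24", "vpn-gateway")]


def proxy_egress_next_hop(table: list[Route]) -> str:
    """Next hop taken by the proxy's requests to the Google API VIP."""
    return select_route(table, "199.36.153.4").next_hop


def onprem_next_hop(table: list[Route], dst_ip: str = "192.168.1.10") -> str:
    """Next hop the on-prem router uses for a packet from 10.0.0.50 to the VM."""
    return select_route(table, dst_ip).next_hop


def shadowing_routes(table: list[Route], protected: str = GOOGLE_API_VIP) -> list[Route]:
    """Audit helper: routes more specific than the default route that cover the Google
    API VIP range. Any hit diverts PGA-bound traffic away from the internet gateway."""
    target = ip_network(protected)
    return [r for r in table
            if ip_network(r.dest).prefixlen > 0 and ip_network(r.dest).overlaps(target)]


if __name__ == "__main__":
    print("888 healthy      :", proxy_egress_next_hop(VPC_ROUTES_HEALTHY))
    print("888 misconfigured:", proxy_egress_next_hop(VPC_ROUTES_MISCONFIGURED))
    print("888 shadowing    :", [r.dest for r in shadowing_routes(VPC_ROUTES_MISCONFIGURED)])
    print("889 route missing:", onprem_next_hop(ONPREM_ROUTES_MISSING))
    print("889 route added  :", onprem_next_hop(ONPREM_ROUTES_FIXED))
```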

890
MCQ · easy

A small company is moving their on-premises application to Google Cloud. They have a single on-premises office with a small router that supports IPsec VPN. They need a simple and low-cost connectivity solution that provides encryption and a consistent experience. They anticipate low bandwidth needs (under 100 Mbps). They also want the ability to use BGP for dynamic routing to avoid manual route updates. Which Google Cloud service should they use?

A. Partner Interconnect
B. Cloud HA VPN with dynamic routing (BGP)
C. Cloud Classic VPN with static routes
D. Direct Peering
Answer: B

HA VPN supports dynamic routing, provides encryption, and is cost-effective for low bandwidth.

Why this answer

Cloud HA VPN with dynamic routing (BGP) is the correct choice because it provides an encrypted IPsec tunnel, supports BGP for automatic route exchange, and is a low-cost, simple solution for sub-100 Mbps bandwidth needs. It meets the requirement for a consistent experience without the complexity or cost of dedicated interconnect services.

Exam trap

The trap here is that candidates often treat Cloud Classic VPN with static routes as sufficient, but the exam tests the distinction that static routes require manual updates while BGP provides automatic route exchange, making Cloud HA VPN the only option that delivers dynamic routing with encryption at low cost.

How to eliminate wrong answers

Option A is wrong because Partner Interconnect is a dedicated, high-bandwidth connection (typically >1 Gbps) that requires a service provider and incurs higher costs, making it overkill for low bandwidth under 100 Mbps. Option C is wrong because Cloud Classic VPN with static routes does not support BGP for dynamic routing, requiring manual route updates which contradicts the requirement for dynamic routing. Option D is wrong because Direct Peering is a non-encrypted, direct connection to Google's network that does not provide IPsec encryption and is intended for high-volume traffic, not simple low-cost connectivity with encryption.

891
Multi-Select · hard

Which THREE components are necessary to configure a global external HTTP(S) load balancer with Cloud CDN and an origin backend that requires authentication? (Choose three.)

Select 3 answers
A. A TCP or SSL proxy for protocol optimization.
B. A regional external HTTP(S) load balancer as the entry point.
C. An origin access identity (e.g., service account) to authenticate to the backend.
D. A backend bucket configured with Cloud CDN enabled.
E. Cloud Armor security policies to protect against attacks.
Answers: C, D, E

To access authenticated backends, you need a service account or signed URLs.

Why this answer

Option C is correct because when the origin backend (e.g., an external HTTP server or a custom origin) requires authentication, you must configure an origin access identity, typically a Google-managed service account, to authenticate requests from Cloud CDN to the origin. This ensures that only authorized CDN edge caches can fetch content from the backend, preventing direct unauthenticated access.

Exam trap

Google Cloud often tests the misconception that a regional load balancer can be used with Cloud CDN, but Cloud CDN requires a global external HTTP(S) load balancer to leverage the global anycast IP and edge cache infrastructure.

892
MCQ · medium

An engineer wants to allow traffic from a specific service account to a Compute Engine instance. Which firewall rule option should they use for the source?

A. Source service accounts
B. Target service accounts
C. Source IP ranges
D. Source tags
Answer: A

Service accounts can be used as source to identify traffic from instances using that service account.

Why this answer

Firewall rules can use service accounts as source or target. For source, you specify the source service account using the --source-service-accounts flag.

893
MCQ · easy

A developer wants to allow HTTP (port 80) traffic from the internet to a set of Compute Engine instances that have a tag "web-server". Which firewall rule should they create?

A. Egress rule: source 0.0.0.0/0, target tag "web-server", tcp:80
B. Ingress rule: source 0.0.0.0/0, target tag "web-server", tcp:80
C. Egress rule: destination 0.0.0.0/0, target tag "web-server", tcp:80
D. Ingress rule: source 0.0.0.0/0, target service account "web-server", tcp:80
Answer: B

This correctly allows inbound HTTP from anywhere to instances with the web-server tag.

Why this answer

An ingress firewall rule with source range 0.0.0.0/0, target tag "web-server", and protocol/port tcp:80 allows HTTP traffic from the internet to the tagged instances.

894
MCQ · medium

A company is planning a hybrid cloud architecture with GCP. They need a dedicated, high-bandwidth connection from their on-premises data center to GCP with 99.99% SLA and the ability to scale beyond 10 Gbps. Which connection type should they choose?

A. Dedicated Interconnect
B. Classic VPN
C. HA VPN
D. Partner Interconnect
Answer: A

Dedicated Interconnect provides 10G/100G links, 99.99% SLA, and can scale beyond 10 Gbps with multiple connections.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between an on-premises data center and Google Cloud, supporting speeds of 10 Gbps or 100 Gbps per link. It offers a 99.99% SLA when configured with redundant links (two circuits) and can scale beyond 10 Gbps by adding additional 10 Gbps or 100 Gbps connections, meeting the requirement for high bandwidth and high availability.

Exam trap

The exam often tests the misconception that HA VPN can match Dedicated Interconnect's bandwidth and SLA, but HA VPN is limited to 3 Gbps per tunnel and uses the public internet, making it unsuitable for high-bandwidth, dedicated connectivity needs.

How to eliminate wrong answers

Option B (Classic VPN) is wrong because it uses the public internet with IPsec tunnels, offering no SLA and limited bandwidth (typically up to 3 Gbps per tunnel), and cannot scale beyond 10 Gbps. Option C (HA VPN) is wrong because while it provides a 99.99% SLA for VPN gateways, it still relies on the public internet and is limited to 3 Gbps per tunnel (up to 6 Gbps with two tunnels), failing to meet the >10 Gbps requirement. Option D (Partner Interconnect) is wrong because it relies on a third-party service provider, which may introduce additional latency and does not guarantee the same direct, dedicated high-bandwidth path as Dedicated Interconnect; it also typically offers speeds up to 10 Gbps per connection but scaling beyond that depends on the partner's infrastructure.

895
MCQ · medium

An organization wants to allow on-premises hosts to connect to a Cloud SQL instance privately without traversing the public internet. They have a Cloud VPN tunnel set up. What additional step is required?

A. Create a VPC peering connection
B. Add a route with next hop set to the VPN gateway
C. Configure Cloud NAT
D. Enable Private Service Connect on the Cloud SQL instance
Answer: D

Private Service Connect allows private access to managed services from on-premises via VPN.

Why this answer

Private Service Connect enables private connectivity to Google-managed services from on-premises via VPC and VPN.

896
MCQ · medium

To enable DNSSEC for a Cloud DNS managed zone, what must be configured?

A. Create a response policy
B. Set the DNSSEC state to 'on' for the zone
C. Add DS records to the parent zone
D. Set the zone type to private
Answer: B

This is the primary step to enable DNSSEC.

Why this answer

DNSSEC is enabled at the zone level by setting the DNSSEC state to 'on'. This can be done via the console or gcloud with '--dnssec-state=on'.

897
MCQ · medium

A DevOps team is configuring a VPC with a subnet in us-east1. They need to allow a specific VM (source IP 10.0.1.2) to access a database VM (destination IP 10.0.2.3) on port 3306, but only from that specific source. All other traffic should be denied. Which firewall rule configuration should they use?

A. Create an egress rule on the source VM's network interface allowing traffic to 10.0.2.3/32 on port 3306.
B. Create an ingress rule with priority 1000, action allow, source 10.0.1.2/32, protocol all, target service account = db-sa.
C. Create an ingress rule with priority 1000, action allow, source 10.0.1.2/32, protocol tcp:3306, target tags = db, and assign the 'db' tag to the database VM.
D. Create an ingress rule with priority 1000, action allow, source 10.0.1.2/32, protocol tcp:3306, target 10.0.2.3/32.
Answer: C

Ingress rule with specific source and port allows the required traffic when tag is assigned to destination VM.

Why this answer

Option C is correct because it creates an ingress firewall rule at priority 1000 (the default for custom rules) that explicitly allows TCP traffic on port 3306 from source IP 10.0.1.2/32 to any VM tagged with 'db'. By assigning the 'db' tag to the database VM, the rule applies only to that target, and since VPC firewall rules are stateful, the corresponding return traffic is automatically allowed. All other traffic is denied by the implied deny-all rule (priority 65535), meeting the requirement.

Exam trap

The trap here is that candidates often confuse ingress vs. egress rules or try to target a specific destination IP in a firewall rule, but GCP firewall rules only support targets via tags, service accounts, or the entire network, not by IP address.

How to eliminate wrong answers

Option A is wrong because egress rules control outbound traffic from the source VM, but the requirement is to allow inbound traffic to the database VM; egress rules cannot permit ingress connections. Option B is wrong because it specifies 'protocol all', which would allow all protocols (including non-TCP) on all ports, violating the requirement to restrict to port 3306 only. Option D is wrong because firewall rules cannot target a specific IP address as a destination; they target VMs via tags, service accounts, or the entire VPC, and the destination IP is not a valid target specifier in GCP firewall rules.
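A small evaluator for the rule semantics that questions 893 and 897 rely on, as an added example rather than anything from the question bank or from Google Cloud: it models targets by tag or service account, source matching by range or source service account, priority ordering and the implied deny-ingress and allow-egress rules, then checks the two questions' rules against constructed flows. The VM names, the 'db-sa' service account and the tie-break (deny wins an equal priority) are assumptions of the model.

```python
"""Simplified VPC firewall rule evaluation for questions 893 and 897.

Added example, not from the question bank; VMs and rules are constructed.
Modelled semantics: a rule applies to a VM when its target tag or target service
account matches (no target means every VM in the network); among applicable rules
matching the packet, the lowest priority number wins and deny wins a tie; the
implied allow-all-egress and deny-all-ingress rules sit at priority 65535.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VM:
    name: str
    tags: frozenset[str] = frozenset()
    service_account: str | None = None


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                    # "INGRESS" or "EGRESS"
    action: str                       # "allow" or "deny"
    priority: int = 1000              # 0..65535, lower number wins
    ranges: tuple[str, ...] = ()      # source ranges (ingress) / destination ranges (egress)
    source_sas: tuple[str, ...] = ()  # ingress only: match the peer VM's service account
    protocol: str = "all"             # "tcp", "udp", "icmp" or "all"
    ports: tuple[int, ...] = ()       # empty tuple means every port of the protocol
    target_tags: frozenset[str] = frozenset()
    target_sas: frozenset[str] = frozenset()

    def applies_to(self, vm: VM) -> bool:
        # Targets are tags or service accounts only; a destination IP is not a valid target.
        if not self.target_tags and not self.target_sas:
            return True
        return bool(self.target_tags & vm.tags) or vm.service_account in self.target_sas

    def matches(self, peer_ip: str, peer_sa: str | None, proto: str, port: int) -> bool:
        if self.protocol not in ("all", proto) or (self.ports and port not in self.ports):
            return False
        in_range = any(ip_address(peer_ip) in ip_network(r) for r in self.ranges)
        return in_range or (peer_sa is not None and peer_sa in self.source_sas)


IMPLIED = [Rule("implied-allow-egress", "EGRESS", "allow", 65535, ("0.0.0.0/0",)),
           Rule("implied-deny-ingress", "INGRESS", "deny", 65535, ("0.0.0.0/0",))]


def evaluate(rules: list[Rule], direction: str, vm: VM, peer_ip: str, proto: str,
             port: int, peer_sa: str | None = None) -> Rule:
    """Return the winning rule for a packet entering (INGRESS) or leaving (EGRESS) vm."""
    applicable = [r for r in rules + IMPLIED
                  if r.direction == direction and r.applies_to(vm)
                  and r.matches(peer_ip, peer_sa, proto, port)]
    return min(applicable, key=lambda r: (r.priority, r.action != "deny"))


def is_allowed(rules, direction, vm, peer_ip, proto, port, peer_sa=None) -> bool:
    return evaluate(rules, direction, vm, peer_ip, proto, port, peer_sa).action == "allow"


# Constructed inventory mirroring the two questions.
DB_VM = VM("db-1", frozenset({"db"}), "db-sa")
WEB_VM = VM("web-1", frozenset({"web-server"}))
RULES = [
    # Question 897, option C: only 10.0.1.2 may reach tagged db VMs on tcp:3306.
    Rule("allow-db-from-app", "INGRESS", "allow", 1000, ("10.0.1.2/32",),
         protocol="tcp", ports=(3306,), target_tags=frozenset({"db"})),
    # Question 893, option B: HTTP from anywhere to VMs tagged web-server.
    Rule("allow-http-web", "INGRESS", "allow", 1000, ("0.0.0.0/0",),
         protocol="tcp", ports=(80,), target_tags=frozenset({"web-server"})),
]

if __name__ == "__main__":
    for vm, src, port in [(DB_VM, "10.0.1.2", 3306), (DB_VM, "10.0.1.5", 3306),
                          (DB_VM, "10.0.1.2", 3307), (WEB_VM, "198.51.100.7", 80),
                          (WEB_VM, "198.51.100.7", 22)]:
        rule = evaluate(RULES, "INGRESS", vm, src, "tcp", port)
        print(f"{vm.name:6} <- {src}:{port:<5} {rule.action:5} by {rule.name}")
```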

898
MCQ · easy

An organization wants to connect their on-premises network to Google Cloud using a Dedicated Interconnect. They have ordered a circuit from a network service provider and need to determine the correct co-location facility to connect to. Which factor is most critical when selecting a co-location facility?

A. The facility must offer Layer 2 connectivity to the Google Cloud VPC.
B. The facility must be a Google Cloud partner facility with access to a Google PoP in the same metro as the on-premises data center.
C. The facility must support 100 Gbps ports to maximize throughput.
D. The facility must be in a different continent to ensure geographic redundancy.
Answer: B

This ensures low latency and meets the requirements for Dedicated Interconnect.

Why this answer

The co-location facility must be a Google Cloud partner facility that provides access to a Google Point of Presence (PoP) in the same metro area as the organization's on-premises data center to minimize latency and meet SLA requirements.

899
MCQ · easy

A network engineer is setting up Dedicated Interconnect and sees the output above. What does the 'encryption: IPSEC' field indicate about this VLAN attachment?

A. Traffic over this VLAN attachment is encrypted using IPsec
B. The attachment is using Cloud VPN as the underlying transport
C. The attachment requires a Cloud VPN tunnel in addition to the Interconnect
D. The attachment is using MACsec encryption at layer 2
Answer: A

IPsec encryption is enabled on this attachment.

Why this answer

The 'encryption: IPSEC' field in the VLAN attachment output for Dedicated Interconnect indicates that traffic traversing this attachment is encrypted using IPsec. This is a feature of Google Cloud's Dedicated Interconnect that allows you to enable IPsec encryption on the VLAN attachment itself, providing confidentiality and integrity for data in transit without requiring a separate Cloud VPN tunnel.

Exam trap

Google Cloud often tests the misconception that IPsec encryption on a VLAN attachment requires a separate Cloud VPN tunnel, but in reality, the encryption is a built-in feature of the attachment itself.

How to eliminate wrong answers

Option B is wrong because Cloud VPN is not the underlying transport; Dedicated Interconnect uses a direct physical connection between your on-premises network and Google's network, and IPsec encryption is applied on top of that direct link, not via a VPN tunnel. Option C is wrong because the IPsec encryption is configured directly on the VLAN attachment, so no additional Cloud VPN tunnel is required; the attachment itself handles the encryption. Option D is wrong because MACsec operates at Layer 2 (Ethernet) and uses different encryption mechanisms (IEEE 802.1AE), while the output explicitly states 'IPSEC', which is a Layer 3 protocol (RFC 4301).

900
MCQ · medium

A company uses Shared VPC with multiple service projects. The network admin wants to restrict access to certain Compute Engine instances so that only specific service accounts can SSH into them. What is the best practice to achieve this?

A. Configure firewall rules that allow SSH only from source IP ranges of the allowed service accounts.
B. Use Identity-Aware Proxy (IAP) TCP forwarding with IAM conditions restricting which service accounts can use IAP.
C. Use Organization Policies to restrict SSH access.
D. Use VPC Service Controls with a service perimeter.
Answer: B

IAP provides secure access and IAM conditions allow granular control by service account.

Why this answer

Option B is correct because Identity-Aware Proxy (IAP) TCP forwarding allows SSH access to Compute Engine instances without exposing them to the public internet. By combining IAP with IAM conditions, the network admin can restrict which service accounts are permitted to use IAP, thereby controlling SSH access at the identity level rather than relying on source IP addresses. This approach aligns with Google Cloud's best practice for zero-trust network security.

Exam trap

The trap here is that candidates may confuse IAP with traditional firewall rules or VPC Service Controls, mistakenly thinking source IP filtering or perimeter-based controls can enforce identity-based access, whereas IAP is the only option that directly integrates service account identity with SSH access.

How to eliminate wrong answers

Option A is wrong because firewall rules filter traffic based on source IP addresses, not service accounts; service accounts are identities, not IP ranges, so this approach cannot restrict access by service account. Option C is wrong because Organization Policies are used to set constraints on resource configurations (e.g., disabling serial port access), not to control SSH access per service account. Option D is wrong because VPC Service Controls are designed to protect data exfiltration by defining perimeters around managed services (e.g., BigQuery, Cloud Storage), not to manage SSH access to Compute Engine instances.
