Google Professional Cloud Network Engineer (PCNE) — Questions 76-150

497 questions total · 7 pages · All types, answers revealed

76 · Multi-Select · medium

A company is planning to connect their on-premises network to Google Cloud using Dedicated Interconnect. They require high availability for the connection. Which TWO of the following are recommended by Google for achieving high availability? (Choose two.)

Select 2 answers
A. Use a single Dedicated Interconnect with double the bandwidth
B. Connect to two different edge availability domains in the same POP
C. Order connections from two different service providers
D. Order two Dedicated Interconnect connections in the same metro
E. Connect to two different Interconnect locations (POPs)
Answers: D, E

Two connections provide link redundancy, even in the same metro.

Why this answer

Option D is correct because Google recommends ordering two Dedicated Interconnect connections in the same metro to provide link-level redundancy. Option E is correct because connecting to two different Interconnect locations (POPs) provides site-level redundancy, protecting against a single POP failure. Together, these two approaches ensure high availability for the hybrid connection.

Exam trap

The trap here is that candidates often confuse 'high availability' with 'increased bandwidth' (Option A) or think that connecting to two edge availability domains in the same POP (Option B) is sufficient, when Google actually requires diversity at the POP level for full high availability.

77 · Multi-Select · medium

Which TWO are valid methods to allow on-premises traffic to reach Google Cloud resources that only have internal (private) IP addresses? (Choose two.)

Select 2 answers
A. Set up Cloud VPN or Interconnect and configure proper routing and firewall rules.
B. Assign public IP addresses to the resources and use firewall rules to allow on-premises traffic.
C. Use Cloud NAT to allow inbound connections from on-premises.
D. Use the default internet gateway route for the VPC.
E. Configure Private Google Access for on-premises hosts.
Answers: A, E

VPN/Interconnect provide direct connectivity to private IPs from on-premises.

Why this answer

Option A is correct because Cloud VPN or Interconnect creates a secure, private connection between on-premises and Google Cloud VPCs. By configuring proper routing (e.g., custom static routes or BGP) and firewall rules, on-premises traffic can reach internal-only IP addresses without needing public IPs, as the traffic traverses the private network path.

Exam trap

Google Cloud often tests the misconception that Cloud NAT can handle inbound connections, but it only performs source NAT for connections initiated outbound from the VPC (translating the replies back to the originating VM); it does not accept connections initiated from on-premises.

78 · MCQ · medium

A company has a Hybrid Connectivity setup using Cloud VPN with dynamic routing (BGP). They notice that traffic from their on-premises network to Google Cloud is intermittently dropping. The on-premises BGP speaker is sending routes with a higher local preference (200) than the Google Cloud router (default 100). What is the most likely cause of the intermittent drops?

A. AS path prepending is causing route flapping
B. Asymmetric routing is causing traffic to be dropped by stateful firewalls
C. Cloud Router is not configured for ECMP
D. The BGP MED attribute is misconfigured
Answer: B

Higher local preference can cause asymmetric routing, leading to stateful firewall drops.

Why this answer

The on-premises BGP speaker is sending routes with a higher local preference (200) than the default on Cloud Router (100). This makes the on-premises route preferred for return traffic from Google Cloud, but the forward traffic from on-premises may still use the Cloud VPN tunnel. This asymmetry causes stateful firewalls (e.g., on-premises firewall or Google Cloud firewall) to drop packets that do not match an existing session, leading to intermittent drops.

Exam trap

Google Cloud often tests the misconception that BGP attributes like local preference only affect inbound traffic, when in fact local preference influences outbound path selection from the router's perspective, and a mismatch between on-premises and cloud can cause asymmetric routing that stateful firewalls drop.

How to eliminate wrong answers

Option A is wrong because AS path prepending is used to influence inbound route selection by artificially lengthening the AS path, not to cause route flapping; route flapping is typically due to unstable BGP sessions or route withdrawals, not local preference manipulation. Option C is wrong because ECMP (Equal-Cost Multi-Path) is unrelated to the issue; the problem is asymmetric routing due to local preference mismatch, not load balancing across multiple paths. Option D is wrong because MED (Multi-Exit Discriminator) is used to influence inbound traffic from a neighboring AS, not outbound path selection within the same AS; the local preference mismatch is the direct cause of the asymmetry.

79 · MCQ · hard

An organization is deploying a Shared VPC with one host project and three service projects. Each service project has multiple VPC networks. They want to ensure that only the host project's network admin can create firewall rules affecting the shared VPC network. Which architecture satisfies this requirement?

A. Create the shared VPC network in the host project and grant the network admin IAM role only to host project users.
B. Use VPC Network Peering between each service project and the host project, and allow each service project admin to manage their own firewall rules.
C. Assign the network admin role to users in each service project for the shared VPC network.
D. Create separate VPC networks in each service project and use VPC Network Peering to interconnect them.
Answer: A

Shared VPC firewall rules are managed in the host project, and IAM restricts who can modify them.

Why this answer

In a Shared VPC architecture, the host project owns the shared VPC network, and only IAM roles granted in the host project can manage that network's resources. By creating the shared VPC network in the host project and granting the network admin IAM role exclusively to host project users, you ensure that only those users can create firewall rules for the shared VPC. Service project users cannot modify the shared network's firewall rules because they lack the necessary IAM permissions on the host project.

Exam trap

The trap here is that candidates often confuse VPC Network Peering with Shared VPC, assuming peering provides centralized management, when in fact peering only enables connectivity without any cross-project IAM control over firewall rules.

How to eliminate wrong answers

Option B is wrong because VPC Network Peering does not centralize firewall rule management; each peered network's admin can create firewall rules for their own network, and peering does not allow one side to control the other's firewall rules, so service project admins could still manage their own rules, violating the requirement. Option C is wrong because assigning the network admin role to users in each service project for the shared VPC network would give those service project users the ability to create firewall rules affecting the shared VPC, directly contradicting the requirement that only the host project's network admin can do so. Option D is wrong because creating separate VPC networks in each service project and using VPC Network Peering to interconnect them does not create a shared VPC; each service project would have full control over its own firewall rules, and peering does not centralize rule management, so the requirement is not met.

80 · MCQ · medium

An organization has multiple VPCs in Google Cloud that need to communicate with an on-premises network through a single Dedicated Interconnect. All VPCs are in the same project. What is the most efficient way to enable connectivity from all VPCs to on-premises?

A. Create a separate Interconnect for each VPC
B. Create a single VLAN attachment and use it for all VPCs
C. Create a Cloud Router per VPC, each with its own VLAN attachment on the same Interconnect
D. Use VPC Network Peering to connect VPCs and attach one VPC to Interconnect
Answer: C

Each VPC gets its own Cloud Router and VLAN attachment, allowing all to use the same Interconnect.

Why this answer

Option C is correct because each VPC requires its own Cloud Router and VLAN attachment to establish a dedicated BGP session over the same Dedicated Interconnect. This allows multiple VPCs in the same project to share a single physical interconnect while maintaining separate Layer 3 routing domains. A single VLAN attachment cannot be shared across VPCs, as each attachment is associated with exactly one Cloud Router and one VPC.

Exam trap

The trap here is that candidates assume a single VLAN attachment can be shared across multiple VPCs, but in Google Cloud, each VLAN attachment is a per-VPC resource that requires its own Cloud Router and BGP session.

How to eliminate wrong answers

Option A is wrong because creating a separate Interconnect for each VPC is unnecessary and cost-inefficient; a single Dedicated Interconnect can support multiple VLAN attachments. Option B is wrong because a single VLAN attachment is tied to one Cloud Router and one VPC; it cannot be used directly by multiple VPCs. Option D is wrong because VPC Network Peering does not extend the Interconnect connectivity; peering only allows communication between VPCs, but the on-premises network would still only be reachable from the VPC that has the VLAN attachment, unless additional routing is configured.

81 · MCQ · hard

A company has a hybrid network with an on-premises data center connected to Google Cloud via Dedicated Interconnect. They use Private Google Access for on-premises hosts (on-premises hosts reach the external IP addresses of Google APIs via the interconnect). However, they notice that traffic to certain Google APIs is being routed via the internet instead of the interconnect. What is a likely cause?

A. On-premises DNS is not configured to resolve Google API hostnames to the Private Google Access IP address range (199.36.153.4/30).
B. Firewall rules in the VPC are blocking the private API traffic.
C. Cloud NAT is not configured for the on-premises subnet.
D. VPC Flow Logs are not enabled, causing routing misconfiguration.
Answer: A

Without proper DNS, traffic goes to public IPs.

Why this answer

Private Google Access for on-premises requires on-premises DNS to resolve Google API hostnames to the specific IP range 199.36.153.4/30. If DNS resolution returns the public IP addresses instead, traffic will be routed over the internet rather than through the Dedicated Interconnect, even though the interconnect is available. This is because the on-premises hosts will use the public IPs and follow their default route to the internet.

Exam trap

Google Cloud often tests the misconception that firewall rules or Cloud NAT are the primary cause of routing failures in hybrid connectivity, when the real issue is DNS resolution not returning the correct private IP range for Private Google Access.

How to eliminate wrong answers

Option B is wrong because firewall rules in the VPC control traffic that has already entered Google Cloud; they do not affect how on-premises hosts route traffic before it reaches the interconnect. Option C is wrong because Cloud NAT is used for outbound traffic from Google Cloud VPC instances to the internet, not for on-premises traffic accessing Google APIs via Private Google Access. Option D is wrong because VPC Flow Logs are a monitoring feature that captures metadata about network flows; they do not cause or resolve routing misconfigurations.

82 · MCQ · easy

A company is designing a VPC for a multi-tier application. The web tier must be accessible from the internet, the app tier only from the web tier, and the db tier only from the app tier. Which combination of firewall rules is appropriate?

A. Ingress allow from web to app, ingress allow from app to db, no rule for web
B. Ingress allow from 0.0.0.0/0 to web, ingress allow from web subnets to app, ingress allow from app subnets to db
C. Ingress allow from 0.0.0.0/0 to web, ingress allow from all subnets to app, ingress allow from app to db
D. Ingress allow from web to app, ingress allow from web to db, ingress allow from app to db
Answer: B

Correctly restricts access at each tier.

Why this answer

Option B is correct because it follows the principle of least privilege for a multi-tier VPC. The web tier must be accessible from the internet (0.0.0.0/0) on ingress, the app tier must only accept ingress from the web tier subnets, and the db tier must only accept ingress from the app tier subnets. This ensures that each tier is isolated and only reachable from the immediate upstream tier, which is a fundamental security best practice for multi-tier architectures in Google Cloud.

Exam trap

The trap here is that candidates often confuse 'ingress allow from web to app' with 'ingress allow from web subnets to app', forgetting that firewall rules must specify source CIDR ranges (e.g., subnet IPs) rather than just the tier name, and they may also incorrectly allow direct web-to-db access, thinking it simplifies connectivity without realizing it breaks the isolation requirement.

How to eliminate wrong answers

Option A is wrong because it lacks an ingress rule allowing traffic from the internet (0.0.0.0/0) to the web tier, making the web tier inaccessible from the internet, which violates the requirement. Option C is wrong because it allows ingress from 'all subnets' to the app tier, which would permit traffic from the db tier or other subnets to the app tier, breaking the isolation requirement that the app tier should only be reachable from the web tier. Option D is wrong because it includes an ingress rule allowing traffic from the web tier directly to the db tier, which bypasses the app tier and violates the requirement that the db tier should only be accessible from the app tier.

83 · MCQ · medium

A company is setting up a Dedicated Interconnect connection between their on-premises network and Google Cloud. They have configured a VLAN attachment and assigned a Cloud Router with BGP sessions. They notice that traffic is being dropped intermittently. The BGP session status shows 'Established' but routes are not being exchanged consistently. What is the most likely cause?

A. Bidirectional Forwarding Detection (BFD) is not enabled on the BGP session
B. The on-premises firewall is blocking BGP port 179
C. The Cloud Router has reached the maximum number of routes
D. The MTU on the VLAN attachment is set too low
Answer: A

Without BFD, BGP may remain Established while the data plane is down, causing dropped traffic.

Why this answer

When BFD is not enabled on a BGP session, the BGP keepalive timers (typically 60 seconds) are used to detect failures, which can cause intermittent traffic drops because BGP does not detect link failures quickly enough. With BFD enabled (default interval of 300ms), failures are detected in sub-seconds, preventing route flapping and ensuring consistent route exchange. The 'Established' BGP state with inconsistent route exchange is a classic symptom of BFD being absent, as routes may be withdrawn and re-advertised due to transient link issues that BGP alone cannot react to fast enough.

Exam trap

Google Cloud often tests the misconception that a BGP session in 'Established' state guarantees stable route exchange, but the trap here is that BFD is required for fast failure detection in cloud interconnect scenarios, and its absence causes intermittent route flapping that does not break the BGP session itself.

How to eliminate wrong answers

Option B is wrong because if the on-premises firewall were blocking BGP port 179, the BGP session would never reach the 'Established' state; it would remain in 'Active' or 'Idle'. Option C is wrong because the Cloud Router maximum route limit (1000 routes by default, expandable) would cause routes to be rejected, not intermittent exchange; the BGP session would still show 'Established' but routes would be missing entirely, not inconsistently exchanged. Option D is wrong because a low MTU on the VLAN attachment would cause packet fragmentation or drops for large packets, but BGP route exchange uses small packets (typically 4096 bytes max for BGP updates) and would not cause intermittent route exchange; MTU issues manifest as connectivity failures for data traffic, not BGP route flapping.

84 · Multi-Select · hard

Which THREE are true regarding Cloud HA VPN when used with dynamic routing (BGP)? (Choose three.)

Select 3 answers
A. Cloud HA VPN requires two Cloud Routers in the same region for redundancy.
B. Cloud HA VPN allows custom BGP timers.
C. Cloud HA VPN requires two interfaces per VPN gateway.
D. Cloud HA VPN BGP sessions use link-local addresses (169.254.x.x).
E. Cloud HA VPN supports using multiple tunnels for ECMP.
Answers: C, D, E

Each HA VPN gateway has two external interfaces for redundancy.

Why this answer

Option C is correct because Cloud HA VPN requires two interfaces per VPN gateway to provide high availability and redundancy. Each gateway interface connects to a separate Cloud Router, enabling active-active failover and ensuring continuous connectivity if one interface or tunnel fails.

Exam trap

Google Cloud often tests the misconception that Cloud HA VPN requires multiple Cloud Routers for redundancy, when in fact it uses multiple interfaces on a single Cloud Router, and that custom BGP timers are allowed, whereas Google Cloud enforces fixed timers for stability.

85 · MCQ · hard

Refer to the exhibit. A VM in the default VPC with IP 10.0.0.5 is unable to receive traffic from another VM in the same VPC with IP 10.0.1.5. The firewall rule shown is in place. What is the most likely reason?

A. The source range does not include 10.0.1.5
B. The rule only allows TCP but the traffic is UDP
C. The target service account does not match the VM's service account
D. The priority is too low
Answer: C

The rule only applies to VMs with the specified service account.

Why this answer

The firewall rule shown uses a target service account, which means it applies only to VM instances that are associated with that specific service account. If the VM at 10.0.0.5 has a different service account (or no service account) than the one specified in the rule, the rule will not apply to it, and traffic will be blocked by the implicit deny-all egress/ingress firewall rules. This is the most likely reason the VM cannot receive traffic from 10.0.1.5.

Exam trap

Google Cloud often tests the distinction between target tags and target service accounts, and the trap here is that candidates assume a firewall rule with a broad source range (0.0.0.0/0) will apply to all VMs, overlooking that the target service account field restricts which VMs the rule actually applies to.

How to eliminate wrong answers

Option A is wrong because the source range in the rule is 0.0.0.0/0, which includes all IP addresses, including 10.0.1.5. Option B is wrong because, although the rule specifies 'tcp' as the protocol, nothing in the exhibit indicates that the traffic is UDP; the target service account mismatch is the more specific and therefore more likely explanation. Option D is wrong because the priority is 1000, the default; while a lower numerical value means higher priority, 1000 is not 'too low' to override the implicit deny rules, and the issue is not priority but the rule not applying to the VM because of the service account mismatch.

86 · MCQ · easy

A company wants to connect their on-premises data center to Google Cloud using a site-to-site VPN with dynamic routing. Which protocol should they use for route exchange?

A. OSPF
B. Static routing
C. BGP
D. RIP
Answer: C

BGP is used for dynamic route exchange in Cloud VPN.

Why this answer

Option C is correct because Cloud VPN with dynamic routing requires BGP (Border Gateway Protocol) to exchange routes between the on-premises router and the Cloud Router. BGP is the only dynamic routing protocol supported by Google Cloud for site-to-site VPN tunnels, as it allows route advertisement, failover, and policy-based control over multiple tunnels.

Exam trap

The trap here is that candidates often assume OSPF or RIP are valid for dynamic routing in cloud VPNs because they are common in on-premises networks, but Google Cloud exclusively supports BGP for dynamic route exchange over site-to-site VPN tunnels.

How to eliminate wrong answers

Option A is wrong because OSPF is a link-state interior gateway protocol (IGP) that is not supported by Google Cloud VPN; Cloud VPN only supports BGP for dynamic route exchange. Option B is wrong because static routing does not provide dynamic route exchange; it requires manual configuration and cannot adapt to network changes or support failover across multiple tunnels. Option D is wrong because RIP is a distance-vector IGP that is not supported by Google Cloud VPN; it is outdated and lacks the scalability and policy control needed for cloud-to-on-premises connectivity.

87 · MCQ · hard

A company has two Dedicated Interconnects in different metro regions connecting to Google Cloud. They want to use BGP communities to influence Cloud Router's route selection to prefer the closer interconnect for outbound traffic to on-premises. Which community action can they apply on the on-premises routers?

A. Set BGP community 2:100 on routes to indicate MED change
B. Set BGP community 0:100 on routes to mark them as high preference
C. Set BGP community 79ba:100 on routes from the preferred interconnect
D. Set BGP community 79ba:101 on routes from the preferred interconnect
Answer: C

The community 79ba:100 (lowest RTT) is supported by Google's Cloud Router to influence route preference for outbound traffic.

Why this answer

Option C is correct because Google Cloud uses 16-bit ASN format for BGP communities, and the well-known community 79ba:100 (equivalent to 31210:256 in decimal) is a Google-defined community that sets a higher local preference on routes received from the preferred interconnect. This influences Cloud Router's route selection to prefer the closer interconnect for outbound traffic to on-premises, as higher local preference is evaluated before MED or AS-path length.

Exam trap

Google Cloud often tests the specific Google-defined BGP community format (79ba:xxxx) and its meaning, so candidates may confuse it with standard 2-byte communities or assume any community value works, leading them to pick generic options like 2:100 or 0:100.

How to eliminate wrong answers

Option A is wrong because BGP community 2:100 is not a Google-defined community; Google uses communities in the 79ba:xxxx range (31210:xxxx decimal) for route preference, and MED is not directly set via communities in this context. Option B is wrong because community 0:100 is not a valid Google-defined community; Google uses 79ba:100 for high preference, and community 0:100 has no meaning in Google Cloud's BGP implementation. Option D is wrong because community 79ba:101 is used to set a medium preference (lower than 79ba:100), not the highest preference; using it would not make the preferred interconnect the most preferred path.

88 · MCQ · easy

You are designing a hybrid network using Cloud VPN with dynamic routing (BGP) to connect multiple on-premises sites to Google Cloud. What is a best practice to avoid asymmetric routing when you have multiple VPN tunnels from different on-premises routers?

A. Use static routes instead of BGP to have precise control over path selection
B. Use a different BGP ASN for each on-premises router to ensure uniqueness
C. Configure all on-premises routers with the same BGP ASN and enable ECMP on the Cloud Router
D. Disable ECMP on the Cloud Router to avoid multipath issues
Answer: C

Same ASN allows multiple sessions to be treated as redundant, and ECMP load balances traffic.

Why this answer

Option C is correct because using the same BGP ASN on all on-premises routers and enabling ECMP on the Cloud Router allows the Cloud Router to treat multiple BGP sessions as equal-cost paths. This prevents asymmetric routing by ensuring that return traffic can be load-balanced across any available tunnel, while the same ASN avoids BGP loop-prevention mechanisms that would otherwise reject routes from routers with different ASNs.

Exam trap

The trap here is that candidates mistakenly think different ASNs are required for redundancy, but in fact, using the same ASN is necessary to allow ECMP and avoid BGP loop prevention rejecting routes from multiple on-premises routers.

How to eliminate wrong answers

Option A is wrong because static routes lack dynamic failover and cannot adapt to topology changes, leading to potential black-holing or asymmetric routing when tunnels go down. Option B is wrong because using different BGP ASNs on each on-premises router would cause the Cloud Router to see each path as a separate eBGP route, and the BGP best-path selection would prefer one path over the other, preventing ECMP and potentially causing asymmetric routing. Option D is wrong because disabling ECMP forces the Cloud Router to select a single best path, which can still result in asymmetric routing if the selected path differs from the path used by the on-premises router for return traffic.

89 · MCQ · hard

A company uses Packet Mirroring to monitor traffic from a set of VMs. They want to ensure that mirrored traffic does not interfere with the production traffic. Which statement is correct?

A. Packet Mirroring uses a separate forwarding path and does not impact the performance of the monitored VMs.
B. If firewall rules block the mirrored traffic, the original traffic will also be blocked.
C. Packet Mirroring cannot capture traffic that is encrypted in transit.
D. Mirrored traffic is always sent over the same network path as the original traffic.
Answer: A

Mirroring is passive and does not affect the original traffic.

Why this answer

Packet Mirroring in Google Cloud (and similar platforms) operates by creating a separate, independent copy of the traffic at the virtual switch level, which is then forwarded to a collector destination without traversing the same network path as the original production traffic. This ensures that the mirrored traffic does not consume bandwidth or processing resources on the monitored VMs, and any issues with the mirroring pipeline (e.g., packet drops) have zero impact on the original traffic flow. The correct answer is A because the separate forwarding path guarantees no interference with production traffic.

Exam trap

Google Cloud often tests the misconception that mirrored traffic shares the same forwarding path as original traffic, leading candidates to incorrectly choose Option D, when in fact the entire purpose of mirroring is to use a separate path to avoid interference.

How to eliminate wrong answers

Option B is wrong because firewall rules apply to the original traffic path; mirrored traffic is a duplicate sent via a separate pipeline, so blocking the mirrored copy does not affect the original traffic. Option C is wrong because Packet Mirroring captures packets at Layer 2/3, including encrypted payloads (e.g., TLS), as it copies the entire packet regardless of encryption; it does not decrypt or inspect the content. Option D is wrong because mirrored traffic is explicitly sent over a different network path (e.g., via a separate VPC or tunnel) to avoid congestion or interference with the original traffic; it does not follow the same route.

90 · MCQ · medium

A company uses Cloud NAT to allow instances without external IPs to access the internet. They have a managed instance group (MIG) in us-central1 with 10 instances, all using the same Cloud NAT configured with a single NAT IP address. They notice that some instances are unable to connect to a specific external API endpoint, while others can. The error on the failing instances is 'Cannot connect to host'. The NAT IP is not blacklisted by the API. The Cloud NAT gateway has default settings with a minimum port per VM of 64 and a maximum of 65536. What is the most likely cause?

A. The instances are using different service accounts, and the NAT is not configured to allow all.
B. The Cloud NAT's idle timeout is set too low, causing connections to be dropped.
C. The external API endpoint has a rate limit that is being hit by the NAT IP.
D. Port exhaustion is occurring; increase the number of NAT IPs or increase the minimum ports per VM.
Answer: D

Port exhaustion affects VMs that make many outbound connections; increasing NAT IPs provides more ports.

Why this answer

Cloud NAT uses source network address translation (SNAT) and maps internal IPs to the NAT IP using ports. By default, Cloud NAT allocates a range of ports per VM. If the instances are making many connections, they may exhaust the allocated ports.

The symptom that only some instances fail suggests that the failing instances may have run out of ephemeral ports. Option D is correct: Increase the number of NAT IP addresses or increase the minimum ports per VM.

91 · MCQ · medium

A company needs to connect on-premises to GCP using Dedicated Interconnect with a 10 Gbps link, and they require high availability. They plan to use a single VLAN attachment. What is the best design?

A. Deploy two interconnects with one VLAN attachment each.
B. Deploy one interconnect with one VLAN attachment and a VPN as backup.
C. Deploy one interconnect with one VLAN attachment and use static routing.
D. Deploy two VLAN attachments on the same interconnect with separate BGP sessions.
Answer: A

This provides physical diversity and HA.

Why this answer

For high availability with Dedicated Interconnect, you need two separate physical connections (interconnects) to avoid a single point of failure. Each interconnect must have its own VLAN attachment and BGP session to ensure that if one link fails, traffic can still flow over the other. A single VLAN attachment cannot provide redundancy because it is tied to one physical interconnect.

Exam trap

Google Cloud often tests the misconception that multiple VLAN attachments on the same physical interconnect provide high availability, but in reality, they share the same physical path and single point of failure.

How to eliminate wrong answers

Option B is wrong because using a VPN as backup introduces lower bandwidth and higher latency, and does not meet the requirement for high availability with a 10 Gbps link; the VPN would be a significant bottleneck. Option C is wrong because static routing lacks the automatic failover capabilities of BGP, and a single interconnect is still a single point of failure. Option D is wrong because deploying two VLAN attachments on the same interconnect does not provide physical redundancy; if the interconnect fails, both VLAN attachments go down.

92 · Multi-Select · easy

A company is designing a VPC routing strategy. Which three are valid route types in Google Cloud VPC? (Choose three.)

Select 3 answers
A. System-generated routes
B. Dynamic routes learned through BGP
C. VPN tunnel routes
D. Custom static routes
E. Peering routes
Answers: A, B, D

Created automatically for subnets and default internet gateway.

Why this answer

Options A, B, and D are correct. System-generated routes are created automatically (e.g., subnet routes and the default internet gateway route). Dynamic routes are learned through BGP on a Cloud Router. Custom static routes are created manually.

Option C is incorrect because 'VPN tunnel routes' is not a route type; VPN tunnels carry either BGP-learned dynamic routes or custom static routes. Option E is incorrect because 'Peering routes' are not a separate type; they are system-generated routes imported from peered VPCs.

93 · MCQ · medium

A company is using Partner Interconnect to connect their data center to Google Cloud. They notice that traffic from their on-premises network to a specific subnet in VPC is taking a suboptimal path. Which action should they take to influence the routing preference?

A. Use route priorities on the Cloud Router for the learned routes.
B. Change the VLAN attachment's mode to active-active.
C. Set a lower cost on the Cloud Router interface for the preferred VLAN attachment.
D. Configure BGP MED values on the on-premises router for the prefixes advertised to the Cloud Router.
Answer: D

BGP prefers the lower MED among paths to the same prefix from the same neighbouring AS, and Cloud Router carries the MED it receives into the priority of the dynamic route it installs.

Why this answer

Option D is correct because BGP MED (Multi-Exit Discriminator) is the standard attribute for telling a neighbouring AS which of several links to prefer when the same prefix is reachable over more than one of them. Cloud Router honours the MED it receives: the received value becomes the priority of the dynamic route it installs, so advertising a prefix with a lower MED over one VLAN attachment steers Google Cloud toward that attachment for traffic to the prefix. In the other direction, Cloud Router sets the MED it advertises from the advertised route priority of the BGP session (default 100, plus a region-to-region cost in global dynamic routing mode), and that is what the on-premises router reads when it picks an attachment for traffic into the VPC. Among the four options only D names the attribute that actually carries path preference between the two sides. A practitioner should note the direction: for the on-premises-to-VPC traffic the question describes, the Google-side lever is the advertised route priority, and a MED change on the on-premises router is normally paired with it so that both directions prefer the same attachment and the path stays symmetric.

Exam trap

The trap is direction. MED is always set by the side that advertises a prefix and read by the side that receives it: the on-premises router's MED shapes the path Google Cloud uses toward on-premises, while Cloud Router's advertised route priority shapes the path on-premises uses toward the VPC. Options that talk about learned-route priorities or an interface cost on the Cloud Router do not describe a setting Cloud Router exposes for this purpose.

How to eliminate wrong answers

Option A is wrong because the priority of a learned route is not set by hand on Cloud Router; it is derived from the MED received from the peer (plus region cost), and it governs only egress from Google Cloud toward on-premises. Option B is wrong because active/active versus active/backup describes how redundant VLAN attachments are used for capacity and failover; it is not a per-prefix routing preference, and it is itself implemented through route priorities and MED rather than a mode switch. Option C is wrong because Cloud Router has no per-interface cost metric; the only tunable on the Google side is the advertised route priority on a BGP session, which sets the MED Cloud Router sends.
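As an added example (not part of the original question set), here is a small Python model of both MED directions described above. The class names, attachment names and the region-cost table are assumptions for illustration; the rules it encodes (received MED becomes the installed route's priority, lowest wins, ties give ECMP; advertised MED is the session's advertised route priority, default 100, plus a 201-9999 region-to-region cost in global routing mode) are Cloud Router's documented behaviour.

```python
"""Simplified model of how MED carries path preference across a Cloud Router.
Added example, not from the page: class names, attachment names and the
region-cost value are assumptions. Behaviour modelled:
  - Cloud Router copies the MED it receives for a prefix into the priority of
    the dynamic route it installs; lowest wins, ties are ECMP. This steers
    traffic from the VPC toward on-premises.
  - Cloud Router advertises VPC subnets with MED = advertised route priority
    (default 100) plus, in global dynamic routing mode, a region-to-region
    cost in the documented range 201-9999. The on-premises router reads that
    MED when choosing an attachment for traffic into the VPC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LearnedRoute:
    prefix: str
    attachment: str   # VLAN attachment the BGP session runs over
    med: int          # MED received from the on-premises router


def install_learned(routes):
    """Return {prefix: [attachments]} as a Cloud Router would install them:
    priority == received MED, only the lowest priority is installed, and
    equal priorities yield an ECMP set."""
    best = {}
    for r in routes:
        current = best.get(r.prefix)
        if current is None or r.med < current[0]:
            best[r.prefix] = (r.med, [r.attachment])
        elif r.med == current[0]:
            current[1].append(r.attachment)
    return {prefix: sorted(atts) for prefix, (_, atts) in best.items()}


# Assumed region-to-region costs: same region is 0; for different regions the
# documented range is 201-9999 and the exact value is Google's.
REGION_COST = {
    ("us-central1", "us-central1"): 0,
    ("us-central1", "us-east1"): 201,
}


def advertised_med(advertised_route_priority, router_region, subnet_region):
    """MED the Cloud Router attaches to a subnet it advertises to on-premises."""
    return advertised_route_priority + REGION_COST[(router_region, subnet_region)]


def onprem_best_attachments(advertisements):
    """Which attachment(s) the on-premises router picks for a VPC prefix, given
    [(attachment, med)] it received for that prefix over each session."""
    lowest = min(med for _, med in advertisements)
    return sorted(att for att, med in advertisements if med == lowest)


if __name__ == "__main__":
    # Constructed sample: on-premises advertises 10.0.0.0/8 with MED 100 on
    # att-a and 200 on att-b, so the VPC egresses via att-a only.
    learned = [LearnedRoute("10.0.0.0/8", "att-a", 100),
               LearnedRoute("10.0.0.0/8", "att-b", 200)]
    print("VPC -> on-prem egress:", install_learned(learned))
    # Cloud Router advertises the subnet with priority 100 on att-a's session
    # and 200 on att-b's; on-premises sends traffic into the VPC via att-a.
    adverts = [("att-a", advertised_med(100, "us-central1", "us-central1")),
               ("att-b", advertised_med(200, "us-central1", "us-central1"))]
    print("on-prem -> VPC ingress:", onprem_best_attachments(adverts))
```

Run as a script, it shows the two decisions side by side; setting equal values on both sessions in either function turns the result into an ECMP pair, which is the active/active case.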

94
MCQeasy

Which of the following is a benefit of using Shared VPC?

A.Centralized network administration and separation from application projects.
B.Lower cost compared to VPC peering.
C.Automatic failover for applications.
D.Reduced latency between instances.
AnswerA

This is the primary benefit of Shared VPC.

Why this answer

Shared VPC lets a host project own the VPC network and its subnets while service projects deploy workloads into them, so the network team administers routing, firewall rules and hybrid connectivity centrally and application teams work in separate projects with IAM scoped to their own resources.

95
MCQmedium

A gaming company uses Cloud Armor with an external HTTP(S) load balancer to protect against DDoS attacks. They need to restrict access to the load balancer based on geographic region. What should they configure?

A.Geo-based routing policy on the backend service
B.A firewall rule that blocks IPs from certain countries
C.Geo-match custom rule in Cloud Armor
D.Use Cloud CDN with geo filtering
AnswerC

Cloud Armor rules can filter traffic based on geographic region (e.g., country or continent).

Why this answer

Cloud Armor supports custom rules whose match condition tests the client's geographic origin (the `origin.region_code` attribute, an ISO 3166-1 alpha-2 country code), so you can allow or deny traffic by country. When the security policy is attached to the backend service of an external HTTP(S) load balancer, the rules are evaluated at Google's edge before traffic reaches the backends, which is where geo-based access control belongs for DDoS protection.

Exam trap

Google Cloud often tests the distinction between Cloud Armor's security policies (which include geo-match rules) and backend service routing policies, leading candidates to confuse geo-based routing with geo-based access control.

How to eliminate wrong answers

Option A is wrong because a backend service has no geo-based access policy; steering requests to backends by client location selects where admitted traffic goes, not whether it is admitted. Option B is wrong because VPC firewall rules never see the client's address: the external HTTP(S) load balancer is a proxy, and backends receive connections from Google's proxy and health-check ranges (130.211.0.0/22 and 35.191.0.0/16), which must be allowed in any case, so a firewall rule cannot block 'IPs from certain countries' and does nothing at the edge where volumetric traffic must be stopped. Option D is wrong because Cloud CDN is a cache in front of the same load balancer and has no geo-filtering control of its own; edge access control is Cloud Armor's job, and a Cloud Armor policy applies whether or not Cloud CDN is enabled.

96
MCQmedium

A company is deploying a Global Cloud VPN with multiple tunnels from different Cloud Router instances to the same on-premises peer. The on-premises BGP speaker is configured with multiple peers. How should they configure the BGP ASN on the Cloud Routers to ensure optimal routing?

A.Use different private ASNs for each Cloud Router to differentiate the tunnels.
B.Use the same private ASN for all Cloud Routers in the same region.
C.Assign a unique public ASN to each Cloud Router.
D.Use the same ASN across all Cloud Routers globally.
AnswerB

Using the same private ASN on every Cloud Router session in the region means the on-premises router receives the VPC prefixes with the same AS_PATH over each tunnel, so it can ECMP across them and fail over cleanly.

Why this answer

Option B is correct because with one private ASN for all Cloud Routers in the region, each tunnel still carries its own BGP session, but the on-premises speaker receives identical AS_PATHs for the VPC prefixes over every session. Equal AS_PATH length (and equal MED, which Cloud Router derives from the advertised route priority) is what lets the on-premises router treat the tunnels as equal-cost paths, load balance across them, and fail over without any re-weighting. This is how Google's redundant HA VPN topologies are built: one Cloud Router ASN, several sessions.

Exam trap

The trap is assuming each BGP session needs its own ASN for redundancy. Redundancy comes from multiple sessions over separate tunnels; giving those sessions different ASNs only makes the paths look different to the on-premises router and complicates its policy, whereas one ASN per region keeps the paths equal and lets BGP's own best-path selection handle load balancing and failover.

How to eliminate wrong answers

Option A is wrong because with different ASNs the on-premises speaker sees a distinct AS_PATH per tunnel; the paths are no longer identical, so any policy based on AS_PATH has to be written per tunnel and equal-cost load balancing is easy to break. Option C is wrong because public ASNs are unnecessary for a private hybrid peering; a private ASN from 64512-65534 (or the 32-bit private range 4200000000-4294967294) is what Cloud Router is normally given, and public ASNs are for networks that peer on the internet. Option D is wrong as an answer to this question because it overshoots the scope: the routers asked about are those peering with one on-premises speaker from one region. Sharing an ASN across every Cloud Router globally is permitted (the on-premises router's loop check looks for its own ASN in AS_PATH, not for duplicates among peers), but it leaves AS_PATH unable to distinguish regions, so any per-region policy on the on-premises side must then rely on MED alone.

97
MCQhard

An organization has a Dedicated Interconnect with Cloud Router configured for BGP. The on-premises network advertises a prefix that overlaps with an existing VPC subnet. How does Google Cloud handle the overlapping prefix?

A.It accepts the prefix but static routes have higher priority.
B.It accepts the prefix and gives it higher priority than the VPC subnet.
C.It rejects the prefix and does not install a dynamic route for it.
D.It accepts the prefix and load balances traffic between the two locations.
AnswerC

Google Cloud rejects overlapping prefixes to maintain routing integrity.

Why this answer

Cloud Router does not install a learned prefix whose destination exactly matches, or fits inside, an existing subnet IP range in the VPC (or in a peered VPC); the prefix is dropped rather than installed as a dynamic route. A learned prefix that is broader than a subnet range is installed, but the subnet route still wins for addresses inside the subnet because it is the longer match. This keeps forwarding to VPC-internal addresses unambiguous regardless of what an on-premises peer advertises.

Exam trap

The trap is assuming BGP can override VPC subnet routes because it is dynamic. Subnet routes are always preferred for their own range: a learned prefix that equals or falls within a subnet range is not installed at all, and a custom static route with such a destination is rejected at creation time.

How to eliminate wrong answers

Option A is wrong because static routes do not outrank subnet routes, and a static route that matches or fits within a subnet range cannot be created; the default priority of a static route, 1000, only ranks it against other non-subnet routes with the same destination. Option B is wrong because a dynamically learned route is never preferred over the subnet route for the subnet's own range; the overlapping learned prefix is simply not installed. Option D is wrong because Google Cloud does not load balance between a subnet route and an overlapping learned route; ECMP applies only among routes with the same destination and priority, such as several dynamic routes learned for the same prefix over different sessions.

98
MCQeasy

A company has a VPC with a subnet in us-central1. They have several private Compute Engine instances (no external IP) that need to download updates from a public repository on the internet. The network engineer has created a Cloud NAT gateway in the same region and attached it to the subnet. However, the instances still cannot reach the internet. The engineer has confirmed that the Cloud NAT gateway is correctly configured and that the subnet's Private Google Access is not relevant for this traffic. What should the engineer check first to resolve the issue?

A.Verify that the default route (0.0.0.0/0) is present in the VPC route table pointing to the internet gateway.
B.Confirm that the Cloud NAT router is configured with the correct network and subnet.
C.Ensure that the Cloud NAT gateway has a static external IP.
D.Check that the firewall rules allow egress traffic for the instances to the internet.
AnswerA

The default route is essential: Cloud NAT only translates packets that the routing table has already sent to the default internet gateway.

Why this answer

Option A is correct because Cloud NAT does not move packets itself; it translates packets that the VPC routing table has already directed to the default internet gateway. A VM without an external IP still needs a route to 0.0.0.0/0 whose next hop is default-internet-gateway for internet-bound traffic. If that system-generated route was deleted (a common hardening step) or shadowed by a custom route with a different next hop, packets to public addresses have no matching route and are dropped before Cloud NAT is ever involved. Restoring a 0.0.0.0/0 route with next hop default-internet-gateway (it can be a custom static route) fixes this.

Exam trap

Google Cloud often tests the misconception that Cloud NAT alone provides internet connectivity, but the trap here is that candidates overlook the fundamental requirement of a default route in the VPC route table, assuming NAT configuration is sufficient for outbound traffic.

How to eliminate wrong answers

Option B is wrong because the engineer has already confirmed that the Cloud NAT gateway is attached to the right network and subnet, so re-checking it is not the first step. Option C is wrong because Cloud NAT does not require a static external IP; it can auto-allocate addresses or use a manually assigned pool, and neither choice affects whether traffic reaches it. Option D is wrong because VPC firewall rules are stateful and egress is permitted by the implied allow-egress rule unless a custom egress deny exists, which the scenario does not describe; a missing route drops the packets before any firewall rule is consulted.
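Added example, not from the page: a Python model of the route-table behaviour behind questions 97 and 98. Subnet ranges, prefixes and next-hop names are constructed. It installs learned prefixes the way Cloud Router does (drops any that equal or fit inside a subnet range, keeps broader ones) and resolves destinations by longest prefix match, which is where a missing 0.0.0.0/0 route shows up as a dropped packet even with Cloud NAT configured.

```python
"""Model of VPC route installation and lookup (added example, not from the page).
Behaviours modelled, all documented for Google Cloud VPC:
  - Subnet routes are system-generated, one per subnet IP range.
  - A prefix learned via BGP is not installed as a dynamic route if it exactly
    matches or fits within a subnet range; a broader prefix is installed and
    loses to the subnet route by longest prefix match.
  - Without a 0.0.0.0/0 route whose next hop is the default internet gateway,
    internet-bound packets have no route, so Cloud NAT never sees them.
Route kinds, next-hop names and sample prefixes are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    next_hop: str
    kind: str          # "subnet" | "static" | "dynamic"
    priority: int      # lower wins among non-subnet routes with identical dest


def subnet_routes(subnets):
    """System-generated subnet routes, one per subnet range."""
    return [Route(ipaddress.ip_network(s), "virtual-network", "subnet", 0)
            for s in subnets]


def install_dynamic(table, learned_prefixes, next_hop, priority=100):
    """Return (new_table, rejected). Cloud Router drops a learned prefix that
    equals or is a subset of any subnet route destination."""
    subnet_dests = [r.dest for r in table if r.kind == "subnet"]
    installed, rejected = [], []
    for p in learned_prefixes:
        net = ipaddress.ip_network(p)
        if any(net.subnet_of(s) for s in subnet_dests):   # equal or narrower
            rejected.append(p)
        else:
            installed.append(Route(net, next_hop, "dynamic", priority))
    return table + installed, rejected


def lookup(table, dst):
    """Longest prefix match; on equal length a subnet route wins, then the
    lowest priority. Returns the next hop, or None when the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.dest]
    if not candidates:
        return None
    best = max(candidates,
               key=lambda r: (r.dest.prefixlen, r.kind == "subnet", -r.priority))
    return best.next_hop


if __name__ == "__main__":
    table = subnet_routes(["10.10.0.0/24", "10.20.0.0/24"])
    table, rejected = install_dynamic(
        table, ["10.10.0.0/24", "10.10.0.128/25", "10.0.0.0/8", "192.168.100.0/24"],
        "vlan-attachment-1")
    print("rejected learned prefixes:", rejected)       # the two overlapping ones
    print("10.10.0.5 ->", lookup(table, "10.10.0.5"))    # subnet route wins over /8
    print("203.0.113.10 ->", lookup(table, "203.0.113.10"))   # None: no default route
    table.append(Route(ipaddress.ip_network("0.0.0.0/0"),
                       "default-internet-gateway", "static", 1000))
    print("203.0.113.10 ->", lookup(table, "203.0.113.10"))   # now reaches the IGW
```

The last two lookups are the Cloud NAT case: the NAT gateway is irrelevant until a packet is routed to default-internet-gateway, so the missing route is the first thing to verify.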

99
Multi-Selecthard

A company has a VPC with multiple subnets. They want to restrict traffic between two subnets (Subnet-A and Subnet-B) using VPC firewall rules. Which THREE conditions must be met for a firewall rule to block traffic from Subnet-A to Subnet-B?

Select 3 answers
A.The rule must be applied using network tags on instances in Subnet-A.
B.The rule must be an ingress rule with source set to Subnet-A IP range and destination set to Subnet-B IP range.
C.The rule must have action set to 'deny' and apply to all instances in Subnet-B.
D.The rule must also allow return traffic from Subnet-B to Subnet-A.
E.The rule must have a lower priority number (higher priority) than any allow rules between the subnets.
AnswersB, C, E

To block traffic from A to B, the ingress rule on Subnet-B must block source A.

Why this answer

Option B is correct because VPC firewall rules are direction-specific, and traffic from Subnet-A to Subnet-B is ingress at the VMs in Subnet-B: the rule must be an ingress rule whose source filter is Subnet-A's range and whose destination or target covers the VMs in Subnet-B. Option C is correct because only a 'deny' action drops the packets, and the rule has to apply to every instance in Subnet-B, either by targeting all instances or by a tag or service account every Subnet-B VM carries; a VM the rule does not target is still covered by whatever allow rule exists for internal traffic. Option E is correct because rules are evaluated from the lowest priority number upward and the first match wins, so a deny at priority 1000 never fires if an allow rule at priority 900 matches the same traffic; the deny needs a smaller priority number than any allow rule that covers the same flows.

Exam trap

The trap is the belief that the rule must also be applied in Subnet-A, or that return traffic from B to A needs its own rule. The firewall is stateful: once a connection is allowed in one direction, its reply packets are allowed without a rule. For an ingress rule the target is the receiving VM, so tags on Subnet-A instances (Option A) do nothing, and a return-traffic rule (Option D) is unnecessary. The converse also holds and is worth remembering: a deny from A to B does not stop connections that Subnet-B VMs initiate toward A, nor the replies to them.
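Added example (not from the page): a Python evaluator for the ingress semantics the three correct options rely on. The rules and addresses are constructed, and the rule's destination CIDR stands in for its target VMs; the semantics modelled are documented: lowest priority number evaluated first, first match wins, implied deny for ingress, and stateful handling of replies.

```python
"""Evaluator for VPC firewall ingress semantics (added example, not from the
page). Constructed rules and addresses; the destination CIDR on a rule stands
in for the VMs the rule targets. Modelled behaviour: priorities 0-65535 with
the lowest number evaluated first, first matching rule wins, implied deny for
ingress when nothing matches, and stateful tracking so reply packets of an
allowed connection pass without a rule of their own."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str                  # "allow" | "deny"
    sources: tuple               # source CIDRs
    destinations: tuple = ()     # CIDRs of the target VMs; empty means any


SUBNET_A = "10.1.0.0/24"
SUBNET_B = "10.2.0.0/24"

# Wrong order: the broad allow has the smaller number and matches first.
RULES_BAD = [
    Rule("allow-internal", 900, "allow", ("10.0.0.0/8",)),
    Rule("deny-a-to-b", 1000, "deny", (SUBNET_A,), (SUBNET_B,)),
]
# Right order: the deny outranks the allow (smaller number) for A -> B.
RULES_GOOD = [
    Rule("allow-internal", 1000, "allow", ("10.0.0.0/8",)),
    Rule("deny-a-to-b", 900, "deny", (SUBNET_A,), (SUBNET_B,)),
]


def _matches(addr, cidrs):
    return not cidrs or any(ipaddress.ip_address(addr) in ipaddress.ip_network(c)
                            for c in cidrs)


def evaluate_ingress(rules, src, dst):
    """First matching rule in priority order; implied deny if none matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(src, rule.sources) and _matches(dst, rule.destinations):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


class Firewall:
    """Stateful wrapper: replies to an allowed connection bypass the rules."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # (initiator, responder) pairs

    def packet(self, src, dst, syn):
        """syn=True for a new connection, False for a packet in an existing one."""
        if not syn and (dst, src) in self.established:
            return "allow", "stateful-return"
        action, name = evaluate_ingress(self.rules, src, dst)
        if syn and action == "allow":
            self.established.add((src, dst))
        return action, name


if __name__ == "__main__":
    print("bad order, A->B :", evaluate_ingress(RULES_BAD, "10.1.0.5", "10.2.0.7"))
    print("good order, A->B:", evaluate_ingress(RULES_GOOD, "10.1.0.5", "10.2.0.7"))
    fw = Firewall(RULES_GOOD)
    print("B opens to A     :", fw.packet("10.2.0.7", "10.1.0.5", True))
    print("A replies to B   :", fw.packet("10.1.0.5", "10.2.0.7", False))   # allowed, no rule needed
    print("A opens to B     :", fw.packet("10.1.0.5", "10.2.0.7", True))    # denied
```

The third and fourth lines of output are Option D's point: the reply from A to B passes on state even though the deny rule would match it as a new connection.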

100
MCQhard

An organization has a hybrid network with multiple VPN tunnels connecting their on-premises network to Google Cloud. They use Cloud Router with BGP to propagate routes. They recently added a new subnet 192.168.100.0/24 in Google Cloud. On-premises devices can reach resources in the new subnet, but Google Cloud resources cannot initiate traffic to certain on-premises hosts in the 10.0.0.0/8 subnet. BGP sessions are all established. What is the most likely cause?

A.The VPC firewall rules are blocking outbound traffic from the new subnet.
B.The on-premises firewall is blocking traffic initiated from the 192.168.100.0/24 subnet because it is not in the permitted list.
C.There is a route conflict between the 192.168.100.0/24 route and an existing route in the on-premises routing table.
D.The on-premises BGP router is not advertising the 10.0.0.0/8 network because a mask mismatch.
AnswerB

On-premises firewalls often have stateful inspection; new subnet traffic may not be allowed.

Why this answer

The asymmetry in the symptom is the clue. On-premises hosts can open connections to 192.168.100.0/24, so the prefix is advertised over BGP, installed on both sides, and the VPN path works. Yet Google Cloud VMs in that subnet cannot open connections toward certain 10.0.0.0/8 hosts. Routing is symmetric, so a missing route would break both directions; a stateful on-premises firewall is not. It permits the sessions on-premises hosts initiate (and their replies) while dropping new sessions whose source, 192.168.100.0/24, is not yet in its permit list for the protected hosts. Adding the new subnet to that list resolves it.

Exam trap

Google Cloud often tests the distinction between routing (BGP/route tables) and firewall filtering, leading candidates to incorrectly blame route advertisement or VPC firewall rules when the actual issue is a missing permit entry in the on-premises firewall for the new subnet.

How to eliminate wrong answers

Option A is possible in principle, because the VPC firewall is also stateful and an egress deny on the new subnet would produce a similar one-way symptom, but it is the less likely cause: egress is allowed by the implied rule unless someone added a deny, and a VPC egress deny is written against destination ranges, which does not explain why only certain hosts inside 10.0.0.0/8 are unreachable; a per-host permit list on the on-premises firewall does. Option C is wrong because a route conflict for 192.168.100.0/24 on the on-premises side would break on-premises-initiated traffic to the new subnet, which is stated to work. Option D is wrong because a mask mismatch that kept 10.0.0.0/8 out of the VPC's dynamic routes would make the prefix unreachable from every Google Cloud subnet, not only for connections toward certain hosts, and the on-premises-initiated sessions already prove the path carries traffic both ways once a connection exists.

101
MCQmedium

A company is deploying a multi-tier application on Google Cloud. The frontend tier runs in a managed instance group behind a global external HTTP(S) load balancer. The backend tier runs on Compute Engine instances in a different VPC subnet. The frontend instances must communicate with the backend instances using internal IP addresses only. Which configuration should the network engineer use?

A.Use Cloud NAT to allow the frontend to reach the backend via the internet.
B.Use an internal TCP/UDP load balancer in the backend VPC and configure the frontend to send traffic to the load balancer's internal IP.
C.Place both frontend and backend instances in the same VPC but different subnets, and use firewall rules to allow traffic.
D.Set up VPC Network Peering between the frontend VPC and the backend VPC.
AnswerD

VPC peering enables private IP communication across VPCs without requiring external IPs or gateways, meeting the requirement of internal-only communication.

Why this answer

Option D is correct because VPC Network Peering allows two separate VPC networks to communicate using internal IP addresses without traversing the internet or requiring a VPN. Since the frontend and backend are in different VPCs (implied by the need for peering), peering enables direct internal IP connectivity between the frontend instances and the backend instances, satisfying the requirement for internal-only communication.

Exam trap

The trap here is that candidates may assume placing instances in the same VPC (Option C) is the simplest solution, but the question explicitly implies the frontend and backend are in separate VPCs, making VPC Network Peering the correct choice for internal IP communication across VPCs.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used to allow outbound internet access from instances without external IPs, not for internal communication between VPCs; it would force traffic over the internet, violating the internal IP requirement. Option B is wrong because an internal TCP/UDP load balancer is used to distribute traffic within the same VPC or across peered VPCs, but it does not establish connectivity between separate VPCs on its own; peering is still required for the frontend to reach the load balancer's internal IP. Option C is wrong because placing instances in the same VPC but different subnets would work for internal communication, but the question states the frontend and backend are in different VPCs (implied by the need for a solution), so this option does not apply to the given architecture.

102
MCQmedium

An engineer runs the command above to check the status of a Dedicated Interconnect VLAN attachment. The state shows DEFECTIVE. The associated interconnect connection is in ACTIVE state. What is the most likely cause?

A.The VLAN ID is already in use on a different attachment on the same interconnect
B.The Cloud Router is not configured with a BGP session for this attachment
C.The maximum number of VLAN attachments for this interconnect has been exceeded
D.The data center power is down
AnswerA

Duplicate VLAN IDs cause the attachment to be DEFECTIVE.

Why this answer

A Dedicated Interconnect VLAN attachment showing DEFECTIVE state while the interconnect connection itself is ACTIVE indicates a configuration conflict at the VLAN level. The most common cause is that the VLAN ID specified for this attachment is already allocated to another VLAN attachment on the same interconnect, as VLAN IDs must be unique per interconnect. This conflict prevents the attachment from establishing proper Layer 2 connectivity, resulting in a DEFECTIVE state.

Exam trap

Google Cloud often tests the distinction between Layer 2 attachment health and Layer 3 BGP session status — candidates mistakenly assume a BGP misconfiguration causes the attachment to be DEFECTIVE, but the attachment state is independent of BGP and reflects only the VLAN-level connectivity.

How to eliminate wrong answers

Option B is wrong because a missing BGP session on the Cloud Router would cause the BGP session to be down or not established, but the VLAN attachment state would still be ACTIVE (or PENDING) — the attachment itself is a Layer 2 construct and does not depend on BGP configuration for its operational state. Option C is wrong because exceeding the maximum number of VLAN attachments would result in a failure to create the attachment or an error during provisioning, not a DEFECTIVE state on an already-created attachment; the attachment would either be rejected or show a different error. Option D is wrong because a data center power outage would affect the interconnect connection itself, causing it to go DOWN or UNAVAILABLE, not remain ACTIVE while only the VLAN attachment shows DEFECTIVE.

103
MCQhard

A company with multiple VPCs in a Shared VPC environment wants to connect their on-premises network to all VPCs with high availability and minimal cost. They already have a Dedicated Interconnect. What is the most efficient solution?

A.Set up Cloud VPN with dynamic routing to each VPC.
B.Create an HA VPN gateway for each VPC and peer with on-prem.
C.Use the existing Dedicated Interconnect to create multiple VLAN attachments, one per VPC.
D.Provision a new Partner Interconnect for each VPC.
AnswerC

VLAN attachments let one Interconnect connection serve several VPCs; redundancy still comes from a second connection.

Why this answer

Option C is correct because a single Dedicated Interconnect connection can carry multiple VLAN attachments, each with its own VLAN ID, Cloud Router and BGP session, and each attachment lands in one VPC and region. In a Shared VPC environment the attachments are created in the host project's networks, so every service project that uses the host network reaches on-premises through them without further circuits, which is the lowest-cost way to extend the connection. One caveat a practitioner should keep in mind: attachments on one connection share its physical path, so the high-availability part of the requirement still depends on a second connection in a different edge availability domain with its own set of attachments; the question's options only ask how to reach the VPCs over the capacity already paid for.

Exam trap

Google Cloud often tests the misconception that a single Dedicated Interconnect can only connect to one VPC, leading candidates to incorrectly choose VPN-based solutions or additional interconnects.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with dynamic routing would require separate tunnels to each VPC, increasing complexity and cost, and it does not utilize the existing Dedicated Interconnect, which is already paid for. Option B is wrong because creating an HA VPN gateway for each VPC duplicates effort and cost; the Dedicated Interconnect can handle multiple VPCs via VLAN attachments without needing separate VPN gateways. Option D is wrong because provisioning a new Partner Interconnect for each VPC would incur significant additional expense and is unnecessary when the existing Dedicated Interconnect can be extended with VLAN attachments.

104
MCQhard

A financial services firm needs to connect their on-premises data center to Google Cloud VPC with 50 Gbps of bandwidth and latency under 5 ms. They are in a metropolitan area with a Google Cloud region. They require an SLA of 99.99% and need to support VLAN attachments to multiple VPCs. Which connectivity option should they choose?

A.Direct Peering
B.Dedicated Interconnect
C.Cloud VPN with multiple tunnels and ECMP
D.Partner Interconnect
AnswerB

Dedicated Interconnect provides 10 Gbps or 100 Gbps circuits (up to 8 x 10 Gbps or 2 x 100 Gbps per connection), low latency within the metro, a 99.99% SLA with the four-connection topology, and multiple VLAN attachments to different VPCs.

Why this answer

Dedicated Interconnect is the correct choice because it is a direct physical connection from the on-premises router to Google's network at a colocation facility, with circuits of 10 Gbps or 100 Gbps (up to 8 x 10 Gbps or 2 x 100 Gbps per connection), so 50 Gbps fits within one connection. The 99.99% SLA is available when the recommended topology is built: four connections, two in each of two metros, each pair in different edge availability domains, with at least one VLAN attachment per connection. Each VLAN attachment lands in a VPC and region of your choosing, so several VPCs can share the connections, and a direct circuit inside the same metro as the region keeps the path short, which is what the sub-5 ms requirement needs.

Exam trap

Google Cloud often tests the misconception that Cloud VPN with ECMP can scale to bandwidths like 50 Gbps. Each HA VPN tunnel is limited to 3 Gbps, so 50 Gbps would need at least 17 tunnels, and the traffic still crosses the public internet with IPsec overhead; HA VPN does carry a 99.99% availability SLA, but that SLA covers the gateway, not throughput or latency across the internet.

How to eliminate wrong answers

Option A (Direct Peering) is wrong because Direct Peering connects your network to Google's edge for Google services and public IP space; it does not attach to a VPC, has no VLAN attachments, and carries no SLA. Option C (Cloud VPN with multiple tunnels and ECMP) is wrong because each HA VPN tunnel is capped at 3 Gbps and the traffic rides the public internet with IPsec overhead; HA VPN's 99.99% SLA covers availability of the gateway, not bandwidth or latency, so assembling 50 Gbps from tunnels is neither practical nor predictable. Option D (Partner Interconnect) is wrong because a VLAN attachment tops out at 50 Gbps and traffic crosses a service provider's network; Google's SLA covers only the Google side of the partner connection, so end-to-end latency and availability depend on the provider, whereas Dedicated Interconnect puts your own router directly on Google's edge.

105
MCQhard

A large enterprise is migrating to Google Cloud and needs to establish connectivity between on-premises and VPCs in two different regions (us-east1 and europe-west1). They have a single Partner Interconnect connection at a co-location facility in New York. They want to use the same interconnect for both regions. Which configuration should they use?

A.Create two VLAN attachments, one for each region, over the same interconnect
B.Create one VLAN attachment and attach it to both VPCs
C.Use HA VPN over the interconnect to connect both regions
D.Create two Cloud VPN tunnels from on-prem to each VPC
AnswerA

VLAN attachments are regional; multiple can share same interconnect.

Why this answer

A is correct because a single Partner Interconnect connection can support multiple VLAN attachments, each associated with a different region. By creating two VLAN attachments over the same interconnect—one for us-east1 and one for europe-west1—the enterprise can route traffic from the on-premises network to both VPCs using the same physical link, leveraging Google Cloud's support for multiple VLAN attachments per interconnect.

Exam trap

Google Cloud often tests the misconception that a single VLAN attachment can serve multiple regions, but in Google Cloud, VLAN attachments are regional resources and cannot be shared across regions.

How to eliminate wrong answers

Option B is wrong because a VLAN attachment is a regional resource that can only be attached to a VPC in the same region; you cannot attach a single VLAN attachment to VPCs in two different regions. Option C is wrong because HA VPN over the interconnect is unnecessary and adds complexity; the interconnect already provides a dedicated, high-bandwidth connection, and using VPN over it would introduce encryption overhead and potential performance degradation without solving the multi-region requirement. Option D is wrong because Cloud VPN tunnels are typically used over the public internet or as a backup, not as a primary solution when a dedicated interconnect is available; moreover, using two VPN tunnels would bypass the interconnect's benefits of lower latency and higher reliability.

106
MCQmedium

A company has set up an HA VPN tunnel between their on-premises router and a Cloud Router in Google Cloud. The on-premises router establishes BGP sessions to both Cloud Router instances, but the routes learned from one Cloud Router instance are not being received. The other instance works fine. What is the most likely cause?

A.The tunnel is in a failed state
B.The on-premises router has incorrect ASN configured for that BGP session
C.The on-premises router has a firewall blocking BGP updates only on one IP address
D.The Cloud Router is set to advertisement mode 'Custom' and does not advertise all subnets
AnswerB

Incorrect ASN (Autonomous System Number) on one BGP session could prevent route exchange while the other session works.

Why this answer

The most likely cause is that the on-premises router has the wrong remote ASN configured for the neighbor that corresponds to the failing session. On HA VPN each tunnel gets its own BGP session with its own link-local peer IP, but both sessions belong to the same Cloud Router and therefore the same ASN; if one neighbor statement carries a different remote ASN, the Cloud Router's OPEN is rejected with a Bad Peer AS notification, so that session never completes the OPEN exchange and delivers no routes, while the correctly configured session keeps working.

Exam trap

Google Cloud often tests the separation between the IPsec tunnel and the BGP session that runs on top of it: a tunnel can be up while its BGP session is not exchanging anything. An ASN mismatch is caught during the OPEN exchange, so no prefixes are ever received on that session, which candidates misread as a tunnel failure or a firewall problem.

How to eliminate wrong answers

Option A is wrong because a failed tunnel would prevent both BGP sessions from working, not just one, and the question states the other instance works fine. Option C is wrong because a firewall blocking BGP updates on only one IP address would typically affect both TCP port 179 traffic and BGP session establishment, but the symptom here is routes not being received, not session failure, and a firewall would likely block the entire session. Option D is wrong because the Cloud Router's advertisement mode being set to 'Custom' would affect both BGP sessions equally, not selectively cause one to not receive routes while the other works.

107
MCQmedium

Refer to the exhibit. What is the purpose of the --enable-private-ip-google-access flag?

A.Enables the subnet to be used for Cloud VPN tunnels.
B.Allows external traffic to reach VMs using private IPs.
C.Enables Cloud NAT on this subnet.
D.Allows VMs to access Google APIs without requiring an external IP.
AnswerD

Private Google Access enables this.

Why this answer

The `--enable-private-ip-google-access` flag, when set to `true` on a subnet, allows VM instances in that subnet to reach Google APIs and services (e.g., Cloud Storage, BigQuery) using their private IP addresses, without requiring an external (public) IP. This works by routing traffic through Google's internal network to the Google API frontend, bypassing the public internet.

Exam trap

Google Cloud often tests the misconception that this flag enables Cloud NAT or provides general internet access, when in fact it only provides access to Google APIs and services, not arbitrary public IPs.

How to eliminate wrong answers

Option A is wrong because Cloud VPN tunnels are configured on the VPC network level or via a Cloud Router, not enabled by a subnet-level flag; the flag does not affect VPN functionality. Option B is wrong because external traffic cannot reach VMs using private IPs without a mechanism like a load balancer or Cloud NAT; this flag controls outbound access from VMs to Google APIs, not inbound external access. Option C is wrong because Cloud NAT is a separate resource configured on a Cloud Router, not enabled by a subnet flag; this flag provides direct private access to Google APIs, not NAT-based internet access.

108
MCQhard

Refer to the exhibit. An engineer is troubleshooting a dual-tunnel HA VPN. The BGP session on one interface is established (State/PfxRcd 1) but the other is stuck in Active state. What can cause this?

A.The on-premises router does not have a BGP configuration for the second peer IP address (169.254.x.x).
B.The Cloud Router is using the same BGP identifier for both sessions, causing a conflict.
C.The on-premises router is configured with BGP MD5 authentication that only matches the first peer.
D.The MTU on the second tunnel is not matching between the two ends.
AnswerA

If the on-premises router is not expecting a connection from the second peer IP, it will not respond, leaving the Cloud Router in Active state.

Why this answer

In a dual-tunnel HA VPN, each tunnel carries its own BGP session with its own link-local peer addresses (169.254.x.x). If the on-premises router only has a neighbor statement for the first Cloud Router interface address, it refuses the TCP connection on port 179 from the second address, because BGP speakers accept connections only from configured neighbors. The Cloud Router's connect attempt fails and it sits in Active, retrying, never reaching OpenSent.

Exam trap

Google Cloud often tests the BGP FSM states. Active means the local speaker's TCP connection attempt did not complete and it is waiting to retry; the remote end never answered or refused the connection, which most often means the neighbor is not configured on that address or an ACL drops the packets. Authentication and MTU problems surface at different points: a failed OPEN, or a session that comes up and then misbehaves.

How to eliminate wrong answers

Option B is wrong because using the same BGP identifier (router-id) for both sessions is allowed in BGP; it does not cause a session to remain in Active state — it may cause a warning or minor issue but not a stuck Active. Option C is wrong because MD5 authentication mismatch would cause the session to fail authentication and likely show a state of Idle or Connect, not Active; Active means the router is listening for a TCP connection that never completes. Option D is wrong because MTU mismatch does not prevent BGP session establishment; it would cause packet fragmentation or drops after the session is up, not keep it in Active state.

109
MCQ (medium)

A company is using Cloud VPN to connect to Google Cloud. They notice that traffic from their on-premises network to Google Cloud is not being routed correctly after a recent change. On the on-premises router, they verify that the BGP session is established and routes are received. Which step should they take next to troubleshoot?

A.Verify that the routes learned via BGP are being propagated to the VPC network by examining Cloud Router details
B.Check the on-premises firewall logs
C.Disable and re-enable the VPN tunnel
D.Check the tunnel status in Cloud Console
Answer: A

Routes learned via BGP must be propagated to the VPC. Cloud Router shows advertised and learned routes.

Why this answer

Since the BGP session is established and routes are received on the on-premises router, the issue is likely that those routes are not being propagated into the VPC network. Cloud Router acts as the BGP speaker for the VPC; even if the VPN tunnel is up and BGP peering is successful, the learned routes must be advertised into the VPC’s routing tables. Verifying Cloud Router details (e.g., using `gcloud compute routers get-status` or checking the Cloud Console) confirms whether the routes are being accepted and propagated, which directly addresses the routing failure.

Exam trap

Google Cloud often tests the misconception that a working BGP session and tunnel status guarantee correct routing, but the real failure point is the propagation of learned routes into the VPC’s routing tables, which requires explicit verification of Cloud Router’s learned routes and advertisements.

How to eliminate wrong answers

Option B is wrong because on-premises firewall logs would only show dropped or allowed packets at the on-premises side, but the problem is about route propagation within Google Cloud, not packet filtering. Option C is wrong because disabling and re-enabling the VPN tunnel is a disruptive, brute-force action that does not diagnose the root cause of route propagation; the tunnel and BGP session are already established. Option D is wrong because checking the tunnel status in Cloud Console only confirms the VPN tunnel is up, but the tunnel is already established and BGP is up, so this provides no insight into why routes are not being used in the VPC.

110
Multi-Select (easy)

Which THREE components are part of a typical Cloud Hybrid Networking architecture?

Select 3 answers
A.VPC
B.Cloud Router
C.Cloud Interconnect
D.Cloud CDN
E.Cloud VPN
Answers: B, C, E

Manages BGP sessions for dynamic routing between on-prem and GCP.

Why this answer

Cloud Router is a core component of Cloud Hybrid Networking because it enables dynamic route exchange between a GCP VPC and an on-premises network using BGP. It works with Cloud VPN or Cloud Interconnect to automatically learn and propagate routes, eliminating the need for static route management.

Exam trap

Google Cloud often tests the misconception that a VPC itself is a hybrid networking component, but candidates must remember that hybrid connectivity requires dedicated services like Cloud VPN, Cloud Interconnect, or Cloud Router to bridge the VPC with external networks.

111
MCQ (hard)

A financial services company is required to encrypt all data in transit between their on-premises data center and Google Cloud. They have a Dedicated Interconnect connection. They want to meet the encryption requirement while minimizing overhead and complexity. Which solution should they implement?

A.Enable MACsec on the Dedicated Interconnect
B.Enable TLS encryption on all applications
C.Use Cloud VPN over the internet instead of Dedicated Interconnect
D.Establish an IPsec VPN tunnel over the Dedicated Interconnect
Answer: A

Provides link-layer encryption with minimal overhead.

Why this answer

MACsec (IEEE 802.1AE) provides Layer 2 encryption on the Dedicated Interconnect link itself, encrypting all traffic between the on-premises router and the Google Cloud edge router without requiring any changes to applications or additional VPN gateways. This meets the encryption requirement with minimal overhead and complexity because MACsec operates transparently at the data link layer, adding negligible latency and no per-packet processing overhead compared to IPsec or TLS.

Exam trap

Google Cloud often tests the misconception that IPsec VPNs are the only way to encrypt traffic over a dedicated connection, but MACsec is the correct choice when the requirement is to minimize overhead and complexity because it operates at Layer 2 with hardware offload.

How to eliminate wrong answers

Option B is wrong because TLS encryption must be implemented per application, requiring application-level changes and configuration, which adds significant complexity and does not encrypt all data in transit (e.g., non-HTTP traffic). Option C is wrong because using Cloud VPN over the internet introduces higher latency, lower reliability, and more operational overhead than Dedicated Interconnect, and it does not leverage the existing dedicated connection. Option D is wrong because establishing an IPsec VPN tunnel over Dedicated Interconnect adds unnecessary encapsulation and encryption overhead at Layer 3, increasing complexity and reducing throughput compared to MACsec's hardware-accelerated Layer 2 encryption.

112
MCQ (easy)

What is the maximum number of VLAN attachments that can be configured on a single 10 Gbps Dedicated Interconnect connection?

A.16
B.4
C.2
D.8
Answer: D

8 VLAN attachments per 10 Gbps interconnect.

Why this answer

A single 10 Gbps Dedicated Interconnect connection supports a maximum of 8 VLAN attachments. This limit is defined by Google Cloud's interconnect architecture, where each VLAN attachment consumes a portion of the 10 Gbps bandwidth and is mapped to a unique VLAN ID. The 8-attachment cap ensures predictable performance and avoids oversubscription on the physical link.

Exam trap

The trap here is that candidates often confuse the VLAN attachment limit for Dedicated Interconnect with the higher limits of Partner Interconnect or assume the limit scales linearly with bandwidth, leading them to select 16 or 2 instead of the correct 8.

How to eliminate wrong answers

Option A is wrong because 16 VLAN attachments exceed the maximum of 8 for a 10 Gbps Dedicated Interconnect; this limit is not configurable and is enforced by Google Cloud's resource allocation model. Option B is wrong because 4 VLAN attachments is too low; while a 10 Gbps interconnect can support up to 8 attachments, 4 is not the maximum and reflects a misunderstanding of the scaling limits. Option C is wrong because 2 VLAN attachments is far below the actual limit; this misconception might arise from confusing Dedicated Interconnect with Partner Interconnect, which has different attachment limits per connection.

113
Multi-Select (medium)

A company needs to connect three VPC networks in separate projects (two in the same organization, one in a different organization) to each other for private IP communication. Which TWO GCP solutions should they consider? (Choose 2.)

Select 2 answers
A.Cloud Interconnect
B.VPC Network Peering hub-and-spoke topology
C.Shared VPC
D.VPC Network Peering
E.Cloud VPN with dynamic routing
Answers: B, D

Central VPC peers with all other VPCs, enabling transitive routing.

Why this answer

Option B is correct because a VPC Network Peering hub-and-spoke topology allows a central hub VPC to peer with multiple spoke VPCs, enabling transitive routing between spokes via the hub. This is necessary when VPCs are in different organizations, as VPC peering does not support transitive peering directly, but a hub-and-spoke design with explicit peering between each spoke and the hub can achieve private IP communication across organizations.

Exam trap

The trap here is that candidates confuse VPC Network Peering with Shared VPC, assuming Shared VPC can span organizations, but Shared VPC is strictly limited to projects within the same organization, while VPC peering can cross organizations.

114
MCQ (easy)

A company wants to connect two VPCs in the same project using VPC Network Peering. Each VPC has non-overlapping subnets. What is the minimum number of peering connections required to enable full bidirectional communication?

A.One peering connection from VPC1 to VPC2.
B.Two peering connections from each VPC to the other (total four).
C.Two peering connections: one from VPC1 to VPC2, and one from VPC2 to VPC1.
D.A Shared VPC with subnetworks from both VPCs.
Answer: C

VPC peering is unidirectional, so two connections are needed for full mesh.

Why this answer

VPC Network Peering requires a peering connection to be established in each direction to enable full bidirectional communication. A single peering connection from VPC1 to VPC2 only allows VPC1 to initiate traffic to VPC2; for VPC2 to initiate traffic back to VPC1, a separate peering connection from VPC2 to VPC1 is needed. Therefore, two peering connections (one from each VPC to the other) are the minimum required.

Exam trap

The trap here is that candidates assume a single peering connection is sufficient because they think of it as a bidirectional link, but VPC Network Peering in Google Cloud requires explicit peering in each direction for full bidirectional traffic flow.

How to eliminate wrong answers

Option A is wrong because a single peering connection from VPC1 to VPC2 is unidirectional in terms of route propagation; without a reciprocal peering from VPC2 to VPC1, VPC2 cannot initiate traffic to VPC1. Option B is wrong because it suggests four connections, which is redundant; only two connections (one in each direction) are needed for full bidirectional communication. Option D is wrong because a Shared VPC is a different architecture that centralizes subnet management, not a method for peering two existing VPCs, and it does not replace the need for peering connections.

115
MCQ (hard)

A company has a VPC with a subnet in us-central1 (10.0.0.0/16) and a Cloud VPN tunnel to an on-premises network (192.168.0.0/16). They also have a static route for 0.0.0.0/0 internet gateway. On-premises traffic to 10.0.0.0/16 is working. However, traffic from a GCE instance in the VPC to an on-premises IP 192.168.1.10 is timing out. What is the most likely cause?

A.Cloud NAT is not configured for the VPC
B.Missing a custom static route in the VPC for destination 192.168.0.0/16 with next hop VPN gateway
C.The VPN tunnel is down and BGP session is not established
D.Firewall rule does not allow inbound traffic from on-premises to the instance
Answer: B

Without this route, traffic is sent to the internet instead of the VPN.

Why this answer

Option B is correct because the VPC has a default route (0.0.0.0/0) pointing to the internet gateway, but no specific route for the on-premises network (192.168.0.0/16). Without a custom static route with next hop set to the VPN gateway, traffic from the GCE instance to 192.168.1.10 will be forwarded to the internet gateway instead of the VPN tunnel, causing a timeout.

Exam trap

The trap here is that candidates assume a working VPN tunnel automatically routes traffic in both directions, but GCP requires explicit static routes for each destination network behind the VPN, even when the tunnel itself is up.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used to enable outbound internet access for private instances, not for routing traffic to on-premises networks over a VPN; the issue here is routing, not NAT. Option C is wrong because the question states that on-premises traffic to 10.0.0.0/16 is working, which confirms the VPN tunnel and BGP session are established and functional. Option D is wrong because the problem is traffic from the GCE instance to on-premises, not inbound traffic to the instance; firewall rules for inbound traffic would not affect outbound traffic initiated by the instance.

116
MCQ (easy)

Refer to the exhibit. A network engineer is unable to SSH to instance-1 using IAP TCP forwarding. What is the most likely reason?

A.IAP TCP forwarding is not enabled for the project.
B.The instance does not have the 'ssh-iap' tag that the firewall rule applies to.
C.The instance's service account does not have the necessary IAP permissions.
D.SSH keys are not configured on the instance.
Answer: B

The firewall rule only applies to instances with tag 'ssh-iap'.

Why this answer

The exhibit shows a firewall rule that allows IAP TCP forwarding traffic from the IAP source range (35.235.240.0/20) to instances with the network tag 'ssh-iap'. Since instance-1 lacks this tag, the firewall rule does not apply, and SSH traffic from IAP is blocked. Without the tag, the instance's firewall policy drops the forwarded TCP connections, preventing SSH access.

Exam trap

Google Cloud often tests the distinction between IAM permissions (who can initiate the tunnel) and firewall rules (what traffic is allowed to reach the instance), leading candidates to incorrectly choose IAM-related options when the real issue is a missing network tag on the instance.

How to eliminate wrong answers

Option A is wrong because IAP TCP forwarding is enabled at the project level by default when IAP is activated; the exhibit does not indicate it is disabled, and the issue is specifically about the instance not matching the firewall rule's target tag. Option C is wrong because the instance's service account permissions for IAP (e.g., roles/iap.tunnelResourceAccessor) control authorization to initiate the tunnel, not the firewall rule that allows the forwarded traffic to reach the instance; the problem here is a network-level filter, not IAM. Option D is wrong because SSH keys are required for authentication once the SSH connection reaches the instance, but the failure occurs before that stage—the firewall is dropping the traffic, so SSH keys are irrelevant to the connectivity issue.

117
MCQ (medium)

Your company has a VPC with two subnets: 10.0.1.0/24 in us-central1 and 10.0.2.0/24 in us-east1. They have a Cloud VPN tunnel to the on-premises data center using dynamic routing (BGP). The Cloud Router was created in the us-central1 region with default settings. On-premises hosts can successfully communicate with instances in the 10.0.1.0/24 subnet, but cannot reach instances in the 10.0.2.0/24 subnet. All instances have appropriate firewall rules allowing traffic from on-premises. The BGP session is established and routes from on-premises are received in Cloud Router. What is the most likely reason for the issue?

A.Cloud Router by default only advertises subnets in its own region.
B.The firewall rules in us-east1 are blocking incoming traffic from on-premises.
C.The BGP session is down for the us-east1 region.
D.The VPN tunnel is only configured to route traffic for us-central1.
Answer: A

Subnets outside the router's region are not advertised unless 'Advertise all subnets' is enabled.

Why this answer

Cloud Router with default settings only advertises subnets that are in the same region as the Cloud Router itself. Since the Cloud Router was created in us-central1, it only advertises the 10.0.1.0/24 subnet to the on-premises BGP peer. The 10.0.2.0/24 subnet in us-east1 is not advertised, so on-premises hosts have no route to it, even though the BGP session is up and firewall rules are correct.

Exam trap

The trap here is that candidates assume Cloud Router automatically advertises all VPC subnets, but the default regional mode restricts advertisements to the router's own region, which is a common misconfiguration in multi-region VPN designs.

How to eliminate wrong answers

Option B is wrong because the question explicitly states that appropriate firewall rules allow traffic from on-premises, so firewall blocking is not the issue. Option C is wrong because the BGP session is established and routes from on-premises are received, indicating the session is up; Cloud Router does not have per-region BGP sessions. Option D is wrong because the VPN tunnel is a single tunnel using dynamic routing (BGP), and the tunnel itself does not filter which subnets are advertised; the Cloud Router's advertisement settings control route propagation.

118
MCQ (easy)

A developer wants to SSH into a Compute Engine instance that has no public IP. Which service should they use?

A.Direct Peering.
B.Cloud NAT.
C.Identity-Aware Proxy (IAP) TCP forwarding.
D.Cloud VPN.
Answer: C

IAP allows SSH access without a public IP.

Why this answer

Identity-Aware Proxy (IAP) TCP forwarding allows secure, authenticated, and authorized SSH access to Compute Engine instances that have no public IP addresses. It works by establishing a tunnel through the IAP service, which proxies the SSH connection over HTTPS (port 443) to the instance's internal IP, eliminating the need for a public IP or bastion host.

Exam trap

Google Cloud often tests the misconception that Cloud NAT or Cloud VPN can provide inbound SSH access to private instances, but Cloud NAT is outbound-only and Cloud VPN requires a routable private IP and does not include IAM-based authentication, making IAP TCP forwarding the only correct choice for secure, authenticated SSH without a public IP.

How to eliminate wrong answers

Option A is wrong because Direct Peering is a network connectivity option that connects your on-premises network to Google Cloud via a direct physical connection, but it does not provide a mechanism for SSH access to instances without public IPs; it still requires routing and firewall rules, not a proxy service. Option B is wrong because Cloud NAT provides outbound internet connectivity for private instances (e.g., for software updates) but does not allow inbound SSH connections; it translates private IPs to a public IP for outbound traffic only. Option D is wrong because Cloud VPN creates an encrypted tunnel between your on-premises network and VPC, but it requires the instance to have a private IP reachable via VPN and does not provide the authentication or authorization layer that IAP TCP forwarding offers for SSH access.

119
MCQ (medium)

A network engineer is designing a VPC with custom subnet mode. They need to allocate IP addresses for three tiers: web (100 instances), app (200 instances), and db (50 instances). The VPC will be in the us-central1 region. Which subnet plan is most cost-effective and scalable?

A.Use one subnet per zone: us-central1-a: 10.0.0.0/22, us-central1-b: 10.0.4.0/22, us-central1-c: 10.0.8.0/22
B.Create two subnets: 10.0.1.0/24 (web+app) and 10.0.3.0/24 (db)
C.Create one subnet 10.0.0.0/20 and use network tags to isolate tiers via firewall rules
D.Create three subnets: 10.0.1.0/24 (web), 10.0.2.0/23 (app), 10.0.4.0/26 (db)
Answer: D

Adequate sizes, separate subnets provide security and flexibility.

Why this answer

Option D is correct because it allocates IP addresses efficiently for each tier: a /24 (256 IPs) for web (100 instances), a /23 (512 IPs) for app (200 instances), and a /26 (64 IPs) for db (50 instances). This minimizes wasted IP space while providing room for growth, and using separate subnets per tier allows granular firewall rules and routing. In a custom VPC, this design is both cost-effective (no over-provisioning) and scalable (each tier can expand within its subnet).

Exam trap

Google Cloud often tests the misconception that larger subnets are always better for scalability, but the trap here is that over-provisioning IPs (e.g., /22 or /20) wastes address space and can lead to higher costs or management overhead, whereas right-sizing subnets per tier with room for growth is the most cost-effective and scalable approach.

How to eliminate wrong answers

Option A is wrong because using three /22 subnets (each with 1024 IPs) across three zones wastes significant IP address space for the given instance counts, and the question does not require zonal separation for tiers; this design is not cost-effective. Option B is wrong because combining web and app into a single /24 (256 IPs) cannot support 300 total instances (100 web + 200 app) without IP exhaustion, and the db /24 is also over-provisioned for 50 instances. Option C is wrong because a single /20 subnet (4096 IPs) is massively over-provisioned for only 350 instances, and while network tags can isolate traffic, they do not provide the subnet-level segmentation needed for scalable tier management; this design wastes IPs and is not cost-effective.

120
MCQ (easy)

A company wants to migrate a legacy application to Google Cloud that requires low-latency communication with on-premises databases. The application is latency-sensitive and must use private IP addresses only. Which hybrid connectivity solution should they choose?

A.Partner Interconnect
B.Cloud VPN
C.Carrier Peering
D.Direct Peering
Answer: A

Partner Interconnect provides dedicated, low-latency private connectivity.

Why this answer

Partner Interconnect is the correct choice because it provides a dedicated, high-bandwidth connection with low latency, supports private IP addresses, and meets the requirement for latency-sensitive communication with on-premises databases. Unlike other options, it offers a Service Level Agreement (SLA) for uptime and performance, ensuring consistent low-latency connectivity.

Exam trap

Google Cloud often tests the misconception that Cloud VPN is sufficient for low-latency requirements, but the trap here is that VPNs introduce encryption overhead and rely on the public internet, which cannot guarantee the low latency and private IP addressing needed for latency-sensitive applications.

How to eliminate wrong answers

Option B (Cloud VPN) is wrong because it uses the public internet with IPsec encryption, which introduces higher latency and jitter, making it unsuitable for latency-sensitive applications. Option C (Carrier Peering) is wrong because it provides connectivity to Google Cloud through a carrier's network but does not offer a private connection with guaranteed low latency or an SLA, and it may still traverse the public internet. Option D (Direct Peering) is wrong because it is designed for exchanging traffic between Google and a customer's network at an edge location, but it does not support private IP addresses and lacks an SLA, making it inappropriate for latency-sensitive hybrid connectivity.

121
MCQ (medium)

Refer to the exhibit. Users report that HTTP (port 80) traffic is still reaching instances in my-vpc despite the deny-all rule. What is the most likely reason?

A.The allow-ssh rule has priority 1000 and is evaluated before the deny rule.
B.A default firewall rule allowing HTTP exists with a higher priority.
C.The deny-all rule does not specify target tags.
D.The deny-all rule has priority 2000, which is higher than the allow rule.
Answer: B

The default-allow-http rule (priority 1000) allows HTTP before the deny-all (priority 2000) is evaluated.

Why this answer

In Google Cloud Platform (GCP), firewall rules are evaluated in order of priority, with lower numbers meaning higher priority. The default-allow-http rule has a priority of 1000, which is a higher priority (lower number) than the deny-all rule's priority of 2000. Therefore, HTTP traffic matches and is allowed by the default rule before the deny-all rule is ever evaluated, so HTTP traffic still reaches the instances.

Exam trap

Google Cloud often tests the misconception that higher priority numbers mean higher precedence, but in GCP firewall rules, lower priority numbers are evaluated first, so a deny rule with a higher priority number (e.g., 2000) is actually evaluated after an allow rule with a lower priority number (e.g., 1000).

How to eliminate wrong answers

Option A is wrong because priority values in GCP firewall rules are evaluated with lower numbers having higher priority, not higher numbers; the allow-ssh rule (priority 1000) is actually evaluated before the deny rule (priority 2000), but it only permits SSH traffic, not HTTP. Option C is wrong because target tags are not required for a deny-all rule to function; a deny-all rule without target tags applies to all instances in the VPC, but it is still overridden by higher-priority allow rules. Option D is wrong because priority 2000 is lower (not higher) than priority 1000; the deny-all rule has a lower priority, meaning it is evaluated after the allow rule, so HTTP traffic is allowed first.

122
MCQ (easy)

A company wants to connect two VPC networks using VPC Network Peering. What is required for this setup?

A.A Cloud VPN tunnel must be established.
B.Both VPCs must belong to the same organization.
C.The VPCs must have non-overlapping IP ranges.
D.Both VPCs must be in the same region.
Answer: C

Overlapping IP ranges cause routing conflicts.

Why this answer

VPC Network Peering requires that the IP ranges of the peered networks do not overlap, so Option C is correct. Option D is wrong because peering is not dependent on region.

Option A is wrong because Cloud VPN is a separate technology. Option B is wrong because peering can be within the same organization or across different organizations.

123
MCQ (easy)

A company wants to connect an on-premises network to Google Cloud using Cloud VPN. The on-premises network has a single subnet and no dynamic routing capabilities. The company needs a simple, low-cost solution. Which VPN configuration should they choose?

A.Classic VPN with route-based configuration
B.HA VPN with dynamic routing (BGP)
C.HA VPN with static routing
D.Classic VPN with policy-based configuration
Answer: A

Classic VPN route-based supports static routing without BGP, ideal for simple setups.

Why this answer

Classic VPN with route-based configuration is the correct choice because the on-premises network lacks dynamic routing capabilities and requires a simple, low-cost solution. Route-based VPNs use static routes and do not require BGP, making them ideal for environments without dynamic routing support. Classic VPN is the legacy, lower-cost option compared to HA VPN, and route-based configuration allows traffic to be forwarded based on routing table entries rather than policy-based selectors.

Exam trap

Google Cloud often tests the misconception that HA VPN is always superior, but the trap here is that HA VPN is unnecessary and more expensive for a simple, single-subnet network without dynamic routing, leading candidates to overlook the simpler Classic VPN option.

How to eliminate wrong answers

Option B is wrong because HA VPN with dynamic routing (BGP) requires BGP support on the on-premises side, which the company does not have, and it is more complex and costly than needed. Option C is wrong because HA VPN with static routing, while technically possible, is overkill for a simple, low-cost solution; HA VPN is designed for high availability and incurs higher costs and complexity than Classic VPN. Option D is wrong because Classic VPN with policy-based configuration requires defining traffic selectors (source/destination subnets and protocols), which adds complexity and is less flexible than route-based configuration; route-based is simpler and more suitable for a single-subnet network.

124
MCQ (medium)

A company wants to serve global static content from a Cloud Storage bucket. They need low latency worldwide and SSL termination at the edge. Which solution should they choose?

A.Use a TCP/UDP network load balancer with the bucket as backend.
B.Configure a global external HTTP(S) load balancer with a backend bucket.
C.Deploy an internal TCP/UDP load balancer with the bucket as backend.
D.Set up Cloud CDN directly on the bucket without a load balancer.
Answer: B

This provides global anycast IP, SSL termination, and integrates with Cloud CDN.

Why this answer

A global external HTTP(S) load balancer with a backend bucket is the correct choice because it provides SSL termination at the edge (using Google Front Ends) and routes traffic over Google's global network to the nearest Cloud Storage bucket, ensuring low latency worldwide. The HTTP(S) load balancer supports global anycast IP addresses and integrates natively with Cloud Storage backends, making it ideal for serving static content globally.

Exam trap

Google Cloud often tests the misconception that Cloud CDN alone can provide SSL termination at the edge, but in reality, Cloud CDN requires a load balancer (HTTP(S) or external) to terminate SSL and route traffic, as the bucket's native HTTPS endpoint does not offer edge-based SSL termination or global anycast IP.

How to eliminate wrong answers

Option A is wrong because a TCP/UDP network load balancer does not support SSL termination at the edge (it operates at Layer 4) and cannot use a Cloud Storage bucket as a backend (buckets require HTTP(S)-based backends). Option C is wrong because an internal TCP/UDP load balancer is designed for private VPC traffic within a region, not for global public content delivery, and lacks SSL termination and bucket backend support. Option D is wrong because Cloud CDN directly on a bucket without a load balancer does not provide SSL termination at the edge (SSL is handled by the bucket's default HTTPS endpoint, which is not edge-terminated) and lacks the global anycast IP and advanced routing of a global HTTP(S) load balancer.

125
MCQ (hard)

A company uses Cloud VPN tunnels to connect multiple sites to Google Cloud. They have a primary and a backup tunnel for redundancy, each with a different Cloud Router (both in the same region). BGP sessions are established on both routers. The network team notices that during a failover test, traffic fails over to the backup tunnel but then after 30 seconds, the backup tunnel traffic stops and does not recover until the primary tunnel comes back. The engineer finds that the backup Cloud Router is advertising the same routes as the primary, but the backup tunnel's BGP session shows that the routes are being withdrawn after 30 seconds. Additionally, the BGP session remains established. What is the most likely cause?

A.The backup Cloud Router is configured with a lower MED value, causing the routes to be withdrawn.
B.The backup Cloud Router's BGP session is experiencing a keepalive timeout due to incorrect timers.
C.The backup tunnel is using a static routing method instead of dynamic BGP.
D.The backup tunnel's Cloud Router is in a different region, and the routes are not propagated globally.
Answer: B

Keepalive timer mismatch can cause the on-premises router to withdraw routes while the session remains established from Google's perspective.

Why this answer

The backup Cloud Router's BGP session remains established, but routes are withdrawn after 30 seconds. This is classic behavior of a BGP keepalive or hold timer mismatch: if the backup router expects a keepalive within a shorter interval than the peer sends, the hold timer expires, causing the router to withdraw all routes learned from that peer while keeping the TCP session alive (or re-establishing it). The 30-second interval matches the default BGP hold timer (90 seconds) divided by three, suggesting a timer misconfiguration on the backup router.

Exam trap

The trap here is that candidates assume route withdrawal always indicates a BGP session failure, but Google Cloud often tests the nuance that hold timer expiration can cause route withdrawal while the TCP session remains established (or quickly re-establishes), leading to the mistaken belief that the session is stable when routes are actually being withdrawn.

How to eliminate wrong answers

Option A is wrong because a lower MED value would influence route selection (preferring the lower MED), not cause route withdrawal; MED is a metric exchanged in UPDATE messages, not a trigger for withdrawing all routes. Option C is wrong because the question explicitly states BGP sessions are established on both routers, so the backup tunnel is using dynamic BGP, not static routing; static routing would not have BGP sessions or route withdrawals. Option D is wrong because both Cloud Routers are in the same region (as stated in the scenario), and even if they were in different regions, Cloud Router routes are propagated globally by default in Google Cloud; region mismatch does not cause route withdrawal.

126
Multi-Selectmedium

Which TWO of the following are valid use cases for Cloud IDS? (Choose TWO)

Select 2 answers
A.Blocking malicious traffic at the network perimeter.
B.Inspecting traffic between an on-premises network and Google Cloud via Cloud VPN.
C.Replacing VPC firewall rules for access control.
D.Only inspecting traffic that is destined for the internet.
E.Detecting and alerting on malware spreading between VMs in the same VPC.
AnswersB, E

Cloud IDS can inspect traffic traversing VPN.

Why this answer

Cloud IDS (Intrusion Detection System) inspects mirrored VPC traffic for threats such as malware and policy violations. Option B is correct because Cloud IDS can inspect traffic that has arrived over Cloud VPN, enabling hybrid traffic inspection between on-premises and Google Cloud networks; detecting threats carried through the VPN tunnel is a key use case. Option E is correct because Cloud IDS also inspects east-west traffic between VMs in the same VPC, so it can detect and alert on malware spreading laterally between instances.

Exam trap

Google Cloud often tests the misconception that IDS can block traffic (like a firewall), but Cloud IDS is detection-only and requires separate mitigation tools like Cloud Armor or firewall rules for blocking.

127
MCQeasy

An organization uses Partner Interconnect to connect their on-premises network to Google Cloud. They are experiencing intermittent connectivity issues and suspect the partner service provider is causing the problem. Which Google Cloud tool or feature can help verify the connection status and performance from the Google Cloud side?

A.Cloud Router logs
B.Network Service Tiers
C.VPC flow logs
D.Cloud Interconnect monitoring
AnswerD

Cloud Interconnect monitoring provides metrics and alerts for interconnect attachments, including partner interconnects.

Why this answer

Cloud Interconnect monitoring provides detailed metrics and status information for Partner Interconnect connections, including VLAN attachment health, throughput, and packet loss. This tool allows you to verify connectivity and performance from the Google Cloud side, helping isolate issues that may originate from the partner service provider.

Exam trap

The trap here is that candidates confuse Cloud Router logs (which show BGP routing events) with the ability to monitor the underlying interconnect link status, but Cloud Interconnect monitoring is the correct tool for verifying physical/virtual circuit health and performance from Google's perspective.

How to eliminate wrong answers

Option A is wrong because Cloud Router logs capture BGP routing events and route advertisements, not the underlying physical or virtual circuit health or performance metrics of the interconnect. Option B is wrong because Network Service Tiers control the quality of service for internet egress traffic (Premium vs. Standard), not the monitoring or troubleshooting of dedicated interconnect links.

Option C is wrong because VPC flow logs record metadata about network flows within a VPC (e.g., source/destination IPs, ports, protocols), but they do not provide status or performance data for the interconnect connection itself.

128
MCQeasy

A company uses a VPC with two subnets: subnet-a (10.0.1.0/24) with VMs tagged 'web', and subnet-b (10.0.2.0/24) with VMs tagged 'db'. They have a Cloud VPN tunnel to an on-premises network (172.16.0.0/16). The VPN tunnel is up and BGP is exchanging routes. A custom route for 172.16.0.0/16 with next hop VPN gateway exists, but it has a tag 'web', meaning it applies only to VMs with the 'web' tag. VMs in subnet-a can reach on-premises, but VMs in subnet-b cannot. Which step should be taken to allow subnet-b VMs to reach on-premises?

A.Create a new route for 172.16.0.0/16 with priority 1000 and no tag.
B.Add the 'db' tag to the custom route.
C.Remove the tag from the existing route.
D.Add a firewall rule to allow egress traffic from subnet-b.
AnswerB

Adding the tag will make the route applicable to VMs in subnet-b, allowing them to reach on-premises.

Why this answer

The custom route for 172.16.0.0/16 is tagged with 'web', so it only applies to VMs that have the 'web' tag. Subnet-b VMs are tagged 'db', so they do not match the route and cannot reach on-premises. Adding the 'db' tag to the route makes it apply to both tagged groups, enabling connectivity for subnet-b VMs without affecting existing traffic.

Exam trap

Google Cloud often tests the misconception that firewall rules are the cause of connectivity issues when the real problem is route scope or tag-based route applicability, leading candidates to incorrectly choose a firewall-related option like D.

How to eliminate wrong answers

Option A is wrong because a new untagged route for 172.16.0.0/16 at priority 1000 would apply to all VMs and would technically work, but it duplicates the existing route (also priority 1000 by default) and adds an unnecessary second route that could cause confusion; the intended fix is to correct the scope of the existing tagged route by adding the 'db' tag. Option C is wrong because removing the tag from the existing route would make it apply to all VMs, including 'db' VMs, but it would also remove the intended restriction for 'web' VMs, potentially breaking security or routing policy. Option D is wrong because the problem is a routing issue, not a firewall issue; egress firewall rules control packet filtering, not route selection, and subnet-b VMs already have implicit egress allowed unless explicitly blocked.

129
Multi-Selectmedium

A company is setting up a VPC with private Google Access enabled for on-premises connectivity via Cloud VPN. Which TWO of the following are required for on-premises hosts to access Google APIs (e.g., Cloud Storage) using private IP addresses?

Select 2 answers
A.Cloud DNS forwarding zone to forward requests to Google APIs' public DNS.
B.Private Google Access enabled on the subnet where the VPN gateway resides.
C.Firewall rule allowing ingress from on-premises to 0.0.0.0/0.
D.Cloud NAT configured in the VPC.
E.A custom route in the VPC that sends traffic to 199.36.153.4/30 and 199.36.153.8/30 to the VPN tunnel.
AnswersB, E

This allows on-premises traffic to reach Google APIs via the VPN.

Why this answer

Private Google Access enables on-premises hosts to reach Google APIs using private IP addresses when connected via Cloud VPN. It must be enabled on the subnet where the VPN gateway resides so that the VPC routes traffic from the VPN tunnel to Google's private API endpoints. This allows the on-premises hosts to use their private IPs without needing public IPs or internet access.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for private access, but Private Google Access and custom routes to the 199.36.153.4/30 and 199.36.153.8/30 ranges are the correct components for on-premises private API access via Cloud VPN.

130
MCQhard

Your company runs a multi-tier web application on Google Cloud. The frontend is in us-central1 (3 instances behind an external HTTP(S) Load Balancer), the backend is in us-west1 (3 instances behind an internal TCP/UDP Load Balancer). The frontend instances are in a managed instance group (MIG) with autoscaling based on CPU utilization. Recently, you noticed that during traffic spikes, the frontend instances' CPU utilization remains low, but the backend instances' CPU utilization spikes to 90% and causes timeouts. The application uses a synchronous REST API; the frontend instances make requests to the internal load balancer's IP. What should you do to resolve the backend scaling issue?

A.Create a backend service with the backend MIG and attach it to the internal TCP/UDP load balancer, enabling connection draining.
B.Configure the internal TCP/UDP load balancer with a health check that monitors CPU utilization and adjust the autoscaling metric of the backend MIG accordingly.
C.Replace the internal TCP/UDP load balancer with an internal HTTP(S) load balancer and configure the backend MIG to autoscale based on the load balancing serving capacity or request count.
D.Enable Cloud Armor on the external load balancer to rate-limit requests and prevent backend overload.
AnswerC

Internal HTTP(S) load balancer supports autoscaling based on request rate, allowing the backend to scale with traffic.

Why this answer

Option C is correct because the internal TCP/UDP load balancer cannot provide request-level metrics (like requests per second) for autoscaling, as it operates at layer 4. Replacing it with an internal HTTP(S) load balancer (layer 7) allows the backend MIG to autoscale based on the load balancing serving capacity or request count, which directly correlates with the frontend's synchronous REST API calls. This resolves the backend CPU spike issue by scaling the backend instances before they become overloaded, rather than relying on CPU utilization which lags behind traffic spikes.

Exam trap

The trap here is that candidates assume CPU-based autoscaling is sufficient for all tiers, but Google Cloud tests the nuance that synchronous REST APIs require layer-7 load balancing to expose request-level metrics for proactive autoscaling, while layer-4 load balancers only provide connection-level metrics that lag behind traffic spikes.

How to eliminate wrong answers

Option A is wrong because connection draining only gracefully terminates existing connections during instance removal; it does not address the root cause of backend scaling during traffic spikes. Option B is wrong because the internal TCP/UDP load balancer's health check cannot monitor CPU utilization—health checks only verify instance responsiveness (e.g., TCP port check), and autoscaling metrics must be configured on the MIG itself, not on the load balancer. Option D is wrong because Cloud Armor rate-limiting on the external load balancer would throttle requests before they reach the frontend, but the issue is backend scaling; rate-limiting does not enable the backend to scale dynamically and could cause legitimate traffic to be dropped.

131
MCQmedium

A company uses Dedicated Interconnect to connect their on-premises data center to Google Cloud. They have enabled Private Google Access on the VPC subnet to allow on-premises hosts to access Google APIs via private IPs over the interconnect. Performance tests show that throughput to Google APIs is lower than expected, and the interconnect link utilization is below 30%. What should they do to improve throughput?

A.Reduce the MTU on the interconnect to reduce packet loss.
B.Add another Dedicated Interconnect attachment.
C.Create a Private Service Connect endpoint for Google APIs with multiple IP addresses.
D.Enable Cloud NAT to provide multiple public IPs.
AnswerC

This provides multiple IPs, avoiding per-IP limits and improving throughput.

Why this answer

Private Google Access (PGA) uses the default Internet Gateway to route traffic to Google APIs, which can lead to throughput limitations due to source NAT and flow hashing constraints. Creating a Private Service Connect (PSC) endpoint for Google APIs with multiple IP addresses allows traffic to be load-balanced across multiple endpoints, improving throughput by enabling ECMP (Equal-Cost Multi-Path) routing over the Dedicated Interconnect, thus better utilizing the available bandwidth.

Exam trap

The trap here is that candidates assume low interconnect utilization means the link is underutilized and needs more capacity (Option B), when the real issue is a lack of multipathing to the destination, which is solved by creating multiple endpoints via Private Service Connect.

How to eliminate wrong answers

Option A is wrong because reducing the MTU on the interconnect would increase overhead and potentially cause fragmentation, not improve throughput; packet loss is not indicated by low utilization. Option B is wrong because adding another interconnect attachment does not address the bottleneck at the Google API access layer; the issue is not link capacity but how traffic is routed and load-balanced to Google APIs. Option D is wrong because Cloud NAT provides outbound connectivity to the internet, not to Google APIs via private IPs, and would not improve throughput over the existing Private Google Access configuration.

132
MCQhard

Refer to the exhibit. What is the purpose of the IP address 169.254.0.1 assigned to the Cloud Router interface?

A.It is the public IP address of the VPN gateway.
B.It is a private IP address for BGP peering with the on-premises router.
C.It is the management IP address of the Cloud Router.
D.It is a link-local IP address used for BGP sessions between the Cloud Router and the VPN gateway.
AnswerD

BGP uses link-local addresses (169.254.x.x) for peering.

Why this answer

The IP address 169.254.0.1 falls within the 169.254.0.0/16 range, which is reserved for link-local addressing (RFC 3927). In Google Cloud, Cloud Routers use link-local addresses for BGP sessions with VPN gateways (both HA VPN and Classic VPN). This address is not routable and is used exclusively for BGP peering between the Cloud Router and the VPN gateway, ensuring that the BGP session operates over the VPN tunnel without conflicting with other IP assignments.

Exam trap

Google Cloud often tests the distinction between link-local, private, and public IP addresses, and the trap here is that candidates see 'BGP peering' and assume a private IP is used, failing to recognize that GCP specifically uses link-local addresses from the 169.254.0.0/16 range for BGP sessions with VPN gateways.

How to eliminate wrong answers

Option A is wrong because 169.254.0.1 is not a public IP address; public IPs are globally routable and assigned by an ISP or cloud provider, whereas link-local addresses are non-routable and used only on a single link. Option B is wrong because 169.254.0.1 is not a private IP address (private ranges are 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); it is a link-local address, and while it is used for BGP peering, calling it 'private' is technically incorrect and misleading. Option C is wrong because the management IP address of a Cloud Router is not 169.254.0.1; Cloud Routers are managed via the Google Cloud API and console, and their management plane does not use link-local addressing.

133
Multi-Selecteasy

Which TWO actions should you take to configure Private Google Access for on-premises hosts connected via Cloud Interconnect?

Select 2 answers
A.Configure Cloud NAT for the on-premises network.
B.Configure DNS forwarding to 8.8.8.8.
C.Advertise the reserved IP ranges (199.36.153.4/30, 199.36.153.8/30) to the on-premises router via BGP.
D.Create a Private Service Connect endpoint in the VPC.
E.Enable Private Google Access on the VPC subnet that has the interconnect attachment.
AnswersC, E

These ranges are used for Private Google Access for on-premises.

Why this answer

Option E is correct because Private Google Access must be enabled on the VPC subnet that has the interconnect attachment. Option C is correct because the custom route advertisement on the Cloud Router must include the 199.36.153.4/30 and 199.36.153.8/30 ranges used for restricted.googleapis.com, so that the on-premises router learns them via BGP. Option A is wrong because Cloud NAT is for VMs without external IPs. Option D is wrong because Private Service Connect is for managed services, not for general Private Google Access.

Option B is wrong because DNS resolution is handled as part of Private Google Access; forwarding to 8.8.8.8 is not required.

134
MCQhard

A multinational corporation is connecting five on-premises data centers to Google Cloud using Cloud Interconnect. Each data center has a dedicated 10 Gbps connection. They want to ensure that if one Interconnect fails, traffic is automatically redistributed across the remaining connections without manual intervention. Which solution meets this requirement?

A.Configure multiple VLAN attachments on a single Cloud Router and rely on link aggregation
B.Deploy Cloud VPN tunnels as backup and configure static routes with lower priority
C.Configure VPC Network Peering between all data centers and Google Cloud
D.Use a Cloud Router with BGP and establish multiple BGP sessions over each Interconnect
AnswerD

BGP with ECMP allows automatic failover across multiple Interconnects.

Why this answer

Option D is correct because Cloud Router with BGP enables dynamic routing, allowing multiple BGP sessions over each Cloud Interconnect. When one interconnect fails, BGP withdraws the affected routes, and traffic is automatically redistributed across the remaining BGP sessions without manual intervention. This meets the requirement for automatic failover and load balancing across the five 10 Gbps connections.

Exam trap

Google Cloud often tests the misconception that static routes or VPN tunnels can provide seamless automatic failover for high-bandwidth interconnects, but the correct approach requires dynamic BGP routing to react to link failures without manual intervention.

How to eliminate wrong answers

Option A is wrong because VLAN attachments on a single Cloud Router do not provide automatic failover; link aggregation (LAG) bundles multiple connections into a single logical link but does not redistribute traffic if one physical link fails—it only provides increased bandwidth and redundancy within the bundle, not across separate interconnects. Option B is wrong because Cloud VPN tunnels as backup with static routes require manual intervention or additional automation to fail over; static routes with lower priority do not dynamically react to interconnect failures, and VPN tunnels typically have lower bandwidth (e.g., 3 Gbps per tunnel) compared to 10 Gbps interconnects, making them unsuitable for seamless redistribution. Option C is wrong because VPC Network Peering is used for connecting VPC networks within Google Cloud, not for connecting on-premises data centers to Google Cloud; it does not support Cloud Interconnect or BGP-based dynamic routing for hybrid connectivity.

135
MCQhard

A company uses Cloud Armor with WAF rules to protect an HTTPS load balancer. They notice that legitimate traffic from certain IPs is being blocked. How should they troubleshoot?

A.Check firewall rule logs.
B.Enable Packet Mirroring.
C.Review Cloud Armor security policy logs.
D.Use VPC Flow Logs.
AnswerC

Cloud Armor logs show exactly which rules matched and blocked traffic.

Why this answer

Option C is correct because Cloud Armor security policy logs record the actions taken by WAF rules, including which requests were blocked and why. By reviewing these logs, you can identify the specific rule that is blocking legitimate traffic and adjust its configuration, such as modifying IP allowlists or threshold values.

Exam trap

Google Cloud often tests the distinction between different logging mechanisms (firewall logs, flow logs, WAF logs) to see if candidates understand which logs capture application-layer security policy decisions versus network-layer traffic metadata.

How to eliminate wrong answers

Option A is wrong because firewall rule logs apply to VPC firewall rules, which operate at the network layer (L3/L4) and are not involved in Cloud Armor WAF decisions at the application layer (L7). Option B is wrong because Packet Mirroring copies traffic for analysis but does not provide logs of WAF rule evaluations; it is used for network monitoring and troubleshooting, not for reviewing security policy actions. Option D is wrong because VPC Flow Logs capture metadata about IP traffic flows (e.g., source/destination, ports, protocols) but do not include information about Cloud Armor WAF rule matches or blocking decisions.

136
Multi-Selecteasy

Which TWO of the following are valid methods to restrict access to a Compute Engine VM that has no external IP?

Select 2 answers
A.Using a NAT gateway to allow SSH from the internet.
B.Configuring a SOCKS proxy on a bastion host.
C.A Cloud VPN tunnel from an on-premises network.
D.Assigning an external IP and using firewall rules.
E.Identity-Aware Proxy (IAP) TCP forwarding.
AnswersC, E

VPN provides private connectivity from on-premises.

Why this answer

Option C is correct because a Cloud VPN tunnel creates an encrypted, RFC-compliant IPsec tunnel between an on-premises network and a VPC, allowing on-premises hosts to reach the VM over its internal IP without requiring an external IP on the VM. Option E is correct because Identity-Aware Proxy (IAP) TCP forwarding uses the IAP service as a proxy to establish an SSH or RDP connection to a VM that has no external IP, by tunneling traffic through the IAP service using the `gcloud compute start-iap-tunnel` command.

Exam trap

Google Cloud often tests the misconception that a NAT gateway or a bastion host with a SOCKS proxy can provide inbound access to a private VM. In fact, NAT gateways only support outbound traffic, and a SOCKS proxy requires the bastion itself to have an external IP and to be able to reach the VM, which does not satisfy the 'no external IP' constraint for the target VM.

137
MCQhard

A large organization uses Shared VPC with multiple service projects. They have an on-premises network connected via Cloud Interconnect. They want the on-premises network to be able to reach instances in all service projects. What is the recommended configuration?

A.Configure Cloud NAT in each service project for on-prem access.
B.Use VPC peering between the host project and each service project.
C.Configure Cloud Router in the host project to advertise all subnets via BGP.
D.Create separate Interconnect VLAN attachments for each service project.
AnswerC

Cloud Router in the host project automatically includes subnets from all service projects in the Shared VPC.

Why this answer

Option C is correct because in a Shared VPC architecture, the host project owns the VPC network and subnets, and Cloud Router with BGP is used to advertise the subnets from the host project to the on-premises network over Cloud Interconnect. This allows the on-premises network to reach instances in all service projects, as those instances reside in the host project's subnets. Cloud Router dynamically advertises the host project's VPC subnets via BGP, enabling seamless Layer 3 connectivity without additional per-service-project configurations.

Exam trap

Google Cloud often tests the misconception that each service project needs its own interconnect or NAT configuration, but the key is that Shared VPC centralizes networking in the host project, so a single Cloud Router with BGP advertisement in the host project provides connectivity to all service project instances.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet access for private instances, not inbound connectivity from on-premises networks; it does not establish routing between on-premises and VPC subnets. Option B is wrong because VPC peering is used for connectivity between separate VPC networks, but in Shared VPC, service projects do not have their own VPCs—they use the host project's VPC, so peering is unnecessary and would not provide the required routing. Option D is wrong because creating separate Interconnect VLAN attachments for each service project is unnecessary and does not solve the routing issue; the on-premises network needs a single BGP session to learn all subnets from the host project's VPC, not separate attachments per project.

138
MCQmedium

A company is planning to migrate their on-premises application to Google Cloud. The application requires consistent high bandwidth and low latency to on-premises databases. They have a Dedicated Interconnect connection with a 10 Gbps link. To improve availability, they decide to add a second Interconnect connection. Which of the following is a best practice for configuring BGP sessions?

A.Configure two BGP sessions with the same ASN and MED values
B.Configure two BGP sessions, each on a separate connection, with different ASNs and MED values to influence path selection
C.Enable ECMP across the two connections with a single BGP session
D.Use a single BGP session across both connections
AnswerB

Separate sessions with different ASNs and MED values allow for load balancing and failover.

Why this answer

Option B is correct because using different ASNs on each BGP session allows the on-premises router to treat the two Dedicated Interconnect connections as separate routing peers, enabling path selection control via MED values. This ensures that if one connection fails, traffic can be rerouted through the other, improving availability without relying on ECMP or a single session, which would not provide the desired redundancy and traffic engineering.

Exam trap

Google Cloud often tests the misconception that a single BGP session can be used across multiple physical connections, but in Google Cloud, each Dedicated Interconnect link requires its own BGP session, and using different ASNs is a best practice for path selection and redundancy.

How to eliminate wrong answers

Option A is wrong because using the same ASN and MED values on both BGP sessions would cause the on-premises router to see them as equal-cost paths, potentially leading to suboptimal load balancing or failover behavior without the ability to influence path selection. Option C is wrong because ECMP across two connections with a single BGP session is not supported; each Dedicated Interconnect connection requires its own BGP session, and ECMP would require multiple sessions with equal route metrics. Option D is wrong because a single BGP session across both connections is not possible; BGP sessions are established per VLAN attachment or per connection, and a single session cannot span multiple physical links.

139
Multi-Selectmedium

Which three of the following are best practices for designing a highly available Dedicated Interconnect connection to Google Cloud? (Choose three.)

Select 3 answers
A.Use a single Cloud Router for both interconnect attachments.
B.Ensure that the on-premises routers are in different failure zones.
C.Configure both connections to use the same BGP session.
D.Use VLAN attachments in different regions to provide geographic redundancy.
E.Deploy two physical connections to different Google edge availability domains.
AnswersB, D, E

Diverse on-premises routers prevent single point of failure.

Why this answer

Option B is correct because deploying on-premises routers in different failure zones ensures that a single zone failure does not disrupt both BGP sessions. This aligns with Google Cloud's recommendation to use diverse failure domains for on-premises equipment to maintain high availability for Dedicated Interconnect.

Exam trap

The trap here is that candidates often assume a single Cloud Router or a single BGP session simplifies management, but this creates a single point of failure that violates high-availability design principles.

140
Multi-Selectmedium

Which TWO network services are required to enable private Google access for on-premises hosts using a Dedicated Interconnect connection? (Choose two.)

Select 2 answers
A.Cloud Router with BGP
B.Cloud NAT
C.VPC Flow Logs
D.Private Service Access (PSA) / Private Google Access for on-premises
E.Cloud VPN
AnswersA, D

Cloud Router is needed to exchange routes and enable private access.

Why this answer

Cloud Router with BGP is required because Dedicated Interconnect uses BGP sessions between the on-premises router and Google's edge router to exchange routes. Without BGP, the on-premises network cannot advertise or receive the routes necessary for private Google access, such as the 199.36.153.4/30 or 199.36.153.8/30 ranges used for Private Google Access for on-premises.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is needed for private access, but the trap here is that Cloud NAT is for outbound internet from VMs, while Private Google Access for on-premises uses BGP-advertised IP ranges and does not involve NAT.

141
MCQeasy

Refer to the exhibit. A user within the perimeter project '111111111111' tries to access BigQuery from a VM that has an external IP address. The request is denied. What is the most likely reason?

A.The VPC Accessible Services restriction requires that the request originate from an internal IP address or through VPC-controlled access.
B.BigQuery is not listed in the restricted services, so it is blocked.
C.The user does not meet the access level conditions defined in 'trusted_ips'.
D.The VM's project is not in the resources list.
AnswerA

With vpcAccessibleServices enabled, requests from external IPs are blocked unless allowed.

Why this answer

The VPC Accessible Services restriction, when enabled, forces all traffic to Google APIs to use internal IP addresses or VPC-controlled access (such as Private Google Access or Private Service Connect). Since the VM has an external IP address and the request is denied, the most likely reason is that this restriction is in place, requiring the request to originate from an internal IP or through a VPC endpoint, not from a public external IP.

Exam trap

Google Cloud often tests the distinction between network-level restrictions (VPC Accessible Services) and identity/access-level conditions (Access Context Manager), causing candidates to confuse the 'trusted_ips' condition with IP-based network restrictions.

How to eliminate wrong answers

Option B is wrong because BigQuery is a service supported by VPC Accessible Services and is not blocked by default; the restriction applies only to the services named in the 'restricted services' list, and BigQuery remains allowed unless it is explicitly restricted. Option C is wrong because the 'trusted_ips' access level condition applies to Identity-Aware Proxy (IAP) or Access Context Manager policies, not to VPC Accessible Services; the question describes a network-level restriction, not an identity or access level condition. Option D is wrong because the VM's project being in the resources list is irrelevant to VPC Accessible Services; the restriction applies to all projects in the perimeter unless the VM uses an internal IP or VPC-controlled access.

142
Multi-Selecteasy

A company is troubleshooting connectivity issues between their on-premises network and Google Cloud over a Dedicated Interconnect. They can ping the VLAN attachment IP but cannot reach Compute Engine instances. Which TWO checks should they perform?

Select 2 answers
A.Verify that the on-premises network has IAM permissions to access instances
B.Confirm that the subnet routes for the instance IP ranges are present in the VPC
C.Verify that VPC firewall rules allow traffic from the on-premises subnets
D.Ensure that the VLAN attachment IP is in the same subnet as the instances
E.Check that BGP sessions are established between Cloud Router and on-premises router
AnswersB, C

Routes must exist for return traffic.

Why this answer

Option B is correct because for on-premises traffic to reach Compute Engine instances over Dedicated Interconnect, the VPC must have a subnet route (either automatically created or a custom static/dynamic route) that matches the instance IP ranges. Without this route, packets from the on-premises network will be dropped by the VPC router, even if the VLAN attachment is reachable. Option C is correct because VPC firewall rules deny ingress by default, so an ingress rule must explicitly allow traffic from the on-premises source ranges; otherwise packets are routed to the instance but dropped before delivery.

Exam trap

Google Cloud often tests the misconception that pinging the VLAN attachment IP confirms end-to-end connectivity to instances, but in reality it only confirms BGP session health and Layer 3 reachability to the Cloud Router interface, not the VPC routing or firewall rules required for instance access.

143
MCQ · medium

A company has set up a Cloud VPN with dynamic routing (BGP) between their on-premises network (AS 65001) and Google Cloud (AS 64514). They are using Cloud Router with a regional dynamic routing mode. The on-premises router is advertising a subnet 10.1.0.0/16. The Google Cloud VPC has subnet 10.2.0.0/16 in the same region as the Cloud Router. Both subnets are unique. The connection has been working for months. However, after a recent maintenance window, the on-premises router started experiencing BGP flapping with the Cloud Router. The Cloud Router logs show 'BGP notification sent: Hold timer expired'. The on-premises router logs show similar errors. The network team has verified that the VPN tunnel is established and stable. What is the most likely cause of the BGP flapping?

A. The VPN tunnel's MTU is set to 1500 bytes, but BGP packets are larger and are being fragmented.
B. The Cloud Router's BGP keepalive interval is set to 30 seconds, while the on-premises router is using 10 seconds.
C. The on-premises router's BGP hold timer is set to 30 seconds, but the Cloud Router's hold timer is set to 180 seconds.
D. The on-premises router is advertising too many routes, causing the Cloud Router to run out of memory.
Answer: C

If the remote side sends keepalives less frequently than the local hold timer, the session drops.

Why this answer

The BGP hold timer defines the maximum time a router waits to receive a keepalive or update message from a peer before declaring the session dead. When the on-premises router uses a hold timer of 30 seconds and the Cloud Router uses 180 seconds, the on-premises router expects keepalives every 10 seconds (one-third of hold time). If the Cloud Router sends keepalives at its own negotiated interval (e.g., 60 seconds based on its hold timer), the on-premises router will not receive them within its 30-second window, causing it to send a 'Hold timer expired' notification and flap the BGP session.

The VPN tunnel remains stable because the issue is at the BGP session layer, not the underlying tunnel.

Exam trap

Google Cloud often tests the misconception that BGP flapping is always caused by VPN tunnel instability, but here the tunnel is stable and the issue is specifically a BGP hold timer mismatch, which is a common misconfiguration when connecting to cloud providers with fixed BGP timers.

How to eliminate wrong answers

Option A is wrong because BGP packets are typically small (keepalives are 19 bytes, updates rarely exceed 1500 bytes) and fragmentation is handled by IP, not a common cause of hold timer expiry. Option B is wrong because BGP keepalive intervals are derived from the negotiated hold timer (one-third of hold time), not independently configured; mismatched keepalive intervals would be overridden by the hold timer negotiation. Option D is wrong because advertising too many routes would cause memory or CPU issues, not a 'Hold timer expired' error; the Cloud Router would log route limit or memory errors instead.

144
MCQ · medium

A company uses Cloud Armor to protect an HTTPS Load Balancer. They notice that legitimate traffic from a specific geographic region is being blocked. The security policy has a deny rule for that region. What is the correct way to allow traffic from that region while still protecting against attacks?

A. Remove the deny rule for that region and rely on other security measures
B. Add a new allow rule for that region with a lower priority number than the deny rule
C. Remove all rules and add a single allow rule for the legitimate region
D. Reorder the rules so that the deny rule is at the bottom of the list
Answer: B

Lower priority number means higher precedence, so the allow rule will be evaluated first.

Why this answer

Cloud Armor security rules are evaluated in order of priority, where a lower priority number means higher precedence. To allow traffic from a specific region that is currently blocked by a deny rule, you must add an allow rule with a lower priority number (e.g., 100) than the deny rule (e.g., 1000). This ensures the allow rule is evaluated first, permitting the legitimate traffic before the deny rule can block it, while the deny rule still protects against attacks from other regions.

Exam trap

Google Cloud often tests the misconception that reordering rules in the list (like moving the deny rule to the bottom) changes evaluation order, but Cloud Armor strictly uses priority numbers, not list order, to determine which rule is evaluated first.

How to eliminate wrong answers

Option A is wrong because simply removing the deny rule for that region would leave the region unprotected against attacks, as there would be no rule to block malicious traffic from that region. Option C is wrong because removing all rules and adding a single allow rule for the legitimate region would remove all other security protections, leaving the load balancer vulnerable to attacks from other regions and sources. Option D is wrong because reordering rules so that the deny rule is at the bottom does not change the evaluation order; Cloud Armor uses priority numbers, not list order, and the deny rule would still block the traffic if its priority is higher (lower number) than any allow rule for that region.

145
MCQ · hard

A company is designing a multi-region architecture with Active/Active failover across two regions using Cloud VPN. They want to ensure that traffic from on-premises to a global external HTTPS load balancer is routed to the nearest region based on latency. What should they configure on the on-premises side?

A. Local preference on the on-premises router.
B. Multi-Exit Discriminator (MED) on the Google Cloud side.
C. Static routes pointing to the VPC subnet in each region.
D. BGP AS Path prepending to make one path appear longer.
Answer: D

AS Path prepending influences outbound route selection by making one path appear longer so that the path with the shorter AS path is preferred. Latency-based routing may need other mechanisms, such as IGP metrics or BGP communities; among the options given, however, AS Path prepending is the common technique for influencing route selection.

Why this answer

To direct traffic to the nearest region based on latency, on-premises routers should use BGP with AS Path prepending to influence path selection. Option D is correct. Option A is wrong because static routes don't consider latency.

Option B is wrong because MED is used for inbound traffic, not outbound. Option C is wrong because local preference influences outbound traffic from on-premises but is not the primary method for latency-based routing.

146
MCQ · easy

A small company has a single VPC with one subnet in us-central1 (10.0.1.0/24). They have a Compute Engine instance that needs to be reachable from the internet via HTTP (port 80) and HTTPS (port 443). The instance has an external IP address (ephemeral). They have created firewall rules allowing ingress on TCP 80 and 443 from 0.0.0.0/0, with target tags 'web-server'. The instance has been assigned the tag 'web-server'. However, external users report that they cannot access the instance's public IP on either port. The instance's OS firewall (iptables) is default allow. What is the most likely cause?

A. The instance's external IP is ephemeral and may have changed, so users should use the new IP or reserve a static IP.
B. The instance's OS firewall is blocking the traffic; check iptables.
C. The VPC needs a custom route for the internet gateway.
D. The firewall rules must be applied to the subnet, not the instance tag.
Answer: A

Ephemeral IPs can change, causing connectivity issues; a static IP is recommended.

Why this answer

The instance likely has an ephemeral external IP that changed after a stop/start, or the firewall rules are not properly applied. Since the instance carries the tag, the rule should work. A common mistake is not having a default route (0.0.0.0/0) in the VPC so that internet traffic can reach the instance.

However, the VPC automatically has a default route that sends traffic to the internet gateway, so that should be fine. Another possibility is that the instance's OS firewall (iptables) is blocking the traffic. The most likely cause is that the external IP is ephemeral and may have changed, and users are still using the old IP.

Option B is correct: The external IP might have changed after a restart.

147
Multi-Select · medium

Which TWO of the following are required when setting up an internal TCP/UDP load balancer (ILB) in a shared VPC environment?

Select 2 answers
A. A health check must be configured for the backend service.
B. A firewall rule must allow traffic from the proxy-only subnet.
C. The forwarding rule's IP address must be from the host project's subnet.
D. The load balancer forwarding rule must be in the same region as the backend instances.
E. Global routing must be enabled in the VPC.
Answers: A, D

Health checks are required to determine instance health.

Why this answer

Correct answers: A (The load balancer must be in the same region as the backend instances) and C (The backend service must reference a health check). Option B is wrong because ILB does not require an internal IP address from the host project; it can use an IP from the service project's subnet. Option D is wrong because ILB does not require global routing; it works within a region.

Option E is wrong because the firewall rule for health checks must allow traffic from the health check ranges, not from the proxy subnet (ILB does not use proxy subnets like in HTTP LB).

148
Multi-Select · easy

Which TWO of the following are valid reasons to use a Shared VPC architecture?

Select 2 answers
A. To reduce latency by placing resources in the same region within a single VPC
B. To improve network connectivity between different organizational units without using VPN or peering
C. To prevent individual projects from creating their own VPCs and force them to use a common VPC
D. To allow a central network team to manage VPC resources while allowing application teams to deploy resources in separate projects
E. To reduce egress costs by having all resources in one VPC
Answers: C, D

Controls VPC creation via IAM.

Why this answer

Option C is correct because a Shared VPC architecture allows an organization to enforce that individual projects cannot create their own VPCs; instead, they must use a common VPC that is centrally managed. This is achieved by designating a host project that contains the shared VPC network, and attaching service projects to it, which prevents the service projects from having their own independent VPC networks.

Exam trap

Google Cloud often tests the misconception that Shared VPC reduces latency or egress costs, when in fact its primary benefits are centralized network management and policy enforcement, not performance or cost optimization.

149
MCQ · medium

A company has deployed Dedicated Interconnect with a 10 Gbps connection. They are experiencing packet loss when transferring large files. The on-premises MTU is set to 1500. What is the maximum MTU that can be set on the Cloud Router interface to avoid fragmentation?

A. 1460 bytes
B. 1500 bytes
C. 1400 bytes
D. 8896 bytes
Answer: B

Must match the on-premises MTU to avoid fragmentation.

Why this answer

Dedicated Interconnect uses VLAN attachments that encapsulate packets with an additional 4-byte 802.1Q VLAN tag and a 4-byte outer Ethernet header. With an on-premises MTU of 1500 bytes, the maximum payload that can traverse the interconnect without fragmentation is 1500 bytes, because the interconnect path supports jumbo frames up to 1440 bytes for the payload after overhead, but the Cloud Router interface MTU must match the on-premises MTU to avoid fragmentation. Setting the Cloud Router MTU to 1500 bytes ensures that packets are not fragmented at the router, as the interconnect handles the encapsulation overhead transparently.

Exam trap

Google Cloud often tests the misconception that the Cloud Router MTU must be reduced to account for VLAN encapsulation overhead, but in Google Cloud Dedicated Interconnect, the Cloud Router MTU should match the on-premises MTU because the interconnect handles the additional headers transparently.

How to eliminate wrong answers

Option A is wrong because 1460 bytes assumes an additional 40-byte overhead (e.g., IPsec or GRE tunnel), but Dedicated Interconnect does not add such overhead; the VLAN tag is only 4 bytes and is handled by the interconnect, not the Cloud Router MTU. Option C is wrong because 1400 bytes is an arbitrary low value that would cause unnecessary fragmentation and performance degradation, as the actual path supports 1500-byte packets without issue. Option D is wrong because 8896 bytes is the maximum MTU for Google Cloud's jumbo frame support, but the on-premises MTU is 1500, so setting the Cloud Router MTU higher would cause fragmentation when packets exceed the on-premises limit.

150
Multi-Select · hard

Which THREE considerations are important when designing a Cloud CDN configuration for a global web application that serves both static and dynamic content?

Select 3 answers
A. Enable negative caching for 404 responses to prevent unnecessary backend hits.
B. Configure the cache key to ignore query parameters that are session-specific to improve cache hit ratio.
C. Set different cache modes: FORCE_CACHE_ALL for static content and USE_ORIGIN_HEADERS for dynamic content.
D. Enable origin shield to reduce the number of requests to the origin server.
E. Use signed URLs for all content to ensure only authenticated users can access it.
Answers: B, C, D

Ignoring session parameters allows multiple users to share cache.

Why this answer

Correct answers: A (Cache keys should exclude session-specific parameters), C (Use separate cache modes for static vs dynamic content), and E (Enable origin shield to reduce load on the backend). Option B is wrong because signed URLs are for content protection, not caching. Option D is wrong because negative caching is not recommended for dynamic content.
