Google Professional Cloud Network Engineer (PCNE) — Questions 151–225

497 questions total · 7 pages · All types, answers revealed


Page 3 of 7

151 · MCQ · medium

An organization has a Shared VPC with several service projects. They want to restrict which service projects can create firewall rules in the host project. What should they do?

A. Use IAM roles with compute.firewalls.create permission at the host project level.
B. Use VPC Service Controls.
C. Use hierarchical firewall policies.
D. Use organization policies to deny firewall rule creation.
Answer: A

IAM allows fine-grained control over who can create firewall rules in the host project.

Why this answer

Option A is correct because IAM roles with the `compute.firewalls.create` permission at the host project level allow you to precisely control which service projects can create firewall rules in the Shared VPC host project. By assigning a custom or predefined role (e.g., Compute Security Admin) that includes this permission to specific service project identities, you can restrict firewall rule creation to only authorized service projects while preventing others from doing so.

Exam trap

The trap here is that candidates confuse VPC Service Controls or hierarchical firewall policies with IAM-based permission control, mistakenly thinking these features can restrict which service projects can create firewall rules, when they actually serve different purposes (data exfiltration prevention and rule enforcement, respectively).

How to eliminate wrong answers

Option B is wrong because VPC Service Controls are designed to protect data exfiltration by controlling access to Google Cloud APIs from outside a service perimeter, not to manage IAM permissions for creating firewall rules within a Shared VPC. Option C is wrong because hierarchical firewall policies are used to enforce consistent firewall rules across an organization hierarchy (folders, projects) and do not control which service projects can create rules; they apply rules, not permissions. Option D is wrong because organization policies can deny firewall rule creation globally (e.g., using a constraint like `compute.disableFirewallCreation`), but they cannot selectively allow or deny specific service projects; they are a blunt instrument that would block all firewall rule creation in the host project, including for authorized service projects.

152 · MCQ · medium

A company is designing a global application that requires low-latency access to GCP services like Cloud Storage and BigQuery. They also need to minimize egress costs for traffic to the internet. Which network service tier should they choose for their GCP resources?

A. Use a CDN to reduce latency and no specific tier
B. Premium Tier for all resources
C. Premium Tier for Compute Engine instances and Standard Tier for Cloud Storage
D. Standard Tier for all resources
Answer: B

Premium Tier uses Google's global network, reduces latency, and egress costs are lower for many Google services.

Why this answer

The Premium Tier routes traffic over Google's global network backbone, providing lower latency and higher performance for accessing GCP services like Cloud Storage and BigQuery. It also minimizes egress costs to the internet by keeping traffic on Google's private network for as long as possible, reducing reliance on public transit.

Exam trap

Google Cloud often tests the misconception that Standard Tier is sufficient for global applications, but the trap here is that Standard Tier uses public internet routing, which increases both latency and egress costs, making Premium Tier the correct choice for low-latency and cost-efficient global access to GCP services.

How to eliminate wrong answers

Option A is wrong because using a CDN does not replace the need for a network service tier; the tier determines how traffic is routed to GCP resources, and a CDN is a separate optimization for content delivery. Option C is wrong because mixing Premium Tier for Compute Engine and Standard Tier for Cloud Storage would cause inconsistent routing, with Cloud Storage traffic using the public internet (higher latency and egress costs), defeating the low-latency and cost-minimization goals. Option D is wrong because Standard Tier routes traffic over the public internet, which increases latency and egress costs, making it unsuitable for a global application requiring low-latency access to GCP services.

153 · MCQ · medium

A security team wants to allow traffic from a specific set of VMs with service account 'web-sa@project.iam.gserviceaccount.com' to access a database VM with tag 'db'. The VMs are in the same VPC. Which firewall rule configuration achieves this?

A. Ingress rule: allow tcp:3306, source IP range 10.0.0.0/8, target tags 'db'
B. Ingress rule: allow tcp:3306, source tags 'web', target service account 'db-sa'
C. Egress rule: allow tcp:3306, source service account 'web-sa', target tags 'db'
D. Ingress rule: allow tcp:3306, source service account 'web-sa', target tags 'db'
Answer: D

This rule only allows traffic from VMs with the specified service account to the tagged database VMs.

Why this answer

Option D is correct because it defines an ingress firewall rule that allows TCP traffic on port 3306 (MySQL) from VMs using the service account 'web-sa@project.iam.gserviceaccount.com' as the source, targeting VMs with the network tag 'db'. In GCP VPC firewall rules, source service accounts can be used to filter traffic based on the identity of the source VM, while target tags apply the rule to destination VMs that have the specified tag, enabling identity-based access control without relying on IP addresses.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules in the context of service account filtering, and the trap here is that candidates may confuse the direction of traffic (thinking an egress rule on the web VMs is needed) or incorrectly mix source/target tags with service accounts, leading them to pick options that use IP ranges or mismatched attributes.

How to eliminate wrong answers

Option A is wrong because it uses a broad source IP range (10.0.0.0/8) instead of the specific service account, which would allow traffic from any VM in that IP range, not just those with the 'web-sa' service account, violating the principle of least privilege. Option B is wrong because it incorrectly uses source tags 'web' (which filter by network tag, not service account) and target service account 'db-sa' (which would apply the rule to VMs with that service account, not the database VM with tag 'db'); it does specify an ingress rule, so the direction is correct, but the filtering attributes are mismatched. Option C is wrong because it defines an egress rule, but the requirement is to allow traffic from the web VMs to the database VM, which is an inbound connection to the database; egress rules control outbound traffic from the source, not inbound access to the target.

154 · Multi-Select · easy

Which THREE of the following are required to use Private Google Access for on-premises hosts through a Cloud VPN or Interconnect? (Choose THREE)

Select 3 answers
A. Firewall rules allowing traffic from on-premises to the restricted VIP IP range.
B. VPC Flow Logs enabled on the VPC.
C. Configuring DNS on-premises to resolve Google API hostnames to the restricted Google APIs IP address (199.36.153.4/30).
D. A Cloud VPN tunnel or Dedicated Interconnect connection to Google Cloud.
E. Cloud NAT configured for the on-premises subnet.
Answers: A, C, D

Traffic must be allowed to reach the VIP.

Why this answer

Private Google Access for on-premises hosts requires firewall rules that allow traffic from on-premises to the restricted VIP IP range (199.36.153.4/30). This is necessary because on-premises hosts must be able to reach the restricted Google APIs VIP over the VPN or Interconnect, and firewall rules control which source IPs can access that VIP. Without these rules, traffic from on-premises would be blocked at the Google Cloud perimeter.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for on-premises traffic, but Cloud NAT is only for Google Cloud VMs without external IPs, not for on-premises hosts using Private Google Access.

155 · Multi-Select · medium

Which THREE components are required to set up a Cloud VPN with dynamic routing (BGP) between an on-premises network and Google Cloud?

Select 3 answers
A. Cloud VPN gateway
B. Cloud Router
C. Cloud NAT
D. BGP peer on the on-premises router
E. Static routes for the remote network
Answers: A, B, D

The VPN gateway terminates the VPN tunnel on the Google Cloud side.

Why this answer

A Cloud VPN gateway is required because it acts as the Google Cloud-side endpoint for the VPN tunnel, handling the encryption and encapsulation of traffic. Without a VPN gateway, there is no secure tunnel termination point in GCP, making it impossible to establish the VPN connection.

Exam trap

The trap here is that candidates often confuse Cloud NAT as a required component for VPN connectivity, but Cloud NAT is unrelated to VPN tunnel establishment or BGP routing.

156 · MCQ · easy

An organization wants to migrate legacy on-premises applications to Google Cloud but must maintain low-latency connectivity for real-time data synchronization. The on-premises data center is in a colocation facility that is not directly served by Google Cloud. Which hybrid connectivity option is most cost-effective while meeting the latency requirement?

A. Direct Peering
B. Cloud VPN with dynamic routing
C. Partner Interconnect
D. Dedicated Interconnect
Answer: C

Uses a service provider to connect to Google Cloud, cost-effective and low latency.

Why this answer

Partner Interconnect is the most cost-effective option because it provides a dedicated, low-latency connection through a supported service provider that can extend connectivity from the colocation facility to a Google Cloud region. Unlike Dedicated Interconnect, it does not require physical cross-connects in a Google Cloud colocation facility, making it ideal when the on-premises site is not directly served by Google Cloud. It meets the real-time synchronization latency requirement by offering a reliable, high-bandwidth connection with SLA-backed uptime.

Exam trap

Google Cloud often tests the misconception that Direct Peering or Cloud VPN can meet low-latency requirements, but the trap here is that only Partner Interconnect or Dedicated Interconnect provide SLA-backed, low-latency connectivity, and Partner Interconnect is the correct choice when the on-premises site is not in a Google Cloud colocation facility.

How to eliminate wrong answers

Option A is wrong because Direct Peering is not a Google Cloud connectivity product; it is a BGP-based peering arrangement at an IXP that does not provide SLA-backed connectivity or guaranteed bandwidth, and it is not designed for hybrid cloud connectivity to Google Cloud. Option B is wrong because Cloud VPN with dynamic routing uses the public internet, which introduces variable latency and jitter that cannot guarantee the low-latency requirement for real-time data synchronization. Option D is wrong because Dedicated Interconnect requires a physical cross-connect in a Google Cloud colocation facility, and the on-premises data center is in a colocation facility not directly served by Google Cloud, making it impractical and more expensive to implement.

157 · MCQ · easy

A customer wants to use Cloud VPN to connect a small branch office to Google Cloud. The branch office has a dynamic public IP address. Which Cloud VPN type should they use?

A. Classic VPN with a static IP on the peer
B. A custom SSL VPN appliance on Compute Engine
C. HA VPN with a single VPN gateway and a dynamic peer IP
D. HA VPN with two VPN gateways and static peer IPs
Answer: C

HA VPN supports dynamic peer IP addresses, making it suitable for branches with dynamic IPs.

Why this answer

Option C is correct because HA VPN supports dynamic peer IP addresses through its use of IKEv2 and route-based VPN tunnels. When the branch office has a dynamic public IP, HA VPN can establish tunnels using the peer's current IP address, which is discovered during IKE negotiation. Classic VPN (option A) requires a static peer IP, and option D requires two static peer IPs, making them unsuitable for a dynamic IP scenario.

Exam trap

The trap here is that candidates often assume HA VPN always requires static peer IPs, but the exam tests the nuance that HA VPN with a single gateway (and dynamic peer IP support) is the correct choice when the remote peer has a dynamic public IP, not the dual-gateway HA configuration.

How to eliminate wrong answers

Option A is wrong because Classic VPN with a static IP on the peer requires the branch office to have a static public IP address, which contradicts the given dynamic IP condition. Option B is wrong because a custom SSL VPN appliance on Compute Engine is not a native Cloud VPN service; it introduces additional complexity, licensing, and management overhead, and is not the recommended or simplest solution for site-to-site IPsec VPN connectivity. Option D is wrong because HA VPN with two VPN gateways and static peer IPs requires both peer IPs to be static, which is not possible when the branch office has a single dynamic public IP.

158 · MCQ · medium

A customer has established a Dedicated Interconnect, but traffic from on-premises to Google Cloud is still using the internet path instead of the interconnect. What is the most likely cause?

A. The on-premises firewall blocks BGP traffic.
B. The Google Cloud Router has not learned any routes.
C. The VLAN attachment is in a different region.
D. The BGP routes from on-premises have a lower priority than the default route via internet.
Answer: D

Route priority (e.g., weight, MED) determines which path is used; lower priority routes are less preferred.

Why this answer

Option D is correct because when both an internet default route and more specific BGP routes from the Dedicated Interconnect exist, the route with the highest administrative distance (lowest priority) wins. By default, static routes or internet-learned routes often have a lower administrative distance (e.g., 1 for static) compared to eBGP routes (AD 20). If the on-premises router is sending BGP routes with a higher AD or the cloud router prefers the internet default route due to route priority, traffic will not use the interconnect.

Exam trap

Google Cloud often tests the misconception that BGP routes are always preferred over static routes, but the trap here is that administrative distance (or route priority in Google Cloud) can cause the internet default route to take precedence over BGP-learned routes from the interconnect.

How to eliminate wrong answers

Option A is wrong because if the on-premises firewall blocks BGP traffic, the BGP session would not establish at all, resulting in no routes learned via the interconnect, not a scenario where traffic still uses the internet path while BGP is up. Option B is wrong because if the Google Cloud Router has not learned any routes, there would be no path via the interconnect, and traffic would default to the internet; however, the question states the interconnect is established, implying BGP sessions are up and routes are exchanged, so this is not the most likely cause. Option C is wrong because the VLAN attachment must be in the same region as the Cloud Router for the interconnect to function; if it were in a different region, the interconnect would not be operational, and the customer would not have a working Dedicated Interconnect.

159 · MCQ · easy

A startup wants to minimize costs for their development VPC. They have a few VMs that need occasional internet access for updates. What is the most cost-effective approach?

A. Use Private Google Access
B. Use Cloud NAT with a static IP
C. Use a VPN to an on-prem network for internet
D. Assign external IPs to each VM
Answer: B

Cloud NAT allows private VMs to access the internet using one or more static IPs, minimizing costs.

Why this answer

Cloud NAT with a static IP is the most cost-effective approach because it allows multiple VMs to share a single static IP address for outbound internet access, eliminating the need for individual external IPs. This reduces costs since external IP addresses incur charges, and Cloud NAT provides managed, scalable outbound connectivity without requiring a VPN or dedicated gateway.

Exam trap

Google Cloud often tests the misconception that Private Google Access (option A) provides general internet access, but it only covers Google APIs and services, not arbitrary internet destinations like update servers.

How to eliminate wrong answers

Option A is wrong because Private Google Access only enables VMs without external IPs to reach Google APIs and services, not the general internet for updates. Option C is wrong because using a VPN to an on-prem network for internet access introduces additional latency, complexity, and costs (VPN gateway, traffic egress) without benefit if the on-prem network is not already used. Option D is wrong because assigning external IPs to each VM incurs per-IP charges and increases the attack surface, making it less cost-effective than a shared NAT solution.

160 · MCQ · medium

A company is designing a hybrid network architecture to connect their on-premises data center to Google Cloud. They need high availability and bandwidth up to 10 Gbps. Which connectivity option should they choose?

A. VPN with Cloud Router
B. Direct Peering
C. Dedicated Interconnect with a single connection
D. Partner Interconnect with redundant connections
Answer: D

Partner Interconnect supports up to 10 Gbps and can be deployed with redundant connections for high availability.

Why this answer

Option D is correct because the requirement for high availability (redundancy) and bandwidth up to 10 Gbps is best met by Partner Interconnect with redundant connections. Partner Interconnect supports bandwidths from 50 Mbps to 10 Gbps and allows you to connect through a supported service provider, while redundant connections ensure failover and meet the high-availability requirement. Dedicated Interconnect offers up to 10 Gbps per circuit but requires two separate connections for high availability, not a single connection.

Exam trap

The trap here is that candidates often mistake 'Dedicated Interconnect with a single connection' for a high-availability option, but the exam tests that a single physical circuit is a single point of failure, and high availability requires at least two redundant connections, which is why Partner Interconnect with redundant connections is the correct choice.

How to eliminate wrong answers

Option A is wrong because VPN with Cloud Router typically provides up to ~3 Gbps per tunnel (with IPsec overhead) and does not guarantee 10 Gbps bandwidth, nor does it offer the same latency or reliability as a dedicated physical connection. Option B is wrong because Direct Peering is a direct connection between your on-premises network and Google at an edge exchange location, but it does not offer SLA-backed bandwidth or support for 10 Gbps; it is intended for exchanging traffic with Google services, not for dedicated hybrid connectivity. Option C is wrong because Dedicated Interconnect with a single connection provides up to 10 Gbps per circuit, but a single connection is a single point of failure and does not meet the high-availability requirement; Google recommends at least two redundant connections for HA.

161 · MCQ · medium

A financial services company needs to audit all VPC firewall rule changes in real time. They want to receive notifications whenever a rule is created, modified, or deleted. What is the most efficient way to achieve this?

A. Enable VPC Flow Logs and export them to BigQuery for analysis.
B. Use Cloud Logging with a filter on firewall rule updates and create a logs-based metric with an alert.
C. Enable VPC Firewall Rules Logging and send logs to Pub/Sub with a Cloud Function trigger.
D. Store Cloud Audit Logs in a Cloud Storage bucket and periodically check for changes.
Answer: B

Cloud Logging captures Admin Activity audit logs for firewall changes; a logs-based metric with alert policy provides real-time notification.

Why this answer

Option D is correct because VPC Firewall Rules Logging with a sink to Pub/Sub can filter change events. Option A is wrong because export to BigQuery is for batch analysis. Option B is wrong because Stackdriver (Cloud Logging) by itself doesn't create alerts easily; Option C is wrong because Cloud Audit Logs track changes but require additional setup to send alerts.

162 · Multi-Select · hard

A network engineer is troubleshooting a BGP session between an on-premises router and a Cloud Router. The BGP session state is 'CONNECT' and never transitions to 'ESTABLISHED'. The engineer has verified that the Cloud Router and on-premises router have the same BGP ASN, and that the peer IP addresses are correctly configured. Which two additional steps should the engineer take to resolve this issue? (Choose TWO.)

Select 2 answers
A. Change the BGP ASN on the Cloud Router to a different number
B. Ensure the on-premises router has a route to the Cloud Router's BGP peer IP address
C. Increase the BGP hold timer on the Cloud Router
D. Change the BGP keepalive interval to 10 seconds
E. Verify the Cloud VPN tunnel is established and passing traffic
Answers: B, E

Without a return route, BGP packets cannot reach the Cloud Router.

Why this answer

When the BGP session state is stuck in 'CONNECT', it indicates that the router is actively trying to initiate a TCP connection to the peer but is not receiving a response. For BGP to establish a TCP session (port 179), the on-premises router must have a valid IP route to the Cloud Router's BGP peer IP address. Without this route, TCP SYN packets are dropped, preventing the session from transitioning to 'ESTABLISHED'.

Exam trap

Google Cloud often tests the misconception that BGP session issues in the 'CONNECT' state are caused by BGP timer or ASN misconfigurations, when the real root cause is almost always a lack of IP reachability (missing route or tunnel failure) preventing the TCP connection from forming.

163 · Matching · medium

Match each Google Cloud Armor feature to its description.


Descriptions to match

Pre-configured rules to block common web attacks

Limits requests per client to prevent abuse

Allows or denies traffic from specific IPs

ML-based detection of DDoS and application attacks

Rules attached to backend services or load balancers

Why these pairings

Cloud Armor provides web application firewall and DDoS protection.

164 · Drag & Drop · medium

Drag and drop the steps to configure a Cloud NAT for private instances to access the internet into the correct order.


Why this order

Cloud NAT requires a Cloud Router first. Then create NAT, assign IPs, and apply to subnets. Testing confirms internet access.

165 · MCQ · hard

A company has deployed an external HTTPS load balancer with a Cloud CDN backend. The load balancer uses a managed SSL certificate. Recently, the company updated their DNS record to point to a different IP address of a new load balancer. After the change, some users are still being served from the old load balancer's cache. The network engineer has confirmed that the DNS TTL has expired. What is the most likely cause of this issue?

A. Cloud CDN cached responses from the old load balancer may still be served until their cache TTL expires.
B. The old load balancer's SSL certificate is still cached by clients.
C. The DNS change has not propagated globally despite the TTL expiring.
D. The old load balancer's IP address is still being served by Google's edge network due to anycast.
Answer: A

Cloud CDN caches content at edge locations; if the cache TTL has not expired, users may receive the old content even after DNS changes.

Why this answer

Cloud CDN caches content at Google's edge caches based on the cache-control headers or default cache TTL. When the DNS record is updated to point to a new load balancer, the old load balancer's cached responses may still be served from edge caches until their cache TTL expires, even after the DNS TTL has expired. This is because Cloud CDN caches are independent of DNS resolution and are governed by HTTP caching rules.

Exam trap

Google Cloud often tests the distinction between DNS TTL (which controls how long DNS records are cached by resolvers) and HTTP cache TTL (which controls how long content is cached by CDN edge nodes), leading candidates to incorrectly attribute the issue to DNS propagation rather than CDN cache expiration.

How to eliminate wrong answers

Option B is wrong because SSL certificates are not cached by clients in a way that would cause them to be served content from the old load balancer; certificate caching affects TLS handshake validation, not content delivery. Option C is wrong because the question explicitly states that the DNS TTL has expired, meaning the DNS change has propagated globally; the issue is not DNS propagation. Option D is wrong because Google's edge network uses anycast to route traffic to the nearest healthy load balancer IP, but the old load balancer's IP is no longer advertised once the DNS points to a new IP; anycast does not serve stale IPs.

166 · MCQ · medium

A company has an on-premises data center connected to GCP via Cloud VPN with dynamic routing (BGP). Recently, connectivity to a specific subnet (10.1.0.0/16) in GCP became intermittent. The VPN tunnel is up, and BGP sessions are established. What is the most likely cause?

A. The shared secret is misconfigured.
B. The VPN tunnel is flapping due to packet loss.
C. A firewall rule is blocking traffic from on-premises.
D. The Cloud Router is not advertising the correct subnet range to the on-premises router.
Answer: D

If the subnet is not advertised, on-premises traffic may not be routed correctly.

Why this answer

Since the VPN tunnel is up and BGP sessions are established, the issue is not with the tunnel or BGP peering itself. Intermittent connectivity to a specific subnet (10.1.0.0/16) while other subnets remain reachable strongly indicates a route advertisement problem. The Cloud Router must be configured to advertise the correct subnet range to the on-premises router via BGP; if it is not, the on-premises router will lack a route for that subnet, causing intermittent or no connectivity.

Exam trap

Google Cloud often tests the misconception that if the VPN tunnel and BGP session are up, all subnets must be reachable, but the trap is that route advertisement misconfiguration can cause selective subnet unreachability even when the control plane is healthy.

How to eliminate wrong answers

Option A is wrong because a misconfigured shared secret would prevent the VPN tunnel from establishing or cause it to fail authentication, but the tunnel is up and BGP sessions are established. Option B is wrong because tunnel flapping due to packet loss would cause the entire tunnel to go up and down, affecting all traffic, not just a specific subnet, and BGP sessions would also flap. Option C is wrong because a firewall rule blocking traffic from on-premises would cause consistent failure for all traffic from that source, not intermittent connectivity to a single subnet, and the tunnel and BGP being up suggests no such block at the network layer.

167 · Multi-Select · medium

A company is designing a hybrid network with Partner Interconnect. They need to ensure high availability and meet a 99.99% SLA. Which TWO actions should they take?

Select 2 answers
A. Provision two Partner Interconnects from different providers or locations
B. Create two VLAN attachments, each on a different Interconnect
C. Enable VPN as a backup to the Interconnect
D. Create a single VLAN attachment with multiple BGP sessions
E. Provision a single Partner Interconnect with two VLAN attachments
Answers: A, B

Redundant Interconnects are required for high availability.

Why this answer

To meet a 99.99% SLA, the design must eliminate single points of failure at both the physical interconnect and the logical attachment level. Provisioning two Partner Interconnects from different providers or locations ensures physical diversity, while creating two VLAN attachments (each on a different Interconnect) provides logical redundancy, allowing traffic to fail over if one attachment or interconnect fails.

Exam trap

Google Cloud often tests the misconception that multiple BGP sessions on a single attachment or a single interconnect provide sufficient redundancy, but the trap here is that the 99.99% SLA requires both physical and logical diversity, so candidates must recognize that a single interconnect (even with two VLAN attachments) is a single point of failure.

168 · MCQ · medium

A company has a VPC with subnets in us-east1 and us-west1. They have established a Cloud VPN tunnel to their on-premises network through a Cloud Router in us-east1. They want to ensure that traffic from on-premises to resources in us-west1 uses the VPN tunnel and not the public internet. What must be configured?

A. Configure a custom dynamic route on the Cloud Router for us-west1 subnets
B. Create a separate VPN tunnel from on-premises to a Cloud Router in us-west1
C. Add a route on the on-premises router for us-west1 subnets with next hop pointing to the VPN tunnel
D. Configure VPC firewall rules to allow traffic from on-premises to us-west1
Answer: C

The on-premises router must have a route for the remote subnets pointing to the VPN tunnel to forward traffic through it.

Why this answer

The correct answer is C because the on-premises router must have a route for the us-west1 subnets with the VPN tunnel as the next hop. Without this, the on-premises router will use its default route (typically the public internet) to reach us-west1, bypassing the VPN tunnel. The Cloud Router in us-east1 advertises the us-west1 subnets via BGP over the VPN tunnel, but the on-premises router must be explicitly configured to forward traffic for those subnets into the tunnel.

Exam trap

The trap here is that candidates assume the Cloud Router automatically directs traffic to the correct region, but the on-premises router must have an explicit route for the remote subnets pointing to the VPN tunnel, as the Cloud Router only advertises routes and does not control the on-premises forwarding table.

How to eliminate wrong answers

Option A is wrong because the Cloud Router already advertises the us-west1 subnets via BGP if they are in the same VPC; configuring a custom dynamic route on the Cloud Router is unnecessary and does not control the on-premises router's forwarding decision. Option B is wrong because a separate VPN tunnel to us-west1 is not required; the existing VPN tunnel in us-east1 can carry traffic to us-west1 as long as the on-premises router has a route pointing to it, and Cloud Router can advertise the us-west1 prefixes over the existing BGP session. Option D is wrong because VPC firewall rules control traffic within Google Cloud, not routing decisions on the on-premises side; they do not force traffic to use the VPN tunnel.

169 · MCQ · medium

An organization has a Cloud NAT configured for a VPC network to allow outbound internet access for private instances. They notice that some instances are failing to connect to a specific external API that requires a static source IP. What should they do to resolve this?

A. Use Private Google Access instead of Cloud NAT.
B. Assign a static external IP to the instances and use Cloud NAT with static IPs.
C. Configure Cloud NAT with a static NAT IP address and ensure all traffic uses that IP.
D. Use a VPN tunnel to the API provider's network.
Answer: C

This provides a consistent source IP for all outbound traffic, meeting the API's requirement.

Why this answer

Cloud NAT supports manual NAT IP allocation: you reserve one or more static regional external IP addresses and assign them to the gateway, and every outbound connection from the subnets the gateway serves then leaves with those addresses, so the API provider can allowlist them. With automatic allocation Google may add or change addresses over time, which is exactly what an allowlist cannot tolerate. Option C configures this, and the instances keep no external addresses of their own.

Exam trap

Google Cloud often tests the misconception that assigning static external IPs to instances is necessary for static source IP requirements, when in fact Cloud NAT with a static IP achieves the same goal without compromising the private nature of the instances.

How to eliminate wrong answers

Option A is wrong because Private Google Access only enables access to Google APIs and services, not to external third-party APIs, and does not provide a static source IP. Option B is wrong because assigning a static external IP to instances defeats the purpose of using private instances and Cloud NAT; Cloud NAT with static IPs is designed to handle this without exposing instances directly. Option D is wrong because a VPN tunnel provides encrypted connectivity to a specific network but does not inherently provide a static source IP for outbound internet traffic to an external API; it would require additional NAT configuration.

170
Multi-Selecthard

Which THREE of the following are valid use cases for VPC Service Controls?

Select 3 answers
A.Controlling access to a Cloud SQL database from a specific VPC.
B.Preventing data exfiltration from Google Cloud Storage.
C.Allowing access to a managed instance group from the internet.
D.Enabling private access to Cloud APIs from on-premises.
E.Restricting access to BigQuery from outside a perimeter.
AnswersA, B, E

VPC SC can restrict Cloud SQL access to authorized VPC networks.

Why this answer

Option A is correct because VPC Service Controls lets you put the project that holds a Cloud SQL instance (or any other supported service) inside a service perimeter and, with an ingress rule whose source is a specific VPC network, admit only requests that originate from that network. Requests from outside the perimeter, including requests from the public internet that carry valid IAM credentials, are rejected.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls are a general-purpose network access control tool (like firewall rules or VPN), when in fact they are specifically for creating a data exfiltration prevention perimeter around Google Cloud services, not for allowing inbound internet access or extending access to on-premises networks.

171
MCQhard

A company is experiencing asymmetric routing between their VPC and on-premises network over two Cloud VPN tunnels with different BGP sessions. Some traffic from GCP to on-premises is dropped by firewall stateful inspection on-premises. What is the most likely cause?

A.BGP keepalive timers are set too low, causing session flapping.
B.The MTU is mismatched between the tunnels.
C.The on-premises router is not receiving the VPC routes via BGP.
D.Traffic is taking one tunnel for outbound and the other for return, causing stateful firewall to drop packets.
AnswerD

Asymmetric paths break stateful firewalls that expect return traffic on same interface.

Why this answer

The most likely cause is asymmetric routing, where outbound traffic from GCP to on-premises takes one VPN tunnel while return traffic takes the other. Stateful firewalls track connection state based on the first packet seen; if return packets arrive via a different tunnel (and thus a different source IP or interface), the firewall does not recognize them as part of an existing session and drops them. This is a classic symptom of asymmetric routing with multiple BGP sessions over separate tunnels.

Exam trap

The trap here is that candidates often confuse asymmetric routing with route propagation failures or MTU issues, but the key clue is 'stateful firewall inspection' dropping traffic, which directly points to a session state mismatch caused by different paths for forward and return traffic.

How to eliminate wrong answers

Option A is wrong because BGP keepalive timers set too low would cause session flapping, not asymmetric routing; flapping would result in intermittent connectivity, not a consistent one-way drop. Option B is wrong because MTU mismatch typically causes fragmentation issues or packet loss, not stateful firewall drops due to asymmetric paths; it would manifest as connectivity failures for large packets, not a directional traffic drop. Option C is wrong because if the on-premises router were not receiving VPC routes via BGP, traffic from on-premises to GCP would fail entirely, not just be dropped by the firewall on return; the question states traffic is dropped by firewall inspection, implying routes are present.

172
MCQeasy

A developer needs to allow a VM in subnet A to reach a VM in subnet B in the same VPC. What is the default behavior?

A.A custom route must be added to route between subnets.
B.A firewall rule must be added to allow traffic between subnets.
C.The default firewall rule allows all internal traffic within the VPC.
D.VPC peering is required for communication between subnets.
AnswerC

The default allow-internal firewall rule permits all traffic within the VPC.

Why this answer

Every subnet in a VPC gets a system-generated subnet route, so the two VMs are already routable to each other; the question is only whether the firewall lets the traffic in. The default network is created with the pre-populated default-allow-internal rule, which allows TCP, UDP and ICMP from 10.128.0.0/9, so in that network traffic between subnets works out of the box, and option C describes the default behaviour.

Option B is wrong for the default network for the reason above, with a caveat a practitioner needs: a custom VPC is created with only the implied rules (deny all ingress, allow all egress), so in a custom VPC an ingress rule is required before subnet A can reach subnet B. Option A is wrong because subnet routes are created automatically; custom routes are never needed for traffic within a VPC. Option D is wrong because VPC Network Peering connects separate VPC networks; subnets in one VPC already share its routing.

173
MCQmedium

A company has a VPC with subnets in us-central1 and europe-west1. They want to deploy a Cloud NAT to allow VMs in both regions to access the internet. How many Cloud NAT gateways are needed?

A.None; Cloud NAT is not required for internet access.
B.One Cloud NAT gateway per subnet.
C.Two Cloud NAT gateways, one per region.
D.One Cloud NAT gateway covering both regions.
AnswerC

Cloud NAT is regional, so one per region is needed.

Why this answer

Cloud NAT is a regional resource: each gateway is attached to a Cloud Router in one region and can serve only subnets in that region. A VPC with subnets in us-central1 and europe-west1 therefore needs two gateways, one per region, so option C is correct.

Option A is wrong because VMs without external IP addresses have no path to the internet without Cloud NAT (or a NAT instance you run yourself). Option B is wrong because one regional gateway can be configured to serve all subnets in its region, or a chosen list of them, so one per subnet is unnecessary. Option D is wrong because Cloud NAT is not global; a gateway never spans regions.

174
Multi-Selecteasy

An organization is experiencing high latency on their Partner Interconnect connection. Which TWO tools or features can they use to diagnose the issue from within Google Cloud? (Choose two.)

Select 2 answers
A.Network Intelligence Center performance dashboard
B.Cloud Router logs
C.Cloud Load Balancing logs
D.VPC Flow Logs
E.Cloud Interconnect monitoring metrics
AnswersD, E

Flow logs can show RTT and help pinpoint which traffic is experiencing latency.

Why this answer

VPC Flow Logs record sampled flows to and from VM interfaces. For TCP flows each record carries a measured round-trip time (the rtt_msec field) together with byte and packet counts, so filtering on the on-premises destination ranges and sorting by RTT shows which flows, subnets and destinations are seeing the latency, and whether it is uniform across the link or confined to particular hosts. Flow logs carry no retransmission counters, so loss has to be inferred from other sources. Cloud Interconnect exports its metrics to Cloud Monitoring: per-attachment throughput and dropped packets, and per-link state and optical power levels, which show whether the circuit is saturated or physically degraded. Together they give an in-cloud view of both the traffic and the link.

Exam trap

Google Cloud often tests the misconception that Cloud Router logs or Load Balancing logs can diagnose network latency, when in fact they are designed for BGP routing events and application-layer metrics, respectively, not for interconnect-level packet loss or latency.

175
MCQmedium

A company has a VPC with subnets in us-east1 and europe-west1. They need low-latency communication between instances in these regions using private IPs only. Which solution should they use?

A.Use Cloud VPN to connect the regions.
B.Use Cloud Interconnect to connect the regions.
C.Use VPC Network Peering between the two regional subnets.
D.Use a Global VPC (default VPC mode).
AnswerD

Global VPC provides automatic cross-region routing.

Why this answer

A Global VPC (default VPC mode) allows subnets in multiple regions to communicate using private IPs natively, without any additional VPN or peering configuration. This is because a Global VPC spans all regions, and instances within the same VPC can reach each other via internal IPs using Google's global network, providing low-latency communication.

Exam trap

The trap here is that candidates often confuse VPC Network Peering (which connects separate VPCs) with the native inter-region communication within a single Global VPC, leading them to select option C instead of recognizing that a Global VPC already provides private IP connectivity across regions.

How to eliminate wrong answers

Option A is wrong because Cloud VPN creates encrypted tunnels over the public internet, which adds latency and does not use private IPs natively; it is designed for hybrid connectivity, not for inter-region VPC communication. Option B is wrong because Cloud Interconnect provides dedicated on-premises to GCP connectivity, not connectivity between GCP regions; it is used for hybrid cloud, not for VPC-to-VPC within GCP. Option C is wrong because VPC Network Peering connects two separate VPCs, not subnets within the same VPC; it requires explicit peering setup and does not apply to subnets in the same VPC, which already communicate via the global VPC.

176
MCQeasy

Based on the exhibit, what is the purpose of Cloud Router's BGP configuration?

A.To advertise the VPC's IP range to the on-premises network.
B.To load balance traffic across multiple VPN tunnels.
C.To receive a default route from the on-premises network.
D.To advertise a default route to the on-premises network.
AnswerA

Cloud Router advertises 10.0.0.0/16 to on-premises.

Why this answer

Cloud Router uses BGP to exchange routes dynamically between a VPC network and an on-premises network over Cloud VPN tunnels or Cloud Interconnect VLAN attachments. In the exhibit its job is to advertise the VPC's range (10.0.0.0/16) to the on-premises router so that on-premises hosts have a return route to the VPC. In the default advertisement mode Cloud Router advertises all subnet ranges automatically (every region if the VPC's dynamic routing mode is global, only its own region if regional); custom advertisement mode lets you add summary prefixes or restrict what is sent. Nothing per prefix has to be configured for a subnet range beyond having the BGP session up.

Exam trap

Google Cloud often tests the misconception that Cloud Router's primary function is to load balance traffic or receive default routes, but the core purpose is to dynamically advertise and learn specific IP prefixes via BGP for hybrid connectivity.

How to eliminate wrong answers

Option B is wrong because Cloud Router is a control-plane service: it exchanges routes and forwards no traffic. Traffic is spread across multiple tunnels only as a side effect of ECMP, when the routes learned over each tunnel end up with equal priority in the VPC route table. Option C is wrong because, although Cloud Router can learn routes from on-premises, including a default route, the exhibit shows advertisement of the VPC range, not receipt of a default. Option D is wrong because Cloud Router advertises 0.0.0.0/0 to on-premises only when a custom advertised route is configured for it, and the exhibit advertises the VPC's specific range instead.

177
MCQhard

Refer to the exhibit. A network engineer configured a Cloud Router to advertise the on-premises subnet 10.0.0.0/8 to the VPC. However, traffic from VPC instances to 10.0.0.0/8 is being dropped. What is the most likely issue?

A.The advertised route has a priority that is too low.
B.The Cloud Router's ASN is private, causing routes to be rejected.
C.The subnet 10.0.0.0/8 overlaps with the VPC's auto-allocated IP range.
D.The on-premises router is not configured to accept the advertised route.
AnswerC

Overlap causes VPC to prefer local routes, dropping traffic destined for on-premises.

Why this answer

Option C is correct because a VPC's subnet routes always take precedence over dynamic routes whose destination is the same as, or broader than, a subnet range. If the 10.0.0.0/8 learned from on-premises overlaps the VPC's own subnet ranges (an auto mode network, for example, uses 10.128.0.0/9), traffic for the overlapping addresses is delivered locally inside the VPC, and an address that no VM owns is simply dropped; it is never forwarded to on-premises. Overlapping prefixes therefore fail silently on the VPC side. The check is to compare every advertised prefix against the VPC's primary and secondary subnet ranges before accepting it.

Exam trap

Google Cloud often tests the misconception that route priority or BGP ASN issues cause traffic drops, but the trap here is that overlapping IP ranges between on-premises and VPC subnets silently cause traffic to be dropped due to VPC local route precedence, not because of BGP configuration errors.

How to eliminate wrong answers

Option A is wrong because route priority (preference) in Cloud Router is used for route selection among multiple paths, but a low priority does not cause traffic to be dropped; it would simply make the route less preferred, not block it entirely. Option B is wrong because Cloud Router supports private ASNs (e.g., 64512-65534) by default, and BGP does not reject routes based solely on ASN being private; the on-premises router must be configured to accept private ASNs if needed, but this is not the cause of traffic being dropped within the VPC. Option D is wrong because the on-premises router not accepting the advertised route would prevent the route from being learned on-premises, but the question states traffic from VPC instances to 10.0.0.0/8 is being dropped, which is a VPC-side issue, not an on-premises acceptance problem.

178
MCQeasy

A company wants to connect their on-premises data center to Google Cloud using Dedicated Interconnect. They have ordered a 10 Gbps connection and plan to use a single VLAN attachment. How many Cloud Router interfaces are required for a single VLAN attachment with active/active BGP?

A.4 interfaces (two for each BGP session)
B.2 interfaces (one for each VLAN)
C.1 interface
D.2 interfaces (one for each BGP session)
AnswerC

A single VLAN attachment maps to exactly one Cloud Router interface, which carries exactly one BGP session.

Why this answer

For one VLAN attachment on Dedicated Interconnect, one Cloud Router interface is required. The mapping is one-to-one all the way down: one VLAN attachment, one Cloud Router interface (whose address comes from the attachment's /29 link-local range), one BGP peer. An active/active design, in which two BGP sessions carry traffic at the same time, is built by adding a second VLAN attachment; each attachment gets its own interface and BGP peer on the Cloud Router (for the 99.9% availability SLA the attachments sit on separate connections in different edge availability domains), and equal MED on both sessions gives the learned routes equal priority and ECMP. The question asks about a single attachment, so the count is one.

Exam trap

Google Cloud often tests whether candidates count interfaces per BGP session or per VLAN attachment. The counts are the same, one of each per attachment, so a single attachment yields one interface and one session; a second session requires a second attachment, not a second interface on the first one.

How to eliminate wrong answers

Option A is wrong because nothing in the design needs two interfaces per session; each attachment has one interface and one session. Option B is wrong because a VLAN attachment carries exactly one VLAN, so 'one per VLAN' is still one. Option D is wrong because a single attachment supports only one BGP session; a second session, and with it a second interface, appears only when a second VLAN attachment is added.

179
MCQhard

A company has a VPC with multiple subnets and uses Cloud VPN tunnels to connect to on-premises. They want to ensure that only traffic destined for on-premises is sent through the VPN tunnels; all other traffic should use the internet. Which route configuration should they implement?

A.Add a static route for 0.0.0.0/0 with next hop VPN gateway, and set a lower priority than the internet default route.
B.Use Cloud Router with BGP to exchange specific routes with on-premises, and keep the default internet route for other traffic.
C.Configure the Cloud VPN to advertise a default route to on-premises, and rely on local preference.
D.Use VPC Network Peering with the on-premises network and configure custom route exchange.
AnswerB

BGP-learned specific routes will override the default route for those destinations.

Why this answer

Option B is correct because using Cloud Router with BGP allows the VPC to dynamically learn specific routes from the on-premises network via the VPN tunnels. The default route (0.0.0.0/0) remains pointing to the internet gateway, so only traffic destined for the learned on-premises prefixes is sent through the VPN, while all other traffic uses the internet. This provides precise control without overriding the default route.

Exam trap

Google Cloud often tests the misconception that a default route (0.0.0.0/0) must be manipulated to direct traffic to on-premises, when in fact the correct approach is to use more specific routes learned via BGP to selectively direct only on-premises-destined traffic through the VPN.

How to eliminate wrong answers

Option A is wrong because a 0.0.0.0/0 route whose next hop is the VPN gateway competes with the existing default route on priority alone: both have the same zero-length prefix, so whichever has the lower priority number wins for every destination and the other never carries anything. Either all internet-bound traffic goes through the VPN or the new route is inert; a default route cannot select only on-premises destinations. Option C is wrong because advertising a default route toward on-premises affects what the on-premises network sends to the cloud, not which cloud traffic enters the tunnel. Option D is wrong because VPC Network Peering connects VPC networks within Google Cloud; it cannot terminate a VPN tunnel or reach an on-premises network.

180
MCQeasy

A network engineer needs to design a VPC network for a global application that will have Compute Engine instances in multiple regions. The instances need to communicate with each other using internal IP addresses. What is the simplest way to enable this communication?

A.Use Dedicated Interconnect to connect regions.
B.Use Cloud VPN to connect the instances.
C.Create a single VPC network with subnets in each region.
D.Create separate VPC networks per region and peer them.
AnswerC

A global VPC network inherently provides internal connectivity across regions.

Why this answer

A single VPC network is global and can contain subnets in any region. By placing subnets in each required region within the same VPC, instances can communicate using internal IP addresses (RFC 1918) without any additional connectivity services. This is the simplest and most scalable approach because VPCs inherently provide global routing between subnets.

Exam trap

The trap here is that candidates may overcomplicate the solution by thinking inter-region communication requires explicit connectivity services like VPN or peering, when in fact a single global VPC network provides this natively.

How to eliminate wrong answers

Option A is wrong because Dedicated Interconnect is a hybrid connectivity service for connecting on-premises networks to GCP, not for enabling inter-region communication within GCP. Option B is wrong because Cloud VPN is also a hybrid connectivity solution for connecting external networks to GCP; using it to connect instances within the same cloud would add unnecessary complexity and latency. Option D is wrong because peering separate VPC networks per region would require explicit peering configurations and does not provide the automatic, global routing that a single VPC offers, making it more complex and less efficient.

181
Multi-Selecteasy

Which TWO of the following are required to enable Private Google Access for a subnet?

Select 2 answers
A.Create a private services access connection.
B.Enable Private Google Access on the subnet.
C.Create a Cloud NAT.
D.Configure a default route with next-hop internet gateway.
E.Enable VPC flow logs.
AnswersB, D

This setting is required at the subnet level.

Why this answer

To use Private Google Access you enable the setting on the subnet (option B), and the VPC must have a route with next hop default internet gateway that covers the IP ranges of Google APIs, which the default 0.0.0.0/0 route provides (option D); egress firewall rules must also permit traffic to those ranges, and DNS must resolve the API hostnames. Option C is wrong because Cloud NAT is not required; Private Google Access works for VMs with no external IP and no NAT. Option A is wrong because private services access is a VPC peering arrangement for Google-managed services such as Cloud SQL, not for API access.

Option E is wrong because VPC Flow Logs are an optional observability feature.

182
MCQmedium

A customer is configuring a route-based IPsec VPN tunnel to Google Cloud. On their on-premises router, they must specify traffic selectors (proxy IDs). What should they set the local and remote traffic selectors to?

A.Configure IKE version to match.
B.Set local to on-prem subnet and remote to VPC subnet.
C.Use policy-based VPN instead.
D.Set both local and remote traffic selectors to 0.0.0.0/0.
AnswerD

Route-based tunnels use wildcard selectors; routing decisions are based on routes, not selectors.

Why this answer

Option D is correct: for a route-based VPN the on-premises traffic selectors (proxy IDs) must be 0.0.0.0/0 for both local and remote, because the tunnel carries whatever the routing table sends into it. Cloud VPN's route-based tunnels use 0.0.0.0/0 on the Google side, and the on-premises side must match. Option B is wrong because specific local and remote subnets are policy-based selectors; the question specifies route-based, and an on-premises selector narrower than Cloud VPN's 0.0.0.0/0 can keep the child SA from negotiating or leave traffic outside the selector undelivered. Option A is wrong because the IKE version must match for the tunnel to come up at all, but it has nothing to do with traffic selectors.

Option C is wrong because switching to a policy-based VPN changes the design instead of answering the question as posed.

183
MCQhard

A global company has multiple on-premises data centers connected to Google Cloud via separate Dedicated Interconnects. Each on-premises site advertises the same IP prefix for a critical application. They want to ensure that traffic from Google Cloud to that prefix is load-balanced across the two interconnects and also provide automatic failover. Which configuration on Cloud Router meets this requirement?

A.Configure Cloud Router with the same MED value for both paths
B.Use BGP multipath on Cloud Router with 'maximum-paths' set to 2
C.Ensure on-premises routers advertise the prefix with the same AS_PATH length and MED
D.Enable 'set-community' on the on-premises routers to mark routes equally
AnswerC

ECMP requires equal BGP path attributes including AS_PATH length and MED.

Why this answer

The VPC installs a learned route for each BGP session that advertises the prefix, and those routes have equal priority only when the advertisements carry the same MED (Cloud Router turns the MED into the route priority) and the same AS_PATH length. Equal-priority routes to the same destination are spread across their next hops with ECMP; when one session drops, its route is withdrawn and all traffic fails over to the remaining path. Making both on-premises routers advertise with identical attributes is therefore the whole configuration. Option A is wrong because the MED Cloud Router sets governs what it advertises outward, not how inbound paths compare; option B is wrong because Cloud Router has no maximum-paths setting; option D is wrong because BGP communities play no part in this route selection.
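The following is an added example, not code from the exam page or from Google: a small Python model of the two route-selection rules behind questions 179 and 183, longest prefix match before priority, then ECMP across routes that tie on both. The route table, tunnel names and BGP advertisements are constructed, and the way routes_from_bgp turns MED and AS_PATH length into a route priority is a simplification stated in its docstring, not a description of Cloud Router internals.

```python
# Added example for questions 179 and 183; not code from the page or from Google.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dest: str       # destination prefix in CIDR notation
    next_hop: str   # "subnet", "default-internet-gateway" or a tunnel/attachment name
    priority: int   # lower value is preferred, as in Google Cloud


def select(routes, dst):
    """Return the sorted ECMP set of next hops for one destination address."""
    addr = ip_address(dst)
    matching = [r for r in routes if addr in ip_network(r.dest)]
    if not matching:
        return []
    # Rule 1: the most specific prefix wins before priority is even consulted,
    # which is why a BGP-learned /16 beats the 0.0.0.0/0 default (question 179).
    longest = max(ip_network(r.dest).prefixlen for r in matching)
    matching = [r for r in matching if ip_network(r.dest).prefixlen == longest]
    # Rule 2: among equally specific routes the lowest priority number wins.
    best = min(r.priority for r in matching)
    # Rule 3: every remaining tie is an ECMP member and shares the traffic.
    return sorted(r.next_hop for r in matching if r.priority == best)


def routes_from_bgp(prefix, advertisements):
    """Turn BGP advertisements for one prefix into dynamic routes.

    Simplified model, an assumption of this example rather than a description
    of Cloud Router internals: only advertisements with the shortest AS_PATH
    are installed, and each installed route takes its MED as the priority.
    Equal MED and equal AS_PATH length therefore give equal-priority routes,
    the ECMP condition that question 183 asks for.
    """
    shortest = min(a["as_path_len"] for a in advertisements)
    return [Route(prefix, a["next_hop"], a["med"])
            for a in advertisements if a["as_path_len"] == shortest]


# Constructed VPC route table for question 179: the default route stays on the
# internet gateway and one prefix learned over BGP points at the VPN tunnel.
VPC_ROUTES = [
    Route("10.128.0.0/20", "subnet", 0),                   # subnet route; wins by prefix length
    Route("0.0.0.0/0", "default-internet-gateway", 1000),  # default route
    Route("192.168.0.0/16", "vpn-tunnel-1", 100),          # learned from on-premises
]

# Constructed advertisements for question 183: two sites announce one prefix.
SITE_ADS = [
    {"next_hop": "interconnect-site-a", "med": 100, "as_path_len": 1},
    {"next_hop": "interconnect-site-b", "med": 100, "as_path_len": 1},
]


def main():
    print(select(VPC_ROUTES, "192.168.10.5"))  # ['vpn-tunnel-1']
    print(select(VPC_ROUTES, "8.8.8.8"))       # ['default-internet-gateway']
    # Option A of question 179: a 0.0.0.0/0 route to the VPN competes with the
    # existing default on priority alone, so it takes all traffic or none.
    print(select(VPC_ROUTES + [Route("0.0.0.0/0", "vpn-tunnel-1", 500)], "8.8.8.8"))   # ['vpn-tunnel-1']
    print(select(VPC_ROUTES + [Route("0.0.0.0/0", "vpn-tunnel-1", 2000)], "8.8.8.8"))  # ['default-internet-gateway']
    # Question 183: identical attributes give ECMP; a prepended AS_PATH does not.
    print(select(routes_from_bgp("172.16.0.0/12", SITE_ADS), "172.16.5.1"))
    prepended = [dict(SITE_ADS[0]), dict(SITE_ADS[1], as_path_len=3)]
    print(select(routes_from_bgp("172.16.0.0/12", prepended), "172.16.5.1"))  # ['interconnect-site-a']


if __name__ == "__main__":
    main()
```

Run it directly to print the cases. The instructive one is the 0.0.0.0/0-to-VPN route from option A of question 179: it either takes every internet-bound packet or none, and nothing but its priority number decides which.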

184
Multi-Selectmedium

A company wants to establish a VPC peering connection between two VPCs in different projects. Which two steps are mandatory to create the peering connection?

Select 2 answers
A.Assign a public IP to the VMs in both VPCs.
B.Ensure the VPCs have non-overlapping subnet IP address ranges.
C.Create a peering connection from each project's VPC to the other.
D.Create a firewall rule allowing all traffic between the VPCs.
E.Configure a Cloud Router with BGP sessions.
AnswersB, C

Overlapping ranges cause routing conflicts and are not allowed in VPC peering.

Why this answer

Option B is correct because VPC peering relies on private IP routing between the two VPCs. If the IP address ranges overlap, the VPC route tables cannot distinguish which VPC a packet belongs to, causing routing conflicts and preventing the peering connection from being established. Google Cloud requires that the VPCs have non-overlapping subnet CIDR blocks for successful peering.

Exam trap

Google Cloud often tests the misconception that firewall rules are mandatory for creating a VPC peering connection, but in reality, the peering is a network-layer connectivity setup that can exist without any firewall rules, which are only needed to allow traffic after the peering is active.
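An added example, not code from the page: a pre-flight overlap check for the two situations on this page that hinge on overlapping ranges, the advertised 10.0.0.0/8 of question 177 and the peering prerequisite of question 184. Feed it the primary and secondary ranges of each VPC (for peering, ranges of networks already peered with either side count as well) and the prefixes your BGP peers advertise. All ranges below are constructed.

```python
# Added example for questions 177 and 184; not code from the page or from Google.
from ipaddress import ip_network


def find_overlaps(left, right):
    """Return every (left_range, right_range) pair of CIDRs that overlap.

    Ranges of different IP versions never overlap; strict=False tolerates
    ranges written with host bits set, as people often type them.
    """
    clashes = []
    for a in left:
        for b in right:
            net_a, net_b = ip_network(a, strict=False), ip_network(b, strict=False)
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                clashes.append((a, b))
    return clashes


def peering_allowed(vpc_a_ranges, vpc_b_ranges):
    """Question 184: VPC Network Peering is rejected while any subnet range
    (primary or secondary) in one VPC overlaps a range in the other."""
    return not find_overlaps(vpc_a_ranges, vpc_b_ranges)


def shadowed_by_subnet(vpc_ranges, learned_prefix):
    """Question 177: the slices of a prefix learned over BGP that fall inside
    the VPC's own subnet ranges are served by the subnet routes, never by the
    dynamic route, so traffic for them stays local. Returns those ranges."""
    return [sub for sub, _ in find_overlaps(vpc_ranges, [learned_prefix])]


# Constructed ranges for the demonstration.
VPC_A = ["10.0.0.0/16", "172.16.0.0/12"]            # primary plus a secondary range
VPC_B = ["10.1.0.0/16"]
VPC_C = ["10.0.128.0/17", "192.168.0.0/24"]
AUTO_MODE_VPC = ["10.128.0.0/20", "10.132.0.0/20"]  # auto mode subnets in two regions


def main():
    print(peering_allowed(VPC_A, VPC_B))                      # True
    print(find_overlaps(VPC_A, VPC_C))                        # [('10.0.0.0/16', '10.0.128.0/17')]
    print(shadowed_by_subnet(AUTO_MODE_VPC, "10.0.0.0/8"))    # both auto mode subnets
    print(shadowed_by_subnet(AUTO_MODE_VPC, "10.10.0.0/16"))  # []


if __name__ == "__main__":
    main()
```

The second shadowed_by_subnet call is the point of question 177 in reverse: a /16 that misses every subnet range is installed and used as a whole, while the /8 that covers the auto mode ranges is silently hollowed out for exactly those ranges.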

185
Multi-Selectmedium

A company is planning to migrate workloads to Google Cloud and needs to establish hybrid connectivity with high bandwidth (10 Gbps) and low latency. They also require the ability to scale bandwidth up to 80 Gbps in the future. Which TWO options should they consider?

Select 2 answers
A.CDN Interconnect
B.Dedicated Interconnect
C.Direct Peering
D.Cloud VPN with multiple tunnels
E.Partner Interconnect
AnswersB, E

Dedicated Interconnect connections are built from 10 Gbps or 100 Gbps circuits, and one connection can bundle up to 8 x 10 Gbps (80 Gbps) or 2 x 100 Gbps; Partner Interconnect attachments are ordered at fixed sizes and can be combined.

Why this answer

Dedicated Interconnect provides a direct physical connection between your on-premises network and Google's network in a colocation facility, with circuits of 10 Gbps or 100 Gbps. It satisfies the 10 Gbps, low-latency requirement and scales to 80 Gbps by adding circuits to the same connection (up to 8 x 10 Gbps) or by moving to a 100 Gbps circuit, and it is the only option with dedicated, unshared capacity. Partner Interconnect (option E) reaches Google through a supported service provider's facility, so it needs no presence in a Google colocation facility; VLAN attachments are ordered in fixed sizes from 50 Mbps up to tens of gigabits and several can be combined, so it also meets 10 Gbps with headroom to grow, at the cost of a last leg shared through the provider.

Exam trap

Google Cloud often tests the misconception that Direct Peering or Cloud VPN can meet high-bandwidth, low-latency requirements, but Direct Peering lacks SLA and scalability, and Cloud VPN is limited by internet performance and cannot guarantee 10 Gbps.

186
MCQmedium

A company has deployed a web application behind an External HTTP(S) Load Balancer with Cloud Armor. They want to restrict access to a specific URL path /admin to only users from a specific IP range (198.51.100.0/24). The engineer creates a Cloud Armor security policy with two rules: Rule 1 (priority 1000) with match expression "request.path == '/admin' && inIpRange(source.ip, '198.51.100.0/24')" and action "allow". Rule 2 (priority 2147483647) with match "request.path == '/admin'" and action "deny". After testing, users from the allowed IP range receive a 403 error when accessing /admin. The Cloud Armor logs show that the request was denied. The engineer confirms that the policy is attached to the backend service and that the source IP in the logs matches the allowed range. What is the most likely cause of the denial?

A.The allow rule is missing a condition to also check the request path because the path condition is not supported in Cloud Armor.
B.The allow rule's condition is incorrect because it should use "origin.ip" instead of "source.ip".
C.The user's source IP is being translated by a NAT or proxy, so it doesn't match the allowed range.
D.The allow rule's priority is 1000, which is lower than the deny rule, but the deny rule still overrides.
AnswerC

This is the most likely cause; the actual source IP seen by the load balancer is different.

Why this answer

Option C is correct because Cloud Armor matches inIpRange() against the client address of the connection that the load balancer accepts. When users reach the load balancer through a forward proxy or a NAT, that address is the proxy's or NAT's egress address, not the user's workstation address; the allow rule at priority 1000 does not match, the request falls through to the deny at priority 2147483647, and the user sees a 403. The statement that 'the source IP in the logs matches the allowed range' is the distractor: the address to compare is the remote IP that Cloud Armor records for the connection, not an address the client reports in a header or believes it has. If the users are meant to arrive through that proxy, the fix is to allow the proxy's egress range.

Exam trap

Google Cloud often tests the misconception that the client address Cloud Armor matches is the user's own address, when it is the address of the last hop that opened the connection to the load balancer, which may be a NAT or a forward proxy.

How to eliminate wrong answers

Option A is wrong because request.path is a supported attribute in Cloud Armor's custom rules language. Option B is wrong in the scenario as posed: the policy was created, attached and is producing log entries, so its expressions were accepted. Be aware, though, that the attribute the custom rules language documents for the client address is origin.ip (as in inIpRange(origin.ip, '198.51.100.0/24')); check attribute names against the reference rather than against this question's wording. Option D is wrong because priority works as described: the rule with the lower number (1000) is evaluated before the rule with the higher number (2147483647) and evaluation stops at the first match, so a matching allow rule would have ended evaluation before the deny rule was reached.

187
MCQhard

Refer to the exhibit. A Cloud Armor security policy with the shown rules is applied to an HTTPS load balancer. Users from IP 10.0.1.1 are reporting they cannot access the website. What is the issue?

A.The load balancer is not configured to use the security policy.
B.The allow rule with priority 2000 does not apply because the deny rule is evaluated first.
C.The deny rule has higher priority and blocks traffic from 10.0.0.0/8.
D.The IP range in the deny rule is too broad.
AnswerC

The deny rule with priority 1000 matches 10.0.1.1 and blocks it.

Why this answer

Option C is correct because Cloud Armor security policies evaluate rules in priority order, with lower numbers having higher priority. The deny rule at priority 1000 matches the source IP range 10.0.0.0/8, which includes the user's IP 10.0.1.1, and is evaluated before the allow rule at priority 2000. Since the deny rule is matched first, the request is blocked, preventing access to the HTTPS load balancer.

Exam trap

Google Cloud often tests the misconception that deny rules are always evaluated before allow rules, but the trap here is that Cloud Armor uses numeric priority to determine evaluation order, not rule type.

How to eliminate wrong answers

Option A is wrong because the exhibit explicitly states the security policy is applied to the HTTPS load balancer, so the load balancer is configured to use it. Option B is wrong because Cloud Armor does not evaluate rules in a 'deny-first' order; it uses numeric priority, and the deny rule at priority 1000 is evaluated before the allow rule at priority 2000, not because it is a deny rule but because it has higher priority. Option D is wrong because the IP range 10.0.0.0/8 is not too broad for the intended purpose; the issue is that the deny rule's priority causes it to block the user's IP, not that the range is excessively wide.
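An added example, not code from the page or from Google: a minimal evaluator for the Cloud Armor rule sets in questions 186 and 187. Rules are tried in ascending priority number and the first match decides, which is all that both questions turn on. Only the expression forms the page uses are parsed (request.path == '...', inIpRange(..., 'CIDR'), && and the '*' catch-all); the page writes the client address as source.ip while Cloud Armor's custom rules reference documents origin.ip, so both spellings are accepted. The allow rule for question 187 is an assumption, since the exhibit is not reproduced, and every address is constructed.

```python
# Added example for questions 186 and 187; not code from the page or from Google.
import re
from ipaddress import ip_address, ip_network

# The page writes the client address as source.ip; Cloud Armor's custom rules
# language documents origin.ip. Both are accepted so the page's rules parse.
_PATH = re.compile(r"request\.path\s*==\s*'([^']*)'")
_RANGE = re.compile(r"inIpRange\((?:origin|source)\.ip,\s*'([^']*)'\)")
DEFAULT_RULE_PRIORITY = 2147483647


def _term_matches(term, req):
    """Evaluate one &&-separated term against a request {'ip': ..., 'path': ...}."""
    term = term.strip()
    if term == "*":                      # the catch-all used by the default rule
        return True
    if m := _PATH.fullmatch(term):
        return req["path"] == m.group(1)
    if m := _RANGE.fullmatch(term):
        return ip_address(req["ip"]) in ip_network(m.group(1), strict=False)
    raise ValueError(f"unsupported expression: {term!r}")


def matches(expression, req):
    """A rule matches only when every && term matches."""
    return all(_term_matches(t, req) for t in expression.split("&&"))


def first_match(policy, req):
    """Return the first matching rule in ascending priority order, or None.

    Evaluation stops at the first match, so a deny with a lower number than an
    allow wins even though the allow would also have matched (question 187).
    """
    for rule in sorted(policy, key=lambda r: r["priority"]):
        if matches(rule["match"], req):
            return rule
    return None


def evaluate(policy, req):
    """Return (action, priority) for the request; a real policy always ends in '*'."""
    rule = first_match(policy, req)
    if rule is None:
        raise LookupError("no rule matched; the default rule should be '*'")
    return rule["action"], rule["priority"]


def reprioritise(policy, old_priority, new_priority):
    """Copy of the policy with one rule moved to a new priority number."""
    return [dict(r, priority=new_priority) if r["priority"] == old_priority else dict(r)
            for r in policy]


# Question 186, transcribed as the page states the rules (constructed addresses).
ADMIN_POLICY = [
    {"priority": 1000,
     "match": "request.path == '/admin' && inIpRange(source.ip, '198.51.100.0/24')",
     "action": "allow"},
    {"priority": DEFAULT_RULE_PRIORITY, "match": "request.path == '/admin'", "action": "deny"},
]

# Question 187: the deny on 10.0.0.0/8 at priority 1000 is as stated; the allow
# rule's expression is assumed because the exhibit is not on the page.
EXHIBIT_POLICY = [
    {"priority": 1000, "match": "inIpRange(origin.ip, '10.0.0.0/8')", "action": "deny"},
    {"priority": 2000, "match": "inIpRange(origin.ip, '10.0.1.0/24')", "action": "allow"},
    {"priority": DEFAULT_RULE_PRIORITY, "match": "*", "action": "allow"},
]


def main():
    print(evaluate(ADMIN_POLICY, {"ip": "198.51.100.7", "path": "/admin"}))  # ('allow', 1000)
    # The same user behind a proxy whose egress address is 203.0.113.9:
    print(evaluate(ADMIN_POLICY, {"ip": "203.0.113.9", "path": "/admin"}))   # ('deny', 2147483647)
    print(evaluate(EXHIBIT_POLICY, {"ip": "10.0.1.1", "path": "/"}))         # ('deny', 1000)
    # Fix for question 187: give the allow a lower number than the deny.
    fixed = reprioritise(EXHIBIT_POLICY, 2000, 900)
    print(evaluate(fixed, {"ip": "10.0.1.1", "path": "/"}))                  # ('allow', 900)


if __name__ == "__main__":
    main()
```

ADMIN_POLICY is transcribed as the question states it, and first_match returns None for a request to any path other than /admin. That is the practical reason a real policy's rule at priority 2147483647 is the '*' default with only its action editable; a path-scoped deny belongs at a lower number above it.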

188
MCQeasy

A startup wants to create a VPC with a subnet that can grow automatically as they add more VM instances. Which subnet type should they use?

A.Custom mode subnet
B.Dynamic subnet
C.Legacy network
D.Auto mode subnet
AnswerD

Auto mode networks create one subnet per region automatically, including in regions that launch later; no subnet's IP range grows on its own.

Why this answer

An auto mode VPC network automatically creates a /20 subnet in every Google Cloud region, drawn from the 10.128.0.0/9 block, and adds a subnet whenever Google launches a new region, so regional capacity appears without manual work. That is the 'automatic growth' this question refers to. No subnet type expands its IP range by itself: a /20 gives 4,092 usable addresses per region (four are reserved), and when more are needed the primary range of a subnet, auto or custom mode, is expanded manually, for example with gcloud compute networks subnets expand-ip-range. Two caveats for a startup: an auto mode network can be converted to custom mode but never back, and its fixed 10.128.0.0/9 ranges collide with every other auto mode network, which matters as soon as peering or hybrid connectivity is planned.

Exam trap

Google Cloud often tests the distinction between auto mode and custom mode, and candidates either pick 'dynamic subnet', which does not exist, or assume custom mode subnets are created automatically. Only auto mode creates regional subnets on its own, and in neither mode does an existing range expand without an explicit expand-ip-range operation.

How to eliminate wrong answers

Option A is wrong because custom mode subnets are created one at a time with ranges you choose; nothing is created automatically. Option B is wrong because 'dynamic subnet' is not a Google Cloud subnet type; the modes are auto and custom. Option C is wrong because legacy networks are deprecated, cannot be created in new projects, and have a single global range with no regional subnets at all, so subnet-level features such as Private Google Access and alias IP ranges are unavailable.

189
Multi-Selectmedium

Which TWO of the following are valid methods to reduce latency between users in Europe and a GCP-hosted application?

Select 2 answers
A.Establish a Cloud VPN tunnel to the user's ISP.
B.Use Cloud CDN to cache content at edge locations.
C.Use Premium Tier networking instead of Standard Tier.
D.Use Cloud NAT for outbound traffic.
E.Deploy Compute Engine instances in a European region.
AnswersB, E

Brings content closer to users.

Why this answer

Cloud CDN uses Google's globally distributed edge caches to serve content from locations closer to users, reducing round-trip time and latency. For users in Europe, cached static or dynamic content is delivered from a nearby edge PoP, bypassing the need to fetch from the origin server in a potentially distant region.

Exam trap

Google Cloud often tests the misconception that Premium Tier networking alone reduces latency for end users, but the real latency reduction comes from deploying resources in the same continent as the users (Option E) or using CDN edge caching (Option B), not just the network tier.

190
Multi-Selecthard

A company wants to prevent data exfiltration from a Google Cloud Storage bucket that contains sensitive data. They plan to use VPC Service Controls. Which two steps are necessary to implement this? (Choose two.)

Select 2 answers
A.Add the storage bucket to a VPC Service Controls perimeter and restrict access to only trusted VPC networks.
B.Enable VPC Service Controls on the project and define ingress and egress rules.
C.Set up an Organization Policy to deny all public access to storage buckets.
D.Configure the service perimeter to allow access only from authorized IP ranges.
E.Create a service perimeter that includes the storage bucket and the VPC network.
AnswersA, B

The bucket (via its project) is added to the perimeter, and ingress rules restrict access from trusted VPCs.

Why this answer

Option A is correct because VPC Service Controls allows you to define a service perimeter that includes a Cloud Storage bucket, and within that perimeter you can restrict access to only trusted VPC networks. This prevents data exfiltration by ensuring that only resources within the specified VPC networks can access the bucket, blocking any access from outside the perimeter, including the public internet or other networks.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls uses IP-based allowlisting (like firewall rules) or that you can add individual resources (like a bucket) directly to a perimeter, when in reality perimeters are project-based and rely on network context rather than IP addresses.

191
MCQeasy

A company has two VPCs in the same project: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). They want to allow SSH from VPC-A to instances in VPC-B. The network admin creates a firewall rule with source range 10.0.0.0/16 and protocol tcp:22, but connectivity fails. What is the most likely cause?

A.The rule is created in VPC-A instead of VPC-B.
B.The source range should be 10.0.0.0/8.
C.The target tag is not specified.
D.The source tag is missing.
AnswerA

Firewall rules apply to the VPC they are created in. An ingress rule for VPC-B must be created in VPC-B.

Why this answer

Firewall rules in Google Cloud are applied at the network level, not the instance level. To allow inbound SSH traffic from VPC-A to instances in VPC-B, the firewall rule must be created in VPC-B (the destination network) with the source range set to 10.0.0.0/16. Creating the rule in VPC-A would only affect traffic destined for instances in VPC-A, not VPC-B.

Exam trap

Google Cloud often tests the misconception that firewall rules are applied at the source network or that rules are global across VPCs, when in fact each VPC has its own independent set of firewall rules and ingress rules must be in the destination VPC.

How to eliminate wrong answers

Option B is wrong because using 10.0.0.0/8 would unnecessarily broaden the source range to include other RFC 1918 addresses, which is not the cause of the failure and could introduce security risks. Option C is wrong because target tags are optional; if no target tags are specified, the rule applies to all instances in the VPC, so missing tags would not prevent connectivity. Option D is wrong because source tags are not used in this scenario; source filtering is done via source ranges (CIDR blocks), not tags, and omitting a source tag does not affect the rule's operation.

192
MCQhard

Refer to the exhibit. A request arrives with User-Agent 'GoodBot' and path '/admin'. What action does Cloud Armor take?

A.Deny the request because the rule with priority 300 has a higher priority number but matches path.
B.Allow the request because of the default rule at priority 1000.
C.Deny the request because both rules match and deny takes precedence.
D.Allow the request because the rule with priority 200 matches and allows it.
AnswerD

Priority 200 is evaluated before 300 and matches.

Why this answer

Option D is correct because Cloud Armor evaluates rules in order of priority (lowest number = highest priority). The rule with priority 200 matches the request (User-Agent 'GoodBot' and path '/admin') and explicitly allows it. Once a matching allow rule is found, evaluation stops, and the request is allowed, overriding any lower-priority rules.

Exam trap

Google Cloud often tests the misconception that deny rules always override allow rules, but in Cloud Armor, the first matching rule (by priority) determines the action, regardless of whether it is allow or deny.

How to eliminate wrong answers

Option A is wrong because priority 300 is a higher number (lower priority) than 200, and Cloud Armor evaluates rules from lowest to highest priority number; the rule at priority 200 matches first and allows the request, so the rule at priority 300 is never reached. Option B is wrong because the default rule at priority 1000 only applies if no higher-priority rule matches; here, priority 200 matches and allows the request, so the default rule is not invoked. Option C is wrong because deny does not automatically take precedence; Cloud Armor uses first-match semantics based on priority, and the first matching rule (priority 200) allows the request, so no deny action occurs.

193
MCQmedium

A company has deployed a Global External Application Load Balancer with Premium Tier and enables Cloud CDN. Users in Europe report high latency, while users in the US have good performance. The backend is a regional NEG in us-west1. What is the most likely cause?

A.The load balancer is using Premium Tier, which routes to the nearest backend; the backend is only in us-west1.
B.Cloud CDN is not enabled on the load balancer.
C.The load balancer is using Standard Tier, which does not support global anycast.
D.The origin server is sending 'Cache-Control: private' headers, preventing Cloud CDN from caching.
AnswerD

Cloud CDN respects origin cache headers; private or no-store headers prevent caching, so all requests hit the backend.

Why this answer

Option D is correct because Cloud CDN cannot cache responses that include a 'Cache-Control: private' header. This header instructs intermediate caches (including CDN nodes) not to store the response, forcing all requests to go to the origin server in us-west1. Users in Europe experience high latency because their requests must traverse the long distance to the US origin, while US users benefit from shorter paths.

Enabling Cloud CDN alone does not guarantee caching; the origin must also allow caching by omitting 'private' or setting appropriate 'Cache-Control: public' and 'max-age' directives.

Exam trap

Google Cloud often tests the misconception that enabling Cloud CDN automatically caches all content, when in reality the origin's cache-control headers dictate cacheability, and 'Cache-Control: private' is a common reason for CDN bypass.

How to eliminate wrong answers

Option A is wrong because Premium Tier uses Google's global anycast network to route traffic to the nearest frontend IP address, not to the nearest backend; the backend location does not affect routing to the load balancer's global IP. Option B is wrong because the question states Cloud CDN is enabled on the load balancer, so the issue is not that CDN is disabled. Option C is wrong because the question explicitly states Premium Tier is used, not Standard Tier; Standard Tier would route traffic regionally and could cause high latency for European users, but that is not the case here.

194
Multi-Selecthard

Which THREE of the following are required to set up a highly available Cloud VPN with dynamic routing? (Choose THREE.)

Select 3 answers
A.A Cloud Router with BGP configured for each tunnel.
B.Two Cloud VPN gateways in different regions.
C.Redundant on-premises VPN gateways.
D.Two VPN tunnels from each gateway to the on-premises router.
E.A unique external IP address for each VPN gateway.
AnswersA, B, E

Cloud Router handles dynamic routing via BGP.

Why this answer

A is correct because Cloud VPN with dynamic routing requires a Cloud Router with BGP configured for each tunnel. BGP enables the exchange of routes between the on-premises network and Google Cloud, allowing automatic failover and route propagation. Without BGP, dynamic routing cannot function, and the VPN would rely on static routes, which do not support high availability.

Exam trap

The trap here is that candidates often think redundant on-premises gateways or multiple tunnels per gateway are required for high availability, but Google Cloud's HA VPN only requires two gateways in different regions, each with a unique IP and a Cloud Router with BGP, while on-premises redundancy is optional and not a Cloud-side requirement.

195
MCQhard

Refer to the exhibit. A Cloud VPN tunnel is configured between an on-premises router and Google Cloud. The BGP session is not established. The on-premises router shows 'Connection refused'. What is the most likely cause?

A.The Cloud VPN tunnel is not established.
B.The on-premises router's BGP configuration has the wrong ASN.
C.The BGP MD5 password is mismatched between the two peers.
D.The Cloud Router is not configured to accept BGP connections from this on-premises peer.
AnswerD

'Connection refused' indicates the Cloud Router TCP port 179 is not accepting the connection, likely because the BGP peer is not defined on the Cloud Router or the interface is down.

Why this answer

The 'Connection refused' error on the on-premises router indicates that the Cloud Router is actively rejecting the TCP connection attempt for the BGP session. This typically occurs when the Cloud Router does not have a BGP peer configured with the on-premises router's IP address, or the peer is in an 'inactive' state. Since the Cloud VPN tunnel itself can be established (option A is not necessarily true), the most likely cause is that the Cloud Router is not configured to accept BGP connections from this specific on-premises peer.

Exam trap

Google Cloud often tests the distinction between TCP-level errors (like 'Connection refused') and BGP-level errors (like ASN mismatch or MD5 failure), leading candidates to incorrectly choose B or C when they see a BGP-related symptom without analyzing the specific error message.

How to eliminate wrong answers

Option A is wrong because a 'Connection refused' error occurs at the TCP layer, which requires the underlying IP connectivity to be working; if the Cloud VPN tunnel were not established, the on-premises router would likely see 'No route to host' or a timeout, not a TCP reset. Option B is wrong because a mismatched ASN would cause the BGP session to be rejected after the TCP connection is established, resulting in a 'BGP Notification' or 'Open message error', not a 'Connection refused' at the TCP handshake stage. Option C is wrong because an MD5 password mismatch would still allow the TCP three-way handshake to complete; the BGP session would then fail with an authentication error (e.g., 'MD5 mismatch' or 'BGP Notification sent' after the OPEN message), not a 'Connection refused'.

196
Multi-Selecthard

A company has a VPC that is connected to an on-premises network via a Cloud VPN tunnel using dynamic routing (BGP). They have set up a Cloud Router with an advertised IP range of 10.0.0.0/8. The on-premises network advertises 172.16.0.0/12. They also have a custom static route in the VPC for 10.0.0.0/8 that points to a next-hop VPN tunnel (the same tunnel) with priority 100. Recently, they added a new subnet 10.1.0.0/24 in the VPC. Traffic from on-premises to 10.1.0.0/24 is not working. Which THREE steps should they take to troubleshoot and resolve the issue? (Choose 3.)

Select 3 answers
A.Change the static route priority to 1000 to match dynamic routes.
B.Verify that the Cloud Router is advertising the 10.1.0.0/24 subnet to on-premises.
C.Verify that the new subnet's range is allowed in the on-premises firewall and route tables.
D.Delete the static route for 10.0.0.0/8 and rely solely on dynamic routing.
E.Check the BGP session status between the Cloud Router and the on-premises router.
AnswersB, C, E

The Cloud Router may not automatically advertise new subnets unless configured to do so via custom advertisements.

Why this answer

The static route for 10.0.0.0/8 with priority 100 appears to conflict with the dynamically learned routes for the new subnet. Dynamic routes from Cloud Router have a default priority value of 1000, and because lower values take precedence in Google Cloud, the static route at 100 would win over a dynamic route for the same prefix. However, the static route points to the same VPN tunnel, and in any case the most specific route wins, so the priority difference is not the cause.

The subnet 10.1.0.0/24 is more specific than 10.0.0.0/8, so a dynamic route for 10.1.0.0/24 would be preferred regardless of the static route; a static route covering 10.0.0.0/8 does not block more specific routes. The likely problem is therefore that the Cloud Router is not advertising the new subnet to on-premises, that the on-premises router is not accepting or installing the update, or that the BGP session is down.

Option B is correct: verify that the Cloud Router is advertising the subnet. Option E is correct: check the BGP session status. Option C is correct: check the on-premises firewall and route tables.

Option A is incorrect because changing the priority would not address the cause, and Option D is incorrect because the static route can be kept for other subnets.

197
MCQeasy

Refer to the exhibit. Instances in subnet-b cannot access the internet through Cloud NAT. What is the most likely reason?

A.The firewall rules in subnet-b block egress.
B.The NAT IP address pool is exhausted.
C.Subnet-b has overlapping subnets.
D.Subnet-b is not included in the Cloud NAT configuration.
AnswerD

The exhibit shows only subnet-a in the NAT, so subnet-b has no NAT.

Why this answer

The Cloud NAT configuration only includes subnet-a, so subnet-b is not NATed.

198
MCQeasy

An engineer creates a Cloud NAT configuration as shown in the exhibit. The test-instance is created without an external IP address. However, the instance cannot reach the internet. What is the most likely cause?

A.The subnet subnet-a is in a region different from us-central1
B.The Cloud Router is not in the same zone as the instance
C.A firewall rule is blocking outbound traffic from the instance
D.Logging is enabled but not configured to send logs to Cloud Logging
AnswerA

Cloud NAT covers only subnets in the same region as the NAT router. If subnet-a is in another region, it is not covered.

Why this answer

Option A is correct because Cloud NAT is a regional resource that applies to all instances within a given region. The exhibit shows subnet-a is in a different region than us-central1, so the NAT gateway cannot route traffic from instances in that subnet. Even though the instance is in us-central1, the subnet's region mismatch means the NAT configuration does not apply, leaving the instance without internet access.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is zonal or that Cloud Router must be in the same zone as the instance, but the key trap here is that candidates overlook the regional scope of Cloud NAT and assume subnet location is irrelevant.

How to eliminate wrong answers

Option B is wrong because Cloud Router is a regional resource, not zonal, and does not need to be in the same zone as the instance; it only needs to be in the same region. Option C is wrong because the question states the instance cannot reach the internet, but no firewall rule is mentioned or implied; by default, VPC firewall rules allow outbound traffic, and the issue is specifically about NAT configuration. Option D is wrong because enabling logging is optional and does not affect the ability to reach the internet; it only controls whether NAT connection logs are sent to Cloud Logging.

199
MCQhard

Your company has a Dedicated Interconnect between on-premises and Google Cloud. After a maintenance window, some routes are missing from the on-premises side. On the Cloud Router, you see that the BGP session status is 'ESTABLISHED'. However, the route table on the on-premises router does not contain any of the VPC subnets. What is the most likely cause?

A.The Cloud Router is not configured to advertise any custom routes
B.MD5 authentication is enabled but passwords differ
C.The Cloud Router has an empty 'Advertised IP ranges' list
D.BGP configuration mismatch on the on-premises router
AnswerC

If the list is empty, no prefixes are advertised.

Why this answer

The BGP session is 'ESTABLISHED', confirming that the TCP connection and BGP peering are working correctly. However, the on-premises router is not receiving any VPC subnet routes because the Cloud Router's 'Advertised IP ranges' list is empty, meaning it is not advertising any routes to the peer. This is a common misconfiguration where the Cloud Router is configured to use custom route advertisements but the list of prefixes to advertise is left blank.

Exam trap

Google Cloud often tests the misconception that an 'ESTABLISHED' BGP session guarantees that routes are being exchanged, but in reality, the session can be up while no prefixes are advertised due to missing or empty route advertisement configurations.

How to eliminate wrong answers

Option A is wrong because the Cloud Router can be configured to advertise custom routes, but the issue is that the 'Advertised IP ranges' list is empty, not that custom routes are disabled entirely. Option B is wrong because if MD5 authentication passwords differed, the BGP session would not reach the 'ESTABLISHED' state; it would remain in 'ACTIVE' or 'IDLE'. Option D is wrong because a BGP configuration mismatch on the on-premises router would typically prevent the session from establishing, but the session is 'ESTABLISHED', indicating the BGP parameters (ASN, neighbor IP, etc.) match.

200
MCQhard

A multinational company has a Shared VPC environment with multiple service projects. They need to allow a specific service project to use its own Cloud DNS private zone that resolves to internal IPs in the Shared VPC. Which configuration ensures this without exposing the zone to other projects?

A.Create a private zone in the service project and use an inbound server policy.
B.Use VPC peering and allow the service project to manage DNS records.
C.Grant the service project access to the Shared VPC's private zone via IAM roles.
D.Create a DNS response policy in the Shared VPC host project and associate it with the service project's VPC.
AnswerD

Response policies enable selective DNS resolution for specific VPC networks.

Why this answer

Option D is correct: DNS response policies allow DNS resolution to be controlled per VPC network. By creating a response policy in the host project and associating it with the service project's VPC, only that project can use the private zone. Option A places the zone in the service project, but an inbound server policy is for resolution from on-premises; Option C would expose the zone to all projects; Option B adds unnecessary complexity.

201
MCQhard

A company is deploying a global HTTP load balancer with a backend service that spans multiple regions. The backend instances are in a managed instance group. They want to use Cloud CDN to cache content. What is the minimal set of configurations required on the backend bucket or instance group to enable Cloud CDN?

A.Configure Identity-Aware Proxy (IAP) on the backend service to allow cache
B.Use the gcloud compute backend-services update command with the --enable-cdn flag on the load balancer itself
C.Enable Cloud CDN on the backend service and ensure that the load balancer's frontend uses HTTP or HTTPS protocol
D.Create a Cloud Storage bucket with public access and set it as the backend
AnswerC

Cloud CDN is enabled at the backend service level; protocol must be HTTP(S).

Why this answer

Cloud CDN must be enabled on the backend service of the HTTP(S) load balancer, and the frontend must use HTTP or HTTPS because Cloud CDN only supports HTTP(S) protocols. This is the minimal configuration; no changes to the backend bucket or instance group are required beyond ensuring the backend service is correctly associated with the load balancer.

Exam trap

Google Cloud often tests the misconception that Cloud CDN requires a Cloud Storage bucket or that it can be enabled on the load balancer itself rather than on the backend service, leading candidates to select options that involve bucket creation or incorrect command syntax.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) is an authentication and authorization layer that does not affect caching; enabling IAP does not allow or enable Cloud CDN. Option B is wrong because the --enable-cdn flag is applied to the backend service, not directly to the load balancer itself; the command syntax is gcloud compute backend-services update BACKEND_SERVICE_NAME --enable-cdn. Option D is wrong because creating a Cloud Storage bucket with public access is not required; Cloud CDN can be enabled on a backend service that uses a managed instance group as its backend, and the bucket is only one possible backend type.

202
Matchingmedium

Match each network pricing model to its description.


Data leaving Google Cloud to the internet

Data entering Google Cloud (typically free)

Data transferred between regions within Google Cloud

Global network with consistent performance, higher cost

Lower cost, uses ISP networks for some hops

Why these pairings

Understanding pricing helps optimize network costs.

203
Multi-Selectmedium

A company is designing a network architecture with multiple VPCs and on-premises connectivity via Cloud VPN. They want to avoid IP address conflicts and ensure secure communication. Which three best practices should they follow? (Choose three.)

Select 3 answers
A.Use Cloud NAT for all outbound internet traffic from private VMs.
B.Use unique RFC 1918 IP address ranges for each VPC.
C.Enable VPC Network Peering between all VPCs to enable direct communication.
D.Set up firewall rules to allow only required traffic between VPCs and on-premises.
E.Configure Cloud Router with BGP to advertise on-premises prefixes to Cloud VPN.
AnswersB, D, E

Prevents IP overlap and routing issues.

Why this answer

Option B is correct because using unique RFC 1918 IP address ranges for each VPC prevents overlapping IP spaces, which is critical when connecting multiple VPCs and on-premises networks via Cloud VPN. Overlapping ranges would cause routing conflicts and make it impossible for Cloud Router and BGP to establish proper path selection, leading to dropped or misrouted traffic.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering alone solves IP conflicts, but in reality, peering requires non-overlapping IP ranges to function correctly, and overlapping ranges will cause peering to fail or produce unpredictable routing behavior.

204
MCQmedium

An organization has Compute Engine instances in a VPC without external IP addresses. They need to allow these instances to access Google Cloud Storage buckets but not the internet. What should they configure?

A.Enable Private Google Access on the subnets where the instances reside.
B.Set up Cloud NAT and configure a firewall rule to allow egress to Google Cloud Storage IP ranges.
C.Peer the VPC with the Google Cloud Storage service VPC.
D.Create an egress firewall rule allowing traffic to 0.0.0.0/0 and a route to the default internet gateway.
AnswerA

Allows instances to reach Google APIs and services using internal IPs.

Why this answer

Private Google Access allows Compute Engine instances without external IP addresses to reach Google APIs and services, including Cloud Storage, through the VPC network's default route to the internet gateway, but only to Google's published IP ranges. This is the correct solution because it provides the required access without exposing the instances to the general internet.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for outbound access to Google APIs, but Private Google Access is the correct mechanism for instances without external IPs to access Google services while blocking general internet traffic.

How to eliminate wrong answers

Option B is wrong because Cloud NAT would provide outbound connectivity to the internet, which is explicitly not allowed, and it would also require a default route to the internet gateway, defeating the restriction. Option C is wrong because Google Cloud Storage does not expose a VPC that can be peered; it is a global service accessed via API endpoints, not through VPC peering. Option D is wrong because allowing traffic to 0.0.0.0/0 with a route to the default internet gateway would grant full internet access, which violates the requirement to block internet access.

205
MCQmedium

An organization has multiple VPCs in different regions that need to connect to a single on-premises data center via Dedicated Interconnect. They want to minimize cost and complexity. What is the recommended architecture?

A.Use a single VPC and then use VPC Peering to connect to the other VPCs.
B.Use Cloud VPN for the additional VPCs to avoid additional interconnect costs.
C.Create a separate interconnect connection for each VPC.
D.Create a single interconnect connection and use multiple VLAN attachments, one per VPC.
AnswerD

One physical connection can support multiple VLAN attachments, each assigned to a different VPC.

Why this answer

Option D is correct because a single Dedicated Interconnect connection can support multiple VLAN attachments (each with a unique VLAN ID) to connect multiple VPCs in different regions to the same on-premises data center. This minimizes cost by using one physical connection and reduces complexity by avoiding separate interconnects or VPNs for each VPC.

Exam trap

The trap here is that candidates often assume each VPC requires its own physical interconnect, but Google Cloud tests the understanding that a single Dedicated Interconnect can be partitioned into multiple VLAN attachments to serve multiple VPCs, reducing cost and complexity.

How to eliminate wrong answers

Option A is wrong because VPC Peering does not provide connectivity to an on-premises data center; it only connects VPCs within Google Cloud, and a single VPC cannot span multiple regions for Dedicated Interconnect attachments. Option B is wrong because Cloud VPN introduces additional latency and bandwidth limitations compared to Dedicated Interconnect, and it does not eliminate the need for interconnect costs if you already have a Dedicated Interconnect for the primary VPC. Option C is wrong because creating a separate interconnect connection for each VPC significantly increases cost and operational complexity, as each connection requires its own physical circuit and Google Cloud charges per connection.

206
MCQmedium

A company is migrating its on-premises data center to Google Cloud. They currently have a Cloud VPN tunnel with dynamic routing (BGP) connecting their on-premises router (ASN 65001) to a Cloud Router in us-central1 (ASN 64512). The on-premises network uses IP range 10.0.0.0/8, and the Google Cloud VPC uses 172.16.0.0/12. After migration, they notice intermittent connectivity issues: traffic from on-premises to a new VM (172.16.1.2) is sometimes dropped, while other VMs in the same subnet work fine. The VM 172.16.1.2 is fine when accessed from other Google Cloud VMs. The team suspects asymmetric routing. Investigation shows that the on-premises router receives two routes for 172.16.1.2/32: one with next-hop as the Cloud VPN tunnel and another with next-hop as the internet (default route). No custom route advertisements are configured on the Cloud Router. The VPC has a default route (0.0.0.0/0) pointing to the internet gateway. What should the network engineer do to resolve the issue without breaking other connectivity?

A.Configure an inbound route filter on the Cloud Router to reject the BGP route 0.0.0.0/0 from the on-premises router.
B.Enable global routing on the VPC and create a more specific static route for 172.16.1.2/32 with next-hop as the VPN tunnel.
C.Create a second Cloud VPN tunnel from a different region and establish a new BGP session to load balance traffic.
D.Change the Cloud Router's BGP advertise-mode to 'custom' and advertise only the subnets that contain migrated VMs.
AnswerA

This prevents the on-premises router from injecting a default route, eliminating the asymmetric routing issue.

Why this answer

The intermittent connectivity to 172.16.1.2 is caused by asymmetric routing: on-premises traffic uses the BGP-learned /32 route (via VPN) to reach the VM, but return traffic from the VM follows the VPC's default route (0.0.0.0/0) to the internet gateway, which drops the packet because the source IP is from the on-premises range. By configuring an inbound route filter on the Cloud Router to reject the BGP route 0.0.0.0/0 from the on-premises router, the on-premises router will no longer have a default route pointing to the VPN tunnel, forcing it to use the more specific /32 route for 172.16.1.2 and eliminating the asymmetric path.

Exam trap

The trap here is that candidates focus on the on-premises router's routing table (the /32 route) and assume the issue is on-premises, but the real problem is the VPC's default route causing asymmetric return traffic, which is resolved by filtering the BGP advertisement of 0.0.0.0/0 from the Cloud Router to the on-premises router.

How to eliminate wrong answers

Option B is wrong because enabling global routing does not affect route selection for a single VM, and creating a static route for 172.16.1.2/32 with next-hop as the VPN tunnel would not fix the root cause—the on-premises router already has a more specific /32 route via BGP, and the issue is the default route on the VPC side causing asymmetric return traffic. Option C is wrong because adding a second VPN tunnel from a different region does not address the asymmetric routing problem; it would only provide additional paths without resolving the conflicting default route. Option D is wrong because changing the Cloud Router's advertise-mode to 'custom' and advertising only subnets would not prevent the on-premises router from receiving the default route (0.0.0.0/0) from the VPC, which is the source of the asymmetric routing; the issue is inbound filtering on the Cloud Router, not outbound advertisement.

207
MCQmedium

Refer to the exhibit. A BGP session between a Cloud Router and an on-premises router is not establishing. The Cloud Router logs show 'BGP_OPEN_MSG_ERROR: unsupported capability'. What is the most likely issue?

A.The on-premises router cannot reach the Cloud Router's BGP IP.
B.The BGP session is stuck in the Connect state due to firewall blocking TCP port 179.
C.The BGP ASN configured on the Cloud Router doesn't match the peer.
D.The on-premises router is attempting to negotiate a BGP capability that Cloud Router does not support, such as 4-byte ASNs or IPv6 unicast.
AnswerD

Cloud Router supports only basic BGP; advanced capabilities like 4-byte ASN or IPv6 may cause this error.

Why this answer

The error message 'BGP_OPEN_MSG_ERROR: unsupported capability' indicates that during the BGP OPEN message exchange, the on-premises router advertised a BGP capability (such as 4-byte ASN support or IPv6 unicast address family) that the Cloud Router does not support. This causes the Cloud Router to reject the OPEN message and reset the session. Option D correctly identifies this mismatch in negotiated capabilities.

Exam trap

Google Cloud often tests the distinction between BGP session failures caused by TCP-level issues (firewall, reachability) versus BGP protocol-level errors (OPEN message parameters), and the trap here is that candidates confuse a generic 'BGP session not establishing' with connectivity or ASN problems, ignoring the specific error message that points to capability negotiation.

How to eliminate wrong answers

Option A is wrong because reachability issues would manifest as a TCP connection failure (session stuck in Idle or Active state), not a BGP OPEN message error. Option B is wrong because firewall blocking TCP port 179 would prevent the TCP three-way handshake entirely, resulting in a Connect or Active state, not an OPEN message error after the TCP session is established. Option C is wrong because an ASN mismatch triggers a 'BGP_OPEN_MSG_ERROR: bad peer AS' or 'BGP Notification: OPEN Message Error/2 (bad peer AS)', not an 'unsupported capability' error.

208
Multi-Select · medium

A company is implementing VPC Service Controls to protect a managed project containing BigQuery datasets. They want to allow access from a specific service account in a different project. Which two configurations are required? (Choose TWO.)

Select 2 answers
A. Add the project containing the service account to the VPC Service Controls perimeter
B. Create a firewall rule in the client VPC allowing egress to the BigQuery API
C. Configure an IAM condition on the service account's roles to restrict access to the perimeter
D. Grant the appropriate IAM roles (e.g., BigQuery Data Viewer) to the service account on the BigQuery dataset
E. Enable Private Google Access on the subnet where the service account's VMs are located
Answers: A, D

Accessible resources are limited to perimeters that include the client project.

Why this answer

Option A is correct because VPC Service Controls use a perimeter to restrict access to managed services like BigQuery. Adding the project containing the service account to the perimeter allows that service account to access the protected BigQuery datasets, as the perimeter explicitly includes the project as an allowed member.

Exam trap

Google Cloud often tests the misconception that network-level controls (firewall rules, Private Google Access) can bypass VPC Service Controls, but the perimeter operates at the API layer and requires explicit project inclusion and IAM permissions.

209
MCQ · easy

You are troubleshooting an HA VPN connection between Google Cloud and on-premises. The tunnels appear as 'UP' but no routes are exchanged. The Cloud Router logs show 'BGP session state: IDLE'. What is the most likely cause?

A. The BGP keepalive timer is set too high on the on-premises router
B. BGP is not enabled on the Cloud Router
C. Firewall rules are blocking UDP port 179
D. The on-premises BGP peer is configured with a different next-hop IP
Answer: B

Without BGP, the session remains IDLE.

Why this answer

B is correct because the BGP session state IDLE indicates that BGP is not configured or enabled on the Cloud Router. Even though the IPsec tunnels are UP, no BGP routes can be exchanged if the BGP process itself is not running. In Google Cloud, you must explicitly enable BGP on the Cloud Router for each VPN tunnel; otherwise, the BGP session cannot transition from IDLE to any other state.

Exam trap

Google Cloud often tests the misconception that a BGP session stuck in IDLE is always a firewall or reachability issue, but in Google Cloud HA VPN, the most common cause is that BGP was never enabled on the Cloud Router, especially when the IPsec tunnels are UP and the candidate assumes BGP is automatically active.

How to eliminate wrong answers

Option A is wrong because a high BGP keepalive timer would cause the session to flap or time out (transition to IDLE after the hold timer expires), but the session would initially establish and show an ACTIVE or CONNECT state, not remain persistently IDLE. Option C is wrong because firewall rules blocking UDP port 179 would prevent the TCP connection for BGP (port 179 is TCP, not UDP), and the session would show CONNECT or ACTIVE, not IDLE. Option D is wrong because a different next-hop IP on the on-premises peer would affect route propagation or next-hop reachability, not the BGP session state; the session would still establish and show ESTABLISHED if the TCP connection and BGP open messages succeed.

210
Multi-Select · easy

Which TWO of the following load balancer types can distribute traffic to backends in multiple regions?

Select 2 answers
A. Internal HTTP(S) Load Balancer
B. External HTTP(S) Load Balancer
C. Internal TCP/UDP Load Balancer
D. External TCP/UDP Load Balancer
E. External SSL Proxy Load Balancer
Answers: B, E

This global LB can route traffic to backends in various regions based on location.

Why this answer

The External HTTP(S) Load Balancer is a global load balancer that can distribute traffic to backends in multiple regions using anycast IP addresses and Google's global network. It supports cross-regional backend services, making it suitable for global applications.

Exam trap

Google Cloud often tests the misconception that all external load balancers are global, but the External TCP/UDP Load Balancer is regional unless explicitly configured as a global proxy load balancer, which is a separate type (SSL Proxy or TCP Proxy).

211
MCQ · hard

A financial company requires encrypted traffic between on-premise and GCP. They have strict compliance requiring that encryption keys are managed on-premise and rotated every 30 days. Which connectivity solution should they use?

A. Cloud VPN with certificate-based authentication using on-prem CA
B. Cloud Interconnect with MACsec
C. Cloud VPN with IKEv2 and pre-shared keys
D. Cloud Interconnect with VLAN attachments
E. Partner Interconnect with a service provider that supports MACsec
Answer: B

MACsec provides encryption with customer-managed keys, easily rotated.

Why this answer

B is correct because MACsec (IEEE 802.1AE) provides encryption at Layer 2, which is required for Cloud Interconnect to secure traffic between on-premise and GCP. Unlike VPN solutions, MACsec allows the customer to manage encryption keys on-premise and rotate them every 30 days, meeting strict compliance requirements. Cloud Interconnect with MACsec ensures low-latency, high-bandwidth connectivity while keeping key management under the customer's control.

Exam trap

Google Cloud often tests the distinction between Layer 2 encryption (MACsec) and Layer 3 encryption (IPsec), and the trap here is that candidates assume Cloud VPN with IKEv2 or certificate-based authentication can satisfy on-premise key management, but GCP manages the IPsec keys, not the customer.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with certificate-based authentication uses TLS/IPsec encryption, which is managed by GCP and does not allow the customer to control key rotation on-premise. Option C is wrong because Cloud VPN with IKEv2 and pre-shared keys uses IPsec encryption where keys are managed by GCP, not on-premise, and pre-shared keys are not rotated every 30 days by default. Option D is wrong because Cloud Interconnect with VLAN attachments provides Layer 2 connectivity but does not include encryption; it relies on the customer to implement encryption separately, which does not meet the requirement for encrypted traffic.

Option E is wrong because Partner Interconnect with a service provider that supports MACsec still requires the service provider to manage the MACsec keys, violating the compliance requirement that keys be managed on-premise.

212
Drag & Drop · medium

Drag and drop the steps to configure Cloud Router with BGP for on-premises connectivity into the correct order.


Why this order

Cloud Router requires a router first, then a tunnel, followed by BGP configuration. Custom advertisements and verification complete the setup.

213
MCQ · easy

A company wants to connect on-premise to GCP via Cloud VPN with dynamic routing. They have two on-prem routers for redundancy. Which configuration ensures automatic failover?

A. Create two VPN tunnels each with static routes pointing to the other router
B. Create one VPN tunnel with BGP and two interfaces
C. Create two VPN tunnels using Cloud Router with BGP and the same ASN
D. Create two VPN tunnels with BGP but different ASNs on each tunnel
Answer: C

This allows BGP to automatically fail over traffic if one peer goes down.

Why this answer

Option C is correct because creating two VPN tunnels with Cloud Router using BGP and the same ASN on both on-prem routers enables dynamic routing and automatic failover. Cloud Router establishes BGP sessions with each on-prem router, and when both tunnels advertise the same routes with the same ASN, Cloud Router can detect a BGP session failure and automatically route traffic through the remaining healthy tunnel. This setup ensures seamless failover without manual intervention.

Exam trap

The trap here is that candidates often think different ASNs provide better redundancy, but in GCP Cloud Router, the same ASN is required for proper ECMP and automatic failover, as different ASNs can cause routing loops or incomplete failover.

How to eliminate wrong answers

Option A is wrong because static routes do not support dynamic failover; if one tunnel goes down, traffic continues to be sent to the failed tunnel until the static route is manually updated or a separate health-check mechanism is implemented. Option B is wrong because a single VPN tunnel with two interfaces does not provide redundancy; if the tunnel itself fails, both interfaces become unavailable, offering no failover. Option D is wrong because using different ASNs on each tunnel would cause the on-prem routers to be treated as separate BGP peers, preventing proper route advertisement and failover; Cloud Router expects the same ASN for redundant paths to correctly handle route selection and failover.

214
Multi-Select · easy

A company is designing a hybrid network with Cloud VPN. Which TWO best practices should they follow? (Choose TWO.)

Select 2 answers
A. Use a VPN tunnel per subnet.
B. Use static routes for simplicity.
C. Use pre-shared keys for authentication.
D. Use BGP with Cloud Router for dynamic routing.
E. Use a single VPN tunnel for all traffic.
Answers: C, D

Pre-shared keys are the default authentication method for Cloud VPN.

Why this answer

Pre-shared keys (PSKs) are a valid and commonly used authentication method for IPsec VPN tunnels in Google Cloud. They provide a simple, symmetric key-based mechanism to authenticate the VPN peers without requiring a PKI infrastructure, making them a best practice for straightforward deployments.

Exam trap

The trap here is that candidates often assume static routes are simpler and therefore better for hybrid networks, but the PCNE exam emphasizes dynamic routing (BGP) for reliability and scalability, and they may also overlook the need for multiple tunnels for redundancy.

215
MCQ · medium

A company plans to connect an on-premises network to Google Cloud using HA VPN with dynamic routing (BGP). The on-premises side supports BGP and has two independent routers for redundancy. The company wants to ensure failover within seconds if one tunnel goes down. Which configuration meets this requirement?

A. Create two Cloud VPN gateways in different regions, each with a tunnel to a different on-premises router, and configure a separate Cloud Router on each gateway with BGP.
B. Create two VPN tunnels from one Cloud VPN gateway to both on-premises routers, and configure one Cloud Router with active/passive BGP.
C. Create two Cloud VPN gateways in the same region, each with a tunnel to a different on-premises router, and use static routing with route metrics for failover.
D. Create two VPN tunnels from one Cloud VPN gateway to both on-premises routers, and configure a single Cloud Router with BGP.
Answer: A

Regional redundancy plus independent BGP sessions enable fast failover via BGP route withdrawals and advertisements.

Why this answer

Option A is correct because deploying two Cloud VPN gateways in different regions with separate Cloud Routers ensures true regional redundancy. If one gateway or its tunnel fails, BGP sessions on the other gateway remain active, and Google Cloud's network can immediately route traffic via the surviving path. This architecture meets the sub-second failover requirement by avoiding a single point of failure at the gateway level and leveraging BGP's fast convergence.

Exam trap

The trap here is that candidates assume multiple tunnels from a single gateway provide sufficient redundancy, overlooking that the gateway itself is a single point of failure; Google Cloud's HA VPN gateway is regional, not zonal, so a regional outage can bring down all tunnels on that gateway.

How to eliminate wrong answers

Option B is wrong because using a single Cloud VPN gateway creates a single point of failure; if the gateway fails, both tunnels fail, violating the failover requirement. Option C is wrong because static routing with route metrics does not provide dynamic failover within seconds; BGP is required for fast convergence, and static routes rely on manual intervention or slow timer-based failover. Option D is wrong because a single Cloud Router with two tunnels to the same gateway still has a single point of failure at the gateway; if the gateway goes down, both tunnels are lost, and BGP sessions cannot failover.

216
MCQ · easy

A company wants to connect their VPC to an on-premises network using Cloud VPN. They need to ensure that traffic from Google Cloud to on-premises uses a specific route only when the primary path is available, and otherwise fails over to a backup path. Which configuration should they use?

A. Configure Cloud NAT to route traffic through the backup path
B. Configure BGP on Cloud Router and advertise custom routes with appropriate metrics
C. Use static routes with a higher priority for the primary path
D. Create firewall rules to allow failover traffic
Answer: B

BGP allows dynamic failover and route selection based on metrics.

Why this answer

Option B is correct because Cloud VPN with dynamic routing (BGP) allows you to control path selection by advertising custom routes with different metrics (MED values) for the primary and backup paths. When the primary path is available, the lower metric route is preferred; if the BGP session fails, the route is withdrawn and traffic automatically fails over to the backup path with a higher metric. This meets the requirement for active/passive failover without manual intervention.

Exam trap

The trap here is that candidates confuse static route priority with dynamic BGP metric-based failover, assuming that a higher-priority static route will automatically fail over when the tunnel is down, but Google Cloud static routes do not have health-check awareness and will continue to forward traffic into a dead tunnel unless the route is removed.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used for outbound internet access from private instances, not for controlling routing between a VPC and on-premises over VPN; it does not influence path selection or failover. Option C is wrong because static routes in Google Cloud have a fixed priority (lower number = higher priority), but they do not support dynamic failover based on path availability; if the primary static route is still present in the routing table, traffic will continue to use it even if the VPN tunnel is down, unless you manually remove it. Option D is wrong because firewall rules control which traffic is allowed or denied, not how traffic is routed; they cannot trigger failover or change the forwarding path.

217
MCQ · hard

A company is designing a network for a critical application that requires sub-millisecond latency between two Compute Engine instances. The instances are located in different zones within the same region. Which VPC configuration will provide the lowest latency?

A. Use VPC Network Peering between two different VPCs.
B. Place instances in different VPCs and use a VPN between them.
C. Place both instances in the same VPC, using internal IP addresses.
D. Assign external IP addresses to both instances and communicate over the internet.
Answer: C

Internal IPs stay within Google's network, providing the lowest latency.

Why this answer

Option C is correct because placing both Compute Engine instances in the same VPC and using internal IP addresses ensures traffic stays within Google's private network backbone, bypassing any external gateways or internet hops. This configuration leverages Google's internal routing with sub-millisecond latency between zones in the same region, as traffic is forwarded at the hypervisor level without encapsulation or additional network hops.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering provides equivalent latency to a single VPC, but the trap here is that peering adds a logical routing boundary and potential latency overhead, making a single VPC with internal IPs the only option for guaranteed sub-millisecond performance.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering connects two separate VPCs, introducing an additional routing hop and potential latency from peering gateway processing, which cannot match the direct internal path within a single VPC. Option B is wrong because using a VPN between different VPCs adds encapsulation overhead (IPsec) and encryption processing, significantly increasing latency beyond sub-millisecond requirements. Option D is wrong because communicating over the internet via external IP addresses forces traffic through Google's external edge routers and the public internet, adding unpredictable latency and jitter, and is fundamentally slower than internal VPC routing.

218
MCQ · medium

A network engineer is configuring a Cloud VPN tunnel with route-based VPN and BGP. The tunnel is established, but the Cloud Router does not learn any routes from the on-premises peer. What is the most likely cause?

A. Firewall rules on the on-prem router block UDP port 179.
B. The BGP session is not configured on the VPN tunnel.
C. All of the above are possible causes.
D. The Cloud Router does not have an ASN configured.
Answer: C

Multiple factors commonly cause BGP route learning failure, including missing BGP config, ASN mismatch, firewall blocking TCP 179, etc.

Why this answer

Option C is correct because both A and B are independently plausible causes for the Cloud Router not learning routes from the on-premises peer. Firewall rules blocking UDP port 179 would prevent BGP session establishment entirely, while failing to configure the BGP session on the VPN tunnel interface means the BGP peering cannot form even if the tunnel is up. Since the question asks for the 'most likely cause' and both are valid, 'All of the above are possible causes' is the best answer.

Exam trap

Google Cloud often tests the misconception that BGP uses UDP port 179 (it uses TCP), and that a VPN tunnel being 'established' automatically implies BGP is configured, when in fact BGP configuration is a separate step required for route exchange.

How to eliminate wrong answers

Option A is wrong because it is a possible cause—UDP port 179 is used by BGP for session establishment, and if blocked by on-premises firewall rules, the BGP session cannot form, so routes would not be learned. Option B is wrong because it is also a possible cause—if the BGP session is not explicitly configured on the VPN tunnel interface (e.g., using 'neighbor <peer-ip> remote-as <asn>' under the tunnel interface or BGP process), the session will not establish, and no routes will be exchanged. Option D is wrong because the Cloud Router must have an ASN configured to participate in BGP; without it, the BGP process cannot start, but this is a less likely cause in practice as Cloud Router ASN is typically set during deployment.

219
Multi-Select · medium

Which TWO of the following are benefits of using Cloud NAT?

Select 1 answer
A. Enables instances without public IPs to access the internet.
B. Automatically scales with the number of instances.
C. Allows instances to receive incoming connections from the internet.
D. Provides static external IP for outbound traffic.
E. Integrates with IAP for SSH access.
Answers: B

Cloud NAT uses Cloud Router and scales automatically.

Why this answer

Cloud NAT is a Google Cloud managed service that allows private instances (without external IPs) to initiate outbound connections to the internet. It automatically scales to handle the traffic from all instances in a region, using NAT gateways that are managed by Google, so you do not need to pre-provision or resize the NAT gateway as the number of instances changes.

Exam trap

Google Cloud often tests the misconception that Cloud NAT provides static IPs or allows inbound connections, but the key trap is that candidates confuse Cloud NAT with a traditional NAT gateway that supports port forwarding or static mappings, whereas Cloud NAT is purely for outbound-only traffic with ephemeral IPs by default.

220
MCQ · hard

An organization wants to implement a hub-and-spoke network topology in Google Cloud using VPC Network Peering. The hub VPC hosts shared services and the spoke VPCs host application workloads. They need to ensure that spokes can communicate with each other through the hub. Which additional configuration is required?

A. Configure a managed VPN between the hub and each spoke, and enable dynamic routing
B. Enable 'Export custom routes' on the hub VPC and 'Import custom routes' on the spoke VPCs
C. Use a shared VPC instead of VPC Network Peering
D. Create a peering connection between each pair of spokes
Answer: A

Using a managed VPN with dynamic routing (e.g., Cloud Router with BGP) allows the hub to advertise routes between spokes.

Why this answer

VPC Network Peering does not support transitive routing by default. To enable spoke-to-spoke communication through the hub, you must configure a managed VPN (Cloud VPN) between the hub and each spoke with dynamic routing (BGP). This creates a routed overlay that allows the hub to forward traffic between spokes, effectively achieving transitive routing.

Exam trap

The trap here is that candidates assume exporting/importing custom routes (Option B) can enable transitive routing, but VPC Network Peering explicitly forbids transitive routing regardless of route propagation settings.

How to eliminate wrong answers

Option B is wrong because exporting and importing custom routes only propagates static or dynamically learned routes between directly peered VPCs; it does not enable transitive routing through the hub because VPC Network Peering explicitly prohibits forwarding traffic from one peering connection to another. Option C is wrong because Shared VPC does not solve the transitive routing requirement; it centralizes subnet management but still uses VPC peering for cross-project connectivity, which lacks transitive routing. Option D is wrong because creating a peering connection between each pair of spokes creates a full mesh, not a hub-and-spoke topology, and does not satisfy the requirement of routing through the hub; it also increases management complexity and does not leverage the hub for centralized inspection or policy enforcement.

221
MCQ · hard

A company uses Cloud NAT to allow private VMs to access the internet. They notice that some VMs are unable to reach a specific set of external IP addresses, but other VMs can. The firewall rules are correctly configured. What is the most likely cause?

A. The default route (0.0.0.0/0) is missing for the VPC.
B. The VPC firewall rules have a deny rule for the source IP range of the affected VMs.
C. The Cloud NAT gateway uses a static IP address that is not allowed by the external service's firewall.
D. The VMs have a tag that overrides the Cloud NAT routing.
Answer: C

If the external service restricts access by IP, only VMs using that NAT IP can connect.

Why this answer

Cloud NAT uses a source IP address (either a static IP you assign or an ephemeral IP from the NAT gateway's IP range) when translating outbound traffic from private VMs. If the external service's firewall only allows traffic from specific IP addresses, and the Cloud NAT gateway is using a static IP that is not on that allowlist, the affected VMs' traffic will be blocked. Other VMs might reach the service if they use a different NAT gateway or if the service's firewall permits their translated IP.

Exam trap

Google Cloud often tests the misconception that firewall rules within the VPC are the only cause of connectivity failures, when in reality external service firewalls or IP allowlists can block traffic after NAT translation.

How to eliminate wrong answers

Option A is wrong because the default route (0.0.0.0/0) is required for internet-bound traffic to be sent to the Cloud NAT gateway; if it were missing, no VM could reach the internet, not just a specific set of external IPs. Option B is wrong because the question states firewall rules are correctly configured, and a deny rule for the source IP range of the affected VMs would block all outbound traffic from those VMs, not just to a specific set of external IPs. Option D is wrong because VM tags do not override Cloud NAT routing; tags are used for firewall rule targeting or network tags, but Cloud NAT routing is determined by the VPC network and the NAT gateway's configuration, not by VM tags.

222
MCQ · easy

A company is designing a VPC network to support multiple projects that require isolation but also need to communicate with a shared services project. Which approach should the company use to minimize administrative overhead while ensuring isolation?

A. Assign all projects to a single VPC with separate subnets for each project.
B. Implement a Shared VPC in the host project and attach all service projects to it.
C. Use dedicated VPCs for each project and connect via Cloud VPN tunnels.
D. Create a separate VPC for each project and peer them with the shared services VPC.
Answer: B

Centralizes network management and enforces isolation through subnets and firewall rules.

Why this answer

A Shared VPC (XPN) allows an organization to connect resources from multiple service projects to a common host project's VPC network, enabling isolated projects to communicate with shared services while centralizing network administration. This minimizes administrative overhead because network policies, firewall rules, and routing are managed in one place, and service projects do not need to manage their own VPC infrastructure.

Exam trap

The trap here is that candidates often confuse VPC peering with Shared VPC, assuming that peering provides the same centralized management, but peering requires per-connection configuration and does not allow a single host project to centrally administer subnets and firewall rules across all projects.

How to eliminate wrong answers

Option A is wrong because using a single VPC with separate subnets does not provide true project-level isolation; all projects would share the same VPC and IAM boundaries are blurred, increasing the risk of unintended access and complicating resource management. Option C is wrong because using dedicated VPCs connected via Cloud VPN tunnels introduces significant administrative overhead for tunnel configuration, routing, and maintenance, and does not scale efficiently for multiple projects. Option D is wrong because peering each project's VPC with a shared services VPC requires managing multiple peering connections, each with its own routing and firewall rules, which increases complexity and administrative burden compared to a single Shared VPC.

223
Multi-Select · hard

A company is planning to migrate to Google Cloud and needs to design a VPC network for a multi-tier application (web, app, database). Which THREE best practices should they follow? (Choose THREE.)

Select 3 answers
A. Use one subnet for all tiers to simplify routing.
B. Use instance-level firewalls instead of VPC firewall rules.
C. Create separate subnets for each tier and use firewall rules to control traffic between them.
D. Use Cloud Armor to protect the web tier.
E. Use Private Google Access for instances to reach Google APIs privately.
Answers: C, D, E

Segmentation improves security and manageability.

Why this answer

Option C is correct because separating each application tier into its own subnet allows you to apply VPC firewall rules to control ingress and egress traffic between tiers based on source and destination CIDR ranges or service accounts. This follows the principle of least privilege, ensuring that only necessary traffic (e.g., web-to-app on TCP port 8080, app-to-database on TCP port 3306) is permitted, while all other traffic is denied by default.

Exam trap

Google Cloud often tests the misconception that instance-level firewalls are a best practice for multi-tier security in GCP, but the correct approach is to use VPC firewall rules with subnet segmentation and service account or tag-based controls for centralized, scalable traffic management.

224
Multi-Select · easy

Which THREE components are required to set up a Partner Interconnect connection?

Select 3 answers
A. A Dedicated Interconnect connection
B. A VLAN attachment
C. A Cloud Router
D. A Cloud VPN gateway
E. The partner's network
Answers: B, C, E

The VLAN attachment is the logical connection to the partner.

Why this answer

A VLAN attachment (option B) is required because it defines the connection between your VPC and the partner's network over a Partner Interconnect, specifying the VLAN ID and IP addressing for the BGP session. Without a VLAN attachment, the Layer 2 and Layer 3 parameters for the interconnect cannot be established.

Exam trap

Google Cloud often tests the distinction between Dedicated Interconnect and Partner Interconnect, where candidates mistakenly think a Dedicated Interconnect connection is a prerequisite for Partner Interconnect, but they are mutually exclusive options for private connectivity.

225
MCQ · hard

A company has Compute Engine instances in a VPC that only have internal IP addresses. They need to access Google Cloud services like Cloud Storage and BigQuery. They also have on-premises servers that need to access the same instances via a Cloud VPN tunnel. What must be enabled for the instances to access Google APIs without public IPs?

A. Private Google Access
B. Cloud Router
C. VPC peering
D. Cloud NAT
Answer: A

Private Google Access enables access to Google APIs from internal IPs without public IPs.

Why this answer

Private Google Access enables Compute Engine instances that have only internal IP addresses (no external IPs) to reach Google APIs and services such as Cloud Storage and BigQuery. It works by routing traffic destined for Google API IP ranges through the default internet gateway, using the VPC's internal DNS resolution to map the API hostnames to Google's internal IP addresses, without requiring a public IP on the instance.

Exam trap

Google Cloud often tests the distinction between Cloud NAT (for general internet outbound) and Private Google Access (specifically for Google APIs), leading candidates to mistakenly choose Cloud NAT when the question explicitly requires access to Google services without public IPs.

How to eliminate wrong answers

Option B is wrong because Cloud Router is used for dynamic routing (BGP) between a VPC and an on-premises network over Cloud VPN or Dedicated Interconnect, not for enabling internal-only instances to reach Google APIs. Option C is wrong because VPC peering connects two VPC networks to exchange traffic, but it does not provide access to Google APIs for instances without public IPs; that requires Private Google Access on the subnet. Option D is wrong because Cloud NAT provides outbound internet connectivity for instances without public IPs, but it is designed for general internet access, not specifically for reaching Google APIs and services; Private Google Access is the correct feature for that purpose.
