Google Professional Cloud Network Engineer (PCNE) — Questions 226-300

497 questions total · 7 pages · All types, answers revealed

Page 4 of 7
226 · MCQ · hard

You have a Cloud Router with the configuration shown. The on-premises network (ASN 65002) is not receiving any routes from Google Cloud. What is the most likely cause?

A. The BGP keepalive interval is set too low
B. The BGP session is not established
C. The router is in custom advertise mode but does not advertise the VPC subnets
D. The on-premises subnet 10.0.1.0/24 is not advertised

Answer: C

Custom mode overrides default; must explicitly advertise VPC subnets.

Why this answer

When a Cloud Router is configured in custom advertise mode, it only advertises the routes explicitly specified in the custom advertisement list. If the VPC subnets are not included in that list, the on-premises network will not receive any routes from Google Cloud, even if the BGP session is established. This is the most likely cause because the question states the on-premises network is not receiving any routes, which aligns with a missing custom advertisement rather than a session or timer issue.

Exam trap

Google Cloud often tests the misconception that a BGP session being 'Established' guarantees route exchange, but in Google Cloud's custom advertise mode, the session can be up while no routes are advertised due to missing custom advertisement configuration.

How to eliminate wrong answers

Option A is wrong because a low BGP keepalive interval (e.g., 10 seconds) would cause the session to flap or reset, not silently prevent route advertisement; the session would still exchange routes when up. Option B is wrong because if the BGP session were not established, the Cloud Router would show a state other than 'Established' (e.g., Idle, Active), and the question implies the session is up but no routes are received. Option D is wrong because the on-premises subnet 10.0.1.0/24 is a route that the on-premises router advertises to Google Cloud, not a route that Google Cloud advertises to on-premises; the issue is about routes from Google Cloud not being received, not about missing on-premises advertisements.

227 · MCQ · medium

A company is migrating its on-premises infrastructure to Google Cloud. They need to connect their VPC to a third-party SaaS provider that only supports IPsec VPN. The company requires high availability and automatic failover. Which solution should they implement?

A. Deploy two Cloud VPN tunnels from two Cloud Routers with BGP sessions to the peer VPN device.
B. Use Dedicated Interconnect with VLAN attachments to the SaaS provider.
C. Deploy a Classic VPN tunnel with policy-based routing.
D. Deploy a single Cloud VPN tunnel and use static routing.

Answer: A

This provides HA with automatic failover via BGP; Cloud Routers enable dynamic routing and fast convergence.

Why this answer

Option A is correct because deploying two Cloud VPN tunnels from two Cloud Routers with BGP sessions provides high availability and automatic failover. The two Cloud Routers in different zones ensure redundancy, and BGP (Border Gateway Protocol) dynamically advertises routes and detects tunnel failures, allowing traffic to automatically switch to the healthy tunnel without manual intervention. This meets the requirement for an IPsec VPN connection to a third-party SaaS provider that only supports IPsec VPN.

Exam trap

The trap here is that candidates often assume Dedicated Interconnect is always superior for high availability, but the question explicitly requires IPsec VPN, and Interconnect does not support IPsec VPN, making it an invalid choice despite its high availability features.

How to eliminate wrong answers

Option B is wrong because Dedicated Interconnect is a direct physical connection to Google Cloud, not an IPsec VPN, and the SaaS provider only supports IPsec VPN, making this incompatible. Option C is wrong because Classic VPN with policy-based routing does not support BGP and cannot provide automatic failover; it relies on static routing and manual intervention for failover, which does not meet the high availability requirement. Option D is wrong because a single Cloud VPN tunnel with static routing lacks redundancy and automatic failover; if the tunnel fails, traffic is dropped until manual recovery, violating the high availability requirement.

228 · Drag & Drop · medium

Drag and drop the steps to set up a Private Service Connect for accessing Google APIs privately into the correct order.


Why this order

Private Service Connect involves creating an endpoint, assigning IP, setting DNS, and testing.

229 · MCQ · hard

Two organizations have their own GCP projects with VPCs that are peered. They want to allow a service in VPC-A to be consumed by VPC-B using Private Service Connect. What configuration is required in VPC-A?

A. Create a Private Service Connect endpoint in VPC-A.
B. Enable Private Google Access on the subnet where the service resides.
C. Create a Private Service Connect service attachment and publish the service.
D. Create a VPC peering connection with VPC-B.

Answer: C

The producer publishes the service via a service attachment.

Why this answer

Option C is correct because the producer (VPC-A) must create a Private Service Connect service attachment that publishes the service. This attachment is associated with a load balancer or a service. Option A is incorrect because the endpoint is created in the consumer VPC (VPC-B).

Option D is incorrect because VPC peering is not used with Private Service Connect (the services can be consumed across organizations without peering). Option B is incorrect because Private Google Access is unrelated to publishing services.

230 · MCQ · medium

A team is deploying a new service in a Compute Engine instance without an external IP in subnet-b. The service needs to access Google Cloud Storage using internal IPs. What must the team do to enable this?

A. Assign an external IP address to the instance.
B. Move the instance to subnet-a where Private Google Access is already enabled.
C. Enable Private Google Access on subnet-b.
D. Set up Cloud NAT on the VPC to allow outbound access to Google APIs.

Answer: C

Enables instances without external IP to reach Google APIs via internal IPs.

Why this answer

Private Google Access enables a Compute Engine instance without an external IP address to reach Google APIs and services (including Cloud Storage) over the internal VPC network using RFC 1918 addresses. By enabling this feature on subnet-b, the instance can access Cloud Storage via internal IPs without needing an external IP or NAT gateway. This is the correct and minimal configuration for the requirement.

Exam trap

The trap here is that candidates often confuse Private Google Access with Cloud NAT, assuming outbound access to Google APIs always requires NAT, but Private Google Access is the specific feature designed for internal-only instances to reach Google APIs without external IPs.

How to eliminate wrong answers

Option A is wrong because assigning an external IP address would expose the instance to the internet, violating the requirement to use only internal IPs and introducing unnecessary security risk. Option B is wrong because moving the instance to subnet-a is not required; Private Google Access can be enabled on any subnet, including subnet-b, without moving resources. Option D is wrong because Cloud NAT is used for outbound internet access to non-Google services or for dynamic source IP translation, but Private Google Access directly provides internal IP access to Google APIs without NAT.

231 · MCQ · medium

A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They need to add a new subnet for a Kubernetes cluster that requires a secondary IP range for pods. The primary IP range of the new subnet must be 10.0.2.0/24. What is the correct way to create this subnet?

A. Create the subnet with primary range 10.0.2.0/24 and specify the secondary range at creation time.
B. Create the subnet with primary range 10.0.2.0/24 and then update it to add the secondary range.
C. Create two subnets: one with 10.0.2.0/24 for primary and another for the secondary range.
D. Create an auto mode subnet and let Google Cloud assign the secondary range automatically.

Answer: A

Secondary ranges must be specified at subnet creation.

Why this answer

Option A is correct because in Google Cloud VPC, a subnet can have both a primary IP range and one or more secondary IP ranges, and these secondary ranges must be specified at subnet creation time. For a Kubernetes cluster, the secondary range for pods is required, and it cannot be added after the subnet is created; it must be defined during the initial subnet creation.

Exam trap

Google Cloud often tests the misconception that secondary IP ranges can be added to an existing subnet via an update, but in Google Cloud, they must be specified at subnet creation time and are immutable afterward.

How to eliminate wrong answers

Option B is wrong because Google Cloud does not allow adding a secondary IP range to an existing subnet after creation; secondary ranges must be specified at creation time. Option C is wrong because a single subnet can have both primary and secondary ranges, and creating two separate subnets would not associate the secondary range with the primary subnet as required by Kubernetes. Option D is wrong because auto mode subnets automatically assign primary ranges, but they do not automatically assign secondary ranges; secondary ranges must be explicitly defined, and auto mode does not solve the requirement for a specific primary range.

232 · Multi-Select · easy

Which two of the following are prerequisites for configuring an HA VPN tunnel to an on-premises network? (Choose two.)

Select 2 answers
A. A VLAN attachment in the same region.
B. A Cloud Router with BGP configured in the same region as the VPN gateway.
C. A pre-shared key that is at least 20 characters long.
D. An on-premises VPN device that supports static routing only.
E. Two external IP addresses for the VPN gateway.

Answers: B, E

Cloud Router is required for BGP route exchange.

Why this answer

B is correct because an HA VPN tunnel uses dynamic routing via BGP to provide active-active or active-passive failover. A Cloud Router with BGP configured in the same region as the VPN gateway is required to exchange routes with the on-premises network, enabling automatic failover and load balancing across the two tunnels.

Exam trap

Google Cloud often tests the misconception that HA VPN requires a VLAN attachment or static routing, but the key requirement is a Cloud Router with BGP in the same region to support dynamic routing and failover.

233 · MCQ · medium

A company needs to connect their on-premises data center to Google Cloud with a consistent, high-availability connection that offers 99.99% availability SLA. The on-premises router supports VLAN tagging and BGP. They expect to burst up to 50 Gbps peak traffic. Which interconnect solution should they choose?

A. Cloud VPN with dynamic routing
B. Dedicated Interconnect
C. Partner Interconnect
D. HA VPN

Answer: B

Dedicated Interconnect offers 99.99% SLA and supports multiple 10/40/100 Gbps connections.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between the on-premises data center and Google Cloud, supporting up to 80 Gbps per connection (via 10 or 100 Gbps links) and offering a 99.99% availability SLA when configured with redundant links and BGP sessions. The on-premises router's support for VLAN tagging and BGP aligns perfectly with Dedicated Interconnect's requirements for 802.1Q VLANs and eBGP peering, making it the only option that meets the 50 Gbps burst requirement and high-availability SLA.

Exam trap

Google Cloud often tests the misconception that HA VPN can achieve high throughput by aggregating multiple tunnels, but in Google Cloud, each HA VPN tunnel is limited to 3 Gbps and cannot be combined to exceed that per-VPC limit, making it unsuitable for 50 Gbps bursts.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with dynamic routing is limited to a maximum throughput of 3 Gbps per tunnel (using HA VPN) and does not offer a 99.99% SLA, making it insufficient for 50 Gbps peak traffic. Option C is wrong because Partner Interconnect relies on a third-party service provider's network, which introduces additional latency and typically offers a maximum of 10 Gbps per VLAN attachment, and its SLA is often lower than 99.99% due to the partner's infrastructure. Option D is wrong because HA VPN, while providing high availability with two tunnels, still caps at 3 Gbps per tunnel and cannot aggregate to 50 Gbps, and its SLA is 99.99% only for the VPN service itself, not the underlying bandwidth capacity.

234 · MCQ · medium

A company is migrating an on-premises DNS service to Cloud DNS. They want to resolve on-premises hostnames from GCP VMs and resolve Google Cloud private zone names from on-premises. They have a Cloud VPN with BGP. Which architecture should they implement?

A. Configure a Cloud DNS forwarding zone for on-premises names and a private zone for GCP names. Then create an inbound server policy for on-premises to query Cloud DNS.
B. Configure a split-horizon DNS with separate DNS servers for each environment.
C. Set up Cloud DNS peering zones between the VPC and on-premises.
D. Use DNS over HTTPS from on-premises to Google's public DNS.

Answer: A

Inbound server policy allows on-premises to resolve private zones; forwarding zone allows GCP to resolve on-premises.

Why this answer

Option A is correct because Cloud DNS supports inbound server policies that allow on-premises DNS resolvers to forward queries for private zone names (e.g., `gcp.internal`) to Cloud DNS via the Cloud VPN. A forwarding zone in the VPC directs queries for on-premises hostnames (e.g., `corp.example.com`) to the on-premises DNS servers. This bidirectional resolution is achieved without exposing DNS to the internet, leveraging BGP for routing.

Exam trap

Google Cloud often tests the distinction between DNS peering (VPC-to-VPC) and DNS forwarding/inbound policies (VPC-to-on-premises), causing candidates to mistakenly choose peering for hybrid scenarios.

How to eliminate wrong answers

Option B is wrong because split-horizon DNS is a design pattern, not a Google Cloud architecture component; it does not provide the required integration between Cloud DNS and on-premises DNS over VPN. Option C is wrong because Cloud DNS peering zones only allow DNS resolution between VPCs within Google Cloud, not between a VPC and an on-premises network. Option D is wrong because DNS over HTTPS to Google Public DNS would only resolve public internet names, not private zone names or on-premises hostnames, and bypasses the VPN.

235 · MCQ · easy

A company is running workloads on Compute Engine instances without public IP addresses. They need to allow these instances to securely access the internet for software updates. Which Google Cloud service should be configured?

A. Cloud VPN
B. Private Google Access
C. Cloud NAT
D. VPC Peering

Answer: C

Cloud NAT enables outbound internet traffic from instances without public IPs.

Why this answer

Cloud NAT (Network Address Translation) allows Compute Engine instances without public IP addresses to initiate outbound connections to the internet for tasks like software updates. It translates the private IP addresses of the instances to a public IP address managed by Google Cloud, enabling secure outbound internet access without exposing the instances to inbound traffic.

Exam trap

Google Cloud often tests the distinction between Private Google Access (which only reaches Google APIs) and Cloud NAT (which provides full internet access), causing candidates to confuse the two when the requirement is for general internet connectivity like software updates.

How to eliminate wrong answers

Option A is wrong because Cloud VPN creates an encrypted tunnel to an on-premises network, not to the general internet; it does not provide outbound internet access for instances without public IPs. Option B is wrong because Private Google Access allows instances to reach Google APIs and services using private IPs, but it does not provide access to the broader internet for software updates. Option D is wrong because VPC Peering connects two VPC networks privately, but it does not provide internet access; it only enables communication between the peered networks.

236 · MCQ · hard

A company has a Dedicated Interconnect connection from their on-premises data center to GCP. They have set up BGP sessions over VLAN attachments to peer with their VPC. Traffic from on-premises to GCP works, but return traffic from GCP to on-premises is dropped at the on-premises firewall. What is the most likely cause?

A. The VLAN attachment is in a different region than the GCP resources.
B. A GCP firewall rule is blocking the return traffic.
C. The MTU size is inconsistent between the on-premises router and GCP.
D. The on-premises router is not advertising the on-premises prefix to GCP via BGP.

Answer: D

If the on-premises prefix is not advertised, GCP routes return traffic through the internet, causing asymmetric routing and firewall drops.

Why this answer

The most likely cause is that the on-premises router is not advertising the on-premises prefix to GCP via BGP. For return traffic from GCP to be routed correctly, GCP must learn the on-premises network prefix through a BGP advertisement from the on-premises router. Without this advertisement, GCP has no route to send traffic back, causing the firewall to drop the packets as they have no valid path.

Exam trap

Google Cloud often tests the misconception that return traffic issues are caused by GCP firewall rules or MTU mismatches, when the actual root cause is a missing or incorrect BGP prefix advertisement from the on-premises side.

How to eliminate wrong answers

Option A is wrong because the VLAN attachment can be in a different region than the GCP resources; traffic is routed through the VPC's global routing, and region mismatch does not cause return traffic to be dropped at the on-premises firewall. Option B is wrong because GCP firewall rules control traffic entering or leaving VM instances, not traffic that is already routed through the Dedicated Interconnect; the issue is at the on-premises side, not in GCP. Option C is wrong because MTU inconsistency would typically cause fragmentation issues or packet loss, not a complete drop of return traffic at the firewall; the firewall drop indicates a routing or prefix advertisement problem.

237 · MCQ · hard

An organization uses VPC Service Controls to protect Google Cloud APIs. They need to allow a specific service account in a peripheral project to access a managed service in a protected service perimeter. What should they configure?

A. IAM conditions on the service account.
B. Access levels in VPC Service Controls.
C. Private Google Access.
D. Ingress and egress rules in the perimeter.

Answer: D

Ingress/egress rules grant access to specific service accounts from outside the perimeter.

Why this answer

VPC Service Controls uses ingress and egress rules to control data exchange between a protected service perimeter and resources outside it. To allow a specific service account in a peripheral project to access a managed service inside the perimeter, you configure an egress rule on the perimeter that permits traffic from that service account to the protected service. This rule explicitly defines the allowed source identity (the service account) and the target service, enabling secure cross-perimeter access.

Exam trap

Google Cloud often tests the distinction between IAM conditions (which control permissions within a project) and VPC Service Controls rules (which control network-level access across perimeters), leading candidates to mistakenly choose IAM conditions when the question explicitly involves crossing a service perimeter boundary.

How to eliminate wrong answers

Option A is wrong because IAM conditions on the service account can restrict when the account's permissions apply (e.g., based on IP address or resource tags), but they cannot override VPC Service Controls perimeter boundaries; the perimeter blocks all traffic by default regardless of IAM. Option B is wrong because access levels in VPC Service Controls define client attributes (e.g., IP range, device policy) for granting access to a perimeter, but they do not specify which service accounts or projects are allowed to exit the perimeter; ingress/egress rules handle identity-based flow. Option C is wrong because Private Google Access enables on-premises or VM instances without external IPs to reach Google APIs via private IP addresses, but it does not control cross-project or cross-perimeter access governed by VPC Service Controls.

238 · MCQ · medium

A company is deploying a global application on Google Cloud using Cloud Load Balancing. They want to serve traffic from multiple regions and require the lowest possible latency for users worldwide. The application serves HTTP traffic and uses a static IP address. Which load balancing solution should they use?

A. Network Load Balancer
B. Internal HTTP(S) Load Balancer
C. SSL Proxy Load Balancer
D. External HTTP(S) Load Balancer with Premium Tier

Answer: D

External HTTP(S) Load Balancer with Premium Tier uses Google's global network and anycast IP to direct users to the nearest backend, minimizing latency.

Why this answer

The External HTTP(S) Load Balancer with Premium Tier is correct because it uses Google's global anycast IP address to route user traffic to the nearest frontend, minimizing latency worldwide. Premium Tier leverages Google's global network backbone, ensuring traffic enters and exits at the closest Google edge point of presence (PoP) for HTTP(S) traffic, which is essential for a global application requiring low latency and a static IP.

Exam trap

Google Cloud often tests the misconception that any load balancer with 'HTTP(S)' in its name is automatically global, but the trap here is that only the External HTTP(S) Load Balancer with Premium Tier provides global anycast routing; the Internal and SSL Proxy variants are regional, and the Network Load Balancer is Layer 4 only.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer is a regional, passthrough load balancer that operates at Layer 4 (TCP/UDP) and does not support HTTP(S) traffic or global anycast IPs, making it unsuitable for global low-latency HTTP traffic. Option B is wrong because an Internal HTTP(S) Load Balancer is designed for internal VPC traffic within a single region and cannot serve traffic from the internet or use a public static IP. Option C is wrong because an SSL Proxy Load Balancer terminates SSL/TLS connections but is regional (not global) and does not provide the lowest possible latency for worldwide users compared to the Premium Tier's global anycast routing.

239 · Multi-Select · medium

Which TWO of the following are benefits of using Cloud NAT?

Select 2 answers
A. Supports static IP addresses for all instances
B. Enables outbound traffic from instances without public IPs
C. Allows fine-grained control over source IP addresses
D. Provides inbound port forwarding
E. Automatically scales with the number of instances

Answers: B, C

This is the primary purpose of Cloud NAT.

Why this answer

Cloud NAT enables outbound connectivity from private instances that lack public IP addresses. It translates private source IPs to a single or a pool of external IPs, allowing instances to reach the internet while remaining unreachable from outside. This is essential for security and compliance in VPC networks.

Exam trap

Google Cloud often tests the misconception that Cloud NAT provides inbound connectivity or static IPs per instance, when in fact it is strictly outbound and uses a shared pool of IPs.

240 · Multi-Select · hard

Which THREE actions should you take to secure a VPC that hosts public-facing web applications?

Select 3 answers
A. Assign public IP addresses to all VMs for direct internet access
B. Use Cloud NAT to allow outbound internet access without public IPs
C. Enable VPC Flow Logs to block malicious traffic
D. Enable Cloud Armor to protect against DDoS and application attacks
E. Use Private Google Access for VMs that need to access Google APIs

Answers: B, D, E

Provides outbound connectivity without exposing VMs.

Why this answer

Cloud NAT enables outbound internet access for private VMs without assigning them public IP addresses, which reduces the attack surface. This is a secure alternative to direct internet access because it allows outbound connections initiated by the VMs while blocking unsolicited inbound traffic from the internet. It works by translating private IP addresses to a set of ephemeral public IPs managed by Google Cloud.

Exam trap

Google Cloud often tests the misconception that VPC Flow Logs are a security control that can block traffic, when in reality they are only a logging and monitoring feature, not an enforcement mechanism.

241 · MCQ · hard

You run the command shown in the exhibit. Your on-premises network is connected to your VPC via a Cloud Router with two BGP sessions. You notice that your on-premises network receives routes for only the two custom IP ranges (10.0.1.0/24 and 10.0.2.0/24) but not for other subnets in the VPC. What is the most likely cause?

A. The BGP interface IP addresses 169.254.x.x are not reachable from the on-premises side.
B. The BGP peer ASN 65001 is not recognized by the on-premises router.
C. The advertisedGroups includes ALL_SUBNETS but the router is ignoring it because of a misconfiguration.
D. The Cloud Router is configured with custom route advertisement that only includes the two specified ranges.

Answer: D

With advertiseMode set to CUSTOM, the router advertises only the explicitly listed ranges; although advertisedGroups includes ALL_SUBNETS, that group is ignored unless it is the only entry, so only the custom ranges are advertised.

Why this answer

Option D is correct because the Cloud Router's custom route advertisement configuration explicitly controls which routes are advertised to on-premises via BGP. If only the two custom IP ranges (10.0.1.0/24 and 10.0.2.0/24) are included in the custom advertisement, other VPC subnets will not be advertised, even if they exist. The exhibit shows that the on-premises network receives only those two ranges, which directly matches a custom advertisement setup rather than the default ALL_SUBNETS behavior.

Exam trap

The trap here is that candidates often assume BGP session establishment implies all routes are automatically exchanged, but Cloud Router's custom advertisement feature allows granular control over which prefixes are advertised, and the default ALL_SUBNETS behavior is not active when custom ranges are explicitly listed.

How to eliminate wrong answers

Option A is wrong because if the BGP interface IP addresses 169.254.x.x were unreachable, the BGP sessions would not establish at all, and no routes would be received—not just a subset. Option B is wrong because the BGP peer ASN 65001 is a private ASN commonly used in GCP Cloud Router configurations; if the on-premises router did not recognize it, the BGP session would fail to establish, again resulting in zero routes. Option C is wrong because if advertisedGroups included ALL_SUBNETS, the Cloud Router would advertise all VPC subnets by default; the router does not 'ignore' this setting due to misconfiguration—either it is set or it is not, and the observed behavior (only two ranges) indicates custom advertisement is in use.

242 · MCQ · easy

A network engineer is troubleshooting connectivity from an on-premises network to a GCE VM through a VPN tunnel. The tunnel is established, but traffic is not reaching the VM. What should the engineer check first?

A. Check VPC firewall rules to ensure ingress traffic from the on-premises subnet is allowed to the VM
B. Check the VM's OS firewall to see if it is blocking incoming traffic
C. Verify that the VPN tunnel is using the correct pre-shared key
D. Review Cloud Armor security policies that may be blocking the traffic

Answer: A

Firewall rules must allow traffic from the on-premises IP range to the VM's target tags or service account.

Why this answer

Option A is correct because VPC firewall rules are the first line of defense for controlling traffic to GCE VMs. Even though the VPN tunnel is established, the default-deny ingress posture of GCP means that traffic from the on-premises subnet must be explicitly allowed by a VPC firewall rule. Without this rule, packets arriving via the tunnel are dropped before they ever reach the VM's network interface.

Exam trap

Google Cloud often tests the misconception that a working tunnel implies all traffic flows, but the trap here is that VPC firewall rules are independent of tunnel status and must be explicitly configured for the on-premises subnet as the source.

How to eliminate wrong answers

Option B is wrong because the VM's OS firewall is a secondary concern; the VPC firewall operates before traffic reaches the VM, so checking the OS firewall first would be premature. Option C is wrong because the tunnel is already established, which confirms that the pre-shared key is correct; a mismatched PSK would prevent the tunnel from coming up. Option D is wrong because Cloud Armor security policies apply to HTTP(S) load balancing and external traffic, not to traffic arriving through a VPN tunnel, which is internal to the VPC.

243 · MCQ · hard

An enterprise uses Shared VPC with a host project and multiple service projects. A service project team wants to create a Cloud VPN tunnel to their on-premises network. What must the network team configure in the host project to allow this?

A. The service project can create the VPN gateway directly in its own project as long as it uses a VPC that is peered with the host project
B. The VPN gateway and Cloud Router must be created in the host project's VPC, and the service project must be granted the compute.networkUser role on the host project
C. The service project cannot use Cloud VPN with Shared VPC; they must use Dedicated Interconnect instead
D. A Cloud Router must be created in the service project, and the VPN gateway in the host project

Answer: B

Correct configuration; the networking resources are in the host project.

Why this answer

In a Shared VPC setup, the VPN gateway and Cloud Router must reside in the host project's VPC because the host project owns the underlying network infrastructure. The service project can then use the VPN tunnel by being granted the `compute.networkUser` role on the host project, which allows it to create forwarding rules and use the VPN resources. This ensures that the VPN termination point is within the shared VPC network, enabling connectivity to on-premises networks.

Exam trap

The trap here is that candidates mistakenly think the service project can own the VPN gateway or Cloud Router because they are creating the tunnel, but Shared VPC requires all networking resources (VPN gateway, Cloud Router) to be in the host project's VPC.

How to eliminate wrong answers

Option A is wrong because the service project cannot create a VPN gateway directly in its own project using a VPC peered with the host project; VPC peering does not support Cloud VPN termination, and the VPN gateway must reside in the host project's VPC. Option C is wrong because Cloud VPN is fully supported with Shared VPC; Dedicated Interconnect is a separate, higher-bandwidth option, not a requirement. Option D is wrong because both the Cloud Router and the VPN gateway must be created in the host project, not split between projects; the service project cannot host the Cloud Router for a VPN tunnel terminating in the host project.

244 · MCQ · hard

Refer to the exhibit. A Cloud VPN tunnel is configured with the above Cloud Router configuration. The on-premises BGP peer is at 169.254.0.2 with ASN 65001. The on-premises router is receiving the route 10.0.0.0/8 from the Cloud Router, but it is not receiving any of the specific subnets (e.g., 10.1.0.0/16) that exist in the VPC. What is the most likely cause?

A. The advertised_route_priority is set too low, causing the routes to be suppressed.
B. The Cloud Router is configured with custom advertise mode and is only advertising the manually specified ranges.
C. The BGP session is not established due to ASN mismatch.
D. The on-premises peer ASN is incorrect.
Answer: B

Custom mode means only the listed ranges are advertised; VPC subnets are not included unless explicitly added.

Why this answer

The Cloud Router is configured with custom advertise mode, which means it only advertises the manually specified CIDR ranges to the on-premises BGP peer. Since the specific subnets (e.g., 10.1.0.0/16) are not included in the custom advertised ranges, the on-premises router receives only the explicitly listed 10.0.0.0/8 route, not the more specific subnets.

Exam trap

Google Cloud often tests the distinction between route advertisement control (custom vs. default mode) and route selection attributes (like priority/MED), leading candidates to incorrectly attribute missing routes to priority settings rather than advertisement configuration.

How to eliminate wrong answers

Option A is wrong because advertised_route_priority influences route selection (MED) but does not suppress route advertisement; routes are still sent regardless of priority value. Option C is wrong because if the BGP session were not established due to ASN mismatch, the on-premises router would not receive any routes at all, not just missing specific subnets. Option D is wrong because an incorrect on-premises peer ASN would prevent the BGP session from forming, which contradicts the fact that the on-premises router is already receiving the 10.0.0.0/8 route.
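The advertisement behaviour this question (and question 226 on the previous page) turns on, as an added example that is not code from the question bank or from Google: a small model of which prefixes a Cloud Router sends in DEFAULT versus CUSTOM mode. The VPC subnets are constructed; the mode, group and range names mirror the `--advertisement-mode`, `--set-advertisement-groups` and `--set-advertisement-ranges` flags of `gcloud compute routers update`.

```python
"""Model of the prefixes a Cloud Router advertises to its BGP peers.

Constructed example (not Google's code): DEFAULT mode advertises every
VPC subnet route; CUSTOM mode advertises only the configured groups and
ranges, so a summary such as 10.0.0.0/8 can arrive on-premises while the
specific subnets never do.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class CloudRouter:
    mode: str = "DEFAULT"                                  # DEFAULT or CUSTOM
    advertised_groups: set = field(default_factory=set)    # e.g. {"ALL_SUBNETS"}
    advertised_ranges: list = field(default_factory=list)  # custom CIDRs
    advertised_route_priority: int = 100                   # becomes the MED only;
                                                           # never suppresses a route


def advertised_prefixes(router, vpc_subnets):
    """Return the set of prefixes this router sends to its BGP peers."""
    if router.mode == "DEFAULT":
        return {str(ip_network(s)) for s in vpc_subnets}
    if router.mode != "CUSTOM":
        raise ValueError(f"unknown advertisement mode {router.mode!r}")
    prefixes = {str(ip_network(r)) for r in router.advertised_ranges}
    # The ALL_SUBNETS group is what puts the VPC subnets back into a custom
    # advertisement; custom ranges alone never include them.
    if "ALL_SUBNETS" in router.advertised_groups:
        prefixes |= {str(ip_network(s)) for s in vpc_subnets}
    return prefixes


def missing_subnets(router, vpc_subnets):
    """Subnets the on-premises peer will NOT learn: the check to run when a
    summary route arrives but the specific subnets do not."""
    return sorted(set(vpc_subnets) - advertised_prefixes(router, vpc_subnets))


# Constructed VPC for the question: specific subnets under 10.0.0.0/8.
VPC_SUBNETS = ["10.1.0.0/16", "10.2.0.0/16"]

if __name__ == "__main__":
    broken = CloudRouter(mode="CUSTOM", advertised_ranges=["10.0.0.0/8"])
    print("custom, ranges only  :", advertised_prefixes(broken, VPC_SUBNETS))
    print("missing on-premises  :", missing_subnets(broken, VPC_SUBNETS))
    fixed = CloudRouter(mode="CUSTOM", advertised_groups={"ALL_SUBNETS"},
                        advertised_ranges=["10.0.0.0/8"])
    print("custom + ALL_SUBNETS :", advertised_prefixes(fixed, VPC_SUBNETS))
```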

245 · Multi-Select · easy

A company is planning to migrate its on-premises workloads to Google Cloud. They have a few dedicated servers that need to be reachable from the internet via specific public IPs. Which TWO options should they consider to assign static public IP addresses to their Compute Engine instances? (Choose 2.)

Select 2 answers
A. Promote an existing ephemeral external IP address to static.
B. Reserve a new static external IP address and then assign it to the instance's network interface.
C. Assign a static internal IP address and use it as the public IP via DNS.
D. Configure Cloud NAT to assign a static IP for inbound traffic.
E. Use the instance's internal IP address as the public IP by configuring the VPC firewall.
Answers: A, B

If an instance already has an ephemeral IP, you can promote it to static without changing the address.

Why this answer

Static external IP addresses can be assigned either as regional or global. Option A is correct: promote an existing ephemeral external IP to static. Option B is correct: reserve a static external IP address and assign it to the instance.

Option C is incorrect because internal IPs are not accessible from the internet, and DNS cannot change that. Option D is incorrect because Cloud NAT is for outbound internet access, not inbound. Option E is incorrect because a firewall rule cannot turn an internal IP into an external IP.

246 · MCQ · easy

A company is setting up HA VPN between on-premises and Google Cloud. They have two Cloud VPN gateways with two tunnels each. They want to ensure automatic failover if one tunnel goes down. Which BGP configuration is a best practice?

A. Configure active-passive BGP with a single session.
B. Configure active-active BGP with multiple sessions using different ASNs.
C. Use policy-based routing to fail between tunnels.
D. Use static routes with a primary and backup route.
Answer: B

Active-active BGP with multiple sessions allows both tunnels to be active and provides automatic failover.

Why this answer

Option B is correct because active-active BGP with multiple sessions using different ASNs allows each tunnel to be treated as an independent path. If one tunnel fails, BGP withdraws the routes learned over that session, and traffic automatically shifts to the remaining tunnels without manual intervention. This configuration provides true automatic failover and load balancing, which is a best practice for HA VPN with multiple tunnels.

Exam trap

The trap here is that candidates often assume active-passive BGP is sufficient for HA, but in Google Cloud's HA VPN, active-active BGP with multiple sessions and different ASNs is required to achieve automatic failover across multiple tunnels without relying on static route manipulation.

How to eliminate wrong answers

Option A is wrong because active-passive BGP with a single session creates a single point of failure; if the session or tunnel fails, there is no automatic failover to another tunnel. Option C is wrong because policy-based routing does not integrate with BGP's dynamic route advertisement and withdrawal, making failover slower and less reliable in a multi-tunnel HA VPN setup. Option D is wrong because static routes require manual intervention or complex scripting to detect tunnel failure and switch routes, whereas BGP provides automatic failover through route withdrawal.

247 · MCQ · easy

An organization needs to connect two VPCs in different regions using Google's backbone. What is the recommended solution?

A. Cloud VPN
B. Dedicated Interconnect
C. Cloud NAT
D. VPC Peering
Answer: D

VPC Peering connects VPCs using Google's private network.

Why this answer

VPC Peering uses Google's backbone to connect VPCs across regions without public internet.

248 · MCQ · hard

A financial institution is setting up Dedicated Interconnect with Google Cloud. They have two on-premises routers (R1 and R2) each connected to a separate Google Cloud router via VLAN attachments in two different zones (us-central1-a and us-central1-b). The on-premises routers are configured with BGP, and they advertise the corporate prefix 10.0.0.0/8. Google Cloud routers are configured with custom route advertisements. After provisioning, you notice that traffic from some on-premises subnets to GCP experiences asymmetrical routing, causing packet drops. You verify that both BGP sessions are established and that both Cloud Routers have received the 10.0.0.0/8 route. What is the most likely cause of the asymmetrical routing?

A. On-premises routers have mismatched BGP local preference values for routes received from Google Cloud
B. The on-premises routers are using the same AS number causing BGP loop prevention
C. VLAN attachments are configured with different MTU sizes
D. Cloud Router is setting different BGP metric attributes for each VLAN attachment
Answer: A

Different local preferences cause one path to be preferred for return traffic, while forward traffic may take the other path, leading to asymmetry.

Why this answer

Asymmetrical routing in a dual-homed Dedicated Interconnect setup occurs when on-premises routers have different BGP local preference values for routes received from Google Cloud. Local preference is the first BGP attribute considered when selecting the best path outbound from the on-premises network. If R1 has a higher local preference for the GCP routes than R2, all outbound traffic from on-premises will prefer R1, while return traffic from GCP may arrive via either router (depending on GCP's routing), causing a mismatch in traffic paths and packet drops.

Exam trap

Google Cloud often tests the distinction between BGP attributes that influence inbound traffic (MED, AS-path prepend) versus outbound traffic (local preference), and the trap here is that candidates may incorrectly attribute asymmetrical routing to MED or MTU issues rather than recognizing that local preference mismatch on the on-premises side is the root cause of asymmetric outbound path selection.

How to eliminate wrong answers

Option B is wrong because using the same AS number on both on-premises routers would cause BGP loop prevention only if the routers are in the same AS and the Cloud Routers see the same AS path; however, Google Cloud allows multi-homing with the same ASN by using 'allowas-in' or 'as-path prepend', and this would not directly cause asymmetrical routing—it would more likely cause route rejection or path selection issues. Option C is wrong because mismatched MTU sizes on VLAN attachments would cause fragmentation or packet drops at the link layer, not asymmetrical routing; asymmetrical routing is a Layer 3 path selection issue, not a Layer 2 MTU mismatch. Option D is wrong because Cloud Router sets BGP metric (MED) attributes per VLAN attachment only when custom route advertisements are configured with specific MED values, but MED is used to influence inbound traffic from on-premises, not outbound; asymmetrical routing here is caused by outbound path selection differences on the on-premises side, not by GCP's MED settings.

249 · MCQ · medium

An enterprise uses HA VPN to connect their on-premises network to Google Cloud. The on-premises side has a single VPN device that supports BGP. They want to maximize availability. What is the recommended Google Cloud configuration?

A. Deploy two Cloud VPN gateways in different regions to provide regional failover.
B. Deploy a single Cloud VPN gateway with one interface and one BGP session.
C. Deploy a single Cloud VPN gateway with two interfaces, each with its own external IP, and configure two BGP sessions to the single on-premises device.
D. Deploy a single Cloud VPN gateway with two interfaces, but only use one BGP session for simplicity.
Answer: C

This provides interface-level redundancy and achieves maximal availability with a single on-premises device.

Why this answer

Option C is correct because it provides high availability by using a single Cloud VPN gateway with two interfaces, each with its own external IP, and two BGP sessions to the on-premises device. This configuration allows active/active failover: if one interface or BGP session fails, traffic automatically switches to the other, maximizing availability without requiring multiple regions.

Exam trap

Google Cloud often tests the misconception that high availability requires multiple regions or gateways, but the trap here is that a single HA VPN gateway with dual interfaces and dual BGP sessions provides sufficient redundancy for a single on-premises device, avoiding unnecessary complexity.

How to eliminate wrong answers

Option A is wrong because deploying two Cloud VPN gateways in different regions introduces unnecessary complexity and cost; regional failover is not needed when the on-premises side has a single VPN device, and HA VPN with two interfaces on a single gateway already provides sufficient availability. Option B is wrong because a single interface and single BGP session creates a single point of failure; if the interface or BGP session goes down, connectivity is lost, which does not maximize availability. Option D is wrong because using only one BGP session with two interfaces defeats the purpose of redundancy; the second interface would remain idle and not provide automatic failover, leaving a single point of failure in the control plane.

250 · MCQ · hard

After configuring Cloud VPN with dynamic routing (BGP), you notice that on-premises routes are not appearing in Google Cloud. BGP sessions are established but no prefixes are exchanged. Cloud Router logs show: 'No route advertisement received'. On-premises BGP configuration shows 'network 10.0.0.0/8' and 'neighbor 10.1.1.1 remote-as 65000'. What is the most likely cause?

A. The 'network 10.0.0.0/8' command does not have a corresponding exact route in the on-premises routing table; also missing 'neighbor 10.1.1.1 activate' under BGP.
B. The on-premises router's BGP peer IP is not in the same subnet as the Cloud Router's interface.
C. The Cloud Router's BGP peer IP is not reachable from the on-premises router.
D. The BGP MD5 password is configured incorrectly on the on-premises router.
Answer: A

BGP requires the network to be in the routing table, and 'activate' is needed to start sending updates.

Why this answer

Option A is correct because the on-premises BGP configuration uses the 'network 10.0.0.0/8' command, which requires an exact match in the local routing table to be advertised. Without a route for 10.0.0.0/8 (e.g., a connected or static route), BGP will not advertise it. Additionally, the 'neighbor 10.1.1.1 activate' command is missing under BGP, which is required to enable the exchange of prefixes with that neighbor.

These two issues together prevent route advertisement to Google Cloud.

Exam trap

Google Cloud often tests the misconception that an established BGP session automatically implies route exchange, but candidates must remember that the 'network' command requires an exact routing table match and that 'neighbor activate' is needed under the address family to actually send prefixes.

How to eliminate wrong answers

Option B is wrong because BGP peers do not need to be in the same subnet; they only need Layer 3 reachability, which is confirmed by the established BGP session. Option C is wrong because the BGP session is already established, indicating that the Cloud Router's BGP peer IP is reachable from the on-premises router. Option D is wrong because an incorrect MD5 password would prevent the BGP session from establishing, but the session is up, so authentication is not the issue.

251 · MCQ · easy

A company has two VPC networks in the same project: 'vpc-a' (us-central1) and 'vpc-b' (us-east1). They are connected via VPC Network Peering. An instance in vpc-a can ping the internal IP of an instance in vpc-b, but cannot reach it on TCP port 8080. The firewall rule in vpc-b allows ingress from the peered network's subnets. What is the most likely cause?

A. The instance in vpc-b has a firewall rule that denies TCP port 8080 explicitly.
B. The subnet in vpc-a is in a different region, so peering does not support cross-region communication.
C. The firewall rule for port 8080 is missing or uses an incorrect target tag or service account.
D. The firewall rule in vpc-b must allow ingress from the entire CIDR of vpc-a's subnet, not just the peered network.
Answer: C

Since ICMP works but TCP 8080 does not, the specific firewall rule for port 8080 is likely missing or misconfigured.

Why this answer

The firewall rule in vpc-b allows ingress from the peered network's subnets, but VPC Network Peering does not automatically allow all traffic; firewalls must be configured explicitly. Since ICMP works, the issue is specific to TCP 8080, most likely a firewall rule that is missing or misconfigured for that port. Option C is correct because even if a rule allows traffic from the subnets, it may not have the correct port or target tags.

252 · Multi-Select · hard

Which TWO statements about Cloud Router BGP are correct? (Choose two.)

Select 2 answers
A. Cloud Router uses multi-hop eBGP by default.
B. Cloud Router can use a private ASN.
C. Cloud Router requires a public ASN.
D. Cloud Router supports multiple BGP sessions per router.
E. Cloud Router only supports MED for routes it sends to on-premises.
Answers: B, D

Private ASN is commonly used.

Why this answer

Option B is correct because Cloud Router can use a private ASN (64512-65534) for BGP peering, which is common when connecting to on-premises networks that do not require a public ASN. This allows flexibility in hybrid interconnectivity without needing to register a public ASN.

Exam trap

Google Cloud often tests the misconception that Cloud Router requires a public ASN or that it uses multi-hop eBGP by default, when in fact private ASNs are supported and single-hop eBGP is the default behavior.

253 · MCQ · medium

A company wants to enable VPC Flow Logs for a subnet to troubleshoot connectivity issues. They have enabled flow logs with a sample rate of 1.0 and metadata annotation enabled. After a few hours, they notice that logs are being generated but they are missing flows from a specific application server to a database server in the same subnet. Both servers are Compute Engine instances with internal IPs only. What could be the cause?

A. The instances are using internal DNS names, and flow logs only capture traffic by IP address.
B. The sample rate of 1.0 means all flows are sampled, but metadata annotation may be causing some flows to be dropped.
C. Flow logs must be enabled on the VPC network, not just the subnet.
D. VPC Flow Logs do not capture traffic between instances in the same subnet because it does not traverse the VPC router.
Answer: D

Traffic within the same subnet is sent directly at layer 2, bypassing the router where flow logs are captured.

Why this answer

VPC Flow Logs capture only IP traffic that is logged for both ingress and egress. If the application server and database server are in the same subnet, traffic between them is layer 2 (if they are on the same VPC) and may not be captured because flow logs apply to traffic that traverses the virtual network stack. Traffic within the same subnet is typically forwarded directly without going through the VPC router, so flow logs may not capture it.

Option D is correct.

254 · MCQ · medium

A company needs a dedicated, low-latency connection from their on-premises data center to GCP with a 10 Gbps capacity. They require the highest availability and service level agreement (SLA). Which connectivity option should they choose?

A. Carrier Peering using Equinix or other carrier.
B. Dedicated Interconnect with two connections to different meet-me rooms.
C. Partner Interconnect with two VLAN attachments from different providers.
D. Cloud VPN with two tunnels from different VPN gateways.
Answer: B

Dedicated Interconnect provides dedicated, low-latency connection with high SLA.

Why this answer

Dedicated Interconnect provides a direct, private connection between the on-premises data center and GCP with 10 Gbps capacity. By using two connections to different meet-me rooms, the company achieves the highest availability and meets the 99.99% SLA, as this eliminates single points of failure at the physical layer and within a single facility.

Exam trap

Google Cloud often tests the misconception that Partner Interconnect can match the SLA of Dedicated Interconnect, but the key trap is that Partner Interconnect's SLA is limited to the partner's network and does not cover the entire path from on-premises to GCP.

How to eliminate wrong answers

Option A is wrong because Carrier Peering uses a shared connection over the public internet, does not offer a 10 Gbps dedicated capacity, and provides no SLA for availability or latency. Option C is wrong because Partner Interconnect relies on a third-party provider's network, which introduces additional latency and does not offer the same 99.99% SLA as Dedicated Interconnect; two VLAN attachments from different providers still depend on the partner's infrastructure. Option D is wrong because Cloud VPN uses encrypted tunnels over the public internet, cannot guarantee 10 Gbps throughput (typically limited to ~3 Gbps per tunnel), and provides no SLA for latency or availability.

255 · Multi-Select · medium

Which TWO of the following are true regarding VPC Network Peering? (Choose TWO.)

Select 2 answers
A. The VPCs' subnet IP ranges must not overlap.
B. It supports transitive routing across multiple peering connections.
C. It supports exchange of routes with custom dynamic routing.
D. Custom dynamic routes are automatically exchanged.
E. It can be used to connect VPCs in different organizations.
Answers: A, E

Overlapping IP ranges are not allowed in VPC peering.

Why this answer

Option A is correct because VPC Network Peering requires that the subnet IP ranges of the peered VPCs do not overlap. Overlapping ranges would cause routing conflicts and ambiguous destination addresses, as GCP uses the subnet CIDR blocks to determine the next hop for traffic. If two VPCs have overlapping ranges, packets cannot be reliably forwarded to the correct destination, breaking the peering connection.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering supports transitive routing or dynamic route exchange, leading candidates to select options B or C, when in fact peering is strictly non-transitive and only exchanges subnet and static routes.

256 · MCQ · hard

A company has two Dedicated Interconnect connections to two separate Google Cloud regions for redundancy. They use Cloud Router with BGP to exchange routes. They want to ensure that traffic from on-premises to a specific VPC in us-central1 uses only the interconnect to us-central1, and the other interconnect is used only as a backup. How can they achieve this?

A. Configure MED values on the on-premises router to prefer the us-central1 interconnect.
B. Configure BGP communities on Google Cloud to prefer the us-central1 interconnect.
C. Configure AS path prepending on the on-premises router to make the us-central1 path longer.
D. Use Cloud Router's custom route advertisements to influence path selection.
Answer: A

Lower MED on us-central1 interconnect will make on-premises router prefer that path.

Why this answer

Option A is correct because Multi-Exit Discriminator (MED) is a BGP attribute used to influence inbound traffic from an AS to a specific entry point. By setting a lower MED value on the on-premises router for the routes advertised via the us-central1 interconnect, the on-premises network will prefer that path for traffic destined to the VPC in us-central1. The other interconnect will only be used if the preferred path fails, providing the desired active/backup behavior.

Exam trap

The trap here is that candidates often confuse MED with AS path prepending, thinking that making a path longer (prepending) increases preference, when in fact it decreases it, and they may also mistakenly believe that Google Cloud can directly influence on-premises path selection via communities or custom advertisements.

How to eliminate wrong answers

Option B is wrong because BGP communities on Google Cloud are used to tag routes for controlling route advertisement or applying routing policies within Google's network, not to influence path selection from on-premises; the on-premises router must set the MED or other attributes. Option C is wrong because AS path prepending makes a path longer (less preferred), which would cause the on-premises router to prefer the other interconnect, not the us-central1 one. Option D is wrong because Cloud Router's custom route advertisements control which routes are advertised to on-premises, not how on-premises selects among multiple paths; path selection is determined by BGP attributes on the on-premises side.
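The BGP attribute semantics that questions 248 and 256 rely on, as an added example that is not code from the question bank or from Google: a simplified best-path selector (LOCAL_PREF, then AS_PATH length, then MED) showing how mismatched local preference splits the outbound and return paths, and how a lower MED or a prepended AS path changes which interconnect wins. The ASNs, prefixes and the second region name (us-east1) are constructed.

```python
"""Simplified BGP best-path selection (constructed example, not vendor code).

Only the first decision steps are modelled: highest LOCAL_PREF, then
shortest AS_PATH, then lowest MED. MED is compared directly here because
every path in these scenarios comes from the same neighbour AS.
"""
from dataclasses import dataclass


@dataclass
class Path:
    prefix: str
    learned_via: str        # label of the router/attachment the path came from
    local_pref: int = 100   # higher wins; set locally by the receiving AS
    as_path: tuple = ()     # shorter wins; prepending makes it longer
    med: int = 0            # lower wins; set by the advertising neighbour


def _rank(p):
    """Sort key: tuples compare element by element, so negating local_pref
    puts 'higher local_pref' first, then shorter AS path, then lower MED."""
    return (-p.local_pref, len(p.as_path), p.med)


def best_path(paths):
    """Winning path for one prefix, or None when there are no paths."""
    return min(paths, key=_rank) if paths else None


def ecmp_candidates(paths):
    """Every path tied with the best one. A router may hash flows across
    all of them, so the return path is unpredictable when this has >1 entry."""
    best = best_path(paths)
    return [p for p in paths if best and _rank(p) == _rank(best)]


def q248_demo():
    """On-premises holds the VPC prefix via R1 (local_pref 200) and R2 (100);
    Google Cloud holds 10.0.0.0/8 via both attachments with equal attributes.
    Returns (outbound choice, possible return paths, symmetric?)."""
    onprem = [Path("10.1.0.0/16", "R1", local_pref=200, as_path=(65000,)),
              Path("10.1.0.0/16", "R2", local_pref=100, as_path=(65000,))]
    gcp = [Path("10.0.0.0/8", "R1", as_path=(65002,)),
           Path("10.0.0.0/8", "R2", as_path=(65002,))]
    outbound = best_path(onprem).learned_via
    return_via = [p.learned_via for p in ecmp_candidates(gcp)]
    return outbound, return_via, return_via == [outbound]


def q256_demo(prepend_central=False):
    """On-premises chooses between two interconnects to the same VPC prefix.
    The lower MED on the us-central1 path wins; prepending that path's AS
    instead lengthens it and hands the decision to the other interconnect."""
    central = (65000,) * (3 if prepend_central else 1)
    paths = [Path("10.1.0.0/16", "us-central1", as_path=central, med=10),
             Path("10.1.0.0/16", "us-east1", as_path=(65000,), med=100)]
    return best_path(paths).learned_via


if __name__ == "__main__":
    print("q248:", q248_demo())                     # ('R1', ['R1', 'R2'], False)
    print("q256:", q256_demo(), q256_demo(True))    # us-central1 us-east1
```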

257 · MCQ · easy

Refer to the exhibit. A VM in the default VPC with tag 'internal' and IP 10.128.1.2 is unable to communicate with another VM with IP 10.132.0.3 and tag 'internal'. What is the most likely cause?

A. The rule only applies to ingress traffic.
B. The rule only allows TCP and UDP, not ICMP.
C. The rule priority is too low.
D. The source range 10.128.0.0/14 does not include 10.132.0.3.
Answer: D

The source range excludes 10.132.0.3, blocking return traffic.

Why this answer

The firewall rule allows ingress from source range 10.128.0.0/14, which covers 10.128.0.0 to 10.131.255.255. IP 10.132.0.3 is outside this range, so return traffic from VM2 to VM1 is blocked. Option D identifies this.

Option A is incorrect because the rule direction is ingress, which is correct for receiving traffic. Option B is incorrect because ICMP is allowed. Option C is incorrect because priority 1000 is within the valid range and does not cause blocking.
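The source-range check behind this question, and the ICMP-works-but-TCP-8080-fails symptom of question 251, as an added example that is not code from the question bank or from Google: a small evaluator for ingress firewall rules (lowest priority number first, implied deny when nothing matches). The rules are constructed from the facts the explanations state (source range 10.128.0.0/14, tag 'internal', priority 1000, ingress, TCP/UDP/ICMP allowed); the vpc-a subnet 10.128.0.0/20 and source 10.128.0.5 for question 251 are assumptions.

```python
"""Evaluate VPC-style ingress firewall rules against a packet (constructed
example, not Google's implementation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    priority: int           # lower number is evaluated first
    action: str             # "allow" or "deny"
    source_ranges: list     # CIDRs the packet's source must fall inside
    protocols: dict         # {"tcp": [8080], "icmp": None}; None = any port
    target_tags: set = field(default_factory=set)   # empty = all instances


def rule_matches(rule, src_ip, dst_tags, proto, port=None):
    """True if the rule applies to this packet (before its action is taken)."""
    src = ip_address(src_ip)
    if not any(src in ip_network(r) for r in rule.source_ranges):
        return False
    if rule.target_tags and not (rule.target_tags & dst_tags):
        return False
    if proto not in rule.protocols:
        return False
    ports = rule.protocols[proto]
    return ports is None or port in ports


def evaluate(rules, src_ip, dst_tags, proto, port=None):
    """First matching rule by priority wins; with no match, VPC ingress falls
    through to the implied deny-all. Returns (action, matching rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, dst_tags, proto, port):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


# Constructed rule modelled on the question's exhibit.
EXHIBIT_RULES = [
    Rule("allow-internal", 1000, "allow", ["10.128.0.0/14"],
         {"tcp": None, "udp": None, "icmp": None}, {"internal"}),
]

# Constructed rule set for question 251's vpc-b: ICMP from the peered
# subnet is allowed, but nothing covers TCP 8080.
VPC_B_RULES = [
    Rule("allow-icmp-from-vpc-a", 1000, "allow", ["10.128.0.0/20"], {"icmp": None}),
]


def q257_check(src_ip="10.132.0.3"):
    """Bounds of the exhibit's source range and the verdict for src_ip."""
    net = ip_network("10.128.0.0/14")
    verdict = evaluate(EXHIBIT_RULES, src_ip, {"internal"}, "icmp")
    return str(net.network_address), str(net.broadcast_address), verdict


def q251_check():
    """ICMP passes while TCP 8080 hits the implied deny."""
    ping = evaluate(VPC_B_RULES, "10.128.0.5", set(), "icmp")
    web = evaluate(VPC_B_RULES, "10.128.0.5", set(), "tcp", 8080)
    return ping, web


if __name__ == "__main__":
    print("q257:", q257_check())   # range ends at 10.131.255.255; 10.132.0.3 denied
    print("q251:", q251_check())   # icmp allowed, tcp/8080 implied deny
```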

258 · MCQ · medium

A company has deployed Cloud HA VPN between their on-premises network and Google Cloud. They have two tunnels from the on-premises VPN appliance to the HA VPN gateway. The on-premises appliance uses a single public IP address for both tunnels, while the Cloud VPN gateway uses two different public IPs. BGP sessions are established over both tunnels, and the Cloud Router is configured with 'active/active' mode. The network team notices that all outbound traffic from Google Cloud to on-premises is using only one of the two tunnels, even though both tunnels are up. BGP metrics are identical for routes received over both sessions. What is the most likely cause?

A. The BGP sessions have different hold timers causing one to be preferred.
B. The on-premises appliance must use two different public IPs for ECMP to work.
C. The Cloud Router does not support ECMP when both BGP sessions have the same peer IP address.
D. The Cloud Router must be configured with 'active/standby' mode instead of 'active/active'.
Answer: C

Even if routes are identical, ECMP may not work if the next hop is the same; Cloud Router uses flow-based hashing that may not balance in this case.

Why this answer

Option C is correct because Cloud Router uses the BGP peer IP address as part of the ECMP hash key. When both BGP sessions originate from the same on-premises public IP (the single IP used for both tunnels), Cloud Router sees them as the same peer and does not load-balance across them. Even though the tunnels use different Cloud VPN gateway IPs, the BGP sessions share a common peer IP, which prevents ECMP from being enabled.

Exam trap

Google Cloud often tests the misconception that ECMP requires different tunnel endpoints or different BGP metrics, when the actual requirement is that the BGP peer IP addresses must be unique for the Cloud Router to treat the sessions as separate multipath candidates.

How to eliminate wrong answers

Option A is wrong because BGP hold timers affect session stability, not route preference; identical BGP metrics mean the routes are equally preferred, and differing hold timers would not cause one tunnel to be exclusively used. Option B is wrong because ECMP can work with a single on-premises IP if the Cloud Router sees distinct BGP peer IPs; the issue is that the peer IP is the same for both sessions, not that the on-premises appliance must use two IPs. Option D is wrong because active/active mode is the correct configuration for ECMP; active/standby would intentionally use only one tunnel, which is not the desired behavior here.

259 · MCQ · medium

A company currently uses a site-to-site Cloud VPN (IPsec) to connect their on-premises network to a VPC. Due to growing bandwidth demands, they plan to migrate to Partner Interconnect using a supported service provider. They have ordered a 1 Gbps connection and the provider has indicated the VLAN attachment is ready. After creating the VLAN attachment and pairing it with a Cloud Router, the on-premises router sees the BGP session come up, but no traffic is forwarded over the interconnect. The Cloud VPN is still operational. What step is most likely missing?

A. Create a VPC firewall rule to allow traffic on the VLAN attachment
B. Add a firewall rule in the VPC allowing traffic from the on-premises IP ranges on the interconnect
C. Adjust the BGP metric (MED) on the Cloud Router for the Partner Interconnect VLAN attachment to be lower than the VPN route
D. Delete the Cloud VPN tunnel and gateway to force traffic over the interconnect
Answer: C

Without explicitly setting a lower metric, the route from the VPN might be preferred; lowering the metric makes the interconnect the preferred path.

Why this answer

Option C is correct because when both a Cloud VPN and a Partner Interconnect are connected to the same VPC, the Cloud Router will have multiple BGP routes for the same destination prefixes. By default, the VPN BGP session may have a lower MED (Multi-Exit Discriminator) or a higher local preference, causing traffic to prefer the VPN path. Lowering the MED on the VLAN attachment's BGP session makes the interconnect route more preferred, allowing traffic to be forwarded over the interconnect without deleting the VPN.

Exam trap

Google Cloud often tests the misconception that firewall rules are the missing step for traffic flow over a new interconnect, when in fact the issue is BGP route preference between parallel connections.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules are stateful and apply to traffic entering or leaving VM instances, not to the VLAN attachment itself; the attachment is a Layer 2/3 construct that does not require a dedicated firewall rule. Option B is wrong because firewall rules in the VPC already exist for the on-premises IP ranges if the VPN was working; the issue is routing, not firewall filtering. Option D is wrong because deleting the Cloud VPN tunnel and gateway is unnecessary and disruptive; the correct approach is to adjust BGP path selection (e.g., MED) to prefer the interconnect route while keeping the VPN as a backup.

260 · MCQ · hard

A company uses Shared VPC with multiple service projects. They want to ensure that only specific service projects can use the Cloud NAT configured in the host project. What should they do?

A. Configure Cloud NAT with a specific network tag and assign that tag only to VMs in authorized service projects.
B. Use firewall rules to restrict traffic from service projects.
C. Use VPC Service Controls to restrict access.
D. Configure IAM roles on the Cloud NAT resource to allow only specific projects.
Answer: A

This is the standard method to restrict Cloud NAT usage.

Why this answer

Cloud NAT can be restricted to specific VMs using network tags. By configuring the Cloud NAT gateway in the host project with a specific network tag, and then assigning that tag only to the VM instances in authorized service projects, only those tagged VMs can use the NAT gateway. This ensures that only specific service projects (via their tagged VMs) can leverage the Cloud NAT, while all other VMs in the shared VPC are excluded.

Exam trap

The trap here is that candidates often assume IAM is the correct way to restrict access to a Cloud NAT resource, but Cloud NAT does not have an IAM resource—it is a regional service that is controlled via network tags or subnet-level configuration, not IAM permissions.

How to eliminate wrong answers

Option B is wrong because firewall rules control traffic flow (allow/deny) based on IP addresses, ports, and protocols, but they cannot restrict which VMs can use a Cloud NAT gateway; Cloud NAT operates at the network address translation layer, not at the firewall rule level. Option C is wrong because VPC Service Controls are designed to protect data exfiltration by controlling access to Google Cloud APIs and services, not to manage which VMs can use a Cloud NAT gateway within a shared VPC. Option D is wrong because Cloud NAT does not have its own IAM resource; IAM roles on the Cloud NAT resource do not exist—Cloud NAT is a regional resource that is automatically used by VMs in the VPC, and access is controlled via network tags or subnet-level configuration, not IAM.

261 · Multi-Select · medium

An enterprise is evaluating connectivity options to Google Cloud. They have moderate bandwidth requirements (up to 1 Gbps) and need high availability. Which two of the following are appropriate solutions? (Choose two.)

Select 2 answers
A. HA VPN over the internet.
B. VPC peering with a third-party network.
C. Partner Interconnect with 1 Gbps connection.
D. Classic VPN with a single tunnel.
E. Dedicated Interconnect with 10 Gbps connections.
Answers: A, C

HA VPN provides up to 1.5 Gbps per tunnel and high availability with BGP.

Why this answer

HA VPN (High-Availability VPN) uses two tunnels to two separate Cloud VPN gateways, providing automatic failover and meeting the 99.99% SLA when configured with dynamic routing (BGP). This solution supports up to 3 Gbps per tunnel pair, easily covering the 1 Gbps requirement, and uses the public internet without needing physical cross-connects.

Exam trap

Google Cloud often tests the misconception that any VPN with 'HA' in the name is automatically suitable for high availability, but the trap here is that Classic VPN (option D) lacks redundancy and BGP, while HA VPN (option A) is the correct choice; candidates may also incorrectly assume Dedicated Interconnect (option E) is always better, ignoring the bandwidth requirement and cost efficiency.

262
MCQ · hard

A media streaming company uses Cloud CDN with signed URLs to protect content. They want to invalidate cached content for a specific file after a security incident. The file is stored in a Cloud Storage bucket and the CDN cache key includes the URL. They run: `gcloud compute url-maps invalidate-cdn-cache URL_MAP --path "/videos/incident.mp4"`. The invalidation succeeds but the old content is still served. What is the most likely reason?

A.The Cloud CDN cache key does not include query parameters, so the invalidation should work.
B.The Cache-Control header on the object is set to public, max-age=31536000.
C.The invalidation path does not match the cache key because signed URLs include query parameters.
D.The Cloud Storage bucket requires object versioning to be enabled for invalidation.
Answer: C

With signed URLs, each request has unique query strings, so the cache key varies.

Why this answer

Option C is correct because Cloud CDN's cache key for signed URLs includes the query parameters (e.g., `?Expires=...&Signature=...`). The invalidation command specifies only the path `/videos/incident.mp4`, which does not match the full cache key that includes the query string. As a result, the invalidation does not purge the cached entry for the signed URL, and the old content continues to be served.

Exam trap

Google Cloud often tests the misconception that cache invalidation by path alone will work for all cached objects, ignoring that signed URLs or query parameters can create distinct cache entries that require matching the full cache key.

How to eliminate wrong answers

Option A is wrong because the cache key does include query parameters when signed URLs are used, so the invalidation path must match the full cache key. Option B is wrong because a long `max-age` only affects how long the object is cached by the browser or intermediate caches, not Cloud CDN's ability to invalidate its own cache; invalidation overrides any cache-control directives. Option D is wrong because object versioning is not required for CDN cache invalidation; Cloud CDN invalidates based on the cache key, not on object versions.

263
Multi-Select · medium

A company is designing a secure multi-VPC architecture in Google Cloud. They have three VPCs: Production, Staging, and Shared Services. The Shared Services VPC hosts a Cloud NAT for outbound internet access and a set of managed instance groups. The Production and Staging VPCs are peered to the Shared Services VPC. The company wants to ensure that: (1) instances in Staging cannot initiate connections to instances in Production, (2) instances in Production cannot initiate connections to instances in Staging, (3) all VPCs can communicate with Shared Services, and (4) traffic between VPCs must be inspected by a firewall appliance in Shared Services. Which TWO actions should the company take?

Select 2 answers
A.Delete the VPC peering connection between the Staging and Production VPCs.
B.Set up a Cloud VPN between each spoke VPC and the Shared Services VPC to enable transitive routing.
C.Configure static routes in each spoke VPC with a next hop to the firewall appliance's internal IP for the destination VPC's subnet ranges.
D.Remove the default route (0.0.0.0/0) from the spoke VPCs to prevent direct internet access.
E.Enable the export of custom routes from the Shared Services VPC to the peered VPCs.
Answers: C, E

This forces traffic between spokes to go through the firewall.

Why this answer

Option C is correct because configuring static routes in each spoke VPC with a next hop to the firewall appliance's internal IP ensures that traffic between Production and Staging is forced through the firewall in Shared Services for inspection. This satisfies the requirement that all inter-VPC traffic must be inspected, as VPC peering alone does not support transitive routing or traffic inspection.

Exam trap

The trap here is that candidates often assume VPC peering provides transitive routing automatically, but Google Cloud explicitly does not support transitive peering, requiring manual route configuration to direct traffic through a central inspection appliance.

264
MCQ · easy

An organization has an on-premises router that only supports static routing and does not support BGP. They need private connectivity to a single Google Cloud VPC. Which solution should they use?

A.Cloud VPN with dynamic routing (BGP)
B.HA VPN with policy-based routing
C.Dedicated Interconnect with static routing
D.Partner Interconnect with BGP
Answer: C

Dedicated Interconnect supports configuring static routes for the VLAN attachment without needing BGP.

Why this answer

Dedicated Interconnect supports static routing, which is required because the on-premises router does not support BGP. This solution provides direct, private connectivity to a single Google Cloud VPC without relying on dynamic routing protocols, making it the correct choice for this scenario.

Exam trap

Google Cloud often tests the misconception that Cloud VPN or Partner Interconnect can operate without BGP, but in Google Cloud, all VPN and Partner Interconnect solutions require BGP for dynamic routing, while Dedicated Interconnect uniquely supports static routing.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with dynamic routing requires BGP, which the on-premises router does not support. Option B is wrong because HA VPN with policy-based routing is not supported in Google Cloud; HA VPN uses route-based routing with BGP. Option D is wrong because Partner Interconnect requires BGP for routing, which is incompatible with the on-premises router's static routing limitation.

265
MCQ · hard

A company uses Cloud Armor with an external HTTPS load balancer to protect their web application. They have a security policy 'my-policy' attached to the backend service. The policy includes an allow rule (priority 1000) for their corporate IP range (203.0.113.0/24) and a deny rule (priority 2000) for all other IPs. The company has an office at a remote location that uses a different IP range (198.51.100.0/24). Employees from the remote office report they cannot access the application. Meanwhile, employees from the corporate office (203.0.113.0/24) can access. The engineer checks the Cloud Armor policy and sees the rule configuration as shown. What is the most likely cause?

A.The rule evaluation order is wrong; the deny rule should have higher priority (lower number).
B.The remote office IP range is not included in an allow rule in the security policy.
C.The deny rule uses 'SRC_IPS_V2' which is an invalid expression.
D.The load balancer's frontend IP blocks traffic from certain geographic regions.
Answer: B

Only the corporate IP range is allowed; all others are denied by the default deny rule.

Why this answer

The remote office IP range (198.51.100.0/24) is not explicitly allowed by any rule in the security policy. The only allow rule (priority 1000) permits traffic from the corporate IP range (203.0.113.0/24), and the deny rule (priority 2000) blocks all other IPs. Since the remote office IPs are not covered by the allow rule, they are denied by default, which explains their inability to access the application.

Exam trap

Google Cloud often tests the misconception that a deny rule with a higher priority number (e.g., 2000) will override an allow rule with a lower priority number (e.g., 1000), but in reality, Cloud Armor evaluates rules in ascending priority order, so the allow rule is evaluated first and permits matching traffic before the deny rule is considered.

How to eliminate wrong answers

Option A is wrong because the rule evaluation order is correct: Cloud Armor evaluates rules from lowest priority number to highest, so the allow rule (priority 1000) is evaluated before the deny rule (priority 2000). Option C is wrong because 'SRC_IPS_V2' is a valid expression type in Cloud Armor for specifying IP ranges using CIDR notation, and its use does not cause the issue. Option D is wrong because the load balancer's frontend IP does not block traffic based on geographic regions; geographic blocking would require a separate Cloud Armor rule or a different configuration, and the problem statement does not indicate any such rule.

266
MCQ · medium

An organization has established a Dedicated Interconnect to Google Cloud. They can ping instances in a VPC subnet but cannot connect to a service running on a different subnet within the same VPC. What is the most likely cause?

A.The MTU is too small.
B.The firewall rules are blocking the traffic.
C.The VLAN attachment is down.
D.The BGP routes for that subnet are not advertised.
Answer: D

If the on-premises router does not advertise the subnet via BGP, the VPC will not know how to route traffic back.

Why this answer

The Dedicated Interconnect is up and the organization can ping instances in one subnet, which confirms that Layer 2 and basic Layer 3 connectivity (via the VLAN attachment) are working. However, the inability to reach a service on a different subnet within the same VPC indicates that the on-premises router does not have a route to that specific subnet. This is most likely because the BGP session is not advertising the prefix for that subnet, or the on-premises router is not receiving the route via BGP.

Without the route, traffic from on-premises to that subnet will be dropped.

Exam trap

Google Cloud often tests the misconception that firewall rules are the default cause of connectivity issues within a VPC, but here the key clue is that ping to one subnet works, isolating the problem to route advertisement rather than security policies.

How to eliminate wrong answers

Option A is wrong because MTU issues typically cause packet fragmentation problems or connectivity failures for large packets, not a complete inability to reach a different subnet while ping (which uses small packets) works. Option B is wrong because firewall rules in Google Cloud VPC are stateful and apply to all traffic; if ping to one subnet works, firewall rules are not blocking traffic to another subnet within the same VPC (assuming similar ingress/egress rules). Option C is wrong because if the VLAN attachment were down, the organization would not be able to ping any instances in the VPC at all, as the interconnect link would be non-functional.

267
MCQ · easy

Refer to the exhibit. A VM in 'subnet-a' can access Google APIs via private IP, but a VM in 'subnet-b' cannot. What change should be made to fix this?

A.Change the stack type of subnet-b to IPV4_IPV6.
B.Configure Cloud NAT in the region of subnet-b.
C.Add a firewall rule allowing egress to 0.0.0.0/0 on port 443 for subnet-b.
D.Enable Private Google Access on subnet-b.
Answer: D

Enabling Private Google Access allows VMs to reach Google APIs via internal IP.

Why this answer

Private Google Access enables a VM that has only an internal IP address (no external IP) to reach Google APIs and services through the default internet gateway using Google's private network. Since subnet-b lacks this setting, VMs there cannot reach Google APIs via private IP. Enabling Private Google Access on subnet-b resolves this by allowing the VM's traffic to be routed to Google APIs without needing an external IP.

Exam trap

Google Cloud often tests the distinction between enabling outbound internet access (Cloud NAT) and enabling private access to Google services (Private Google Access), leading candidates to mistakenly choose Cloud NAT when the requirement is specifically for private IP access to Google APIs.

How to eliminate wrong answers

Option A is wrong because changing the stack type to IPV4_IPV6 adds IPv6 support but does not enable private access to Google APIs; Private Google Access is independent of IP stack type. Option B is wrong because Cloud NAT provides outbound internet access for private VMs but does not route traffic to Google APIs via private IP; Cloud NAT uses external IPs for translation, not the private Google network path. Option C is wrong because a firewall rule allowing egress to 0.0.0.0/0 on port 443 would permit HTTPS traffic but does not enable the underlying routing needed for private Google API access; without Private Google Access, the traffic would still be dropped or sent via external IP.

268
MCQ · easy

Refer to the exhibit. A company has enabled Private Google Access on the subnet. What effect does this have on VMs in the subnet?

A.VMs can use external IPs to access Google services
B.VMs can access the internet using Cloud NAT
C.VMs can communicate with each other without firewall rules
D.VMs can access Google services using only internal IPs
Answer: D

Private Google Access enables access to Google APIs over internal IPs.

Why this answer

Private Google Access enables VMs in a subnet that have only internal IP addresses (RFC 1918) to reach Google APIs and services (e.g., Cloud Storage, BigQuery) through Google's internal network. The traffic is routed via the default internet gateway (which does not require an external IP on the VM) and uses a special 0.0.0.0/0 route with next hop 'default internet gateway' to reach Google's external IPs, but the VM itself never needs a public IP. This is why D is correct: VMs can access Google services using only internal IPs.

Exam trap

Google Cloud often tests the misconception that Private Google Access provides general internet access (like Cloud NAT) or that it requires VMs to have external IPs, when in fact it is strictly for Google APIs and services using internal-only VMs.

How to eliminate wrong answers

Option A is wrong because Private Google Access specifically allows VMs without external IPs to reach Google services; if a VM already has an external IP, it can reach Google services directly without needing Private Google Access. Option B is wrong because Cloud NAT is used to enable outbound internet connectivity for VMs without external IPs, but Private Google Access is a separate feature that only covers Google APIs and services, not general internet access. Option C is wrong because VM-to-VM communication within a subnet is governed by VPC firewall rules (ingress/egress), and Private Google Access has no effect on internal traffic between VMs.

269
Multi-Select · easy

Which TWO statements about VPC peering are correct?

Select 2 answers
A.VPC peering allows traffic without firewall rules if both VPCs are in the same project.
B.VPC peering automatically exports custom routes.
C.VPC peering can only be established for VPCs in the same region.
D.VPC peering requires that all subnet CIDR ranges be unique across both VPCs.
E.VPC peering can be established between VPCs in different organizations.
Answers: D, E

Overlapping subnets are not allowed.

Why this answer

Peering can be across organizations and requires non-overlapping subnets.

270
MCQ · medium

Refer to the exhibit. A network engineer checks the BGP status of a Cloud Router. The on-prem router has two BGP peers configured. What is the most likely cause of the IDLE session for the second peer?

A.The VLAN attachment is not configured
B.The BGP timers are misconfigured
C.The peer router is not configured with the correct BGP ASN
D.The peer router's firewall is blocking TCP port 179
Answer: D

Blocking port 179 prevents TCP connection, causing IDLE.

Why this answer

The IDLE state in BGP indicates that the session has not been established or has been reset. Since the on-prem router has two BGP peers and only one is IDLE, a per-peer issue like a firewall blocking TCP port 179 on the second peer's router is the most likely cause. This prevents the TCP three-way handshake required for BGP session establishment, leaving the session stuck in IDLE.

Exam trap

The trap here is that candidates often assume an IDLE session is always due to a BGP configuration mismatch (like ASN or timers), but the exam tests the nuance that a per-peer firewall rule blocking TCP 179 can cause IDLE on only one peer while the other remains established.

How to eliminate wrong answers

Option A is wrong because a VLAN attachment is a Layer 2 construct used for Cloud Router interfaces; its absence would affect all BGP sessions or the underlying connectivity, not just one specific peer. Option B is wrong because misconfigured BGP timers (e.g., keepalive or hold timers) would cause the session to oscillate between ESTABLISHED and IDLE or flap, not remain persistently in IDLE without any prior connection. Option C is wrong because an incorrect BGP ASN on the peer router would cause a NOTIFICATION message and the session to go to IDLE, but the question states the peer router is configured with two BGP peers—if the ASN were wrong, both peers would likely fail, not just one.

271
MCQ · easy

An organization needs to allow on-premises servers to resolve DNS names of GCP VM instances using RFC 1918 addresses. They have a Cloud VPN connection. Which DNS resolution approach should they implement?

A.Set up a public zone and use the instance's external IP for DNS
B.Configure Cloud DNS outbound server policy and forward from Cloud DNS to on-premises DNS
C.Use DNS peering with a private zone in the on-premises DNS
D.Configure Cloud DNS inbound server policy and set up forwarding from on-premises DNS to the Cloud DNS inbound endpoint
Answer: D

Enables on-premises to query Cloud DNS for private zones.

Why this answer

Option D is correct because the on-premises servers need to resolve DNS names of GCP VM instances using RFC 1918 addresses over a Cloud VPN connection. Configuring a Cloud DNS inbound server policy creates a VPC-wide inbound DNS endpoint (using an internal IP address) that on-premises DNS servers can forward queries to. This allows the on-premises DNS to send DNS requests for GCP private zone records (e.g., `vm-instance.c.example.internal`) directly to the Cloud DNS inbound endpoint, which then resolves the private RFC 1918 addresses of the VM instances.

Exam trap

The trap here is that candidates confuse inbound and outbound server policies, often selecting Option B (outbound) because they think 'forwarding to on-premises' is needed, but the requirement is for on-premises to query GCP, which requires an inbound endpoint.

How to eliminate wrong answers

Option A is wrong because using a public zone and the instance's external IP would expose the DNS records to the internet and require public IP addresses, contradicting the requirement to use RFC 1918 addresses. Option B is wrong because Cloud DNS outbound server policy is used to forward DNS queries from GCP VPCs to on-premises DNS servers, not the reverse direction needed here. Option C is wrong because DNS peering is used to allow DNS resolution between two GCP VPCs or between a GCP VPC and a service producer network; it does not support forwarding from an on-premises DNS server to Cloud DNS.

272
MCQ · hard

An organization is migrating to Google Cloud and requires connectivity between their on-premises network and VPC. They plan to use Cloud VPN with dynamic routing (BGP). Which VPC feature is required for this setup?

A.Cloud NAT
B.VPC peering
C.Cloud Router
D.VPC Flow Logs
Answer: C

Cloud Router manages BGP sessions for dynamic routing with VPN or Interconnect.

Why this answer

Cloud Router is required when using Cloud VPN with dynamic routing (BGP) because it manages the BGP sessions between the on-premises router and the Google Cloud VPN gateway. It exchanges routes dynamically, enabling automatic route propagation and failover without manual static route configuration.

Exam trap

The trap here is that candidates confuse Cloud Router with Cloud NAT or VPC peering, thinking any 'cloud' component or 'peering' term implies connectivity, but only Cloud Router handles the BGP dynamic routing required for Cloud VPN.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet access for private VMs, not connectivity between on-premises and VPC. Option B is wrong because VPC peering connects two VPCs within Google Cloud, not an on-premises network to a VPC. Option D is wrong because VPC Flow Logs capture network metadata for monitoring and troubleshooting, not routing or connectivity.

273
MCQ · easy

Refer to the exhibit. A Compute Engine instance has the network tags 'http-server' and 'ssh-server'. It also has a public IP address. Which of the following statements about traffic to this instance is true?

A.All traffic from the internet is denied because of the deny-all rule.
B.SSH traffic from the internet is allowed.
C.HTTP traffic from the internet is allowed.
D.HTTPS traffic from the internet is allowed.
Answer: C

The allow-http rule allows tcp:80 from 0.0.0.0/0 to tagged instances; the instance has http-server tag.

Why this answer

The instance has the network tag 'http-server', which is used by the default VPC firewall rule 'default-allow-http' to permit inbound TCP traffic on port 80 from any source (0.0.0.0/0). Since the instance also has a public IP address, HTTP traffic from the internet can reach it. The other tags and the public IP do not override this allow rule.

Exam trap

Google Cloud often tests the misconception that having a public IP address automatically opens all ports, or that a network tag alone (without a corresponding firewall rule) permits traffic on that port.

How to eliminate wrong answers

Option A is wrong because the implied deny-all rule only applies to traffic that is not explicitly allowed; the 'default-allow-http' rule explicitly permits HTTP traffic, so it is not denied. Option B is wrong because although the instance has the tag 'ssh-server', there is no default firewall rule that allows SSH traffic from the internet; the default-allow-ssh rule exists only if explicitly created, and the tag alone does not create a rule. Option D is wrong because HTTPS (port 443) is not allowed by any default rule associated with the 'http-server' tag; the default-allow-https rule would require a separate tag like 'https-server' or a custom rule.

274
MCQ · medium

A company is using Partner Interconnect to connect to Google Cloud. They notice that traffic from on-premises to GCP takes one path, but return traffic takes a different path, causing asymmetric routing. How can they resolve this?

A.Configure the same BGP ASN on both sides.
B.Apply BGP MED values to influence path selection.
C.Enable asymmetric routing mode on the Cloud Router.
D.Use different link-local addresses for each session.
Answer: B

MED allows you to indicate the preferred path for inbound traffic.

Why this answer

B is correct because applying BGP MED (Multi-Exit Discriminator) values allows you to influence the path selection for return traffic from Google Cloud to your on-premises network. By setting a lower MED value on one of the Partner Interconnect connections, you can make Google Cloud prefer that path for return traffic, thereby matching the forward path and resolving asymmetric routing. This is a standard BGP technique for controlling inbound traffic to an AS.

Exam trap

Google Cloud often tests the misconception that BGP ASN configuration or link-local addresses can fix routing asymmetry, when in fact only path-selection attributes like MED or AS path prepending can influence return traffic in a multi-homed BGP setup.

How to eliminate wrong answers

Option A is wrong because configuring the same BGP ASN on both sides would cause BGP to reject the session (eBGP requires different ASNs) or require allowas-in, which does not address asymmetric routing. Option C is wrong because Cloud Router does not have an 'asymmetric routing mode'; asymmetric routing is a network behavior, not a configurable mode on Cloud Router. Option D is wrong because using different link-local addresses for each session is a best practice for BGP session establishment but has no effect on path selection or routing symmetry.

275
MCQ · easy

Your company has two on-premises data centers, DC1 and DC2, each connected to a separate Google Cloud VPC via Dedicated Interconnect. Both VPCs are connected via VPC Network Peering. A new application deployed in VPC1 needs to communicate with a database in DC2. The database IP range is 10.0.0.0/16. You have configured firewall rules to allow the traffic. However, the application cannot reach the database. You have verified that routes for 10.0.0.0/16 exist in VPC1's route table with next hop to VPC Peering, and in VPC2's route table with next hop to the interconnect attachment. The BGP sessions on both interconnects are up. What is the most likely reason for the connectivity failure?

A.The route for 10.0.0.0/16 in VPC1 is not imported correctly from VPC Peering
B.VPC Network Peering does not support transitive routing through a peered VPC
C.BGP session on the interconnect between VPC2 and DC2 is down
D.Firewall rules in VPC2 are blocking traffic
Answer: B

VPC Peering does not allow a peered VPC to forward traffic to another network, breaking the path from VPC1 to DC2.

Why this answer

VPC Network Peering does not support transitive routing. In this topology, VPC1 is peered with VPC2, but traffic from VPC1 to DC2 must pass through VPC2 and then over the interconnect. Since VPC1's route for 10.0.0.0/16 points to the VPC peering as next hop, VPC1 expects the traffic to be forwarded directly to VPC2.

However, VPC2 cannot forward that traffic to DC2 because Google Cloud VPC peering does not allow a peered VPC to act as a transit hub; each VPC can only communicate directly with its peer, not with resources reachable through that peer. This is a fundamental limitation of VPC Network Peering, which is non-transitive.

Exam trap

The trap here is that candidates assume VPC peering behaves like a router or a traditional network switch, supporting transitive routing, when in fact Google Cloud VPC peering is strictly non-transitive and requires a separate peering or a dedicated interconnect for each VPC-to-on-premises path.

How to eliminate wrong answers

Option A is wrong because the route for 10.0.0.0/16 in VPC1 is correctly pointing to VPC Peering as the next hop, and the question states that routes exist, so import is not the issue. Option C is wrong because the BGP sessions on both interconnects are explicitly stated as up, so the interconnect between VPC2 and DC2 is functioning. Option D is wrong because firewall rules have been verified to allow the traffic, and the problem is at the routing layer, not the firewall layer.

276
MCQ · hard

Refer to the exhibit. A network team has created this load balancer. Clients inside the VPC are unable to connect to the load balancer's IP address from a Compute Engine instance in the same VPC. What is the most likely cause?

A.The target HTTPS proxy is not properly configured to use a backend service.
B.The load balancer is configured with network tier STANDARD, which does not support internal traffic.
C.The load balancer is using INTERNAL_MANAGED scheme, which requires the clients to be in a different region.
D.The load balancer does not have a backend service configured.
Answer: B

Internal load balancers must use Premium Tier. Standard tier is for external load balancers only.

Why this answer

Option B is correct because a load balancer configured with network tier STANDARD uses external IP addressing that does not support internal traffic routing within the same VPC. Clients inside the VPC attempting to connect to the load balancer's IP address from a Compute Engine instance in the same VPC will fail because STANDARD tier IPs are designed for external, internet-facing traffic and cannot be reached from within the VPC without a public IP and appropriate routing. The load balancer must use the Premium Tier (network tier PREMIUM) to support internal client traffic within the same VPC.

Exam trap

Google Cloud often tests the distinction between network tier STANDARD and PREMIUM, trapping candidates who assume all load balancer IPs are reachable from within the VPC regardless of tier, when in fact STANDARD tier IPs are external-only and require public internet routing.

How to eliminate wrong answers

Option A is wrong because the target HTTPS proxy configuration is unrelated to the client's inability to connect from within the same VPC; a misconfigured proxy would cause backend failures, not a connectivity failure from clients to the load balancer IP. Option C is wrong because INTERNAL_MANAGED scheme is specifically designed for internal load balancing within the same VPC and region, and clients in the same region can connect; the issue here is the network tier, not the scheme or region. Option D is wrong because the absence of a backend service would cause health check failures or 502 errors, not a complete inability for clients to reach the load balancer's IP address from within the VPC.

277
Multi-Select · medium

Which TWO services can be used to provide outbound connectivity to the internet for private VMs in a VPC? (Assume VMs have no external IPs.)

Select 2 answers
A.Instance with external IP
B.Cloud Router
C.Private Google Access
D.Cloud NAT
E.Cloud VPN
Answers: A, D

Can be configured as a NAT gateway for other private VMs.

Why this answer

Option A is correct because an instance with an external IP can provide outbound connectivity for private VMs if it is configured as a NAT gateway or proxy. However, the question specifies that VMs have no external IPs, so this option is technically incorrect in the context of the question's constraint. The intended correct answer for outbound connectivity without external IPs is Cloud NAT, which allows private VMs to access the internet using source network address translation (SNAT) without assigning external IPs to individual VMs.

Exam trap

The trap here is that candidates often confuse Private Google Access (which only works for Google services) with general internet access, or assume Cloud Router or Cloud VPN can provide NAT-like functionality, when in fact only Cloud NAT (or a custom NAT instance) can provide outbound internet connectivity for private VMs without external IPs.

278
MCQ · medium

A company uses an internal TCP/UDP load balancer to distribute traffic to a backend service. The backend instances are in an unmanaged instance group. Some instances fail health checks and are removed. What happens to existing connections to failed instances?

A.The load balancer drains existing connections before removing the instance.
B.Existing connections are seamlessly redirected to healthy instances.
C.Existing connections are terminated immediately.
D.The load balancer waits for all existing connections to close before removing the instance.
Answer: C

Internal TCP/UDP load balancers do not provide connection draining; connections are dropped.

Why this answer

When an instance in an unmanaged instance group fails a health check, the internal TCP/UDP load balancer immediately terminates all existing connections to that instance. This is because the load balancer does not support connection draining for unmanaged instance groups; it simply stops forwarding new traffic and drops existing flows to the failed instance. The abrupt termination occurs because the load balancer operates at Layer 4 and has no mechanism to gracefully close TCP connections or wait for application-level cleanup.

Exam trap

The trap here is that candidates often assume connection draining is always available for load balancers, but the exam tests the distinction between managed and unmanaged instance groups, where unmanaged groups lack graceful connection termination features.

How to eliminate wrong answers

Option A is wrong because connection draining is a feature used with managed instance groups, not unmanaged instance groups; the load balancer does not drain connections for unmanaged groups. Option B is wrong because existing connections are not seamlessly redirected; TCP/UDP sessions are stateful and cannot be transparently moved to another instance without breaking the connection. Option D is wrong because the load balancer does not wait for connections to close; it removes the instance immediately upon health check failure, terminating all active connections.

279
MCQ · easy

You need to allow on-premises servers to access a Google Cloud VM's internal IP without using a public IP. The on-premises network is connected via Cloud VPN. What configuration is required on the Google Cloud side?

A.Configure Cloud NAT for the on-premises network.
B.Enable Private Google Access on the VPC subnet where the VM resides.
C.Assign a global static external IP to the VM.
D.Configure Cloud DNS forwarding to the on-premises DNS servers.
Answer: B

Private Google Access allows on-premises hosts to access Google APIs and services, but for internal IP access, the VPN provides the routing.

Why this answer

Option B is correct because Private Google Access for on-premises hosts (via VPN/Interconnect) requires setting up a Private Service Connect endpoint, or simply enabling Private Google Access on the subnet and ensuring routes are advertised. The simplest method is to enable Private Google Access on the VPC subnet (or the whole VPC) and ensure that the on-premises network can reach the internal IP directly via VPN routes. Option A is wrong because Cloud NAT is for outbound traffic only.

Option C is wrong because a global static external IP is not needed. Option D is wrong because Cloud DNS forwarding is not directly required.

280
MCQ · hard

A request comes from IP 192.0.2.5, with origin region code 'US', and path '/admin/dashboard'. What will be the final action?

A.Deny by rule priority 1000.
B.Deny by rule priority 2000.
C.Deny by rule priority 3000.
D.Allow (default rule).
Answer: B

The request path starts with '/admin', matching rule 2000.

Why this answer

The request matches a rule with priority 2000 that denies traffic from IP 192.0.2.5 to path '/admin/dashboard' with origin region 'US'. Since Cloud Armor security policies evaluate rules in ascending priority order, rule 2000 is evaluated before rule 3000 and after rule 1000. Rule 1000 does not match (likely a different condition), so rule 2000 applies and denies the request.

Exam trap

Google Cloud often tests the misconception that rules are evaluated in descending priority order (e.g., 3000 before 2000) or that the default rule overrides explicit deny rules, when in fact the lowest numeric priority wins and evaluation stops at the first match.

How to eliminate wrong answers

Option A is wrong because priority 1000 is evaluated first but does not match the request (e.g., it might allow all traffic or match a different path/region), so it does not deny. Option C is wrong because priority 3000 is evaluated after priority 2000; once a match occurs at priority 2000, evaluation stops and rule 3000 is never reached. Option D is wrong because the default rule (allow) only applies if no higher-priority rule matches; here, rule 2000 matches and denies the request.
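The evaluation order described above, as an added example that is not part of the question bank: a small Python model of how a Cloud Armor security policy picks the deciding rule. The policy contents (what rules 1000 and 3000 match) are constructed assumptions, since the exhibit is not on the page; the fixed default-rule priority 2147483647 is real Cloud Armor behaviour.

```python
"""Added example (not from the question bank): simulate Cloud Armor rule selection.

Constructed assumptions: rule 1000 targets a different path, rule 2000 denies
/admin paths, rule 3000 denies a region, and the default rule allows.
Rules are evaluated in ascending priority order and evaluation stops at the
first match, regardless of the order in which the rules were created.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

DEFAULT_RULE_PRIORITY = 2_147_483_647  # Cloud Armor's fixed priority for the default rule


@dataclass(frozen=True)
class Request:
    src_ip: str
    region_code: str   # corresponds to origin.region_code in Cloud Armor expressions
    path: str          # corresponds to request.path


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                      # "allow" or "deny(403)"
    match: Callable[[Request], bool]
    description: str = ""


def src_in(cidr: str) -> Callable[[Request], bool]:
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda r: ipaddress.ip_address(r.src_ip) in net


def region_is(code: str) -> Callable[[Request], bool]:
    return lambda r: r.region_code == code


def path_starts_with(prefix: str) -> Callable[[Request], bool]:
    return lambda r: r.path.startswith(prefix)


def all_of(*preds: Callable[[Request], bool]) -> Callable[[Request], bool]:
    return lambda r: all(p(r) for p in preds)


def evaluate(policy: List[Rule], request: Request) -> Tuple[str, int]:
    """Return (action, priority) of the first matching rule, lowest priority number first."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.match(request):
            return rule.action, rule.priority
    raise ValueError("policy has no default rule")


# Constructed policy, deliberately listed out of priority order to show that
# the numeric priority, not the list position, decides the outcome.
POLICY = [
    Rule(3000, "deny(403)", region_is("US"), "deny all traffic with origin region US"),
    Rule(DEFAULT_RULE_PRIORITY, "allow", lambda r: True, "default rule"),
    Rule(1000, "deny(403)", all_of(src_in("192.0.2.0/24"), path_starts_with("/api/")),
         "deny API calls from 192.0.2.0/24"),
    Rule(2000, "deny(403)", path_starts_with("/admin"), "deny admin paths"),
]

if __name__ == "__main__":
    req = Request("192.0.2.5", "US", "/admin/dashboard")
    print(evaluate(POLICY, req))  # rule 2000 matches first, so rule 3000 is never reached
```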

281
MCQ · easy

A company wants to use a third-party VPN appliance on Google Cloud (Compute Engine) to connect to an on-premises network. Which networking feature must be enabled to allow the VPN appliance to forward traffic between VPC subnets and the tunnel?

A.Create a custom route in the VPC pointing to the VPN appliance's internal IP.
B.Enable Private Google Access on the subnet hosting the VPN appliance.
C.Enable IP forwarding on the VPN appliance VM instance.
D.Create a firewall rule allowing traffic from the on-premises network to the VPC subnets.
Answer: C

IP forwarding is required for the VM to act as a router.

Why this answer

Option C is correct because a third-party VPN appliance running as a Compute Engine VM must have IP forwarding enabled to act as a router. Without this setting, the VM will drop any traffic that is not destined to its own IP address, even if the kernel is configured to forward packets. Enabling IP forwarding (via the `canIpForward` flag or the `gcloud compute instances create --can-ip-forward` option) allows the VM to forward traffic between the VPC subnets and the VPN tunnel interfaces.

Exam trap

Google Cloud often tests the distinction between network-level configurations (routes, firewall rules) and instance-level capabilities (IP forwarding), trapping candidates who assume that creating a route or firewall rule alone is sufficient for a VM to act as a gateway.

How to eliminate wrong answers

Option A is wrong because creating a custom route pointing to the VPN appliance's internal IP is necessary for directing traffic from VPC subnets to the on-premises network, but it is not the feature that must be enabled on the appliance itself; the question asks which feature must be enabled to allow the appliance to forward traffic, and that is IP forwarding. Option B is wrong because Private Google Access enables VMs without external IPs to reach Google APIs and services, but it has no role in forwarding traffic between VPC subnets and a VPN tunnel. Option D is wrong because firewall rules control which traffic is permitted to enter or leave the VPC, but they do not enable the VM to forward packets; without IP forwarding, the VM will not forward traffic even if firewall rules allow it.

282
MCQ · hard

Refer to the exhibit. The Cloud Router is configured with custom BGP advertisements. The on-premises router receives only the two advertised ranges (10.1.0.0/24 and 10.2.0.0/24) but not the VPC subnets (e.g., 10.3.0.0/24). What is the most likely reason?

A.The on-premises router is configured to accept only prefixes longer than /24.
B.The advertised route priority of 100 is too high, causing the routes to be ignored.
C.The Cloud Router's custom advertisement includes both the ALL_SUBNETS group and the explicit ranges, so all subnets should be advertised.
D.The on-premises router is filtering routes based on the BGP community or AS path.
Answer: D

On-premises routers often have ingress filters that can drop routes.

Why this answer

Option D is correct because Cloud Router custom advertisements can include BGP communities or AS-path attributes that the on-premises router may be filtering. If the on-premises router is configured to reject routes based on these attributes (e.g., only accepting routes with a specific community or AS-path length), it would drop the VPC subnet routes even if they are advertised. The scenario states that only the two explicitly advertised ranges are received, indicating a filtering mechanism on the on-premises side rather than a Cloud Router misconfiguration.

Exam trap

Google Cloud often tests the misconception that Cloud Router's custom advertisement configuration automatically overrides on-premises filtering, when in reality BGP attributes like communities and AS-path are the primary mechanisms for route filtering on the receiving side.

How to eliminate wrong answers

Option A is wrong because the on-premises router receiving /24 prefixes does not imply it filters longer prefixes; the VPC subnets (e.g., 10.3.0.0/24) are also /24, so prefix length filtering would not explain why they are missing. Option B is wrong because BGP route priority (MED or local preference) influences route selection among multiple paths, not whether a route is accepted or rejected; a priority of 100 is a default value and does not cause routes to be ignored. Option C is wrong because if the Cloud Router's custom advertisement includes both the ALL_SUBNETS group and explicit ranges, all VPC subnets should be advertised; the fact that only the explicit ranges are received points to a filtering issue on the on-premises side, not a Cloud Router configuration problem.

283
MCQ · hard

A company with limited public IP addresses on-premises needs to connect to Google Cloud using Cloud VPN. They require high availability. Which solution should they implement?

A.Use NAT to map multiple private IPs to one public IP.
B.Use Classic VPN with a single tunnel.
C.Use HA VPN with two on-premises public IPs and two tunnels.
D.Use HA VPN with the same public IP for both tunnels.
Answer: C

HA VPN provides redundancy by supporting active-active or active-passive with separate endpoints.

Why this answer

HA VPN provides high availability by using two tunnels, each terminating on a separate on-premises VPN gateway with a unique public IP address. This ensures that if one on-premises public IP or tunnel fails, traffic can still flow through the other tunnel, meeting the high-availability requirement. Classic VPN (option B) does not support active-active failover, and using the same public IP for both tunnels (option D) creates a single point of failure at the on-premises side.

Exam trap

Google Cloud often tests the misconception that HA VPN can use the same on-premises public IP for both tunnels, but in reality, each tunnel must terminate on a separate on-premises device or interface with a unique public IP to achieve true high availability.

How to eliminate wrong answers

Option A is wrong because NAT is a method for translating private IPs to a public IP for outbound internet access, not a solution for establishing a highly available VPN connection to Google Cloud. Option B is wrong because Classic VPN uses a single tunnel and a single on-premises public IP, providing no redundancy or automatic failover, thus failing the high-availability requirement. Option D is wrong because HA VPN requires two distinct on-premises public IP addresses for the two tunnels; using the same public IP for both tunnels would create a single point of failure at the on-premises gateway, negating the high-availability benefit.

284
MCQ · hard

A company has two VPCs in the same project, VPC-A and VPC-B. They have set up VPC peering between them. In VPC-A, there is a subnet 10.0.1.0/24. In VPC-B, there are subnets 10.0.2.0/24 and 10.0.3.0/24. A compute instance in VPC-A can ping an instance in VPC-B with IP 10.0.2.10, but fails to ping an instance in VPC-B with IP 10.0.3.10. All subnets are in the same region. Firewall rules allow all traffic between VPC-A and VPC-B. What is the most likely cause?

A.VPC-A has a static route to 10.0.3.0/24 that preempts the peering route.
B.The peering is not bidirectional; VPC-B is not exporting routes.
C.The firewall rules in VPC-B block ICMP from VPC-A to 10.0.3.0/24.
D.The subnet 10.0.3.0/24 was added after the peering, and the peering routes were not updated. Recreate the peering.
Answer: A

Static routes have higher priority than peering routes, causing traffic to go elsewhere.

Why this answer

VPC peering routes are automatically added to the route tables of both VPCs when the peering is established. However, if a more specific static route (e.g., to 10.0.3.0/24) exists in VPC-A, it will take precedence over the peering route due to longest prefix match routing. Since the instance in VPC-A can reach 10.0.2.10 but not 10.0.3.10, the most likely cause is that VPC-A has a static route that preempts the peering route for the 10.0.3.0/24 subnet.

Exam trap

The trap here is that candidates often assume VPC peering automatically works for all subnets in the peered VPC, forgetting that static routes with more specific prefixes can override peering routes, even when firewall rules are permissive.

How to eliminate wrong answers

Option B is wrong because VPC peering is bidirectional by default; both VPCs export and import routes unless explicitly configured otherwise, and the question does not indicate any custom export/import settings. Option C is wrong because the question explicitly states that firewall rules allow all traffic between VPC-A and VPC-B, so ICMP is not blocked. Option D is wrong because VPC peering routes are dynamically updated when subnets are added or removed; there is no need to recreate the peering, as route propagation is automatic.

285
MCQ · medium

A company is using Dedicated Interconnect to connect their on-premises network to Google Cloud. They have two VLAN attachments configured, each with a separate Cloud Router with active/active BGP. They want to ensure that traffic from their on-premises network to Google Cloud uses both attachments equally. Which configuration should they implement?

A.Set the same MED value on both on-premises BGP peers, and ensure the AS path length is identical.
B.Configure local preference on the Cloud Router to prefer one attachment, and rely on the other for backup.
C.Configure a single BGP session on one Cloud Router and use static routing for the other attachment.
D.Set a higher MED value on one on-premises peer to deprefer that attachment.
Answer: A

Equal MED and AS path length enables ECMP, balancing traffic across both attachments.

Why this answer

Option A is correct because setting the same MED (Multi-Exit Discriminator) value on both on-premises BGP peers ensures that Google Cloud's Cloud Routers, which are configured with active/active BGP, will see both paths as equally preferred. When the AS path length is also identical, the BGP best-path selection algorithm on the Cloud Routers will load-balance traffic across both VLAN attachments, achieving equal utilization. This is the standard method for enabling equal-cost multipath (ECMP) over Dedicated Interconnect with multiple attachments.

Exam trap

The trap here is that candidates often assume MED is only for influencing inbound traffic from Google Cloud to on-premises, but in this scenario, the MED values are set on the on-premises peers to influence how Google Cloud selects the return path, and equal MED is required for ECMP to work.

How to eliminate wrong answers

Option B is wrong because configuring local preference to prefer one attachment would make that attachment the primary path and the other a backup, which directly contradicts the requirement for equal traffic distribution. Option C is wrong because using a single BGP session on one Cloud Router with static routing on the other attachment would not allow dynamic load balancing; static routes lack the BGP attributes needed for equal-cost multipath, and the second attachment would only be used as a failover. Option D is wrong because setting a higher MED value on one on-premises peer would deprefer that attachment, making it less preferred and preventing equal traffic distribution; MED is a metric that influences path selection, and unequal values break ECMP.

286
MCQ · hard

A company uses a Shared VPC with a host project and multiple service projects. They have deployed Cloud NAT in the host project's network to provide internet access for service project instances. The Cloud NAT is configured to use a network tag 'nat'. Instances in service projects that have the tag 'nat' can reach the internet. A new service project is added and its instances are created with the same tag 'nat' in a subnet in europe-west1. However, these instances cannot reach the internet. Other service project instances with the tag 'nat' in us-central1 work fine. The Cloud NAT is deployed in us-central1. What is the most likely cause?

A.The Cloud NAT's UDP timeout is too short.
B.The firewall rules in the host project block traffic from the new service project's subnets.
C.The Cloud NAT is not in the same region as the new service project's instances.
D.The new service project's instances are not tagged with 'nat'.
Answer: C

Cloud NAT only works for instances in its region.

Why this answer

Cloud NAT is a regional resource; it only provides outbound internet access to instances within the same region. Since the Cloud NAT is deployed in us-central1, instances in europe-west1 cannot use it, regardless of their network tag. The instances in the new service project must have a Cloud NAT deployed in europe-west1 to reach the internet.

Exam trap

The trap here is that candidates assume Cloud NAT is a global resource or that network tags alone ensure connectivity, overlooking the critical regional scope of Cloud NAT and the fact that it must be deployed in the same region as the instances it serves.

How to eliminate wrong answers

Option A is wrong because UDP timeout settings affect the duration of NAT connections, not the ability to establish them across regions; a short timeout would cause dropped idle connections, not a complete lack of internet access. Option B is wrong because firewall rules in the host project control traffic at the network level, but Cloud NAT operates at the regional level and does not require explicit firewall rules for NAT traffic; the issue is regional mismatch, not firewall blocking. Option D is wrong because the question explicitly states the new instances are created with the same tag 'nat', so the tag is present; the problem is regional, not tag-related.

287
MCQ · easy

A company has Compute Engine instances without external IPs that need to access the internet for updates. They do not want any inbound traffic. What is the best design?

A.Configure Cloud NAT and rely on default firewall rules.
B.Configure Cloud NAT and add firewall rules to allow only necessary egress and deny all ingress.
C.Configure Cloud NAT and add a firewall rule to allow all egress traffic.
D.Configure Cloud NAT and add a firewall rule to deny all ingress and egress.
Answer: B

Meets both outbound access and inbound blocking requirements.

Why this answer

Option B is correct because Cloud NAT provides outbound internet connectivity for instances without external IPs, and the explicit firewall rules ensure only necessary egress traffic is allowed while denying all ingress, meeting the requirement of no inbound traffic. Default firewall rules allow some ingress (e.g., ICMP), so they must be overridden with a deny-all-ingress rule to fully block inbound traffic.

Exam trap

The trap here is that candidates assume default firewall rules are sufficient for security, but they actually allow some ingress (e.g., ICMP from internal ranges), so a deny-all-ingress rule is necessary to fully block inbound traffic.

How to eliminate wrong answers

Option A is wrong because default firewall rules allow certain ingress traffic (e.g., ICMP from RFC 1918 ranges), which violates the 'no inbound traffic' requirement. Option C is wrong because allowing all egress traffic is overly permissive and does not follow the principle of least privilege; the question implies only necessary egress (e.g., updates) should be allowed. Option D is wrong because denying all egress traffic would block the outbound updates the instances need, defeating the purpose of Cloud NAT.

288
Multi-Select · medium

Which TWO statements are true about VPC Network Peering?

Select 2 answers
A.Each VPC can have up to 25 peerings by default
B.Peered VPCs can communicate using RFC 1918 IP addresses without the need for VPN or Interconnect
C.Firewall rules in one VPC are automatically applied to the peered VPC
D.VPC peering incurs additional cost beyond standard egress charges
E.Custom static routes are automatically exchanged between peered VPCs
Answers: A, B

Default limit is 25 peerings per VPC.

Why this answer

Option A is correct because the default limit for VPC Network Peering per VPC is 25, as documented in Google Cloud's quotas and limits. This is a soft limit that can be increased by requesting a quota adjustment, but by default, each VPC can have up to 25 peerings. Option B is correct because VPC Network Peering allows direct communication between VPCs using RFC 1918 private IP addresses without requiring VPN tunnels or Cloud Interconnect, as the peering connection uses Google's internal network infrastructure.

Exam trap

The trap here is that candidates often assume firewall rules or custom routes are automatically shared across peered VPCs, but Google Cloud explicitly requires separate firewall rule management and manual route exchange configuration for custom routes.

289
Multi-Select · hard

A Cloud Router BGP session is flapping. Which TWO actions are appropriate troubleshooting steps?

Select 2 answers
A.Check the MTU size on the VPN tunnel or interconnect.
B.Delete and recreate the VLAN attachment.
C.Revert all BGP routes to static routes.
D.Verify BGP timers and hold time settings.
E.Increase the bandwidth of the interconnect.
Answers: A, D

MTU mismatches can cause packet loss and BGP session drops.

Why this answer

Option A is correct because an MTU mismatch on the VPN tunnel or interconnect can cause packet fragmentation or drops, leading to BGP session flapping. Cloud Router uses Google's internal infrastructure, and if the MTU is set too low, large BGP update packets may be silently discarded, triggering hold timer expiry and session resets. Checking and adjusting the MTU ensures that BGP packets can traverse the path without fragmentation.

Exam trap

Google Cloud often tests the misconception that increasing bandwidth or recreating attachments resolves BGP flapping, when in fact the issue is typically related to MTU mismatches or BGP timer misconfigurations that affect session stability.

290
MCQ · medium

A network engineer notices that VPC Flow Logs show connections from a Compute Engine instance to an IP address that should have been blocked by firewall rules. What is the most likely cause?

A.The firewall rule has a lower priority than a deny rule.
B.The instance is using an external IP.
C.VPC Flow Logs are inaccurate.
D.The firewall rule is not applied to the instance's network tag.
Answer: D

If the instance doesn't have the required tag, the firewall rule doesn't apply.

Why this answer

Option D is correct because if a firewall rule is not applied to the instance's network tag, the rule will not affect that instance. In Google Cloud, firewall rules can target instances by specifying target tags; if the rule's target tag does not match the instance's tag, the rule is not enforced on that instance, allowing traffic that should have been blocked.

Exam trap

Google Cloud often tests the misconception that firewall rules are automatically applied to all instances in a VPC, when in reality they must be explicitly associated via target tags or service accounts, and candidates may overlook the tag mismatch as the root cause.

How to eliminate wrong answers

Option A is wrong because a lower priority number means higher priority in Google Cloud firewall rules (priority 1000 is higher than 2000), so a deny rule with a lower priority number would take precedence over an allow rule with a higher priority number; the scenario describes traffic that should have been blocked, implying the allow rule is incorrectly allowing it, not that a deny rule is being overridden. Option B is wrong because using an external IP does not bypass firewall rules; firewall rules in Google Cloud are stateful and apply to all traffic regardless of whether the instance uses an internal or external IP, as they operate at the VPC network level. Option C is wrong because VPC Flow Logs are accurate; they capture metadata about network flows and are not prone to inaccuracies that would show connections that do not actually occur; they reflect actual traffic seen by the network.

291
MCQ · medium

A company wants to migrate an on-premises application that uses IPsec VPN tunnels to Google Cloud. They need to ensure encrypted connectivity between the on-premises network and a VPC. Which GCP service should they use?

A.Cloud Router
B.Cloud Interconnect
C.VPC Network
D.Cloud VPN
Answer: D

Provides IPsec VPN connectivity.

Why this answer

Cloud VPN (D) is the correct service because it securely extends an on-premises network to a Google Cloud VPC over the public internet using IPsec VPN tunnels. It provides encrypted connectivity that matches the existing IPsec-based architecture, ensuring data confidentiality and integrity between the two sites.

Exam trap

The trap here is that candidates confuse Cloud Router (a routing protocol component) with the actual VPN connectivity service, or assume Cloud Interconnect is required for encryption, when in fact Cloud Interconnect offers no native encryption and relies on separate IPsec overlays.

How to eliminate wrong answers

Option A is wrong because Cloud Router is a BGP-based dynamic routing component that exchanges routes between a Cloud VPN tunnel and a VPC, not a connectivity service itself. Option B is wrong because Cloud Interconnect provides dedicated, high-bandwidth physical connections between on-premises and Google Cloud, but it does not inherently include IPsec encryption; encryption would require an additional overlay. Option C is wrong because VPC Network is the virtual network container within Google Cloud that defines subnets, routes, and firewall rules, not a service that establishes encrypted tunnels to on-premises networks.

292
MCQ · medium

A network engineer is configuring VPC peering between two VPCs in the same project. The peering status is ACTIVE, but instances in one VPC cannot reach instances in the other VPC using internal IPs. The firewall rules are default (ingress deny all). What is the most likely cause?

A.The VPCs use different routing modes.
B.The IAM permissions for the peering are missing.
C.The VPCs have overlapping subnet CIDR ranges.
D.The engineer forgot to add firewall rules to allow traffic from the peer range.
Answer: D

Firewall rules are required to allow ingress traffic from the peered network.

Why this answer

Default firewall rules deny all ingress, so even with peering, traffic is blocked unless allow rules are added.

293
MCQ · medium

A company uses VPC Service Controls to protect a managed service (e.g., BigQuery) within a service perimeter. Developers need to access the service from an on-premises network via a Cloud VPN tunnel with a specific IP address. However, access is being denied. What is the most likely cause?

A.The project containing the VPN tunnel is not in the same perimeter.
B.The VM instances in the perimeter do not have public IP addresses.
C.The on-premises source IP is not included in the allowed external IP addresses list in the perimeter.
D.The Cloud VPN tunnel is not using IKEv2.
Answer: C

VPC Service Controls can restrict by source IP; the on-prem IP must be allowed.

Why this answer

VPC Service Controls enforce access to managed services like BigQuery by restricting which source IPs can reach the service. When accessing from on-premises via Cloud VPN, the source IP seen by the service is the on-premises client's IP, not the VPN gateway's IP. If that on-premises source IP is not explicitly added to the allowed external IP addresses list in the service perimeter, access is denied, even though the VPN tunnel is established.

Exam trap

Google Cloud often tests the misconception that placing the VPN tunnel's project inside the service perimeter or using a specific IKE version is required, when the real issue is that VPC Service Controls evaluate the source IP of the original client, not the VPN gateway, and that IP must be explicitly allowed.

How to eliminate wrong answers

Option A is wrong because the VPN tunnel is a network resource, not a managed service; VPC Service Controls perimeters apply to projects containing the managed service (e.g., BigQuery), not to the project hosting the VPN tunnel. Option B is wrong because VPC Service Controls do not require VM instances to have public IPs; the perimeter controls access based on identity and source IP, not the presence of public IPs on VMs. Option D is wrong because Cloud VPN tunnels support both IKEv1 and IKEv2; the IKE version does not affect VPC Service Controls access decisions, which operate at the application layer.

294
MCQ · easy

A company wants to connect their on-premises network to Google Cloud using a VPN with high availability and 99.99% SLA. They have two Cloud VPN gateways, each with two external IP addresses. Which configuration best meets the high availability requirement?

A.Deploy two Cloud VPN gateways, each with one tunnel to one on-premises VPN device
B.Deploy two Cloud VPN gateways, each with two tunnels to two separate on-premises VPN devices
C.Deploy one Cloud VPN gateway with two tunnels to two separate on-premises VPN devices
D.Deploy one Cloud VPN gateway with one tunnel to one on-premises VPN device
Answer: B

Provides redundancy at both ends; meets 99.99% SLA.

Why this answer

Option B is correct because it meets the 99.99% SLA requirement by deploying two Cloud VPN gateways, each with two tunnels to two separate on-premises VPN devices. This configuration provides both gateway-level redundancy and tunnel-level redundancy, ensuring that if one gateway, tunnel, or on-premises device fails, traffic can failover to another tunnel. Google Cloud's HA VPN requires at least two tunnels per gateway to achieve the 99.99% SLA, and using two separate on-premises devices eliminates the single point of failure on the customer side.

Exam trap

The trap here is that candidates often assume two gateways with one tunnel each is sufficient for high availability, but they overlook the requirement for two tunnels per gateway to meet the 99.99% SLA, as well as the need for two separate on-premises devices to avoid a single point of failure on the customer side.

How to eliminate wrong answers

Option A is wrong because deploying two Cloud VPN gateways each with only one tunnel to one on-premises VPN device creates a single point of failure on the on-premises side; if that single on-premises device fails, connectivity is lost, and the 99.99% SLA cannot be met. Option C is wrong because deploying only one Cloud VPN gateway, even with two tunnels to two on-premises devices, lacks gateway-level redundancy; if the single gateway fails, all tunnels go down, violating the high availability requirement. Option D is wrong because a single Cloud VPN gateway with a single tunnel to a single on-premises device provides no redundancy at any layer, making it impossible to achieve any meaningful SLA.

295
Multi-Select · easy

Which TWO steps are required to set up a Cloud VPN with dynamic routing (BGP)? (Choose 2.)

Select 2 answers
A.Configure a static route for the remote network.
B.Create a Cloud NAT for outbound access.
C.Create a VPN gateway and a VPN tunnel.
D.Create firewall rules to allow traffic from the remote network.
E.Create a Cloud Router in the same region as the VPN gateway.
Answers: C, E

The VPN gateway terminates the tunnel.

Why this answer

Option C is correct because a Cloud VPN requires both a VPN gateway (the GCP-side endpoint for encrypted traffic) and a VPN tunnel (the actual IPsec tunnel configuration that defines the remote peer IP, shared secret, and IKE parameters). Option E is correct because dynamic routing with BGP mandates a Cloud Router in the same region as the VPN gateway to exchange BGP routes with the on-premises router; the Cloud Router advertises the VPC subnets and learns remote prefixes via BGP sessions over the tunnel.

Exam trap

Google Cloud often tests the misconception that firewall rules are part of the VPN setup process, but they are a separate security control applied after the VPN infrastructure is created; the trap here is confusing prerequisite security policies with the actual configuration steps for the VPN gateway, tunnel, and BGP routing.

296
MCQ · easy

Refer to the exhibit. A network engineer reviews the firewall rules in a VPC. What is the most significant security concern?

A.There is no deny rule.
B.RDP is allowed from 10.0.0.0/8.
C.SSH is allowed from any source.
D.Firewall rules are not in order.
Answer: C

0.0.0.0/0 includes all public IPs, which is insecure.

Why this answer

Option C is correct because allowing SSH (TCP/22) from any source (0.0.0.0/0) exposes the VPC instances to brute-force attacks, unauthorized access, and potential compromise. This violates the principle of least privilege and is a critical security misconfiguration in a VPC firewall rule.

Exam trap

Google Cloud often tests the misconception that a missing explicit deny rule is a security risk, but in GCP VPC, the implicit deny at the end of the rule evaluation makes an explicit deny unnecessary unless you need to override a higher-priority allow rule.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules are implicitly deny-all at the end; a missing explicit deny rule is not a security concern as long as allow rules are properly scoped. Option B is wrong because RDP from 10.0.0.0/8 is a private RFC 1918 range, which is acceptable for internal administrative access and does not represent a significant security concern. Option D is wrong because VPC firewall rules are evaluated based on priority numbers, not order of creation; the lowest priority number wins, and there is no requirement for rules to be in a specific sequence.
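The two firewall behaviours tested in questions 290 and 296 (a rule whose target tag the instance does not carry is simply not enforced, and admin ports opened to 0.0.0.0/0 are the finding to flag), as an added Python example that is not part of the question bank. The rule set and instance tags are constructed; the evaluation order (lowest priority number first, deny before allow at equal priority, implied ingress deny) follows documented VPC firewall behaviour.

```python
"""Added example (not from the question bank): model VPC firewall ingress evaluation
for one instance and audit a rule set for SSH/RDP exposed to any source.

Constructed assumptions: ingress rules only, IPv4, rules given as dicts in the
shape used below, a rule with target_tags=None applies to every instance.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Rule = Dict


def rule_applies_to(rule: Rule, instance_tags: Set[str]) -> bool:
    """A tagged rule is only enforced on instances carrying one of its target tags."""
    targets = rule.get("target_tags")
    return targets is None or bool(set(targets) & instance_tags)


def rule_matches(rule: Rule, src_ip: str, proto: str, port: int) -> bool:
    src_ok = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(c)
                 for c in rule["source_ranges"])
    proto_ok = rule["protocol"] in (proto, "all")
    ports = rule.get("ports")
    port_ok = ports is None or any(lo <= port <= hi for lo, hi in ports)
    return src_ok and proto_ok and port_ok


def evaluate_ingress(rules: List[Rule], instance_tags: Set[str],
                     src_ip: str, proto: str, port: int) -> Tuple[str, Optional[str]]:
    """Return (verdict, rule name). Lowest priority number first; at equal priority
    deny wins over allow; anything unmatched hits the implied ingress deny."""
    ordered = sorted(rules, key=lambda r: (r["priority"], 0 if r["action"] == "deny" else 1))
    for rule in ordered:
        if rule["direction"] != "INGRESS":
            continue
        if not rule_applies_to(rule, instance_tags):
            continue  # question 290: tag mismatch means the rule is skipped, not enforced
        if rule_matches(rule, src_ip, proto, port):
            return rule["action"], rule["name"]
    return "deny", None  # implied deny-all ingress rule


ADMIN_PORTS = {("tcp", 22): "SSH", ("tcp", 3389): "RDP"}


def audit_admin_exposure(rules: List[Rule]) -> List[str]:
    """Question 296 check: flag allow rules that open SSH or RDP to 0.0.0.0/0."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["direction"] != "INGRESS":
            continue
        if "0.0.0.0/0" not in rule["source_ranges"]:
            continue
        for (proto, port), label in ADMIN_PORTS.items():
            # probe with a documentation-range public address (constructed)
            if rule_matches(rule, "203.0.113.9", proto, port):
                findings.append(f"{rule['name']}: {label} ({proto}/{port}) allowed from any source")
    return findings


# Constructed rule set. The deny rule targets tag "db"; an instance mis-tagged
# "database" never has it enforced, so the broader allow rule lets the flow through.
RULES = [
    {"name": "deny-postgres-from-lab", "priority": 900, "direction": "INGRESS", "action": "deny",
     "source_ranges": ["10.20.0.0/16"], "protocol": "tcp", "ports": [(5432, 5432)],
     "target_tags": ["db"]},
    {"name": "allow-postgres-internal", "priority": 1000, "direction": "INGRESS", "action": "allow",
     "source_ranges": ["10.0.0.0/8"], "protocol": "tcp", "ports": [(5432, 5432)],
     "target_tags": None},
    {"name": "allow-ssh-any", "priority": 1000, "direction": "INGRESS", "action": "allow",
     "source_ranges": ["0.0.0.0/0"], "protocol": "tcp", "ports": [(22, 22)], "target_tags": None},
    {"name": "allow-rdp-corp", "priority": 1000, "direction": "INGRESS", "action": "allow",
     "source_ranges": ["10.0.0.0/8"], "protocol": "tcp", "ports": [(3389, 3389)], "target_tags": None},
]

if __name__ == "__main__":
    print(evaluate_ingress(RULES, {"db"}, "10.20.5.7", "tcp", 5432))        # denied as intended
    print(evaluate_ingress(RULES, {"database"}, "10.20.5.7", "tcp", 5432))  # allowed: tag mismatch
    print(audit_admin_exposure(RULES))
```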

297
MCQ · easy

A company wants to provide internet access to their Compute Engine instances without assigning external IP addresses. Which Google Cloud service should they use?

A. Cloud NAT
B. Cloud VPN
C. Private Google Access
D. VPC Peering
Answer: A

Cloud NAT provides outbound internet access to instances without external IPs.

Why this answer

Cloud NAT allows instances without external IPs to initiate outbound connections to the internet. The other options serve different purposes and do not provide general internet egress.

298
Multi-Select · medium

An organization is using Cloud VPN with dynamic routing and wants to improve failover time between two VPN tunnels. Which THREE configuration changes can help reduce failover time?

Select 3 answers
A. Set a lower BGP MED value on the primary tunnel
B. Increase the BGP keepalive interval to reduce overhead
C. Configure BGP timers with lower values for faster detection
D. Add static routes with a higher priority than BGP routes
E. Use multiple VPN tunnels with equal BGP metrics
Answers: A, C, E

Lower MED makes the primary path preferred, allowing faster fallback.

Why this answer

Option A is correct because lowering the BGP Multi-Exit Discriminator (MED) value on the primary tunnel makes it more preferred by the BGP best-path selection process. When the primary tunnel fails, BGP withdraws the route, and the backup tunnel (with a higher MED) is immediately used without waiting for timers to expire. This reduces failover time by ensuring the backup path is already known and only needs to be selected upon withdrawal.

Exam trap

Google Cloud often tests the misconception that increasing keepalive intervals improves performance, when in fact it delays failure detection and increases failover time.

299
MCQ · hard

A network engineer is troubleshooting connectivity from a Compute Engine instance in subnet-a to a Google Cloud Storage bucket. The instance has no external IP address. Based on the exhibit, what is the most likely cause of the connectivity issue?

A. The subnet purpose is PRIVATE, which blocks Google APIs.
B. Private Google Access is disabled on the subnet.
C. The subnet CIDR range is too small.
D. Flow logs are disabled, so traffic is not logged.
Answer: B

Private Google Access must be enabled for instances without external IPs to access Google APIs.

Why this answer

The instance has no external IP address, so it must use Private Google Access to reach Google APIs and services like Cloud Storage. Private Google Access is enabled at the subnet level; if it is disabled, the instance cannot route traffic to the Google API VIPs through the default route (0.0.0.0/0) without a NAT gateway or external IP. Option B correctly identifies this as the most likely cause.

Exam trap

The trap here is that candidates may assume a private subnet inherently blocks all external traffic, but Private Google Access is a separate, optional subnet setting that must be explicitly enabled for instances without external IPs to reach Google APIs.

How to eliminate wrong answers

Option A is wrong because the subnet purpose PRIVATE does not block Google APIs; it simply means the subnet is used for internal VPC traffic, and Private Google Access can still be enabled on it. Option C is wrong because the CIDR range size does not affect connectivity to Google APIs; it only limits the number of IP addresses available for instances. Option D is wrong because flow logs are a monitoring feature that captures metadata about traffic; disabling them does not prevent connectivity, since they are not required for traffic to flow.

300
Multi-Select · hard

Which THREE factors should be considered when designing a Cloud VPN for high availability? (Choose 3.)

Select 3 answers
A. Enable BGP for dynamic routing
B. Deploy VPN gateways in different regions
C. Use two tunnels from each VPN gateway
D. Use static routes for failover
E. Use a single Cloud Router for simplicity
Answers: A, B, C

BGP allows automatic route advertisement and failover.

Why this answer

Enabling BGP (Border Gateway Protocol) for dynamic routing is correct because it allows the Cloud VPN to automatically detect and route around failures. BGP exchanges route information between the on-premises router and the Cloud Router, enabling dynamic failover and load balancing across multiple tunnels. Without BGP, you would rely on static routes, which cannot adapt to network changes and require manual intervention during a failure.

Exam trap

The trap here is that candidates often think static routes with a higher metric can provide failover, but they fail to realize that static routes cannot dynamically detect a tunnel failure unless combined with a health check mechanism, which is not as reliable or fast as BGP's built-in path selection and withdrawal.
