Google Professional Cloud Network Engineer (PCNE) — Questions 301-375

497 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301
Multi-Select · easy

Which TWO of the following are benefits of using Shared VPC?

Select 2 answers
A. Enhanced security through VPC Service Perimeters
B. Automatic cross-project routing
C. Centralized firewall rule management
D. Reduced IP address usage
E. Separation of network and application teams
Answers: B, C

Service project VMs automatically communicate using host project's routes.

Why this answer

Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, enabling automatic cross-project routing. This is because all subnets in the host project are directly reachable from any service project attached to that host, without needing additional VPC peering or VPN tunnels. Option B is correct because this inherent routing simplifies network connectivity and reduces administrative overhead.

Exam trap

Google Cloud often tests the misconception that Shared VPC inherently provides security features like VPC Service Perimeters, when in fact those are separate controls; the trap here is confusing the administrative separation of network and application teams as a direct benefit of Shared VPC, rather than recognizing that the core technical benefit is automatic cross-project routing and centralized firewall rule management.

302
MCQ · easy

A startup is migrating a two-tier application to GCP. The web tier must be accessible from the internet, and the database tier must only be accessible from the web tier. Which network design should be used?

A. Place web servers in a public subnet with external IPs, database in a private subnet, and add a firewall rule allowing traffic from web subnet to database
B. Place both tiers in separate VPCs and use VPC peering with no firewall rules
C. Place both tiers in the same subnet and configure firewall rules to restrict database access
D. Place web servers in a private subnet with Cloud NAT for outbound, database in the same private subnet
Answer: A

This design provides proper segmentation and security.

Why this answer

Option A is correct because it places the web servers in a public subnet with external IPs, allowing direct internet access, while the database resides in a private subnet with no external IP, enforcing isolation. A firewall rule (ingress on the database subnet) explicitly permits traffic from the web subnet’s CIDR range, typically on the database port (e.g., TCP 3306 for MySQL), ensuring the database is reachable only from the web tier. This design follows GCP’s best practice of using VPC firewall rules to control east-west traffic between subnets.

Exam trap

Google Cloud often tests the misconception that placing resources in the same subnet automatically allows isolation via firewall rules, but in GCP, firewall rules are applied at the instance level (via tags or service accounts) and cannot restrict traffic between instances in the same subnet without additional tagging, leading candidates to incorrectly choose Option C.

How to eliminate wrong answers

Option B is wrong because placing both tiers in separate VPCs with VPC peering and no firewall rules would allow unrestricted traffic between the VPCs (peering does not impose default deny), violating the requirement that the database be accessible only from the web tier. Option C is wrong because placing both tiers in the same subnet would give the database the same network access as the web servers, making it impossible to restrict database access to only the web tier using subnet-level firewall rules (firewall rules in GCP are applied at the subnet or instance level, but same-subnet traffic is not easily isolated without complex per-instance tags). Option D is wrong because placing web servers in a private subnet with Cloud NAT only provides outbound internet access, not inbound; the web tier would not be accessible from the internet, failing the requirement that the web tier must be internet-accessible.

303
Multi-Select · hard

A network engineer is troubleshooting connectivity issues with VPC Flow Logs. Which TWO statements about VPC Flow Logs are correct? (Choose TWO)

Select 2 answers
A. VPC Flow Logs capture only egress traffic.
B. VPC Flow Logs only capture traffic that is allowed by firewall rules.
C. VPC Flow Logs can be used to diagnose overly permissive firewall rules.
D. VPC Flow Logs capture all packets for every flow in the VPC.
E. VPC Flow Logs do not capture traffic that is generated by GCP health checks.
Answers: C, E

By analyzing logs, you can see allowed traffic and identify rules that are too broad.

Why this answer

Option C is correct because VPC Flow Logs capture metadata about accepted and rejected traffic, including traffic that is allowed by overly permissive firewall rules. By analyzing the logs, you can identify flows that should have been blocked, revealing rules that are too broad in scope (e.g., allowing all traffic from 0.0.0.0/0). This diagnostic capability directly helps tighten security posture.

Exam trap

Google Cloud often tests the misconception that VPC Flow Logs capture every packet or only allowed traffic, when in reality they sample flows and log both accepted and rejected traffic, making options B and D common traps.

304
MCQ · hard

An organization has a VPC with custom mode subnets in us-central1 and europe-west1. They create a VM instance in us-central1 with an internal IP 10.0.1.2 and a VM in europe-west1 with internal IP 10.0.2.2. They want to enable communication between these instances using internal IPs. What must be configured?

A. Ensure the VPC firewall rules allow ingress from the source subnet or instance.
B. Set up VPC peering between the two regions.
C. No additional configuration is needed because internal IPs are routable within the VPC.
D. Enable Cloud NAT for the VPC.
Answer: A

Firewall rules control traffic within a VPC; by default, all internal traffic is allowed, but custom rules could block it.

Why this answer

Option A is correct because VPC firewall rules are stateful and must allow ingress traffic from the source subnet (10.0.1.0/24) or the specific source instance (10.0.1.2) to the destination VM in europe-west1. By default, VPCs have an implied deny-all ingress rule, so explicit firewall rules are required to permit traffic between subnets in different regions within the same VPC. The rule should specify the source IP range or tag and the destination protocol/port (e.g., ICMP, TCP/22) to enable communication.

Exam trap

Google Cloud often tests the misconception that internal IPs are automatically reachable across regions within the same VPC, but the trap is that while routing is global by default, firewall rules are not — candidates forget that an explicit ingress rule is required to allow cross-subnet traffic.

How to eliminate wrong answers

Option B is wrong because VPC peering is used to connect two separate VPC networks, not subnets within the same VPC; instances in different regions of the same VPC are already directly routable via the VPC's internal routing table. Option C is wrong because while internal IPs are routable within the VPC, the default firewall rules only allow traffic from the same subnet (10.0.1.0/24) and block cross-subnet traffic unless explicit ingress rules are configured. Option D is wrong because Cloud NAT provides outbound internet access for private instances, not internal VPC-to-VPC communication; it does not affect routing or firewall rules between subnets.

305
MCQ · easy

A company has multiple projects that each need their own administrative control but must share a common VPC network. Which networking solution should they use?

A. Create a single VPC in one project and grant all users access to that project.
B. Create separate VPCs for each project and connect via Cloud VPN.
C. Use Shared VPC with the host project and attach service projects.
D. Create a VPC in each project and peer them all together.
Answer: C

Provides centralized network management with per-project resource control.

Why this answer

Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, enabling centralized control of the network while maintaining administrative isolation for each project. The host project owns the VPC and firewall rules, and service projects can use subnets within that VPC, meeting the requirement for separate administrative control with a shared network.

Exam trap

The trap here is that candidates often confuse VPC peering (Option D) with Shared VPC, not realizing that peering does not allow a single common VPC network and lacks centralized administrative control, while Shared VPC is designed exactly for this use case.

How to eliminate wrong answers

Option A is wrong because granting all users access to a single project eliminates administrative isolation, as all users would have project-level permissions, not per-project control. Option B is wrong because creating separate VPCs and connecting via Cloud VPN introduces complexity, latency, and bandwidth limitations, and does not provide a single common VPC network; it creates multiple networks that are bridged. Option D is wrong because VPC peering does not support transitive routing and requires non-overlapping CIDR ranges, making it unsuitable for a shared network with multiple projects that need to communicate through a common VPC; it also does not allow centralized firewall or subnet management.

306
MCQ · hard

A large organization uses Shared VPC with hundreds of projects. They want to implement fine-grained access control for SSH access to Compute Engine instances using IAP TCP forwarding. They have created a custom IAM role with the necessary permissions (iap.tunnel.dest, iap.tunnel.getIamPolicy, compute.instances.use) and granted it to a group of developers. The developers have also been granted the iap.tunnelUser role on the project. However, when they try to use `gcloud compute ssh --tunnel-through-iap instance-name`, they get a permission error: "Permission 'iap.tunnel.dest' denied on resource 'projects/project/zones/zone/instances/instance'". The network admin has verified that the custom role includes the required permissions and that the developers are members of the group with the role. What is the most likely missing configuration?

A. The developers need the `iap.tunnel` resource-level permission on the IAP TCP forwarding resource.
B. IAP TCP forwarding is not enabled for the project or VPC.
C. The instances do not have the required network tags for IAP.
D. The developers need the `compute.instances.osLogin` permission.
Answer: B

IAP TCP forwarding must be explicitly enabled at the project level. If not enabled, the permission check fails.

Why this answer

IAP TCP forwarding requires the IAP API to be enabled on the project and the service to be activated for the VPC. Without this, the IAP proxy cannot intercept and forward TCP traffic to the instance, even if the IAM permissions are correctly assigned. The error "Permission 'iap.tunnel.dest' denied" typically occurs when the IAP TCP forwarding service itself is not enabled, as the permission check fails at the service level before evaluating the IAM role.

Exam trap

The trap here is that candidates assume the error is due to missing IAM permissions or instance configuration, when in fact the IAP TCP forwarding service must be explicitly enabled at the project level, which is a prerequisite often forgotten in Shared VPC environments.

How to eliminate wrong answers

Option A is wrong because 'iap.tunnel.dest' is already a resource-level permission on the instance, not a separate 'iap.tunnel' resource; IAP TCP forwarding uses resource-level permissions on the Compute Engine instance, not a distinct IAP resource. Option C is wrong because network tags are used for firewall rules, not for IAP TCP forwarding; IAP works through the IAP proxy and does not require specific tags on instances. Option D is wrong because 'compute.instances.osLogin' is for OS Login authentication, not for IAP TCP forwarding; the error is about IAP tunnel permissions, not OS-level access.

307
MCQ · hard

A company uses a Shared VPC host project with three service projects: Prod, Staging, and Dev. All service projects have similar network requirements except that Prod requires Private Google Access to access Google APIs from VM instances without external IP addresses. The network team creates a single subnet in the Shared VPC with Private Google Access enabled. However, Staging and Dev teams report that their VMs cannot reach external IP addresses on the internet because the subnet's route has a next hop of default internet gateway. What is the most cost-effective solution that meets all requirements?

A. Create a separate subnet for each service project in the Shared VPC and enable Private Google Access only on the Prod subnet.
B. Enable Private Google Access on the Shared VPC's subnet for all projects and configure Cloud Router with BGP to advertise a default route.
C. Configure Cloud NAT in the Shared VPC for the Staging and Dev service projects to allow outbound internet access from their VMs without external IPs.
D. Disable Private Google Access on the subnet and create a separate subnet for Prod with Private Google Access enabled.
Answer: C

Cloud NAT provides internet access to VMs without external IPs; Private Google Access remains enabled for Prod. This is cost-effective because Cloud NAT shares IPs across multiple VMs.

Why this answer

Option C is correct because Cloud NAT provides outbound internet connectivity for VM instances without external IP addresses, which is exactly what Staging and Dev need. Since Private Google Access is already enabled on the shared subnet, Prod VMs can reach Google APIs without external IPs, while Cloud NAT handles the general internet access for the other projects. This is the most cost-effective solution because Cloud NAT incurs only egress data processing charges and does not require additional subnets or complex routing changes.

Exam trap

The trap here is that candidates confuse Private Google Access with general internet access, assuming that enabling it on a subnet automatically allows VMs to reach any external IP, when in fact Private Google Access only covers Google API and service endpoints, not arbitrary internet destinations.

How to eliminate wrong answers

Option A is wrong because creating separate subnets for each service project increases IP address consumption and management overhead, and it does not solve the outbound internet access issue for Staging and Dev VMs without external IPs—they still lack a route to the internet. Option B is wrong because enabling Private Google Access on all subnets does not provide outbound internet access; Cloud Router with BGP advertising a default route would require a VPN or Dedicated Interconnect to an on-premises router, which is not cost-effective and is unnecessary for simple internet access. Option D is wrong because disabling Private Google Access on the shared subnet would break Prod's requirement to access Google APIs from VMs without external IPs, and creating a separate Prod subnet with Private Google Access enabled does not address the outbound internet need for Staging and Dev.

308
MCQ · medium

A company has a Cloud VPN tunnel with dynamic routing (BGP) connecting their on-premises network to a VPC in us-central1. They recently added a new subnet (10.2.0.0/16) to the VPC. The on-premises network still cannot reach resources in the new subnet. The Cloud Router BGP session is established and routes from on-prem are being received. What is the most likely cause?

A. The Cloud Router does not support more than 10 custom dynamic routes
B. The new subnet range is not included in the Cloud Router's advertised routes
C. BGP session is not established
D. Firewall rules are blocking traffic
Answer: B

Custom dynamic routes must be added to the Cloud Router's advertised route list for the remote peer to learn them.

Why this answer

When a new subnet is added to a VPC, the Cloud Router must be configured to advertise that subnet's CIDR range to the on-premises BGP peer. Even though the BGP session is established and routes from on-premises are received, the Cloud Router will not automatically advertise the new subnet unless its advertised route list is updated. Without the new subnet in the Cloud Router's advertised routes, the on-premises network has no path to reach 10.2.0.0/16, causing connectivity failure.

Exam trap

Google Cloud often tests the distinction between route propagation (BGP session up) and route advertisement (what prefixes are actually sent), leading candidates to incorrectly assume that an established BGP session automatically advertises all VPC subnets.

How to eliminate wrong answers

Option A is wrong because Cloud Router does not have a hard limit of 10 custom dynamic routes; it supports up to 100 custom route advertisements per VPC, and the limit is configurable via quota. Option C is wrong because the question explicitly states the BGP session is established, so a lack of session is not the issue. Option D is wrong because firewall rules control traffic filtering, not route advertisement; even if firewall rules permit traffic, the on-premises network cannot send packets to the new subnet without a route to it.

309
MCQ · hard

An organization wants to restrict access to a Cloud Storage bucket so that only VMs within a specific VPC network can download objects. They are using VPC Service Controls and Private Google Access. Which configuration is required?

A. Enable Cloud NAT and configure a firewall rule to allow egress to 0.0.0.0/0
B. Configure a Service Directory endpoint and attach an IAM policy to the bucket allowing access only from that endpoint
C. Create a firewall rule allowing egress to the storage.googleapis.com service IP range and enable VPC flow logs
D. Enable Private Google Access on the subnet and create a VPC Service Controls perimeter that includes the bucket project
Answer: D

Private Google Access enables internal IP access to Google APIs, and VPC Service Controls restricts access to the perimeter.

Why this answer

D is correct because VPC Service Controls create a security perimeter around the Cloud Storage bucket's project, preventing data exfiltration even if the bucket is publicly accessible. Private Google Access on the subnet allows VMs to reach Google APIs (including storage.googleapis.com) via internal IPs, avoiding the public internet. Together, they ensure only VMs within the specified VPC network can download objects, as the perimeter restricts access to authorized networks and Private Google Access provides the private connectivity path.

Exam trap

Google Cloud often tests the misconception that firewall rules alone (Option C) or NAT (Option A) are sufficient for restricting access, when in fact VPC Service Controls are required to enforce network-level boundaries beyond IAM and connectivity.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet access for private VMs, but it does not restrict access to the bucket; it would actually allow VMs to reach the bucket via the public internet, violating the requirement to restrict access to only the VPC network. Option B is wrong because Service Directory is a service for service discovery and does not provide network-level access control; attaching an IAM policy to a Service Directory endpoint does not restrict network access to the bucket. Option C is wrong because a firewall rule allowing egress to storage.googleapis.com service IP range only enables connectivity, but without VPC Service Controls, any VM (or even external hosts) with the correct IP range could access the bucket; VPC flow logs are for monitoring, not access control.

310
Multi-Select · medium

Which THREE of the following are requirements for setting up a Dedicated Interconnect connection to Google Cloud? (Choose three.)

Select 3 answers
A. A Layer 2 circuit between the on-premises router and Google's edge router.
B. A public IP address on the on-premises router for BGP peering.
C. BGP sessions must be configured directly on the VLAN attachment.
D. A physical cross-connect in a colocation facility that supports Google Cloud Interconnect.
E. A VLAN attachment (VLAN) configured in Google Cloud to connect to a VPC.
Answers: A, D, E

The connection operates at Layer 2.

Why this answer

Option A is correct because a Dedicated Interconnect requires a Layer 2 circuit (e.g., Ethernet VLAN) that directly connects your on-premises router to a Google edge router at a colocation facility. This Layer 2 link provides the physical or virtual circuit over which BGP sessions are established to exchange routes between your network and Google Cloud.

Exam trap

Google Cloud often tests the misconception that BGP sessions are configured directly on the VLAN attachment, when in fact they are configured on the Cloud Router, which uses the VLAN attachment as the underlying Layer 2 transport.

311
MCQ · hard

A company has a VPC with several subnets and wants to force traffic between two specific subnets (A and B) to be inspected by a third-party firewall appliance in a separate subnet (C). The firewall has source/destination check disabled. What is the best way to route traffic from A to B through C?

A. Use Cloud NAT to route traffic through the firewall.
B. Use a custom route with a lower priority for the destination subnet.
C. Use VPC flow logs to monitor traffic.
D. Use a policy-based route to redirect traffic from A to B to the firewall's IP.
Answer: D

Policy-based routes can match source and destination and redirect to a next hop.

Why this answer

Policy-based routes allow you to define a forwarding rule that matches traffic based on source and destination IP ranges, then sends it to a next-hop instance (the firewall). Since the firewall has source/destination check disabled, it can forward the inspected traffic to the final destination. This is the only option that directly forces traffic between subnets A and B through the firewall in subnet C.

Exam trap

Google Cloud often tests the distinction between policy-based routes (which match on source and destination) and static routes (which match only on destination), leading candidates to incorrectly choose a custom static route (Option B) when a policy-based route is required.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used for outbound internet access from private instances, not for routing traffic between subnets within a VPC. Option B is wrong because a custom route with lower priority would only affect traffic destined for the subnet's IP range if no more specific route exists; it does not force traffic through a specific next-hop instance for inter-subnet communication. Option C is wrong because VPC flow logs only capture metadata about network flows for monitoring and analysis; they do not influence routing decisions.

312
MCQ · easy

A company wants to enable Private Google Access for an on-premises network connected via Cloud VPN. Which configuration step is required?

A. Enable Private Google Access on the VPC subnet that hosts the Cloud VPN gateway.
B. Enable VPC Flow Logs for the VPN tunnel.
C. Create a default route with next hop set to the internet gateway.
D. Configure a Cloud NAT gateway for the on-premises network.
Answer: A

Private Google Access allows on-premises hosts to use internal IP addresses for Google APIs.

Why this answer

Option A is correct because Private Google Access must be enabled on the VPC subnet that hosts the Cloud VPN gateway. This allows on-premises hosts to use internal IPs to access Google APIs through the VPN tunnel. Option C is incorrect because a default route to the internet is not required; the traffic goes through the VPN.

Option D is incorrect because Cloud NAT is for outbound internet from private instances, not for on-premises access. Option B is incorrect because VPC Flow Logs are for logging, not enabling access.

313
MCQ · easy

A developer created a Compute Engine instance in the default VPC network. The instance needs to communicate with an on-premises server over a Cloud VPN tunnel. The developer configured the VPN tunnel but the instances cannot ping the on-premises server. What is the most likely cause?

A. The subnet IP range overlaps with the on-premises network.
B. The instance has IP forwarding disabled.
C. The default VPC does not have a default route to the internet.
D. The firewall rules in the VPC are blocking ingress traffic from the on-premises network.
Answer: D

Default firewall rules allow only certain ingress; ICMP from on-premises is not allowed by default.

Why this answer

Option D is correct because, by default, the default VPC includes firewall rules that allow outbound traffic but restrict inbound traffic. Even though the Cloud VPN tunnel is established, the VPC firewall rules block ingress traffic from the on-premises network (e.g., ICMP for ping). To allow communication, a firewall rule must explicitly permit ingress traffic from the on-premises IP range or the remote tunnel IP.

Exam trap

Google Cloud often tests the misconception that a configured VPN tunnel automatically allows all traffic, when in reality firewall rules (ingress) and routes must be explicitly configured to permit communication between VPC and on-premises networks.

How to eliminate wrong answers

Option A is wrong because subnet IP range overlap with the on-premises network would cause routing conflicts, but the question states the VPN tunnel is configured and the issue is connectivity, not routing table errors; overlapping ranges typically prevent tunnel establishment or cause asymmetric routing, not just ping failure. Option B is wrong because IP forwarding is only required when the instance acts as a gateway (e.g., NAT instance or VPN gateway), not for a standard instance initiating traffic to an on-premises server over a VPN tunnel; the instance can send packets without IP forwarding enabled. Option C is wrong because the default VPC always includes a default route (0.0.0.0/0) to the internet via the default internet gateway; this route is automatically created and does not affect VPN-based communication.

314
MCQ · hard

Your company has a Dedicated Interconnect with two VLAN attachments (vlan-attachment-a and vlan-attachment-b) connected to two different Edge Availability Domains (EADs) in the us-central1 region. Both attachments are associated with a single Cloud Router named 'cr-us-central1'. On-premises, you have two routers (rtr-a and rtr-b) each connected to one VLAN attachment via BGP. The Cloud Router has four BGP sessions: rtr-a (vlan-a), rtr-a (vlan-b), rtr-b (vlan-a), rtr-b (vlan-b) — a full mesh for redundancy. All sessions are established and routes are exchanged. Recently, you added a new on-premises subnet 192.168.100.0/24 and advertised it via BGP from both on-premises routers. However, Google Cloud instances in the VPC cannot reach this subnet. Other on-premises subnets (e.g., 10.0.0.0/8) are reachable. The Cloud Router route table for 'cr-us-central1' shows multiple entries for 192.168.100.0/24, each with different next hops but all with status 'stacked'. There are no BGP route filters configured. What is the most likely cause of the issue?

A. The Cloud Router has reached its maximum route limit.
B. The BGP routes have incorrect MED values causing a conflict.
C. The new subnet 192.168.100.0/24 overlaps with an existing VPC subnet.
D. The on-premises routers are not advertising the subnet with a required community tag.
Answer: C

When a learned route overlaps with a VPC subnet, the route is stacked and not used to avoid conflict.

Why this answer

When a BGP-learned route overlaps with an existing VPC subnet, Google Cloud treats it as a conflict and marks the route as 'stacked' (i.e., not active). The Cloud Router can learn the route, but it will not be installed in the VPC's effective routes because the VPC subnet prefix takes precedence. Since 192.168.100.0/24 is a private IP range that could easily overlap with a subnet in the VPC, this is the most likely cause.

Exam trap

The trap here is that candidates often assume 'stacked' routes indicate a BGP peering or route advertisement issue, when in fact it is a route conflict caused by overlapping prefixes with existing VPC subnets.

How to eliminate wrong answers

Option A is wrong because the Cloud Router has not reached its maximum route limit; if it had, the new routes would not appear at all in the route table, and other routes would also be affected. Option B is wrong because MED values influence path selection among multiple BGP paths but do not cause routes to be 'stacked' or prevent them from being installed in the VPC; conflicting MEDs would not block the route from being used. Option D is wrong because community tags are not required for BGP route acceptance on Google Cloud; the absence of a community tag does not cause routes to be marked as 'stacked' or prevent them from being used.

315
MCQ · medium

A company wants to allow their VPC instances to access Google APIs using internal IPs without using a NAT. They have set up Private Google Access on the subnet. What else is required?

A. A default route to the internet must be created.
B. A Cloud NAT must be configured.
C. No additional configuration is needed.
D. The instances must have external IPs.
Answer: C

Private Google Access works out of the box once enabled on the subnet.

Why this answer

Option C is correct because enabling Private Google Access on the subnet allows instances without external IPs to access Google APIs via the automatically generated default route for the private Google access ranges. No additional configuration is needed. Option A is incorrect because an explicit default route to the internet would send traffic to the internet, not to Google APIs via private access.

Option B is incorrect because Cloud NAT is not needed and would override private access. Option D is incorrect because instances should not have external IPs if using private access.

316
MCQ · medium

An on-premises router uses BGP ASN 64512. The Cloud Router is also configured with ASN 64512. When the BGP peering is established, what behavior is expected?

A. The session works but routes are not exchanged.
B. Cloud Router will automatically prepend its ASN to avoid conflict.
C. The BGP session will fail or behave unpredictably.
D. The BGP session works normally since ASN 64512 is a private ASN.
Answer: C

Same ASN on both sides causes BGP to reject the session (at least one side will see a loop).

Why this answer

BGP requires each router in a peering session to have a unique ASN to properly enforce loop prevention and path selection. When both the on-premises router and Cloud Router use the same ASN 64512, the BGP session will fail or behave unpredictably because each router will see its own ASN in received updates, triggering the BGP loop detection mechanism (RFC 4271, Section 9.3) and causing the session to drop or routes to be rejected.

Exam trap

Google Cloud often tests the misconception that private ASNs (64512-65535) are exempt from BGP loop detection, but in reality, BGP treats all ASNs equally for loop prevention, and duplicate ASNs will cause the session to fail.

How to eliminate wrong answers

Option A is wrong because the BGP session will not work normally; the duplicate ASN causes the session to fail or behave unpredictably, not just a lack of route exchange. Option B is wrong because Cloud Router does not automatically prepend its ASN to avoid conflict; ASN prepending is a manual path manipulation technique, not an automatic fix for duplicate ASN issues. Option D is wrong because even though 64512 is a private ASN, BGP loop detection still applies regardless of ASN range; the session will not work normally with duplicate ASNs.

317
MCQmedium

An engineer has configured an HA VPN tunnel between an on-premises network and Google Cloud. The tunnel status shows as established, but traffic is not flowing. The engineer checks the Cloud Router BGP session and sees it is in the Active state. What is the most likely cause?

A.The tunnel's shared secret (pre-shared key) is mismatched.
B.The Cloud Router is not advertising the VPC subnet routes.
C.The on-premises router is not allowing BGP traffic on UDP port 179.
D.The Cloud Router is not configured with the correct BGP IP address for the on-premises side.
AnswerD

A wrong BGP peer IP address on the Cloud Router is the usual reason a session sits in the Active state.

Why this answer

In the BGP finite state machine, Active means the router is trying to open the TCP connection (port 179) to its configured peer and is not getting it established; no OPEN message has been exchanged yet (that happens in OpenSent). On HA VPN the most common cause is a mismatch between the peer IP address configured on the Cloud Router's BGP session and the link-local address (169.254.0.0/16 range) the on-premises router actually uses for BGP inside the tunnel. Because the IPsec tunnel is up, the fault lies at the BGP layer rather than the tunnel layer.

Exam trap

Google Cloud often tests the distinction between IPsec tunnel states and BGP session states, trapping candidates who assume a working tunnel means BGP must also be working, when in fact BGP has its own TCP-based connectivity requirements independent of the encrypted tunnel.

How to eliminate wrong answers

Option A is wrong because a mismatched pre-shared key stops the IPsec tunnel from establishing, and the tunnel is reported as established. Option B is wrong because a Cloud Router that advertises nothing still reaches the Established state; the symptom would be an established session with no prefixes, not a session stuck in Active. Option C is wrong because BGP runs over TCP port 179, not UDP; a filter on TCP 179 would indeed leave the session in Active, but the option as written names the wrong protocol, so it cannot be the explanation.

318
MCQeasy

An organization is migrating a legacy application to GCP. The application requires a static internal IP address for a Compute Engine VM that must persist even if the VM is stopped or deleted. Which IP address type should they assign?

A.Configure an alias IP range on the VM's network interface.
B.Assign an ephemeral external IP and configure a firewall rule.
C.Reserve a static internal IP address in the same region and subnetwork.
D.Use a regional internal IP address with auto-delete set to false.
AnswerC

Static internal IPs are reserved and persist until released.

Why this answer

A static internal IP address is reserved within a specific region and subnetwork, ensuring the IP persists even after the VM is stopped or deleted. This meets the requirement for a fixed internal address that remains available for reassignment to the same or a different VM in the same subnet. Ephemeral IPs are released on VM stop/delete, and external IPs are not relevant for internal-only communication.

Exam trap

The trap here is assuming an ephemeral address behaves like a reserved one. An ephemeral internal IP is released when the VM is deleted, after which nothing guarantees it for a replacement VM; only a reserved static internal IP stays allocated to the project until it is explicitly released.

How to eliminate wrong answers

Option A is wrong because an alias IP range is used to assign multiple IP addresses to a single network interface for container or multi-service workloads, but it does not provide a persistent static IP that survives VM deletion. Option B is wrong because an ephemeral external IP is a public, temporary address that is released when the VM is stopped or deleted, and a firewall rule does not affect IP persistence. Option D is wrong because there is no 'auto-delete' property for internal IP addresses; the correct mechanism to make an internal IP persistent is to reserve a static internal IP address, and the term 'regional internal IP address' is ambiguous without the reservation step.

319
MCQmedium

An organization is deploying a global application and wants to use an Internal Load Balancer (ILB) across multiple regions. What is the correct configuration?

A.Use a cross-region ILB by enabling global access
B.Use an Internal TCP/UDP Load Balancer in one region and route traffic via Cloud VPN
C.Deploy ELB in each region and use DNS to route traffic
D.Use a global External Load Balancer with internal backend
AnswerC

Internal passthrough load balancers are regional; one ILB per region fronted by DNS gives internal, multi-region distribution.

Why this answer

Option C is the keyed answer (read the option's 'ELB' as one internal load balancer per region). An Internal passthrough Network Load Balancer (the Internal TCP/UDP Load Balancer of the question) is a regional resource, so to serve several regions you deploy one per region and steer clients with DNS, for example Cloud DNS routing policies (geolocation or weighted round robin), so each client lands on its nearest regional ILB. This gives per-region high availability with global reach and no external exposure. Caveat for current deployments: Google Cloud has since added a cross-region internal Application Load Balancer for HTTP(S) traffic, so for Layer 7 workloads that is the native option; the per-region ILB plus DNS pattern remains the answer for TCP/UDP passthrough.

Exam trap

Google Cloud often tests the 'global access' setting: enabling it on a regional internal load balancer lets clients in any region of the VPC (and connected networks) reach that regional ILB, but it does not make the ILB distribute traffic across regions.

How to eliminate wrong answers

Option A is wrong because global access does not create a cross-region ILB; it is a setting on regional internal load balancers that widens which clients can reach them, while the backends stay in one region. Option B is wrong because hairpinning other regions through a single regional ILB over Cloud VPN adds latency and a single point of failure, and is not multi-region load balancing. Option D is wrong because an external load balancer exposes an external forwarding rule, which contradicts the requirement for an internal load balancer regardless of where its backends sit.

320
Drag & Dropmedium

Drag and drop the steps to create a VPC with custom subnet mode in Google Cloud into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Custom subnet mode requires manual subnet creation. The steps include naming the VPC, selecting custom mode, and defining subnets.

321
MCQhard

Your company uses Network Connectivity Center (NCC) to manage multiple on-premises sites connected via Cloud VPN and Partner Interconnect. You create a NCC hub and attach spokes (VPN tunnels and VLAN attachments). Traffic between two on-premises sites (Site A and Site B) should flow through Google Cloud. However, traffic is not passing between the sites. What is the most likely cause?

A.The on-premises routers need static routes pointing to the Google Cloud VPC for inter-site traffic.
B.The VPN spokes do not have custom dynamic route exchange enabled, so routes from Site A are not advertised to Site B.
C.Network Connectivity Center does not support Cloud VPN as a spoke type.
D.The NCC hub must be in the same VPC network as the sites' VPCs.
AnswerB

NCC relays routes between spokes only when the spokes are enabled for site-to-site data transfer.

Why this answer

Option B is correct because the hub only relays routes between spokes whose route exchange is configured: the VPN tunnel spokes must be attached with site-to-site data transfer enabled (and their Cloud Routers must sit in regions that support it), otherwise the prefixes learned from Site A over BGP are never re-advertised to Site B. Option A is wrong because NCC relies on the dynamic routes exchanged over BGP through the hub; static routes on the on-premises routers are not required.

Option C is wrong because Cloud VPN tunnels, VLAN attachments and router appliances are all supported spoke types. Option D is wrong because the on-premises sites have no VPCs of their own; the spokes' Cloud Routers belong to the hub's VPC, and no additional VPC alignment is required.

322
MCQhard

An organization uses a custom mode VPC with several subnets. They need to add a new subnet 192.168.1.0/24 for a new workload. After creating the subnet, they find that existing firewall rules with target tags don't apply to instances in the new subnet, even though the tags are applied. What is the most likely reason?

A.Firewall rules are scoped to a VPC, not to subnets.
B.The new subnet was created without enabling firewall rule enforcement.
C.The instances need to be recreated for the new rules to apply.
D.The firewall rules have a source or destination filter that excludes the new subnet's CIDR.
AnswerD

A target tag is only one match criterion; if the rule also carries an IP range filter, it applies only to traffic inside that range.

Why this answer

Option D is correct because a firewall rule's target tag is only one of its match criteria. If the rule also carries a source range (ingress) or destination range (egress) that does not include 192.168.1.0/24, traffic to or from the new subnet never matches, even though the instances carry the target tag. Option A is incorrect as an explanation: it is true that firewall rules are scoped to the VPC rather than to subnets, but that is exactly why tags keep working in a new subnet, so it cannot be the cause.

Option B is incorrect because there is no per-subnet firewall enforcement switch in a VPC. Option C is incorrect because firewall rule changes apply to running instances immediately; no recreation is needed.

323
Drag & Dropmedium

Drag and drop the steps to configure a global external HTTP(S) load balancer in Google Cloud into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Load balancer setup: backend, health check, URL map, target proxy, forwarding rule.

324
MCQeasy

A company uses an HTTPS load balancer with SSL certificates. They want to ensure only strong cipher suites are accepted. Which Google Cloud service should they use to enforce this?

A.Identity-Aware Proxy (IAP).
B.Cloud Armor security policy.
C.SSL policies on the target HTTPS proxy.
D.Firewall rules on the backend instances.
AnswerC

SSL policies control TLS versions and ciphers for load balancers.

Why this answer

SSL policies on the target HTTPS proxy allow you to define a set of allowed SSL/TLS cipher suites and protocols for the load balancer. By configuring an SSL policy with a 'RESTRICTED' profile or a custom list of strong ciphers, you can enforce that only secure cipher suites (e.g., TLS 1.2+ with ECDHE and AES-GCM) are accepted, rejecting weak or deprecated ciphers like RC4 or 3DES.

Exam trap

The trap here is that candidates confuse Cloud Armor (which enforces security policies at the application layer) with SSL policies (which control TLS cipher suites at the transport layer), leading them to pick Cloud Armor when the question specifically asks about cipher suite enforcement.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) controls access to applications based on identity and context, not cipher suite enforcement; it operates at the application layer, not the TLS negotiation layer. Option B is wrong because Cloud Armor security policies provide web application firewall (WAF) and DDoS protection at Layer 7, but they do not control SSL/TLS cipher suites or protocol versions. Option D is wrong because firewall rules on backend instances control network traffic at Layers 3/4 (IP/port), not the cryptographic parameters of the TLS handshake, which is terminated at the load balancer.

325
MCQmedium

A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect using VLAN attachments. They have set up a Cloud Router with BGP to exchange routes. The on-premises network advertises a prefix 10.0.0.0/8, and Google Cloud advertises the VPC's subnet ranges (10.0.0.0/24 and 10.0.1.0/24). After configuration, on-premises hosts cannot reach the Google Cloud instances in those subnets. The engineer checks the BGP session status and it is established. The Cloud Router shows that the on-premises prefix is learned, and the on-premises router shows that the specific /24 prefixes are received. However, traffic from on-premises to the Google Cloud subnets is not working. What is the most likely cause?

A.The on-premises router has a local route for 10.0.0.0/8 that overrides the BGP-learned /24 routes.
B.The VPN connection needs to be configured for the Interconnect.
C.The Google Cloud VPC has a custom static route that overrides the dynamically learned route.
D.The on-premises firewall is blocking the traffic.
AnswerA

The VPC ranges sit inside address space the on-premises network treats as its own, so the on-premises router keeps the traffic local instead of forwarding it over the Interconnect.

Why this answer

The answer key points at the on-premises routing table. The VPC subnets 10.0.0.0/24 and 10.0.1.0/24 fall inside 10.0.0.0/8, which the on-premises network advertises as its own. If the on-premises router also carries those same /24s as connected or static routes (overlapping address space), their administrative distance (0 for connected, 1 for static) beats eBGP's 20 for the identical prefix, the BGP-learned /24s are received but never installed, and traffic stays on-premises. Two points a practitioner should keep straight: a bare 10.0.0.0/8 cannot shadow a more specific /24, because longest prefix match is applied before administrative distance is considered, and administrative distance only breaks ties between routes for the same prefix. The fix is to remove the overlap (renumber the VPC subnets outside the on-premises /8) or to make sure no locally sourced route covers the exact VPC prefixes.

Exam trap

Google Cloud often tests overlapping address space between on-premises and VPC ranges. Candidates who assume 'more specific always wins' forget that a BGP route must first be installed before it can be used; a locally sourced route for the same prefix, with a lower administrative distance, keeps the learned route out of the forwarding table.

How to eliminate wrong answers

Option B is wrong because a Dedicated Interconnect needs no VPN; it is a physical circuit carrying VLAN attachments with BGP, not IPsec. Option C is wrong because in Google Cloud subnet routes are always considered before any custom static or dynamic route, and you cannot create a static route that conflicts with a subnet range, so nothing in the VPC overrides delivery to 10.0.0.0/24 or 10.0.1.0/24; the symptom also sits on the on-premises side. Option D is wrong because a firewall drops specific flows after a route has been chosen; here the router never forwards the traffic toward Google Cloud at all, which a firewall drop would not explain.
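To make the routing-table mechanics above concrete, here is an added example (not from the exam page) that models how a router picks a forwarding entry: longest prefix match first, then administrative distance only among routes for the identical prefix. The RIB entries, the interface names and the administrative distance values are constructed for the example; vendor defaults differ.

```python
from ipaddress import ip_address, ip_network

# Administrative distances as commonly used on enterprise routers
# (assumed values for this example; vendor defaults differ).
AD = {"connected": 0, "static": 1, "ebgp": 20}


def route(prefix, source, next_hop):
    return {"prefix": ip_network(prefix), "source": source, "next_hop": next_hop}


def best_route(rib, dst):
    """Select the forwarding entry for dst the way a router does:
    longest prefix match first, then the lowest administrative distance
    among the routes that share that exact prefix length."""
    dst = ip_address(dst)
    candidates = [r for r in rib if dst in r["prefix"]]
    if not candidates:
        return None
    longest = max(r["prefix"].prefixlen for r in candidates)
    same_prefix = [r for r in candidates if r["prefix"].prefixlen == longest]
    return min(same_prefix, key=lambda r: AD[r["source"]])


def next_hop(rib, dst):
    r = best_route(rib, dst)
    return r["next_hop"] if r else None


# Constructed RIB for the on-premises router in the question: it owns a
# 10.0.0.0/8 aggregate and learns the two VPC /24s over eBGP from Cloud Router.
rib_a = [
    route("10.0.0.0/8", "static", "null0"),          # local aggregate
    route("10.0.0.0/24", "ebgp", "interconnect"),
    route("10.0.1.0/24", "ebgp", "interconnect"),
]

# Same router, but the VPC ranges also exist as on-premises connected
# subnets: overlapping address space.
rib_b = rib_a + [
    route("10.0.0.0/24", "connected", "vlan100"),
    route("10.0.1.0/24", "connected", "vlan101"),
]

if __name__ == "__main__":
    # The /8 alone does not shadow the learned /24: longest match wins.
    print(next_hop(rib_a, "10.0.1.5"))   # interconnect
    # A connected route for the same /24 (AD 0) beats eBGP (AD 20).
    print(next_hop(rib_b, "10.0.1.5"))   # vlan101
```

The second RIB reproduces the failure: the learned /24s are visible in BGP, but the forwarding table uses the connected entries, so on-premises hosts never send the traffic toward the Interconnect.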

326
Multi-Selecthard

Which THREE of the following could cause a Dedicated Interconnect BGP session to go to the 'IDLE' state?

Select 3 answers
A.Firewall rules blocking UDP port 179
B.BGP is not enabled on the Cloud Router
C.BGP keepalive timer mismatch
D.Multi-Exit Discriminator (MED) mismatch
E.Cloud Router is not configured to establish a BGP session with the on-premises peer
AnswersA, B, E

BGP runs over TCP 179, not UDP; the key counts the firewall option on that reading. Idle is the state of a session that is not configured or not enabled.

Why this answer

Options B and E describe a BGP process that has nothing to attempt: if BGP is not enabled on the Cloud Router, or no BGP session is configured for the on-premises peer, the session never leaves Idle. Option A is counted correct by the key on the understanding that the firewall blocks BGP's transport; the option says UDP, but BGP uses TCP port 179, so read it as TCP 179 being filtered. Strictly, a blocked TCP port produces a session that cycles through Connect and Active and falls back to Idle between retries, so on a real router you would see those states rather than a steady Idle.

Options C and D do not hold a session in Idle: hold and keepalive timers are negotiated down to the lower value during the OPEN exchange, so a mismatch is tolerated, and MED is a per-route attribute that influences path selection, never session establishment.

Exam trap

Google Cloud often tests the misconception that BGP uses UDP port 179; it uses TCP port 179. The trap cuts both ways here: the option is worded with UDP and the key still counts it, so treat it as 'the BGP transport is filtered', and remember that a steady Idle on its own most cleanly indicates BGP not enabled or the session not configured.

327
MCQmedium

A company is using Cloud VPN with BGP to connect their on-premises network to Google Cloud. They have two VPN tunnels from two different on-premises VPN gateways to a single Cloud VPN gateway. They notice that during maintenance on one on-premises gateway, traffic fails over to the other tunnel, but after the maintenance, traffic does not fail back. What is the most likely cause?

A.Only one VPN tunnel can be active at a time
B.The BGP local preference on the primary tunnel is not higher than the backup tunnel
C.Cloud VPN gateway does not support BGP
D.The backup tunnel does not have a valid BGP session
AnswerB

With equal preference the router has no reason to move flows back; give the primary a higher local preference (on-premises) or a lower advertised MED (toward Cloud Router).

Why this answer

B is correct because BGP local preference decides which of two paths a router uses for outbound traffic. If the primary tunnel's routes do not carry a higher local preference than the backup's, the two paths tie once the primary session recovers, and the router either keeps the path already installed or splits traffic across both; nothing pulls flows back to the primary. With a deterministic preference in place, failback happens as soon as the primary session re-establishes and its routes win the best-path comparison. Note the direction: local preference is configured on the on-premises routers for routes they receive from Cloud Router. Cloud Router does not support local preference; to make Google Cloud prefer the primary tunnel, advertise its routes with a lower MED from the on-premises side (Cloud Router installs the route with the lowest MED as the highest priority).

Exam trap

The trap here is that candidates assume BGP has a notion of 'primary' on its own. It does not: without an explicit preference both tunnels are equal, so after recovery traffic can stay on the backup path or become asymmetric; a higher local preference (or lower MED) on the primary is what makes failback automatic.

How to eliminate wrong answers

Option A is wrong because Cloud VPN supports multiple active tunnels simultaneously with BGP, and both tunnels can be active at the same time. Option C is wrong because Cloud VPN fully supports BGP for dynamic routing, including route advertisement and selection. Option D is wrong because the backup tunnel does have a valid BGP session (traffic fails over to it), so the issue is not a missing session but rather the BGP path selection not reverting to the primary tunnel.

328
MCQeasy

A company has a VPC with three subnets and multiple firewall rules. They want to ensure that the most specific firewall rule takes precedence when there is a conflict. What is the default evaluation order of firewall rules?

A.Egress rules are evaluated before ingress rules.
B.The rule with the highest priority (lowest priority number) is evaluated first.
C.The more restrictive rule (with smaller IP range) is applied first.
D.Rules are evaluated in the order they were created.
AnswerB

Lower priority number = higher priority; rules are evaluated from high to low priority.

Why this answer

In Google Cloud VPC firewall rules, evaluation order is based on priority. Each rule carries a priority number from 0 to 65535 (lower number = higher priority), and rules are evaluated from the highest priority (lowest number) down. When several rules match a flow, the highest-priority match decides, and its action (allow or deny) is definitive; lower-priority rules are not consulted for that flow. The implied allow-egress and deny-ingress rules sit at 65535, below every user-defined rule.

Exam trap

Google Cloud often tests the misconception that firewall rules are evaluated based on specificity (most restrictive wins) or creation order, but GCP explicitly uses a numeric priority system where lower numbers take precedence, not the breadth of the rule's match criteria.

How to eliminate wrong answers

Option A is wrong because direction is not an ordering: ingress rules apply to traffic arriving at an instance and egress rules to traffic leaving it, and each set is evaluated on its own by priority. Option C is wrong because specificity plays no part; the priority number decides, and when two matching rules share a priority, Google Cloud applies the deny rule over the allow rule (deny wins on ties). Option D is wrong because creation order is never consulted; only the priority field sets the sequence.

329
Matchingmedium

Match each Cloud Router BGP attribute to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Unique autonomous system number for the router

MED value to influence inbound traffic

IP address of the BGP peer

ASN of the BGP peer

Time between BGP keepalive messages

Why these pairings

These are essential BGP configuration parameters on Cloud Router.

330
MCQhard

A large enterprise has a multi-site on-premises network with two data centers (DC1 and DC2) connected via a private WAN. They are migrating critical applications to Google Cloud and have established a Dedicated Interconnect at each data center, each with a single VLAN attachment (vlan-attachment-1 from DC1, vlan-attachment-2 from DC2) connected to a single VPC network in us-central1. Each VLAN attachment uses a separate Cloud Router (router-us-central1-dc1 and router-us-central1-dc2) with BGP sessions advertising the same on-premises prefixes. The VPC has auto-mode subnet ranges. They notice that traffic from Google Cloud to on-premises is flowing only through DC1, and when DC1's interconnect fails, traffic fails over to DC2, but after DC1 recovers, traffic does not return to DC1. The on-premises routers are advertising the same prefixes with equal MED values. What is the most likely cause and the best corrective action?

A.Configure the on-premises router at DC1 to set a lower MED value for its advertised routes to make DC1 preferred
B.Change the VPC routing mode from auto to custom to force route re-evaluation
C.Disable the BGP session on DC2's Cloud Router during normal operation and re-enable it only when DC1 fails
D.On the Google Cloud Router for DC1, apply a route policy to set a higher local preference for routes learned from DC1
AnswerA

A lower MED from DC1 gives its routes the higher priority in the VPC; once DC1's advertisement is learned again it wins best path and traffic returns.

Why this answer

Option A is correct because Cloud Router converts the MED it receives from a peer into the priority of the dynamic route it installs in the VPC: the lower the MED, the higher the priority. With both data centers advertising identical MEDs the two routes tie, and Google Cloud spreads traffic across both VLAN attachments with ECMP, so any apparent preference for DC1 is per-flow hashing rather than a deterministic choice. When DC1's attachment fails its routes are withdrawn and everything moves to DC2; when DC1 returns with the same MED the routes tie again and there is nothing to pull traffic back.

Advertising a lower MED from the DC1 router breaks the tie in DC1's favour. Google Cloud re-evaluates best path whenever a new advertisement arrives, so as soon as DC1's session re-establishes and its lower-MED routes are learned, they displace DC2's and traffic returns to DC1 without manual intervention.

Exam trap

Google Cloud often tests which attribute Cloud Router honours. Cloud Router does re-evaluate best path on every new route, but it selects purely on the priority derived from MED (plus an inter-region cost in global routing mode); if the recovered primary carries the same MED as the backup, the paths tie and failback is not deterministic, which is why the on-premises side must advertise a distinguishing MED.

How to eliminate wrong answers

Option B is wrong because the VPC's subnet creation mode (auto versus custom) has no effect on how dynamic routes are selected. Option C is wrong because shutting DC2's session during normal operation throws away redundancy and makes failover slower and manual. Option D is wrong because Cloud Router does not support local preference on learned routes; Google Cloud's preference between on-premises paths is driven by the MED the on-premises routers advertise, which is why the adjustment belongs on the DC1 router.

331
MCQhard

A large enterprise has multiple on-premises data centers connected to Google Cloud via a combination of Dedicated Interconnect and Cloud VPN. They have a VPC with subnets in us-east1 and us-west1. The on-premises network advertises a prefix 10.0.0.0/8 to both Cloud Routers (each in different regions) via BGP. The Cloud Routers are configured with 'global' dynamic routing mode. The network team notices that traffic from Google Cloud instances in us-west1 to on-premises destinations in 10.0.0.0/8 is always taking the path to the closest on-premises data center (west coast) even though the west coast data center is currently under high load, causing performance degradation. The east coast data center is underutilized. They want to influence the path selection so that the west coast instances prefer the east coast data center during peak times. They are using BGP. What is the most effective method to achieve this?

A.Set a higher local preference on the west coast Cloud Router for routes received from the east coast data center.
B.Set a higher MED on the west coast data center's BGP advertisements to increase its desirability.
C.Configure the east coast data center to prepend one additional AS path hop to its advertised routes.
D.Use BGP communities to tag routes from the west coast data center under load, and configure Cloud Router to match these communities and adjust the route priority (MED) accordingly.
AnswerD

A load-driven signal from the west coast data center, translated into a less attractive advertisement, lets Google Cloud move traffic to the east coast without manual reconfiguration.

Why this answer

Option D is the keyed answer: the west coast data center tags its advertisements with a community when it is under load, and the policy that matches that community makes those routes less attractive than the east coast's. What Google Cloud actually honours is the MED that arrives at the Cloud Router: with global dynamic routing, each learned route gets a priority equal to its MED plus an inter-region cost for routes learned by a Cloud Router in another region, and the lowest priority wins. So the community must end up raising the MED on the west coast routes (or lowering the east coast's) by more than that inter-region cost before us-west1 instances will prefer the east coast path. Applying the community-to-MED translation on the on-premises routers before the routes reach Google Cloud is the conservative way to do it, since Cloud Router's selection is driven by MED rather than by arbitrary community policy.

Exam trap

The trap here is confusing MED and local preference: local preference is a router's own, AS-internal way to pick an outbound path, while MED is what an AS advertises to its neighbour to tell it which entry point to prefer. Cloud Router supports only the MED side, so the MED advertised from on-premises is the lever for Google Cloud's outbound path choice.

How to eliminate wrong answers

Option A is wrong because Cloud Router does not support local preference; there is no such setting to apply to routes learned from the east coast peer. Option B is wrong because its stated effect is backwards: a higher MED makes a route less desirable, so raising the west coast MED would in fact push traffic east, but not for the reason the option gives, and a static change would not track load. Option C is wrong because AS path prepending lengthens the path and makes the east coast routes less preferred, the opposite of what is needed; Cloud Router's choice among on-premises paths is driven by the advertised MED.
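As an added example (not from the exam page) covering questions 327, 330 and 331, the following Python models how Cloud Router turns BGP advertisements into VPC dynamic-route priority: a lower MED means a higher priority, routes learned by a Cloud Router in another region pay an inter-region cost under global dynamic routing, and ties produce ECMP. The prefixes, peer names and the 300 cost value are assumptions made for the model; Google Cloud's real cost depends on the region pair.

```python
# Assumed simplification of Cloud Router behaviour:
# priority = MED from the peer (+ inter-region cost if the route was learned
# by a Cloud Router in a different region than the sending VM).
INTER_REGION_COST = 300  # placeholder; the real value is region-pair specific


def learned_route(prefix, peer, region, med):
    return {"prefix": prefix, "peer": peer, "region": region, "med": med}


def effective_priority(route, client_region):
    cost = 0 if route["region"] == client_region else INTER_REGION_COST
    return route["med"] + cost


def best_paths(learned, prefix, client_region):
    """Peers that share the lowest priority for prefix, seen from a VM in
    client_region. One entry = deterministic choice; several = ECMP."""
    cands = [r for r in learned if r["prefix"] == prefix]
    if not cands:
        return []
    lowest = min(effective_priority(r, client_region) for r in cands)
    return sorted(r["peer"] for r in cands
                  if effective_priority(r, client_region) == lowest)


def scenario_equal_med():
    # Q330 as configured: both DCs advertise the same MED -> ECMP, not DC1-only.
    table = [learned_route("10.1.0.0/16", "dc1", "us-central1", 100),
             learned_route("10.1.0.0/16", "dc2", "us-central1", 100)]
    return best_paths(table, "10.1.0.0/16", "us-central1")


def scenario_failback():
    # Q330 corrected (same shape as the Q327 VPN pair): DC1 advertises the
    # lower MED. Best path is re-evaluated at every change, so it returns
    # to DC1 as soon as DC1's route is learned again.
    dc1 = learned_route("10.1.0.0/16", "dc1", "us-central1", 100)
    dc2 = learned_route("10.1.0.0/16", "dc2", "us-central1", 200)
    return [
        best_paths([dc1, dc2], "10.1.0.0/16", "us-central1"),  # steady state
        best_paths([dc2], "10.1.0.0/16", "us-central1"),       # DC1 withdrawn
        best_paths([dc1, dc2], "10.1.0.0/16", "us-central1"),  # DC1 re-learned
    ]


def scenario_shift_west_to_east(west_med):
    # Q331: a VM in us-west1; the west DC peers in us-west1, the east DC in
    # us-east1, so the east route carries the inter-region cost.
    table = [learned_route("10.0.0.0/8", "west-dc", "us-west1", west_med),
             learned_route("10.0.0.0/8", "east-dc", "us-east1", 100)]
    return best_paths(table, "10.0.0.0/8", "us-west1")


if __name__ == "__main__":
    print(scenario_equal_med())            # ['dc1', 'dc2']
    print(scenario_failback())             # [['dc1'], ['dc2'], ['dc1']]
    print(scenario_shift_west_to_east(100))  # ['west-dc']
    print(scenario_shift_west_to_east(500))  # ['east-dc']
```

The last two calls show the point of question 331: raising the west coast MED from 100 to 150 would not be enough, because the east coast route still carries the 300 inter-region cost; the west coast advertisement has to exceed 100 + 300 before us-west1 VMs switch.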

332
MCQhard

A company uses Shared VPC with a host project and multiple service projects. A service project administrator wants to create a VM with an internal IP from a specific subnet in the host project. The operation fails with a permission error. What is the most likely missing permission?

A.resourcemanager.projects.get on the host project.
B.compute.subnetworks.use on the host project subnet.
C.compute.instances.create on the service project.
D.compute.networks.use on the host project VPC.
AnswerB

This permission grants use of a specific subnet.

Why this answer

Option B is correct because the principal creating the VM must hold compute.subnetworks.use on the specific host-project subnet (or on the whole host project); this permission is carried by roles/compute.networkUser, which the Shared VPC admin grants at subnet or project level. Option D is incorrect because compute.networks.use alone does not authorise placing an interface in a subnet; the check that fails is on the subnetwork.

Option C is incorrect because compute.instances.create is checked against the service project, and the error here concerns the host-project subnet. Option A is incorrect because resourcemanager.projects.get on the host project only permits reading project metadata; it does not grant subnet use.

333
MCQhard

A financial services company is deploying a multi-tier application in a custom VPC with three subnets: web (10.0.1.0/24), app (10.0.2.0/24), and db (10.0.3.0/24). They use a Cloud VPN with dynamic routing (BGP) to connect to their on-premises data center (10.1.0.0/16). The on-premises network administrator reports that traffic from the web tier (10.0.1.0/24) to on-premises is working, but traffic from the app tier (10.0.2.0/24) to on-premises is failing. The company uses an Identity-Aware Proxy (IAP) for SSH access. The following configurations are in place: - Cloud Router advertises all VPC subnets via BGP. - On-premises router advertises 10.1.0.0/16. - Firewall rules allow all traffic from 10.0.0.0/16 to 10.1.0.0/16. - The app tier instances have a network tag 'app-tier' and a service account 'app-sa@project.iam.gserviceaccount.com'. - There is a firewall rule with priority 1000 that denies egress from tags 'app-tier' to 10.1.0.0/16. What is the most likely cause of the failure?

A.The service account 'app-sa' does not have permissions to send traffic through the VPN.
B.IAP is blocking traffic from the app tier because it is not configured for that subnet.
C.A firewall egress rule with priority 1000 denies traffic from instances with tag 'app-tier' to 10.1.0.0/16.
D.The Cloud Router is not advertising the 10.0.2.0/24 subnet to on-premises.
AnswerC

This deny rule explicitly blocks the traffic, overriding any lower-priority allow rules.

Why this answer

Option C is correct because the firewall egress rule with priority 1000 explicitly denies traffic from instances tagged 'app-tier' to the on-premises network (10.1.0.0/16). Since firewall rules are evaluated in order of priority (lower numbers are higher priority), and this rule has a relatively low priority number, it will override any higher-numbered (lower priority) allow rules. The fact that web tier traffic works confirms that routing and VPN are functional, isolating the issue to the egress deny rule targeting the app tier.

Exam trap

Google Cloud often tests the misconception that service accounts or IAP control network-level traffic, when in reality firewall rules and routing are the only mechanisms that govern packet flow between VPC subnets and on-premises networks.

How to eliminate wrong answers

Option A is wrong because service accounts do not control network traffic permissions; they control API authorization via IAM roles, not packet-level routing or firewall decisions. Option B is wrong because IAP is used for SSH/RDP access and does not block general application traffic between subnets and on-premises; it operates at the application layer for administrative access, not at the network layer for inter-VPC or VPN traffic. Option D is wrong because the Cloud Router advertises all VPC subnets via BGP, and the web tier (10.0.1.0/24) works, proving that the app subnet (10.0.2.0/24) is also advertised; otherwise, web traffic would also fail.
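An added example, not part of the exam page, that applies questions 322, 328 and 333 together: a small evaluator for VPC firewall semantics (lowest priority number wins, deny beats allow on a tie, target tags and IP ranges must all match, implied rules at 65535 as the fallback). The rule names, tags and CIDRs are constructed for the example.

```python
from ipaddress import ip_address, ip_network


def rule(name, priority, direction, action, ranges=None, tags=None, ports=None):
    """ranges = source ranges for ingress, destination ranges for egress.
    Empty tags means the rule targets every instance in the VPC."""
    return {"name": name, "priority": priority, "direction": direction,
            "action": action, "ranges": [ip_network(r) for r in (ranges or [])],
            "tags": set(tags or []), "ports": set(ports or [])}


# Google Cloud's implied rules: lowest possible precedence.
IMPLIED = [
    rule("implied-allow-egress", 65535, "egress", "allow", ["0.0.0.0/0"]),
    rule("implied-deny-ingress", 65535, "ingress", "deny", ["0.0.0.0/0"]),
]


def matches(r, direction, remote_ip, vm_tags, port):
    if r["direction"] != direction:
        return False
    if r["tags"] and not (r["tags"] & vm_tags):
        return False
    if r["ranges"] and not any(ip_address(remote_ip) in n for n in r["ranges"]):
        return False
    if r["ports"] and port not in r["ports"]:
        return False
    return True


def evaluate(rules, direction, remote_ip, vm_tags, port):
    """Return (action, rule name) for one flow. Rules are walked from the
    lowest priority number; on an equal number a deny is tried before an
    allow, which is Google Cloud's documented tie-break."""
    order = sorted(rules + IMPLIED,
                   key=lambda r: (r["priority"], r["action"] != "deny"))
    for r in order:
        if matches(r, direction, remote_ip, set(vm_tags), port):
            return r["action"], r["name"]
    raise AssertionError("an implied rule always matches")


# Constructed rule set for questions 322 and 333.
RULES = [
    # Q333: the broad allow toward on-premises at a lower precedence...
    rule("allow-to-onprem", 2000, "egress", "allow", ["10.1.0.0/16"]),
    # ...and the deny that beats it (1000 < 2000), scoped by target tag.
    rule("deny-app-to-onprem", 1000, "egress", "deny", ["10.1.0.0/16"],
         tags=["app-tier"]),
    # Q322: tagged instances match, but the source range omits the new
    # subnet 192.168.1.0/24, so traffic from there never hits this rule.
    rule("allow-ssh-in-vpc", 1000, "ingress", "allow", ["10.0.0.0/16"],
         tags=["web"], ports=[22]),
]

# Q328: same priority, allow and deny both match -> deny is applied.
TIE_RULES = [
    rule("allow-http", 1000, "ingress", "allow", ["0.0.0.0/0"], ports=[80]),
    rule("deny-http", 1000, "ingress", "deny", ["0.0.0.0/0"], ports=[80]),
]

if __name__ == "__main__":
    print(evaluate(RULES, "egress", "10.1.2.3", ["app-tier"], 443))
    print(evaluate(RULES, "egress", "10.1.2.3", ["web-tier"], 443))
    print(evaluate(RULES, "ingress", "192.168.1.10", ["web"], 22))
    print(evaluate(TIE_RULES, "ingress", "203.0.113.9", [], 80))
```

Run against the constructed rules, the app tier's egress to 10.1.0.0/16 is denied by the priority-1000 rule while the web tier's is allowed, SSH from the new 192.168.1.0/24 subnet falls through to the implied deny despite the matching tag, and the equal-priority pair resolves to deny.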

334
MCQhard

A large e-commerce company has a hybrid cloud setup with a Dedicated Interconnect between their on-premises data center in Dallas and Google Cloud us-central1 region. They have a single VLAN attachment with a Cloud Router that uses BGP to exchange routes. The on-premises network uses 10.0.0.0/8, and Google Cloud VPC uses 172.16.0.0/16. They recently deployed a new application in us-west1 that uses IP range 172.17.0.0/16. They created a VPC peering between the us-central1 VPC and the us-west1 VPC. On-premises users can reach the us-central1 workloads but cannot reach the us-west1 application. There are no firewall rules blocking traffic. The on-premises router has a default route pointing to the Interconnect. What is the most likely cause of the issue?

A.The Cloud Router does not have routes for 172.17.0.0/16 because VPC peering does not automatically propagate routes to Cloud Router
B.BGP is not configured between Cloud Router and us-west1 VPC
C.Firewall rules in us-west1 are blocking traffic from the on-premises IP range
D.The Dedicated Interconnect is only available in us-central1 and cannot reach us-west1
AnswerA

VPC peering does not propagate routes to on-premises via Cloud Router; you must use a separate VLAN attachment or VPN in us-west1.

Why this answer

The issue is that VPC peering does not automatically propagate routes from the peered VPC (us-west1, 172.17.0.0/16) to the Cloud Router that is used for the Dedicated Interconnect. Cloud Router only learns routes that are present in the VPC’s routing table and that are explicitly advertised via BGP. Since VPC peering routes are not automatically imported into the VPC’s dynamic routing table for Cloud Router, the on-premises router never receives a route for 172.17.0.0/16, even though there are no firewall blocks.

Exam trap

The trap here is that candidates assume VPC peering automatically makes all peered networks reachable from on-premises via the Interconnect, forgetting that Cloud Router only advertises routes that are explicitly in the VPC’s routing table and not those learned through peering unless custom advertisement is set up.

How to eliminate wrong answers

Option B is wrong because BGP is configured between the Cloud Router and the on-premises router, not between Cloud Router and the us-west1 VPC; VPC peering does not involve BGP. Option C is wrong because the question explicitly states there are no firewall rules blocking traffic, so firewall rules in us-west1 are not the cause. Option D is wrong because a Dedicated Interconnect in us-central1 can reach us-west1 via Google’s internal network; the limitation is not geographic but rather the lack of route propagation from the peered VPC to the Cloud Router.

335
MCQhard

An organization is using Cloud VPN with dynamic routing (BGP) to connect their on-premises network to Google Cloud. They notice that traffic from Google Cloud to on-premises is not using the VPN tunnel but instead going through the internet. They have verified that the VPN tunnel is up and BGP sessions are established. Which configuration issue is most likely causing this behavior?

A.The Cloud Router BGP IP address is misconfigured
B.The pre-shared key for the VPN tunnel is mismatched
C.The on-premises BGP ASN is incorrect
D.The on-premises router is not advertising the on-premises CIDR via BGP
AnswerD

Without the route advertisement, Google Cloud cannot route traffic to on-premises via the VPN.

Why this answer

Option D is correct because if the on-premises router does not advertise the on-premises CIDR via BGP, the Cloud Router will not have a route to that network in its routing table. Even though the VPN tunnel is up and BGP sessions are established, without the specific prefix being advertised, Google Cloud will use its default route (0.0.0.0/0) to send traffic to on-premises over the internet instead of through the VPN tunnel.

Exam trap

The trap here is that candidates assume a working VPN tunnel and established BGP session guarantee traffic flows correctly, but they overlook the critical requirement that the on-premises CIDR must be explicitly advertised via BGP for Cloud Router to install a specific route over the VPN.

How to eliminate wrong answers

Option A is wrong because a misconfigured Cloud Router BGP IP address would prevent the BGP session from establishing, but the question states BGP sessions are established. Option B is wrong because a mismatched pre-shared key would cause the IPsec tunnel to fail to come up, but the question confirms the VPN tunnel is up. Option C is wrong because an incorrect on-premises BGP ASN would cause the BGP session to fail to establish or be rejected, but the question explicitly states BGP sessions are established.

336
MCQeasy

A company is using Cloud DNS for private zone resolution within their VPC. They have a private zone for 'example.internal' and have attached it to the VPC. When they create a new Compute Engine VM and try to resolve 'myapp.example.internal', it fails. What is the most likely cause?

A.The private zone is not attached to the VPC
B.The VM's /etc/resolv.conf does not point to Cloud DNS
C.Firewall rule blocking DNS traffic (UDP 53) to the metadata server
D.The record 'myapp.example.internal' does not exist in the zone
AnswerD

Private zone is authoritative; records must be added explicitly.

Why this answer

Option D is correct because the most likely cause of a resolution failure for a specific record is that the record does not exist in the private zone. The question states the zone is attached to the VPC, so the zone itself is accessible; the failure is specific to the record name. Cloud DNS will return an NXDOMAIN response if the record is not defined, even if the zone is properly configured.

Exam trap

Google Cloud often tests the misconception that DNS failures in a private zone are due to firewall rules or resolver configuration, when in fact the metadata server handles DNS transparently and the most common cause is a missing DNS record.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the private zone is attached to the VPC, so this is not the cause. Option B is wrong because Compute Engine VMs automatically have their /etc/resolv.conf configured to use the metadata server (169.254.169.254) which proxies DNS queries to Cloud DNS; manual configuration is not required. Option C is wrong because DNS traffic to the metadata server uses a special internal path that does not traverse standard firewall rules; UDP 53 to 169.254.169.254 is allowed by default and not blocked by VPC firewall rules.

337
MCQeasy

A company wants to deploy a web application with a public-facing load balancer and a private backend. The backend instances must not have external IPs. Which statement about the VPC configuration is correct?

A.Cloud NAT must be configured for the backend subnet.
B.The backend subnet must have a default route to the internet.
C.Private Google Access must be enabled on the backend subnet.
D.No additional configuration is required beyond creating the subnet.
AnswerD

Backend instances without external IPs can be fronted by a public load balancer without any special network configuration.

Why this answer

Option D is correct because instances without external IPs can still receive traffic from a public load balancer. No additional configuration such as NAT or Private Google Access is needed for this purpose. Option C is incorrect because Private Google Access is for accessing Google APIs, not for load balancer traffic.

Option A is incorrect because Cloud NAT provides outbound internet access, which is not required. Option B is incorrect because the backend subnet does not need a default route; traffic from the load balancer comes through the VPC internal routing.

338
MCQmedium

A company is designing a hybrid network between their on-premises data center and Google Cloud. They need high availability for traffic between the two environments and want to use Cloud VPN with dynamic routing. Which configuration ensures that if one VPN tunnel fails, traffic automatically fails over to the other tunnel without manual intervention?

A.Create one VPN tunnel and a static route with next hop set to the VPN gateway.
B.Use Cloud Interconnect instead of VPN, and configure two VLAN attachments.
C.Create two VPN tunnels to two separate peer VPN gateways on-premises, and use Cloud Router with BGP to advertise routes from both tunnels.
D.Create two VPN tunnels to the same peer VPN gateway, and configure equal-cost multi-path (ECMP) routing with static routes.
AnswerC

Cloud Router with BGP enables dynamic routing; with two tunnels, BGP will withdraw routes for the failed tunnel, and traffic will use the remaining tunnel automatically.

Why this answer

Option C is correct because it uses two VPN tunnels to separate on-premises peer gateways with Cloud Router and BGP. BGP automatically handles failover by withdrawing routes from the failed tunnel and advertising routes via the healthy tunnel, ensuring traffic fails over without manual intervention. This meets the high availability and dynamic routing requirements specified in the question.

Exam trap

The trap here is that candidates assume two tunnels to the same peer gateway (Option D) provide high availability, but they fail to recognize that the peer gateway itself is a single point of failure, and static routes with ECMP do not support automatic failover without BGP.

How to eliminate wrong answers

Option A is wrong because a single VPN tunnel with a static route provides no redundancy; if the tunnel fails, traffic is blackholed and requires manual route changes. Option B is wrong because Cloud Interconnect with VLAN attachments is a dedicated connection, not Cloud VPN, and the question explicitly requires Cloud VPN with dynamic routing. Option D is wrong because creating two VPN tunnels to the same peer VPN gateway creates a single point of failure; if that gateway goes down, both tunnels fail, and using static routes with ECMP does not provide dynamic failover without manual intervention.

339
Multi-Selecthard

Which THREE of the following are requirements for implementing a Global External HTTP(S) Load Balancer with an external backend?

Select 3 answers
A.The backend must be configured with Private Google Access.
B.The backend must support health checks from the load balancer's health check IP ranges.
C.The backend must have an SSL certificate installed.
D.Firewall rules must allow traffic from the load balancer's IP ranges.
E.The backend must have a public IP address or be accessible via internet.
AnswersB, D, E

Health checks are required for proper traffic routing.

Why this answer

Option B is correct because Global External HTTP(S) Load Balancers use Google's frontend (proxying) IP ranges to send health checks to backends. The backend must allow inbound traffic from these specific health check IP ranges (e.g., 35.191.0.0/16 and 130.211.0.0/22) to receive health probes; otherwise, the load balancer will mark the backend as unhealthy and stop forwarding traffic.

Exam trap

Google Cloud often tests the distinction between health check IP ranges and load balancer forwarding IP ranges, causing candidates to confuse which IP ranges must be allowed in firewall rules for external backends.

340
MCQhard

A company has deployed a Global External HTTP(S) Load Balancer with a backend service that points to an instance group in us-central1. The load balancer's frontend uses a reserved static external IP address. Users in Europe report high latency, while users in Asia cannot reach the application at all. The application works fine when accessed directly via the instance group's internal IPs from within us-central1. Which action should be taken to resolve the issue?

A.Change the load balancer to a regional load balancer and deploy additional instance groups in other regions.
B.Enable Cloud CDN on the backend service to cache content closer to users.
C.Configure a DNS A record for the load balancer's IP address with a low TTL.
D.Ensure the backend service's 'Enable Global Access' checkbox is selected in the instance group's network settings.
AnswerD

Global access allows the load balancer's global IP to reach the backend instance group even though it's in a single region. Without it, traffic from other regions may be blocked.

Why this answer

Option D is correct because for a Global External HTTP(S) Load Balancer, the backend service must have the 'Enable Global Access' checkbox selected on the instance group's network settings. This setting allows the load balancer's global anycast IP to reach the backend instances across regions. Without it, the load balancer can only forward traffic to instances within the same region as the load balancer's frontend, causing high latency for European users and complete failure for Asian users.

Exam trap

The trap here is that candidates often assume a global load balancer automatically routes to any backend region, but they overlook the explicit 'Enable Global Access' checkbox that must be enabled for cross-region backend connectivity.

How to eliminate wrong answers

Option A is wrong because changing to a regional load balancer would limit the load balancer to a single region, worsening the issue for users outside that region; the correct solution is to keep the global load balancer and enable global access. Option B is wrong because Cloud CDN caches static content, but the problem is connectivity and routing, not content delivery speed; CDN does not fix the inability of Asian users to reach the application. Option C is wrong because configuring a DNS A record with a low TTL does not affect how the load balancer routes traffic to backend instances; the issue is at the network layer, not DNS resolution.

341
MCQmedium

A company is designing a Shared VPC architecture for multiple projects. The host project hosts three VPC networks: 'prod', 'staging', 'dev'. Each service project needs access to a specific network. Some service projects require access to multiple networks. The security team wants to minimize the number of firewall rules and use IAM for centralized control. Which approach meets these requirements?

A.Attach each service project to one host project network and use IAM roles to grant access to specific subnets in other networks with a cross-project service account.
B.Use VPC Network Peering between each service project's VPC and the host project's networks.
C.Create a separate host project for each environment and attach service projects accordingly.
D.Create a single VPC network that encompasses all environments, and use subnet-level firewall rules to isolate environments.
AnswerA

This allows service projects to access multiple networks by using IAM on subnets and service accounts, minimizing firewall rules.

Why this answer

Shared VPC allows service projects to be attached to a single host project, but a service project can only be attached to one VPC network in the host project. To access multiple networks, the service project must be attached to multiple host projects or use separate networks per project. Using IAM at the subnet level with roles like compute.networkUser allows granular access.

Option A is correct because it limits service projects to one network each and uses IAM to grant cross-network access as needed.

342
MCQeasy

A company deploys a web application behind a global external HTTP(S) load balancer and wants to protect against SQL injection attacks. Which Google Cloud security product should they use?

A.Identity-Aware Proxy (IAP)
B.VPC firewall rules
C.Cloud IDS
D.Cloud Armor
AnswerD

Cloud Armor provides WAF capabilities.

Why this answer

Cloud Armor is the correct choice because it provides web application firewall (WAF) capabilities, including pre-configured rules to filter SQL injection (SQLi) attacks at the edge of Google's network, before traffic reaches the backend. It integrates directly with the global external HTTP(S) load balancer to inspect HTTP/HTTPS requests and block malicious payloads based on OWASP Top 10 signatures.

Exam trap

Google Cloud often tests the distinction between network-layer security (VPC firewall rules, Cloud IDS) and application-layer security (Cloud Armor), leading candidates to confuse IDS/IPS capabilities with WAF functionality.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) controls access based on user identity and context (e.g., OAuth, SAML), not application-layer attack patterns like SQL injection. Option B is wrong because VPC firewall rules operate at the network layer (IP/port/protocol) and cannot inspect HTTP request bodies or query strings for SQL injection signatures. Option C is wrong because Cloud IDS is a network-based intrusion detection system that monitors for network-level threats (e.g., malware, C2 traffic) using packet mirroring, but it does not provide inline blocking or HTTP-layer WAF rules for SQL injection.

343
MCQeasy

A company wants to allow HTTP traffic from the internet to a web server running on a Compute Engine VM in a VPC. The web server should only be accessible on port 80. Which firewall rule should be created?

A.Egress rule: allow tcp:80 from 0.0.0.0/0 (target tags: web-server)
B.Ingress rule: allow tcp:80 from 0.0.0.0/0 (target tags: web-server)
C.Ingress rule: allow tcp:443 from 0.0.0.0/0 (target tags: web-server)
D.Ingress rule: allow tcp:80 from 0.0.0.0/0 (target tags: default)
AnswerB

Correct: Ingress, port 80, any source, target tag 'web-server'.

Why this answer

Option B is correct because HTTP traffic from the internet (source 0.0.0.0/0) must be allowed by an ingress firewall rule targeting the web server VM. The rule specifies TCP port 80, which is the standard HTTP port, and uses target tags 'web-server' to apply the rule only to VMs with that tag, ensuring the web server is accessible on port 80 from any source.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules, and the trap here is that candidates may confuse the direction of traffic (ingress for inbound, egress for outbound) or select a rule with the wrong port (e.g., 443 instead of 80) or incorrect target tags (e.g., 'default' instead of 'web-server').

How to eliminate wrong answers

Option A is wrong because it defines an egress rule, which controls outbound traffic from the VM, not inbound HTTP traffic from the internet. Option C is wrong because it allows TCP port 443 (HTTPS), not port 80 (HTTP), which does not meet the requirement to allow HTTP traffic on port 80. Option D is wrong because it uses target tags 'default', which would apply the rule to all VMs in the VPC with the default tag, rather than specifically targeting the web server VM with the 'web-server' tag, potentially exposing other VMs to inbound HTTP traffic.

344
MCQeasy

Refer to the exhibit. A project has the IAM policy shown. Alice is trying to delete a VPC firewall rule but receives a permission error. What is the most likely reason?

A.Alice has the role roles/compute.securityAdmin, which should allow deletion; perhaps the rule is managed by another service
B.The IAM policy has a condition that denies deletion after business hours
C.An organization policy prevents deletion of firewall rules in this project
D.Bob has the role roles/compute.networkAdmin, which does not include permissions to delete firewall rules
AnswerA

roles/compute.securityAdmin includes firewall rule deletion. If Alice still gets an error, it might be due to hierarchical policies or the rule being managed by another service like Firewall Insights.

Why this answer

Alice has the role roles/compute.securityAdmin, which includes the compute.firewalls.delete permission. However, if the VPC firewall rule is managed by another service (e.g., Firewall Rules Manager, Google Cloud Armor, or a managed service like GKE), the rule may have a 'managed' label or be part of a service-managed resource hierarchy that prevents direct deletion via the compute.firewalls.delete API. In such cases, the rule must be deleted through the managing service, not directly via the firewall rules API, leading to a permission error despite having the correct role.

Exam trap

Google Cloud often tests the misconception that having the correct IAM role (like compute.securityAdmin) always grants full control over all firewall rules, ignoring that managed services can impose additional deletion restrictions that override the base IAM permissions.

How to eliminate wrong answers

Option B is wrong because the IAM policy shown does not include any conditions; the exhibit only shows a simple binding with roles/compute.securityAdmin for Alice, and there is no mention of a condition that denies deletion after business hours. Option C is wrong because an organization policy would apply at the organization or folder level, not within a project's IAM policy; the exhibit shows a project-level IAM policy, and organization policies are separate constraints (e.g., constraints/compute.restrictFirewallRules) that would appear in the Organization Policies section, not in the IAM policy. Option D is wrong because Bob's role is irrelevant to Alice's permission error; the question asks why Alice cannot delete the rule, and Bob's role does not affect Alice's permissions.

345
MCQmedium

A company wants to deploy an HTTP application on Compute Engine instances in us-east1 and europe-west1, and use a global external HTTP(S) load balancer. How should they configure the backend?

A.Create a regional load balancer in each region and use DNS round-robin.
B.Create one backend service and add two instance groups, one from each region.
C.Create one backend service and add one instance group with instances in both regions.
D.Create two backend services, one per region, and attach to the same URL map.
AnswerB

This allows the load balancer to distribute traffic globally.

Why this answer

A global external HTTP(S) load balancer requires a single backend service that can span multiple regions. By adding one instance group from us-east1 and another from europe-west1 to the same backend service, the load balancer automatically routes traffic to the closest healthy backend based on the client's geographic location and the load balancer's anycast IP. This configuration leverages Google's global network infrastructure for optimal latency and failover.

Exam trap

The trap here is that candidates mistakenly think instance groups can span multiple regions (Option C) or that multiple backend services are needed for multi-region deployments (Option D), when in fact a single backend service with multiple regional instance groups is the correct and simplest design for a global load balancer.

How to eliminate wrong answers

Option A is wrong because creating two regional load balancers with DNS round-robin does not provide true global load balancing; DNS round-robin cannot account for backend health or geographic proximity, and it lacks the anycast IP and automatic failover capabilities of a global load balancer. Option C is wrong because an instance group cannot span multiple regions; instance groups are zonal or regional resources, and you must use separate instance groups per region. Option D is wrong because creating two backend services per region and attaching them to the same URL map would require a multi-backend setup, but for a single HTTP application you need one backend service that aggregates both regional instance groups; using two backend services would require separate URL paths or host rules, which is unnecessary and adds complexity.

346
Drag & Dropmedium

Drag and drop the steps to migrate an on-premises network to Google Cloud using a VPN and VPC peering into the correct order.


Why this order

Migration steps: VPN, BGP, new VPC, peering, then moving workloads.

347
Multi-Selectmedium

Which TWO of the following are advantages of using the Premium Tier of Google Cloud's Network Service Tiers? (Choose TWO.)

Select 2 answers
A.Reduced cost compared to Standard Tier.
B.Global load balancing with a single anycast IP address.
C.Lower latency and egress costs for traffic originating in regions far from users.
D.Supports regional load balancers only.
E.Public IP addresses are assigned from a regional pool.
AnswersB, C

Premium Tier enables global anycast IP for load balancers.

Why this answer

Options B and D are correct. Premium Tier offers lower latency by leveraging Google's global network. Option A is wrong because Premium Tier costs more.

Option C is wrong because Premium Tier allows global load balancing with anycast IP. Option E is wrong because Premium Tier supports both global and regional load balancers, but the advantage is global.

348
MCQhard

A global e-commerce company has deployed a web application across multiple GCP regions using an external HTTPS load balancer. Traffic is expected to originate from users worldwide. They want to minimize latency and improve user experience, while also ensuring that traffic is served from the nearest healthy backend. Which load balancing configuration should they use?

A.Deploy a regional external HTTP(S) load balancer in each region and use Cloud CDN to cache content.
B.Use a global external HTTP(S) load balancer with an anycast IP and enable Cloud CDN.
C.Configure an internal TCP/UDP load balancer in each region with DNS-based geolocation routing.
D.Set up a global external TCP proxy load balancer with SSL termination at each backend.
AnswerB

Global load balancer uses anycast to route users to the nearest healthy backend automatically.

Why this answer

A global external HTTP(S) load balancer uses a single anycast IP address, which directs each user to the closest healthy backend based on the user's geographic location and backend health. Enabling Cloud CDN further reduces latency by caching content at Google's global edge locations, ensuring that static and dynamic content is served from the nearest point of presence.

Exam trap

Google Cloud often tests the distinction between global anycast-based load balancers and regional load balancers with DNS routing, where candidates mistakenly think that regional load balancers with Cloud CDN can achieve the same latency optimization as a global anycast load balancer.

How to eliminate wrong answers

Option A is wrong because regional external HTTP(S) load balancers do not provide a single anycast IP; they require separate IPs per region and rely on DNS-based routing, which cannot guarantee that traffic is always served from the nearest healthy backend without additional complexity and potential latency from DNS caching. Option C is wrong because internal TCP/UDP load balancers are designed for private VPC traffic within a region, not for global external user traffic, and DNS-based geolocation routing introduces latency and does not provide the same anycast-based proximity as a global load balancer. Option D is wrong because a global external TCP proxy load balancer operates at Layer 4 and does not support HTTP/HTTPS features like Cloud CDN, URL-based routing, or content caching, making it unsuitable for optimizing user experience for a web application.

349
Multi-Selecthard

Which TWO statements about VPC Network Peering are correct?

Select 2 answers
A.VPC peering supports global load balancing with internal IPs
B.VPC peering is supported within the same organization
C.VPC peering supports transitivity across multiple peerings
D.VPC peering allows overlapping CIDR ranges
E.VPC peering can be used to connect VPCs in different regions
AnswersB, E

Peering can be established between VPCs in the same organization.

Why this answer

Option B is correct because VPC Network Peering is designed to connect VPCs within the same organization (or across different organizations) without requiring a VPN or gateway. It allows private RFC 1918 IP communication between VPCs, and when both VPCs belong to the same organization, the peering setup is straightforward and does not involve cross-organization trust policies. This is a fundamental use case for peering in Google Cloud.

Exam trap

The trap here is that candidates often assume VPC peering supports transitivity (Option C) because they confuse it with traditional router-based networking, but Google Cloud explicitly enforces non-transitive peering to maintain security and simplicity.

350
MCQhard

Refer to the exhibit. You are troubleshooting an on-premises to Cloud VPN connection with dynamic routing. The BGP session is CONNECTED, but no routes are received from the on-premises router. What is the most likely cause?

A.The firewall rules are blocking BGP traffic.
B.The on-premises router is not configured to advertise routes.
C.The VPN tunnel is down.
D.The cloud router is not advertising any routes.
AnswerB

Since the BGP session is CONNECTED but no routes are received, the on-premises side is not advertising.

Why this answer

The BGP session is up, but routesReceived is 0, indicating the on-premises router is not advertising routes.

351
MCQmedium

A network engineer is troubleshooting connectivity from a VM to an on-premises server over a Cloud VPN. The VM can reach the on-premises server, but the return traffic is dropped. What is the most likely cause?

A.The on-premises network does not have a route back to the VPC subnet.
B.A firewall rule is blocking ingress traffic from the on-premises network.
C.The BGP session is down.
D.The Cloud Router is not configured.
AnswerA

Return traffic requires a route on-premises pointing to the VPN gateway.

Why this answer

Option A is correct because on-premises routes must include the VPC subnet to ensure return traffic is sent to the VPN gateway. Option B is wrong because firewall rules can be separate for ingress/egress. Option C is wrong because a BGP session being down would cause no connectivity at all.

Option D is wrong because Cloud Router is needed for dynamic routing, but not having one does not cause asymmetric dropping specifically.

352
Matchingmedium

Match each Google Cloud interconnect or peering type to its description.


Direct physical connection between on-premises and Google

Connection via a supported service provider

Direct BGP peering between on-premises and Google edge

Peering via a carrier's network

Encrypted tunnel over the internet to your VPC

Why these pairings

These options provide varying levels of connectivity to Google Cloud.

353
Multi-Selecteasy

Which TWO statements about VPC Network Peering are correct? (Choose TWO.)

Select 2 answers
A.Transitive peering is not supported; if Network A is peered with Network B and Network A is peered with Network C, Network B cannot communicate with Network C through Network A.
B.Peered networks can use globally distributed routing to communicate across regions without additional configuration.
C.Default routes (0.0.0.0/0) are automatically exported and imported between peered networks.
D.Firewall rules from one network are automatically applied to the peered network.
E.The subnet IP ranges of peered VPC networks must not overlap.
AnswersA, E

VPC peering is non-transitive; traffic must be directly peered.

Why this answer

Option A is correct because VPC Network Peering is non-transitive by design. This means that if Network A is peered with both Network B and Network C, traffic cannot flow from Network B to Network C through Network A. Each peering connection is a direct, point-to-point link, and routing is not propagated across multiple peering hops.

This behavior is enforced by the GCP networking stack to prevent complex and unintended routing topologies.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering supports transitive routing, similar to how traditional router-based networks work, but GCP explicitly disallows this to enforce network segmentation and prevent unintended traffic flows.

354
MCQmedium

A company uses Identity-Aware Proxy (IAP) to secure access to Compute Engine VMs. Users report that they can SSH into some VMs but not others, even though they have the IAP-secured Tunnel User role. Both VMs are in the same project and have the same network tags. What is the most likely reason?

A.Firewall rules allow ingress from IAP's IP ranges only for some VMs.
B.The VMs are in different zones with different DNS resolution.
C.The VMs that can be accessed have external IP addresses; the others only have internal IP addresses.
D.The VMs do not have OS Login enabled.
AnswerC

IAP requires that the VM can be reached from IAP proxies, which typically requires an external IP.

Why this answer

Option C is correct because IAP for TCP forwarding requires the target VM to have an external IP address (or be accessible via a Cloud NAT with specific routing) for the IAP service to establish the tunnel. Without an external IP, the IAP tunnel cannot reach the VM, even if the user has the IAP-secured Tunnel User role and the firewall rules allow ingress from IAP's IP ranges (35.235.240.0/20).

Exam trap

The trap here is that candidates assume IAP works with any VM in the project as long as firewall rules and IAM roles are correct, overlooking the requirement for an external IP address (or Cloud NAT) for the IAP tunnel to reach the VM.

How to eliminate wrong answers

Option A is wrong because firewall rules in a project apply to all VMs with the same network tags; if the rules allow ingress from IAP's IP ranges (35.235.240.0/20) for one VM with a given tag, they apply equally to all VMs with that tag, so this cannot explain why some VMs are inaccessible. Option B is wrong because DNS resolution is not a factor in IAP tunneling; IAP uses IP addresses, not DNS names, and zones do not affect DNS resolution for internal VM connectivity. Option D is wrong because OS Login is not required for IAP tunneling; IAP works with standard SSH keys or gcloud auth, and OS Login is an optional authentication method that does not affect the ability to establish the IAP tunnel itself.

355
MCQ hard

A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?

A. Deploy the Cloud SQL Auth Proxy on each VM and configure IAM permissions for each VM's service account
B. Use Shared VPC and assign the specific VMs to a subnet with a dedicated secondary IP range, then restrict database access to that range
C. Use Private Service Connect to publish the database as a managed service and create a Private Service Connect endpoint in the spoke VPC with IAM permissions for the specific VM service accounts
D. Configure firewall rules in the hub project to allow traffic only from the specific VM internal IPs
Answer: C

Private Service Connect provides per-service account authorization and network isolation.

Why this answer

Option C is correct because Private Service Connect (PSC) allows you to publish a managed service (like Cloud SQL) and create a PSC endpoint in the spoke VPC. By combining the PSC endpoint with IAM permissions on the VM service accounts, you ensure that only specific VMs can connect to the database, providing fine-grained, identity-aware access control without exposing the database to the entire network.

Exam trap

Google Cloud often tests the misconception that network-level controls (firewall rules or IP ranges) are sufficient for securing access to managed services, when in fact identity-based controls (IAM + Private Service Connect) provide a more secure and auditable solution in a shared VPC topology.

How to eliminate wrong answers

Option A is wrong because Cloud SQL Auth Proxy provides authentication and encryption but does not restrict network-level access; any VM with the proxy installed and valid IAM credentials could connect, and it does not leverage the hub-and-spoke topology for isolation. Option B is wrong because Shared VPC with a dedicated secondary IP range only controls IP addressing, not access; firewall rules would still be needed, and any VM in that subnet could reach the database, not just the specific VMs. Option D is wrong because firewall rules in the hub project filter traffic based on source IPs, which can be spoofed within the VPC or bypassed if VMs are moved; they lack identity-based controls and do not prevent traffic from other VMs in the same subnet.

356
MCQ easy

A company needs to connect multiple on-premises sites to Google Cloud using a single Cloud VPN gateway. What is the recommended approach?

A. Create a single VPN tunnel and use policy-based routing to direct traffic.
B. Use a single VPN tunnel with multiple BGP sessions.
C. Create multiple VPN tunnels, each with its own BGP session to a Cloud Router.
D. Create a single VPN tunnel and use static routes for each site.
Answer: C

This allows each site to have its own encrypted tunnel and dynamic routing.

Why this answer

When connecting multiple on-premises sites to Google Cloud using a single Cloud VPN gateway, the recommended approach is to create multiple VPN tunnels, each with its own BGP session to a Cloud Router. This allows the Cloud VPN gateway to terminate multiple tunnels, and each tunnel can have a unique BGP session for dynamic route exchange, enabling the gateway to learn and advertise routes for each site independently. Using a single tunnel with multiple BGP sessions or policy-based routing is not supported because a Cloud VPN tunnel is a point-to-point connection that can only have one BGP session per tunnel, and static routes would not provide the redundancy or dynamic failover needed for multiple sites.

Exam trap

Google Cloud often tests the misconception that a single VPN tunnel can support multiple BGP sessions or that policy-based routing can be used to segregate traffic for multiple sites, but in Google Cloud, each tunnel is a point-to-point construct that requires its own BGP session, and policy-based routing is not available for Cloud VPN.

How to eliminate wrong answers

Option A is wrong because policy-based routing is not a supported feature for Cloud VPN tunnels; Cloud VPN uses route-based VPNs (with BGP or static routes) and cannot direct traffic based on policies across multiple sites through a single tunnel. Option B is wrong because a single VPN tunnel can only have one BGP session; multiple BGP sessions cannot be established over a single tunnel as each BGP session requires a separate tunnel interface and peer IP address. Option D is wrong because using a single VPN tunnel with static routes for each site would create a single point of failure and cannot provide the dynamic routing, failover, or load balancing needed for multiple on-premises sites; static routes also require manual updates if site topologies change.

357
MCQ easy

A team has deployed Compute Engine instances with internal IPs only. They need to allow these instances to download updates from specific external IP ranges. Which action should they take?

A. Create egress firewall rules with target tags and allowed IP ranges.
B. Configure Cloud NAT and allow all traffic.
C. Attach a public IP to each instance.
D. Use Private Google Access.
Answer: A

Egress firewall rules can restrict outbound traffic to specific IP ranges.

Why this answer

Egress firewall rules with target tags allow you to control outbound traffic from Compute Engine instances based on destination IP ranges. By specifying the allowed external IP ranges for updates and applying the rule to instances with a specific tag, you enable secure outbound access without exposing the instances to inbound traffic or requiring public IPs.

Exam trap

Google Cloud often tests the misconception that Cloud NAT alone can restrict outbound traffic to specific destinations, but Cloud NAT only provides source NAT and does not filter traffic by destination; egress firewall rules are required for that control.

How to eliminate wrong answers

Option B is wrong because Cloud NAT provides outbound connectivity to the internet for instances without public IPs, but it does not restrict traffic to specific external IP ranges; allowing all traffic would violate the requirement to limit updates to specific IP ranges. Option C is wrong because attaching a public IP to each instance would expose them to inbound traffic from the internet, increasing the attack surface and contradicting the requirement to use internal IPs only. Option D is wrong because Private Google Access enables instances with internal IPs to reach Google APIs and services, not external third-party update servers.

358
Matching medium

Match each VPC networking concept to its definition.


Concepts
Matches

Regional IP range within a VPC

Connection between two VPCs for private IP communication

VPC from one project shared with other projects

Outbound internet access for private instances

Access Google APIs from on-premises or other clouds

Why these pairings

These concepts are fundamental to VPC design in Google Cloud.

359
MCQ hard

You are using Serverless VPC Access to connect Cloud Run services to a VPC network. The connector is in us-central1 with a /28 subnet. You have a Cloud SQL instance (private IP) in the same region but in a different VPC network (peered). The Cloud Run service cannot reach the Cloud SQL instance. What is the most likely cause?

A. The Cloud SQL instance must have the Cloud SQL Proxy configured.
B. Serverless VPC Access requires Private Google Access to be enabled on the connector's subnet.
C. Cloud SQL requires an external IP for Serverless VPC Access connectivity.
D. The VPC connector's subnet does not have a route to the peered VPC where Cloud SQL resides.
Answer: D

VPC peering does not automatically propagate routes; you must configure custom route exchange or create routes.

Why this answer

Option D is correct because Serverless VPC Access routes traffic through the connector's VPC, but if the Cloud SQL instance is in a different VPC (even a peered one), the connector does not automatically route to the peered VPC. You need to ensure that a route for the Cloud SQL private IP range is present in the connector's VPC. Option C is wrong because a Cloud SQL private IP is accessible within the same VPC without an external IP.

Option A is wrong because the Cloud SQL Proxy is not required if direct private IP access is configured. Option B is wrong because the connector does not use Private Google Access to reach Cloud SQL.

360
Multi-Select medium

A company has a VPC with three tiers: web, app, and db. They want to enforce that only the web tier can communicate with the app tier on TCP port 8080, and only the app tier can communicate with the db tier on TCP port 3306. All instances are in the same region but different subnets. Which TWO firewall rules should be created? (Choose 2.)

Select 2 answers
A. An ingress rule on the db tier instances with tag 'db' allowing TCP 3306 from instances with tag 'app'.
B. An egress rule on the web instances with tag 'web' allowing TCP 8080 to the app subnet.
C. An egress rule on the web subnet allowing TCP 8080 to any destination.
D. An ingress rule on the app tier instances with tag 'app' allowing TCP 8080 from instances with tag 'web'.
E. An ingress rule on the web subnet allowing TCP 8080 from the app subnet.
Answers: A, D

This ensures only app tier can reach db tier on port 3306.

Why this answer

To control traffic between tiers, you use firewall rules with source tags. The correct approach is to create ingress rules on the destination tier's instances, allowing traffic only from the source tier's tag. Option B is an egress rule on the web tier allowing traffic to the app tier on 8080, but that does not prevent other sources from reaching the app tier.

Option D is an ingress rule on the app tier allowing TCP 8080 from the 'web' tag. Option A is an ingress rule on the db tier allowing TCP 3306 from the 'app' tag. Options C and E are incorrect because they allow traffic to any destination or are applied on the wrong tier.

361
MCQ easy

A company is deploying a hybrid cloud solution using Partner Interconnect. They have ordered a 1 Gbps connection from a partner at a colocation facility. The on-premises network uses a 10 Gbps link to the colo, and the partner provides a single 1 Gbps connection to Google Cloud. The company wants to connect two separate VPC networks in Google Cloud (production and development) to their on-premises network. Each VPC requires 500 Mbps of dedicated bandwidth. The company also needs high availability for the connection. What should they do?

A. Create a single VLAN attachment, then use a shared VPC with two subnets. Configure one Cloud Router with two BGP sessions, one for each subnet.
B. Create one VLAN attachment with 1 Gbps capacity, attach it to both VPCs using a single Cloud Router with two BGP sessions.
C. Create two VLAN attachments on the same interconnect, each with 500 Mbps capacity. Configure a separate Cloud Router for each VPC, each with a BGP session on its respective VLAN attachment. Use BGP metrics for active/passive failover.
D. Order two separate 1 Gbps Partner Interconnect connections, one for each VPC, and configure each with a single VLAN attachment.
Answer: C

Correct. This meets bandwidth and HA requirements.

Why this answer

Option C is correct because Partner Interconnect supports multiple VLAN attachments on a single connection, each with its own capacity allocation. By creating two VLAN attachments with 500 Mbps each, you can dedicate bandwidth to each VPC while meeting the 500 Mbps requirement. Using separate Cloud Routers with BGP sessions on each VLAN attachment and adjusting BGP metrics (e.g., local preference) allows active/passive failover for high availability, satisfying both the bandwidth and HA needs without requiring additional physical connections.

Exam trap

The trap here is that candidates assume a single VLAN attachment can serve multiple VPCs or that multiple physical connections are required for multiple VPCs, but Partner Interconnect allows multiple VLAN attachments on one connection, each dedicated to a different VPC with its own bandwidth and BGP session.

How to eliminate wrong answers

Option A is wrong because a single VLAN attachment cannot be shared across two separate VPC networks; VLAN attachments are per-VPC resources, and using a shared VPC with subnets does not provide dedicated bandwidth per VPC or proper isolation. Option B is wrong because a single VLAN attachment cannot be attached to two VPCs simultaneously; each VLAN attachment is associated with exactly one VPC and one Cloud Router, and a single Cloud Router with two BGP sessions cannot route traffic to two different VPCs over the same attachment. Option D is wrong because ordering two separate 1 Gbps connections is unnecessary and cost-prohibitive; a single 1 Gbps Partner Interconnect connection can support multiple VLAN attachments (up to 8 per connection) to serve multiple VPCs with dedicated bandwidth.

362
MCQ medium

Your security team wants to block specific SQL injection attacks using Cloud Armor. You have configured a security policy with a preconfigured WAF rule for SQL injection (evaluatePreconfiguredExpr('sqli-stable')). The rule is set to DENY. However, legitimate traffic is being blocked intermittently. What should you adjust?

A. Add a rate-based rule to limit the number of requests per second.
B. Create a rule with higher priority to allow the legitimate traffic before the WAF rule.
C. Modify the WAF rule to use a lower sensitivity level or exclude certain request attributes.
D. Enable TLS inspection for the load balancer to fully inspect encrypted traffic.
Answer: C

Reducing sensitivity reduces false positives.

Why this answer

The preconfigured WAF rule for SQL injection (sqli-stable) uses a default sensitivity level that may be too aggressive, causing false positives on legitimate traffic. By lowering the sensitivity level or excluding specific request attributes (e.g., headers, cookies, or URI paths), you can reduce false positives while still blocking actual SQL injection attempts. Cloud Armor allows fine-tuning of preconfigured rules via the `sensitivity` parameter and `exclude` lists, which is the correct approach here.

Exam trap

Google Cloud often tests the misconception that false positives from WAF rules are best handled by adding allow rules or rate limiting, rather than tuning the rule's sensitivity or exclusions, which is the proper Cloud Armor mechanism.

How to eliminate wrong answers

Option A is wrong because rate-based rules limit request frequency to mitigate DDoS or brute-force attacks, not to address false positives from a WAF rule that incorrectly flags legitimate SQL-like patterns. Option B is wrong because creating a higher-priority allow rule would bypass the WAF rule entirely for that traffic, defeating the purpose of SQL injection protection and potentially allowing actual attacks through. Option D is wrong because TLS inspection (e.g., using Cloud Armor with HTTPS load balancers) is already performed by default for encrypted traffic; the issue is not about decryption but about the WAF rule's sensitivity to benign SQL-like patterns.

363
MCQ hard

Your company runs a multi-tier web application on Google Cloud. The application consists of frontend instances in a managed instance group (MIG) in us-central1, backend instances in a MIG in us-west1, and a Cloud SQL database in us-central1. The frontend and backend communicate over a VPC network with custom subnet mode (10.0.0.0/16) and use internal IP addresses. Recently, the application experienced intermittent timeouts. You notice that the backend instances in us-west1 have high latency when querying the Cloud SQL database in us-central1. You suspect network congestion or suboptimal routing. You want to minimize latency between the regions for database queries while ensuring the most cost-effective solution. What should you do?

A. Move all resources to a single region, such as us-central1, and use a single VPC.
B. Set up a Cloud VPN tunnel with Cloud Router and use BGP to advertise routes between the two regions.
C. Create a VPC peering connection between the frontend and backend VPCs.
D. Enable Cloud CDN on the backend load balancer to cache database responses.
Answer: B

This provides a dedicated encrypted tunnel and dynamic routing, which can reduce latency by using a more direct path than the public internet.

Why this answer

Option B is correct because Cloud VPN with Cloud Router and BGP enables dynamic route advertisement between the two regions, allowing traffic between the backend instances in us-west1 and the Cloud SQL database in us-central1 to traverse Google's global network with optimal routing. This minimizes latency by using Google's internal backbone rather than the public internet, and it is cost-effective because Cloud VPN charges only for the tunnel hours and egress traffic, with no per-GB data transfer costs for inter-region traffic within the same VPC.

Exam trap

Google Cloud often tests the misconception that VPC peering is needed for inter-region communication within the same VPC, but the trap here is that the frontend and backend are already in the same VPC, so peering is irrelevant, and the real issue is optimizing routing between regions, which Cloud VPN with BGP addresses.

How to eliminate wrong answers

Option A is wrong because moving all resources to a single region would eliminate the multi-region architecture, potentially increasing latency for users in other regions and violating the requirement to minimize latency between regions while maintaining the existing deployment. Option C is wrong because VPC peering connects two separate VPCs, but the frontend and backend are already in the same VPC (custom subnet mode 10.0.0.0/16), so peering is unnecessary and does not address routing optimization between regions. Option D is wrong because Cloud CDN caches static content at edge locations, not database query responses, and it cannot reduce latency for dynamic database queries that require real-time access to Cloud SQL.

364
Multi-Select medium

An organization needs low-latency connectivity between their on-premises data center and Google Cloud, supporting up to 20 Gbps throughput. They already have a Partner Interconnect connection but need to increase capacity. Which two actions should they take? (Choose two.)

Select 2 answers
A. Work with the service provider to upgrade the existing interconnect to a higher capacity
B. Create additional Cloud VPN tunnels to the same region
C. Provision a new Dedicated Interconnect to bypass the partner
D. Provision additional VLAN attachments on the existing Partner Interconnect
Answers: A, D

Partner Interconnect bandwidth can be upgraded with provider.

Why this answer

Option A is correct because Partner Interconnect connections can be upgraded to higher capacity by working with the service provider, as the provider manages the underlying physical circuit. This allows increasing throughput up to 20 Gbps without replacing the existing connection, leveraging the existing Layer 2 or Layer 3 handoff.

Exam trap

Google Cloud often tests the misconception that adding Cloud VPN tunnels can scale throughput to match Interconnect speeds, but VPN tunnels have lower bandwidth limits and higher latency, making them unsuitable for high-throughput, low-latency requirements.

365
Matching medium

Match each Google Cloud networking service to its primary function.


Concepts
Matches

Provides outbound connectivity for private instances

Securely connects on-premises to VPC via IPsec

Delivers content from edge caches globally

Translates domain names to IP addresses

Manages service mesh traffic with global load balancing

Why these pairings

These are core Google Cloud networking services with distinct roles.

366
Multi-Select easy

A network engineer needs to configure firewall rules to allow health checks from Google Cloud's health check systems to a backend service. Which two source IP ranges should they allow? (Choose two.)

Select 2 answers
A. 169.254.0.0/16
B. 10.0.0.0/8
C. 130.211.0.0/22
D. 35.191.0.0/16
E. 0.0.0.0/0
Answers: C, D

130.211.0.0/22 and 35.191.0.0/16 are the two Google Cloud health check source ranges.

Why this answer

Google Cloud health check probes originate from the specific IP ranges 130.211.0.0/22 and 35.191.0.0/16. Allowing these source ranges in firewall rules is necessary to permit health check traffic to reach backend instances, ensuring load balancers can determine instance health.

Exam trap

Google Cloud often tests the misconception that health checks originate from the same subnet as the load balancer or from private IP ranges, leading candidates to incorrectly select 10.0.0.0/8 or 169.254.0.0/16 instead of the documented Google Cloud health check source ranges.

367
MCQ medium

A company uses Cloud Armor to protect its HTTP(S) load balancer. They need to block requests from a specific geographic region and also apply a rate limiting rule. What is the correct order of evaluation for Cloud Armor security policies?

A. Rate limiting rules are evaluated separately from other rules.
B. Evaluate rules in priority order and apply all matching rules.
C. Evaluate rules in priority order; the first matching rule determines the action.
D. Evaluate all rules and apply the most restrictive action.
Answer: C

This is the correct behavior of Cloud Armor security policies.

Why this answer

Cloud Armor security policies evaluate rules in priority order, and the first rule that matches the request determines the action (allow or deny). This means that if a rate limiting rule matches first, it will be applied, and subsequent rules are not evaluated. Option C correctly describes this behavior.

Exam trap

Google Cloud often tests the misconception that all matching rules are applied or that the most restrictive action is taken, but Cloud Armor uses first-match semantics, not cumulative or most-restrictive logic.

How to eliminate wrong answers

Option A is wrong because rate limiting rules are not evaluated separately; they are integrated into the same priority-ordered rule set as other rules. Option B is wrong because Cloud Armor does not apply all matching rules; it stops at the first match and applies only that rule's action. Option D is wrong because Cloud Armor does not evaluate all rules and apply the most restrictive action; it uses the first match in priority order, not the most restrictive.

368
MCQ hard

A large enterprise uses hierarchical firewall policies across multiple VPCs. They have an organization policy that requires all VPCs to block SSH from the internet. However, a development team needs SSH from a specific external IP range for a building. How can they create a firewall rule that allows that range without violating the organization policy?

A. Remove the organization policy and implement firewall rules at the project level only.
B. Create a project-level firewall policy with a priority higher than the organization policy's deny rule, allowing the specific source range.
C. Use VPC firewall rules instead of hierarchical policies to allow the range, as they are evaluated after hierarchical policies.
D. Add the external IP range to an exception list in the organization policy.
Answer: B

In hierarchical firewall policies, lower priority numbers take precedence. A project-level rule with a higher priority (lower number) than the organization's deny rule will be evaluated first and allow the traffic.

Why this answer

In Google Cloud, hierarchical firewall policies are evaluated before VPC firewall rules, and the effective rule is the one with the highest priority (lowest numeric value). By creating a project-level firewall policy rule with a higher priority (e.g., priority 100) than the organization policy's deny rule (e.g., priority 1000), the allow rule for the specific external IP range will take precedence, effectively overriding the deny for that traffic while keeping the organization policy intact.

Exam trap

Google Cloud often tests the misconception that VPC firewall rules are evaluated after hierarchical policies and can override them, but in reality, hierarchical policies are evaluated first and their deny rules will block traffic unless a higher-priority allow rule exists within the hierarchical policy hierarchy.

How to eliminate wrong answers

Option A is wrong because removing the organization policy violates the enterprise's security requirements and is not necessary; the goal is to allow a specific exception without removing the global block. Option C is wrong because VPC firewall rules are evaluated after hierarchical policies, so a VPC rule allowing SSH would be overridden by the hierarchical deny rule, not the other way around. Option D is wrong because Google Cloud hierarchical firewall policies do not support an 'exception list' mechanism; exceptions must be implemented via higher-priority allow rules within the hierarchical policy or at a lower level.

369
MCQ medium

A company is designing a hybrid network architecture to connect their on-premises data center to Google Cloud. They need high availability and bandwidth of at least 10 Gbps. Which connectivity option meets these requirements?

A. Cloud VPN with two tunnels to different gateways
B. Dedicated Interconnect with two circuits (each 10 Gbps) to different edge locations
C. Direct Peering with multiple BGP sessions
D. Partner Interconnect with 1 Gbps VLAN attachments
Answer: B

Dedicated Interconnect offers 10 Gbps per circuit and with two circuits provides HA and meets bandwidth requirement.

Why this answer

Dedicated Interconnect with two 10 Gbps circuits to different edge locations meets the 10 Gbps bandwidth requirement and provides high availability through diverse physical paths. Cloud VPN maxes out at 3 Gbps per tunnel, Direct Peering does not offer SLA-backed bandwidth or support for 10 Gbps single connections, and Partner Interconnect typically caps at 1 Gbps per VLAN attachment.

Exam trap

Google Cloud often tests the misconception that Cloud VPN can achieve 10 Gbps by using multiple tunnels, but the per-tunnel and per-VPN gateway throughput limits (typically 3 Gbps) make it unsuitable for sustained 10 Gbps traffic, while Dedicated Interconnect provides dedicated physical circuits with guaranteed bandwidth.

How to eliminate wrong answers

Option A is wrong because Cloud VPN tunnels have a maximum throughput of approximately 3 Gbps per tunnel (even with two tunnels, aggregate throughput is limited by the VPN gateway capacity and does not guarantee 10 Gbps). Option C is wrong because Direct Peering is a bilateral arrangement without a Google SLA, does not support dedicated bandwidth guarantees, and is not designed for single-connection 10 Gbps throughput to a VPC. Option D is wrong because Partner Interconnect VLAN attachments are typically offered at 1 Gbps or lower, and even with multiple attachments, they do not provide the dedicated 10 Gbps circuit required.

370
MCQ medium

A company has an HA VPN tunnel between on-premises and Google Cloud. They want traffic destined to 10.1.0.0/16 (a subnet in their VPC) to go through a specific next-hop VPN tunnel interface, but currently traffic is being dropped. What should they verify?

A. The VPC has a custom route with destination 10.1.0.0/16 and next-hop set to the correct VPN tunnel interface.
B. Cloud NAT is enabled.
C. Firewall rules allow ingress from on-premises IPs.
D. The on-premises router is advertising the route via BGP.
Answer: A

A custom route with the correct next-hop is necessary to direct traffic through the specific VPN tunnel.

Why this answer

Option A is correct because a custom route with destination 10.1.0.0/16 and next hop set to the specific VPN tunnel interface is required to direct traffic through that interface. Option C is incorrect because firewall rules control access but not routing. Option D is incorrect because on-premises BGP advertisement is for routes from on-premises, not for routes within Google Cloud.

Option B is incorrect because Cloud NAT is used for outbound internet access, not for routing to on-premises.

371
MCQ hard

A company is designing a hub-and-spoke VPC architecture in Google Cloud. The hub VPC hosts a set of shared services, including a third-party firewall appliance (NGFW) in a managed instance group behind a TCP load balancer. Spoke VPCs need to send traffic to the hub's internal TCP load balancer IP (10.0.0.10) for inspection. The firewall appliance inspects traffic and forwards it to the final destination. The network team notices that traffic from one spoke to the load balancer is being dropped. They have verified that VPC peering is established, routes are propagated, and firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

A. The spoke VPC's subnet routes are not advertised to the hub VPC via VPC peering.
B. The spoke VPC does not have a route to the hub's internal load balancer IP via the peering connection.
C. The internal TCP load balancer's forwarding rule is misconfigured, pointing to the wrong target.
D. The hub VPC uses Cloud NAT, which is not compatible with VPC peering.
Answer: A

VPC peering does not automatically export custom static routes. The load balancer IP is in the hub's subnet, and the spoke's route to that IP via peering is automatically present; however, if the load balancer is in a different subnet, static routes may be needed. The most likely cause is that the spoke VPC uses custom static routes that are not exported to the hub, causing asymmetric routing.

Why this answer

The most likely cause is that the spoke VPC's subnet routes are not advertised to the hub VPC via VPC peering. For traffic from a spoke to reach the hub's internal TCP load balancer (10.0.0.10), the hub must have a route back to the spoke's source IP range. Without the spoke advertising its subnet routes, the hub's firewall appliance cannot return traffic to the spoke, causing asymmetric routing and dropped packets.

Exam trap

The trap here is that candidates assume VPC peering automatically handles all routing in both directions, but they forget that custom routes or non-default subnet ranges must be explicitly advertised to the hub for return traffic to work.

How to eliminate wrong answers

Option B is wrong because the spoke VPC does have a route to the hub's internal load balancer IP via the peering connection — VPC peering automatically installs routes for the entire peered VPC's subnet ranges, so the spoke can reach 10.0.0.10. Option C is wrong because the forwarding rule misconfiguration would cause traffic to never reach the load balancer, but the question states traffic is being dropped (not that it fails to arrive), and the team has verified firewall rules and routes, implying the forwarding rule is correct. Option D is wrong because Cloud NAT is used for outbound internet access from instances without external IPs, and it is fully compatible with VPC peering — it does not interfere with traffic to internal load balancers.

372
MCQ · hard

A security team wants to restrict which Google services can be accessed from their VPC without external IPs. They use Private Google Access. What should they use to block access to specific services?

A. VPC Service Controls
B. Firewall rules blocking destination IPs
C. Cloud NAT with a specific IP range
D. Private Google Access with restricted VIPs
Answer: A

This service creates perimeters to control access to Google services.

Why this answer

VPC Service Controls lets you define security perimeters that restrict which Google services can be reached from the VPC.

373
Multi-Select · hard

A company is using Cloud NAT for outbound internet access. They want to ensure that traffic from certain VMs always uses a specific set of NAT IPs for auditing purposes. Which three steps are necessary to achieve this? (Choose THREE.)

Select 3 answers
A. Ensure the VMs have a default route (0.0.0.0/0) with next hop set to the Cloud NAT gateway's subnet
B. Configure IAM conditions on the Cloud NAT resource to restrict which VMs can use it
C. Enable VPC Flow Logs on the subnet to monitor which NAT IPs are used
D. Create a separate Cloud NAT gateway with the desired IPs and associate it with the VMs via a subnet or tags
E. Configure VPC firewall rules to allow egress from the VMs to the internet
Answers: A, D, E

The default route sends traffic to Cloud NAT.

Why this answer

Option A is correct because for Cloud NAT to function, the VM must have a default route (0.0.0.0/0) that points to the Cloud NAT gateway's subnet as the next hop. Without this route, the VM's outbound traffic will not be directed to the NAT gateway, and the NAT IPs will not be used. This ensures that traffic from the VM is routed through the NAT gateway, allowing the specific set of NAT IPs to be applied for auditing.

Exam trap

Google Cloud often tests the misconception that IAM conditions can control Cloud NAT usage per VM, but in reality, Cloud NAT uses subnet or tag-based association, not IAM, and VPC Flow Logs are for monitoring, not configuration.

374
MCQ · easy

A company has a VPC with subnet 10.1.0.0/24 in us-central1. They created a Cloud NAT gateway named 'nat-us-central1' attached to that subnet. During peak hours, many VM instances in the subnet cannot connect to the internet. The NAT configuration shows only one NAT IP. Firewall rules allow egress traffic, and health checks confirm the NAT gateway is functioning. What is the most likely cause of the failure?

A. The Cloud Router is missing or misconfigured.
B. The NAT gateway is not attached to the correct subnet.
C. An egress firewall rule blocks ICMP packets.
D. Port exhaustion due to insufficient NAT IP addresses.
Answer: D

One NAT IP provides limited source ports, easily exhausted by many concurrent connections.

Why this answer

With only one NAT IP address and many VM instances sharing it, the available source ports (65,535 per IP) are quickly exhausted during peak hours. Each concurrent outbound connection consumes a unique source port; once all ports are in use, new connections fail. This is a classic port exhaustion scenario, not a configuration or firewall issue.

Exam trap

Google Cloud often tests the misconception that firewall rules or router misconfiguration are the primary cause of connectivity failures, when in reality port exhaustion from insufficient NAT IPs is a common scaling issue in high-traffic environments.

How to eliminate wrong answers

Option A is wrong because Cloud NAT requires a Cloud Router for dynamic routing, but the question states the NAT gateway is functioning and health checks pass, indicating the router is present and correctly configured. Option B is wrong because the NAT gateway is explicitly attached to subnet 10.1.0.0/24, and health checks confirm it is working, so the attachment is correct. Option C is wrong because the firewall rules allow egress traffic, and ICMP is not required for general internet connectivity; the failure affects all protocols, not just ICMP.

375
MCQ · easy

Your company has a VPC with a single subnet in us-central1 (10.0.1.0/24). You have a managed instance group (MIG) of web servers (10.0.1.2-10.0.1.10) and a standalone database instance (10.0.1.100). The web servers need to communicate with the database on TCP port 3306. You have configured a firewall rule allowing ingress from 10.0.1.0/24 to 10.0.1.100 on tcp:3306. However, the web servers cannot connect to the database. You verified that the database is running and listening on port 3306, and that the web servers can ping the database. What should you do to resolve the issue?

A. Create a custom route from the web servers to the database.
B. Check the database instance's OS-level firewall (e.g., iptables) and ensure it allows traffic on port 3306 from the web servers.
C. Add a network tag 'db' to the database instance and update the firewall rule to target 'db'.
D. Configure the firewall rule to use the database's service account as the target.
Answer: B

The VPC firewall allows traffic, but the OS firewall on the database may be blocking the connection.

Why this answer

The firewall rule is correctly configured at the VPC level to allow ingress from the web servers' subnet to the database on TCP port 3306. Since the web servers can ping the database, network connectivity exists, but the application-layer connection fails. This indicates the database instance's OS-level firewall (e.g., iptables on Linux) is blocking the port, as cloud VPC firewall rules and guest OS firewalls operate independently.

Exam trap

Google Cloud often tests the distinction between cloud-level firewall rules and guest OS firewalls, leading candidates to overcomplicate the solution with network tags or routes when the issue is a simple OS-level block.

How to eliminate wrong answers

Option A is wrong because custom routes control packet forwarding paths, not firewall filtering; the web servers and database are in the same subnet, so no routing is needed. Option C is wrong because network tags are used to apply firewall rules to specific instances, but the existing rule already allows traffic from the entire subnet (10.0.1.0/24) to the database IP, so tags are unnecessary and would not fix an OS-level block. Option D is wrong because service accounts are used for authentication and authorization to Google Cloud APIs, not for controlling network traffic within a VPC; firewall rules cannot target service accounts.
