Google Professional Cloud Network Engineer (PCNE) — Questions 376-450

497 questions total · 7 pages · All types, answers revealed

Page 6 of 7
376
Multi-Select · medium

Which THREE of the following are benefits of using VPC Flow Logs?

Select 3 answers
A. Compliance and audit requirements.
B. Troubleshooting connectivity issues.
C. Detecting DDoS attacks.
D. Reducing network latency.
E. Real-time network monitoring.
Answers: A, B, C

Flow logs give a sampled, per-connection record of VPC traffic, which is what compliance, troubleshooting and attack detection all need.

Why this answer

VPC Flow Logs record sampled 5-tuple flows per subnet with byte and packet counts, so they satisfy compliance and audit requirements (A), let you troubleshoot connectivity (B, for example a flow that only the source VM reports because the destination's firewall dropped it), and expose volumetric patterns such as many sources hitting one destination and port (C). Option E is incorrect because flow logs are sampled and aggregated over an interval before they reach Cloud Logging, so they are near-real-time at best, not a real-time monitor. Option D is incorrect because logging observes the data path; it adds nothing that could reduce latency.
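The troubleshooting and detection use cases above, as an added example (not from the exam page). The records are constructed to mimic the jsonPayload of VPC Flow Log entries in Cloud Logging (connection.*, bytes_sent, packets_sent, reporter); the addresses and thresholds are invented.

```python
"""Triage VPC Flow Logs for two of the benefits above: troubleshooting
connectivity (a flow the destination never reports) and spotting a
volumetric attack (many sources, tiny flows, one target).

Added example, not from the exam page. FLOW_LOGS is CONSTRUCTED to mimic the
jsonPayload of VPC Flow Log entries in Cloud Logging (connection.*, bytes_sent,
packets_sent, reporter); the addresses and thresholds are invented.
"""
from collections import defaultdict


def _record(src, dst, dport, reporter, pkts, nbytes, sport=40000):
    """Build one constructed flow-log jsonPayload (TCP, protocol 6)."""
    return {
        "connection": {"src_ip": src, "src_port": sport, "dest_ip": dst,
                       "dest_port": dport, "protocol": 6},
        "packets_sent": pkts,
        "bytes_sent": nbytes,
        "reporter": reporter,  # which VM logged it: "SRC" or "DEST"
    }


FLOW_LOGS = [
    # Healthy flow: both ends log it.
    _record("10.0.1.5", "10.0.2.10", 8080, "SRC", 8, 2400, sport=51000),
    _record("10.0.1.5", "10.0.2.10", 8080, "DEST", 40, 12000, sport=51000),
    # Only the source VM sees this one: the destination's firewall dropped
    # it, or the route to it is blackholed. A textbook troubleshooting lead.
    _record("10.0.1.6", "10.0.2.11", 5432, "SRC", 3, 180, sport=51001),
]
# 120 distinct internet sources, one packet each, all hitting one port on
# one VM: the shape of a volumetric flood as seen by the target.
FLOW_LOGS += [_record(f"203.0.113.{i}", "10.0.2.20", 443, "DEST", 1, 60)
              for i in range(1, 121)]


def _five_tuple(rec):
    c = rec["connection"]
    return (c["src_ip"], c["src_port"], c["dest_ip"], c["dest_port"], c["protocol"])


def one_sided_flows(logs):
    """Flows logged by the source VM but never by the destination VM.

    Heuristic, not proof: the destination may simply not have flow logs
    enabled, or may be outside the VPC. Returns sorted (src, dst, dport).
    """
    reporters = defaultdict(set)
    for rec in logs:
        reporters[_five_tuple(rec)].add(rec["reporter"])
    return sorted((src, dst, dport)
                  for (src, _sp, dst, dport, _proto), seen in reporters.items()
                  if "SRC" in seen and "DEST" not in seen)


def volumetric_targets(logs, min_sources=100, max_pkts_per_source=2.0):
    """(dest_ip, dest_port) -> distinct source count for targets that see many
    sources sending very little each, from DEST-reported records."""
    sources = defaultdict(set)
    packets = defaultdict(int)
    for rec in logs:
        if rec["reporter"] != "DEST":
            continue
        c = rec["connection"]
        key = (c["dest_ip"], c["dest_port"])
        sources[key].add(c["src_ip"])
        packets[key] += rec["packets_sent"]
    return {key: len(srcs) for key, srcs in sources.items()
            if len(srcs) >= min_sources
            and packets[key] / len(srcs) <= max_pkts_per_source}


if __name__ == "__main__":
    print("one-sided flows:", one_sided_flows(FLOW_LOGS))
    print("volumetric targets:", volumetric_targets(FLOW_LOGS))
```

In production you would run the same aggregations over a Cloud Logging sink (BigQuery or Pub/Sub) rather than an in-memory list, and tune the thresholds per subnet; the reporter asymmetry check only works where both VMs have flow logs enabled.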

377
MCQ · easy

A company is deploying a Dedicated Interconnect with a 10 Gbps circuit to Google Cloud. They need to ensure high availability. Which configuration is required by Google Cloud to meet the high availability SLA?

A. Combine Dedicated Interconnect with a Cloud VPN tunnel for failover
B. Use Partner Interconnect instead of Dedicated Interconnect
C. Provision two VLAN attachments on two separate Cloud Routers in different zones
D. Provision a single VLAN attachment on one Cloud Router
Answer: C

Two VLAN attachments on redundant connections remove the single point of failure; that redundancy, not a second product, is what the SLA is written around.

Why this answer

Google's Dedicated Interconnect SLA is offered only for the documented redundant topologies: at least two Interconnect connections in different edge availability domains of the metro, one VLAN attachment per connection, each attachment terminating on a Cloud Router. For the 99.9% topology a single Cloud Router in one region is enough; the 99.99% topology adds a second metro and a second Cloud Router in a second region. Option C is the only choice that describes redundant attachments on redundant Cloud Router infrastructure. Note that Cloud Router is a regional resource; the option's 'different zones' is loose wording for separate edge availability domains. A single VLAN attachment (D) is a single point of failure and carries no SLA.

Exam trap

Candidates often assume a single Cloud Router with two VLAN attachments on the same Interconnect connection is enough. Two attachments only count as redundant when each rides a different physical connection in a different edge availability domain; stacking attachments on one connection leaves the fibre and the edge device as shared failure points.

How to eliminate wrong answers

Option A is wrong because a Cloud VPN tunnel can serve as a lower-bandwidth backup path but is not part of any Dedicated Interconnect SLA topology; the SLA requires redundant VLAN attachments on redundant connections. Option B is wrong because Partner Interconnect is an alternative product with its own SLA terms, not a way to meet the Dedicated Interconnect SLA. Option D is wrong because one VLAN attachment on one Cloud Router is a single point of failure and is explicitly outside the SLA.

378
MCQ · medium

A company needs to connect their on-premises data center to Google Cloud using Dedicated Interconnect. They have a service level agreement that requires 99.99% availability for the connection. What is the minimum number of VLAN attachments they must provision, and how should they be configured to meet this SLA?

A. One VLAN attachment with a single Interconnect
B. Two VLAN attachments, each on a different Interconnect
C. Four VLAN attachments on two Interconnects
D. Two VLAN attachments on the same Interconnect
Answer: B

Two VLAN attachments, each on its own Interconnect connection, remove the shared physical link; that is the minimum redundant configuration Google will attach an SLA to.

Why this answer

To carry an availability SLA the design must eliminate single points of failure. A single VLAN attachment on one connection (A) has no redundancy at all. Google's minimum SLA topology is two Interconnect connections in different edge availability domains, with one VLAN attachment on each, so if one connection, edge device or attachment fails, traffic fails over to the other. Among the options only B describes that.

A practitioner's caveat: Google publishes the two-connection, single-metro topology at 99.9% and reserves 99.99% for four connections across two metros (two edge availability domains in each) with Cloud Routers in two regions. No option describes the 99.99% topology exactly; B is the answer because it is the only option with redundant physical connections, which is what the question tests.

Exam trap

Two VLAN attachments on the same Interconnect connection look redundant on a diagram but share the same fibre, the same edge device and the same edge availability domain, so one failure takes down both.

How to eliminate wrong answers

Option A is wrong because a single attachment on a single connection has no redundancy and carries no SLA. Option C is wrong because four attachments on two connections add logical capacity, not physical diversity; the second attachment on each connection fails together with the first, so it provides nothing beyond B. Option D is wrong because both attachments share one physical link; when that connection fails, both go down.

379
MCQ · hard

You have set up a Dedicated Interconnect with two VLAN attachments (each 10 Gbps) and configured ECMP on the Cloud Router. You observe that traffic from on-premises to a specific VM is only using one attachment. What is the most likely cause?

A. Route propagation is disabled on one Cloud Router interface
B. One of the VLAN attachments has a higher route priority
C. BGP ASN mismatch between the two attachments
D. The traffic consists of a single flow that is hashed to one attachment
Answer: D

ECMP per-flow hashing keeps each flow to one path.

Why this answer

D is correct because ECMP (Equal-Cost Multi-Path) relies on hashing of packet headers (e.g., 5-tuple: source/destination IP, protocol, source/destination port) to select a path. A single flow (e.g., a TCP connection between two specific IPs and ports) will always hash to the same attachment, so it cannot use both VLAN attachments simultaneously. This is expected behavior, not a fault.

Exam trap

Google Cloud often tests the misconception that ECMP should load-balance every packet across all links, but the trap here is that ECMP operates on a per-flow basis (not per-packet) to avoid packet reordering, so a single flow will always use only one path.

How to eliminate wrong answers

Option A is wrong because route propagation is a BGP setting that controls whether learned routes are advertised to VPC networks; if disabled on one interface, routes would be missing entirely, not just for a single flow. Option B is wrong because route priority (e.g., MED, local preference) affects which route is preferred for a prefix, but both attachments have equal cost (same bandwidth, same AS path length), so priority does not cause single-flow behavior. Option C is wrong because an ASN mismatch would prevent BGP peering from establishing at all, causing complete loss of connectivity on that attachment, not selective use of one attachment for a single flow.

380
MCQ · easy

When setting up a Partner Interconnect, which Google Cloud resource is used to connect to the partner's network?

A. Cloud VPN gateway
B. Cloud Interconnect attachment
C. VLAN attachment
D. Cloud Router
Answer: C

A VLAN attachment is the logical connection between your VPC network and the partner's network.

Why this answer

For Partner Interconnect you create a VLAN attachment (in the API and gcloud the resource is interconnectAttachment, of type PARTNER) in your project. Google generates a pairing key for it, you hand that key to the service provider, and the provider completes the attachment on their side. The attachment names the Cloud Router whose BGP session runs over it; with a layer 3 partner the provider configures BGP for you, with a layer 2 partner you configure the on-premises router yourself. The physical circuit belongs to the provider; the VLAN attachment is the Google Cloud resource that connects to it.

Exam trap

Google Cloud tests the distinction between the physical connection (a Dedicated Interconnect or the partner's circuit) and the logical attachment (the VLAN attachment). 'Cloud Interconnect attachment' is a plausible-sounding generic phrase, not the name used in the console or the documentation, so candidates who reason from vocabulary rather than from the resource model pick it.

How to eliminate wrong answers

Option A is wrong because a Cloud VPN gateway terminates IPsec tunnels over the public internet and has no role in Interconnect. Option B is wrong because 'Cloud Interconnect attachment' is not a Google Cloud resource name; the object is a VLAN attachment (interconnectAttachment in the API), created on a Dedicated Interconnect connection or, for Partner Interconnect, handed to the provider via its pairing key. Option D is wrong because Cloud Router exchanges BGP routes over the attachment but is not itself the connection point; the attachment references the router, not the other way round.

381
MCQ · hard

Refer to the exhibit. A Cloud Router has two BGP sessions. The first session is UP, the second is DOWN. What is the most likely cause for the second session being down?

A. The advertised route priority is too low.
B. The session initialization mode is set to PASSIVE.
C. The peer IP address 169.254.1.2 is not routable.
D. The BFD multiplier is too low (3).
Answer: B

If both ends are PASSIVE, neither initiates the TCP session, so BGP never establishes. One side must be ACTIVE.

Why this answer

The second session has sessionInitializationMode set to PASSIVE, which tells Cloud Router to wait for the peer to open the BGP TCP connection. If the on-premises router is also configured not to initiate, the session stays down indefinitely. The first session is ACTIVE, so Cloud Router opened it and it came up.

None of the other options explains a session that is down. Advertised route priority (A) only affects which path the peer prefers once the session is Established. 169.254.1.2 (C) is a link-local address, which is exactly what Cloud Router BGP peering uses; it only needs to be reachable across the VLAN attachment or tunnel, not routable anywhere else. BFD (D) detects forwarding failures on a session that is already up; its multiplier cannot stop a session from establishing.

This is a common misconfiguration.

382
MCQ · easy

A company needs to connect their on-premises data center to Google Cloud using a VPN with high availability. They have two VPN appliances on-premises in different locations. What is the best design on the GCP side?

A. Deploy one Cloud VPN gateway with two tunnels to both on-premises appliances, using one Cloud Router.
B. Deploy two Cloud VPN gateways in the same region, each with a tunnel to a different on-premises appliance, using separate Cloud Routers.
C. Deploy one Cloud VPN gateway with a single tunnel to one on-premises appliance.
D. Deploy two Cloud VPN gateways in different regions, each with a tunnel to a different on-premises appliance, using separate Cloud Routers.
Answer: D

Two gateways in two regions, each with its own Cloud Router and a tunnel to a different on-premises appliance, share no failure domain on the Google side.

Why this answer

Option D is correct because it removes every shared component: two Cloud VPN gateways in different regions, each terminating a tunnel to a different on-premises appliance, each with its own Cloud Router (Cloud Router is regional, so a second region needs a second router in any case). If one region, gateway or tunnel fails, traffic follows the other path. BGP on the Cloud Routers learns the same on-premises prefixes over both tunnels, so failover is automatic and, while both are up, traffic is spread across them.

Note for current deployments: the HA VPN gateway resource provides two interfaces in one region and carries Google's 99.99% availability SLA when both interfaces have tunnels. The question is framed around gateway-level and region-level redundancy, where D is the most redundant option offered.

Exam trap

Candidates often assume two tunnels from one gateway are highly available, but the gateway itself is then a single point of failure; the design the question rewards adds redundancy at both the gateway and the region.

How to eliminate wrong answers

Option A is wrong because one gateway is one failure domain: if it or its region fails, both tunnels go with it, however many on-premises appliances they reach. Option B is wrong because two gateways in one region still share that region's fate; a regional outage takes both. Option C is wrong because a single tunnel has no redundancy at all; any failure of the tunnel, gateway or appliance severs connectivity.

383
MCQ · medium

An organization wants to restrict data exfiltration from a GCP project. They need to prevent users from copying data to external cloud storage services like AWS S3, but allow access to Google Cloud Storage. Which VPC Service Controls (VPC-SC) configuration should they use?

A. Combine VPC Service Controls with a Cloud Firewall that denies egress to non-Google IPs.
B. Use Cloud Firewall rules to block egress to AWS IP ranges.
C. Enable Data Loss Prevention (DLP) API to inspect outgoing data.
D. Create a VPC Service Controls perimeter that includes the project and set access levels to allow only Google Cloud Storage.
Answer: A

VPC-SC governs access to Google APIs; firewall egress rules govern where packets may go. Stopping exfiltration to a non-Google service needs both.

Why this answer

Option A is correct because the two controls cover different layers. A VPC Service Controls perimeter around the project restricts which Google-managed services (for example Cloud Storage) can be reached from inside the perimeter and where data in those services can go; it says nothing about packets to AWS S3, which is not a Google service. Cloud Firewall egress rules close that gap: deny all egress except to the Google APIs range you use (for example the restricted.googleapis.com VIP, 199.36.153.4/30, which serves only VPC-SC-supported APIs), and a copy to an external storage service has no network path at all.

Exam trap

Google Cloud tests the misconception that VPC Service Controls alone block exfiltration. A perimeter controls access to Google Cloud services; traffic to a non-Google endpoint is outside its scope and must be stopped with network controls such as firewall egress rules.

How to eliminate wrong answers

Option B is wrong because a firewall blocklist of AWS ranges is brittle (provider ranges change, and every other non-Google destination stays open) and does nothing to stop copying data to a Cloud Storage bucket in an attacker-controlled Google project, which is the exfiltration path VPC-SC exists to block. Option C is wrong because the Sensitive Data Protection (DLP) API classifies and transforms content on request; it inspects nothing on the wire and blocks nothing. Option D is wrong because access levels and restricted services inside a perimeter control which Google services can be used from where; they have no effect on egress to AWS S3.

384
Multi-Select · medium

A company is deploying a new application across three VPCs in the same project, using Shared VPC. The security team wants to restrict traffic such that only the frontend subnet (10.0.1.0/24) can send traffic to the backend subnet (10.0.2.0/24) on TCP port 8080. The backend instances have the service account 'backend-sa@project.iam.gserviceaccount.com'. Which TWO firewall rule configurations achieve this goal?

Select 2 answers
A. Create an ingress firewall rule on the backend VPC with source service account 'frontend-sa@project.iam.gserviceaccount.com', protocol tcp:8080, and target service account 'backend-sa@project.iam.gserviceaccount.com'.
B. Create an egress firewall rule on the frontend VPC with source CIDR 10.0.1.0/24, protocol tcp:8080, and target CIDR 10.0.2.0/24.
C. Create an ingress firewall rule on the backend VPC with source CIDR 10.0.1.0/24, protocol tcp:8080, and target tag 'backend-tag'.
D. Create an ingress firewall rule on the backend VPC with source tag 'frontend-tag', protocol tcp:8080, and target tag 'backend-tag'.
E. Create a VPC firewall rule with priority 1000 that denies all traffic from 10.0.1.0/24 to 10.0.2.0/24, and then a higher priority rule allowing tcp:8080.
Answers: A, C

Source and target service accounts (A), or a source CIDR with a target tag (C), both express 'only the frontend subnet, only to backend instances, only tcp:8080' as an ingress rule applied where the traffic arrives.

Why this answer

Option A is correct because it uses service accounts as both source and target in an ingress rule applied to the backend instances: only VMs running as the frontend service account can reach VMs running as backend-sa on TCP 8080, independent of IP addresses or tags, and an attacker who obtains an address in the frontend range but not the identity gains nothing. Option C is correct because it states the requirement literally: source range 10.0.1.0/24, protocol tcp:8080, applied to backend instances through their target tag. Both are ingress rules on the network where the backend lives, which is where Google Cloud filters inbound packets; the implied deny-ingress rule then drops every other source.

Exam trap

Candidates often reach for an egress rule on the frontend side, but an egress rule only constrains what the frontend may send; it does not stop any other source from reaching the backend. Filtering inbound traffic requires an ingress rule applied to the destination instances, and service-account-based rules are frequently overlooked in favour of IP-based ones.

385
Multi-Select · medium

Which TWO factors should be considered when selecting a Google Cloud region for deploying a globally distributed application to minimize latency for users?

Select 2 answers
A. Availability of required Google Cloud services in the region
B. Compliance with data residency requirements
C. Proximity to the majority of users
D. Number of zones in the region
E. Cost of resources in the region
Answers: A, C

The region must support the services needed (e.g., Compute Engine, Cloud Load Balancing).

Why this answer

Option A is correct because the availability of required Google Cloud services in a region is a fundamental constraint: if a service (e.g., Cloud Spanner, BigQuery, or a specific machine series) is not offered in a region, you cannot deploy that component there, regardless of latency benefits. Option C is correct because minimizing latency for a globally distributed application requires placing compute and data resources as close as possible to the majority of users, reducing round-trip time (RTT) and improving user experience. Google Cloud's global network and edge caching locations (e.g., Cloud CDN) further amplify the benefit of proximity.

Exam trap

Google Cloud often tests the misconception that compliance or cost are primary factors for latency minimization, when in fact they are separate design constraints that may conflict with latency goals.

386
MCQ · hard

A network engineer is troubleshooting connectivity between an on-premises network and Google Cloud. The on-premises router has two BGP sessions configured for redundancy with a Cloud Router. The engineer runs the command above. Which issue does the output indicate?

A. Both BGP sessions are down
B. The BGP session for peer-a is down
C. The on-premises router is not advertising any routes to the Cloud Router
D. The Cloud Router is not advertising any routes to on-premises
Answer: C

Both sessions are Established but neither peer has sent any routes, so Cloud Router has no on-premises prefixes to install.

Why this answer

The output shows both BGP sessions in state Established, so options A and B are incorrect. However, the received (learned) routes count is 0 for both peers, meaning the on-premises router is not sending any prefixes to the Cloud Router. Cloud Router therefore installs no dynamic routes for on-premises destinations, and traffic from Google Cloud to on-premises has nowhere to go even though the sessions are up.

Exam trap

Candidates see 'Established' and assume connectivity. An Established session only proves that the TCP session and the BGP OPEN exchange succeeded; whether prefixes are actually exchanged (export policies, route maps or prefix filters on the on-premises side) is a separate question, and that is the root cause here.

How to eliminate wrong answers

Option A is wrong because both peers show Established; nothing is down. Option B is wrong for the same reason: peer-a's state is Established. Option D is wrong because the advertised routes count is non-zero (e.g., 5 for peer-a), so the Cloud Router is sending its routes to on-premises; the missing half is what the Cloud Router receives.
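The check described above, as an added example (not from the exam page). The status document is constructed in the shape of `gcloud compute routers get-status ROUTER --region REGION --format=json` (result.bgpPeerStatus[] with name, state, status, numLearnedRoutes and advertisedRoutes, as in the public RouterStatusResponse); the peer names, addresses and counts are invented.

```python
"""Read Cloud Router BGP peer status the way the question requires: an
Established session proves the neighbour relationship, not that any prefix
was exchanged.

Added example. STATUS_JSON is CONSTRUCTED in the shape of
`gcloud compute routers get-status ROUTER --region REGION --format=json`
(result.bgpPeerStatus[] with name, state, status, numLearnedRoutes,
advertisedRoutes, per the public RouterStatusResponse); the peers, addresses
and counts are invented.
"""
import json

STATUS_JSON = r'''
{
  "kind": "compute#routerStatusResponse",
  "result": {
    "network": "https://www.googleapis.com/compute/v1/projects/example/global/networks/hybrid",
    "bgpPeerStatus": [
      {"name": "peer-a", "ipAddress": "169.254.0.1", "peerIpAddress": "169.254.0.2",
       "state": "Established", "status": "UP", "uptime": "3 days, 2 hours",
       "numLearnedRoutes": 0,
       "advertisedRoutes": [{"destRange": "10.0.1.0/24"}, {"destRange": "10.0.2.0/24"},
                            {"destRange": "10.0.3.0/24"}, {"destRange": "10.0.4.0/24"},
                            {"destRange": "10.0.5.0/24"}]},
      {"name": "peer-b", "ipAddress": "169.254.1.1", "peerIpAddress": "169.254.1.2",
       "state": "Established", "status": "UP", "uptime": "3 days, 2 hours",
       "numLearnedRoutes": 0,
       "advertisedRoutes": [{"destRange": "10.0.1.0/24"}, {"destRange": "10.0.2.0/24"},
                            {"destRange": "10.0.3.0/24"}, {"destRange": "10.0.4.0/24"},
                            {"destRange": "10.0.5.0/24"}]}
    ]
  }
}
'''


def load_status(text):
    return json.loads(text)


def diagnose(status):
    """Per-peer findings in order. Session state is checked first because a
    peer that is not Established cannot have exchanged routes anyway."""
    findings = []
    for peer in status["result"]["bgpPeerStatus"]:
        name = peer["name"]
        if peer.get("state") != "Established":
            findings.append((name, "SESSION_DOWN"))
            continue
        if peer.get("numLearnedRoutes", 0) == 0:
            findings.append((name, "NO_ROUTES_RECEIVED"))
        if not peer.get("advertisedRoutes"):
            findings.append((name, "NO_ROUTES_ADVERTISED"))
    return findings


def verdict(status):
    """Collapse the findings into the kind of statement the exam options use."""
    peers = status["result"]["bgpPeerStatus"]
    findings = diagnose(status)
    kinds = {kind for _, kind in findings}
    if not findings:
        return "healthy: all sessions Established and exchanging routes"
    if kinds == {"SESSION_DOWN"} and len(findings) == len(peers):
        return "all BGP sessions down"
    if kinds == {"NO_ROUTES_RECEIVED"} and len(findings) == len(peers):
        return "sessions Established, but on-premises is advertising no routes"
    if kinds == {"NO_ROUTES_ADVERTISED"} and len(findings) == len(peers):
        return "sessions Established, but Cloud Router is advertising no routes"
    return "mixed: " + ", ".join(f"{n}={k}" for n, k in findings)


if __name__ == "__main__":
    status = load_status(STATUS_JSON)
    for finding in diagnose(status):
        print(*finding)
    print(verdict(status))
```

Pipe the real gcloud output into load_status instead of the constant and the same two checks apply; the second one is the one that catches the scenario in this question.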

387
Multi-Select · medium

A company is designing a hybrid network using Dedicated Interconnect. They want to configure BGP for load balancing across multiple VLAN attachments. Which TWO statements are correct?

Select 2 answers
A. You must create a separate Cloud Router for each VLAN attachment.
B. You can configure the Cloud Router to advertise the same IP prefixes over both VLAN attachments.
C. You should use BGP MED to load balance outbound traffic from Google Cloud.
D. You can use the same BGP ASN for both VLAN attachments.
E. Load balancing across VLAN attachments requires a single BGP session.
Answers: B, D

Advertising the same prefixes over multiple VLAN attachments with equal BGP attributes is what lets Cloud Router and the on-premises router spread traffic across them.

Why this answer

Option B is correct because one Cloud Router can hold BGP sessions over several VLAN attachments and advertise the same VPC prefixes on each; when the on-premises side likewise advertises the same prefixes with equal attributes, Cloud Router installs equal-priority routes and Google Cloud distributes outbound flows across the attachments with ECMP. Option D is correct because a Cloud Router has a single ASN that it uses on every session, and the on-premises peer may present the same ASN on both attachments; nothing requires distinct ASNs per attachment.

Option A is wrong because a single regional Cloud Router can terminate multiple VLAN attachments. Option E is wrong because each VLAN attachment carries its own BGP session; load balancing comes from equal-cost routes learned over several sessions, not from a single one.

Exam trap

Google Cloud tests the direction MED works in. The MED Cloud Router advertises influences how the on-premises router sends traffic toward Google Cloud (inbound from Google's perspective). Traffic leaving Google Cloud follows the priorities Cloud Router derives from the MED it receives; to load balance outbound, the on-premises side must advertise equal MED on both sessions so the learned routes tie and ECMP applies.
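The two ECMP behaviours tested in questions 379 and 387, as an added example (not from the exam page). It models the mechanism rather than Google's unpublished hash function: hashing the 5-tuple with SHA-256, the attachment names and the on-premises prefix are all assumptions.

```python
"""Why one flow never uses two VLAN attachments (Q379), and why ECMP only
happens when the learned routes tie on BGP attributes (Q387).

Added example; it models the behaviour rather than Google's unpublished hash
function. Hashing the 5-tuple with SHA-256 is an assumption, as are the
attachment names and the on-premises prefix.
"""
import hashlib
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


# Routes for one on-premises prefix as Cloud Router would learn them over
# two VLAN attachments. Cloud Router turns the received MED into the route
# priority; lower is preferred, and only a tie yields more than one next hop.
ROUTES_EQUAL = [
    {"dest": "192.168.10.0/24", "next_hop": "attachment-a", "priority": 100},
    {"dest": "192.168.10.0/24", "next_hop": "attachment-b", "priority": 100},
]
ROUTES_UNEQUAL = [
    {"dest": "192.168.10.0/24", "next_hop": "attachment-a", "priority": 100},
    {"dest": "192.168.10.0/24", "next_hop": "attachment-b", "priority": 200},
]

# One TCP connection (fixed 5-tuple) versus 1000 connections from the same
# client that differ only in source port.
SINGLE_FLOW = Flow("10.0.1.10", "192.168.10.5", 6, 51234, 443)
MANY_FLOWS = [Flow("10.0.1.10", "192.168.10.5", 6, 40000 + i, 443)
              for i in range(1000)]


def equal_cost_paths(routes):
    """Next hops that tie on the best (lowest) priority: the ECMP set."""
    best = min(r["priority"] for r in routes)
    return [r["next_hop"] for r in routes if r["priority"] == best]


def ecmp_pick(flow, paths):
    """Per-flow hashing: the same 5-tuple always maps to the same path, so a
    single connection cannot be striped across attachments. Per-packet
    spraying would reorder TCP segments, which is why nobody does it."""
    key = "|".join(str(x) for x in flow).encode()
    digest = hashlib.sha256(key).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def distribute(flows, paths):
    """How many flows land on each path."""
    counts = {p: 0 for p in paths}
    for flow in flows:
        counts[ecmp_pick(flow, paths)] += 1
    return counts


if __name__ == "__main__":
    paths = equal_cost_paths(ROUTES_EQUAL)
    print("single flow, 100 packets, paths used:",
          {ecmp_pick(SINGLE_FLOW, paths) for _ in range(100)})
    print("1000 flows over equal-cost routes:", distribute(MANY_FLOWS, paths))
    print("1000 flows over unequal routes:",
          distribute(MANY_FLOWS, equal_cost_paths(ROUTES_UNEQUAL)))
```

The two outcomes to notice: a single flow is never split however many packets it carries, and if the on-premises router advertises different MEDs the ECMP set collapses to one attachment before hashing even begins.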

388
MCQ · easy

A company has a Dedicated Interconnect with one 10 Gbps connection. They need high availability for critical workloads. Which design is the best practice according to Google Cloud recommendations?

A. Provision a second Dedicated Interconnect connection to a different PoP.
B. Add a second connection to the same PoP using the same provider.
C. Rely on the single connection and monitor for failures.
D. Use Cloud VPN as a backup to the Dedicated Interconnect.
Answer: A

Connections in different edge availability domains (and, for the highest tier, different metros) give physical and facility diversity.

Why this answer

Google's high-availability topologies for Dedicated Interconnect require at least two physical connections, each landing in a different edge availability domain so that no single edge device or maintenance window affects both; the 99.99% topology also spreads the connections across two metros. A single 10 Gbps connection, even with a VPN backup, carries no Interconnect SLA and cannot sustain the same bandwidth for critical workloads. Option A, a second connection to a different point of presence, is the only option that adds physical diversity and the only one that survives a facility-level failure.

Exam trap

Candidates often assume a second connection to the same PoP or a VPN backup is enough. Google's SLA topologies require diverse edge availability domains to protect against device- and facility-level failures, and a VPN backup lacks the bandwidth and the SLA needed for critical workloads.

How to eliminate wrong answers

Option B is wrong because a second connection to the same PoP and provider shares that facility and that provider's infrastructure; an outage there takes down both links, and Google's SLA topologies do not accept two connections in the same edge availability domain. Option C is wrong because a single monitored connection is not highly available; monitoring tells you about the outage, it does not prevent it. Option D is wrong because Cloud VPN is limited to about 3 Gbps per tunnel, adds IPsec overhead and the latency variance of the internet, and carries a different SLA; it is a reasonable low-bandwidth backup, not a way to keep 10 Gbps of critical traffic flowing.

389
MCQ · medium

A company is using Cloud NAT for internet access from private subnets. Security team notices that traffic from a specific VM is being blocked by external firewalls because the source IP is not the Cloud NAT IP. What is the most likely cause?

A. The VM is in a different zone than the Cloud NAT gateway
B. The VPC firewall rules are blocking outbound traffic from the VM to the Cloud NAT IP
C. Cloud Router is misconfigured and not advertising the Cloud NAT IP
D. The VM has a custom route that does not use the default route through Cloud NAT
Answer: D

Cloud NAT only translates packets that leave through the default internet gateway; a route with any other next hop bypasses it.

Why this answer

Option D is correct. Cloud NAT is applied to traffic whose selected route has the default internet gateway as its next hop, normally the 0.0.0.0/0 default route. Google Cloud selects routes by longest prefix match and then by priority, so a custom static route that is more specific than the default (for example a /24 covering the destination) or a higher-priority custom default route with another next hop (an appliance VM or an internal load balancer) wins, and the VM's packets never reach Cloud NAT. They leave with the VM's internal address, which the external firewall does not recognise and drops.

Exam trap

Google Cloud tests the misconception that Cloud NAT is zone-dependent or that firewall rules decide the source address. Firewall rules permit or drop; they never rewrite addresses. When the source IP is wrong rather than the traffic missing, look at the route table first.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is a regional gateway configured on a Cloud Router and serves VMs in every zone of the region whose subnets are in the NAT configuration; zones are irrelevant. Option B is wrong because firewall rules do not alter the forwarding path or the source address; if egress were blocked the traffic would never arrive at the external firewall, whereas here it arrives with the wrong source. Option C is wrong because, although a Cloud NAT gateway is attached to a Cloud Router, Cloud Router does not advertise NAT addresses via BGP; NAT IPs are external addresses used only for source translation, and nothing about their advertisement determines whether a VM's traffic is translated.

390
Multi-Select · easy

Which TWO of the following methods can be used to encrypt traffic between VPC networks?

Select 2 answers
A. Use of SSL/TLS at the application layer.
B. VPC peering.
C. Cloud Interconnect with VLAN attachments.
D. Cloud VPN with IPsec.
E. Cloud NAT.
Answers: A, D

SSL/TLS encrypts application data end to end; IPsec in Cloud VPN encrypts every packet between two VPC networks.

Why this answer

Option A is correct because TLS encrypts the payload in the application before it leaves the source VM, so confidentiality holds regardless of how the two VPC networks are connected (peering, Interconnect or the public internet). Option D is correct because Cloud VPN (for VPC-to-VPC, an HA VPN gateway in each network) carries all traffic between the networks inside IPsec tunnels, encrypting it at the network layer without any application change.

Exam trap

Google Cloud tests the misconception that VPC peering or Cloud Interconnect encrypts traffic. They provide private connectivity over Google's backbone or a dedicated circuit, but no encryption that you configure or can attest to; for that you must add IPsec (Cloud VPN, including HA VPN over Cloud Interconnect) or TLS.

391
MCQ · medium

A company uses Identity-Aware Proxy (IAP) to secure access to a group of Compute Engine instances running a web application. The instances have no external IP addresses and are accessed via IAP TCP forwarding. Recently, the security team discovered that some users can access the instances directly via SSH from other instances within the same VPC, bypassing IAP. What is the most effective way to ensure all SSH access goes through IAP?

A. Modify the VPC firewall rule to deny ingress traffic on TCP port 22 from all sources except the IAP IP range (35.235.240.0/20).
B. Assign a service account to each instance with the IAP-secured Tunnel User role.
C. Remove SSH keys from the instances and use OS Login.
D. Create a new firewall rule that allows SSH only from the IAP IP range and delete the existing SSH rule.
Answer: A

An explicit high-priority deny on tcp:22 from everything except the IAP range makes IAP the only possible SSH path.

Why this answer

Option A is correct because IAP TCP forwarding connects to the instance from the range 35.235.240.0/20. A rule that allows tcp:22 from that range, paired with a deny on tcp:22 from all other sources at a lower priority number (and therefore evaluated earlier) than any broad allow rule, means SSH from another VM in the VPC is dropped regardless of what other allow rules exist. That is the bypass in play here: one internal VM can reach another on port 22 whenever any rule, such as the default network's default-allow-internal, permits it.

Exam trap

Google Cloud tests the misconception that IAP by itself enforces access. IAP authenticates and authorises users for the tunnel, but it relies on VPC firewall rules to make the tunnel the only route to port 22; options that change authentication (OS Login) or authorisation (the Tunnel User role) never touch the network path.

How to eliminate wrong answers

Option B is wrong because the IAP-secured Tunnel User role decides who may use IAP; it does nothing about connections that never go through IAP. Option C is wrong because OS Login changes how users authenticate to sshd, not which networks can reach it; an internal VM can still connect directly. Option D is wrong, or at least weaker than A, because an allow-only rule set depends on no other rule permitting port 22. If the VPC carries a broad internal allow rule, such as the default network's default-allow-internal (priority 65534), deleting the old SSH rule and adding an IAP-only allow still leaves VM-to-VM SSH permitted by that rule. An explicit deny with a lower priority number than every allow rule except the IAP one closes the path whatever else is present.

392
Multi-Select · hard

A company has VPC peering between two VPC networks. They want to ensure that traffic from VPC A to VPC B can use a custom route in VPC A that points to a next-hop appliance in VPC A. Which TWO conditions must be met?

Select 2 answers
A. VPC B must have a route back to VPC A.
B. VPC peering must be set up with 'export custom routes' enabled from VPC A.
C. The appliance must be in the same region as VPC A.
D. The appliance must have a firewall rule allowing traffic from VPC B.
E. VPC A must have a route with destination inside VPC B and next-hop set to the appliance.
Answers: B, E

Export of custom routes is required for the peer to see and use them.

Why this answer

Option B is required because custom routes are only visible to a peer network when the peering has export custom routes enabled on the side that owns them (and import enabled on the receiving side). Option E is required because there must actually be a custom route in VPC A whose destination lies in VPC B and whose next hop is the appliance; without it there is nothing to export or to use. Option C is not required: static routes are global within a VPC network, so the appliance may be in any region. Option A is not required for the forward path, though return traffic from VPC B needs its own routing. Option D is a general firewall requirement for the appliance and is not specific to using the custom route.

393
MCQ · medium

Your company has deployed a hybrid cloud environment with a Cloud VPN tunnel between Google Cloud VPC and an on-premises data center. The VPC has a custom mode with subnet 10.0.1.0/24 in us-east1. On-premises uses subnet 192.168.1.0/24. The VPN tunnel is established using dynamic routing (BGP). Both sides advertise the correct prefixes. A Compute Engine VM in the VPC (10.0.1.10) can ping the on-premises gateway (192.168.1.1), but cannot ping a server on-premises (192.168.1.100). The on-premises network team confirms that 192.168.1.100 is reachable from the on-premises gateway. Firewall rules in GCP allow ingress from 192.168.1.0/24 to all VMs. What is the most likely cause?

A. The on-premises router does not have a route for the GCP subnet (10.0.1.0/24) pointing to the VPN tunnel.
B. The on-premises server is not configured with a default gateway pointing to the on-premises gateway.
C. The Cloud VPN tunnel is not configured with an IKE version supported by the on-premises device.
D. A firewall rule on the GCP VPC is blocking ICMP traffic from 192.168.1.100.
Answer: A

Without a return route for 10.0.1.0/24, the on-premises router forwards the server's replies via its default route (typically the internet), so they never come back through the tunnel and the ping fails.

Why this answer

The correct answer is A. The VM can ping the on-premises gateway (192.168.1.1), so the tunnel is up, BGP is established and GCP holds a route for 192.168.1.0/24. What differs for 192.168.1.100 is the return path: the server sends its reply to 192.168.1.1, and that router must have a route for 10.0.1.0/24 pointing into the VPN tunnel. If the prefix Cloud Router advertises is filtered, not installed in the router's forwarding table, or overridden by a more specific static route, the reply takes the default route instead and is dropped upstream, while the gateway's own replies (generated locally on the VPN device) still succeed.

Check it from both ends: Cloud Router should list 10.0.1.0/24 among its advertised routes, and the on-premises routing table should show that prefix with the tunnel as next hop.

Exam trap

Google Cloud tests the misconception that a successful ping to the remote gateway proves bidirectional connectivity. The gateway answers from its own IP stack and never has to forward anything; hosts behind it depend on the router having a return route for the GCP subnet.

How to eliminate wrong answers

Option B is wrong because the question states that the on-premises team has verified the server from the gateway, which is meant to rule out server-side configuration; on-link reachability from the gateway does not by itself prove a default gateway is set, so in a real incident you would still confirm the server's routing table, but the exam's intended discriminator is the router's return route. Option C is wrong because an IKE version mismatch would prevent the tunnel from establishing at all, yet the VM reaches the gateway through it. Option D is wrong because the GCP firewall rule allows ingress from all of 192.168.1.0/24, and the reply from 192.168.1.1 in that same range is accepted; the symptom is not consistent with a GCP firewall block.

394
MCQ · medium

Refer to the exhibit. A VM with the 'ssh-allowed' tag is unreachable via SSH from the internet, while other VMs with the same tag work. What is the most likely cause?

A. A firewall rule with priority 500 denies ingress traffic to the VM's tag or IP range.
B. The rule source range is set to 0.0.0.0/0, which includes all internet IPs, so it should allow SSH.
C. The VM is in a different VPC that does not have the allow-ssh rule.
D. The firewall rule 'allow-ssh' has a higher priority (1000) than the implicit deny (65535), so it should work.
Answer: A

A higher priority deny rule can override the allow rule.

Why this answer

The most likely cause is that a firewall rule with priority 500 explicitly denies ingress traffic to the specific VM's tag or IP range, overriding the allow-ssh rule (which has a lower priority, i.e., a higher numerical value). In Google Cloud Platform (GCP), firewall rules are evaluated from lowest to highest priority number, and a deny rule with a lower priority number (e.g., 500) takes precedence over an allow rule with a higher priority number (e.g., 1000). This explains why other VMs with the same 'ssh-allowed' tag remain reachable, as they are not affected by the specific deny rule.

Exam trap

Google Cloud often tests the misconception that a higher priority number means higher priority, when in fact a lower priority number (e.g., 500) takes precedence over a higher one (e.g., 1000), causing candidates to overlook the effect of a deny rule with a lower priority number.

How to eliminate wrong answers

Option B is wrong because the source range 0.0.0.0/0 does allow all internet IPs, but the issue is that a higher-priority deny rule (priority 500) is blocking the traffic, not that the allow rule is misconfigured. Option C is wrong because if the VM were in a different VPC without the allow-ssh rule, no VM in that VPC would be reachable via SSH, but the question states that other VMs with the same tag work, implying they are in the same VPC. Option D is wrong because while the allow-ssh rule with priority 1000 is higher than the implicit deny (65535), a deny rule with a lower priority number (500) takes precedence over the allow rule, blocking the traffic.

395
Multi-Select · easy

Which TWO of the following are benefits of using Cloud Interconnect over Cloud VPN for hybrid connectivity? (Choose two.)

Select 2 answers
A. Lower and more consistent latency.
B. Always provides encryption for data in transit.
C. Easier to set up as no physical connection is needed.
D. Lower cost for small bandwidth requirements.
E. Higher bandwidth capacity (up to 80 Gbps per circuit).
Answers: A, E

Dedicated connections avoid internet variability.

Why this answer

Cloud Interconnect provides a dedicated, private connection between your on-premises network and Google Cloud, bypassing the public internet. This results in lower and more consistent latency compared to Cloud VPN, which relies on the public internet and is subject to variable network conditions and potential congestion.

Exam trap

Google Cloud often tests the misconception that Cloud Interconnect provides encryption by default, when in fact it does not; the trap is that candidates confuse the private nature of the connection with inherent security, forgetting that encryption must be separately implemented.

396
MCQ · medium

A company has a Cloud VPN between their on-premises network and Google Cloud. They want to ensure that traffic flows symmetrically, meaning that traffic from Google Cloud to on-premises uses the same VPN tunnel as traffic from on-premises to Google Cloud. Which best practice should they implement?

A. Use dynamic routing with BGP and ensure that the AS path length is the same on both sides.
B. Implement policy-based routing that forces traffic to and from specific subnets to use the same tunnel.
C. Deploy multiple VPN tunnels and use different priorities for each.
D. Use static routes pointing to the VPN tunnel on both sides.
Answer: B

Policy-based routing can enforce symmetric flows.

Why this answer

Option B is correct because policy-based routing (PBR) allows you to explicitly define forwarding rules based on source/destination IP addresses, ensuring that traffic from Google Cloud to on-premises uses the same VPN tunnel as the reverse direction. This enforces symmetric flow, which is critical for stateful firewalls and NAT devices that expect packets to arrive on the same interface they left. Dynamic routing (BGP) or static routes alone do not guarantee symmetry unless combined with PBR or tunnel interface configurations.

Exam trap

Google Cloud often tests the misconception that dynamic routing protocols like BGP inherently provide symmetric routing, but in reality, BGP only controls the best path selection independently on each router, so without additional configuration (e.g., PBR or tunnel interface binding), traffic can easily become asymmetric.

How to eliminate wrong answers

Option A is wrong because BGP with equal AS path length does not enforce symmetric traffic flow; BGP selects the best path based on multiple attributes, and the return path is determined independently by the remote router, so asymmetry can still occur. Option C is wrong because deploying multiple VPN tunnels with different priorities (e.g., using route metrics) only controls which tunnel is preferred for outbound traffic, but the return path is decided by the remote side, which may not match the priority settings. Option D is wrong because static routes pointing to the VPN tunnel on both sides do not guarantee symmetry; if the on-premises router has multiple equal-cost paths or a different routing table, return traffic could take a different tunnel, breaking symmetry.

397
MCQ · hard

A network engineer has configured a Dedicated Interconnect with a VLAN attachment and Cloud Router. BGP sessions are up and routes are exchanged. However, traffic from a specific on-premises subnet is not reaching a VPC instance. The route table shows a custom static route with priority 1000 for that subnet pointing to a VPN tunnel, and a BGP learned route with priority 100 for the same subnet via Interconnect. What is the most likely reason for the traffic not using the Interconnect route?

A. The BGP route's next hop is not reachable due to a missing firewall rule on the on-premises side
B. Route propagation is disabled on the Cloud Router
C. VPC firewall rules are blocking traffic on the Interconnect VLAN attachment
D. The BGP route has a lower MED than the static route
Answer: A

If the on-premises next hop is unreachable, Cloud Router cannot forward traffic, causing a blackhole.

Why this answer

The BGP route with priority 100 is preferred over the static route with priority 1000. However, if the BGP route's next hop is not reachable (e.g., due to a missing firewall rule on the on-premises side blocking the necessary ICMP or BGP session traffic), the route will be considered invalid and not installed in the routing table. This causes traffic to fall back to the less preferred static route via the VPN tunnel, explaining why the Interconnect path is not used.

Exam trap

Google Cloud often tests the misconception that route priority alone determines path selection, but the trap here is that a BGP route with a lower priority value (100, i.e., more preferred) can still be invalid if its next hop is unreachable, causing the router to fall back to the static route with the higher priority value (1000, i.e., less preferred).

How to eliminate wrong answers

Option B is wrong because route propagation is enabled by default on Cloud Router when BGP sessions are up and routes are exchanged, as stated in the scenario. Option C is wrong because VPC firewall rules apply to instances, not to the Interconnect VLAN attachment itself; the attachment operates at Layer 2/3 and is not subject to VPC firewall rules. Option D is wrong because MED is a BGP attribute used for path selection among multiple paths from the same AS, but a static route (priority 1000) is always less preferred than a BGP route (priority 100) regardless of MED values.

398
Multi-Select · easy

Which TWO configurations can enable VM instances without external IPs to access the internet? (Choose TWO.)

Select 2 answers
A. Direct peering with Google
B. VPC peering with a network that has Cloud NAT
C. Private Google Access
D. Using a proxy instance with an external IP
E. Cloud NAT
Answers: B, E

Through VPC peering, VMs can use the NAT of the peered network for outbound traffic.

Why this answer

Cloud NAT (Option E) provides source network address translation for VMs in a subnet. VPC peering to a network with Cloud NAT (Option B) allows VMs to use the NAT of the peered network. Option C (Private Google Access) only provides access to Google APIs, not the full internet.

Option A (Direct Peering) is for on-premises connectivity. Option D (a proxy instance with an external IP) is possible but not a native Google Cloud service.

399
Multi-Select · hard

A Cloud VPN with dynamic routing (BGP) is established between an on-premises network and Google Cloud. The on-premises BGP router is advertising a default route (0.0.0.0/0). The Cloud Router in Google Cloud is receiving this route, but network traffic from Google Cloud VMs to the internet is not being routed through the VPN. Which THREE troubleshooting steps should you take? (Choose three.)

Select 3 answers
A. Verify that the VPC's dynamic routing mode is set to 'global' if using regional routing.
B. Check VPC firewall rules to ensure they allow egress traffic from VMs.
C. Check the route priority (preference) of the default route learned via BGP compared to the default internet gateway route.
D. Verify that the Cloud Router is configured to advertise the default route to the VPC.
E. Ensure that the on-premises router is sending the default route with a higher local preference.
Answers: A, C, D

Global routing ensures the default route is propagated to all regions.

Why this answer

Option A is correct because the VPC's dynamic routing mode determines the scope of route propagation. If the VPC uses regional dynamic routing, Cloud Router only propagates routes within the region where the VPN tunnel is attached. A global dynamic routing mode is required for the BGP-learned default route to be available across all regions, ensuring VMs in any region can use the VPN for internet egress.

Exam trap

The trap here is that candidates often assume firewall rules are the issue when traffic fails to route, but the core problem is route selection and propagation: specifically, the default internet gateway route competing with the BGP-learned route, and the Cloud Router's advertisement settings.

400
Multi-Select · medium

Which TWO are best practices for securing a VPC network? (Choose 2.)

Select 2 answers
A. Use VPC Network Peering to connect to other projects.
B. Create a VPC with default firewall rules.
C. Enable Private Google Access on all subnets.
D. Use firewall rules to restrict ingress traffic to only necessary ports and IPs.
E. Enable VPC Flow Logs to monitor traffic patterns.
Answers: D, E

This minimizes the attack surface.

Why this answer

Option D is correct because firewall rules are the primary mechanism for controlling ingress traffic in a VPC. By restricting traffic to only necessary ports and source IPs, you minimize the attack surface and enforce the principle of least privilege. This is a fundamental security best practice for network segmentation and access control.

Exam trap

Google Cloud often tests the misconception that default firewall rules are secure or that enabling features like Private Google Access or VPC Peering directly improve VPC security, when in fact they serve different purposes and can introduce risks if not configured correctly.

401
Multi-Select · hard

A company currently uses Cloud VPN with dynamic routing to connect to Google Cloud. They want to migrate to Dedicated Interconnect without downtime. Which THREE steps should they take to achieve a seamless migration? (Choose three.)

Select 3 answers
A. Order and provision the Dedicated Interconnect
B. Configure BGP on the on-premises router for the Interconnect and start advertising routes
C. Create a new VLAN attachment and attach it to the existing Cloud Router to peer with both VPN and Interconnect
D. Decrease the BGP route priority (MED) on the VPN advertisements to make VPN less preferred
E. Update on-premises firewall rules to allow traffic over the new Interconnect
Answers: A, B, C

First, you need to have the physical connection ready.

Why this answer

Option A is correct because ordering and provisioning the Dedicated Interconnect is the foundational step to establish the physical connection between the on-premises network and Google Cloud. Without this, no migration can occur. This involves working with a Google Cloud partner to ensure the cross-connect is completed and the VLAN attachments are created.

Exam trap

Google Cloud often tests the misconception that firewall rules must be updated when migrating connectivity types, but in reality, the migration is driven by BGP route preference adjustments, not firewall changes.

402
Multi-Select · hard

Which THREE of the following are requirements for VPC Network Peering?

Select 3 answers
A. The VPCs must have non-overlapping subnet IP ranges.
B. Peering supports transitive routing.
C. Routes are automatically exchanged.
D. You need IAM permissions to establish the peering.
E. The VPCs must be in the same project.
Answers: A, C, D

Overlapping IP ranges cannot be peered due to routing conflicts.

Why this answer

VPC Network Peering requires non-overlapping subnet IP ranges to prevent routing conflicts and ensure that traffic is correctly directed between the peered VPCs. Overlapping CIDR blocks would cause ambiguous routing, as the same IP address could exist in both VPCs, making it impossible for the VPC routers to determine the correct destination.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering supports transitive routing, but the correct behavior is that peering is non-transitive and each pair must be explicitly configured.

403
MCQ · hard

Refer to the exhibit. A user cannot SSH into test-vm from their workstation (public IP 203.0.113.5) using the VM's external IP 34.67.89.10. The firewall rule allow-ssh exists. What is the most likely cause?

A. The firewall rule allow-ssh is missing a source IP range or has a source IP range that does not include the user's IP
B. The firewall rule allow-ssh is for the wrong network
C. The firewall rule allow-ssh is disabled
D. The VM's external IP (34.67.89.10) is blocked by Cloud NAT
Answer: A

If the rule does not specify sourceRanges, it defaults to 0.0.0.0/0, but if it was created with an incorrect source range, traffic from 203.0.113.5 would be blocked. The exhibit does not show sourceRanges, but a common misconfiguration is to set sourceRanges to an internal range.

Why this answer

The most likely cause is that the firewall rule 'allow-ssh' is missing a source IP range or has a source IP range that does not include the user's public IP (203.0.113.5). In Google Cloud, firewall rules are stateful and by default deny all ingress traffic unless explicitly allowed; without a source IP range (or with an incorrect one), the SSH traffic from the user's workstation is dropped at the VPC firewall level, preventing access to the VM's external IP (34.67.89.10).

Exam trap

Google Cloud often tests the misconception that a firewall rule's existence alone is sufficient, but the trap here is that the source IP range must be explicitly defined or set to 0.0.0.0/0 for external access; candidates may overlook the source filter configuration and assume the rule name implies it works for all sources.

How to eliminate wrong answers

Option B is wrong because the firewall rule 'allow-ssh' is associated with the VM's network (as per the exhibit), and if it were for the wrong network, the VM would not be reachable at all, but the question states the rule exists and is likely correctly assigned. Option C is wrong because if the rule were disabled, the user would see a different error (e.g., 'connection refused' or timeout), but the question implies the rule exists and is active; disabling would be a more obvious configuration issue. Option D is wrong because Cloud NAT is used for outbound traffic from private instances to the internet, not for inbound SSH traffic to a VM's external IP; blocking by Cloud NAT would not affect ingress traffic destined to the VM's public IP.

404
Multi-Select · hard

A company is designing a VPC for a production environment that must meet the following requirements: support multiple projects, centralized network administration, and allow each project to have its own firewall rules. Which THREE components should be used?

Select 3 answers
A. Service projects
B. Host project
C. Cloud VPN
D. VPC peering
E. Shared VPC
Answers: A, B, E

Service projects consume Shared VPC networks.

Why this answer

A is correct because service projects in a Shared VPC architecture allow each project to host its own resources (e.g., Compute Engine instances) while maintaining separate firewall rules and security policies. This enables centralized network administration via the host project while giving each project autonomy over its own firewall configurations, meeting the requirement for multiple projects with independent firewall rules.

Exam trap

Google Cloud often tests the distinction between connectivity solutions (Cloud VPN, VPC peering) and network administration models (Shared VPC), leading candidates to mistakenly choose VPC peering for multi-project setups when Shared VPC is required for centralized control with per-project firewall rules.

405
MCQ · hard

An organization uses HA VPN with dynamic routing and active-active BGP sessions. One tunnel fails, but traffic continues to flow through the other tunnel. However, they notice increased latency. What is the most likely explanation?

A. BGP multipath is enabled, causing all traffic to be sent through the remaining tunnel.
B. The remaining tunnel is using a different encryption algorithm.
C. The BGP timers are misconfigured.
D. The failed tunnel's routes are still in the routing table.
Answer: A

With multipath, traffic is normally split; after failure, all traffic goes through one tunnel, potentially causing congestion.

Why this answer

When BGP multipath is enabled on an HA VPN with active-active BGP sessions, the router can load-balance traffic across multiple tunnels. If one tunnel fails, all traffic is redirected through the remaining tunnel, which can cause increased latency due to congestion or suboptimal path selection. The correct answer is A because this behavior directly explains the latency increase after a tunnel failure.

Exam trap

Google Cloud often tests the misconception that increased latency after a tunnel failure is due to routing table issues or encryption changes, when in fact it is the result of BGP multipath concentrating all traffic onto a single tunnel, causing congestion.

How to eliminate wrong answers

Option B is wrong because encryption algorithms (e.g., AES-128 vs AES-256) affect security and CPU overhead, not latency in a way that would suddenly increase after a tunnel failure; the remaining tunnel would have been using the same algorithm before the failure. Option C is wrong because misconfigured BGP timers (e.g., keepalive or hold timers) would cause session instability or flapping, not a gradual latency increase after a single tunnel failure. Option D is wrong because if the failed tunnel's routes were still in the routing table, traffic would attempt to use the failed tunnel and result in packet loss or blackholing, not increased latency; BGP withdraws routes from the failed tunnel upon session loss.

406
MCQ · hard

A company is deploying a GKE cluster with Dataplane V2 and wants to enforce micro-segmentation using network policies. They also need to monitor policy violations. What should they do?

A. Enable Packet Mirroring.
B. Use Cloud IDS to monitor traffic.
C. Use VPC firewall rules with pod IP ranges.
D. Enable GKE Dataplane V2 and use Kubernetes Network Policies with audit logging.
Answer: D

Dataplane V2 natively enforces network policies and audit logs record violations.

Why this answer

Option D is correct because Dataplane V2 uses eBPF to implement Kubernetes Network Policies directly in the kernel, providing native support for micro-segmentation. Enabling audit logging on the cluster captures denied or allowed policy actions, allowing the company to monitor policy violations without additional infrastructure.

Exam trap

The trap here is that candidates confuse VPC firewall rules (Option C) with Kubernetes Network Policies, not realizing that VPC firewalls cannot enforce pod-level segmentation because they lack pod IP awareness and are applied at the node or subnet level.

How to eliminate wrong answers

Option A is wrong because Packet Mirroring copies pod traffic for analysis but does not enforce or monitor network policy violations; it is a troubleshooting tool, not a policy enforcement or audit mechanism. Option B is wrong because Cloud IDS is an intrusion detection service that inspects traffic for threats, not a tool for monitoring Kubernetes Network Policy violations; it operates at a different layer and does not integrate with policy audit logs. Option C is wrong because VPC firewall rules operate at the node network level, not at the pod level, and cannot enforce Kubernetes Network Policies; they lack the pod identity awareness needed for micro-segmentation within a cluster.

407
MCQ · easy

An e-commerce website uses Cloud CDN to cache static content. The origin is an external HTTP load balancer. What is the benefit of enabling Cloud CDN in this scenario?

A. It eliminates the need for SSL certificates.
B. It provides DDoS protection only.
C. It increases compute instance capacity.
D. It reduces latency by serving content from edge locations.
Answer: D

Content is cached at edges closer to users, reducing round-trip time.

Why this answer

Cloud CDN caches content at Google's global edge locations, which are geographically closer to end users. By serving static content from these edge caches instead of the origin HTTP load balancer, the request latency is significantly reduced because the data travels a shorter distance over the network.

Exam trap

Google Cloud often tests the misconception that CDN replaces security features like SSL or DDoS protection, but the trap here is that candidates confuse caching benefits with infrastructure scaling or security capabilities.

How to eliminate wrong answers

Option A is wrong because Cloud CDN does not eliminate the need for SSL certificates; the origin load balancer still requires an SSL certificate to terminate HTTPS, and the CDN can use Google-managed certificates for edge termination. Option B is wrong because while Cloud CDN can absorb some volumetric attacks through caching, it is not a dedicated DDoS protection service; Google Cloud Armor is the primary DDoS protection solution. Option C is wrong because Cloud CDN does not increase compute instance capacity; it offloads requests from the origin, reducing the load on backend instances, but does not add compute resources.

408
MCQ · medium

A company has deployed a web application on Compute Engine instances in a VPC with subnet 10.1.0.0/20. The instances need to access an external API that whitelists IP addresses. The company uses Cloud NAT to provide outbound connectivity. The API integration tests are failing, and the operations team suspects that the source IP addresses seen by the API are not consistent. What is the most likely cause and solution?

A. Cloud NAT is configured with endpoint-independent mapping; change to endpoint-dependent mapping to ensure consistent source IP.
B. Cloud NAT is configured with dynamic port allocation; use static port allocation instead.
C. Cloud NAT is using a manual NAT IP address that is not assigned to the instances; assign the NAT IP to the instances as an alias IP range.
D. Cloud NAT is configured with a default rule that does not include the subnet; add a custom NAT rule that specifically includes subnet 10.1.0.0/20.
Answer: D

If the subnet is not in a NAT rule, instances may not use NAT or use different NAT IPs, causing inconsistent source IPs. Adding the subnet ensures consistent NAT IP usage.

Why this answer

Option D is correct because if Cloud NAT's default rule does not include the subnet 10.1.0.0/20, instances in that subnet will not have their outbound traffic translated through the NAT gateway, causing them to use their ephemeral public IPs (if any) or fail to reach the external API. Adding a custom NAT rule that explicitly includes the subnet ensures all outbound traffic from those instances uses the consistent NAT IP address that the API whitelist expects.

Exam trap

The trap here is that candidates assume Cloud NAT automatically applies to all subnets in the VPC, but in reality, the default rule must explicitly include the subnet, and if it is removed or not configured, traffic from that subnet will not be NATed.

How to eliminate wrong answers

Option A is wrong because endpoint-independent mapping (which preserves the same source IP and port for all sessions to a given destination) actually provides consistency; endpoint-dependent mapping would change the source IP per destination, causing inconsistency. Option B is wrong because dynamic port allocation is the default and does not affect source IP consistency; static port allocation is used for specific port forwarding rules, not for ensuring a consistent source IP. Option C is wrong because a manual NAT IP address is assigned to the Cloud NAT gateway, not to the instances; assigning it as an alias IP range to instances would bypass Cloud NAT and use the instance's own IP, defeating the purpose of NAT.

409
MCQ · hard

A company uses Cloud CDN with an external HTTP(S) load balancer. They have two origin server groups: a primary in us-central1 and a backup in europe-west1. They want traffic directed to the primary unless it is unhealthy, in which case traffic should fail over to the backup. Which configuration is required?

A. Create a Cloud CDN with two origins and enable failover in the CDN settings.
B. Use a TCP/UDP network load balancer with two target pools.
C. Configure a weighted round-robin with primary weight 100 and backup weight 0, and change weights manually.
D. Create a backend service with two backends (primary and failover) and a failover policy that marks the primary as failover when unhealthy.
Answer: D

This is the correct architecture for failover across origins.

Why this answer

Option D is correct because Cloud CDN with an external HTTP(S) load balancer uses a backend service that can contain multiple backends (e.g., instance groups or NEGs) with a failover policy. When the primary backend is marked as unhealthy by the health check, the load balancer automatically routes traffic to the failover backend. This configuration meets the requirement without manual intervention.

Exam trap

The trap here is that candidates confuse Cloud CDN's origin settings with backend service failover policies, assuming CDN itself handles failover, when in fact failover is a property of the backend service used by the external HTTP(S) load balancer.

How to eliminate wrong answers

Option A is wrong because Cloud CDN does not have a built-in failover setting for origins; failover is configured at the backend service level, not within CDN settings. Option B is wrong because a TCP/UDP network load balancer uses target pools and does not support HTTP(S) traffic or failover policies between backends in different regions. Option C is wrong because weighted round-robin requires manual weight changes to fail over, which does not provide automatic failover based on health checks.

410
MCQ · hard

A network engineer runs the gcloud command above for a Cloud NAT configured in us-central1. The VPC has 20 instances without external IPs in us-central1. They notice that only three instances have NAT mappings displayed. What could explain this?

A. Only instances with active outbound connections are shown.
B. The NAT gateway is configured only for a specific subnet.
C. Only instances with external IPs are mapped.
D. The other instances are using a different NAT gateway.
Answer: A

NAT gateway info displays only active NAT mappings; idle instances have no mapping.

Why this answer

The `gcloud compute nat-gateways list-mappings` command only displays NAT mappings for instances that currently have active outbound connections traversing the Cloud NAT gateway. Cloud NAT uses dynamic port address translation (PAT) and only creates a mapping entry when an instance sends traffic that requires source NAT. Instances without active sessions will not appear in the listing, even though they are configured to use the NAT gateway.

Exam trap

The trap here is that candidates assume the `list-mappings` command shows all instances configured to use the NAT gateway, rather than understanding it only shows instances with currently active NAT sessions.

How to eliminate wrong answers

Option B is wrong because even if the NAT gateway is configured for a specific subnet, all 20 instances in that subnet would still be eligible for NAT mappings; the command would show mappings for any instance with active connections, not just three. Option C is wrong because Cloud NAT is specifically designed for instances without external IPs; instances with external IPs do not use NAT and would not appear in NAT mappings at all. Option D is wrong because if the other 17 instances were using a different NAT gateway, the command would show zero mappings for the queried gateway, not exactly three; the question states only three instances have mappings, implying the others simply have no active connections.

411
MCQ · medium

A company needs to ensure that all traffic between GCP VMs in different regions is encrypted in transit. What is the recommended approach?

A. Use VPC peering with encryption enabled
B. By default, traffic between GCP VMs is encrypted
C. Use Cloud VPN between the two regions
D. Enable IPsec on the VPC
Answer: B

Google encrypts all inter-region traffic at the physical layer.

Why this answer

Google Cloud encrypts all traffic between VMs at the hypervisor level, regardless of region, using application-layer encryption (e.g., TLS) and network-layer encryption (e.g., IPsec) by default. This encryption is transparent, always-on, and does not require any configuration, making option B the correct answer. The encryption covers all VM-to-VM traffic within the same VPC or across VPCs, including inter-region communication.

Exam trap

The trap here is that candidates assume inter-region traffic requires explicit encryption configuration (like VPN or IPsec), but Google Cloud encrypts all VM-to-VM traffic by default, making those options unnecessary and incorrect.

How to eliminate wrong answers

Option A is wrong because VPC peering does not have an 'encryption enabled' toggle; traffic over VPC peering is already encrypted by default at the Google network layer, and there is no separate encryption setting for peering. Option C is wrong because Cloud VPN is used to connect on-premises networks or other cloud providers to GCP, not for encrypting traffic between GCP VMs in different regions, as that traffic is already encrypted by default. Option D is wrong because IPsec cannot be 'enabled on the VPC' as a whole; IPsec is a protocol used for site-to-site VPNs, and applying it to VPC-level traffic is unnecessary and not supported as a VPC-wide feature.

412
MCQ (medium)

A company has a Dedicated Interconnect connection between their on-premises data center and Google Cloud. They have two VLAN attachments (vlan-100 and vlan-200) connected to two separate Cloud Routers in the same region. Each Cloud Router has a BGP session with the on-premises router. The on-premises router advertises the same prefixes (10.0.0.0/8) over both sessions. In Google Cloud, they have workloads in two different VPCs: VPC-A and VPC-B. They want traffic to VPC-A to use vlan-100, and traffic to VPC-B to use vlan-200. Cloud Router 1 is attached to VPC-A, Cloud Router 2 is attached to VPC-B. Currently, traffic from on-premises to VPC-A sometimes goes through vlan-200, causing asymmetric routing. What configuration change should they make to ensure traffic is symmetric?

A. Set a higher MED on the on-premises router for routes advertised to vlan-200, making vlan-100 preferred for all traffic.
B. Configure static routes on the on-premises router to force traffic to VPC-A via vlan-100 and to VPC-B via vlan-200.
C. Create two separate VPCs and assign each VLAN attachment to a different VPC.
D. Use BGP community tags on the on-premises router to label routes for VPC-A and VPC-B, and configure route priority on Cloud Router to match these communities.
Answer: D

BGP communities allow granular route manipulation, ensuring traffic for each VPC uses the designated attachment.

Why this answer

Option D is correct because BGP community tags allow the on-premises router to tag routes for VPC-A and VPC-B differently. Cloud Router can then use these community tags to influence route priority (e.g., via local preference or MED matching), ensuring that traffic to VPC-A is always routed through vlan-100 and traffic to VPC-B through vlan-200, solving the asymmetric routing issue without relying on static routes or MED manipulation that would affect all traffic.

Exam trap

The trap here is that candidates often assume MED or static routes can solve asymmetric routing, but they overlook that MED affects all routes from a neighbor and static routes on-premises cannot control Google Cloud's return path selection, whereas BGP communities provide the necessary granularity to influence path selection per prefix in both directions.

How to eliminate wrong answers

Option A is wrong because setting a higher MED on the on-premises router for routes advertised to vlan-200 would make vlan-100 preferred for all prefixes, not just those destined for VPC-A; this would force all traffic through vlan-100, breaking the requirement for VPC-B traffic to use vlan-200. Option B is wrong because static routes on the on-premises router cannot override BGP-learned routes on the Google Cloud side; the asymmetric routing occurs because Google Cloud's Cloud Routers may still prefer the alternate path due to equal-cost multi-path (ECMP) or BGP best-path selection, and static routes on-premises do not control return path selection in Google Cloud. Option C is wrong because the two VLAN attachments are already connected to separate VPCs (VPC-A and VPC-B) via their respective Cloud Routers; creating two separate VPCs again would not change the routing behavior—the issue is that both Cloud Routers receive the same prefix (10.0.0.0/8) and Google Cloud may load-balance or choose the wrong path, not a VPC attachment problem.

413
MCQ (hard)

A large enterprise has two on-premises data centers (DC1 and DC2) connected to Google Cloud via two separate VPN tunnels to the same VPC. Each tunnel terminates on a different Cloud VPN gateway (gateway1 in us-east1, gateway2 in us-west1). The on-premises routers advertise the same CIDR 172.16.0.0/12 from both DCs. Cloud Router is configured with BGP and uses default route priority. You notice that after a failover event where one tunnel goes down, traffic continues to flow, but there is a significant increase in latency for traffic coming from GCP to on-premises. You verify that both tunnels have re-established. What is the most likely cause of the increased latency?

A. The on-premises routers are using site-to-site VPN between themselves causing a routing loop
B. The on-premises routers do not use AS path prepending to prefer the local DC's path for the prefix
C. The Cloud VPN tunnels are using different preshared keys
D. Bidirectional Forwarding Detection (BFD) is not enabled on the Cloud VPN tunnels
Answer: B

Without AS path prepending, GCP may choose a suboptimal path (e.g., sending DC1 traffic via DC2) if the routes have equal AS path length, causing increased latency.

Why this answer

When both on-premises routers advertise the same CIDR (172.16.0.0/12) to Google Cloud via BGP, Cloud Router selects the path with the shorter AS path length by default. Without AS path prepending on the backup DC's router, both routes have equal AS path length, causing Cloud Router to load-balance or pick a suboptimal path after failover. After the tunnel re-establishes, traffic from GCP may still be routed to the remote DC (e.g., DC2) instead of the local DC (DC1), resulting in higher latency due to cross-country or inter-DC transit.

Exam trap

Google Cloud often tests the misconception that increased latency after failover is due to a routing loop or BFD misconfiguration, when the real issue is the lack of AS path prepending to influence BGP path selection for the same prefix advertised from multiple locations.

How to eliminate wrong answers

Option A is wrong because site-to-site VPN between on-premises routers would not cause a routing loop in this scenario; the increased latency is due to suboptimal path selection, not a loop. Option C is wrong because different preshared keys would prevent the VPN tunnels from establishing at all, not cause increased latency after re-establishment. Option D is wrong because BFD is used for fast failure detection, not for influencing path selection or latency after tunnels are up; its absence would delay failover detection, not increase latency post-failover.

414
MCQ (easy)

A company has a single VPC with subnets in us-central1 and europe-west1. They have Compute Engine instances in both subnets that need to communicate with each other. The security team wants to ensure that only specific instances in us-central1 can connect to a database instance in europe-west1 on port 3306. Currently, the default firewall rules allow all internal traffic (priority 65535). The network engineer first creates a new ingress firewall rule to allow TCP traffic on port 3306 from instances with the network tag 'app' to instances with the tag 'db', with priority 1000. Then, to enforce the restriction, they delete the default allow internal rule (priority 65535). However, after applying the changes, the app instances (tagged 'app') in us-central1 cannot connect to the database instance (tagged 'db') in europe-west1. The engineer verifies that the tags are correctly applied to the instances. What is the most likely cause of the connectivity failure?

A. The firewall rule only allows ingress from instances with tag 'app' but the egress traffic from app instances is blocked.
B. The app instances need a firewall rule to allow egress traffic to the database on port 3306.
C. The firewall rule is applied to the wrong VPC network.
D. The database instance's network tag 'db' was not applied to the database instance.
Answer: B

With the default allow internal rule removed, egress must be explicitly allowed.

Why this answer

B is correct because in Google Cloud VPC, firewall rules are stateful for ingress but not for egress. The ingress rule allowing traffic from 'app' to 'db' on port 3306 only controls incoming packets to the database instance. The app instance still needs an egress firewall rule to allow outbound traffic on port 3306, otherwise the outbound SYN packet is dropped before it reaches the database.

Deleting the default allow internal rule (priority 65535) removed the implicit egress permission, so a specific egress rule is required.

Exam trap

Google Cloud often tests the misconception that an ingress rule alone is sufficient for bidirectional communication, but in Google Cloud VPC, egress rules are required for outbound traffic initiation unless a default allow egress rule exists.

How to eliminate wrong answers

Option A is wrong because the ingress rule is correctly defined to allow traffic from 'app' to 'db' on port 3306; the issue is not that ingress is blocked but that egress from the app instance is missing. Option C is wrong because the question states there is a single VPC, and the rule is applied to that same VPC; there is no indication of a wrong VPC selection. Option D is wrong because the engineer verified that the tags are correctly applied, so the database instance does have the 'db' tag; the failure is not due to missing tags.

415
Matching (medium)

Match each Cloud Load Balancing type to its description.

Global, proxy-based, for HTTP/S traffic from internet

Regional, pass-through, for traffic within VPC

Regional, proxy-based, for non-HTTP/S internet traffic

Regional, proxy-based, for internal HTTP/S traffic

Global, terminates SSL, for non-HTTPS SSL traffic

Why these pairings

Google Cloud offers various load balancers for different use cases.

416
Multi-Select (medium)

A company is using Cloud Interconnect with multiple VLAN attachments. They want to implement traffic shaping to prioritize real-time traffic over bulk transfers. Which THREE actions should they take?

Select 3 answers
A. Set up Cloud Router with BGP QoS policies to match DSCP values
B. Enable Cloud NAT to handle traffic shaping
C. Create VPC firewall rules to classify traffic based on source/destination
D. Configure DSCP markings on the on-premises routers for different traffic types
E. Use VPC flow logs to identify heavy traffic flows
Answers: A, C, D

Cloud Router can apply QoS based on DSCP.

Why this answer

Option A is correct because Cloud Router with BGP QoS policies can match DSCP values to prioritize traffic. By configuring BGP QoS policies, you can map specific DSCP values to different traffic classes, allowing Cloud Interconnect to apply traffic shaping that prioritizes real-time traffic (e.g., VoIP) over bulk transfers. This leverages BGP community attributes to signal QoS requirements across the hybrid connection.

Exam trap

The trap here is that candidates confuse monitoring tools (VPC flow logs) or unrelated services (Cloud NAT) with traffic shaping mechanisms, overlooking that DSCP marking and BGP QoS policies are the correct approach for prioritizing traffic on Cloud Interconnect.

417
MCQ (easy)

A company needs private connectivity between its on-premises data center and Google Cloud with consistent low latency and high throughput. The on-premises location is close to a Google Cloud point of presence that supports Dedicated Interconnect. The company expects to use more than 10 Gbps of bandwidth in the near future. Which connectivity solution should they choose?

A. Dedicated Interconnect
B. Partner Interconnect
C. HA VPN with dynamic routing
D. Cloud VPN with static routing
Answer: A

Dedicated Interconnect provides a direct, private connection with low latency and high bandwidth (10/100 Gbps) suitable for growing needs.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between the on-premises data center and Google Cloud, offering consistent low latency and high throughput. Since the on-premises location is near a Google Cloud point of presence that supports Dedicated Interconnect and the bandwidth requirement exceeds 10 Gbps (Dedicated Interconnect supports up to 10 Gbps per circuit, with multiple circuits for higher aggregate bandwidth), this is the optimal solution.

Exam trap

Google Cloud often tests the misconception that Partner Interconnect is equivalent to Dedicated Interconnect for high-bandwidth needs, but the key trap is that Partner Interconnect introduces a third-party provider's network, which cannot guarantee the same consistent low latency and throughput as a direct physical connection.

How to eliminate wrong answers

Option B is wrong because Partner Interconnect relies on a third-party service provider's network, which introduces additional latency and potential throughput variability, and typically supports lower bandwidths (up to 10 Gbps per VLAN attachment) compared to Dedicated Interconnect's direct physical links. Option C is wrong because HA VPN with dynamic routing uses the public internet or a third-party network, cannot guarantee consistent low latency or high throughput, and is limited to bandwidths far below 10 Gbps (typically up to 3 Gbps per tunnel). Option D is wrong because Cloud VPN with static routing also uses the public internet, lacks the performance guarantees needed for >10 Gbps, and static routing does not provide the redundancy or dynamic failover required for enterprise-grade hybrid connectivity.

418
Multi-Select (medium)

A company has a VPC with a subnet in us-central1 and needs to allow HTTP traffic (port 80) from the internet to a VM instance. Which TWO configurations are required?

Select 2 answers
A. Configure Cloud NAT for the VPC.
B. Assign an external IP address to the VM.
C. Enable Private Google Access on the subnet.
D. Assign a static internal IP address to the VM.
E. Create a firewall rule to allow ingress on TCP port 80 from 0.0.0.0/0.
Answers: B, E

An external IP allows the VM to be reachable from the internet.

Why this answer

Option B is correct because a VM must have an external (public) IP address assigned to be directly reachable from the internet. Without an external IP, the VM cannot receive inbound traffic initiated from outside the VPC, even with proper firewall rules. This is a fundamental requirement for internet-facing workloads in Google Cloud.

Exam trap

Google Cloud often tests the misconception that Cloud NAT or Private Google Access can substitute for an external IP when allowing inbound internet traffic, but these services only support outbound or API-specific connectivity, not inbound internet access.

419
Multi-Select (medium)

Which TWO considerations are important when designing a VPC peering strategy between multiple projects in Google Cloud?

Select 2 answers
A. Peering is transitive by default
B. Subnet IP ranges in peered VPCs must not overlap
C. Firewall rules in one VPC automatically apply to peered VPCs
D. VPC peering can only be used within the same project
E. Custom routes can be exchanged between peered VPCs if configured
Answers: B, E

Overlapping ranges cause routing issues.

Why this answer

Option B is correct because VPC peering requires that subnet IP ranges in peered VPCs do not overlap. This is a fundamental constraint of VPC peering in Google Cloud: if two VPCs have overlapping CIDR blocks, routes cannot be exchanged unambiguously, and the peering connection will fail to establish or will cause routing conflicts. Overlapping ranges would break the ability to route traffic correctly between the VPCs, as there would be no way to determine which subnet a packet should be delivered to.

Exam trap

Google Cloud often tests the misconception that VPC peering is transitive by default, leading candidates to incorrectly select Option A, when in fact transitivity must be explicitly engineered.

420
Multi-Select (medium)

A company has a VPC with firewall rules. They want to ensure that only traffic from known IP ranges can access their web server instances. Which two firewall rule configurations are appropriate? (Choose two.)

Select 2 answers
A. Ingress rule with source IP range of the company's public IPs and allow tcp:443
B. Ingress rule with source IP range 0.0.0.0/0 and allow tcp:80
C. Ingress rule with source IP range of the company's public IPs and allow tcp:80
D. Ingress rule with source tag 'web' and allow tcp:80
E. Ingress rule with destination IP range 0.0.0.0/0 and allow tcp:80
Answers: A, C

Restricts HTTPS traffic to company IPs.

Why this answer

Options A and C are correct because ingress rules with source IP ranges from known company IPs on the required ports (HTTPS/HTTP) restrict access appropriately. Option B is incorrect because it allows all traffic (source 0.0.0.0/0). Option D is incorrect because a source tag is not used to identify source IPs; tags are for target instances.

Option E is incorrect because it uses a destination IP range, which is not the correct way to restrict incoming traffic.

421
MCQ (medium)

An engineer is configuring Dedicated Interconnect between an on-premises data center and Google Cloud. Cloud Router is set up with BGP sessions. The BGP session remains in Idle state. Which of the following is the most likely cause?

A. The Cloud Router's BGP IP address is not in the same subnet as the on-premises router's interface.
B. The on-premises router is not advertising the Google Cloud VPC subnet routes.
C. The interconnect is not configured with redundant links.
D. The VLAN attachment is not in the same region as the Cloud Router.
Answer: A

IP mismatch is a common cause of BGP Idle state.

Why this answer

The BGP session remains in Idle state because the Cloud Router's BGP IP address is not in the same subnet as the on-premises router's interface. For BGP peering over Dedicated Interconnect, the two routers must be directly connected at Layer 3, meaning their BGP peer IP addresses must belong to the same /30 or /31 subnet. If they are in different subnets, the TCP connection for BGP cannot be established, keeping the session in Idle state.

Exam trap

The trap here is that candidates often confuse BGP session states with route advertisement issues, assuming missing routes cause Idle state, when in fact Idle state is a Layer 3 connectivity problem, not a routing policy problem.

How to eliminate wrong answers

Option B is wrong because the on-premises router not advertising the Google Cloud VPC subnet routes would not cause the BGP session to remain in Idle state; it would instead cause routes to be missing from the routing table after the session is established. Option C is wrong because redundant links are not required for a single BGP session to transition out of Idle state; redundancy affects high availability, not the initial BGP peering process. Option D is wrong because the VLAN attachment must be in the same region as the Cloud Router for the interconnect to function, but if it were not, the BGP session would not even be configured or would fail at a lower layer, not specifically remain in Idle state.

422
MCQ (hard)

A company has a VPC with subnets in us-central1 and europe-west1. They create a Private Service Connect endpoint for a managed service in us-central1. Can Compute Engine instances in europe-west1 access the endpoint?

A. Yes, if they use a global load balancer in front of the endpoint.
B. No, unless the VPC is peered with another VPC that contains the endpoint.
C. Yes, because the endpoint is accessible from any region in the VPC.
D. No, because the endpoint is only accessible from the same region.
Answer: D

Private Service Connect endpoints are regional; instances must be in the same region to access the endpoint.

Why this answer

Private Service Connect (PSC) endpoints are regional resources. An endpoint created in us-central1 is only accessible from Compute Engine instances within the same region (us-central1) of the VPC. Instances in europe-west1 cannot directly reach the endpoint because traffic would need to cross regional boundaries, which PSC does not support for producer endpoints.

Option D correctly identifies this regional restriction.

Exam trap

The trap here is that candidates assume a VPC is a global construct and therefore any resource within it is globally accessible, but the exam tests the specific regional nature of Private Service Connect endpoints, which are not globally routable within the VPC without additional configuration.

How to eliminate wrong answers

Option A is wrong because a global load balancer does not extend the regional scope of a PSC endpoint; the endpoint itself remains regional, and the load balancer would still need to forward traffic to the endpoint in us-central1, which does not change the regional access limitation. Option B is wrong because VPC peering does not enable cross-region access to a PSC endpoint; the endpoint is tied to the region where it is created, and peering does not override that regional constraint. Option C is wrong because PSC endpoints are not globally accessible within a VPC; they are regional resources, and instances in other regions cannot reach them directly without additional constructs like inter-region VPC peering or VPN, which still do not make the endpoint itself global.

423
Multi-Select (hard)

A company has a Hybrid Connectivity setup using Cloud VPN with BGP. They want to migrate to Dedicated Interconnect for better performance. During the migration, they need to avoid downtime. Which THREE steps should they take?

Select 3 answers
A. Set a lower local preference on the Interconnect BGP session
B. Remove the VPN tunnels immediately after Interconnect is up
C. Provision the Dedicated Interconnect and VLAN attachments
D. Configure BGP on the Interconnect with a higher local preference than the VPN
E. Gradually withdraw VPN routes after verifying Interconnect traffic
Answers: C, D, E

Must have the Interconnect physical path ready.

Why this answer

Option C is correct because provisioning the Dedicated Interconnect and VLAN attachments is the foundational step to establish the new high-performance connection. Without this, there is no physical or logical path to migrate traffic onto. This must be done before any BGP configuration or route manipulation can occur.

Exam trap

Google Cloud often tests the misconception that you should immediately remove the old connection (VPN tunnels) once the new one (Interconnect) is up, but the correct approach is to gracefully shift traffic using BGP attributes and then decommission the old path only after verification.

424
MCQ (easy)

A company wants to forward DNS queries from their on-premises network to Google Cloud for resolution of private zone names. Which configuration is required?

A. DNS peering
B. DNS inbound server policy
C. DNS forwarding zone
D. Managed private zone
Answer: B

DNS inbound server policy allows on-premises resolvers to forward queries to Cloud DNS over VPN/Interconnect.

Why this answer

Option B is correct because a DNS inbound server policy allows an on-premises DNS resolver to forward queries to Google Cloud, enabling resolution of private zone names. This policy creates a forwarding path from on-premises to Cloud DNS using a specific inbound endpoint, which is required for hybrid cloud DNS resolution.

Exam trap

The trap here is that candidates confuse the direction of DNS forwarding—assuming a forwarding zone (which sends queries from Cloud to on-premises) is the same as an inbound policy (which receives queries from on-premises)—and overlook that the question specifies forwarding from on-premises to Google Cloud.

How to eliminate wrong answers

Option A is wrong because DNS peering is used to enable resolution between two Google Cloud VPC networks, not for forwarding queries from an on-premises network. Option C is wrong because a DNS forwarding zone is a Cloud DNS configuration that forwards queries from Google Cloud to an on-premises resolver, not the reverse direction required here. Option D is wrong because a managed private zone only hosts DNS records within Google Cloud and does not provide any mechanism to receive or forward queries from external networks.

425
MCQ (hard)

An organization uses Shared VPC with multiple service projects. They want to ensure that only certain service projects can use a specific subnet. How can this be achieved?

A. Use VPC subnet secondary IP ranges.
B. Use IAM roles on the subnet to grant access to specific service projects.
C. Use VPC Network Tags on the VM instances.
D. Use VPC firewall rules with service accounts to restrict access.
Answer: B

Subnet-level IAM allows fine-grained access control to service projects.

Why this answer

Option B is correct because Shared VPC subnet-level IAM allows granting access to specific service projects. Option D is wrong because firewall rules with service accounts control traffic, not subnet access. Option C is wrong because network tags are used for firewall rules, not subnet permissions.

Option A is wrong because secondary IP ranges do not control project access.

426
MCQ (hard)

A company uses VPC Flow Logs for traffic analysis. They notice that logs are missing for a specific Compute Engine instance that handles high traffic. The subnet has Flow Logs enabled. What is the most likely reason?

A. The instance is using Private Google Access.
B. Flow Logs are sampled and may drop high-throughput traffic.
C. The instance's network interface has an external IP.
D. The instance is in a different region from the log sink.
Answer: B

Flow Logs sample traffic, and at high throughput, sampling rate may be reduced or logs dropped.

Why this answer

VPC Flow Logs use sampling; high throughput can lead to sampling reduction or dropped logs.

427
Multi-Select (medium)

Which THREE components are required to set up Identity-Aware Proxy (IAP) for TCP forwarding to a VM?

Select 3 answers
A. A firewall rule that allows ingress from 35.235.240.0/20 to the VM on the desired port.
B. The user or group must have the IAP-secured Tunnel User role on the project.
C. The VM must have an external IP address.
D. IAP API enabled in the project.
E. A NAT gateway configured for the VPC.
Answers: A, B, D

This IP range is used by IAP.

Why this answer

Option A is correct because IAP TCP forwarding requires that the VM allows ingress traffic from the IAP health-check and forwarding source IP range (35.235.240.0/20) on the desired TCP port. Without this firewall rule, the IAP proxy cannot establish a connection to the VM, even if the user is authenticated and authorized.

Exam trap

Google Cloud often tests the misconception that a VM must have a public IP to be accessed remotely, but IAP TCP forwarding specifically eliminates that requirement by tunneling through the internal network.

428
MCQ (hard)

A financial services company is deploying a new payment processing application in Google Cloud. The architecture consists of: a VPC named 'payment-vpc' with subnet 'payment-subnet' (10.1.0.0/16), a managed instance group (MIG) of backend servers in payment-subnet, an internal TCP load balancer (ILB) with IP 10.1.0.10 distributing traffic to the MIG, and a Cloud NAT for outbound internet access. The application must communicate with an external payment gateway over TLS. The security policy requires that all outbound traffic from the backend servers to the internet must egress through a single, centralized Cloud NAT instance to allow traffic inspection. To meet this requirement, the network team has configured: a Cloud Router, a Cloud NAT gateway named 'payment-nat' in payment-vpc, and a default route (0.0.0.0/0, next hop: default internet gateway) in payment-vpc. They have also configured VPC firewall rules to allow outbound HTTPS traffic. During testing, the backend servers cannot connect to the external payment gateway. The team has verified that the Cloud NAT is properly configured and that the VPC firewall rules allow egress traffic. What is the most likely cause of the connectivity failure?

A. The VPC firewall rules are blocking outbound HTTPS traffic from the backend servers.
B. The default route (0.0.0.0/0) with next hop 'default internet gateway' preempts the Cloud NAT route.
C. The Cloud NAT gateway is not in the same region as the backend servers.
D. The Cloud Router's BGP ASN is not properly configured.
Answer: B

The default route sends traffic directly to the internet, bypassing Cloud NAT. Cloud NAT requires that the default route have a higher priority (lower number) than the automatically created route for Cloud NAT, or the default route must be removed.

Why this answer

The default route (0.0.0.0/0) with next hop 'default internet gateway' directs all outbound internet traffic directly to the internet gateway, bypassing the Cloud NAT gateway. Cloud NAT only applies when the next hop for 0.0.0.0/0 is the Cloud Router (or when no default route to the internet gateway exists), because NAT is performed on packets that are routed through the Cloud Router. Since the default route with next hop 'default internet gateway' has a higher priority (lower numeric value) than any dynamically learned route, it preempts the Cloud NAT path, causing outbound traffic to egress without NAT and thus fail to reach the external payment gateway if the backend servers have only private IPs.

Exam trap

Google Cloud often tests the misconception that Cloud NAT automatically intercepts all outbound traffic regardless of routing, when in fact the default route's next hop must point to the Cloud Router for NAT to apply.

How to eliminate wrong answers

Option A is wrong because the team has verified that VPC firewall rules allow outbound HTTPS traffic, so firewall rules are not blocking the connection. Option C is wrong because Cloud NAT is a regional resource that can be configured to serve all zones within a region; the backend servers in payment-subnet are in the same region as the Cloud NAT, and the subnet is within that region, so region mismatch is not the issue. Option D is wrong because the Cloud Router's BGP ASN configuration is irrelevant for Cloud NAT; Cloud NAT does not use BGP for its operation—it relies on the Cloud Router only to hold the NAT configuration and to enable dynamic routing, but the ASN does not affect NAT functionality.

429
Multi-Select (medium)

Which TWO of the following are required steps to set up a Dedicated Interconnect?

Select 2 answers
A. Create an interconnect (physical connection) in the colocation facility
B. Establish a VPN tunnel as a backup
C. Create a Cloud Router and VLAN attachment
D. Deploy a Google-provided router in the colocation facility
E. Configure MD5 authentication on the BGP session
Answers: A, C

The physical cross-connect is necessary.

Why this answer

Creating an interconnect (physical connection) in the colocation facility is a required step because Dedicated Interconnect requires a direct, physical cross-connect between your on-premises router and a Google Cloud edge router at a colocation facility. This physical link is the foundation of the dedicated, high-bandwidth connection, and without it, no Layer 2 or Layer 3 connectivity can be established.

Exam trap

Google Cloud often tests the misconception that you must deploy a Google-provided router in the colocation facility, but in reality, you use your own router and Google provides only the edge router in their network.

430
MCQ (hard)

A company runs a Kubernetes cluster on GKE with a VPC-native cluster (alias IP ranges). They have pods that need to communicate with on-premises services via a Cloud VPN tunnel. Which networking configuration is required to enable pod-to-on-premises communication?

A. Enable VPC Flow Logs for the subnets to allow traffic to be routed.
B. Advertise the pod IP ranges over the Cloud Router BGP session to the on-premises router.
C. Configure a firewall rule allowing traffic from pod CIDR to on-premises subnets.
D. Create a VPC peering connection between the VPC and the on-premises network.
Answer: B

BGP advertising ensures on-premises knows how to route back to pods.

Why this answer

Option B is correct because VPC-native clusters assign alias IP ranges to pods directly from the VPC subnet's secondary CIDR ranges. To enable on-premises routing to these pods, the pod IP ranges must be advertised over the Cloud Router BGP session to the on-premises router. This ensures the on-premises network learns the routes to the pod CIDRs and can forward traffic back through the Cloud VPN tunnel.

Exam trap

The trap here is that candidates often confuse firewall rules with routing, assuming that allowing traffic in a firewall rule is sufficient for connectivity, when in fact the on-premises router must have a route to the pod CIDRs via BGP advertisement for bidirectional communication.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs only capture metadata about network flows for monitoring and troubleshooting; they do not influence routing or enable traffic to be forwarded. Option C is wrong because firewall rules control which traffic is allowed or denied, but they do not create routes; without route advertisement, the on-premises router has no path to the pod CIDRs. Option D is wrong because VPC peering is used for connectivity between two VPC networks within Google Cloud, not for connecting a VPC to an on-premises network; on-premises connectivity requires Cloud VPN or Dedicated Interconnect with Cloud Router BGP sessions.

431
MCQ (medium)

A company is deploying an internal HTTP application on Compute Engine instances. The application must be load-balanced across multiple instances in different regions, but only accessible from within the same VPC. Which load balancer type meets these requirements?

A. Internal HTTP(S) Load Balancer
B. External TCP/UDP Load Balancer
C. External HTTP(S) Load Balancer
D. Internal TCP/UDP Load Balancer
Answer: A

Internal HTTP(S) LB can be configured with backends in multiple regions and is internal to the VPC.

Why this answer

An Internal HTTP(S) Load Balancer is a regional, internal-only load balancer that distributes HTTP/HTTPS traffic among Compute Engine instances within the same VPC network. It uses an internal IP address and is not accessible from outside the VPC, meeting the requirement for internal-only access while providing cross-region load balancing via a multi-region backend service.

Exam trap

Google Cloud often tests the misconception that any 'internal' load balancer can handle HTTP traffic, but the Internal TCP/UDP Load Balancer (option D) operates at layer 4 and cannot inspect or route HTTP application-layer data, making it unsuitable for an HTTP application.

How to eliminate wrong answers

Option B is wrong because an External TCP/UDP Load Balancer is designed for traffic originating from the internet, using external IP addresses, and does not support internal-only VPC access. Option C is wrong because an External HTTP(S) Load Balancer also uses external IP addresses and is intended for internet-facing applications, not for traffic confined to a VPC. Option D is wrong because an Internal TCP/UDP Load Balancer handles non-HTTP traffic (TCP/UDP) and cannot perform HTTP-level content-based routing or terminate TLS, which is required for an HTTP application.

432
MCQ (hard)

A company is designing a hybrid connectivity solution between an on-premises data center and Google Cloud. They have a high bandwidth requirement of 20 Gbps and need a service level agreement (SLA) of 99.99% availability. Which connectivity option should they choose?

A. Cloud VPN with two tunnels each using 1 Gbps
B. Dedicated Interconnect with two 10 Gbps connections
C. Direct Peering
D. Partner Interconnect with two 10 Gbps connections
Answer: B

Dedicated Interconnect provides 99.99% SLA with redundant connections.

Why this answer

Dedicated Interconnect provides direct, private connections between your on-premises network and Google Cloud, supporting up to 10 Gbps per circuit. By using two 10 Gbps connections in an active-active or active-passive configuration, you can achieve the required 20 Gbps aggregate bandwidth and meet the 99.99% SLA, as Google guarantees this SLA when you have at least two redundant connections.

Exam trap

The trap here is that candidates often confuse Partner Interconnect with Dedicated Interconnect, assuming that two 10 Gbps connections from a partner automatically provide a 99.99% SLA from Google, but only Dedicated Interconnect offers a Google-backed SLA when using redundant connections.

How to eliminate wrong answers

Option A is wrong because Cloud VPN is limited to a maximum of 3 Gbps per tunnel (using IPsec over the public internet) and cannot provide a 99.99% SLA, as it relies on best-effort internet connectivity. Option C is wrong because Direct Peering is an exchange of traffic at an internet exchange point, does not offer an SLA, and is limited to a maximum of 10 Gbps per session, with no guarantee of bandwidth or availability. Option D is wrong because Partner Interconnect, while offering up to 10 Gbps per connection via a service provider, does not provide a 99.99% SLA from Google; the SLA is only offered by the partner, and the aggregate bandwidth of 20 Gbps would require two 10 Gbps connections, but the SLA requirement is not met by Google's commitment.

433
MCQ (easy)

A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They have deployed Compute Engine instances that need to communicate with an on-premises database via a Cloud VPN tunnel using BGP. The on-premises network advertises the database subnet 192.168.0.0/16. The instances can reach the database for a few minutes after reboot, but then connectivity drops. The Cloud VPN logs show no errors. The BGP session remains established. What is the most likely issue?

A. The on-premises firewall has an idle timeout that kills the TCP session.
B. The GCP route to the on-premises database is being preempted by a more specific route.
C. The VPN tunnel's IKE session expires.
D. The BGP session is flapping.
Answer: A

After a period of inactivity, the firewall drops the session; reboot resets it.

Why this answer

The on-premises firewall is likely configured with an idle timeout that terminates TCP sessions when no traffic is exchanged for a certain period. After the instances reboot, they initiate new connections that work briefly, but once the session becomes idle (e.g., no keepalives or application traffic), the firewall drops the stateful session, causing connectivity loss. The Cloud VPN and BGP session remain up, indicating the issue is at the application or firewall layer, not the tunnel or routing.

Exam trap

The trap here is that candidates often focus on routing or VPN tunnel issues (B, C, D) because the problem involves BGP and Cloud VPN, but the key clue is that connectivity drops after a few minutes while the tunnel and BGP remain healthy, pointing to a session timeout at the firewall layer rather than a network-layer failure.

How to eliminate wrong answers

Option B is wrong because GCP routes are not preempted by more specific routes in this scenario; the on-premises database subnet 192.168.0.0/16 is advertised via BGP and would be installed as a dynamic route, and no other conflicting route is mentioned. Option C is wrong because the IKE session expiring would cause the VPN tunnel to drop, but the Cloud VPN logs show no errors and the BGP session remains established, indicating the tunnel is stable. Option D is wrong because the BGP session is not flapping; the question explicitly states the BGP session remains established, so routing updates are not disrupted.

434
MCQ (easy)

A company has a Cloud VPN tunnel to on-premises. They want on-premises clients to resolve private DNS names in the VPC. Which service should they configure?

A. Inbound DNS policy
B. Outbound DNS policy
C. Cloud NAT
D. Private Google Access
Answer: A

An inbound DNS policy allows on-premises DNS servers to forward queries to Cloud DNS.

Why this answer

Option A is correct: an inbound DNS policy forwards DNS queries from on-premises DNS servers to Cloud DNS, enabling resolution of private zone names. Cloud NAT (C) is for outbound internet access; Private Google Access (D) only gives VMs access to Google APIs; an outbound DNS policy (B) is for VMs to forward queries to on-premises.

435
MCQ (hard)

A Dedicated Interconnect VLAN attachment is in ACTIVE state. The Cloud Router has learned routes from on-premises, and the on-premises router has learned routes from GCP. However, traffic from on-premises to a GCP VM fails. What should the engineer check first?

A. Check firewall rules on the GCP VPC for ingress from the on-premises range.
B. Confirm that the Cloud Router is advertising the on-premises subnets back to the VPC.
C. Verify that the VPC subnet routes exist in the routing table.
D. Both A and C.
Answer: D

Both firewall rules and VPC subnet routes must be verified.

Why this answer

The correct answer is D because both firewall rules and VPC subnet routes must be in place for traffic to reach a GCP VM. Even if the VLAN attachment is ACTIVE and routes are exchanged, the VPC firewall must permit ingress from the on-premises range, and the VPC subnet routes must exist in the routing table for the VM's subnet. Without both, traffic will be dropped or not forwarded.

Exam trap

Google Cloud often tests the misconception that route exchange alone guarantees connectivity, but in GCP, both firewall rules and subnet routes are mandatory for traffic to reach a VM, even when the interconnect is ACTIVE and BGP sessions are established.

How to eliminate wrong answers

Option A is wrong because checking only firewall rules is insufficient; the VPC subnet routes must also exist for the traffic to be routed to the VM. Option B is wrong because the Cloud Router advertising on-premises subnets back to the VPC is not required for traffic from on-premises to GCP; the on-premises router already learned GCP routes, and the Cloud Router's job is to advertise GCP routes to on-premises, not the reverse. Option C is wrong because verifying only subnet routes ignores the firewall rules that control ingress traffic; both are necessary.

436
Multi-Select (medium)

Which TWO statements about HA VPN are correct?

Select 2 answers
A. Both VPN gateways must be in the same region.
B. It uses IKEv1 by default.
C. It supports both active-active and active-passive modes.
D. It supports static routing as well as dynamic routing.
E. It requires two Cloud VPN gateways.
Answers: C, E

HA VPN can be configured in either mode depending on redundancy needs.

Why this answer

Option C is correct because HA VPN supports both active-active and active-passive modes. In active-active mode, both tunnels forward traffic simultaneously, while in active-passive mode, one tunnel is used as a standby. This flexibility allows HA VPN to meet different high-availability and load-balancing requirements.

Exam trap

Google Cloud often tests the misconception that HA VPN requires both gateways in the same region or that it supports static routing, but the correct understanding is that HA VPN uses dynamic routing (BGP) and allows gateways in different regions.

437
MCQ (medium)

An engineer is troubleshooting connectivity between an on-premises network and a GCP VPC over a Cloud VPN tunnel with dynamic routing (BGP). The tunnel is established and BGP session is up, but on-premises hosts cannot reach instances in the VPC. What should the engineer check first?

A. The advertised route from the on-premises router is a default route.
B. The MTU size of the VPN tunnel.
C. The Cloud VPN gateway is assigned an external IP address.
D. The firewall rules in the VPC allowing incoming traffic from the on-premises CIDR.
Answer: D

Firewall rules control inbound traffic; without an allow rule, traffic is denied.

Why this answer

Option D is correct because even with BGP routes, the VPC firewall rules must permit incoming traffic from the on-premises CIDR. If no appropriate ingress rule exists, traffic will be blocked. Option B is incorrect because an MTU problem might cause packet loss but not complete failure.

Option A is incorrect because advertised routes from the on-premises router are being learned (BGP is up). Option C is incorrect because the VPN gateway's external IP is necessary for the tunnel but is not the immediate cause of the connectivity failure.

438
MCQ (hard)

An engineer runs 'gcloud compute networks peerings list' and sees state 'INACTIVE' for a peering connection. Which is the most likely cause?

A. The subnet CIDR ranges overlap.
B. The IAM permissions for the peer are insufficient.
C. The dynamic routing mode differs.
D. The firewall rules are missing.
Answer: A

Overlapping subnets result in an INACTIVE peering state.

Why this answer

Overlapping subnet CIDRs cause the peering to be INACTIVE.

439
Multi-Select (medium)

Which THREE components are required when configuring an internal TCP/UDP load balancer? (Choose THREE.)

Select 3 answers
A. Health check
B. Backend service
C. External IP address
D. SSL certificate
E. Forwarding rule
Answers: A, B, E

Health checks determine which backends receive traffic.

Why this answer

An internal load balancer requires a backend service (Option B) to define the instance group and port mapping, a health check (Option A) to monitor backend health, and a forwarding rule (Option E) to assign the internal VIP. Option C is incorrect because internal LBs use internal IP addresses. Option D is incorrect because an SSL certificate is only needed for HTTPS external LBs.

440
Multi-Select (medium)

Which THREE factors can affect the throughput of a Cloud VPN tunnel? (Choose three.)

Select 3 answers
A. VM instance types
B. Number of tunnels
C. Tunnel type (route-based vs policy-based)
D. Encryption algorithm
E. On-premises router CPU capacity
Answers: C, D, E

Different tunnel types have different overheads.

Why this answer

Tunnel type (route-based vs policy-based) affects throughput because route-based tunnels (e.g., using BGP or static routes) can leverage ECMP and do not require per-flow policy lookups, reducing CPU overhead. Policy-based tunnels require the VPN gateway to evaluate each packet against a security policy, which adds latency and can limit throughput, especially under high traffic loads.

Exam trap

Google Cloud often tests the misconception that VM instance types or the number of tunnels directly control VPN throughput, when in reality the tunnel type, encryption algorithm, and on-premises router CPU are the primary factors that limit or enhance throughput.

441
Multi-Select (easy)

Which TWO network services can be used to provide secure connectivity between a VPC and an on-premises data center without traversing the public internet? (Choose two.)

Select 2 answers
A. Cloud VPN with IPsec
B. Cloud NAT
C. Dedicated Interconnect
D. VPC Network Peering
E. Partner Interconnect
Answers: C, E

Interconnect provides direct private connection.

Why this answer

Dedicated Interconnect (C) provides a direct, private physical connection between your on-premises network and Google's VPC, bypassing the public internet entirely. This ensures low latency, high bandwidth, and consistent network performance for secure hybrid cloud connectivity.

Exam trap

Google Cloud often tests the distinction between 'secure connectivity' and 'private connectivity' — candidates mistakenly choose Cloud VPN (IPsec) because it is encrypted, but the question explicitly requires no traversal of the public internet, which only Dedicated or Partner Interconnect can guarantee.

442
MCQ (medium)

A network engineer notices unexpected traffic being allowed through a VPC firewall rule. They want to analyze the logs to identify the source and destination. What is the best way to enable detailed logging for firewall rules?

A. Enable firewall rule logging on the specific rule and view logs in Cloud Logging.
B. Enable VPC Flow Logs for the subnet.
C. Create a custom router with a log export.
D. Use Packet Mirroring to capture all traffic.
Answer: A

Firewall rule logging logs each packet that matches the rule.

Why this answer

Firewall rule logging in VPC is designed specifically to log metadata (source IP, destination IP, action, etc.) for each packet matched by a firewall rule. Enabling it on the specific rule and viewing logs in Cloud Logging provides the granular, per-rule detail needed to identify the source and destination of unexpected traffic. This is the direct and intended method for firewall rule analysis.

Exam trap

Google Cloud often tests the distinction between VPC Flow Logs (subnet-level flow metadata) and firewall rule logging (per-rule, per-packet decision logs), and the trap here is that candidates confuse VPC Flow Logs as a substitute for firewall rule logging, but Flow Logs lack rule-specific context.

How to eliminate wrong answers

Option B is wrong because VPC Flow Logs capture metadata about network flows at the subnet level (e.g., 5-tuple, packet/byte counts), but they do not log firewall rule-specific actions (allow/deny) or rule IDs, so they cannot pinpoint which firewall rule allowed the traffic. Option C is wrong because a custom router with a log export is used for exporting routes or BGP events, not for logging firewall rule traffic; it has no mechanism to capture per-packet firewall decisions. Option D is wrong because Packet Mirroring copies all traffic (including payloads) to a collector for deep packet inspection, which is overkill and not focused on firewall rule logging; it also incurs significant cost and complexity, and does not natively associate traffic with specific firewall rules.

443
MCQ (easy)

A network engineer is configuring a Cloud Router for BGP peering with an on-premises router over a VPN tunnel. The on-premises router uses 169.254.x.x link-local addresses. Which BGP peer IP should the engineer use in the Cloud Router configuration?

A. 169.254.0.1
B. 10.0.0.1
C. The tunnel's external IP address
D. The on-premises router's external IP address
Answer: A

Google requires BGP peer IPs to be in the 169.254.0.0/16 range for Cloud VPN tunnels.

Why this answer

The correct BGP peer IP is 169.254.0.1 because Cloud Router uses the first IP in the 169.254.0.0/16 link-local range for BGP peering over a VPN tunnel. This is required by Google Cloud's implementation, where the on-premises router must use a link-local address from the 169.254.0.0/16 range, and Cloud Router automatically assigns 169.254.0.1 as its own BGP peer IP. The on-premises router typically uses 169.254.0.2 as its BGP peer IP, ensuring a point-to-point link-local BGP session.

Exam trap

Google Cloud often tests the misconception that BGP peering over a VPN tunnel uses the tunnel's external IP addresses or private RFC 1918 addresses, but the correct answer requires knowledge that Google Cloud mandates link-local 169.254.x.x addresses for BGP sessions.

How to eliminate wrong answers

Option B is wrong because 10.0.0.1 is a private RFC 1918 address, not a link-local address, and Cloud Router requires a 169.254.x.x address for BGP peering over VPN tunnels. Option C is wrong because the tunnel's external IP address is the public IP of the VPN gateway, which is used for the tunnel establishment itself, not for BGP peering; BGP peering uses link-local addresses within the tunnel. Option D is wrong because the on-premises router's external IP address is its public-facing IP, which is used for the VPN tunnel endpoint, not for the BGP session; BGP peering must use link-local addresses from the 169.254.0.0/16 range.

444
MCQ (easy)

A company requires a dedicated connection from their on-premises data center to Google Cloud with a guaranteed SLA of 99.99% and bandwidth starting at 10 Gbps. Which connectivity option meets these requirements?

A. Direct Peering
B. Cloud VPN
C. Dedicated Interconnect
D. Partner Interconnect
Answer: C

Offers 10 Gbps or higher and 99.99% SLA.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and Google Cloud, supporting bandwidths of 10 Gbps or 100 Gbps per circuit. It offers a 99.99% or 99.999% SLA depending on the configuration (e.g., dual connections with diverse paths), meeting the guaranteed SLA and bandwidth requirements specified in the question.

Exam trap

Google Cloud often tests the misconception that Partner Interconnect can match Dedicated Interconnect's SLA and bandwidth guarantees, but Partner Interconnect's SLA is typically limited to the partner's network and does not meet the 99.99% requirement without additional redundancy from the partner.

How to eliminate wrong answers

Option A is wrong because Direct Peering is a public peering arrangement that does not provide a dedicated connection, offers no SLA, and bandwidth is not guaranteed at 10 Gbps. Option B is wrong because Cloud VPN uses the public internet with IPsec tunnels, providing no SLA and typically supporting lower bandwidth (up to 3 Gbps per tunnel with HA VPN). Option D is wrong because Partner Interconnect relies on a third-party service provider and does not guarantee a 99.99% SLA or 10 Gbps bandwidth directly from Google; the SLA and bandwidth depend on the partner's infrastructure.

445
MCQ (hard)

A company has an on-premises data center connected to Google Cloud via Dedicated Interconnect. They have a VPC with subnets in us-central1 and us-west1. They want compute instances in us-central1 to access Google APIs (e.g., Cloud Storage) without traversing the internet, but the on-premises network must also be able to access those APIs via the interconnect. They have configured Private Google Access (PGA) on all subnets. However, on-premises users report that they cannot access Cloud Storage buckets using the private IP of a forward proxy in us-central1 (the proxy is configured to use the default internet gateway for egress). What is the most likely reason?

A. Private Google Access is not supported on subnets in us-central1.
B. The forward proxy must use an external IP address to use Private Google Access.
C. There is a custom static route for 199.36.153.4/30 (Google API VIP) that points to the interconnect, overriding the default route for the proxy's outbound traffic.
D. The on-premises network must be configured with a default route pointing to the internet.
Answer: C

A custom route for the Google API VIP would cause the proxy to route traffic to on-premises instead of using the internet gateway, breaking PGA for the proxy.

Why this answer

Private Google Access allows instances with only internal IPs to reach Google APIs through the default route to the default internet gateway; PGA does not create routes of its own, it only permits the existing default route to be used for Google API destinations. In this scenario the on-premises users send their requests to the forward proxy's internal IP, and the proxy then makes the requests to Google APIs from inside the VPC.

For those requests, the VPC selects the most specific matching route. If a custom static route for the Google API IP range (e.g., 199.36.153.4/30) points to the interconnect, it is more specific than the default route (0.0.0.0/0), so the proxy's traffic to Google APIs is sent toward the on-premises network instead of the internet gateway, and PGA no longer applies to that traffic.

A common cause of this misconfiguration is a custom route for the Google API IP range left over from a previous VPN setup that overrides the default route. Option C is correct.
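The route-selection behaviour this explanation relies on (most specific prefix wins, and PGA adds no route) can be checked with a small simulation. This is an added example, not part of the question bank; the subnet ranges, route names and the "interconnect-attachment-onprem" next hop are constructed, while 199.36.153.4/30 is the range the question cites.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    name: str
    dest: str               # destination CIDR the route applies to
    next_hop: str           # where matching traffic is sent
    priority: int = 1000    # lower number wins among equally specific routes


def select_route(routes: Iterable[Route], dst_ip: str) -> Optional[Route]:
    """Pick the route a VPC uses for dst_ip: longest prefix first, then lowest priority value.

    Private Google Access is a subnet setting, not a route, so it never appears here;
    it only lets internal-only VMs use whatever route already covers the API address.
    """
    ip = ipaddress.ip_address(dst_ip)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.dest, strict=False)]
    if not matching:
        return None
    # Most specific prefix wins; ties go to the numerically lowest priority.
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r.dest, strict=False).prefixlen, r.priority),
    )


# Constructed route table for the scenario in question 445 (subnet ranges are made up).
DEFAULT_ROUTE = Route("default-route", "0.0.0.0/0", "default-internet-gateway")
SUBNET_ROUTES = (
    Route("subnet-us-central1", "10.0.1.0/24", "subnet-us-central1"),
    Route("subnet-us-west1", "10.0.2.0/24", "subnet-us-west1"),
)
# Stale custom route left over from an earlier VPN setup, as the explanation describes.
STALE_API_ROUTE = Route(
    "legacy-api-vip-to-onprem", "199.36.153.4/30", "interconnect-attachment-onprem"
)

BROKEN_TABLE = (DEFAULT_ROUTE, *SUBNET_ROUTES, STALE_API_ROUTE)
FIXED_TABLE = (DEFAULT_ROUTE, *SUBNET_ROUTES)

GOOGLE_API_VIP = "199.36.153.4"  # first address of the /30 the question cites


def proxy_egress_path(routes: Iterable[Route]) -> str:
    """Next hop the forward proxy's requests to the Google API VIP actually take."""
    chosen = select_route(routes, GOOGLE_API_VIP)
    return chosen.next_hop if chosen else "no-route"


def find_api_overrides(routes: Iterable[Route]) -> List[str]:
    """Audit helper: routes covering the API VIP whose next hop is not the internet gateway."""
    api = ipaddress.ip_address(GOOGLE_API_VIP)
    return [
        r.name
        for r in routes
        if r.next_hop != "default-internet-gateway"
        and api in ipaddress.ip_network(r.dest, strict=False)
    ]


if __name__ == "__main__":
    print("with stale route:", proxy_egress_path(BROKEN_TABLE))
    print("after removal:   ", proxy_egress_path(FIXED_TABLE))
    print("overriding routes:", find_api_overrides(BROKEN_TABLE))
```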

446
MCQ (easy)

Your organization has a site-to-site Cloud VPN connection between an on-premises network with CIDR 10.0.0.0/8 and a VPC in us-central1 with subnet 192.168.1.0/24. The VPN tunnel is established, but you cannot reach a Compute Engine instance with internal IP 192.168.1.10 from a server on-premises with IP 10.0.0.50. Cloud VPN logs show no errors. On-premises firewall rules allow all outbound traffic. What is the most likely cause of the problem?

A. A firewall rule on the VPC blocking inbound traffic from 10.0.0.0/8
B. Missing a static route on the on-premises router for 192.168.1.0/24 pointing to the VPN gateway
C. The Compute Engine instance's OS firewall blocking ICMP
D. Incorrect IAM permissions on the Cloud VPN gateway
Answer: B

Without a proper route on-premises, traffic to GCP may not be forwarded to the VPN peer.

Why this answer

The VPN tunnel is established and Cloud VPN logs show no errors, indicating the cloud side is configured correctly. However, the on-premises server at 10.0.0.50 cannot reach 192.168.1.10 because the on-premises router lacks a static route for the VPC subnet 192.168.1.0/24 pointing to the VPN gateway. Without this route, the on-premises router does not know to send traffic destined for 192.168.1.0/24 through the VPN tunnel, so packets are dropped or sent to the default gateway instead.

Exam trap

Google Cloud often tests the misconception that a successful VPN tunnel establishment implies full bidirectional connectivity, when in fact routing must be explicitly configured on both sides for traffic to flow.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules are stateful and by default allow inbound traffic from any source unless explicitly denied; the question states no errors in Cloud VPN logs, and a VPC firewall rule blocking 10.0.0.0/8 would generate logged denies, not a silent failure. Option C is wrong because the problem is about reachability at the network layer (IP routing), not the application layer; even if the instance's OS firewall blocks ICMP, the traffic would still reach the instance (the OS would receive it and drop it), but the symptom here is no connectivity at all, indicating a routing issue. Option D is wrong because IAM permissions control management of the VPN gateway (e.g., creating/modifying tunnels), not the data-plane forwarding of traffic through an established tunnel; the tunnel is up and logs show no errors, so IAM is irrelevant.

447
MCQ (easy)

A small company is moving their on-premises application to Google Cloud. They have a single on-premises office with a small router that supports IPsec VPN. They need a simple and low-cost connectivity solution that provides encryption and a consistent experience. They anticipate low bandwidth needs (under 100 Mbps). They also want the ability to use BGP for dynamic routing to avoid manual route updates. Which Google Cloud service should they use?

A. Partner Interconnect
B. Cloud HA VPN with dynamic routing (BGP)
C. Cloud Classic VPN with static routes
D. Direct Peering
Answer: B

HA VPN supports dynamic routing, provides encryption, and is cost-effective for low bandwidth.

Why this answer

Cloud HA VPN with dynamic routing (BGP) is the correct choice because it provides an encrypted IPsec tunnel, supports BGP for automatic route exchange, and is a low-cost, simple solution for sub-100 Mbps bandwidth needs. It meets the requirement for a consistent experience without the complexity or cost of dedicated interconnect services.

Exam trap

The trap here is that candidates often assume Cloud Classic VPN with static routes is sufficient for dynamic routing, but Google Cloud tests the distinction that static routes require manual updates while BGP provides automatic route exchange, making Cloud HA VPN the only correct option for dynamic routing with encryption at low cost.

How to eliminate wrong answers

Option A is wrong because Partner Interconnect is a dedicated, high-bandwidth connection (typically >1 Gbps) that requires a service provider and incurs higher costs, making it overkill for low bandwidth under 100 Mbps. Option C is wrong because Cloud Classic VPN with static routes does not support BGP for dynamic routing, requiring manual route updates which contradicts the requirement for dynamic routing. Option D is wrong because Direct Peering is a non-encrypted, direct connection to Google's network that does not provide IPsec encryption and is intended for high-volume traffic, not simple low-cost connectivity with encryption.

448
Multi-Select (hard)

Which THREE components are necessary to configure a global external HTTP(S) load balancer with Cloud CDN and an origin backend that requires authentication? (Choose three.)

Select 3 answers
A. A TCP or SSL proxy for protocol optimization.
B. A regional external HTTP(S) load balancer as the entry point.
C. An origin access identity (e.g., service account) to authenticate to the backend.
D. A backend bucket configured with Cloud CDN enabled.
E. Cloud Armor security policies to protect against attacks.
Answers: C, D, E

To access authenticated backends, you need a service account or signed URLs.

Why this answer

Option C is correct because when the origin backend (e.g., an external HTTP server or a custom origin) requires authentication, you must configure an origin access identity, typically a Google-managed service account, to authenticate requests from Cloud CDN to the origin. This ensures that only authorized CDN edge caches can fetch content from the backend, preventing direct unauthenticated access.

Exam trap

Google Cloud often tests the misconception that a regional load balancer can be used with Cloud CDN, but Cloud CDN requires a global external HTTP(S) load balancer to leverage the global anycast IP and edge cache infrastructure.

449
MCQ (medium)

A DevOps team is configuring a VPC with a subnet in us-east1. They need to allow a specific VM (source IP 10.0.1.2) to access a database VM (destination IP 10.0.2.3) on port 3306, but only from that specific source. All other traffic should be denied. Which firewall rule configuration should they use?

A. Create an egress rule on the source VM's network interface allowing traffic to 10.0.2.3/32 on port 3306.
B. Create an ingress rule with priority 1000, action allow, source 10.0.1.2/32, protocol all, target service account = db-sa.
C. Create an ingress rule with priority 1000, action allow, source 10.0.1.2/32, protocol tcp:3306, target tags = db, and assign the 'db' tag to the database VM.
D. Create an ingress rule with priority 1000, action allow, source 10.0.1.2/32, protocol tcp:3306, target 10.0.2.3/32.
Answer: C

Ingress rule with specific source and port allows the required traffic when tag is assigned to destination VM.

Why this answer

Option C is correct because it creates an ingress firewall rule with the highest priority (1000 is the default for custom rules) that explicitly allows TCP traffic on port 3306 from source IP 10.0.1.2/32 to any VM tagged with 'db'. By assigning the 'db' tag to the database VM, the rule applies only to that target, and since VPC firewall rules are stateful, the corresponding return traffic is automatically allowed. All other traffic is denied by the implied deny-all rule (priority 65535), meeting the requirement.

Exam trap

The trap here is that candidates often confuse ingress vs. egress rules or try to target a specific destination IP in a firewall rule, but GCP firewall rules only support targets via tags, service accounts, or the entire network, not by IP address.

How to eliminate wrong answers

Option A is wrong because egress rules control outbound traffic from the source VM, but the requirement is to allow inbound traffic to the database VM; egress rules cannot permit ingress connections. Option B is wrong because it specifies 'protocol all', which would allow all protocols (including non-TCP) on all ports, violating the requirement to restrict to port 3306 only. Option D is wrong because firewall rules cannot target a specific IP address as a destination; they target VMs via tags, service accounts, or the entire VPC, and the destination IP is not a valid target specifier in GCP firewall rules.
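To make the difference between options B and C concrete, here is a small model of VPC ingress rule evaluation (priority order, source range, protocol/port, target tag, implied deny at 65535) run over a few constructed flows. This is an added example, not from the question bank; the rule and flow objects are simplified (port ranges reduced to single ports, the service-account target of option B modelled as a tag), and the extra source IP 10.0.1.9 and the "web" tag are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

IMPLIED_DENY_INGRESS = 65535  # precedence of the implied deny-all ingress rule in every VPC


@dataclass(frozen=True)
class IngressRule:
    name: str
    priority: int                       # 0-65535, lower number is evaluated first
    action: str                         # "allow" or "deny"
    source_ranges: Tuple[str, ...]      # source CIDRs
    protocol: str                       # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, ...] = ()         # empty = every port (ranges simplified to ints)
    target_tags: Tuple[str, ...] = ()   # empty = every instance in the network


@dataclass(frozen=True)
class Flow:
    """Constructed description of a new inbound connection arriving at a VM."""
    src_ip: str
    protocol: str
    dst_port: int
    dst_tags: Tuple[str, ...]           # network tags on the destination VM


def rule_matches(rule: IngressRule, flow: Flow) -> bool:
    src = ipaddress.ip_address(flow.src_ip)
    if not any(src in ipaddress.ip_network(c, strict=False) for c in rule.source_ranges):
        return False
    if rule.protocol != "all" and rule.protocol != flow.protocol:
        return False
    if rule.ports and flow.dst_port not in rule.ports:
        return False
    # Targets are tags, service accounts or the whole network, never a destination IP.
    if rule.target_tags and not set(rule.target_tags) & set(flow.dst_tags):
        return False
    return True


def evaluate_ingress(rules: Iterable[IngressRule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name): first match in priority order, else the implied deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.priority >= IMPLIED_DENY_INGRESS:
            break  # nothing at or below the implied rule's precedence can override it
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


# Option C from question 449: tcp:3306 from 10.0.1.2/32 to VMs tagged "db".
OPTION_C = IngressRule("allow-db-from-app", 1000, "allow", ("10.0.1.2/32",), "tcp", (3306,), ("db",))
# Option B as written: protocol "all", so every port and protocol from that source is allowed.
OPTION_B = IngressRule("allow-all-from-app", 1000, "allow", ("10.0.1.2/32",), "all", (), ("db",))

# Constructed flows toward the database VM (tagged "db") and toward an unrelated VM.
WANTED = Flow("10.0.1.2", "tcp", 3306, ("db",))
OTHER_SOURCE = Flow("10.0.1.9", "tcp", 3306, ("db",))
OTHER_PORT = Flow("10.0.1.2", "tcp", 22, ("db",))
OTHER_VM = Flow("10.0.1.2", "tcp", 3306, ("web",))


def decisions(rule: IngressRule) -> Dict[str, str]:
    """Decision each constructed flow gets under one custom rule plus the implied deny."""
    return {
        "wanted": evaluate_ingress([rule], WANTED)[0],
        "other_source": evaluate_ingress([rule], OTHER_SOURCE)[0],
        "other_port": evaluate_ingress([rule], OTHER_PORT)[0],
        "other_vm": evaluate_ingress([rule], OTHER_VM)[0],
    }


if __name__ == "__main__":
    print("option C:", decisions(OPTION_C))
    print("option B:", decisions(OPTION_B))
```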

450
MCQ (easy)

A network engineer is setting up Dedicated Interconnect and sees the output above. What does the 'encryption: IPSEC' field indicate about this VLAN attachment?

A. Traffic over this VLAN attachment is encrypted using IPsec
B. The attachment is using Cloud VPN as the underlying transport
C. The attachment requires a Cloud VPN tunnel in addition to the Interconnect
D. The attachment is using MACsec encryption at layer 2
Answer: A

IPsec encryption is enabled on this attachment.

Why this answer

The 'encryption: IPSEC' field in the VLAN attachment output for Dedicated Interconnect indicates that traffic traversing this attachment is encrypted using IPsec. This is a feature of Google Cloud's Dedicated Interconnect that allows you to enable IPsec encryption on the VLAN attachment itself, providing confidentiality and integrity for data in transit without requiring a separate Cloud VPN tunnel.

Exam trap

Google Cloud often tests the misconception that IPsec encryption on a VLAN attachment requires a separate Cloud VPN tunnel, but in reality, the encryption is a built-in feature of the attachment itself.

How to eliminate wrong answers

Option B is wrong because Cloud VPN is not the underlying transport; Dedicated Interconnect uses a direct physical connection between your on-premises network and Google's network, and IPsec encryption is applied on top of that direct link, not via a VPN tunnel. Option C is wrong because the IPsec encryption is configured directly on the VLAN attachment, so no additional Cloud VPN tunnel is required; the attachment itself handles the encryption. Option D is wrong because MACsec operates at Layer 2 (Ethernet) and uses different encryption mechanisms (IEEE 802.1AE), while the output explicitly states 'IPSEC', which is a Layer 3 protocol (RFC 4301).
