Google Professional Cloud Network Engineer (PCNE) — Questions 451–497

497 questions total · 7 pages · All types, answers revealed


Page 7 of 7

451
MCQ · medium

A company uses Shared VPC with multiple service projects. The network admin wants to restrict access to certain Compute Engine instances so that only specific service accounts can SSH into them. What is the best practice to achieve this?

A. Configure firewall rules that allow SSH only from source IP ranges of the allowed service accounts.
B. Use Identity-Aware Proxy (IAP) TCP forwarding with IAM conditions restricting which service accounts can use IAP.
C. Use Organization Policies to restrict SSH access.
D. Use VPC Service Controls with a service perimeter.
Answer: B

IAP provides secure access and IAM conditions allow granular control by service account.

Why this answer

Option B is correct because Identity-Aware Proxy (IAP) TCP forwarding allows SSH access to Compute Engine instances without exposing them to the public internet. By combining IAP with IAM conditions, the network admin can restrict which service accounts are permitted to use IAP, thereby controlling SSH access at the identity level rather than relying on source IP addresses. This approach aligns with Google Cloud's best practice for zero-trust network security.

Exam trap

The trap here is that candidates may confuse IAP with traditional firewall rules or VPC Service Controls, mistakenly thinking source IP filtering or perimeter-based controls can enforce identity-based access, whereas IAP is the only option that directly integrates service account identity with SSH access.

How to eliminate wrong answers

Option A is wrong because firewall rules filter traffic based on source IP addresses, not service accounts; service accounts are identities, not IP ranges, so this approach cannot restrict access by service account. Option C is wrong because Organization Policies are used to set constraints on resource configurations (e.g., disabling serial port access), not to control SSH access per service account. Option D is wrong because VPC Service Controls are designed to protect data exfiltration by defining perimeters around managed services (e.g., BigQuery, Cloud Storage), not to manage SSH access to Compute Engine instances.

452
MCQ · medium

A multinational corporation has deployed a multi-region application on Google Kubernetes Engine (GKE) clusters in us-central1 and europe-west1. The application serves global users and requires low-latency access to a shared database hosted on Cloud SQL in us-central1. The network team has configured Cloud VPN tunnels between each region and the on-premises data center for administrative access. The application instances in europe-west1 are experiencing high latency when connecting to the Cloud SQL instance in us-central1. The team wants to reduce latency without migrating the database. The team has already verified that the Cloud SQL instance has private IP enabled and is peered to a shared VPC that spans both regions. The GKE clusters are in the same shared VPC. What should the team do?

A. Configure Private Service Connect to expose the Cloud SQL instance from us-central1 and access it via a service attachment from europe-west1.
B. Configure a global external HTTP(S) load balancer in front of the Cloud SQL instance.
C. Create a Cloud Interconnect connection from europe-west1 to the on-premises data center and route traffic through the on-premises network to reach us-central1.
D. Enable Cloud SQL public IP and allow the GKE nodes in europe-west1 to connect over the internet using Cloud NAT.
Answer: A

Private Service Connect provides low-latency, private cross-region access to Cloud SQL without traversing the internet or on-premises.

Why this answer

Option A is correct because Private Service Connect (PSC) allows the Cloud SQL instance in us-central1 to be accessed from europe-west1 via a service attachment and a private endpoint, enabling traffic to traverse Google's internal network without backhauling through the on-premises data center. This reduces latency by keeping the traffic within Google's backbone, avoiding the longer path through the Cloud VPN and on-premises network. PSC supports cross-region connectivity with private IP, which aligns with the requirement to not migrate the database.

Exam trap

Google Cloud often tests the misconception that cross-region private connectivity must go through a VPN or on-premises network, when in fact Private Service Connect can provide direct, low-latency access within Google's network without additional infrastructure.

How to eliminate wrong answers

Option B is wrong because a global external HTTP(S) load balancer is designed for HTTP/HTTPS traffic to application backends, not for proxying database connections like Cloud SQL, and it would introduce unnecessary overhead and protocol incompatibility. Option C is wrong because creating a Cloud Interconnect to the on-premises data center and routing traffic through it would add additional latency and complexity, as traffic would still need to traverse the on-premises network to reach us-central1, defeating the purpose of reducing latency. Option D is wrong because enabling Cloud SQL public IP and connecting over the internet via Cloud NAT would expose the database to public internet risks and increase latency due to internet routing, while also violating the requirement to use private IP.

453
MCQ · hard

A company has multiple on-premises networks connected to a Cloud VPN hub in GCP. Each on-premises site uses BGP to advertise its prefixes. The security team wants to ensure that only specific prefixes from each site are accepted into the VPC routes. What should they configure?

A. Configure BGP route filtering on the Cloud Router to accept only specific prefixes from each on-premises site.
B. Create firewall rules to block traffic from unwanted prefixes.
C. Set up a separate VPN tunnel for each prefix.
D. Use VPC Service Controls to restrict the prefixes.
Answer: A

Cloud Router allows filtering inbound and outbound routes.

Why this answer

Option A is correct because Cloud Router supports BGP route filtering, allowing you to define inbound route policies that accept only specific prefixes from each on-premises BGP peer. This ensures that only the desired prefixes are installed into the VPC route table, providing granular control over route advertisement acceptance without affecting the VPN tunnel or firewall state.

Exam trap

Google Cloud often tests the distinction between route filtering (control plane) and firewall rules (data plane), so the trap here is that candidates mistakenly think firewall rules can prevent unwanted route injection, when in fact they only block traffic after the route is already learned.

How to eliminate wrong answers

Option B is wrong because firewall rules control traffic flow based on IP addresses and ports, but they do not prevent unwanted prefixes from being injected into the VPC route table; the routes would still exist and could influence routing decisions. Option C is wrong because creating a separate VPN tunnel for each prefix is inefficient and unnecessary; BGP route filtering on a single Cloud Router can selectively accept prefixes without multiplying tunnel configurations. Option D is wrong because VPC Service Controls are designed to restrict data exfiltration and access to Google-managed services, not to filter BGP route advertisements or control which on-premises prefixes are learned into VPC routes.

454
Multi-Select · easy

Which TWO situations are most appropriate for using Partner Interconnect instead of Dedicated Interconnect?

Select 2 answers
A. When you need IPSec encryption
B. When 99.99% SLA is required
C. When data center space is limited and you cannot host a Google edge router
D. When bandwidth requirements exceed 10 Gbps per connection
E. When you want to leverage existing service provider connectivity
Answers: C, E

Partner handles the physical connection.

Why this answer

Options C and E are correct. C: When colocation space is limited, a partner can provide the connectivity. E: When using a service provider that already connects to Google.

A: HA VPN already provides encryption. B: A high SLA is better with Dedicated. D: Bandwidth over 10 Gbps is better with Dedicated.

455
MCQ · easy

A developer wants to create a VM that can communicate with all Google APIs without requiring an external IP address. Which configuration is necessary?

A. Configure a Cloud NAT.
B. Add a firewall rule to allow egress to 0.0.0.0/0.
C. Set up VPC peering with the Google APIs service producer.
D. Enable Private Google Access on the subnet.
Answer: D

Private Google Access allows VMs without external IPs to reach Google APIs.

Why this answer

To allow communication with Google APIs without an external IP, Private Google Access must be enabled on the subnet, so option D is correct. Option A is wrong because Cloud NAT is for internet access to non-Google destinations.

Option C is wrong because VPC peering is for connecting VPCs. Option B is wrong because firewall rules alone are not sufficient.

456
MCQ · medium

A company uses Shared VPC with multiple service projects. They need to allow certain service projects to create internal load balancers (ILBs) that are accessible from all projects in the organization. What is the best practice?

A. Deploy ILB in each service project and use global access
B. Create the ILB in the host project and share the backend
C. Use Cloud NAT for outbound connectivity
D. Use VPC peering between each service project and the host project
E. Enable Private Service Connect
Answer: B

ILB in host project is accessible to all service projects in the Shared VPC.

Why this answer

In a Shared VPC architecture, the host project owns the VPC network and its resources, including internal load balancers (ILBs). By creating the ILB in the host project and sharing its backend (e.g., instance groups from service projects), the ILB becomes accessible from all projects in the organization without additional connectivity. This approach centralizes network control and ensures the ILB's IP address is routable within the shared VPC, meeting the requirement for cross-project access.

Exam trap

The trap here is that candidates often assume 'global access' on an ILB enables cross-project access, but global access only allows clients from any region within the same VPC network to reach the ILB, not clients from different projects.

How to eliminate wrong answers

Option A is wrong because deploying an ILB in each service project with global access only allows access from any region within that same project, not from other projects; global access does not enable cross-project connectivity. Option C is wrong because Cloud NAT provides outbound internet connectivity for private instances, not inbound load balancing or cross-project access. Option D is wrong because VPC peering between each service project and the host project would create separate peering connections, but ILBs in service projects are not automatically accessible across peering links without additional configuration (e.g., custom routes or Private Service Connect), and this approach adds complexity and management overhead.

Option E is wrong because Private Service Connect is designed for exposing managed services privately to consumers, not for creating internal load balancers accessible across all projects in an organization; it is typically used for service producers and consumers, not for internal load balancing within a shared VPC.

457
MCQ · hard

A network engineer configured a Cloud Router with the BGP configuration shown. The on-premises router (AS 64512) is peering with the Cloud Router (AS 65001) over a Dedicated Interconnect VLAN attachment. The engineer notices that traffic from on-premises to Google Cloud is not being routed via this interconnect as expected. What is the most likely cause?

A. The route-map SET-MED sets the MED attribute incorrectly
B. The ebgp-multihop 2 command is not supported on Cloud Router
C. The update-source loopback0 command is invalid for Cloud Router BGP sessions
D. The local-preference is set in the outbound direction, which is not allowed
Answer: C

Cloud Router requires the BGP session to use the link-local IP address, not a loopback.

Why this answer

Option C is correct because Cloud Router does not support the `update-source loopback0` command. BGP sessions on Cloud Router must use the primary IP address of the interface that is directly connected to the VLAN attachment; loopback interfaces are not supported for BGP peering. This command would cause the Cloud Router to attempt to source BGP packets from a loopback address that is not reachable by the on-premises router, breaking the BGP session.

Exam trap

Google Cloud often tests the misconception that Cloud Router supports the same BGP commands as a physical Cisco router, leading candidates to overlook the fact that Cloud Router is a managed service with a restricted feature set, particularly regarding interface sourcing and multihop capabilities.

How to eliminate wrong answers

Option A is wrong because the MED attribute is typically used to influence inbound traffic from a peer, and while a route-map SET-MED could affect path selection, it would not prevent traffic from being routed via the interconnect; the issue is that traffic is not being routed at all, not that it is taking a suboptimal path. Option B is wrong because `ebgp-multihop` is not a command used on Cloud Router; Cloud Router does not support ebgp-multihop, but the absence of this command would not cause the described issue—the session would simply require direct connectivity. Option D is wrong because setting local-preference in the outbound direction is allowed and is a common practice to influence inbound traffic; however, local-preference is a well-known mandatory attribute that is sent to eBGP peers by default, and setting it outbound does not break routing.

458
MCQ · hard

A network engineer is designing a Google Cloud network for a financial services company that requires strict compliance with PCI DSS. They need to isolate development, staging, and production environments. Which approach should they use to meet these requirements?

A. Use a single VPC with separate subnets for each environment and firewall rules to restrict traffic
B. Use a single VPC with separate firewall rules for each environment
C. Use a Shared VPC with separate service projects for each environment
D. Use separate VPCs for each environment, connected via VPC Network Peering
Answer: D

Separate VPCs provide strong isolation, and peering can be used if controlled communication is needed.

Why this answer

Option D is correct because PCI DSS requires strict network segmentation between environments handling cardholder data. Separate VPCs provide complete isolation at the network layer, preventing any accidental cross-environment traffic. VPC Network Peering allows controlled, encrypted communication between these isolated VPCs without reducing the security boundary, as peering does not merge routing domains or security policies.

Exam trap

The trap here is that candidates often confuse logical segmentation (subnets and firewall rules) with physical or hard segmentation, assuming that firewall rules alone can enforce PCI DSS isolation, but the exam expects a design that creates separate administrative and routing domains.

How to eliminate wrong answers

Option A is wrong because using a single VPC with separate subnets does not provide true network isolation; all subnets share the same VPC routing table and can potentially communicate if firewall rules are misconfigured, violating PCI DSS segmentation requirements. Option B is wrong because relying solely on firewall rules within a single VPC is insufficient for PCI DSS; firewall rules are stateful and can be bypassed by misconfiguration or internal routing, and they do not create a hard network boundary. Option C is wrong because Shared VPC still uses a single VPC network; service projects share the same host project's VPC, meaning all environments reside in the same routing domain, which fails to meet the strict isolation required by PCI DSS.

459
MCQ · hard

A company has a VPC with multiple subnets. They want to restrict traffic between two specific subnets (10.0.1.0/24 and 10.0.2.0/24) while allowing all other traffic. They create a firewall rule with priority 1000 denying ingress from 10.0.1.0/24 to 10.0.2.0/24. However, traffic is still allowed. What is the most likely reason?

A. The rule is incorrectly applied to the wrong network tag
B. The traffic is going through the metadata server
C. There is a higher priority allow rule that matches the traffic
D. Firewall rules are stateless, so return traffic is blocked
Answer: C

Higher priority allow rule can override deny.

Why this answer

Option C is correct because in Google Cloud VPC firewall rules, lower priority numbers indicate higher precedence. A rule with priority 1000 is evaluated after any rule whose priority number is lower than 1000; the implied default rules sit at priority 65535, the lowest precedence. If a higher priority (lower number) allow rule exists that matches the same traffic, it will override the deny rule.

The default VPC firewall rules include an implicit allow rule for egress and an ingress allow rule for traffic within the same VPC, which may have a higher priority than 1000, thus permitting the traffic despite the deny rule.

Exam trap

Google Cloud often tests the misconception that a deny rule with a higher priority number (e.g., 1000) will override allow rules with lower priority numbers, when in fact lower numbers have higher precedence.

How to eliminate wrong answers

Option A is wrong because network tags are used to apply firewall rules to specific VM instances, not to subnets; the rule is applied to the subnet via the source and destination IP ranges, not tags. Option B is wrong because the metadata server (169.254.169.254) is used for instance metadata and does not route traffic between subnets; traffic between subnets goes through the VPC's internal routing, not the metadata server. Option D is wrong because Google Cloud VPC firewall rules are stateful by default, meaning return traffic is automatically allowed; the issue is not about statelessness but about rule priority.

460
MCQ · medium

Refer to the exhibit. An engineer has configured HA VPN with two tunnels (tunnel-a and tunnel-b) to an on-premises network. The BGP session for peer-b is in IDLE state. What is the most likely cause?

A. The Cloud Router is not in the same region as the VPN gateway.
B. The on-premises router is not advertising any routes.
C. The pre-shared key for tunnel-b is incorrect.
D. The on-premises router's BGP configuration for peer-b has a wrong IP address.
Answer: D

IP mismatch causes BGP IDLE state; tunnel status indicates VPN is up, so BGP configuration is likely the issue.

Why this answer

The BGP session for peer-b is in IDLE state, which typically indicates a TCP connection failure. Since tunnel-a is working, the Cloud Router and VPN gateway are correctly configured, and the issue is specific to peer-b. The most likely cause is that the on-premises router's BGP configuration for peer-b has the wrong IP address (e.g., the wrong BGP peer IP or the wrong Cloud Router interface IP), preventing the TCP handshake from completing.

Exam trap

Google Cloud often tests the distinction between BGP session states and tunnel/encryption failures; the trap here is that candidates assume any BGP issue is caused by route advertisement problems, when in fact the IDLE state points to a TCP connectivity issue, such as a wrong peer IP address.

How to eliminate wrong answers

Option A is wrong because the Cloud Router must be in the same region as the VPN gateway for HA VPN to function; if it were not, tunnel-a would also fail, but it is working. Option B is wrong because the BGP session being in IDLE state is a transport-layer issue (TCP connection not established), not a routing advertisement issue; even if no routes are advertised, the BGP session would reach Established state with no prefixes. Option C is wrong because an incorrect pre-shared key would cause IKE/IPsec authentication failure, not a BGP IDLE state; the BGP session would not even attempt to start if the tunnel is down.

461
MCQ · easy

A company wants to connect its on-premises data center to Google Cloud. They have a single VPN appliance on-premises and need high availability for the connection. Which architecture provides the most cost-effective high availability solution?

A. Deploy Cloud HA VPN with two interfaces, each with its own external IP address, and configure two tunnels to the on-premises VPN appliance.
B. Use a single Cloud Classic VPN tunnel with a static route.
C. Deploy two Cloud Classic VPN gateways in the same region, each with one tunnel to the on-premises VPN appliance.
D. Deploy Cloud HA VPN with one interface and one external IP address, and configure a single tunnel to the on-premises appliance.
Answer: A

HA VPN uses two external IPs and two tunnels, providing automatic failover and high availability.

Why this answer

Option A is correct because Cloud HA VPN uses two external IP addresses per tunnel and automatically provides high availability by using two VPN gateways in different regions. Option C is incorrect because using two Cloud VPN gateways in the same region does not protect against zonal failure. Option B is incorrect because a single Classic VPN tunnel is not highly available.

Option D is incorrect because HA VPN with a single IP per tunnel is not supported; HA VPN requires at least two IPs.

462
MCQ · hard

An organization has two VPC networks in different Google Cloud organizations. They need to allow private IP communication between instances in these VPCs without using public IPs or VPNs. Which solution should they use?

A. Cloud NAT
B. Shared VPC
C. Cloud VPN
D. VPC Network Peering
Answer: D

Supports cross-organization peering.

Why this answer

VPC Network Peering allows private IP connectivity between two VPC networks across different organizations without requiring public IPs, VPNs, or gateways. It uses the Google Cloud internal infrastructure to route traffic directly between instances, leveraging RFC 1918 addresses and supporting global peering.

Exam trap

Google Cloud often tests the distinction between Shared VPC (same org) and VPC Network Peering (cross-org), leading candidates to mistakenly choose Shared VPC when the question specifies different organizations.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet access for private instances, not private inter-VPC communication. Option B is wrong because Shared VPC requires both VPCs to be in the same organization, not across different organizations. Option C is wrong because Cloud VPN uses public internet tunnels (IPsec) and is not a private IP-only solution, violating the requirement to avoid VPNs.

463
Multi-Select · hard

A network engineer is troubleshooting connectivity between two VPCs that are peered. The VPC flow logs show traffic being dropped. Firewall rules are correctly configured. Which TWO actions should the engineer take to identify the cause?

Select 2 answers
A. Ensure that the subnets in both VPCs don't overlap.
B. Use Packet Mirroring to capture traffic on both sides and compare.
C. Check for asymmetric routing by reviewing the VPC peering routes and Cloud Router sessions.
D. Disable the firewall rules to see if traffic flows.
E. Verify that the VPCs are in the same project.
Answers: B, C

Packet Mirroring can help identify if traffic is reaching the destination instance.

Why this answer

Packet Mirroring allows you to capture and inspect actual traffic at the packet level on both sides of the VPC peering connection. Since firewall rules are correctly configured but flow logs still show drops, the issue is likely at a lower layer (e.g., routing, MTU, or asymmetric traffic). By comparing mirrored packets, you can see if traffic is actually reaching the destination interface and whether responses are being sent back, which flow logs alone cannot reveal.

Exam trap

Google Cloud often tests the misconception that flow logs provide enough detail to diagnose all connectivity issues, when in fact they only show summary statistics and cannot capture packet-level details needed to identify asymmetric routing or MTU problems.

464
MCQ · medium

A company has Compute Engine instances without external IP addresses that need to access external APIs. The instances are in multiple zones within a region, and each zone has a subnet. The company wants a cost-effective and highly available solution that does not require manual failover. What should they do?

A. Create a Cloud NAT gateway in each zone and configure region-specific NAT rules.
B. Create a Cloud NAT gateway in one zone and configure an instance tag-based route to the gateway.
C. Enable Private Google Access on the subnets and configure a Cloud NAT gateway in one zone.
D. Assign external IP addresses to each instance and create appropriate firewall rules.
Answer: A

Regional NAT with gateways per zone provides automatic failover and high availability.

Why this answer

A Cloud NAT gateway per zone provides highly available outbound connectivity for instances without external IPs. By placing a gateway in each zone, traffic from instances in that zone uses the local gateway, avoiding cross-zone hops and ensuring automatic failover if a zone fails. This meets the cost-effective and no-manual-failover requirements without needing instance-level external IPs.

Exam trap

The trap here is that candidates assume a single Cloud NAT gateway is sufficient for high availability, but the PCNE exam expects zone-level redundancy to avoid a single point of failure and to meet the 'no manual failover' requirement.

How to eliminate wrong answers

Option B is wrong because a single Cloud NAT gateway in one zone creates a single point of failure; if that zone goes down, all outbound connectivity is lost, and instance tag-based routes do not provide automatic failover. Option C is wrong because Private Google Access only enables access to Google APIs and services, not external APIs; adding a single Cloud NAT gateway still lacks zone-level high availability. Option D is wrong because assigning external IPs to each instance is not cost-effective (each IP incurs cost) and does not provide a managed, highly available solution; it also requires manual failover if an instance fails.

465
MCQ · hard

A company has a complex on-premises network with multiple BGP AS numbers. They are connecting to GCP using Cloud VPN and wish to advertise specific prefixes. They want to ensure that only selected on-prem prefixes are advertised to GCP and no other prefixes leak. What is the best approach?

A. Use route advertisements from on-prem routers and rely on GCP's route import policy
B. Configure Cloud Router with custom advertised route maps to filter prefixes
C. Use VPC firewall rules to restrict incoming traffic
D. Set up a separate Cloud Router for each prefix
Answer: B

Cloud Router can be configured to accept only specific BGP prefixes.

Why this answer

Cloud Router with custom advertised route maps allows you to explicitly define which on-premises prefixes are advertised to GCP via Cloud VPN. This ensures only the selected prefixes are propagated, preventing route leaks. Unlike relying on GCP's import policy, this approach gives you direct control over outbound advertisements from your on-premises network.

Exam trap

The trap here is that candidates confuse route advertisement control with traffic filtering, assuming firewall rules can solve a routing protocol issue, or they overcomplicate the solution by creating multiple Cloud Routers instead of using a single router with proper filtering.

How to eliminate wrong answers

Option A is wrong because relying on GCP's route import policy only controls which routes GCP accepts, not which prefixes your on-premises routers advertise; this can still allow unintended prefixes to be sent to GCP. Option C is wrong because VPC firewall rules control traffic flow based on IP addresses and ports, not BGP route advertisement; they cannot prevent prefix leaks at the routing protocol level. Option D is wrong because setting up a separate Cloud Router for each prefix is unnecessary and inefficient; a single Cloud Router with custom advertised route maps can filter multiple prefixes without additional overhead.

466
MCQ · hard

Refer to the exhibit. A company uses a Cloud Router with two BGP sessions for an HA VPN to on-premises. Traffic is not flowing correctly to the on-premises network. What is the most likely issue?

A. The advertised route priority is too low.
B. The BGP session with vpn-tunnel-2 is down, causing asymmetric routing.
C. The keepalive interval is too high.
D. The ASN 65000 is private and not allowed.
Answer: B

A down BGP session can disrupt proper route advertisement and traffic flow.

Why this answer

One BGP session (vpn-tunnel-2) is down, which can cause asymmetric routing or loss of connectivity. Option B identifies this. Option D is incorrect because ASN 65000 is private and valid for Cloud Router.

Option A is incorrect because priority 100 is fine. Option C is incorrect because a keepalive interval of 20 seconds is within the typical range.

467
MCQ · medium

A company has two VPC networks (VPC-A and VPC-B) in the same project. They are connected via VPC peering. VPC-A contains an internal TCP load balancer with IP 10.1.2.3 serving on port 80. VPC-B needs to access this load balancer. The network engineer has verified that the firewall rules allow traffic from VPC-B to the load balancer's IP and port. However, instances in VPC-B cannot connect to 10.1.2.3:80. What is the most likely reason for this failure?

A. Internal load balancers are regional; clients must be in the same region as the load balancer when using VPC peering.
B. The VPC peering connection does not propagate routes for the load balancer IP.
C. The backend instances are unhealthy and the load balancer is not serving traffic.
D. Firewall rules in VPC-B are not allowing egress to the load balancer IP.
Answer: A

Internal TCP/UDP LBs are regional and only accept connections from VPCs in the same region via peering.

Why this answer

Option A is correct: Internal TCP/UDP load balancers are regional and only accept traffic from clients in the same region when using VPC peering. The load balancer is in a specific region (e.g., us-central1), but if VPC-B's instances are in a different region (e.g., us-west1), they will not be able to reach the internal LB via peering unless the LB has global access enabled (which is only available for external LBs). Option D is incorrect because firewall rules are already verified.

Option B is irrelevant; VPC peering does not insert a default route for load balancer IPs. Option C is incorrect because health checks are for the load balancer to backends, not client connectivity.

468
Multi-Select · hard

A company uses Cloud VPN with dynamic routing (BGP). The on-premises network advertises a prefix that overlaps with a subnet in the VPC. Which TWO actions can resolve this conflict? (Choose TWO.)

Select 2 answers
A. Delete the conflicting subnet in the VPC.
B. Modify the on-premises BGP advertisement to use a more specific prefix (longer subnet mask) that does not overlap.
C. Use route propagation with a filter in the VPC route table.
D. Create a static route in the VPC with the same prefix as the overlapping route.
E. Use Cloud Router custom route advertisements to control which routes are learned or advertised.
Answers: B, E

A more specific prefix will be preferred for traffic destined to that subnet, eliminating the conflict.

Why this answer

Option B: Advertise a more specific prefix from on-premises (e.g., a smaller CIDR block) to differentiate traffic. Option E: On Cloud Router, configure custom route advertisements to filter or modify the overlapping route. Option D would not work because a static route cannot override a dynamic route with the same prefix length; the more specific route wins.

Option A is too drastic and unnecessary. Option C is not a native feature.

469
Multi-Selecteasy

Which TWO configurations provide high availability for Dedicated Interconnect? (Choose two.)

Select 2 answers
A.Two connections to different PoPs.
B.A single circuit with L2 redundancy.
C.Using Cloud NAT for failover.
D.A single connection from one provider.
E.Two connections to the same PoP.
AnswersA, E

Redundant physical circuits in separate edge availability domains, ideally in separate metros.

Why this answer

Option A is correct because connections in two different colocation facilities (two metros) give geographic redundancy: if one facility fails, Cloud Router withdraws the routes learned over it and traffic moves to the other connection. Option E is correct when the two connections in the same facility land in different edge availability domains (EADs): each EAD is maintained independently, so one circuit keeps carrying traffic while the other is down, and BGP over the two VLAN attachments provides active/active forwarding or failover. Google's 99.9% SLA topology is two connections in two EADs of one metro; the 99.99% topology is four connections across two metros.

Exam trap

Google Cloud often tests the misconception that a single circuit with L2 link aggregation is sufficient for high availability, but a single circuit is still one physical path; for Dedicated Interconnect, true HA requires multiple physical circuits in different edge availability domains (same or different metro), each with its own VLAN attachment and BGP session, so that either path can carry the load.

470
Multi-Selecthard

Which THREE statements about VPC Flow Logs are correct?

Select 3 answers
A.Flow logs support sampling with a configurable interval.
B.Flow logs can be sent to BigQuery for analysis.
C.Flow logs record traffic to and from external IP addresses only.
D.Flow logs are enabled by default for all subnets.
E.VPC Flow Logs are enabled at the subnet level.
AnswersA, B, E

VPC Flow Logs have two separate knobs: the aggregation interval (5 seconds by default, configurable up to 15 minutes) and the sampling rate (a fraction of packets, 0.5 by default). Records reach BigQuery through a Cloud Logging sink.

Why this answer

Flow logs are enabled per subnet and are off by default (so D is wrong); they record flows between VMs, to and from on-premises and internet endpoints, and to Google services, not external IPs only (so C is wrong); and their Cloud Logging entries can be routed to BigQuery or Pub/Sub with a log sink for analysis and detection.
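The analysis a network or security engineer actually runs on exported flow logs is a detection over the record fields, so here is an added example (not from the original page) that reads constructed flow-log entries in the Cloud Logging jsonPayload shape and flags VMs sending large volumes to non-RFC 1918 destinations. The VM names, addresses and byte counts are made up; the field names (reporter, connection, src_instance, bytes_sent) follow the VPC Flow Logs record format.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample records in the shape of VPC Flow Logs entries in Cloud Logging
# (jsonPayload subset only). VM names and addresses are made up; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet destinations.
SAMPLE_LOG_LINES = [
    json.dumps({"jsonPayload": {"reporter": "SRC",
        "src_instance": {"vm_name": "web-1"},
        "connection": {"src_ip": "10.0.0.10", "dest_ip": "203.0.113.10",
                       "src_port": 51234, "dest_port": 443, "protocol": 6},
        "bytes_sent": "5000000", "packets_sent": "3800"}}),
    # The return direction of the same flow, reported by web-1 as the destination.
    json.dumps({"jsonPayload": {"reporter": "DEST",
        "dest_instance": {"vm_name": "web-1"},
        "connection": {"src_ip": "203.0.113.10", "dest_ip": "10.0.0.10",
                       "src_port": 443, "dest_port": 51234, "protocol": 6},
        "bytes_sent": "90000", "packets_sent": "100"}}),
    # Internal VM-to-VM traffic is reported once by each side.
    json.dumps({"jsonPayload": {"reporter": "SRC",
        "src_instance": {"vm_name": "web-1"},
        "connection": {"src_ip": "10.0.0.10", "dest_ip": "10.0.1.5",
                       "src_port": 40001, "dest_port": 5432, "protocol": 6},
        "bytes_sent": "2500000", "packets_sent": "2000"}}),
    json.dumps({"jsonPayload": {"reporter": "DEST",
        "dest_instance": {"vm_name": "db-1"},
        "connection": {"src_ip": "10.0.0.10", "dest_ip": "10.0.1.5",
                       "src_port": 40001, "dest_port": 5432, "protocol": 6},
        "bytes_sent": "2500000", "packets_sent": "2000"}}),
    json.dumps({"jsonPayload": {"reporter": "SRC",
        "src_instance": {"vm_name": "batch-1"},
        "connection": {"src_ip": "10.0.0.20", "dest_ip": "198.51.100.7",
                       "src_port": 39870, "dest_port": 22, "protocol": 6},
        "bytes_sent": "800", "packets_sent": "6"}}),
]

RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses. An explicit list is used on purpose: ipaddress.is_private
    also treats the documentation ranges as private and would hide the destinations above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def external_egress_totals(log_lines):
    """Sum bytes per (vm, dest_ip, dest_port) for flows a VM sent to non-RFC 1918 addresses."""
    totals = defaultdict(int)
    for line in log_lines:
        payload = json.loads(line)["jsonPayload"]
        if payload.get("reporter") != "SRC":
            continue  # count each flow once, from the sending VM's own record
        conn = payload["connection"]
        if is_internal(conn["dest_ip"]):
            continue
        key = (payload["src_instance"]["vm_name"], conn["dest_ip"], conn["dest_port"])
        totals[key] += int(payload["bytes_sent"])  # int() also handles counters exported as strings
    return dict(totals)


def flag_bulk_egress(log_lines, threshold_bytes):
    """Flows worth a look: external destinations that received at least threshold_bytes."""
    return sorted((key, total) for key, total in external_egress_totals(log_lines).items()
                  if total >= threshold_bytes)


if __name__ == "__main__":
    for (vm, ip, port), total in flag_bulk_egress(SAMPLE_LOG_LINES, 1_000_000):
        print(f"{vm} sent {total} bytes to {ip}:{port}")
```

Filtering on reporter == "SRC" is what keeps internal flows from being counted twice; the same filter is the usual first step in a BigQuery query over a flow-log sink.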

471
MCQhard

A company is designing an HA VPN to connect their on-premises data center to Google Cloud VPC. The on-premises router supports two independent interfaces with public IPs. They want to achieve 99.99% availability for the VPN connection, understanding that HA VPN uses two tunnels and two Cloud Router instances. Which configuration meets this goal?

A.Two tunnels: both tunnels from the same on-premises interface to two different Cloud Router instances
B.Two tunnels: each tunnel from a separate on-premises interface to the same Cloud Router instance
C.Four tunnels: two tunnels from each on-premises interface to the same Cloud Router instance
D.Four tunnels: one tunnel from each on-premises interface to each Cloud Router instance, totaling four BGP sessions
AnswerD

A full mesh of tunnels across both on-premises interfaces and both Google-side interfaces leaves no single device, interface, or tunnel as a point of failure.

Why this answer

Option D is correct. In the question's model each Google-side endpoint is a separate Cloud Router instance; in practice an HA VPN gateway has two interfaces and a single regional Cloud Router runs one BGP session per tunnel. Google's 99.99% SLA for HA VPN requires that both gateway interfaces carry tunnels, so a full mesh of four tunnels between the two on-premises interfaces and the two Google-side interfaces (four BGP sessions) keeps traffic flowing if any one on-premises interface, Google-side interface, or tunnel fails. The design combines redundancy on the on-premises side with redundancy on the Google side to meet the availability target.

Exam trap

The trap here is that candidates often think two tunnels, one per on-premises interface, landing on the same Google-side endpoint is sufficient, but they overlook that the Google side must also be redundant: the HA VPN SLA requires tunnels on both gateway interfaces (the question's two Cloud Router instances), so redundancy is needed at both the on-premises and the Google layer to reach 99.99%.

How to eliminate wrong answers

Option A is wrong because using the same on-premises interface for both tunnels creates a single point of failure at the on-premises side; if that interface fails, both tunnels go down, violating the 99.99% availability goal. Option B is wrong because both tunnels terminate on the same Cloud Router instance, which is a single point of failure in the Google Cloud side; if that Cloud Router fails, all BGP sessions are lost. Option C is wrong because four tunnels from two interfaces to the same Cloud Router instance still leaves the Cloud Router as a single point of failure, and the BGP sessions are not fully redundant across Cloud Routers.

472
MCQhard

A company has a VPC with a single subnet in us-central1 (10.0.0.0/24). They have a Compute Engine instance running a database that uses an internal IP address 10.0.0.10. They need to ensure that this database instance can be accessed by a legacy on-premises application via a Cloud VPN tunnel. The on-premises network uses 192.168.0.0/16. They have set up a HA VPN gateway with two tunnels and BGP routing. The Cloud Router is configured to advertise the subnet 10.0.0.0/24. On the on-premises side, the router receives the route for 10.0.0.0/24 and has a static route for 10.0.0.0/24 pointing to the VPN tunnel. However, the on-premises application cannot reach the database. The application's server can ping the on-premises gateway, but not the database IP. The database instance's OS firewall allows all traffic from 0.0.0.0/0. What is the most likely cause?

A.The database instance's OS firewall is blocking the traffic despite the setting.
B.The VPC firewall rules are blocking ingress from on-premises; add a rule allowing traffic from 192.168.0.0/16 to the database IP.
C.The Cloud Router is not advertising the specific database IP 10.0.0.10, only the subnet 10.0.0.0/24.
D.The BGP session is not establishing properly; check the shared secret and IP addresses.
AnswerB

The VPC's implied ingress rule denies all inbound traffic; the instance's OS firewall never sees the packets until a VPC allow rule admits them.

Why this answer

The routing is fine: the route for 10.0.0.0/24 is learned on-premises, the BGP sessions are up, and the on-premises server reaches its gateway, which says nothing about the VPC side. What drops the traffic is the VPC firewall: every VPC has an implied ingress deny rule at priority 65535, and the permissive OS firewall is irrelevant because packets are dropped before they reach the VM. Option B is correct: create an ingress allow rule with source 192.168.0.0/16, targeted at the database instance (by network tag or service account) on the database port; VPC firewall rules are stateful, so the return traffic is allowed automatically.

473
MCQeasy

A network engineer is designing a VPC in Google Cloud with multiple subnets across different regions. The application requires low-latency communication between instances in the same region but not across regions. Which VPC network configuration should be used?

A.Auto mode VPC with global subnets
B.Legacy network
C.Auto mode VPC with regional subnets
D.Custom mode VPC with regional subnets
AnswerD

Custom mode allows you to create subnets only in required regions, reducing complexity and latency.

Why this answer

Custom mode VPC with regional subnets (D) is correct because it allows you to explicitly define subnets in specific regions, ensuring that instances within the same region communicate over low-latency paths without cross-region traffic. This design avoids the automatic creation of subnets in every region (as in auto mode) and prevents the use of deprecated legacy networks, giving you full control over regional placement for latency-sensitive applications.

Exam trap

Google Cloud often tests the misconception that auto mode VPCs can be configured with regional subnets, but in reality, auto mode automatically creates subnets in every region, and only custom mode gives you the granularity to define subnets per region for low-latency designs.

How to eliminate wrong answers

Option A is wrong because Google Cloud has no global subnets: every subnet is regional, and an auto mode VPC simply creates one subnet per region automatically, leaving you with subnets you do not need and no control over their ranges. Option B is wrong because legacy networks are deprecated and have no subnets at all (a single global range), so they cannot express regional placement. Option C is wrong because "auto mode with regional subnets" is a misnomer: auto mode always creates its full set of regional subnets and cannot be limited to chosen regions; only custom mode lets you create subnets solely where the application runs.

474
MCQeasy

Which GCP service provides a dedicated, low-latency connection from an on-premises data center to Google Cloud?

A.Cloud Router
B.Cloud Interconnect
C.Cloud VPN
D.VPC Network
AnswerB

Provides dedicated bandwidth and lower latency.

Why this answer

Cloud Interconnect provides a dedicated, low-latency connection from an on-premises data center to Google Cloud, bypassing the public internet. It offers two options: Dedicated Interconnect (a direct physical connection via a colocation facility) and Partner Interconnect (via a supported service provider). This ensures consistent bandwidth and lower latency compared to VPN-based solutions.

Exam trap

The trap here is that candidates often confuse Cloud Router (which handles routing) with the actual connection service, or assume Cloud VPN provides dedicated bandwidth, when in fact only Cloud Interconnect offers a dedicated, low-latency link that bypasses the public internet.

How to eliminate wrong answers

Option A is wrong because Cloud Router is a managed BGP-based router that dynamically exchanges routes between a Cloud VPN or Cloud Interconnect and a VPC network, but it does not provide the physical or dedicated connection itself. Option C is wrong because Cloud VPN uses the public internet with IPsec tunnels, which introduces variable latency and bandwidth, and does not offer a dedicated, low-latency connection. Option D is wrong because VPC Network is a virtual private cloud networking construct that defines the network topology within GCP, not a service for connecting on-premises data centers to Google Cloud.

475
Multi-Selectmedium

A company is designing a VPC with multiple subnets across two regions for high availability. They want to ensure that instances in different regions can communicate using internal IP addresses without traversing the public internet. Which TWO actions should they take? (Choose two.)

Select 2 answers
A.Set up VPC peering between the VPCs in each region.
B.Set up Cloud VPN or Dedicated Interconnect between the two VPCs.
C.Create firewall rules allowing all traffic from the other region's subnet CIDR.
D.Configure instances to use external IP addresses for cross-region communication.
E.Use a shared VPC to connect both regions.
AnswersA, B

VPC peering allows using internal IP addresses across regions.

Why this answer

Option A is correct because VPC Network Peering gives direct private-IP connectivity between two VPC networks over Google's backbone, without touching the public internet; peering exchanges subnet routes automatically, so instances in different regions can talk over internal IPs provided the CIDR ranges do not overlap. Option B is correct because Cloud VPN or Interconnect between the two networks also provides a private layer-3 path, at the cost of tunnel or circuit management. Note that a single VPC network is global: subnets of one VPC in different regions already communicate over internal IPs with no extra configuration, so these steps apply when the two regions' subnets live in separate VPC networks.

Exam trap

Google Cloud often tests the misconception that firewall rules alone can enable cross-VPC communication, but candidates must remember that a layer-3 path (via peering, VPN, or Interconnect) is required first, and that Shared VPC is a way for service projects to use a host project's global network, not a mechanism for connecting regions.

476
Matchingmedium

Match each Cloud DNS record type to its use.

A: Maps a hostname to an IPv4 address

AAAA: Maps a hostname to an IPv6 address

CNAME: Alias of one hostname to another

MX: Specifies mail servers for a domain

TXT: Holds arbitrary text, often for verification

Why these pairings

These are common DNS record types used in Cloud DNS.

477
MCQeasy

A network engineer is configuring Cloud Router for Dedicated Interconnect. The on-premises router is advertising a route to 10.1.0.0/16. The engineer wants to ensure that Google Cloud always prefers this route over other routes learned from different on-premises routers. Which BGP attribute should be set on the on-premises router?

A.NEXT_HOP
B.AS_PATH
C.LOCAL_PREF
D.MED
AnswerD

A lower MED on the advertisement makes Cloud Router prefer that path for traffic from Google Cloud to 10.1.0.0/16.

Why this answer

MED (Multi-Exit Discriminator) is the attribute an eBGP neighbour uses to tell the other side which of several entry points it prefers, and it is the one attribute here that Cloud Router honours for path selection. Cloud Router uses the received MED as the priority of the learned route: the route with the lowest MED becomes the preferred path for traffic leaving the VPC toward 10.1.0.0/16, and routes with equal MED are installed as equal-cost paths. Setting a lower MED on the advertisement from the preferred on-premises router therefore makes Google Cloud always choose that path.

Exam trap

The trap here is that candidates often confuse LOCAL_PREF (used for outbound path selection within an AS) with MED (used for inbound path selection between ASes), leading them to incorrectly choose LOCAL_PREF when the question asks about influencing Google Cloud's route preference from on-premises routers.

How to eliminate wrong answers

Option A is wrong because NEXT_HOP is a mandatory BGP attribute that specifies the IP address of the next-hop router, not a metric for path selection; it cannot influence route preference. Option B is wrong because AS_PATH is used for loop prevention and path selection (shorter AS_PATH is preferred), but it is not the attribute to force preference for a specific on-premises router; modifying AS_PATH artificially is not the intended mechanism. Option C is wrong because LOCAL_PREF is a well-known discretionary attribute used to influence outbound traffic from an AS, not inbound traffic; it is set within the local AS and not exchanged between peers, so it cannot be set on the on-premises router to affect Google Cloud's path selection.
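To make the LOCAL_PREF versus MED distinction concrete, here is an added example (not from the original page) with a simplified BGP decision process and an eBGP export step. It shows that a LOCAL_PREF set on the on-premises router never reaches Google Cloud, while MED does and decides between two advertisements of 10.1.0.0/16. The router names, link-local next hops and AS number 65001 are made up; treating a missing MED as 0 is an assumption.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    learned_from: str                 # the on-premises router that advertised the route
    next_hop: str
    as_path: tuple                    # ASNs, nearest first; empty for a locally originated route
    med: int = 0                      # a missing MED is treated as 0 here (assumption)
    local_pref: Optional[int] = None  # only meaningful inside the AS that set it


def export_to_ebgp_peer(route, local_asn):
    """What an eBGP speaker actually sends its neighbour: LOCAL_PREF is dropped and the
    sender's own ASN is prepended to AS_PATH. MED survives, which is why it is the knob."""
    return replace(route, local_pref=None, as_path=(local_asn,) + route.as_path)


def best_paths(candidates):
    """Simplified BGP decision for one prefix: highest LOCAL_PREF (100 when unset),
    then shortest AS_PATH, then lowest MED. Routes still tied are equal-cost;
    Cloud Router installs all of them and balances across them."""
    def rank(r):
        return (-(r.local_pref if r.local_pref is not None else 100), len(r.as_path), r.med)
    best = min(rank(r) for r in candidates)
    return [r for r in candidates if rank(r) == best]


# Constructed example: two on-premises routers in AS 65001 both advertise 10.1.0.0/16.
# onprem-r1 sets LOCAL_PREF 500 locally (useless here) and MED 100; onprem-r2 sends MED 200.
ROUTE_FROM_R1 = export_to_ebgp_peer(
    BgpRoute("10.1.0.0/16", "onprem-r1", "169.254.10.1", (), med=100, local_pref=500), 65001)
ROUTE_FROM_R2 = export_to_ebgp_peer(
    BgpRoute("10.1.0.0/16", "onprem-r2", "169.254.20.1", (), med=200), 65001)


def preferred_routers():
    """Which on-premises router Google Cloud uses for 10.1.0.0/16."""
    return [r.learned_from for r in best_paths([ROUTE_FROM_R1, ROUTE_FROM_R2])]


if __name__ == "__main__":
    print(preferred_routers())        # ['onprem-r1']
    print(ROUTE_FROM_R1.local_pref)   # None: LOCAL_PREF never crossed the eBGP boundary
```

If both routers sent the same MED, best_paths would return both routes and Cloud Router would spread traffic across the two paths, which is the active/active pattern for redundant Interconnect attachments.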

478
MCQeasy

Which Google Cloud hybrid connectivity option can be configured without using BGP?

A.Partner Interconnect
B.Dedicated Interconnect
C.HA VPN
D.Classic VPN with static routes
AnswerD

Classic VPN supports static routes, eliminating the need for BGP.

Why this answer

Option D is correct because Classic VPN supports static routing (policy-based or route-based tunnels) and does not require BGP. Options A, B, and C all depend on BGP: Dedicated Interconnect and Partner Interconnect exchange routes with Cloud Router over BGP, and HA VPN requires dynamic routing with Cloud Router to qualify for its SLA.

479
MCQmedium

An enterprise is using a 10 Gbps Dedicated Interconnect between their on-premises data center and Google Cloud. They measure throughput and find it is only 5 Gbps even though there is no congestion. The on-premises router is configured with a single VLAN attachment. What is the most likely cause?

A.BGP is not configured, causing routing loop
B.The on-premises router does not support full line rate
C.MTU mismatch between on-premises and Google Cloud
D.QoS policy is limiting throughput on Google Cloud side
AnswerB

The on-premises router may be the bottleneck.

Why this answer

A single VLAN attachment on a 10 Gbps Dedicated Interconnect means the on-premises router must handle all traffic through one physical interface. If the router lacks the forwarding capacity to process packets at 10 Gbps line rate, throughput will be capped at its maximum switching or routing performance, which in this case is 5 Gbps. This is a common hardware limitation, not a configuration or congestion issue.

Exam trap

Google Cloud often tests the misconception that throughput issues are always caused by configuration errors (e.g., MTU, BGP, QoS) rather than hardware limitations, leading candidates to overlook the router's actual forwarding capacity.

How to eliminate wrong answers

Option A is wrong because BGP is required for Dedicated Interconnect to exchange routes; without BGP, the interconnect would not establish connectivity at all, not just limit throughput to 5 Gbps. Option C is wrong because an MTU mismatch would cause packet fragmentation or drops, not a consistent 50% throughput reduction, and would typically manifest as packet loss or connectivity issues rather than a steady 5 Gbps cap. Option D is wrong because Google Cloud does not apply QoS policies that throttle throughput on Dedicated Interconnect attachments; throughput is limited by the on-premises router's capacity or the interconnect's bandwidth, not by cloud-side QoS.

480
MCQmedium

A company has deployed a globally distributed application on Google Cloud using Cloud Load Balancing and managed instance groups across multiple regions. They need to restrict access to the application's backend instances so that only traffic from the load balancer's health check ranges and the load balancer's source IP addresses is allowed. Which firewall rule configuration should be used?

A.Create an ingress firewall rule that allows traffic from the load balancer's health check ranges and uses a service account filter to allow traffic from the cloud-services service account (used by the load balancer).
B.Create an ingress firewall rule allowing all traffic from 0.0.0.0/0 with a target tag applied to the backend instances.
C.Create an ingress firewall rule that denies all traffic except from the load balancer's frontend IP address.
D.Create an ingress firewall rule allowing traffic from the health check ranges (35.191.0.0/16, 130.211.0.0/22) and the load balancer's source IP ranges (e.g., 130.211.0.0/22) to the backend instances.
AnswerD

Google publishes 35.191.0.0/16 and 130.211.0.0/22 as the source ranges for health-check probes and for the proxies of global external Application and proxy load balancers; an ingress allow rule from those ranges to the backends is the documented configuration.

Why this answer

Option D is correct. Traffic from a global external proxy-based load balancer reaches the backends with the proxy's source address, not the client's and not the frontend VIP's, and Google documents 130.211.0.0/22 and 35.191.0.0/16 as the ranges to allow for both the proxies and the health-check probers. Scope the rule to the backend instances with a target tag or target service account and to the serving port only, so the rule admits nothing but load balancer traffic. Caveat: Envoy-based regional load balancers send proxied traffic from the region's proxy-only subnet, which must be allowed as well, and restrictions on client IPs belong in a Cloud Armor policy, not in the backend firewall.

Exam trap

Google Cloud often tests the misconception that you can simply allow the load balancer's frontend IP address; the frontend IP is a virtual IP that never appears as the source of packets reaching the backends. A second trap is the idea of filtering load balancer traffic by service account: the source service account filter in a firewall rule matches traffic from VMs running as that service account, and Google's proxies are not VMs in your VPC.

How to eliminate wrong answers

Option A is wrong because there is no "cloud-services" service account behind the load balancer's traffic; source-service-account filters identify VM instances in the VPC, so that clause matches nothing, and whatever the rule admits it admits only because of the IP ranges it also lists, which makes it option D with a misleading addition. Option B is wrong because allowing all traffic from 0.0.0.0/0 lets any internet source reach the backends directly, bypassing the load balancer and violating the requirement. Option C is wrong because denying everything except the frontend IP blocks legitimate traffic: the frontend VIP is never the source address of packets arriving at the backends, which see the proxy and health-check ranges instead.
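The two firewall questions above (the on-premises database that is unreachable behind the implied ingress deny, and the backend rule for load balancer proxies and health checks) both come down to how VPC firewall rules are evaluated: every matching rule is considered, the lowest priority number wins, deny beats allow on a tie, and the two implied rules sit at priority 65535. Here is an added example (not from the original page) of that evaluation with constructed rules for both scenarios. Target filtering by tag or service account is not modelled; the rule names, the on-premises source 192.168.1.5 and the probe address 35.191.2.3 are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "INGRESS" or "EGRESS"
    priority: int       # 0-65535; the lowest number wins
    action: str         # "allow" or "deny"
    ranges: tuple       # source CIDRs for ingress, destination CIDRs for egress
    ports: tuple = ()   # (protocol, port) pairs; empty means every protocol and port


# The two implied rules every VPC network has (priority 65535, cannot be removed).
IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", 65535, "deny", ("0.0.0.0/0",)),
    Rule("implied-allow-egress", "EGRESS", 65535, "allow", ("0.0.0.0/0",)),
)

# Hypothetical rules for the two scenarios. Assume they already target the instances in question.
ONPREM_DB_RULE = Rule("allow-onprem-to-db", "INGRESS", 1000, "allow",
                      ("192.168.0.0/16",), (("tcp", 5432),))
LB_BACKEND_RULE = Rule("allow-lb-proxies-and-health-checks", "INGRESS", 1000, "allow",
                       ("130.211.0.0/22", "35.191.0.0/16"), (("tcp", 80),))


def rule_matches(rule, direction, remote_ip, protocol, port):
    """Does this rule apply to a packet with the given remote address and destination port?"""
    if rule.direction != direction:
        return False
    addr = ipaddress.ip_address(remote_ip)
    if not any(addr in ipaddress.ip_network(cidr) for cidr in rule.ranges):
        return False
    return not rule.ports or (protocol, port) in rule.ports


def evaluate(rules, direction, remote_ip, protocol, port):
    """Return (action, rule_name) for one packet: lowest priority number wins, and at
    equal priority deny takes precedence over allow, as in Google Cloud."""
    candidates = [r for r in (*rules, *IMPLIED_RULES)
                  if rule_matches(r, direction, remote_ip, protocol, port)]
    winner = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


if __name__ == "__main__":
    print(evaluate((), "INGRESS", "192.168.1.5", "tcp", 5432))                # implied deny
    print(evaluate((ONPREM_DB_RULE,), "INGRESS", "192.168.1.5", "tcp", 5432))  # allowed
    print(evaluate((LB_BACKEND_RULE,), "INGRESS", "35.191.2.3", "tcp", 80))    # probe allowed
    print(evaluate((LB_BACKEND_RULE,), "INGRESS", "203.0.113.7", "tcp", 80))   # internet client denied
```

The last call is the point of the load balancer rule: an arbitrary internet address on port 80 still hits the implied deny, so the backends are reachable only through the proxies.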

481
Multi-Selecteasy

A network engineer is designing a hybrid cloud architecture connecting an on-premises data center to Google Cloud via Dedicated Interconnect. The on-premises network uses BGP for dynamic routing. The engineer needs to configure Cloud Router to exchange routes with the on-premises router. Which two configuration steps are required? (Choose two.)

Select 2 answers
A.Enable the BGP session on the Cloud Router and configure the peer IP address and ASN.
B.Create a VLAN attachment for the Interconnect connection.
C.Configure a static route in Google Cloud VPC with the on-premises prefix.
D.Assign a primary and secondary IP range to the Cloud Router interface.
E.Configure the Cloud Router with the same ASN as the on-premises router.
AnswersA, B

A BGP session is needed to exchange routes with the on-premises router.

Why this answer

Option A is correct because Cloud Router uses BGP to dynamically exchange routes with the on-premises router over Dedicated Interconnect. Enabling the BGP session requires configuring the peer IP address (the on-premises router's interface IP) and the on-premises ASN, which allows the two routers to establish a BGP peering and exchange prefixes.

Exam trap

Google Cloud often tests the misconception that Cloud Router must use the same ASN as the on-premises router, but eBGP requires different ASNs, and Cloud Router does not support iBGP for Dedicated Interconnect.

482
MCQeasy

You want to manage DNS records for a domain that you own in Google Cloud DNS. You create a public managed zone and add A records. After waiting several hours, the domain does not resolve. What is the most likely missing step?

A.Update the registrar's name servers to the Google Cloud DNS name servers.
B.Create a private zone for the domain.
C.Enable DNSSEC for the zone.
D.Set up DNS forwarding to Google's public DNS.
AnswerA

The domain will not resolve until the registrar points to Google's name servers.

Why this answer

Option A is correct: after you create a public managed zone, you must change the name servers at the domain's registrar to the Cloud DNS name servers assigned to that zone (listed in its NS record); until the delegation points there, resolvers never query Cloud DNS. Option B is wrong because a private zone only answers queries from the VPC networks it is authorized for. Option C is wrong because DNSSEC is optional and does not affect delegation.

Option D is wrong because forwarding is not required for public resolution.

483
MCQmedium

A company has two VPC networks in the same project: Network A (hosting a private zone for 'example.internal.') and Network B. They are connected via VPC peering. The network engineer created a DNS peering zone in Network B for 'example.internal.' pointing to Network A. However, instances in Network B cannot resolve 'host.example.internal.' which is defined in Network A's private zone. The engineer verified that the peering zone is active and the networks are properly peered. What is the most likely reason for the resolution failure?

A.An inbound server policy must be created in Network A.
B.The peering zone should be a forwarding zone instead.
C.An outbound server policy must be created in Network B.
D.The private zone in Network A is not configured to allow resolution from peered networks.
AnswerD

A DNS peering zone only resolves what the target network itself can resolve: the private zone must be authorized for Network A, the network the peering zone points at.

Why this answer

Option D is correct because a DNS peering zone hands the query to the target network's own resolution order. The private zone for 'example.internal.' must be authorized for (attached to) Network A, the network the peering zone in Network B targets; if the zone is authorized only for another network, or for none, Network A has nothing to answer with and the lookup for 'host.example.internal.' fails even though the peering zone is active. Note that DNS peering does not depend on VPC Network Peering at all: the peering zone in Network B plus a private zone authorized for Network A is what matters.

Exam trap

Google Cloud often tests the distinction between VPC Network Peering and DNS peering, trapping candidates who assume that an active VPC peering plus a DNS peering zone is sufficient without checking which networks the private zone in the target network is authorized for.

How to eliminate wrong answers

Option A is wrong because an inbound server policy is used to allow DNS queries from on-premises or external networks into a VPC, not for VPC peering scenarios. Option B is wrong because a forwarding zone is used to send queries to a specific target (e.g., on-premises DNS), whereas a peering zone is the correct type for recursively resolving from another VPC's private zone. Option C is wrong because an outbound server policy controls DNS queries leaving a VPC to on-premises or external targets, not for resolving via a peering zone within the same project.

484
MCQeasy

A company wants to ensure that only traffic from specific source IP ranges can reach a Cloud Load Balancer. How should they enforce this?

A.Use IAP.
B.Configure Cloud Armor with IP allowlist.
C.Set up Cloud NAT.
D.Use VPC firewall rules on the load balancer's backend.
AnswerB

Cloud Armor can filter traffic to the load balancer based on source IP.

Why this answer

Cloud Armor is a web application firewall that attaches, as a security policy, to the backend service of an external Application (HTTP(S)) or proxy load balancer and evaluates its rules, including source-IP allow and deny lists, at Google's edge before traffic reaches any backend. This meets the requirement without touching instance configuration. (For a passthrough Network Load Balancer the client IP is preserved and backend VPC firewall rules do filter it, but that is not the proxy-style load balancer this question describes.)

Exam trap

The trap here is that candidates confuse VPC firewall rules (which apply to VM instances) with Cloud Armor (which applies to the load balancer frontend), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option A is wrong because IAP (Identity-Aware Proxy) controls access based on user identity and context, not source IP ranges, and it operates at the application layer, not the network layer. Option C is wrong because Cloud NAT provides outbound internet access for private instances, not inbound traffic filtering or allowlisting. Option D is wrong because VPC firewall rules apply to the load balancer's backend instances, not to the load balancer itself, and they cannot filter traffic arriving at the load balancer's frontend IP.

485
MCQmedium

A company uses Cloud NAT to allow private instances to reach the internet. They notice that egress traffic from Compute Engine VMs is intermittently failing. The VMs are in us-central1-a and use the default VPC network. Cloud NAT is configured with a single NAT IP address. What is the most likely cause?

A.Missing default route to Internet gateway
B.Port exhaustion due to insufficient NAT IP addresses
C.Cloud NAT not configured in the correct region
D.Firewall rule blocking egress traffic from VM
AnswerB

A single NAT IP has 64,512 usable source ports shared by every VM behind the gateway; once they are allocated, additional VMs or flows fail.

Why this answer

Cloud NAT performs source NAT: each VM behind the gateway is allocated a block of source ports on the NAT IP (64 per VM by default with static port allocation), drawn from the 64,512 usable ports (1024 to 65535) that each NAT IP provides. A single NAT IP therefore serves at most about 1,008 VMs at the default allocation, and a VM that opens more concurrent connections to the same destination IP and port than it has ports runs out. Both conditions appear as intermittent failures, which matches the symptom; the gateway's nat_allocation_failed metric (VMs that received no ports) and dropped_sent_packets_count with reason OUT_OF_RESOURCES (flows with no free port) confirm it. The fix is more NAT IPs (or automatic IP allocation), a larger minimum ports per VM, or dynamic port allocation.

Exam trap

Google Cloud often tests the misconception that Cloud NAT automatically scales with traffic or that a single NAT IP is sufficient for any workload, when in reality port exhaustion is a common scaling bottleneck.

How to eliminate wrong answers

Option A is wrong because the default VPC network already includes a default route (0.0.0.0/0) pointing to the internet gateway, so a missing default route is not the issue. Option C is wrong because Cloud NAT is regionally scoped, and the VMs are in us-central1-a, which is within the us-central1 region; if the NAT were misconfigured for a different region, no traffic would work at all, not just intermittently. Option D is wrong because firewall rules in VPC are stateful and allow return traffic; an egress firewall rule blocking traffic would cause consistent failure, not intermittent, and the default VPC allows all egress by default.
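Sizing a Cloud NAT gateway is a small calculation that is easy to get wrong, so here is an added example (not from the original page) that works it through with the published constants: 64,512 usable ports per NAT IP and a default of 64 ports per VM. It separates the two ways a gateway runs dry. It assumes the configured minimum ports per VM is the allocation size (a gateway may round the block up; that is not modelled), and the VM counts and flow rates in the usage calls are made up.

```python
import math

USABLE_PORTS_PER_NAT_IP = 65536 - 1024  # Cloud NAT uses ports 1024-65535 of each NAT IP: 64,512
DEFAULT_MIN_PORTS_PER_VM = 64            # default minimum ports per VM with static port allocation


def max_vms_per_nat_ip(min_ports_per_vm=DEFAULT_MIN_PORTS_PER_VM):
    """How many VMs one NAT IP can serve when each VM gets min_ports_per_vm ports.
    Assumes the configured minimum is the allocation size (rounding is not modelled)."""
    return USABLE_PORTS_PER_NAT_IP // min_ports_per_vm


def nat_ips_required(vm_count, min_ports_per_vm=DEFAULT_MIN_PORTS_PER_VM):
    """Smallest number of NAT IPs that gives every VM its port block."""
    return math.ceil(vm_count * min_ports_per_vm / USABLE_PORTS_PER_NAT_IP)


def capacity_report(vm_count, nat_ip_count, peak_flows_per_vm_to_one_endpoint,
                    min_ports_per_vm=DEFAULT_MIN_PORTS_PER_VM):
    """Two distinct exhaustion modes. VMs beyond vms_supported get no ports at all
    (nat_allocation_failed); a VM whose concurrent flows to one destination IP:port exceed
    its block drops the extra flows (dropped_sent_packets_count, OUT_OF_RESOURCES).
    A source port can be reused toward different destinations, so the per-VM bound is
    per destination endpoint, not a global per-VM flow limit."""
    vms_supported = nat_ip_count * max_vms_per_nat_ip(min_ports_per_vm)
    return {
        "vms_supported": vms_supported,
        "vm_slots_exhausted": vm_count > vms_supported,
        "per_vm_ports_exhausted": peak_flows_per_vm_to_one_endpoint > min_ports_per_vm,
        "nat_ips_needed": nat_ips_required(vm_count, min_ports_per_vm),
    }


if __name__ == "__main__":
    print(max_vms_per_nat_ip())            # 1008 VMs per NAT IP at the defaults
    print(capacity_report(1500, 1, 20))    # too many VMs for a single IP
    print(capacity_report(500, 1, 200))    # one VM needs more than its 64 ports
```

The second report is the case the question describes: a single IP, many VMs, and failures that come and go as VMs are created and port blocks are freed or denied.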

486
MCQeasy

A startup is deploying a microservices application on Google Kubernetes Engine (GKE). They want to expose a service to the internet using a load balancer that provides SSL termination and supports WebSocket. Which type of Service should they use?

A.Create a Service of type ClusterIP and use an Ingress resource with a backendConfig.
B.Create a Service of type LoadBalancer with an HTTP(S) load balancer.
C.Create a Service of type NodePort and configure an external TCP/UDP load balancer.
D.Create a Headless Service with an external DNS A record pointing to the pod IPs.
AnswerA

A GKE Ingress provisions an external Application (HTTP(S)) Load Balancer, which terminates TLS and proxies WebSocket natively; a Service of type LoadBalancer only gives a passthrough Network (L4) Load Balancer.

Why this answer

Option A is correct. In GKE an Ingress resource creates an external Application Load Balancer: the frontend terminates TLS using the certificate in a Kubernetes TLS Secret or a Google-managed certificate, and Application Load Balancers carry WebSocket connections without special handling once the client upgrades. The Service behind the Ingress is ClusterIP (with container-native load balancing through NEGs) or NodePort. The BackendConfig is what lets you raise the backend service timeout above its 30-second default so long-lived WebSocket connections are not cut off, which is why it appears in this option.

Exam trap

Google Cloud often tests the misconception that a Service of type LoadBalancer gives you an HTTP(S) load balancer. It does not: on GKE, type LoadBalancer provisions a passthrough Network Load Balancer that forwards TCP or UDP and never terminates TLS; TLS termination at the edge requires an Ingress (or Gateway) resource that creates an Application Load Balancer.

How to eliminate wrong answers

Option B is wrong because a Service of type LoadBalancer creates a passthrough Network Load Balancer, an L4 product with no TLS termination and no HTTP awareness; the phrase "with an HTTP(S) load balancer" describes a combination GKE does not offer for that Service type. Option C is wrong because a NodePort Service fronted by an external TCP/UDP load balancer has the same limitation: TLS would have to be terminated in the pods themselves, not at the load balancer. Option D is wrong because a Headless Service exists for DNS-based discovery of individual pod IPs inside the cluster; it provides no public endpoint, no load balancing, and no TLS termination.

487
MCQhard

An organization has a Dedicated Interconnect with two VLAN attachments connected to two different edge availability domains (EADs). They want to use a single Cloud Router for both attachments. How many BGP sessions should be established on the Cloud Router?

A.It depends on the redundancy requirements; typically two per attachment for active-active.
B.Four: two per VLAN attachment.
C.Two: one per VLAN attachment.
D.One: one session per Cloud Router.
AnswerC

Each VLAN attachment is bound to one Cloud Router interface and carries one BGP session, so two attachments give two sessions.

Why this answer

Option C is correct. A VLAN attachment is associated with exactly one Cloud Router interface, and the /29 link-local range assigned to the attachment provides one Cloud Router address and one on-premises address for a single BGP session. Two attachments in two edge availability domains therefore produce two BGP sessions on the Cloud Router, one per attachment, each peering with the on-premises router behind that attachment. With equal MED values on both sessions the paths are active/active; when one attachment's session drops, Cloud Router withdraws the routes learned over it and traffic shifts to the other.

Exam trap

The trap is assuming that more BGP sessions means more redundancy. Redundancy comes from separate attachments in separate edge availability domains (and separate on-premises devices); each attachment still carries exactly one BGP session, so "two sessions per attachment" is not a configuration you can build.

How to eliminate wrong answers

Option A is wrong because the number of sessions per attachment is not a design choice that varies with the redundancy model; an attachment carries one session, and redundancy is added with more attachments, not more sessions. Option B is wrong for the same reason: four sessions would require four attachments. Option D is wrong because a single session leaves the second attachment without BGP, so it would never carry traffic and the design silently collapses to one path.

488
MCQeasy

A company wants to enforce that all HTTPS load balancer traffic uses TLS 1.2 or higher. Which Google Cloud resource should they configure?

A.SSL certificate resource
B.SSL policy attached to the target HTTPS proxy
C.VPC firewall rule to block TLS 1.0/1.1
D.Identity-Aware Proxy (IAP)
AnswerB

SSL policy specifies minimum TLS version and ciphers.

Why this answer

Option B is correct because an SSL policy in Google Cloud can be attached to a target HTTPS proxy to enforce minimum TLS version requirements, such as TLS 1.2 or higher. This policy directly controls the TLS handshake parameters at the load balancer level, ensuring that only clients supporting TLS 1.2 or above can establish HTTPS connections.

Exam trap

The trap here is that candidates often confuse SSL certificates (which only provide cryptographic material) with SSL policies (which enforce protocol and cipher restrictions), leading them to select the SSL certificate resource as the answer.

How to eliminate wrong answers

Option A is wrong because an SSL certificate resource only stores the certificate and private key for TLS termination; it does not enforce TLS protocol version restrictions. Option C is wrong because VPC firewall rules operate at the network layer (IP/port) and cannot inspect or enforce TLS protocol versions, which are part of the application layer handshake. Option D is wrong because Identity-Aware Proxy (IAP) provides access control based on identity and context, not TLS version enforcement; it does not replace the need for an SSL policy on the load balancer.

489
Multi-Select (medium)

A company uses Shared VPC. They want to restrict which service project's VMs can use a specific subnet. Which TWO methods can achieve this? (Choose TWO.)

Select 2 answers
A.Use VPC network peering.
B.Use IAM roles on the subnet resource to grant 'compute.subnetUser' to specific service projects.
C.Use firewall rules to deny traffic from other service projects.
D.Use network tags on VMs and associate the subnet with those tags.
E.Use organizational policy constraints like 'compute.restrictVpcSubnetworks'.
Answers: B, E

This IAM role controls which projects can use the subnet.

Why this answer

Option B is correct because IAM roles on a subnet resource allow you to grant the `compute.subnetUser` role to specific service projects, which controls which projects can create VM instances in that subnet. This is a direct method to restrict subnet usage within a Shared VPC environment, as the role grants permission to use the subnet without granting broader network access.

Exam trap

Google Cloud often tests the misconception that firewall rules or network tags can control subnet access, when in fact they only control traffic flow or VM-level attributes, not the authorization to use a subnet resource.

490
MCQ (easy)

A company has an external HTTP(S) load balancer with a backend service pointing to an instance group in us-east1. They enable Cloud CDN to improve performance for global users. After enabling, they observe that users in Asia still experience high latency. They verify that the backend instances respond with Cache-Control headers that allow caching. What is the most likely reason for the high latency?

A.The cache TTL is too short.
B.Cloud CDN is not enabled on the correct backend.
C.The load balancer is a regional load balancer, not a global one.
D.The backend instances are in us-east1, too far from Asia.
Answer: C

Regional load balancers do not have global anycast IP, so users far away experience high latency.

Why this answer

Option C is correct because an external HTTP(S) load balancer that is regional (e.g., a regional external HTTP(S) load balancer) cannot serve traffic globally with low latency; it is confined to a single region. Cloud CDN caches content at edge locations, but if the load balancer itself is regional, the cache points are also regional, so users in Asia still route to us-east1 for cache misses or even for cache hits if the edge is not globally distributed. Only a global external HTTP(S) load balancer (with a global anycast IP) can leverage Cloud CDN's global edge cache locations to serve users from the nearest point of presence.

Exam trap

The trap here is that candidates assume Cloud CDN automatically provides global low latency regardless of the load balancer type, but Google Cloud tests the distinction between regional and global external HTTP(S) load balancers and their impact on CDN edge placement.

How to eliminate wrong answers

Option A is wrong because the cache TTL being too short would cause frequent cache misses but not inherently high latency for all users; it would increase origin load but not prevent caching entirely. Option B is wrong because Cloud CDN is enabled on the backend service, which is the correct place; the issue is not about enabling it on the wrong backend but about the load balancer type. Option D is wrong because while backend instances in us-east1 are far from Asia, Cloud CDN is designed to mitigate that distance by caching at edge locations; the high latency persists because the load balancer is regional, so the edge caches are also regional and not globally distributed.

491
MCQ (easy)

An engineer is troubleshooting high latency in a VPC and suspects packet drops. Which VPC feature should they enable to get detailed information about network traffic?

A.Cloud NAT logging
B.VPC Flow Logs
C.Packet Mirroring
D.Traffic Director
Answer: B

VPC Flow Logs sample and log network flows, useful for diagnostics.

Why this answer

Option B is correct because VPC Flow Logs capture information about IP traffic going to and from network interfaces. They help diagnose packet drops and latency issues. Option A is incorrect because Cloud NAT logging provides logs about NAT connections only.

Option C is incorrect because Packet Mirroring is for capturing and inspecting traffic, not for logging. Option D is incorrect because Traffic Director is a service mesh control plane, not a traffic logging tool.

492
Multi-Select (medium)

Which THREE statements about Shared VPC are correct?

Select 3 answers
A.The Shared VPC admin role can be assigned to manage the host VPC network.
B.Service projects can use subnetworks from the host VPC.
C.The host project must be in the same organization as the service projects.
D.Service projects can delete subnets in the host VPC.
E.Service projects can create their own VPCs that peer with the host VPC.
Answers: A, B, C

The compute.xpnAdmin role allows management of Shared VPC.

Why this answer

Shared VPC allows service projects to use host VPC subnets, requires same organization, and can be managed via Shared VPC admin role.

493
MCQ (medium)

A company has a VPC with subnets in us-east1 and europe-west1. They have deployed a global external HTTP(S) load balancer with backend services in both regions. Users in Europe report high latency. What is the most likely cause?

A.Incorrect health check configuration causing backends to be marked unhealthy
B.Firewall rules blocking traffic from the load balancer's health check probes
C.The load balancer is not enabled for global access
D.Session affinity set to CLIENT_IP, causing sticky sessions to a distant backend
Answer: D

Traffic might be pinned to us-east1 even for European users.

Why this answer

Option D is correct because CLIENT_IP session affinity causes the load balancer to hash the client's IP address to a specific backend instance. If a user in Europe is hashed to a backend in us-east1, all their requests will be forwarded to that distant region, resulting in high latency. This occurs even though a healthy backend exists in europe-west1, because the affinity overrides the load balancer's normal least-latency or proximity-based routing.

Exam trap

Google Cloud often tests the misconception that high latency is always caused by health check or firewall issues, when in fact session affinity can override geographic routing and force traffic to a distant backend.

How to eliminate wrong answers

Option A is wrong because incorrect health checks would cause backends to be marked unhealthy, leading to 502 errors or failover to healthy backends, not consistently high latency to a distant region. Option B is wrong because firewall rules blocking health check probes would also cause backends to be marked unhealthy, not sustained high latency; the load balancer would stop sending traffic to those backends. Option C is wrong because global external HTTP(S) load balancers are inherently global by design; there is no 'global access' toggle to enable—they always route traffic to the closest healthy backend based on the client's location and backend capacity.

494
MCQ (easy)

A company uses Cloud NAT to enable outbound connectivity for private VMs. They notice that some VMs are not able to reach a specific external IP range. The VMs have no tags or service accounts. What is the most likely cause?

A.Cloud NAT requires each VM to have a unique external IP address.
B.The VMs need a default route pointing to the NAT gateway.
C.A static route must be created for the external IP range via the NAT gateway.
D.The VMs might be in a different subnet than the one where Cloud NAT is configured.
Answer: D

Cloud NAT is applied per subnet; VMs in other subnets won't use it unless also configured.

Why this answer

Option D is correct because Cloud NAT is configured per subnet: it uses the source IP address of the VM to decide which NAT IP to use, and if the VM is not in a subnet that the Cloud NAT configuration covers, it won't use that NAT gateway. Option B is wrong because Cloud NAT does not require a default route pointing at the NAT gateway; it works with dynamic routes. Option C is wrong because there is no static route requirement.

Option A is wrong because Cloud NAT can assign external IPs per VM if so configured, but that would not block traffic.

495
MCQ (easy)

A security engineer wants to allow SSH access to a VM that has no external IP. The VM is in a VPC with IAP configured. What is the simplest way to enable secure SSH without a bastion host?

A.Use Identity-Aware Proxy (IAP) TCP forwarding with the gcloud compute start-iap-tunnel command.
B.Create a VPN tunnel to the VPC and SSH over the VPN.
C.Configure a SOCKS proxy on a bastion host.
D.Assign an external IP to the VM and use a firewall rule to restrict access.
Answer: A

IAP TCP forwarding provides secure access without external IPs.

Why this answer

Identity-Aware Proxy (IAP) TCP forwarding allows secure SSH access to a VM without an external IP by tunneling traffic through the IAP service. The `gcloud compute start-iap-tunnel` command establishes an encrypted tunnel from your local machine to the VM via the IAP proxy, using the VM's internal IP and port 22. This eliminates the need for a bastion host or public IP while leveraging IAP's identity-based access controls.

Exam trap

Google Cloud often tests the misconception that IAP is only for web-based access (HTTP/HTTPS) and not for TCP forwarding, causing candidates to overlook the `gcloud compute start-iap-tunnel` command as a valid solution for SSH without a bastion host.

How to eliminate wrong answers

Option B is wrong because creating a VPN tunnel adds unnecessary complexity and cost, and it does not leverage IAP which is already configured in the VPC; it also requires additional VPN gateway setup. Option C is wrong because configuring a SOCKS proxy on a bastion host contradicts the requirement of 'without a bastion host' and introduces an extra hop and management overhead. Option D is wrong because assigning an external IP directly exposes the VM to the internet, violating the security intent of having no external IP and requiring firewall rules that could be misconfigured.

496
MCQ (medium)

Refer to the exhibit. A host at 10.0.2.5 attempts to SSH (tcp:22) to a VM in the default VPC that has the internal IP 10.0.1.2. What is the result?

A.The traffic is denied because the source IP is not in the same subnet as the VM.
B.The traffic is denied because the deny-ssh rule has a lower priority number and blocks all SSH traffic.
C.The traffic is denied due to the implicit deny rule at the end.
D.The traffic is allowed because it matches the allow-internal rule.
Answer: D

allow-internal allows all traffic from 10.0.0.0/8.

Why this answer

The default VPC in a cloud environment (such as AWS) includes a default security group that allows all inbound traffic from other resources within the same security group. Since both the VM (10.0.1.2) and the host (10.0.2.5) are in the default VPC and likely associated with the same default security group, the allow-internal rule permits the SSH connection. The traffic matches the allow rule before any deny rules are evaluated, so it is allowed.

Exam trap

Google Cloud often tests the misconception that security group rules are evaluated in priority order like ACLs, when in fact they are evaluated as a set of allow rules with an implicit deny at the end, and the order of rules does not affect the outcome.

How to eliminate wrong answers

Option A is wrong because the source IP (10.0.2.5) is in a different subnet (10.0.2.0/24) than the VM (10.0.1.0/24), but security group rules in a VPC are not subnet-aware; they evaluate based on IP addresses or CIDR blocks, not subnet membership. Option B is wrong because there is no explicit 'deny-ssh' rule with a lower priority number in the default VPC; the exhibit shows only an allow-internal rule, and security group rules are evaluated as a whole (all allow rules are checked first, then implicit deny). Option C is wrong because the implicit deny rule only applies if no explicit allow rule matches; here, the traffic matches the allow-internal rule, so the implicit deny is not triggered.

497
Multi-Select (medium)

A company has a Dedicated Interconnect connection between their on-premises data center and Google Cloud. They are experiencing intermittent connectivity issues on a specific VLAN attachment. The VLAN attachment is configured with a single Cloud Router and BGP sessions are established. Which two steps should they take to troubleshoot the issue? (Choose two.)

Select 2 answers
A.Verify the BGP session status on the Cloud Router.
B.Check the MTU configuration on the on-premises router.
C.Verify the physical interconnect location and cable connections.
D.Review the VLAN attachment status in the Google Cloud Console.
E.Review the Cloud NAT configuration for the VPC network.
Answers: A, D

Correct. BGP session flapping can cause intermittent connectivity.

Why this answer

Option A is correct because BGP session status on the Cloud Router directly indicates whether the routing protocol is functioning correctly between the on-premises router and Google Cloud. Intermittent connectivity on a VLAN attachment often stems from BGP flapping or session drops, which can be verified by checking the BGP state (e.g., Established, Idle, or Active) and associated error counters in the Google Cloud Console or via gcloud commands.

Exam trap

The trap here is that candidates often confuse physical layer issues (Option C) with logical layer problems, but the question specifies a single VLAN attachment, which points to a logical configuration error rather than a physical interconnect fault.
