Google Professional Cloud Network Engineer (PCNE) — Questions 601–675

982 questions total · 14 pages · All types, answers revealed


Page 9 of 14

601 · MCQ · hard

A network engineer is troubleshooting connectivity from a Compute Engine instance in subnet-a to a Google Cloud Storage bucket. The instance has no external IP address. Based on the exhibit, what is the most likely cause of the connectivity issue?

A. The subnet purpose is PRIVATE, which blocks Google APIs.
B. Private Google Access is disabled on the subnet.
C. The subnet CIDR range is too small.
D. Flow logs are disabled, so traffic is not logged.

Answer: B

Private Google Access must be enabled for instances without external IPs to access Google APIs.

Why this answer

The instance has no external IP address, so it must use Private Google Access to reach Google APIs and services like Cloud Storage. Private Google Access is enabled at the subnet level; if it is disabled, the instance cannot route traffic to the Google API VIPs through the default route (0.0.0.0/0) without a NAT gateway or external IP. Option B correctly identifies this as the most likely cause.

Exam trap

The trap here is that candidates may assume a private subnet inherently blocks all external traffic, but Private Google Access is a separate, optional subnet setting that must be explicitly enabled for instances without external IPs to reach Google APIs.

How to eliminate wrong answers

Option A is wrong because the subnet purpose PRIVATE does not block Google APIs; it simply means the subnet is used for internal VPC traffic, and Private Google Access can still be enabled on it. Option C is wrong because the CIDR range size does not affect connectivity to Google APIs; it only limits the number of IP addresses available for instances. Option D is wrong because flow logs are a monitoring feature that capture metadata about traffic, but disabling them does not prevent connectivity; they are not required for traffic to flow.

602 · MCQ · medium

An organization wants to use Cloud Router with BGP to advertise a specific on-premises subnet (10.0.1.0/24) to its GCP VPC. Which BGP attribute should they use to influence route selection if multiple paths exist?

A. Weight
B. Local Preference
C. AS Path
D. Multi-Exit Discriminator (MED)

Answer: D

MED is the correct attribute for influencing inbound traffic preference.

Why this answer

The Multi-Exit Discriminator (MED) is the correct BGP attribute for influencing inbound route selection when multiple paths exist from different autonomous systems (ASes). In this scenario, the organization advertises 10.0.1.0/24 via Cloud Router, and MED allows the on-premises router to prefer a specific path by suggesting a lower metric value (default 0, lower is better). Unlike Weight or Local Preference, MED is exchanged between ASes and directly affects how the on-premises side selects among multiple GCP paths.

Exam trap

The trap here is that candidates confuse Local Preference (which influences outbound traffic from the AS) with MED (which influences inbound traffic to the AS), leading them to pick Option B instead of D.

How to eliminate wrong answers

Option A is wrong because Weight is a Cisco-proprietary BGP attribute that is local to a router and not advertised to peers, so it cannot influence route selection from the on-premises side. Option B is wrong because Local Preference is used to influence outbound traffic from an AS and is not exchanged with external BGP peers; it affects how routes are chosen within the local AS, not how the on-premises router selects among paths. Option C is wrong because AS Path is a well-known mandatory attribute used for loop prevention and path selection (shorter path preferred), but it is not the attribute specifically designed to influence inbound route selection when multiple paths exist from different ASes; MED is the explicit metric for that purpose.

603 · Multi-Select · hard

Which THREE factors should be considered when designing a Cloud VPN for high availability? (Choose 3.)

Select 3 answers
A. Enable BGP for dynamic routing
B. Deploy VPN gateways in different regions
C. Use two tunnels from each VPN gateway
D. Use static routes for failover
E. Use a single Cloud Router for simplicity

Answers: A, B, C

BGP allows automatic route advertisement and failover.

Why this answer

Enabling BGP (Border Gateway Protocol) for dynamic routing is correct because it allows the Cloud VPN to automatically detect and route around failures. BGP exchanges route information between the on-premises router and the Cloud Router, enabling dynamic failover and load balancing across multiple tunnels. Without BGP, you would rely on static routes, which cannot adapt to network changes and require manual intervention during a failure.

Exam trap

The trap here is that candidates often think static routes with a higher metric can provide failover, but they fail to realize that static routes cannot dynamically detect a tunnel failure unless combined with a health check mechanism, which is not as reliable or fast as BGP's built-in path selection and withdrawal.

604 · MCQ · medium

A company wants to use Cloud DNS with a failover routing policy. They have two IP addresses serving the same application: a primary in us-east1 and a secondary in us-west1. They want traffic to go to the primary unless the health check fails, and then fail over to the secondary. Which configuration is required?

A. Create a geo routing policy with us-east1 as primary and us-west1 as secondary
B. Use a response policy to override the DNS response
C. Create a failover routing policy with primary and secondary targets, each associated with a health check
D. Create two A records with weighting 100 and 0

Answer: C

Failover policy uses health checks to determine active target.

Why this answer

Cloud DNS failover routing policy requires health checks to be attached to the routing policy. The primary and secondary targets are defined under the policy.

605 · MCQ · hard

A company is planning a hybrid connectivity solution with 200 Gbps total bandwidth between their data center and Google Cloud. They need the highest SLA and lowest latency. Which combination of services would meet these requirements?

A. Two 100 Gbps Dedicated Interconnect connections
B. One 100 Gbps Dedicated Interconnect and one 100 Gbps Partner Interconnect
C. Twenty 10 Gbps Dedicated Interconnect connections
D. Four 50 Gbps Partner Interconnect connections

Answer: A

Two 100 Gbps connections provide 200 Gbps bandwidth and meet the highest SLA (99.99%) and lowest latency.

Why this answer

Dedicated Interconnect provides up to 100 Gbps per link. To achieve 200 Gbps, they need two 100 Gbps connections. Two connections provide redundancy and the 99.99% SLA.

606 · MCQ · easy

A developer needs to store a TLS certificate for use with a load balancer. Which Google Cloud service is used to create and manage SSL certificates?

A. Secret Manager
B. Certificate Manager
C. Cloud IAM
D. Cloud KMS

Answer: B

Correct. Certificate Manager is used to create, manage, and deploy SSL certificates.

Why this answer

Certificate Manager is the service for managing SSL/TLS certificates for load balancers. Cloud KMS is for encryption keys, Secret Manager for secrets, and Cloud IAM for access control.

607 · Multi-Select · hard

A company is experiencing periodic packet loss between two Compute Engine instances in the same region but different zones. They have enabled VPC Flow Logs and see that the flows are marked with 'RTT' latency. Which THREE actions should they take to diagnose the issue? (Choose three.)

Select 3 answers
A. Check the Performance Dashboard for packet loss between the two zones
B. Analyze VPC Flow Logs for RTT latency values to identify congestion
C. Verify that the firewall rules are not blocking ICMP
D. Review the CPU utilization of both instances
E. Check BGP session status on the Cloud Router

Answers: A, B, D

Shows if there is underlying network packet loss.

Why this answer

VPC Flow Logs provide RTT latency for TCP flows. Analyzing the RTT values can indicate congestion. Checking the Performance Dashboard can show packet loss between zones.

Checking instance CPU metrics can reveal whether one instance is overwhelmed. Firewall rules are unlikely to cause intermittent loss, since a rule either blocks or allows traffic consistently. Checking BGP sessions is irrelevant for intra-region traffic.

608 · Multi-Select · easy

Which TWO of the following are benefits of using Shared VPC?

Select 2 answers
A. Enhanced security through VPC Service Perimeters
B. Automatic cross-project routing
C. Centralized firewall rule management
D. Reduced IP address usage
E. Separation of network and application teams

Answers: B, C

Service project VMs automatically communicate using host project's routes.

Why this answer

Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, enabling automatic cross-project routing. This is because all subnets in the host project are directly reachable from any service project attached to that host, without needing additional VPC peering or VPN tunnels. Option B is correct because this inherent routing simplifies network connectivity and reduces administrative overhead.

Exam trap

Google Cloud often tests the misconception that Shared VPC inherently provides security features like VPC Service Perimeters, when in fact those are separate controls; the trap here is confusing the administrative separation of network and application teams as a direct benefit of Shared VPC, rather than recognizing that the core technical benefit is automatic cross-project routing and centralized firewall rule management.

609 · MCQ · easy

A startup is migrating a two-tier application to GCP. The web tier must be accessible from the internet, and the database tier must only be accessible from the web tier. Which network design should be used?

A. Place web servers in a public subnet with external IPs, database in a private subnet, and add a firewall rule allowing traffic from web subnet to database
B. Place both tiers in separate VPCs and use VPC peering with no firewall rules
C. Place both tiers in the same subnet and configure firewall rules to restrict database access
D. Place web servers in a private subnet with Cloud NAT for outbound, database in the same private subnet

Answer: A

This design provides proper segmentation and security.

Why this answer

Option A is correct because it places the web servers in a public subnet with external IPs, allowing direct internet access, while the database resides in a private subnet with no external IP, enforcing isolation. A firewall rule (ingress on the database subnet) explicitly permits traffic from the web subnet’s CIDR range, typically on the database port (e.g., TCP 3306 for MySQL), ensuring the database is reachable only from the web tier. This design follows GCP’s best practice of using VPC firewall rules to control east-west traffic between subnets.

Exam trap

Google Cloud often tests the misconception that placing resources in the same subnet automatically allows isolation via firewall rules, but in GCP, firewall rules are applied at the instance level (via tags or service accounts) and cannot restrict traffic between instances in the same subnet without additional tagging, leading candidates to incorrectly choose Option C.

How to eliminate wrong answers

Option B is wrong because placing both tiers in separate VPCs with VPC peering and no firewall rules would allow unrestricted traffic between the VPCs (peering does not impose default deny), violating the requirement that the database be accessible only from the web tier. Option C is wrong because placing both tiers in the same subnet would give the database the same network access as the web servers, making it impossible to restrict database access to only the web tier using subnet-level firewall rules (firewall rules in GCP are applied at the subnet or instance level, but same-subnet traffic is not easily isolated without complex per-instance tags). Option D is wrong because placing web servers in a private subnet with Cloud NAT only provides outbound internet access, not inbound; the web tier would not be accessible from the internet, failing the requirement that the web tier must be internet-accessible.

610 · Multi-Select · hard

A network engineer is troubleshooting connectivity issues with VPC Flow Logs. Which TWO statements about VPC Flow Logs are correct? (Choose TWO)

Select 2 answers
A. VPC Flow Logs capture only egress traffic.
B. VPC Flow Logs only capture traffic that is allowed by firewall rules.
C. VPC Flow Logs can be used to diagnose overly permissive firewall rules.
D. VPC Flow Logs capture all packets for every flow in the VPC.
E. VPC Flow Logs do not capture traffic that is generated by GCP health checks.

Answers: C, E

By analyzing logs, you can see allowed traffic and identify rules that are too broad.

Why this answer

Option C is correct because VPC Flow Logs capture metadata about accepted and rejected traffic, including traffic that is allowed by overly permissive firewall rules. By analyzing the logs, you can identify flows that should have been blocked, revealing rules that are too broad in scope (e.g., allowing all traffic from 0.0.0.0/0). This diagnostic capability directly helps tighten security posture.

Exam trap

Google Cloud often tests the misconception that VPC Flow Logs capture every packet or only allowed traffic, when in reality they sample flows and log both accepted and rejected traffic, making options B and D common traps.

611 · MCQ · hard

An organization has a VPC with custom mode subnets in us-central1 and europe-west1. They create a VM instance in us-central1 with an internal IP 10.0.1.2 and a VM in europe-west1 with internal IP 10.0.2.2. They want to enable communication between these instances using internal IPs. What must be configured?

A. Ensure the VPC firewall rules allow ingress from the source subnet or instance.
B. Set up VPC peering between the two regions.
C. No additional configuration is needed because internal IPs are routable within the VPC.
D. Enable Cloud NAT for the VPC.

Answer: A

Firewall rules control traffic within a VPC; by default, all internal traffic is allowed, but custom rules could block it.

Why this answer

Option A is correct because VPC firewall rules are stateful and must allow ingress traffic from the source subnet (10.0.1.0/24) or the specific source instance (10.0.1.2) to the destination VM in europe-west1. By default, VPCs have an implied deny-all ingress rule, so explicit firewall rules are required to permit traffic between subnets in different regions within the same VPC. The rule should specify the source IP range or tag and the destination protocol/port (e.g., ICMP, TCP/22) to enable communication.

Exam trap

Google Cloud often tests the misconception that internal IPs are automatically reachable across regions within the same VPC, but the trap is that while routing is global by default, firewall rules are not — candidates forget that an explicit ingress rule is required to allow cross-subnet traffic.

How to eliminate wrong answers

Option B is wrong because VPC peering is used to connect two separate VPC networks, not subnets within the same VPC; instances in different regions of the same VPC are already directly routable via the VPC's internal routing table. Option C is wrong because while internal IPs are routable within the VPC, the default firewall rules only allow traffic from the same subnet (10.0.1.0/24) and block cross-subnet traffic unless explicit ingress rules are configured. Option D is wrong because Cloud NAT provides outbound internet access for private instances, not internal VPC-to-VPC communication; it does not affect routing or firewall rules between subnets.

612 · MCQ · easy

A company has multiple projects that each need their own administrative control but must share a common VPC network. Which networking solution should they use?

A. Create a single VPC in one project and grant all users access to that project.
B. Create separate VPCs for each project and connect via Cloud VPN.
C. Use Shared VPC with the host project and attach service projects.
D. Create a VPC in each project and peer them all together.

Answer: C

Provides centralized network management with per-project resource control.

Why this answer

Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, enabling centralized control of the network while maintaining administrative isolation for each project. The host project owns the VPC and firewall rules, and service projects can use subnets within that VPC, meeting the requirement for separate administrative control with a shared network.

Exam trap

The trap here is that candidates often confuse VPC peering (Option D) with Shared VPC, not realizing that peering does not allow a single common VPC network and lacks centralized administrative control, while Shared VPC is designed exactly for this use case.

How to eliminate wrong answers

Option A is wrong because granting all users access to a single project eliminates administrative isolation, as all users would have project-level permissions, not per-project control. Option B is wrong because creating separate VPCs and connecting via Cloud VPN introduces complexity, latency, and bandwidth limitations, and does not provide a single common VPC network; it creates multiple networks that are bridged. Option D is wrong because VPC peering does not support transitive routing and requires non-overlapping CIDR ranges, making it unsuitable for a shared network with multiple projects that need to communicate through a common VPC; it also does not allow centralized firewall or subnet management.

613 · MCQ · easy

What is the default MTU for packets sent between VMs within the same VPC network in Google Cloud?

A. 8970 bytes
B. 1400 bytes
C. 1460 bytes
D. 1500 bytes

Answer: C

Google's internal network uses 1460-byte MTU to allow for encapsulation.

614 · Multi-Select · easy

A developer wants to configure Cloud DNS for split-horizon DNS where internal queries resolve to private IPs and external queries resolve to public IPs. Which TWO steps should they take?

Select 2 answers
A. Set up DNS peering between the zones.
B. Configure the private zone with a VPC network binding.
C. Use DNS forwarding to on-premises servers.
D. Create a public managed zone for the domain.
E. Create a private managed zone for the domain.

Answers: D, E

Handles external queries.

Why this answer

Split-horizon DNS is achieved by having a private zone for internal resolution and a public zone for external resolution, both authoritative for the same domain.

615 · MCQ · hard

A large organization uses Shared VPC with hundreds of projects. They want to implement fine-grained access control for SSH access to Compute Engine instances using IAP TCP forwarding. They have created a custom IAM role with the necessary permissions (iap.tunnel.dest, iap.tunnel.getIamPolicy, compute.instances.use) and granted it to a group of developers. The developers have also been granted the iap.tunnelUser role on the project. However, when they try to use `gcloud compute ssh --tunnel-through-iap instance-name`, they get a permission error: "Permission 'iap.tunnel.dest' denied on resource 'projects/project/zones/zone/instances/instance'". The network admin has verified that the custom role includes the required permissions and that the developers are members of the group with the role. What is the most likely missing configuration?

A. The developers need the `iap.tunnel` resource-level permission on the IAP TCP forwarding resource.
B. IAP TCP forwarding is not enabled for the project or VPC.
C. The instances do not have the required network tags for IAP.
D. The developers need the `compute.instances.osLogin` permission.

Answer: B

IAP TCP forwarding must be explicitly enabled at the project level. If not enabled, the permission check fails.

Why this answer

IAP TCP forwarding requires the IAP API to be enabled on the project and the service to be activated for the VPC. Without this, the IAP proxy cannot intercept and forward TCP traffic to the instance, even if the IAM permissions are correctly assigned. The error "Permission 'iap.tunnel.dest' denied" typically occurs when the IAP TCP forwarding service itself is not enabled, as the permission check fails at the service level before evaluating the IAM role.

Exam trap

The trap here is that candidates assume the error is due to missing IAM permissions or instance configuration, when in fact the IAP TCP forwarding service must be explicitly enabled at the project level, which is a prerequisite often forgotten in Shared VPC environments.

How to eliminate wrong answers

Option A is wrong because 'iap.tunnel.dest' is already a resource-level permission on the instance, not a separate 'iap.tunnel' resource; IAP TCP forwarding uses resource-level permissions on the Compute Engine instance, not a distinct IAP resource. Option C is wrong because network tags are used for firewall rules, not for IAP TCP forwarding; IAP works through the IAP proxy and does not require specific tags on instances. Option D is wrong because 'compute.instances.osLogin' is for OS Login authentication, not for IAP TCP forwarding; the error is about IAP tunnel permissions, not OS-level access.

616 · MCQ · medium

A company wants to use Cloud CDN to serve private content to authenticated users only. Which feature should they use?

A. Cache invalidation
B. IAM roles on the backend bucket
C. Cloud Armor
D. Signed URLs

Answer: D

Correct: signed URLs and signed cookies allow time-limited access to private content.

Why this answer

Signed URLs or signed cookies allow Cloud CDN to serve private content by requiring a valid signature for access.

617 · MCQ · medium

A company has two Dedicated Interconnect connections from different metro areas to Google Cloud. They want to achieve a 99.99% SLA. What is the minimum requirement?

A. One Dedicated Interconnect connection with two VLAN attachments.
B. Two Dedicated Interconnect connections from different metro areas, configured for redundancy.
C. One Dedicated Interconnect and one Partner Interconnect.
D. Two Dedicated Interconnect connections in the same metro area.

Answer: B

Diverse metro areas ensure independence and meet SLA requirements.

Why this answer

To meet the 99.99% SLA, you need at least two connections that are diverse (different metro areas) and configured in active-active or active-passive mode. This ensures redundancy if one fails.

618 · MCQ · hard

A company has two VPCs (Prod and Dev) that are peered. Both VPCs have routes to an on-premises network via separate Cloud VPN tunnels. The on-prem network has routes to both VPCs. The Dev VPC recently added a subnet that overlaps with an on-prem subnet. What is the likely impact on the Prod VPC?

A. No impact on either VPC
B. Prod VPC loses connectivity to the on-premises network
C. Prod VPC can now communicate with Dev VPC via on-prem
D. Dev VPC cannot communicate with on-prem due to overlap

Answer: D

Overlapping subnets cause routing issues for Dev VPC to on-prem.

Why this answer

When the Dev VPC adds a subnet that overlaps with an on-premises subnet, Cloud VPN routes for that overlapping prefix become ambiguous. GCP Cloud Router uses dynamic routing (BGP) and will prefer the more specific route, but if the prefixes are identical, the route to the on-premises network via the Dev VPN tunnel may be withdrawn or become unreachable due to the conflict. This directly impacts the Dev VPC's ability to communicate with the on-premises network over the VPN, while the Prod VPC, with its non-overlapping subnet, remains unaffected.

Exam trap

The trap here is that candidates assume overlapping subnets in one VPC will break all VPN connectivity across peered VPCs, but in reality, each VPC's VPN tunnel is independent, and only the VPC with the overlapping subnet loses connectivity to the on-premises network.

How to eliminate wrong answers

Option A is wrong because overlapping subnets between a VPC and an on-premises network cause routing conflicts that disrupt connectivity for the VPC with the overlap, so there is an impact. Option B is wrong because the Prod VPC has its own separate Cloud VPN tunnel and routes to the on-premises network, and the overlap in the Dev VPC does not affect Prod's routes or connectivity. Option C is wrong because VPC peering already enables direct communication between Prod and Dev VPCs; routing traffic via on-premises would be unnecessary and is not automatically enabled by the overlap—in fact, overlapping subnets would break such a path.

619 · MCQ · medium

A company wants to resolve DNS queries from their on-premises DNS servers for a private zone hosted in Cloud DNS. They also need GCP resources to resolve on-premises hostnames. Which combination of Cloud DNS features should they configure?

A. Outbound DNS server policy only
B. DNS peering with the on-premises network
C. Inbound DNS server policy only
D. Both inbound and outbound DNS server policies

Answer: D

Inbound allows on-premises to query Cloud DNS; outbound allows GCP to query on-premises DNS.

Why this answer

Inbound DNS server policy allows on-premises to forward queries to Cloud DNS private zones. Outbound DNS server policy allows GCP to forward queries to on-premises DNS servers.

620 · Multi-Select · easy

A company wants to protect its HTTP(S) Load Balancer from layer 7 attacks, including SQL injection and cross-site scripting (XSS). Which TWO Google Cloud services or features should be used together? (Choose TWO.)

Select 2 answers
A. HTTPS Load Balancer
B. Cloud CDN
C. VPC Service Controls
D. Cloud Armor
E. Identity-Aware Proxy (IAP)

Answers: A, D

Cloud Armor policies are attached to the backend service of an HTTPS Load Balancer.

Why this answer

Cloud Armor security policies provide WAF capabilities with preconfigured rules to block SQLi and XSS. These policies are attached to the backend service of the HTTPS Load Balancer.

621 · MCQ · hard

A company uses a Shared VPC host project with three service projects: Prod, Staging, and Dev. All service projects have similar network requirements except that Prod requires Private Google Access to access Google APIs from VM instances without external IP addresses. The network team creates a single subnet in the Shared VPC with Private Google Access enabled. However, Staging and Dev teams report that their VMs cannot reach external IP addresses on the internet because the subnet's route has a next hop of default internet gateway. What is the most cost-effective solution that meets all requirements?

A. Create a separate subnet for each service project in the Shared VPC and enable Private Google Access only on the Prod subnet.
B. Enable Private Google Access on the Shared VPC's subnet for all projects and configure Cloud Router with BGP to advertise a default route.
C. Configure Cloud NAT in the Shared VPC for the Staging and Dev service projects to allow outbound internet access from their VMs without external IPs.
D. Disable Private Google Access on the subnet and create a separate subnet for Prod with Private Google Access enabled.

Answer: C

Cloud NAT provides internet access to VMs without external IPs; Private Google Access remains enabled for Prod. This is cost-effective because Cloud NAT shares IPs across multiple VMs.

Why this answer

Option C is correct because Cloud NAT provides outbound internet connectivity for VM instances without external IP addresses, which is exactly what Staging and Dev need. Since Private Google Access is already enabled on the shared subnet, Prod VMs can reach Google APIs without external IPs, while Cloud NAT handles the general internet access for the other projects. This is the most cost-effective solution because Cloud NAT incurs only egress data processing charges and does not require additional subnets or complex routing changes.

Exam trap

The trap here is that candidates confuse Private Google Access with general internet access, assuming that enabling it on a subnet automatically allows VMs to reach any external IP, when in fact Private Google Access only covers Google API and service endpoints, not arbitrary internet destinations.

How to eliminate wrong answers

Option A is wrong because creating separate subnets for each service project increases IP address consumption and management overhead, and it does not solve the outbound internet access issue for Staging and Dev VMs without external IPs—they still lack a route to the internet. Option B is wrong because enabling Private Google Access on all subnets does not provide outbound internet access; Cloud Router with BGP advertising a default route would require a VPN or Dedicated Interconnect to an on-premises router, which is not cost-effective and is unnecessary for simple internet access. Option D is wrong because disabling Private Google Access on the shared subnet would break Prod's requirement to access Google APIs from VMs without external IPs, and creating a separate Prod subnet with Private Google Access enabled does not address the outbound internet need for Staging and Dev.

622 · MCQ · hard

An organization uses Cloud DNS private zones for internal service discovery. They want to override DNS responses for a specific domain (e.g., 'internal.example.com') to block access to malicious domains and redirect certain queries to a different IP for compliance. Which Cloud DNS feature should they use?

A. DNSSEC
B. Routing policies (weighted round robin, geolocation, failover)
C. Response Policies (RPZ)
D. Cloud DNS peering

Answer: C

Correct. RPZ allows overriding DNS responses to block or redirect queries.

Why this answer

Cloud DNS Response Policies (RPZ) allow overriding DNS responses based on policy rules. They can be used to block domains (by returning NXDOMAIN or redirecting to a sink IP) or to reroute queries to alternative IPs. Routing policies are for authoritative zones to control traffic distribution, not for overriding responses.

DNSSEC ensures authenticity but does not override DNS responses. Peering is for querying other zones, not overriding.

623 · Multi-Select · medium

A company is planning a hybrid connectivity strategy between their on-premises data center and GCP. They require at least 99.9% availability and are open to using a third-party service provider. Which TWO options meet these requirements? (Choose TWO.)

Select 2 answers
A. Dedicated Interconnect (single 10 Gbps connection)
B. VPC Network Peering
C. Classic VPN (static routing)
D. HA VPN (single tunnel)
E. Partner Interconnect (single 1 Gbps connection)

Answers: A, E

Dedicated Interconnect offers a 99.9% SLA for a single connection, but it does not use a third-party provider. However, the scenario says the company is 'open to using' a third-party provider, not that one is required, so Dedicated Interconnect still meets the SLA requirement.

Why this answer

Partner Interconnect with two connections offers a 99.99% SLA, but a single connection offers 99.9%. HA VPN with two tunnels offers a 99.99% SLA, but the scenario requires at least 99.9%, so any option meeting that threshold is acceptable. Dedicated Interconnect with one connection offers a 99.9% SLA, but it is not via a third-party provider.

Classic VPN does not have a 99.9% SLA.

624 · MCQ · medium

A company has a Cloud VPN tunnel with dynamic routing (BGP) connecting their on-premises network to a VPC in us-central1. They recently added a new subnet (10.2.0.0/16) to the VPC. The on-premises network still cannot reach resources in the new subnet. The Cloud Router BGP session is established and routes from on-prem are being received. What is the most likely cause?

A. The Cloud Router does not support more than 10 custom dynamic routes
B. The new subnet range is not included in the Cloud Router's advertised routes
C. BGP session is not established
D. Firewall rules are blocking traffic

Answer: B

Custom dynamic routes must be added to the Cloud Router's advertised route list for the remote peer to learn them.

Why this answer

When a new subnet is added to a VPC, the Cloud Router must be configured to advertise that subnet's CIDR range to the on-premises BGP peer. Even though the BGP session is established and routes from on-premises are received, the Cloud Router will not automatically advertise the new subnet unless its advertised route list is updated. Without the new subnet in the Cloud Router's advertised routes, the on-premises network has no path to reach 10.2.0.0/16, causing connectivity failure.

Exam trap

Google Cloud often tests the distinction between route propagation (BGP session up) and route advertisement (what prefixes are actually sent), leading candidates to incorrectly assume that an established BGP session automatically advertises all VPC subnets.

How to eliminate wrong answers

Option A is wrong because Cloud Router does not have a hard limit of 10 custom dynamic routes; it supports up to 100 custom route advertisements per VPC, and the limit is configurable via quota. Option C is wrong because the question explicitly states the BGP session is established, so a lack of session is not the issue. Option D is wrong because firewall rules control traffic filtering, not route advertisement; even if firewall rules permit traffic, the on-premises network cannot send packets to the new subnet without a route to it.

625
MCQhard

An organization wants to restrict access to a Cloud Storage bucket so that only VMs within a specific VPC network can download objects. They are using VPC Service Controls and Private Google Access. Which configuration is required?

A.Enable Cloud NAT and configure a firewall rule to allow egress to 0.0.0.0/0
B.Configure a Service Directory endpoint and attach an IAM policy to the bucket allowing access only from that endpoint
C.Create a firewall rule allowing egress to the storage.googleapis.com service IP range and enable VPC flow logs
D.Enable Private Google Access on the subnet and create a VPC Service Controls perimeter that includes the bucket project
AnswerD

Private Google Access enables internal IP access to Google APIs, and VPC Service Controls restricts access to the perimeter.

Why this answer

D is correct because VPC Service Controls creates a security perimeter around the Cloud Storage bucket's project, preventing data exfiltration even if the bucket is publicly accessible. Private Google Access on the subnet allows VMs to reach Google APIs (including storage.googleapis.com) via internal IPs, avoiding the public internet. Together, they ensure only VMs within the specified VPC network can download objects, as the perimeter restricts access to authorized networks and Private Google Access provides the private connectivity path.

Exam trap

Google Cloud often tests the misconception that firewall rules alone (Option C) or NAT (Option A) are sufficient for restricting access, when in fact VPC Service Controls are required to enforce network-level boundaries beyond IAM and connectivity.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet access for private VMs, but it does not restrict access to the bucket; it would actually allow VMs to reach the bucket via the public internet, violating the requirement to restrict access to only the VPC network. Option B is wrong because Service Directory is a service for service discovery and does not provide network-level access control; attaching an IAM policy to a Service Directory endpoint does not restrict network access to the bucket. Option C is wrong because a firewall rule allowing egress to storage.googleapis.com service IP range only enables connectivity, but without VPC Service Controls, any VM (or even external hosts) with the correct IP range could access the bucket; VPC flow logs are for monitoring, not access control.

626
MCQmedium

A company wants to cache static content globally to reduce latency for their users. They are using a Global HTTPS Load Balancer with a backend bucket. Which Cloud CDN cache mode should they use?

A.None: Cloud CDN cannot be used with backend buckets
B.USE_ORIGIN_HEADERS
C.CACHE_ALL_STATIC
D.FORCE_CACHE_ALL
AnswerC

Correct: caches static content automatically based on file type and response headers.

Why this answer

CACHE_ALL_STATIC caches static content based on file extension and response headers, which is suitable for a backend bucket serving static files.

627
Multi-Selectmedium

A company runs a web application on Compute Engine instances without external IPs. They need to ensure the instances can access Google APIs (e.g., Cloud Storage) and also provide outbound internet access for software updates. Which two features should be configured? (Choose two.)

Select 2 answers
A.VPC Service Controls
B.Private Service Connect
C.Cloud NAT
D.Cloud VPN
E.Private Google Access
AnswersC, E

Cloud NAT provides outbound internet access; Private Google Access provides access to Google APIs.

Why this answer

Private Google Access enables access to Google APIs without external IPs. Cloud NAT provides outbound internet access for instances without external IPs.

628
Multi-Selectmedium

Which THREE of the following are requirements for setting up a Dedicated Interconnect connection to Google Cloud? (Choose three.)

Select 3 answers
A.A Layer 2 circuit between the on-premises router and Google's edge router.
B.A public IP address on the on-premises router for BGP peering.
C.BGP sessions must be configured directly on the VLAN attachment.
D.A physical cross-connect in a colocation facility that supports Google Cloud Interconnect.
E.A VLAN attachment (VLAN) configured in Google Cloud to connect to a VPC.
AnswersA, D, E

The connection operates at Layer 2.

Why this answer

Option A is correct because a Dedicated Interconnect requires a Layer 2 circuit (e.g., Ethernet VLAN) that directly connects your on-premises router to a Google edge router at a colocation facility. This Layer 2 link provides the physical or virtual circuit over which BGP sessions are established to exchange routes between your network and Google Cloud.

Exam trap

Google Cloud often tests the misconception that BGP sessions are configured directly on the VLAN attachment, when in fact they are configured on the Cloud Router, which uses the VLAN attachment as the underlying Layer 2 transport.

629
Multi-Selecteasy

A developer wants to use Cloud CDN to cache content from an external origin backend. Which TWO configurations are required to set this up? (Choose two.)

Select 2 answers
A.A backend service or backend bucket with the origin defined
B.A custom domain mapped to the load balancer
C.A global static IP address
D.A Global External HTTPS Load Balancer with Internet NEG
E.Cloud CDN enabled on the backend service or backend bucket
AnswersA, E

Required to define the origin from which Cloud CDN fetches content.

Why this answer

To use Cloud CDN with an external origin, you need a backend service or backend bucket that points to the origin, and you must enable Cloud CDN on that backend. A Global External HTTPS Load Balancer with an Internet NEG is not required; Cloud CDN can be used with external backends via a backend service. A custom domain is not required for Cloud CDN to work, though one is often used.

630
MCQhard

A company has a VPC with several subnets and wants to force traffic between two specific subnets (A and B) to be inspected by a third-party firewall appliance in a separate subnet (C). The firewall has source/destination check disabled. What is the best way to route traffic from A to B through C?

A.Use Cloud NAT to route traffic through the firewall.
B.Use a custom route with a lower priority for the destination subnet.
C.Use VPC flow logs to monitor traffic.
D.Use a policy-based route to redirect traffic from A to B to the firewall's IP.
AnswerD

Policy-based routes can match source and destination and redirect to a next hop.

Why this answer

Policy-based routes allow you to define a route that matches traffic based on source and destination IP ranges and then sends it to a next-hop instance (the firewall). Since the firewall has source/destination check disabled, it can forward the inspected traffic to the final destination. This is the only option that directly forces traffic between subnets A and B through the firewall in subnet C.

Exam trap

Google Cloud often tests the distinction between policy-based routes (which match on source and destination) and static routes (which match only on destination), leading candidates to incorrectly choose a custom static route (Option B) when a policy-based route is required.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used for outbound internet access from private instances, not for routing traffic between subnets within a VPC. Option B is wrong because a custom route with lower priority would only affect traffic destined for the subnet's IP range if no more specific route exists; it does not force traffic through a specific next-hop instance for inter-subnet communication. Option C is wrong because VPC flow logs only capture metadata about network flows for monitoring and analysis; they do not influence routing decisions.

631
MCQeasy

A company wants to enable Private Google Access for an on-premises network connected via Cloud VPN. Which configuration step is required?

A.Enable Private Google Access on the VPC subnet that hosts the Cloud VPN gateway.
B.Enable VPC Flow Logs for the VPN tunnel.
C.Create a default route with next hop set to the internet gateway.
D.Configure a Cloud NAT gateway for the on-premises network.
AnswerA

Private Google Access allows on-premises hosts to use internal IP addresses for Google APIs.

Why this answer

Option A is correct because Private Google Access must be enabled on the VPC subnet that hosts the Cloud VPN gateway. This allows on-premises hosts to use internal IPs to access Google APIs through the VPN tunnel. Option C is incorrect because a default route to the internet is not required; the traffic goes through the VPN.

Option D is incorrect because Cloud NAT is for outbound internet access from private instances, not for on-premises access. Option B is incorrect because VPC Flow Logs are for logging, not for enabling access.

632
MCQeasy

A developer created a Compute Engine instance in the default VPC network. The instance needs to communicate with an on-premises server over a Cloud VPN tunnel. The developer configured the VPN tunnel but the instances cannot ping the on-premises server. What is the most likely cause?

A.The subnet IP range overlaps with the on-premises network.
B.The instance has IP forwarding disabled.
C.The default VPC does not have a default route to the internet.
D.The firewall rules in the VPC are blocking ingress traffic from the on-premises network.
AnswerD

Default firewall rules allow only certain ingress; ICMP from on-premises is not allowed by default.

Why this answer

Option D is correct because, by default, the default VPC includes firewall rules that allow outbound traffic but restrict inbound traffic. Even though the Cloud VPN tunnel is established, the VPC firewall rules block ingress traffic from the on-premises network (e.g., ICMP for ping). To allow communication, a firewall rule must explicitly permit ingress traffic from the on-premises IP range or the remote tunnel IP.

Exam trap

Google Cloud often tests the misconception that a configured VPN tunnel automatically allows all traffic, when in reality firewall rules (ingress) and routes must be explicitly configured to permit communication between VPC and on-premises networks.

How to eliminate wrong answers

Option A is wrong because subnet IP range overlap with the on-premises network would cause routing conflicts, but the question states the VPN tunnel is configured and the issue is connectivity, not routing table errors; overlapping ranges typically prevent tunnel establishment or cause asymmetric routing, not just ping failure. Option B is wrong because IP forwarding is only required when the instance acts as a gateway (e.g., NAT instance or VPN gateway), not for a standard instance initiating traffic to an on-premises server over a VPN tunnel; the instance can send packets without IP forwarding enabled. Option C is wrong because the default VPC always includes a default route (0.0.0.0/0) to the internet via the default internet gateway; this route is automatically created and does not affect VPN-based communication.

633
MCQmedium

An engineer wants to use Traffic Director to split traffic between two versions of a microservice running on Compute Engine with Envoy sidecars. They want to send 10% of traffic to the new version. Which configuration should they apply?

A.Create a weighted backend service with versionA weight 90 and versionB weight 10
B.Use HTTP load balancer URL map to route 10% of requests
C.Configure a firewall rule to drop 10% of traffic to versionA
D.Deploy versionB in a different region and use geo-routing
AnswerA

Correct. Traffic Director supports weighted routing.

Why this answer

Traffic Director uses traffic splitting rules with weight percentages. The backend service or routing rule allows assigning weights to different versions.

634
MCQhard

Your company has a Dedicated Interconnect with two VLAN attachments (vlan-attachment-a and vlan-attachment-b) connected to two different Edge Availability Domains (EADs) in the us-central1 region. Both attachments are associated with a single Cloud Router named 'cr-us-central1'. On-premises, you have two routers (rtr-a and rtr-b) each connected to one VLAN attachment via BGP. The Cloud Router has four BGP sessions: rtr-a (vlan-a), rtr-a (vlan-b), rtr-b (vlan-a), rtr-b (vlan-b) — a full mesh for redundancy. All sessions are established and routes are exchanged. Recently, you added a new on-premises subnet 192.168.100.0/24 and advertised it via BGP from both on-premises routers. However, Google Cloud instances in the VPC cannot reach this subnet. Other on-premises subnets (e.g., 10.0.0.0/8) are reachable. The Cloud Router route table for 'cr-us-central1' shows multiple entries for 192.168.100.0/24, each with different next hops but all with status 'stacked'. There are no BGP route filters configured. What is the most likely cause of the issue?

A.The Cloud Router has reached its maximum route limit.
B.The BGP routes have incorrect MED values causing a conflict.
C.The new subnet 192.168.100.0/24 overlaps with an existing VPC subnet.
D.The on-premises routers are not advertising the subnet with a required community tag.
AnswerC

When a learned route overlaps with a VPC subnet, the route is stacked and not used to avoid conflict.

Why this answer

When a BGP-learned route overlaps with an existing VPC subnet, Google Cloud treats it as a conflict and marks the route as 'stacked' (i.e., not active). The Cloud Router can learn the route, but it will not be installed in the VPC's effective routes because the VPC subnet prefix takes precedence. Since 192.168.100.0/24 is a private IP range that could easily overlap with a subnet in the VPC, this is the most likely cause.

Exam trap

The trap here is that candidates often assume 'stacked' routes indicate a BGP peering or route advertisement issue, when in fact it is a route conflict caused by overlapping prefixes with existing VPC subnets.

How to eliminate wrong answers

Option A is wrong because the Cloud Router has not reached its maximum route limit; if it had, the new routes would not appear at all in the route table, and other routes would also be affected. Option B is wrong because MED values influence path selection among multiple BGP paths but do not cause routes to be 'stacked' or prevent them from being installed in the VPC; conflicting MEDs would not block the route from being used. Option D is wrong because community tags are not required for BGP route acceptance on Google Cloud; the absence of a community tag does not cause routes to be marked as 'stacked' or prevent them from being used.

635
MCQmedium

A company wants to allow their VPC instances to access Google APIs using internal IPs without using a NAT. They have set up Private Google Access on the subnet. What else is required?

A.A default route to the internet must be created.
B.A Cloud NAT must be configured.
C.No additional configuration is needed.
D.The instances must have external IPs.
AnswerC

Private Google Access works out of the box once enabled on the subnet.

Why this answer

Option C is correct because enabling Private Google Access on the subnet allows instances without external IPs to access Google APIs via the automatically generated default route for the Private Google Access ranges. No additional configuration is needed. Option A is incorrect because an explicit default route to the internet would send traffic to the internet, not to Google APIs via private access.

Option B is incorrect because Cloud NAT is not needed and would override private access. Option D is incorrect because instances should not have external IPs if using private access.

636
MCQmedium

An on-premises router uses BGP ASN 64512. The Cloud Router is also configured with ASN 64512. When the BGP peering is established, what behavior is expected?

A.The session works but routes are not exchanged.
B.Cloud Router will automatically prepend its ASN to avoid conflict.
C.The BGP session will fail or behave unpredictably.
D.The BGP session works normally since ASN 64512 is a private ASN.
AnswerC

Same ASN on both sides causes BGP to reject the session (at least one side will see a loop).

Why this answer

BGP requires each router in a peering session to have a unique ASN to properly enforce loop prevention and path selection. When both the on-premises router and Cloud Router use the same ASN 64512, the BGP session will fail or behave unpredictably because each router will see its own ASN in received updates, triggering the BGP loop detection mechanism (RFC 4271, Section 9.3) and causing the session to drop or routes to be rejected.

Exam trap

Google Cloud often tests the misconception that private ASNs (64512-65535) are exempt from BGP loop detection, but in reality, BGP treats all ASNs equally for loop prevention, and duplicate ASNs will cause the session to fail.

How to eliminate wrong answers

Option A is wrong because the BGP session will not work normally; the duplicate ASN causes the session to fail or behave unpredictably, not just a lack of route exchange. Option B is wrong because Cloud Router does not automatically prepend its ASN to avoid conflict; ASN prepending is a manual path manipulation technique, not an automatic fix for duplicate ASN issues. Option D is wrong because even though 64512 is a private ASN, BGP loop detection still applies regardless of ASN range; the session will not work normally with duplicate ASNs.

637
MCQmedium

An engineer has configured an HA VPN tunnel between an on-premises network and Google Cloud. The tunnel status shows as established, but traffic is not flowing. The engineer checks the Cloud Router BGP session and sees it is in the Active state. What is the most likely cause?

A.The tunnel's shared secret (pre-shared key) is mismatched.
B.The Cloud Router is not advertising the VPC subnet routes.
C.The on-premises router is not allowing BGP traffic on UDP port 179.
D.The Cloud Router is not configured with the correct BGP IP address for the on-premises side.
AnswerD

Incorrect peer IP is a common cause of BGP Active state.

Why this answer

The BGP session being in the Active state indicates that the Cloud Router has sent an Open message but has not received a valid response from the on-premises peer. This most commonly occurs when the BGP peer IP address configured on the Cloud Router does not match the IP address the on-premises router is using for BGP peering, preventing the TCP connection on port 179 from completing. Since the tunnel is established (IPsec is up), the issue is at the BGP layer, not the tunnel layer.

Exam trap

Google Cloud often tests the distinction between IPsec tunnel states and BGP session states, trapping candidates who assume a working tunnel means BGP must also be working, when in fact BGP has its own TCP-based connectivity requirements independent of the encrypted tunnel.

How to eliminate wrong answers

Option A is wrong because a mismatched pre-shared key would prevent the IPsec tunnel from establishing, but the question states the tunnel status is established. Option B is wrong because the Cloud Router not advertising VPC subnet routes would cause BGP to be established (Established state) but routes would be missing; the session being in Active state indicates a TCP connection failure, not a route advertisement issue. Option C is wrong because the on-premises router not allowing BGP traffic on UDP port 179 is incorrect—BGP uses TCP port 179, not UDP; blocking TCP port 179 would cause the same Active state, but the question specifies UDP, which is a protocol mismatch and thus not the most likely cause given the standard BGP behavior.

638
MCQeasy

An organization is migrating a legacy application to GCP. The application requires a static internal IP address for a Compute Engine VM that must persist even if the VM is stopped or deleted. Which IP address type should they assign?

A.Configure an alias IP range on the VM's network interface.
B.Assign an ephemeral external IP and configure a firewall rule.
C.Reserve a static internal IP address in the same region and subnetwork.
D.Use a regional internal IP address with auto-delete set to false.
AnswerC

Static internal IPs are reserved and persist until released.

Why this answer

A static internal IP address is reserved within a specific region and subnetwork, ensuring the IP persists even after the VM is stopped or deleted. This meets the requirement for a fixed internal address that remains available for reassignment to the same or a different VM in the same subnet. Ephemeral IPs are released on VM stop/delete, and external IPs are not relevant for internal-only communication.

Exam trap

The trap here is that candidates confuse 'ephemeral' with 'persistent' or assume that stopping a VM preserves the internal IP, but GCP releases ephemeral internal IPs on stop/delete unless explicitly reserved as a static internal IP.

How to eliminate wrong answers

Option A is wrong because an alias IP range is used to assign multiple IP addresses to a single network interface for container or multi-service workloads, but it does not provide a persistent static IP that survives VM deletion. Option B is wrong because an ephemeral external IP is a public, temporary address that is released when the VM is stopped or deleted, and a firewall rule does not affect IP persistence. Option D is wrong because there is no 'auto-delete' property for internal IP addresses; the correct mechanism to make an internal IP persistent is to reserve a static internal IP address, and the term 'regional internal IP address' is ambiguous without the reservation step.

639
MCQmedium

An organization is deploying a global application and wants to use an Internal Load Balancer (ILB) across multiple regions. What is the correct configuration?

A.Use a cross-region ILB by enabling global access
B.Use an Internal TCP/UDP Load Balancer in one region and route traffic via Cloud VPN
C.Deploy an ILB in each region and use DNS to route traffic
D.Use a global External Load Balancer with internal backend
AnswerC

Regional ILBs combined with DNS provide global internal load balancing.

Why this answer

Option C is correct because Google Cloud does not support a native cross-region Internal Load Balancer (ILB). To distribute traffic across multiple regions, you must deploy a separate Internal TCP/UDP Load Balancer in each region and use DNS-based routing (e.g., Cloud DNS with geo-routing or weighted record sets) to direct clients to the appropriate regional ILB. This approach provides regional high availability and global reach without exposing internal IPs externally.

Exam trap

Google Cloud often tests the misconception that 'global access' can make an Internal Load Balancer cross-region, but in Google Cloud, global access only allows clients from any region within the same VPC to reach a regional ILB, not to load balance across regions.

How to eliminate wrong answers

Option A is wrong because there is no 'cross-region ILB' in Google Cloud; Internal Load Balancers are regional resources and cannot be made global by enabling 'global access' (that feature applies only to external load balancers). Option B is wrong because routing traffic via Cloud VPN from a single-region ILB to other regions adds latency, complexity, and defeats the purpose of a global application; it does not provide native multi-region load balancing. Option D is wrong because a global External Load Balancer with internal backends is not supported; external load balancers require backends with external connectivity or specific hybrid connectivity, and using them for internal-only traffic violates the requirement for an internal load balancer.

640
Multi-Selecthard

A company wants to use Cloud DNS response policy zones (RPZ) to override DNS responses for a set of internal domains. They need to ensure that only specific VPC networks can use these overrides. Which three steps are required? (Choose three.)

Select 3 answers
A.Create a forwarding zone for the overridden domains
B.Enable DNSSEC on the response policy zone
C.Bind the response policy zone to the desired VPC networks
D.Add DNS overrides (rules) to the response policy zone
E.Create a response policy zone
AnswersC, D, E

RPZ is applied per VPC network.

Why this answer

To use RPZ, you must create the response policy zone, bind it to the target VPC network(s), and ensure that DNS queries from those VPCs are resolved by Cloud DNS; additionally, you may need to configure the resolver. The required steps are therefore: create the RPZ, bind it to the VPC networks, and add the DNS overrides (rules) that define the responses.

641
Multi-Selectmedium

A company wants to allow access to a Cloud Storage bucket only from Compute Engine instances that have a specific service account and are within a specific VPC. They also want to prevent access from other networks. Which TWO services or features should they use together?

Select 2 answers
A.Hierarchical firewall policy
B.Cloud Armor
C.IAM conditions on the bucket
D.VPC Service Controls
E.Cloud NAT
AnswersC, D

IAM conditions allow you to grant access conditionally based on the caller's service account; VPC Service Controls restricts access to the specified VPC.

Why this answer

VPC Service Controls can restrict access to Google APIs to only specified VPCs and projects, creating a service perimeter. IAM conditions can further restrict access based on the caller's service account. This combination ensures that only instances with the correct service account in the correct VPC can access the bucket.

642
MCQhard

Your company uses Network Connectivity Center (NCC) to manage multiple on-premises sites connected via Cloud VPN and Partner Interconnect. You create an NCC hub and attach spokes (VPN tunnels and VLAN attachments). Traffic between two on-premises sites (Site A and Site B) should flow through Google Cloud. However, traffic is not passing between the sites. What is the most likely cause?

A.The on-premises routers need static routes pointing to the Google Cloud VPC for inter-site traffic.
B.The VPN spokes do not have custom dynamic route exchange enabled, so routes from Site A are not advertised to Site B.
C.Network Connectivity Center does not support Cloud VPN as a spoke type.
D.The NCC hub must be in the same VPC network as the sites' VPCs.
AnswerB

NCC requires route exchange to be enabled on spokes to propagate routes.

Why this answer

Option B is correct because NCC routes will only propagate if the spokes are configured with the proper route exchange options. By default, custom dynamic route exchange is not enabled for VPN tunnels; you need to configure advertisement of routes. Option C is wrong because NCC supports both VPN tunnels and Interconnect VLAN attachments as spoke types.

Option A is wrong because NCC uses dynamic routing; static routes are not required. Option D is wrong because VPC networks are not directly involved when using the NCC hub-and-spoke model.

643
MCQhard

An organization uses a custom mode VPC with several subnets. They need to add a new subnet 192.168.1.0/24 for a new workload. After creating the subnet, they find that existing firewall rules with target tags don't apply to instances in the new subnet, even though the tags are applied. What is the most likely reason?

A.Firewall rules are scoped to a VPC, not to subnets.
B.The new subnet was created without enabling firewall rule enforcement.
C.The instances need to be recreated for the new rules to apply.
D.The firewall rules have a source or destination filter that excludes the new subnet's CIDR.
AnswerD

If a rule includes an IP range filter, it will only apply to traffic that matches that range.

Why this answer

Option D is correct because firewall rules may include source or destination IP range filters. Even if tags match, if the rule also specifies a source or destination IP range that does not include 192.168.1.0/24, the rule will not apply. Option A is incorrect because firewall rules are scoped to the VPC, not to subnets, so tags work across subnets.

Option B is incorrect because there is no such concept as firewall rule enforcement on subnets. Option C is incorrect because instances do not need to be recreated; changes to firewall rules apply immediately.

644
MCQhard

While configuring a health check for a backend service, an engineer notices that the health check is failing even though the instances are healthy. The health check is HTTP on port 80 with a request path of /health. The instances respond to curl http://localhost:80/health with 200 OK. What is a likely cause?

A.Firewall rules are blocking traffic from health check ranges
B.The backend service is not using an instance group
C.The health check protocol should be HTTPS
D.The health check interval is too long
AnswerA

Correct. Health check ranges must be allowed by firewall.

Why this answer

Health checks originate from Google's health check systems, which use source IP ranges. A firewall rule must allow traffic from those ranges. Other options are not as likely.

645
MCQeasy

A company uses an HTTPS load balancer with SSL certificates. They want to ensure only strong cipher suites are accepted. Which Google Cloud service should they use to enforce this?

A.Identity-Aware Proxy (IAP).
B.Cloud Armor security policy.
C.SSL policies on the target HTTPS proxy.
D.Firewall rules on the backend instances.
AnswerC

SSL policies control TLS versions and ciphers for load balancers.

Why this answer

SSL policies on the target HTTPS proxy allow you to define a set of allowed SSL/TLS cipher suites and protocols for the load balancer. By configuring an SSL policy with a 'RESTRICTED' profile or a custom list of strong ciphers, you can enforce that only secure cipher suites (e.g., TLS 1.2+ with ECDHE and AES-GCM) are accepted, rejecting weak or deprecated ciphers like RC4 or 3DES.

Exam trap

The trap here is that candidates confuse Cloud Armor (which enforces security policies at the application layer) with SSL policies (which control TLS cipher suites at the transport layer), leading them to pick Cloud Armor when the question specifically asks about cipher suite enforcement.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) controls access to applications based on identity and context, not cipher suite enforcement; it operates at the application layer, not the TLS negotiation layer. Option B is wrong because Cloud Armor security policies provide web application firewall (WAF) and DDoS protection at Layer 7, but they do not control SSL/TLS cipher suites or protocol versions. Option D is wrong because firewall rules on backend instances control network traffic at Layers 3/4 (IP/port), not the cryptographic parameters of the TLS handshake, which is terminated at the load balancer.

646
MCQmedium

An organization needs to set up a Regional Internal HTTPS Load Balancer for internal microservices. They want to use Envoy-based load balancing. Which backend type must the backend service use?

A.Instance group
B.Zonal NEG
C.Internet NEG
D.Hybrid connectivity NEG
AnswerB

The Regional Internal HTTP(S) LB uses zonal NEGs for backend endpoints.

Why this answer

The regional internal Application Load Balancer is Envoy-based: the managed proxy connects to individual endpoints, so the natural backend is a zonal NEG whose endpoints are IP:port pairs (GCE_VM_IP_PORT) on Compute Engine VMs or containers, which is how per-service ports of microservices are exposed. Internet NEGs and hybrid connectivity NEGs address endpoints outside the VPC, which is not what internal microservices need. Note that this load balancer also accepts instance group backends, so the word 'must' in the question is the key's rather than the product's; the point being tested is that Envoy proxies address endpoints through NEGs rather than through instance-level membership.

647
MCQmedium

A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect using VLAN attachments. They have set up a Cloud Router with BGP to exchange routes. The on-premises network advertises a prefix 10.0.0.0/8, and Google Cloud advertises the VPC's subnet ranges (10.0.0.0/24 and 10.0.1.0/24). After configuration, on-premises hosts cannot reach the Google Cloud instances in those subnets. The engineer checks the BGP session status and it is established. The Cloud Router shows that the on-premises prefix is learned, and the on-premises router shows that the specific /24 prefixes are received. However, traffic from on-premises to the Google Cloud subnets is not working. What is the most likely cause?

A.The on-premises router has a local route for 10.0.0.0/8 that overrides the BGP-learned /24 routes.
B.The VPN connection needs to be configured for the Interconnect.
C.The Google Cloud VPC has a custom static route that overrides the dynamically learned route.
D.The on-premises firewall is blocking the traffic.
AnswerA

A local route for the same prefix has a lower administrative distance than eBGP, so the BGP route is received but never installed.

Why this answer

The symptom pattern is the give-away: the BGP session is up and the on-premises router shows the /24 prefixes in its BGP table, yet forwarding fails. A router first performs a longest-prefix match and only then, among routes to the same prefix, prefers the lowest administrative distance (0 for connected, 1 for static, 20 for eBGP on most platforms). A bare 10.0.0.0/8 route cannot by itself shadow a /24 learned over BGP, because the /24 is more specific. What can shadow it is a local route for the same 10.0.0.0/24 or 10.0.1.0/24 (or something more specific inside them): since the on-premises network already claims all of 10.0.0.0/8, the VPC subnet ranges overlap on-premises address space, and a connected or static route for that overlap wins on administrative distance. The BGP route stays in the BGP table but is not installed in the routing table, and traffic for the VPC subnets is forwarded locally instead of over the Dedicated Interconnect. Compare the platform's equivalents of 'show ip route 10.0.0.0/24' and 'show ip bgp 10.0.0.0/24' to confirm; the fix is to remove the overlap (renumber or remove the local route).

Exam trap

The trap is assuming that a route the router shows as received over BGP is the route it forwards on. Administrative distance decides between routes to the same prefix from different sources, so a connected or static route for the overlapping range silently beats the eBGP route; prefix length is compared first, so candidates who think the /8 itself overrides the /24s have the order of operations backwards.

How to eliminate wrong answers

Option B is wrong because a Dedicated Interconnect is a physical circuit carrying VLAN attachments and BGP; it does not involve IPsec VPN. Option C is wrong because the destinations are VPC subnet ranges, and subnet routes always win inside a VPC: a custom static route cannot override them, and in any case the failure is on the on-premises side, where the prefixes are received but not used. Option D is wrong because a firewall would drop packets that had already been routed toward Google Cloud, whereas here the packets are never sent over the Interconnect; nothing in the scenario mentions a filtering device.
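The routing-table behaviour this question relies on is worth seeing on a small model. The block below is an added example for this page, not vendor code: it implements the two steps an on-premises router takes (install one route per prefix by administrative distance, then forward by longest prefix match) and replays question 647's scenario with the two VPC subnets arriving over eBGP. The interface name, the link-local peer address and the administrative distance values are assumptions chosen to look like a typical router.

```python
import ipaddress
from dataclasses import dataclass

# Administrative distances as used by common router platforms (assumption:
# exact numbers vary by vendor; only their ordering matters here).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20}


@dataclass(frozen=True)
class Route:
    prefix: str     # e.g. "10.0.0.0/24"
    source: str     # "connected", "static" or "ebgp"
    next_hop: str   # interface name or peer address


class Rib:
    """One installed route per prefix; among candidates for the same prefix
    the lowest administrative distance wins. BGP entries that lose this
    contest stay in the BGP table but never reach the RIB."""

    def __init__(self):
        self.installed = {}     # ipaddress network -> Route
        self.bgp_table = []     # what 'show bgp' would list

    def offer(self, route: Route):
        net = ipaddress.ip_network(route.prefix)
        if route.source == "ebgp":
            self.bgp_table.append(route)
        current = self.installed.get(net)
        if current is None or ADMIN_DISTANCE[route.source] < ADMIN_DISTANCE[current.source]:
            self.installed[net] = route

    def lookup(self, dst: str):
        """Forwarding decision: longest prefix match over installed routes."""
        addr = ipaddress.ip_address(dst)
        hits = [net for net in self.installed if addr in net]
        if not hits:
            return None
        return self.installed[max(hits, key=lambda n: n.prefixlen)]


# Constructed scenario from question 647: the Interconnect peer (link-local
# BGP address is an assumption) advertises the two VPC subnets via eBGP.
VPC_ROUTES = (
    Route("10.0.0.0/24", "ebgp", "169.254.10.1"),
    Route("10.0.1.0/24", "ebgp", "169.254.10.1"),
)


def build_rib(local_routes) -> Rib:
    rib = Rib()
    for r in local_routes:
        rib.offer(r)
    for r in VPC_ROUTES:
        rib.offer(r)
    return rib


def forwards_via(local_routes, dst: str):
    """(source, next_hop) the on-premises router would use for dst."""
    r = build_rib(local_routes).lookup(dst)
    return (r.source, r.next_hop) if r else None


def installed_source(local_routes, prefix: str):
    """Which source owns the RIB entry for prefix, or None if it is absent."""
    r = build_rib(local_routes).installed.get(ipaddress.ip_network(prefix))
    return r.source if r else None


if __name__ == "__main__":
    summary_only = [Route("10.0.0.0/8", "static", "Null0")]
    overlap = [Route("10.0.0.0/24", "connected", "Gi0/1")]
    print("summary /8 only ->", forwards_via(summary_only, "10.0.0.5"))
    print("overlapping /24 ->", forwards_via(overlap, "10.0.0.5"))
    print("BGP table still lists", len(build_rib(overlap).bgp_table), "VPC prefixes")
```

The first scenario shows that a summary 10.0.0.0/8 route cannot shadow the BGP /24s; the second shows that a connected route for the overlapping 10.0.0.0/24 does, while the BGP table still lists both prefixes, which is exactly the symptom in the question.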

648
Multi-Selectmedium

A company has multiple GCP projects that need to resolve DNS queries for a private zone (e.g., example.internal) that is hosted in a central project. They want to avoid copying zone data. Which TWO features can be used to achieve this? (Choose TWO.)

Select 2 answers
A.Outbound DNS forwarding
B.Creating duplicate private zones in each project
C.DNS peering
D.Shared VPC
E.Inbound DNS forwarding
AnswersC, D

DNS peering allows a source project to resolve queries from a target project's private zone.

Why this answer

A DNS peering zone created in each consuming project's VPC forwards queries for example.internal to the producer VPC in the central project, which answers from the single authoritative private zone; the zone data is never copied. Shared VPC works because a private zone is attached to VPC networks rather than to projects: if the service projects use the host project's shared VPC, attaching the zone to that one network makes it resolvable from all of them. DNS peering is the more direct choice when the projects keep their own VPCs.

Outbound forwarding sends queries to name servers you specify (typically on-premises), not to another project's Cloud DNS; inbound forwarding lets on-premises resolvers query Cloud DNS. Duplicate private zones are exactly the copying the question wants to avoid, and drift between copies is a classic source of stale records.

649
Multi-Selecthard

Which THREE of the following could cause a Dedicated Interconnect BGP session to go to the 'IDLE' state?

Select 3 answers
A.Firewall rules blocking UDP port 179
B.BGP is not enabled on the Cloud Router
C.BGP keepalive timer mismatch
D.Multi-Exit Discriminator (MED) mismatch
E.Cloud Router is not configured to establish a BGP session with the on-premises peer
AnswersA, B, E

BGP runs over TCP port 179, not UDP. A session that never gets a TCP connection, or that is not configured at all, stays in IDLE.

Why this answer

The key marks option A as correct on the premise that port 179 is blocked between the peers. Be precise about the protocol: BGP opens a TCP connection to port 179, and a filter that only blocks UDP 179 would not touch it; what keeps a session in IDLE in practice is blocking TCP 179 (on a Dedicated Interconnect, between the link-local BGP addresses of the VLAN attachment). Options B and E describe the same failure from two angles: if BGP is not enabled on the Cloud Router, or no BGP peer is configured for the on-premises router, the Cloud Router never initiates or accepts a session, which is what IDLE means.

IDLE is the first state of the BGP finite-state machine: the speaker is not attempting a connection and refuses incoming ones. A session that does attempt the TCP connection and fails moves through CONNECT and ACTIVE before falling back to IDLE. Option C is wrong because keepalive and hold timers are negotiated in the OPEN exchange (the lower hold time wins), so a mismatch does not prevent establishment; option D is wrong because MED is a path attribute carried in UPDATE messages and has no bearing on session state.

Exam trap

The trap is the protocol: BGP uses TCP port 179. When an option says 'UDP port 179', treat it as the question writer's shorthand for 'port 179 is filtered' and judge whether the rest of the option still explains an IDLE session, while remembering that a UDP-only filter would not actually affect BGP.

650
Multi-Selecteasy

A company is planning to use Partner Interconnect to connect their on-premises network to GCP. Which TWO of the following are characteristics of Partner Interconnect?

Select 2 answers
A.Requires colocation facility presence
B.Supports up to 100 Gbps
C.Uses VLAN attachments
D.Supports bandwidth from 50 Mbps to 10 Gbps
E.Provides 99.99% SLA with a single connection
AnswersC, D

Correct. Like Dedicated Interconnect, Partner Interconnect connects to the VPC through VLAN attachments, with a Cloud Router terminating BGP.

Why this answer

Partner Interconnect attachments are provisioned at capacities starting at 50 Mbps; the exam's traditional upper bound is 10 Gbps, and current documentation lists attachment capacities up to 50 Gbps, so option D is the intended answer either way. The SLA is 99.9% or 99.99% depending on topology: the 99.99% design needs redundant attachments across two metros and both edge availability domains, with Cloud Routers in two regions, so a single connection does not qualify. Colocation presence is the partner's responsibility, not the customer's, and 100 Gbps circuits are a Dedicated Interconnect feature.

651
Multi-Selectmedium

A company wants to restrict access to Google Cloud Storage from a specific VPC only, using VPC Service Controls. Which TWO components are required to create a service perimeter? (Choose two.)

Select 2 answers
A.A VPC accessible service configuration
B.A VPC network with Private Google Access enabled
C.An access level
D.A list of allowed APIs (restricted services)
E.A set of projects to protect
AnswersA, E

VPC accessible services limits which Google services can be reached from networks inside the perimeter; this question's key treats it as the second required component.

Why this answer

A service perimeter is created around a set of projects (or VPC networks) to protect, and it enforces a list of restricted services. Restricted services (option D) are what the perimeter actually enforces and are needed for it to protect anything; the key here counts VPC accessible services as the second required component, so be ready for either framing. VPC accessible services is an additional setting that narrows what resources inside the perimeter can call; access levels are optional and only define exceptions for ingress from outside the perimeter. Private Google Access is unrelated to defining the perimeter, although it is how VMs without external IPs reach the restricted.googleapis.com VIP in practice.

652
MCQeasy

A company wants to resolve on-premises DNS names from Google Cloud VMs. They have a Cloud DNS private zone for their domain and on-premises DNS servers at IP 10.1.1.1 and 10.1.1.2. Which Cloud DNS feature should they use?

A.Inbound DNS policy
B.Peering zones
C.Outbound DNS forwarding using an outbound forwarding zone
D.Managed reverse lookup zones
AnswerC

An outbound forwarding zone forwards DNS queries from Google Cloud to on-premises DNS servers for a specified domain.

Why this answer

A forwarding zone for the company's domain sends Cloud DNS queries for that domain, and only that domain, to the forwarding targets 10.1.1.1 and 10.1.1.2 over the VPN or Interconnect; an outbound server policy would instead redirect every query from the VPC. Cloud DNS sends forwarded queries from 35.199.192.0/19, so the on-premises network must have a route back to that range over the tunnel (with BGP, add it as a custom advertised route on the Cloud Router) and allow TCP and UDP 53 from it, or the forwarding targets will answer into the void.

653
MCQmedium

A company is using Cloud VPN with BGP to connect their on-premises network to Google Cloud. They have two VPN tunnels from two different on-premises VPN gateways to a single Cloud VPN gateway. They notice that during maintenance on one on-premises gateway, traffic fails over to the other tunnel, but after the maintenance, traffic does not fail back. What is the most likely cause?

A.Only one VPN tunnel can be active at a time
B.The BGP local preference on the primary tunnel is not higher than the backup tunnel
C.Cloud VPN gateway does not support BGP
D.The backup tunnel does not have a valid BGP session
AnswerB

Without a higher local preference on the primary tunnel, nothing makes the router move traffic off the backup tunnel once the primary returns.

Why this answer

B is correct because BGP local preference is what a router uses to choose among its own outbound paths to the same prefix: highest wins, and it is compared before AS path length and MED. If the primary tunnel's routes do not carry a higher local preference than the backup's, then once the primary session comes back its routes are merely equal to the backup's, and the router has no reason to move traffic (it may keep the existing path or spread flows across both). Note which side each knob works on: local preference on the on-premises router governs on-premises-to-Google traffic; for the Google Cloud side the equivalent lever is the MED the on-premises routers advertise, which Cloud Router uses as the learned-route priority (lower wins).

Exam trap

The trap here is that candidates often assume failback is automatic with BGP, but without explicit local preference tuning, BGP will not prefer the primary tunnel after recovery, leading to asymmetric traffic or persistent backup path usage.

How to eliminate wrong answers

Option A is wrong because Cloud VPN supports multiple active tunnels simultaneously with BGP, and both tunnels can be active at the same time. Option C is wrong because Cloud VPN fully supports BGP for dynamic routing, including route advertisement and selection. Option D is wrong because the backup tunnel does have a valid BGP session (traffic fails over to it), so the issue is not a missing session but rather the BGP path selection not reverting to the primary tunnel.

654
MCQeasy

A company has a VPC with three subnets and multiple firewall rules. They want to ensure that the most specific firewall rule takes precedence when there is a conflict. What is the default evaluation order of firewall rules?

A.Egress rules are evaluated before ingress rules.
B.The rule with the highest priority (lowest priority number) is evaluated first.
C.The more restrictive rule (with smaller IP range) is applied first.
D.Rules are evaluated in the order they were created.
AnswerB

Lower priority number = higher priority; rules are evaluated from high to low priority.

Why this answer

In VPC firewall rules, evaluation order is set by priority. Each rule carries a priority from 0 to 65535 (default 1000), lower number meaning higher priority, and rules are evaluated from the lowest number upward. The first matching rule decides: its action (allow or deny) is final and lower-priority rules are not consulted for that connection. If two matching rules share a priority, the deny rule takes precedence over the allow rule. Ingress and egress are evaluated separately; with no matching rule the implied rules apply (ingress denied, egress allowed, both at priority 65535). If hierarchical firewall policies or network firewall policies exist, their rules are evaluated before the VPC firewall rules.

Exam trap

Google Cloud often tests the misconception that firewall rules are evaluated based on specificity (most restrictive wins) or creation order, but GCP explicitly uses a numeric priority system where lower numbers take precedence, not the breadth of the rule's match criteria.

How to eliminate wrong answers

Option A is wrong because direction does not set an order: a connection is subject to ingress rules at the receiving VM and egress rules at the sending VM, each evaluated independently by priority. Option C is wrong because GCP never ranks rules by how narrow their match is; a /32 deny at priority 2000 loses to a 0.0.0.0/0 allow at priority 1000. The only tiebreak is at equal priority, where deny beats allow. Option D is wrong because creation order has no effect; only the priority field dictates the sequence.

655
MCQmedium

A company uses VPC Flow Logs to analyze traffic patterns. They notice that the logs show only 50% of the actual flows. What is the most likely cause?

A.The subnet does not have Flow Logs enabled.
B.The default sampling rate of 50% is applied.
C.Flow Logs are only generated for incoming traffic.
D.Logs are being filtered by a log sink.
AnswerB

VPC Flow Logs sample only 50% of flows by default.

Why this answer

By default, VPC Flow Logs sample 50% of flows (sampling rate 0.5). Raise it, up to 1.0 for every flow, in the subnet's flow log settings (gcloud compute networks subnets update SUBNET --logging-flow-sampling=1.0); expect log volume and cost to scale with the rate, so for detection use cases decide deliberately which subnets need full capture.

656
MCQmedium

An engineer is configuring a Global SSL Proxy Load Balancer to terminate SSL for a non-HTTP TCP application. They want to minimize latency by allowing the load balancer to reuse connections to backends. Which setting should they adjust?

A.Use a regional TCP proxy load balancer instead
B.Increase the backend service timeout
C.Enable proxy protocol
D.Set the SSL policy to use modern ciphers
AnswerB

A larger timeout allows idle connections to be reused for subsequent requests.

Why this answer

For TCP and SSL proxy load balancers the backend service timeout is an idle timeout on the backend connection, so raising it keeps idle connections open for reuse by later requests instead of reopening, and for SSL re-handshaking, each time. SSL policies only set TLS versions and ciphers; PROXY protocol prepends client address metadata to each connection and changes nothing about reuse; moving to a regional TCP proxy changes scope, not connection handling.

657
MCQhard

A large enterprise has a multi-site on-premises network with two data centers (DC1 and DC2) connected via a private WAN. They are migrating critical applications to Google Cloud and have established a Dedicated Interconnect at each data center, each with a single VLAN attachment (vlan-attachment-1 from DC1, vlan-attachment-2 from DC2) connected to a single VPC network in us-central1. Each VLAN attachment uses a separate Cloud Router (router-us-central1-dc1 and router-us-central1-dc2) with BGP sessions advertising the same on-premises prefixes. The VPC has auto-mode subnet ranges. They notice that traffic from Google Cloud to on-premises is flowing only through DC1, and when DC1's interconnect fails, traffic fails over to DC2, but after DC1 recovers, traffic does not return to DC1. The on-premises routers are advertising the same prefixes with equal MED values. What is the most likely cause and the best corrective action?

A.Configure the on-premises router at DC1 to set a lower MED value for its advertised routes to make DC1 preferred
B.Change the VPC routing mode from auto to custom to force route re-evaluation
C.Disable the BGP session on DC2's Cloud Router during normal operation and re-enable it only when DC1 fails
D.On the Google Cloud Router for DC1, apply a route policy to set a higher local preference for routes learned from DC1
AnswerA

Lower MED means higher learned-route priority on the Cloud Router; once DC1 is reachable again its routes win the comparison and traffic returns.

Why this answer

Option A is correct because, with both on-premises routers advertising the same prefixes with equal MED values, the Cloud Routers install both sets of routes with equal priority and the VPC spreads flows across them; nothing in the selection makes DC1 the primary, and an apparent DC1-only pattern is just where the per-flow hashing happens to land. When DC1's attachment fails, its routes are withdrawn and everything moves to DC2. When DC1 returns, its routes come back with the same priority as DC2's, so there is no signal to move traffic back and the observed flow stays on DC2.

Cloud Router uses the received MED as the priority of the learned route (lower value wins). Having DC1 advertise a lower MED than DC2 makes DC1 preferred in steady state, DC2 the backup during an outage, and DC1 preferred again as soon as it re-advertises. The same MED-to-priority mapping applies to routes learned over Cloud VPN.

Exam trap

The trap is assuming that equal-cost routes imply a deterministic primary and backup. BGP does re-run best-path selection when a route arrives, but with identical attributes there is nothing to prefer, so a 'primary' only exists if you express it, and on the Google side that expression is the MED (learned-route priority) the on-premises routers advertise.

How to eliminate wrong answers

Option B is wrong because the VPC's subnet mode (auto versus custom) only controls how subnets are created; dynamic routing mode (regional versus global) is a separate setting, and neither changes the preference between two equal routes. Option C is wrong because manually disabling DC2's session turns redundant connectivity into a hand-operated failover with longer outages and more operational risk. Option D is wrong because the Cloud Router's preference between routes learned from on-premises is driven by the MED it receives, which is set on the on-premises side; a local preference set on the Google side is not how that comparison is expressed, and lowering the MED at DC1 is the documented way to make Google Cloud prefer that path.

658
MCQhard

A large enterprise has multiple on-premises data centers connected to Google Cloud via a combination of Dedicated Interconnect and Cloud VPN. They have a VPC with subnets in us-east1 and us-west1. The on-premises network advertises a prefix 10.0.0.0/8 to both Cloud Routers (each in different regions) via BGP. The Cloud Routers are configured with 'global' dynamic routing mode. The network team notices that traffic from Google Cloud instances in us-west1 to on-premises destinations in 10.0.0.0/8 is always taking the path to the closest on-premises data center (west coast) even though the west coast data center is currently under high load, causing performance degradation. The east coast data center is underutilized. They want to influence the path selection so that the west coast instances prefer the east coast data center during peak times. They are using BGP. What is the most effective method to achieve this?

A.Set a higher local preference on the west coast Cloud Router for routes received from the east coast data center.
B.Set a higher MED on the west coast data center's BGP advertisements to increase its desirability.
C.Configure the east coast data center to prepend one additional AS path hop to its advertised routes.
D.Use BGP communities to tag routes from the west coast data center under load, and configure Cloud Router to match these communities and adjust the route priority (MED) accordingly.
AnswerD

This allows dynamic adjustment: when the west coast is loaded it tags its routes with a community, and the matching policy worsens the priority of those routes (a higher value, equivalent to a higher MED; lower is preferred), making the east coast routes the better path.

Why this answer

Option D is correct because BGP communities let the west coast data center tag its advertisements only while it is under load. The Cloud Router can then match that community and worsen the priority of those routes (a higher priority value, equivalent to a higher MED; lower is preferred), so the east coast data center's routes for 10.0.0.0/8 win best-path selection and, with global dynamic routing, traffic from us-west1 is steered east. When the load clears the tag is removed and the original preference returns, with no manual reconfiguration on either side.

Exam trap

The trap here is that candidates often confuse MED and local preference, thinking MED influences outbound path selection from the local AS, when in fact MED is used to influence inbound traffic from a neighboring AS, while local preference is used for outbound path selection within the AS.

How to eliminate wrong answers

Option A is wrong because local preference is propagated throughout the AS and would make the east coast routes preferred from every region, not just us-west1; it is also a static setting that does not respond to load. Option B is wrong because a higher MED makes a route less preferred, not more; the option's rationale is backwards, and even with the sign corrected it would be a permanent change rather than one that applies only during peak load. Option C is wrong because AS path prepending makes the prepended routes less attractive; prepending on the east coast data center would push traffic further toward the already loaded west coast, the opposite of what is needed.
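Questions 653, 657 and 658 all turn on the same mechanism on the Google side: the MED received from on-premises becomes the priority of the learned route, lower wins, and ties are installed together. The block below is an added example for this page, not Cloud Router code; it models that rule and replays both the failover and failback sequence of question 657 and the load-shedding move of question 658. The prefix, peer names and MED values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Learned:
    prefix: str
    peer: str    # name of the BGP session the route arrived on
    med: int     # MED carried by the on-premises advertisement


class CloudRouterRib:
    """Learned-route competition as Cloud Router resolves it: the MED of a
    received route is used as its priority (lower wins); routes sharing the
    best priority are all installed and flows are spread across them (ECMP).
    Modelled from the documented behaviour; there is no local preference
    knob on this side."""

    def __init__(self):
        self.routes = {}          # (prefix, peer) -> Learned
        self.sessions_up = set()

    def session_up(self, peer, advertisements):
        """Session (re)established: (re)learn everything the peer sends."""
        self.sessions_up.add(peer)
        for adv in advertisements:
            self.routes[(adv.prefix, adv.peer)] = adv

    def session_down(self, peer):
        """Session lost: BGP withdraws every route learned over it."""
        self.sessions_up.discard(peer)
        self.routes = {k: v for k, v in self.routes.items() if k[1] != peer}

    def best_paths(self, prefix):
        """Sorted peer names whose route for prefix is currently installed."""
        cands = [r for (p, peer), r in self.routes.items()
                 if p == prefix and peer in self.sessions_up]
        if not cands:
            return []
        best = min(r.med for r in cands)
        return sorted(r.peer for r in cands if r.med == best)


ONPREM = "10.0.0.0/8"   # constructed prefix, as in questions 657 and 658


def failover_timeline(dc1_med, dc2_med):
    """Question 657: DC1 fails and recovers; what is installed at each step."""
    rib = CloudRouterRib()
    steps = []
    rib.session_up("dc1", [Learned(ONPREM, "dc1", dc1_med)])
    rib.session_up("dc2", [Learned(ONPREM, "dc2", dc2_med)])
    steps.append(("steady", rib.best_paths(ONPREM)))
    rib.session_down("dc1")
    steps.append(("dc1-down", rib.best_paths(ONPREM)))
    rib.session_up("dc1", [Learned(ONPREM, "dc1", dc1_med)])
    steps.append(("dc1-back", rib.best_paths(ONPREM)))
    return steps


def steer_away_from(loaded_peer, med_bump=50):
    """Question 658: both sites equal, then the loaded site worsens its own
    routes by re-advertising with a higher MED, as a community-triggered
    policy would make happen."""
    rib = CloudRouterRib()
    rib.session_up("east", [Learned(ONPREM, "east", 100)])
    rib.session_up("west", [Learned(ONPREM, "west", 100)])
    before = rib.best_paths(ONPREM)
    rib.session_up(loaded_peer, [Learned(ONPREM, loaded_peer, 100 + med_bump)])
    return before, rib.best_paths(ONPREM)


if __name__ == "__main__":
    print("equal MED   :", failover_timeline(100, 100))
    print("DC1 lower   :", failover_timeline(100, 200))
    print("west loaded :", steer_away_from("west"))
```

With equal MEDs the model ends the sequence with both sites installed, which is why question 657's traffic never 'returns' to DC1: there was never a primary. With DC1 at a lower MED, DC1 is alone in steady state, DC2 carries the outage, and DC1 is alone again after recovery.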

659
Multi-Selectmedium

A company is planning to connect multiple VPCs in different projects to a common on-premises network using a hub-and-spoke topology. They want to use Network Connectivity Center (NCC). Which TWO components are required to set up this topology?

Select 2 answers
A.VPC Network Peering
B.NCC hub
C.Dedicated Interconnect VLAN attachments
D.Cloud Router
E.VPC spokes
AnswersB, E

The hub is the central routing entity in NCC.

Why this answer

NCC is built from a hub and its spokes. VPC spokes attach the company's VPC networks to the hub, and the on-premises side attaches as hybrid spokes (Interconnect VLAN attachments, Cloud VPN tunnels or router appliance instances). Cloud Router, Interconnect and VPN are the underlying resources those hybrid spokes reference rather than NCC components in their own right, and VPC Network Peering is a separate, non-transitive mechanism that the hub replaces in this topology.

660
MCQhard

A company uses Shared VPC with a host project and multiple service projects. A service project administrator wants to create a VM with an internal IP from a specific subnet in the host project. The operation fails with a permission error. What is the most likely missing permission?

A.resourcemanager.projects.get on the host project.
B.compute.subnetworks.use on the host project subnet.
C.compute.instances.create on the service project.
D.compute.networks.use on the host project VPC.
AnswerB

compute.subnetworks.use grants use of that specific subnet and is part of roles/compute.networkUser.

Why this answer

Option B is correct because a service project principal who creates a VM in a shared subnet needs compute.subnetworks.use on that subnet in the host project (and compute.subnetworks.useExternalIp if the VM gets an external address). Both permissions are in roles/compute.networkUser, which can be granted on the whole host project or, for least privilege, on individual subnets. Option D is wrong because compute.networks.use applies to the VPC network as a whole and is not what controls placing an interface in a particular subnet; the subnet-scoped permission is the specific one the error points at. Option C is wrong because compute.instances.create on the service project is needed to create any VM there, but the failure is specific to the host project subnet. Option A is wrong because resourcemanager.projects.get only lets the caller read project metadata.

661
MCQhard

A financial services company is deploying a multi-tier application in a custom VPC with three subnets: web (10.0.1.0/24), app (10.0.2.0/24), and db (10.0.3.0/24). They use a Cloud VPN with dynamic routing (BGP) to connect to their on-premises data center (10.1.0.0/16). The on-premises network administrator reports that traffic from the web tier (10.0.1.0/24) to on-premises is working, but traffic from the app tier (10.0.2.0/24) to on-premises is failing. The company uses an Identity-Aware Proxy (IAP) for SSH access. The following configurations are in place: - Cloud Router advertises all VPC subnets via BGP. - On-premises router advertises 10.1.0.0/16. - Firewall rules allow all traffic from 10.0.0.0/16 to 10.1.0.0/16. - The app tier instances have a network tag 'app-tier' and a service account 'app-sa@project.iam.gserviceaccount.com'. - There is a firewall rule with priority 1000 that denies egress from tags 'app-tier' to 10.1.0.0/16. What is the most likely cause of the failure?

A.The service account 'app-sa' does not have permissions to send traffic through the VPN.
B.IAP is blocking traffic from the app tier because it is not configured for that subnet.
C.A firewall egress rule with priority 1000 denies traffic from instances with tag 'app-tier' to 10.1.0.0/16.
D.The Cloud Router is not advertising the 10.0.2.0/24 subnet to on-premises.
AnswerC

This deny rule explicitly blocks the traffic, overriding any lower-priority allow rules.

Why this answer

Option C is correct because the egress rule at priority 1000 explicitly denies traffic from instances tagged 'app-tier' to 10.1.0.0/16. Rules are evaluated from the lowest priority number upward and the first match decides, so this deny beats any allow rule with a higher number; if the allow rule for 10.0.0.0/16 to 10.1.0.0/16 also sits at the default priority 1000, deny still wins because deny takes precedence over allow at equal priority. The allow would only prevail if it were given a lower priority number than the deny. The fact that web tier traffic works confirms routing and the VPN are functional, which isolates the issue to the egress deny rule targeting the app tier.

Exam trap

Google Cloud often tests the misconception that service accounts or IAP control network-level traffic, when in reality firewall rules and routing are the only mechanisms that govern packet flow between VPC subnets and on-premises networks.

How to eliminate wrong answers

Option A is wrong because service accounts do not control network traffic permissions; they control API authorization via IAM roles, not packet-level routing or firewall decisions. Option B is wrong because IAP is used for SSH/RDP access and does not block general application traffic between subnets and on-premises; it operates at the application layer for administrative access, not at the network layer for inter-VPC or VPN traffic. Option D is wrong because the Cloud Router advertises all VPC subnets via BGP, and the web tier (10.0.1.0/24) works, proving that the app subnet (10.0.2.0/24) is also advertised; otherwise, web traffic would also fail.
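Questions 654 and 661 both come down to the same evaluation rule, which the block below implements as an added example for this page (not Google code): match by direction, target tag, remote range, protocol and port; order the matches by priority number with deny ahead of allow at equal priority; fall back to the implied rules. The rule set is constructed to mirror question 661, with an extra catch-all deny at 65534 to show that a priority-1000 allow beats it, and an IAP ingress rule using Google's published 35.235.240.0/20 TCP-forwarding range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                    # "INGRESS" or "EGRESS"
    priority: int                     # 0..65535, lower number evaluated first
    action: str                       # "allow" or "deny"
    ranges: tuple = ("0.0.0.0/0",)    # source ranges (ingress) / destination ranges (egress)
    target_tags: tuple = ()           # empty means every instance in the VPC
    protocol: str = "all"             # "all", "tcp", "udp", ...
    ports: tuple = ()                 # empty means any port


@dataclass(frozen=True)
class Conn:
    """A connection as seen from the VM the rules are applied to."""
    direction: str
    remote_ip: str       # source for INGRESS, destination for EGRESS
    protocol: str
    port: int
    instance_tags: tuple = ()


def matches(rule: Rule, conn: Conn) -> bool:
    if rule.direction != conn.direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(conn.instance_tags):
        return False
    ip = ipaddress.ip_address(conn.remote_ip)
    if not any(ip in ipaddress.ip_network(r) for r in rule.ranges):
        return False
    if rule.protocol != "all" and rule.protocol != conn.protocol:
        return False
    if rule.ports and conn.port not in rule.ports:
        return False
    return True


def evaluate(rules, conn: Conn):
    """Return (action, rule_name) for the rule that decides this connection.

    Ordering mirrors VPC firewall semantics: lowest priority number first,
    and at equal priority a deny is ranked before an allow. With no match the
    implied rules apply: ingress denied, egress allowed, both at 65535.
    """
    hits = sorted((r for r in rules if matches(r, conn)),
                  key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    if hits:
        return hits[0].action, hits[0].name
    if conn.direction == "INGRESS":
        return "deny", "implied-deny-ingress"
    return "allow", "implied-allow-egress"


# Constructed rule set for question 661. 35.235.240.0/20 is Google's
# published source range for IAP TCP forwarding (SSH through IAP).
RULES = (
    Rule("allow-to-onprem", "EGRESS", 1000, "allow", ranges=("10.1.0.0/16",)),
    Rule("deny-app-tier-to-onprem", "EGRESS", 1000, "deny",
         ranges=("10.1.0.0/16",), target_tags=("app-tier",)),
    Rule("deny-all-egress", "EGRESS", 65534, "deny"),
    Rule("allow-ssh-from-iap", "INGRESS", 900, "allow",
         ranges=("35.235.240.0/20",), protocol="tcp", ports=(22,)),
)


def decide(direction, remote_ip, protocol, port, *tags):
    return evaluate(RULES, Conn(direction, remote_ip, protocol, port, tuple(tags)))


if __name__ == "__main__":
    print("web  -> on-prem :", decide("EGRESS", "10.1.5.5", "tcp", 443, "web-tier"))
    print("app  -> on-prem :", decide("EGRESS", "10.1.5.5", "tcp", 443, "app-tier"))
    print("IAP  -> ssh     :", decide("INGRESS", "35.235.240.10", "tcp", 22, "app-tier"))
    print("internet -> ssh :", decide("INGRESS", "203.0.113.7", "tcp", 22, "app-tier"))
```

Re-run the app-tier case with the allow rule moved to priority 900 and the deny no longer decides, which is the least invasive fix if the deny must stay in place for other destinations; the IAP case shows why the service account in option A is irrelevant, since nothing in the evaluation looks at identity.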

662
MCQhard

A large e-commerce company has a hybrid cloud setup with a Dedicated Interconnect between their on-premises data center in Dallas and Google Cloud us-central1 region. They have a single VLAN attachment with a Cloud Router that uses BGP to exchange routes. The on-premises network uses 10.0.0.0/8, and Google Cloud VPC uses 172.16.0.0/16. They recently deployed a new application in us-west1 that uses IP range 172.17.0.0/16. They created a VPC peering between the us-central1 VPC and the us-west1 VPC. On-premises users can reach the us-central1 workloads but cannot reach the us-west1 application. There are no firewall rules blocking traffic. The on-premises router has a default route pointing to the Interconnect. What is the most likely cause of the issue?

A.The Cloud Router does not have routes for 172.17.0.0/16 because VPC peering does not automatically propagate routes to Cloud Router
B.BGP is not configured between Cloud Router and us-west1 VPC
C.Firewall rules in us-west1 are blocking traffic from the on-premises IP range
D.The Dedicated Interconnect is only available in us-central1 and cannot reach us-west1
AnswerA

By default Cloud Router advertises only its own VPC's subnet ranges, so the peered VPC's 172.17.0.0/16 is never announced to on-premises and the peered VPC never learns the on-premises routes. Fix it with custom route advertisement on the Cloud Router for 172.17.0.0/16 and enable custom route export and import on the peering so the us-west1 VPC learns 10.0.0.0/8, or give the us-west1 VPC its own VLAN attachment or VPN.

Why this answer

Cloud Router advertises the subnet ranges of the VPC it belongs to, plus any ranges added through custom route advertisement. Routes the us-central1 VPC learned over peering are not in that set, so the on-premises router is never told about 172.17.0.0/16. Its default route still pushes those packets over the Interconnect, but the us-west1 VPC has no route back to 10.0.0.0/8 unless the peering exports and imports custom routes, so replies are dropped there. The cause is the missing route exchange for the peered range, in both directions, not a firewall.

Exam trap

The trap is assuming VPC peering makes a peered network reachable from on-premises through the other network's Interconnect. Peering is not transitive: the on-premises router learns nothing about the peered range unless you add it to the Cloud Router's custom advertisements, and the peered VPC learns nothing about on-premises unless the peering exports and imports custom routes.

How to eliminate wrong answers

Option B is wrong because BGP is configured between the Cloud Router and the on-premises router, not between Cloud Router and the us-west1 VPC; VPC peering does not involve BGP. Option C is wrong because the question explicitly states there are no firewall rules blocking traffic, so firewall rules in us-west1 are not the cause. Option D is wrong because a Dedicated Interconnect in us-central1 can reach us-west1 via Google’s internal network; the limitation is not geographic but rather the lack of route propagation from the peered VPC to the Cloud Router.

663
MCQeasy

What is the internal DNS name format for a Compute Engine instance named 'web-server' in zone 'us-central1-a' within project 'my-project'?

A.web-server.us-central1-a.my-project.internal
B.web-server.my-project.c.us-central1-a.internal
C.web-server.internal
D.web-server.us-central1-a.c.my-project.internal
AnswerD

This is the correct format.

Why this answer

GCP internal DNS uses the format vm-name.zone.c.project-id.internal. For the given example, it is web-server.us-central1-a.c.my-project.internal.

664
Multi-Selectmedium

A company wants to reduce outbound data transfer costs from Compute Engine to the internet. Which TWO strategies are effective?

Select 2 answers
A.Enable Private Google Access on subnets
B.Deploy a Squid proxy instance to cache content
C.Use a regional external HTTP(S) load balancer instead of global
D.Move all instances to the same region
E.Implement Cloud CDN for static content
AnswersC, E

A regional external load balancer uses Standard Tier networking, whose internet egress is billed at a lower rate than Premium Tier.

Why this answer

Cloud CDN serves cached static responses from Google's edge, so repeat requests never generate egress from the backend. A regional external load balancer is delivered over Standard Tier, whose internet egress is cheaper than Premium Tier, at the cost of regional-only reach and no Google-network transit to the client. Private Google Access only affects traffic to Google APIs, which is not internet egress in the first place.

A Squid cache in front of your instances reduces the bytes your instances fetch from the internet (ingress, which is free), not the bytes they send; and placing instances in the same region changes inter-region charges, not internet egress.

665
MCQhard

An organization is using Cloud VPN with dynamic routing (BGP) to connect their on-premises network to Google Cloud. They notice that traffic from Google Cloud to on-premises is not using the VPN tunnel but instead going through the internet. They have verified that the VPN tunnel is up and BGP sessions are established. Which configuration issue is most likely causing this behavior?

A.The Cloud Router BGP IP address is misconfigured
B.The pre-shared key for the VPN tunnel is mismatched
C.The on-premises BGP ASN is incorrect
D.The on-premises router is not advertising the on-premises CIDR via BGP
AnswerD

Without the route advertisement, Google Cloud cannot route traffic to on-premises via the VPN.

Why this answer

Option D is correct because if the on-premises router does not advertise the on-premises CIDR via BGP, the Cloud Router will not have a route to that network in its routing table. Even though the VPN tunnel is up and BGP sessions are established, without the specific prefix being advertised, Google Cloud will use its default route (0.0.0.0/0) to send traffic to on-premises over the internet instead of through the VPN tunnel.

Exam trap

The trap here is that candidates assume a working VPN tunnel and established BGP session guarantee traffic flows correctly, but they overlook the critical requirement that the on-premises CIDR must be explicitly advertised via BGP for Cloud Router to install a specific route over the VPN.

How to eliminate wrong answers

Option A is wrong because a misconfigured Cloud Router BGP IP address would prevent the BGP session from establishing, but the question states BGP sessions are established. Option B is wrong because a mismatched pre-shared key would cause the IPsec tunnel to fail to come up, but the question confirms the VPN tunnel is up. Option C is wrong because an incorrect on-premises BGP ASN would cause the BGP session to fail to establish or be rejected, but the question explicitly states BGP sessions are established.

666
MCQeasy

A company is using Cloud DNS for private zone resolution within their VPC. They have a private zone for 'example.internal' and have attached it to the VPC. When they create a new Compute Engine VM and try to resolve 'myapp.example.internal', it fails. What is the most likely cause?

A.The private zone is not attached to the VPC
B.The VM's /etc/resolv.conf does not point to Cloud DNS
C.Firewall rule blocking DNS traffic (UDP 53) to the metadata server
D.The record 'myapp.example.internal' does not exist in the zone
AnswerD

Private zone is authoritative; records must be added explicitly.

Why this answer

Option D is correct because the most likely cause of a failure for one name in an otherwise working zone is that the record was never created. The zone is attached to the VPC, so resolution reaches it; Cloud DNS then answers NXDOMAIN for a name it is authoritative for but has no record for. Confirm from the VM with dig myapp.example.internal @169.254.169.254: an NXDOMAIN whose authority section carries the example.internal SOA shows the private zone was consulted and simply lacks the record, whereas a timeout or SERVFAIL would point somewhere else.

Exam trap

Google Cloud often tests the misconception that DNS failures in a private zone are due to firewall rules or resolver configuration, when in fact the metadata server handles DNS transparently and the most common cause is a missing DNS record.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the private zone is attached to the VPC, so this is not the cause. Option B is wrong because Compute Engine VMs automatically have their /etc/resolv.conf configured to use the metadata server (169.254.169.254) which proxies DNS queries to Cloud DNS; manual configuration is not required. Option C is wrong because DNS traffic to the metadata server uses a special internal path that does not traverse standard firewall rules; UDP 53 to 169.254.169.254 is allowed by default and not blocked by VPC firewall rules.

667
MCQmedium

A company wants to distribute traffic across multiple backend services based on the geographic location of the user. They are using an external HTTPS load balancer. Which routing configuration should they use?

A.Use a URL map with route rules that match on the Host header
B.Configure the load balancer with a weighted round-robin routing policy
C.Use a URL map with route rules that use a header matching condition based on Cloud Armor geo headers
D.Use Cloud DNS with geolocation routing policy to direct users to different load balancers
AnswerC

Cloud Armor security policies can insert geo headers, and URL map rules can match on those headers to route to different backends.

Why this answer

The URL map of a load balancer supports route rules that choose a backend service from attributes of the request. Geographic routing can be approached in several ways, including advanced traffic management with weighted routing by origin region, but for a single external HTTPS load balancer the practical method is a URL map whose route rules match on request headers, such as the geo headers Cloud Armor can insert, and send matching requests to a region-specific backend service. A backend bucket with Cloud CDN is a separate option for static content.

The most common method is therefore a global load balancer with a URL map whose route rules carry a condition on the client's geographic location, for example through a pre-defined variable like {client_region}.

668
MCQmedium

An organization wants to design IP addresses for their GCP VPC that will be peered with an on-premises network using 10.0.0.0/8. Which subnet IP range should they avoid to prevent overlap?

A.10.1.0.0/16
B.192.168.0.0/16
C.10.0.0.0/8
D.172.16.0.0/12
AnswerA

This overlaps with 10.0.0.0/8.

Why this answer

Option A (10.1.0.0/16) is correct because the on-premises network uses 10.0.0.0/8, which encompasses all IPs from 10.0.0.0 to 10.255.255.255. The subnet 10.1.0.0/16 falls entirely within this range, so peering would cause an IP address overlap, breaking routing between the VPC and on-premises. GCP VPC peering requires non-overlapping CIDR blocks to avoid conflicts.

Exam trap

The trap here is that candidates assume only exact CIDR matches cause overlap, but any subnet that is a subset of the on-premises range (like 10.1.0.0/16 within 10.0.0.0/8) also overlaps and must be avoided.

How to eliminate wrong answers

Option B (192.168.0.0/16) is wrong because it is a private IPv4 range (RFC 1918) that does not overlap with 10.0.0.0/8, so it is safe to use for the VPC. Option C (10.0.0.0/8) is wrong because it is the exact same range as the on-premises network, causing a complete overlap and making peering impossible. Option D (172.16.0.0/12) is wrong because it is another RFC 1918 private range (172.16.0.0 to 172.31.255.255) that does not intersect with 10.0.0.0/8, so it is also safe.
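The exam trap above is that an exact-match comparison misses subset overlap. The following added example (not part of the question bank) uses Python's standard ipaddress module to classify each candidate range from question 668 against the on-premises 10.0.0.0/8; the candidate values are the question's own, and the naive check is included to show what it misses.

```python
import ipaddress

# Constructed input: the on-premises range and the four candidate VPC subnets
# from question 668. Added example, not code from the original page.
ON_PREM = "10.0.0.0/8"
CANDIDATES = {
    "A": "10.1.0.0/16",
    "B": "192.168.0.0/16",
    "C": "10.0.0.0/8",
    "D": "172.16.0.0/12",
}


def overlap_kind(candidate: str, existing: str = ON_PREM) -> str:
    """Classify how `candidate` relates to `existing`.

    Returns 'identical', 'subset' (candidate lies inside existing),
    'superset' (candidate contains existing) or 'disjoint'.
    ipaddress.overlaps() detects all three overlap cases, which is
    exactly what an exact-match comparison fails to do.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    base = ipaddress.ip_network(existing, strict=True)
    if cand == base:
        return "identical"
    if not cand.overlaps(base):
        return "disjoint"
    return "subset" if cand.subnet_of(base) else "superset"


def conflicting_candidates(candidates: dict, existing: str = ON_PREM) -> dict:
    """Return the candidates that cannot coexist with `existing`, with the
    reason for each; disjoint ranges are safe and omitted."""
    verdicts = {label: overlap_kind(cidr, existing) for label, cidr in candidates.items()}
    return {label: kind for label, kind in verdicts.items() if kind != "disjoint"}


def naive_exact_match(candidate: str, existing: str = ON_PREM) -> bool:
    """The mistaken check from the exam trap: only an exact CIDR match is
    flagged, so 10.1.0.0/16 is wrongly reported as safe."""
    return candidate == existing


if __name__ == "__main__":
    for label, cidr in CANDIDATES.items():
        print(label, cidr, overlap_kind(cidr), "naive:", naive_exact_match(cidr))
```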

669
MCQeasy

A company needs to map multiple domain names to different backend services on a single Global HTTPS Load Balancer. Which resource should they configure to direct traffic based on the requested hostname?

A.Backend service
B.Target proxy
C.SSL certificate
D.URL map
AnswerD

URL map maps hostnames and paths to backend services.

Why this answer

The URL map defines rules for routing based on hostnames and paths. SSL certificates are for termination, target proxies forward traffic, and backend services are the destination.

670
MCQeasy

A company wants to deploy a web application with a public-facing load balancer and a private backend. The backend instances must not have external IPs. Which statement about the VPC configuration is correct?

A.Cloud NAT must be configured for the backend subnet.
B.The backend subnet must have a default route to the internet.
C.Private Google Access must be enabled on the backend subnet.
D.No additional configuration is required beyond creating the subnet.
AnswerD

Backend instances without external IPs can be fronted by a public load balancer without any special network configuration.

Why this answer

Option D is correct because instances without external IPs can still receive traffic from a public load balancer; the load balancer reaches them over the VPC's internal routing. No additional configuration such as NAT or Private Google Access is needed for this purpose. Option A is incorrect because Cloud NAT provides outbound internet access for the instances, which is not required for them to serve load-balanced traffic.

Option B is incorrect because the backend subnet does not need a default route to the internet; traffic from the load balancer arrives through VPC internal routing. Option C is incorrect because Private Google Access is for reaching Google APIs and services, not for load balancer traffic.

671
MCQeasy

A company is using Partner Interconnect with a service provider that requires the use of VLAN attachments. Which type of VLAN attachment should they create in Google Cloud to use the partner's connection?

A.DEDICATED
B.PARTNER
C.PARTNER_PROVIDER
D.CUSTOMER
AnswerB

PARTNER is the correct type for customer-managed VLAN attachments in Partner Interconnect.

Why this answer

For Partner Interconnect, you create a VLAN attachment of type PARTNER. This attachment represents the logical connection to the partner's network. The partner can also use PARTNER_PROVIDER type if they manage the attachment, but from the customer side, it's PARTNER.

672
MCQhard

A company has a Partner Interconnect connection (Layer 2) with a service provider. They need to configure BGP sessions on their on-premises router and Google Cloud Router. The engineer creates a VLAN attachment of type PARTNER. However, the BGP session does not come up. What is the most likely reason?

A.The Cloud Router BGP IP address is not in the same subnet as the VLAN attachment
B.The VLAN attachment type should be PARTNER_PROVIDER
C.The IAM permissions for the Cloud Router are missing
D.The on-premises router is using a different BGP AS number than configured
AnswerA

The BGP IP addresses on Cloud Router and on-premises must be in the same /29 subnet assigned by the VLAN attachment.

Why this answer

In Layer 2 Partner Interconnect, the customer must configure BGP sessions. The VLAN attachment type PARTNER requires the customer to manage BGP. Common issues include incorrect VLAN ID or IP addresses.

673
MCQmedium

An organization runs a web application on Compute Engine behind a regional external HTTP(S) load balancer. They need to log HTTP request details (e.g., user-agent, status codes) to BigQuery for analysis. Which logging feature should they enable?

A.Cloud Armor request logs
B.Load balancing access logs
C.Firewall rules logging
D.VPC Flow Logs on the subnets
AnswerB

Access logs contain request/response details and can be exported to BigQuery.

Why this answer

HTTP(S) load balancers support access logs that can be sent directly to BigQuery. You enable logging on the load balancer and configure the log sink to BigQuery.

674
MCQmedium

A company is designing a hybrid network between their on-premises data center and Google Cloud. They need high availability for traffic between the two environments and want to use Cloud VPN with dynamic routing. Which configuration ensures that if one VPN tunnel fails, traffic automatically fails over to the other tunnel without manual intervention?

A.Create one VPN tunnel and a static route with next hop set to the VPN gateway.
B.Use Cloud Interconnect instead of VPN, and configure two VLAN attachments.
C.Create two VPN tunnels to two separate peer VPN gateways on-premises, and use Cloud Router with BGP to advertise routes from both tunnels.
D.Create two VPN tunnels to the same peer VPN gateway, and configure equal-cost multi-path (ECMP) routing with static routes.
AnswerC

Cloud Router with BGP enables dynamic routing; with two tunnels, BGP will withdraw routes for the failed tunnel, and traffic will use the remaining tunnel automatically.

Why this answer

Option C is correct because it uses two VPN tunnels to separate on-premises peer gateways with Cloud Router and BGP. BGP automatically handles failover by withdrawing routes from the failed tunnel and advertising routes via the healthy tunnel, ensuring traffic fails over without manual intervention. This meets the high availability and dynamic routing requirements specified in the question.

Exam trap

The trap here is that candidates assume two tunnels to the same peer gateway (Option D) provide high availability, but they fail to recognize that the peer gateway itself is a single point of failure, and static routes with ECMP do not support automatic failover without BGP.

How to eliminate wrong answers

Option A is wrong because a single VPN tunnel with a static route provides no redundancy; if the tunnel fails, traffic is blackholed and requires manual route changes. Option B is wrong because Cloud Interconnect with VLAN attachments is a dedicated connection, not Cloud VPN, and the question explicitly requires Cloud VPN with dynamic routing. Option D is wrong because creating two VPN tunnels to the same peer VPN gateway creates a single point of failure; if that gateway goes down, both tunnels fail, and using static routes with ECMP does not provide dynamic failover without manual intervention.

675
Multi-Selecthard

Which THREE of the following are requirements for implementing a Global External HTTP(S) Load Balancer with an external backend?

Select 3 answers
A.The backend must be configured with Private Google Access.
B.The backend must support health checks from the load balancer's health check IP ranges.
C.The backend must have an SSL certificate installed.
D.Firewall rules must allow traffic from the load balancer's IP ranges.
E.The backend must have a public IP address or be accessible via internet.
AnswersB, D, E

Health checks are required for proper traffic routing.

Why this answer

Option B is correct because Global External HTTP(S) Load Balancers use Google's frontend (proxying) IP ranges to send health checks to backends. The backend must allow inbound traffic from these specific health check IP ranges (e.g., 35.191.0.0/16 and 130.211.0.0/22) to receive health probes; otherwise, the load balancer will mark the backend as unhealthy and stop forwarding traffic.

Exam trap

Google Cloud often tests the distinction between health check IP ranges and load balancer forwarding IP ranges, causing candidates to confuse which IP ranges must be allowed in firewall rules for external backends.
