CCNA Designing, planning, and prototyping a GCP network Questions

75 of 103 questions · Page 1/2 · Designing, planning, and prototyping a GCP network · Answers revealed

1
MCQ · medium

A company is deploying an internal load balancer (ILB) in a VPC to distribute traffic among backend instances in a managed instance group. The ILB should only be accessible from within the VPC. Which of the following is a required step when configuring the ILB?

A. Assign a static external IP address to the forwarding rule.
B. Upload an SSL certificate to the load balancer.
C. Specify a subnet in the same region as the backend instances.
D. Create a Cloud NAT gateway for the backend instances.
Answer: C

The ILB's IP is allocated from a subnet in the same region.

Why this answer

An internal load balancer (ILB) in GCP requires a regional forwarding rule that routes traffic to backend instances within the same VPC. Specifying a subnet in the same region as the backend instances is mandatory because the ILB's internal IP address is allocated from that subnet, and the forwarding rule must reference a subnet to enable internal-only routing. Without a subnet, the ILB cannot be provisioned as an internal load balancer.

Exam trap

Google Cloud often tests the misconception that an internal load balancer requires an external IP or SSL termination, but the key requirement is specifying a subnet in the same region as the backends for internal IP allocation.

How to eliminate wrong answers

Option A is wrong because an internal load balancer uses an internal IP address, not an external one; assigning a static external IP would make it an external load balancer, which is not required for internal-only access. Option B is wrong because SSL certificates are only needed for HTTPS/SSL proxy load balancers, not for internal TCP/UDP load balancers, which operate at Layer 4 and do not terminate TLS. Option D is wrong because Cloud NAT is used to provide outbound internet access for instances without external IPs, but it is unrelated to inbound traffic distribution via an internal load balancer.

2
MCQ · easy

A developer wants to deploy a single Compute Engine instance that needs to initiate outbound connections to the internet, but should not have a public IP address. Which GCP networking feature must be configured?

A. Cloud NAT on the subnet or VPC
B. Configure Private Google Access for the subnet
C. Assign a static external IP address to the instance
D. Set up an internal HTTP(S) load balancer
Answer: A

Enables outbound internet access without external IP.

Why this answer

Cloud NAT (Network Address Translation) allows private Compute Engine instances to initiate outbound connections to the internet without assigning them public IP addresses. It translates the instance's private IP to a Cloud NAT external IP address for outbound traffic, while unsolicited inbound connections from the internet are blocked. This is the correct solution because the requirement explicitly states no public IP on the instance, yet outbound internet access is needed.

Exam trap

Google Cloud often tests the distinction between Private Google Access (which only reaches Google APIs) and Cloud NAT (which provides general internet access), causing candidates to confuse the two when the question mentions 'outbound connections to the internet' versus 'access to Google services'.

How to eliminate wrong answers

Option B is wrong because Private Google Access enables instances with only internal IPs to reach Google APIs and services (e.g., Cloud Storage, BigQuery) over Google's private network, not general internet destinations. Option C is wrong because assigning a static external IP address directly contradicts the requirement that the instance should not have a public IP address. Option D is wrong because an internal HTTP(S) load balancer distributes traffic among instances within a VPC using private IPs; it does not provide outbound internet connectivity for instances.

3
MCQ · medium

A company has a VPC with a firewall rule that allows SSH (tcp:22) from 0.0.0.0/0. They want to restrict SSH access to only the public IP address of their Cloud VPN gateway. How should they modify the firewall rule?

A. Use Cloud Armor to block all SSH except from the VPN IP.
B. Change the source IP range to the VPN gateway's internal IP address.
C. Change the source IP range to the VPN gateway's public IP address.
D. Use IAP Tunneling instead of SSH firewall rules.
Answer: C

Restricts SSH to traffic coming from the VPN gateway.

Why this answer

The firewall rule currently allows SSH from any source IP (0.0.0.0/0). To restrict access to only the Cloud VPN gateway, you must change the source IP range to the gateway's public IP address, because the SSH connection originates from the VPN gateway's public-facing interface over the internet. Internal IP addresses are not routable over the internet and would not match the source of the incoming SSH traffic.

Exam trap

Google Cloud often tests the misconception that internal IPs can be used as source ranges for internet-originating traffic, leading candidates to choose Option B instead of recognizing that the source IP of the SSH connection is the VPN gateway's public IP.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall for HTTP/S traffic and cannot filter SSH (TCP/22) traffic at the network layer; it operates at Layer 7. Option B is wrong because the VPN gateway's internal IP address is private and not reachable from the internet; the SSH connection comes from the gateway's public IP, so using the internal IP would block all SSH traffic. Option D is wrong because IAP Tunneling is an alternative method for SSH access that does not modify the existing firewall rule; it requires separate IAP configuration and does not restrict the current rule's source range.

4
MCQ · hard

An organization wants to use Shared VPC but restrict access to certain subnets for specific service projects. Which GCP feature should they use?

A. Subnet-level IAM bindings
B. VPC Network Peering
C. VPC Service Perimeters
D. Firewall rules
Answer: A

Allows granular subnet access control for service projects.

Why this answer

Subnet-level IAM bindings allow you to grant roles (e.g., compute.networkUser) on specific subnets within a Shared VPC to service project principals. This restricts access to only those subnets, while the service project can still use the shared network. It is the native GCP mechanism for fine-grained subnet access control in a Shared VPC environment.

Exam trap

The trap here is that candidates confuse VPC Service Perimeters (which control data boundaries for managed services) with subnet-level IAM (which controls compute resource access within a Shared VPC), leading them to pick Option C when the question explicitly asks about restricting access to subnets for service projects.

How to eliminate wrong answers

Option B is wrong because VPC Network Peering connects two separate VPC networks, not a Shared VPC with service projects, and does not support subnet-level access restrictions within a single shared network. Option C is wrong because VPC Service Perimeters (part of VPC Service Controls) restrict data exfiltration from managed services (e.g., BigQuery, Cloud Storage) by defining perimeters around projects, not subnet-level IAM access for compute resources. Option D is wrong because Firewall rules control traffic flow (allow/deny) based on IP addresses, ports, and protocols, but do not control which principals can use or access a subnet; they are not an IAM mechanism.

5
Multi-Select · hard

Which THREE actions are required to configure a High-Availability Cloud VPN (HA VPN) with dynamic routing to an on-premises peer?

Select 3 answers
A. Create two VPN tunnels, each associated with a different Cloud VPN gateway interface
B. Create two separate Cloud Routers, one for each tunnel
C. Allocate two external IP addresses for the Cloud VPN gateway
D. Create a Cloud Router in the same region as the VPN gateway
E. Configure static routes for the remote network in the VPC
Answers: A, C, D

Two tunnels provide redundancy.

Why this answer

Option A is correct because HA VPN requires two tunnels, each attached to a different interface of the Cloud VPN gateway, to provide redundancy and failover. This ensures that if one tunnel or interface fails, traffic can continue through the other tunnel, maintaining connectivity to the on-premises peer.

Exam trap

Google Cloud often tests the misconception that you need separate Cloud Routers for each tunnel, but HA VPN uses a single Cloud Router to manage BGP sessions for both tunnels, and static routes are not used with dynamic routing.

6
MCQ · hard

A large multinational corporation uses a Shared VPC in Google Cloud with multiple service projects. They have a central Cloud NAT configured in the host project in the us-central1 region to provide internet egress for all VMs. Recently, the IT team added a new subnet (10.0.10.0/24) in a service project and deployed VMs there. All other VMs in the same project but in different subnets (e.g., 10.0.1.0/24) can reach the internet, but the new VMs in 10.0.10.0/24 cannot. The Cloud NAT gateway is configured in us-central1 with all IP ranges allowed. The VPC firewall rules allow egress traffic to the internet. The team verified that the VMs have a default route (0.0.0.0/0) with next-hop 'default-internet-gateway' and that the Cloud NAT router's NAT IPs are properly assigned. However, the new subnet's VMs are unable to connect to any external IP. The network engineer suspects that the Cloud NAT's NAT reservations might be the issue, but all NAT IPs are ephemeral. Further investigation shows that the Cloud Router used by Cloud NAT is advertising custom IP ranges via BGP to an on-premises router for a different use case. What is the most likely cause and solution?

A. Remove the new subnet range (10.0.10.0/24) from the custom advertised routes on the Cloud Router associated with the Cloud NAT.
B. Add a static route for 0.0.0.0/0 with next-hop set to the Cloud NAT gateway's IP address in the VPC.
C. Update the VPC firewall rules to explicitly allow egress traffic from the new subnet's IP range to 0.0.0.0/0.
D. Reserve static NAT IPs for the new subnet in the Cloud NAT configuration to ensure that the VMs have a consistent egress IP.
Answer: A

The Cloud Router is advertising that subnet to on-premises, causing Cloud NAT to think traffic for that subnet should be sent through the VPN, not NATed.

Why this answer

The Cloud Router associated with Cloud NAT is advertising custom IP ranges via BGP to an on-premises router. If the new subnet range (10.0.10.0/24) is included in those custom advertised routes, the on-premises router may advertise a more specific route back to the VPC, causing the VMs in that subnet to prefer the on-premises route over the default route (0.0.0.0/0) for internet-bound traffic. Since the on-premises router does not have internet access, the traffic is blackholed.

Removing the subnet range from the custom advertised routes on the Cloud Router resolves the issue by ensuring the default route remains the preferred path for internet egress.

Exam trap

The trap here is that candidates often focus on Cloud NAT configuration or firewall rules, overlooking how BGP custom route advertisements from the Cloud Router can inject more specific routes that override the default route and cause asymmetric routing or blackholing.

How to eliminate wrong answers

Option B is wrong because adding a static route for 0.0.0.0/0 with next-hop set to the Cloud NAT gateway's IP address is not a valid configuration; Cloud NAT is not a next-hop target, and the default route already exists with next-hop 'default-internet-gateway'. Option C is wrong because the VPC firewall rules already allow egress traffic to the internet, and the issue is not firewall-related; the problem is a routing conflict caused by BGP advertisements. Option D is wrong because reserving static NAT IPs would not fix the routing issue; the Cloud NAT is already using ephemeral IPs and the problem stems from the Cloud Router's BGP advertisements overriding the default route for the new subnet.

7
Matching · medium

Match each network troubleshooting command/tool to its function.


Descriptions to match

Tests basic connectivity to an IP address

Traces the path packets take to a destination

Displays network connections and listening ports

Queries DNS to resolve a hostname

Captures and analyzes network packets

Why these pairings

These are common tools for diagnosing network issues.

8
MCQ · easy

A company wants to connect two VPC networks (vpc-a and vpc-b) that both reside in the same Google Cloud project. They need to ensure that all IP ranges in both VPCs can communicate using internal private IP addresses. Which solution should they implement?

A. Use Dedicated Interconnect to connect the VPCs.
B. Enable VPC Network Peering between vpc-a and vpc-b.
C. Set up Cloud VPN tunnels between the two VPCs.
D. Configure Cloud NAT to allow the VPCs to communicate through NAT.
Answer: B

VPC Network Peering allows private RFC 1918 connectivity across two VPCs, regardless of project or region, as long as they are in the same organization or project.

Why this answer

VPC Network Peering directly connects two VPCs within the same project using internal RFC 1918 IP addresses, with no bandwidth limitations and no single point of failure. It allows all subnets in both VPCs to communicate privately without requiring external connectivity, VPN tunnels, or NAT gateways.

Exam trap

Google Cloud often tests the misconception that VPN or Interconnect is required for VPC-to-VPC connectivity, but in Google Cloud, VPC Network Peering is the native, simpler solution for same-project or cross-project private communication.

How to eliminate wrong answers

Option A is wrong because Dedicated Interconnect is a hybrid connectivity solution for connecting on-premises networks to a VPC, not for connecting two VPCs within the same project. Option C is wrong because Cloud VPN tunnels introduce latency, bandwidth limits, and complexity (e.g., BGP configuration) that are unnecessary when VPC Network Peering provides simpler, lower-latency private connectivity. Option D is wrong because Cloud NAT is designed to allow private instances to access the internet outbound, not to enable direct private communication between VPCs; it would force traffic through external IPs and break internal routing.

9
MCQ · easy

A company wants to allow on-premises servers to access Google APIs and services through a Dedicated Interconnect without using public IPs. What should they configure?

A. Enable Private Google Access on the VPC subnet.
B. Set up VPC Network Peering.
C. Configure Private Service Connect.
D. Configure Cloud Router with custom route advertisement.
Answer: A

This enables private access to Google APIs via the interconnect.

Why this answer

Private Google Access enables on-premises hosts connected via Dedicated Interconnect to reach Google APIs and services using internal IP addresses. When enabled on the VPC subnet, traffic destined for Google APIs is routed through the interconnect without needing public IPs, as the VPC uses its default routes and Cloud NAT-like functionality to forward requests to Google's internal addresses.

Exam trap

Google Cloud often tests the misconception that Private Service Connect or Cloud Router alone can provide private API access from on-premises, but the key requirement is enabling Private Google Access on the subnet to route API traffic through the interconnect without public IPs.

How to eliminate wrong answers

Option B is wrong because VPC Network Peering connects two VPC networks, not on-premises networks to Google APIs; it does not provide access to Google APIs from on-premises via interconnect. Option C is wrong because Private Service Connect is used to privately access managed services (e.g., Google APIs) from within a VPC using endpoints, but it does not extend that access to on-premises networks over Dedicated Interconnect without additional configuration like Private Google Access. Option D is wrong because Cloud Router with custom route advertisement manages dynamic routing (BGP) between on-premises and GCP, but it does not by itself enable access to Google APIs without public IPs; Private Google Access must be explicitly enabled on the subnet.

10
MCQ · medium

Your company has a hybrid network architecture with two Cloud VPN tunnels (tunnel-a and tunnel-b) from an on-premises router to a Cloud VPN gateway in us-central1, and one Dedicated Interconnect connection from the same on-premises router to a VLAN attachment in us-east1. All connections use BGP to exchange routes. The on-premises router advertises the same CIDR block 10.0.0.0/8 to both VPN and Interconnect. Google Cloud routes for on-premises prefixes are learned via both paths with the same priority. You notice that traffic from Google Cloud VMs in us-central1 to on-premises destinations sometimes fails during periods of high load. Additionally, you observe ICMP redirects from the VMs. What is the most likely cause and recommended action?

A. Configure BGP ASN prepending on the Cloud Router associated with the VPN tunnels to make the Interconnect path more preferred for on-premises traffic back to Google Cloud.
B. Create a second Cloud VPN gateway in us-east1 and establish a separate VPN tunnel from on-premises to that gateway to provide symmetric routing.
C. Enable source NAT on the Cloud VPN gateway so that VMs' source IPs are rewritten, preventing ICMP redirects.
D. Disable route propagation on the Cloud Router in us-east1 to force all traffic through the VPN tunnels.
Answer: A

ASN prepending makes the VPN path less desirable, causing return traffic to use the Interconnect connection, achieving symmetric routing.

Why this answer

The issue is asymmetric routing: traffic from Google Cloud VMs in us-central1 to on-premises destinations uses the Interconnect (us-east1) due to equal-cost multipath (ECMP) or routing decisions, but return traffic from on-premises may prefer the VPN tunnels (tunnel-a/tunnel-b) because BGP path selection (e.g., local preference, AS path length) is not influenced. This causes ICMP redirects and failures under load. Option A corrects this by using BGP ASN prepending on the Cloud Router for the VPN tunnels, artificially lengthening the AS path for routes learned via VPN, making the Interconnect path more preferred for return traffic, ensuring symmetric routing.

Exam trap

The trap here is that candidates confuse ICMP redirects with a NAT or firewall issue, rather than recognizing them as a classic symptom of asymmetric routing in a multi-homed BGP environment, and they overlook the simple BGP path manipulation technique of ASN prepending to enforce symmetric routing.

How to eliminate wrong answers

Option B is wrong because creating a second VPN gateway in us-east1 does not solve the asymmetric routing problem; it adds another path without influencing path preference, and the core issue is route selection, not geographic proximity. Option C is wrong because source NAT on the Cloud VPN gateway would break end-to-end IP connectivity and does not address the routing asymmetry; ICMP redirects are a symptom of asymmetric routing, not a source IP issue. Option D is wrong because disabling route propagation on the Cloud Router in us-east1 would remove the Interconnect route entirely, forcing all traffic through VPN tunnels, which defeats the purpose of using Dedicated Interconnect and may cause performance degradation or single-path failure.

11
MCQ · hard

A company has a VPC with subnets in us-east1 and europe-west1. They have a Compute Engine instance in us-east1 with an internal IP 10.0.1.2. They need to allow SSH (port 22) from a specific on-premises IP 203.0.113.5 via Cloud VPN. The Cloud VPN tunnel uses a Cloud Router with BGP. The on-premises network advertises the route for 203.0.113.5/32 to the Cloud Router. Which firewall rule must be created?

A. Ingress rule: source 203.0.113.5/32, destination 169.254.0.1/32, tcp:22
B. Ingress rule: source 10.0.1.2/32, destination 203.0.113.5/32, tcp:22
C. Ingress rule: source 0.0.0.0/0, destination 203.0.113.5/32, tcp:22
D. Ingress rule: source 203.0.113.5/32, destination 10.0.1.2/32, tcp:22
Answer: D

Allows SSH from on-premises IP to the instance.

Why this answer

Option D is correct because firewall rules in GCP are stateful and applied at the instance level, not the VPN tunnel. The rule must allow ingress traffic from the on-premises source IP (203.0.113.5/32) to the Compute Engine instance's internal IP (10.0.1.2/32) on TCP port 22. The Cloud VPN and Cloud Router handle routing, but the firewall rule explicitly defines the allowed traffic flow.

Exam trap

The trap here is that candidates often confuse the direction of traffic in firewall rules, mistakenly thinking the on-premises IP should be the destination (as in Option B) or that the VPN tunnel's link-local address is the correct destination (as in Option A), when in fact the rule must match the actual source and destination IPs of the SSH session.

How to eliminate wrong answers

Option A is wrong because the destination 169.254.0.1/32 is a link-local address used for BGP peering between the Cloud Router and the VPN tunnel, not the Compute Engine instance; SSH traffic must reach the instance's internal IP. Option B is wrong because it reverses the source and destination: the on-premises host (203.0.113.5) is the source initiating SSH, not the destination, and the rule would incorrectly allow traffic from the instance to the on-premises host. Option C is wrong because it allows SSH from any source (0.0.0.0/0), which violates the requirement to restrict access to only the specific on-premises IP 203.0.113.5, creating a security risk.

12
MCQ · hard

A global application uses a global external HTTPS load balancer with backend NEGs in multiple regions. The content is static and must be cached at edge locations to reduce latency. Which GCP service should be enabled?

A. Cloud CDN
B. Cloud Storage
C. Cloud NAT
D. Cloud Memorystore
Answer: A

Provides edge caching for content.

Why this answer

Cloud CDN is the correct service because it leverages Google's global edge cache network to cache static content from an external HTTPS load balancer with backend NEGs. When enabled, Cloud CDN intercepts requests at edge locations and serves cached responses, reducing latency and offloading origin servers. This directly addresses the requirement to cache static content at edge locations for a global application.

Exam trap

The trap here is confusing Cloud CDN (edge caching) with Cloud Memorystore (backend caching) or Cloud Storage (origin storage), as candidates may think any caching service works at the edge, but only Cloud CDN integrates with the external HTTPS load balancer and Google's edge PoPs.

How to eliminate wrong answers

Option B (Cloud Storage) is wrong because Cloud Storage is a scalable object storage service, not a content delivery network; it can serve static content but does not provide edge caching without Cloud CDN enabled on the bucket. Option C (Cloud NAT) is wrong because Cloud NAT provides outbound internet connectivity for private instances, not inbound caching or content delivery. Option D (Cloud Memorystore) is wrong because Cloud Memorystore is a managed in-memory cache (Redis/Memcached) for backend caching, not an edge caching service; it operates within a VPC, not at Google's edge locations.

13
MCQ · hard

An organization is using Shared VPC with 100 service projects. They want to allow each service project to manage its own Cloud NAT, but the network administration team wants to control the outbound IP addresses used. What is the best design?

A. Create a single Cloud NAT in the host project and share it
B. Use a NAT instance with an external IP in the host project and route traffic from service projects
C. Create Cloud NAT in each service project with the same external IPs
D. Use Private Google Access with Cloud NAT in the host project
Answer: B

Network team controls the IP, service projects can manage routes to use it.

Why this answer

Option B is correct because a NAT instance in the host project allows the network administration team to control the outbound IP addresses (by attaching a static external IP to the instance) while service projects can manage their own Cloud NAT configurations for outbound traffic. The NAT instance acts as a centralized egress point, and service project traffic is routed to it via custom routes or policy-based routing, meeting both requirements: service project autonomy for NAT management and centralized IP control.

Exam trap

Google Cloud often tests the misconception that Cloud NAT can be shared across VPCs or service projects, or that multiple Cloud NATs can reuse the same external IP, leading candidates to pick Option A or C without realizing Cloud NAT's per-VPC and per-region scope and IP uniqueness constraints.

How to eliminate wrong answers

Option A is wrong because a single Cloud NAT in the host project cannot be 'shared' across service projects; Cloud NAT is per-VPC network and per-region, and service projects would need to use the host project's NAT, which prevents them from managing their own Cloud NAT. Option C is wrong because creating Cloud NAT in each service project with the same external IPs is not possible—Cloud NAT assigns ephemeral or static IPs per NAT gateway, and multiple service projects cannot use identical external IPs without complex, unsupported configurations. Option D is wrong because Private Google Access with Cloud NAT in the host project only enables outbound connections to Google APIs and services, not general internet egress, and still does not allow service projects to manage their own Cloud NAT.

14
MCQ · hard

An organization is connecting their on-premises data center to GCP using Dedicated Interconnect with multiple VLAN attachments. They have configured Cloud Router with BGP sessions for each VLAN attachment. They notice that traffic from GCP to on-premises is not load-balanced across the attachments; instead, all traffic uses a single link. What is the most likely cause?

A. Cloud Router's BGP is not configured for multipath; it selects only one best path per prefix.
B. The on-premises router is not advertising the same routes over all BGP sessions.
C. The VLAN attachments have different bandwidths, causing BGP to prefer the higher bandwidth link.
D. The BGP keepalive timers are misconfigured, causing session flapping.
Answer: A

BGP multipath must be enabled to load-balance across multiple equal-cost paths.

Why this answer

Cloud Router uses BGP to exchange routes with the on-premises router. By default, BGP selects only a single best path per prefix based on the lowest MED, weight, local preference, AS-path length, or IGP metric. Without BGP multipath enabled (e.g., 'maximum-paths' or 'bgp multipath' configuration), Cloud Router will not load-balance traffic across multiple VLAN attachments even if multiple equal-cost paths are available.

This causes all traffic to egress through a single link.

Exam trap

The trap here is that candidates often assume BGP automatically load-balances across multiple equal-cost paths, but BGP requires explicit multipath configuration to enable ECMP; otherwise, it selects only one best path per prefix.

How to eliminate wrong answers

Option B is wrong because if the on-premises router were not advertising the same routes over all BGP sessions, Cloud Router would not see multiple paths at all, but the question states that traffic is not load-balanced across the attachments, implying multiple paths are received but not used equally. Option C is wrong because BGP does not consider link bandwidth in its path selection algorithm; bandwidth is not a standard BGP attribute, and Cloud Router does not use bandwidth to influence path preference. Option D is wrong because misconfigured BGP keepalive timers would cause session flapping and intermittent connectivity, not a consistent failure to load-balance across stable sessions.

15
MCQ · medium

Your company is deploying a multi-tier web application on Google Kubernetes Engine (GKE) with a regional cluster. You need to design network policies to allow traffic only from the frontend pods to the backend pods on port 8080. Which of the following is the most secure and recommended approach?

A. Define a Kubernetes NetworkPolicy that allows ingress to backend pods from frontend pods on port 8080.
B. Configure Private Service Connect to restrict access to backend pods.
C. Create VPC firewall rules to allow ingress from frontend pods to backend pods on port 8080.
D. Use Cloud Armor security policies to restrict traffic to backend pods.
Answer: A

NetworkPolicy is the native Kubernetes mechanism for pod-level traffic control.

Why this answer

A Kubernetes NetworkPolicy is the native and most secure way to control pod-to-pod traffic within a GKE cluster. By defining an ingress rule that allows traffic only from frontend pods (selected via pod labels) to backend pods on TCP port 8080, you enforce micro-segmentation at the pod level, which is the recommended practice for multi-tier applications. This approach works regardless of the underlying node or VPC configuration and is fully integrated with GKE's network policies engine (Calico or Cilium).

Exam trap

The trap here is that candidates often confuse VPC firewall rules (which control traffic at the node level) with Kubernetes NetworkPolicy (which controls traffic at the pod level), leading them to choose option C, even though pod IPs are ephemeral and not directly manageable via VPC firewall rules.

How to eliminate wrong answers

Option B is wrong because Private Service Connect is used to expose managed services privately to VPC networks, not to restrict pod-to-pod traffic within a cluster. Option C is wrong because VPC firewall rules operate at the node/VM level, not at the pod level, and cannot distinguish between individual pods running on the same node; they also cannot enforce label-based selection. Option D is wrong because Cloud Armor is a web application firewall (WAF) that protects external HTTP(S) load balancers, not internal pod-to-pod traffic within a GKE cluster.

16
MCQ · easy

A company is designing a VPC for a multi-tier application. The web tier must be accessible from the internet, the app tier only from the web tier, and the db tier only from the app tier. Which combination of firewall rules is appropriate?

A. Ingress allow from web to app, ingress allow from app to db, no rule for web
B. Ingress allow from 0.0.0.0/0 to web, ingress allow from web subnets to app, ingress allow from app subnets to db
C. Ingress allow from 0.0.0.0/0 to web, ingress allow from all subnets to app, ingress allow from app to db
D. Ingress allow from web to app, ingress allow from web to db, ingress allow from app to db
Answer: B

Correctly restricts access at each tier.

Why this answer

Option B is correct because it follows the principle of least privilege for a multi-tier VPC. The web tier must be accessible from the internet (0.0.0.0/0) on ingress, the app tier must only accept ingress from the web tier subnets, and the db tier must only accept ingress from the app tier subnets. This ensures that each tier is isolated and only reachable from the immediate upstream tier, which is a fundamental security best practice for multi-tier architectures in Google Cloud.

Exam trap

The trap here is that candidates often confuse 'ingress allow from web to app' with 'ingress allow from web subnets to app', forgetting that firewall rules must specify source CIDR ranges (e.g., subnet IPs) rather than just the tier name, and they may also incorrectly allow direct web-to-db access, thinking it simplifies connectivity without realizing it breaks the isolation requirement.

How to eliminate wrong answers

Option A is wrong because it lacks an ingress rule allowing traffic from the internet (0.0.0.0/0) to the web tier, making the web tier inaccessible from the internet, which violates the requirement. Option C is wrong because it allows ingress from 'all subnets' to the app tier, which would permit traffic from the db tier or other subnets to the app tier, breaking the isolation requirement that the app tier should only be reachable from the web tier. Option D is wrong because it includes an ingress rule allowing traffic from the web tier directly to the db tier, which bypasses the app tier and violates the requirement that the db tier should only be accessible from the app tier.

17
MCQ · hard

Refer to the exhibit. A VM in the default VPC with IP 10.0.0.5 is unable to receive traffic from another VM in the same VPC with IP 10.0.1.5. The firewall rule shown is in place. What is the most likely reason?

A. The source range does not include 10.0.1.5
B. The rule only allows TCP but the traffic is UDP
C. The target service account does not match the VM's service account
D. The priority is too low
Answer: C

The rule only applies to VMs with the specified service account.

Why this answer

The firewall rule shown uses a target service account, which means it applies only to VM instances that are associated with that specific service account. If the VM at 10.0.0.5 has a different service account (or no service account) than the one specified in the rule, the rule will not apply to it, and traffic will be blocked by the implicit deny-all egress/ingress firewall rules. This is the most likely reason the VM cannot receive traffic from 10.0.1.5.

Exam trap

Google Cloud often tests the distinction between target tags and target service accounts, and the trap here is that candidates assume a firewall rule with a broad source range (0.0.0.0/0) will apply to all VMs, overlooking that the target service account field restricts which VMs the rule actually applies to.

How to eliminate wrong answers

Option A is wrong because the source range in the rule is 0.0.0.0/0, which includes all IP addresses, including 10.0.1.5. Option B is wrong because, although the rule specifies 'tcp' as the protocol and UDP traffic would not match it, nothing in the exhibit or the question indicates that the traffic is UDP; the target service account mismatch is the more specific and more likely explanation. Option D is wrong because the priority is 1000, which is the default priority; while a lower numerical value means higher priority, a priority of 1000 is not 'too low' to override the implicit deny rules, and the issue is not about priority but about the rule not being applied to the VM due to the service account mismatch.

18
MCQ · easy

A company wants to connect their on-premises data center to Google Cloud using a site-to-site VPN with dynamic routing. Which protocol should they use for route exchange?

A. OSPF
B. Static routing
C. BGP
D. RIP
Answer: C

BGP is used for dynamic route exchange in Cloud VPN.

Why this answer

C is correct because Cloud VPN with dynamic routing requires BGP (Border Gateway Protocol) to exchange routes between the on-premises router and the Cloud Router. BGP is the only dynamic routing protocol supported by Google Cloud for site-to-site VPN tunnels, as it allows route advertisement, failover, and policy-based control over multiple tunnels.

Exam trap

The trap here is that candidates often assume OSPF or RIP are valid for dynamic routing in cloud VPNs because they are common in on-premises networks, but Google Cloud exclusively supports BGP for dynamic route exchange over site-to-site VPN tunnels.

How to eliminate wrong answers

Option A is wrong because OSPF is a link-state interior gateway protocol (IGP) that is not supported by Google Cloud VPN; Cloud VPN only supports BGP for dynamic route exchange. Option B is wrong because static routing does not provide dynamic route exchange; it requires manual configuration and cannot adapt to network changes or support failover across multiple tunnels. Option D is wrong because RIP is a distance-vector IGP that is not supported by Google Cloud VPN; it is outdated and lacks the scalability and policy control needed for cloud-to-on-premises connectivity.

19
MCQ · medium

A company needs to connect on-premises to GCP using Dedicated Interconnect with a 10 Gbps link, and they require high availability. They plan to use a single VLAN attachment. What is the best design?

A. Deploy two interconnects with one VLAN attachment each.
B. Deploy one interconnect with one VLAN attachment and a VPN as backup.
C. Deploy one interconnect with one VLAN attachment and use static routing.
D. Deploy two VLAN attachments on the same interconnect with separate BGP sessions.
Answer: A

This provides physical diversity and HA.

Why this answer

For high availability with Dedicated Interconnect, you need two separate physical connections (interconnects) to avoid a single point of failure. Each interconnect must have its own VLAN attachment and BGP session to ensure that if one link fails, traffic can still flow over the other. A single VLAN attachment cannot provide redundancy because it is tied to one physical interconnect.

Exam trap

Google Cloud often tests the misconception that multiple VLAN attachments on the same physical interconnect provide high availability, but in reality, they share the same physical path and single point of failure.

How to eliminate wrong answers

Option B is wrong because using a VPN as backup introduces lower bandwidth and higher latency, and does not meet the requirement for high availability with a 10 Gbps link; the VPN would be a significant bottleneck. Option C is wrong because static routing lacks the automatic failover capabilities of BGP, and a single interconnect is still a single point of failure. Option D is wrong because deploying two VLAN attachments on the same interconnect does not provide physical redundancy; if the interconnect fails, both VLAN attachments go down.

20
MCQ · medium

A company is deploying a multi-tier application on Google Cloud. The frontend tier runs in a managed instance group behind a global external HTTP(S) load balancer. The backend tier runs on Compute Engine instances in a different VPC subnet. The frontend instances must communicate with the backend instances using internal IP addresses only. Which configuration should the network engineer use?

A. Use Cloud NAT to allow the frontend to reach the backend via the internet.
B. Use an internal TCP/UDP load balancer in the backend VPC and configure the frontend to send traffic to the load balancer's internal IP.
C. Place both frontend and backend instances in the same VPC but different subnets, and use firewall rules to allow traffic.
D. Set up VPC Network Peering between the frontend VPC and the backend VPC.
Answer: D

VPC peering enables private IP communication across VPCs without requiring external IPs or gateways, meeting the requirement of internal-only communication.

Why this answer

Option D is correct because VPC Network Peering allows two separate VPC networks to communicate using internal IP addresses without traversing the internet or requiring a VPN. Since the frontend and backend are in different VPCs (implied by the need for peering), peering enables direct internal IP connectivity between the frontend instances and the backend instances, satisfying the requirement for internal-only communication.

Exam trap

The trap here is that candidates may assume placing instances in the same VPC (Option C) is the simplest solution, but the question explicitly implies the frontend and backend are in separate VPCs, making VPC Network Peering the correct choice for internal IP communication across VPCs.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used to allow outbound internet access from instances without external IPs, not for internal communication between VPCs; it would force traffic over the internet, violating the internal IP requirement. Option B is wrong because an internal TCP/UDP load balancer distributes traffic within the same VPC or across peered VPCs, but it does not establish connectivity between separate VPCs on its own; peering is still required for the frontend to reach the load balancer's internal IP. Option C is wrong because placing instances in the same VPC but different subnets would work for internal communication, but the question implies the frontend and backend are in different VPCs, so this option does not apply to the given architecture.

21
MCQ · medium

Refer to the exhibit. What is the purpose of the --enable-private-ip-google-access flag?

A. Enables the subnet to be used for Cloud VPN tunnels.
B. Allows external traffic to reach VMs using private IPs.
C. Enables Cloud NAT on this subnet.
D. Allows VMs to access Google APIs without requiring an external IP.
Answer: D

Private Google Access enables this.

Why this answer

The `--enable-private-ip-google-access` flag, when set to `true` on a subnet, allows VM instances in that subnet to reach Google APIs and services (e.g., Cloud Storage, BigQuery) using their private IP addresses, without requiring an external (public) IP. This works by routing traffic through Google's internal network to the Google API frontend, bypassing the public internet.

Exam trap

Google Cloud often tests the misconception that this flag enables Cloud NAT or provides general internet access, when in fact it only provides access to Google APIs and services, not arbitrary public IPs.

How to eliminate wrong answers

Option A is wrong because Cloud VPN tunnels are configured on the VPC network level or via a Cloud Router, not enabled by a subnet-level flag; the flag does not affect VPN functionality. Option B is wrong because external traffic cannot reach VMs using private IPs without a mechanism like a load balancer or Cloud NAT; this flag controls outbound access from VMs to Google APIs, not inbound external access. Option C is wrong because Cloud NAT is a separate resource configured on a Cloud Router, not enabled by a subnet flag; this flag provides direct private access to Google APIs, not NAT-based internet access.

22
Multi-Select · easy

Which THREE components are part of a typical Cloud Hybrid Networking architecture?

Select 3 answers
A. VPC
B. Cloud Router
C. Cloud Interconnect
D. Cloud CDN
E. Cloud VPN
Answers: B, C, E

Manages BGP sessions for dynamic routing between on-prem and GCP.

Why this answer

Cloud Router is a core component of Cloud Hybrid Networking because it enables dynamic route exchange between a GCP VPC and an on-premises network using BGP. It works with Cloud VPN or Cloud Interconnect to automatically learn and propagate routes, eliminating the need for static route management.

Exam trap

Google Cloud often tests the misconception that a VPC itself is a hybrid networking component, but candidates must remember that hybrid connectivity requires dedicated services like Cloud VPN, Cloud Interconnect, or Cloud Router to bridge the VPC with external networks.

23
Multi-Select · medium

A company needs to connect three VPC networks in separate projects (two in the same organization, one in a different organization) to each other for private IP communication. Which TWO GCP solutions should they consider? (Choose 2.)

Select 2 answers
A. Cloud Interconnect
B. VPC Network Peering hub-and-spoke topology
C. Shared VPC
D. VPC Network Peering
E. Cloud VPN with dynamic routing
Answers: B, D

Central VPC peers with all other VPCs, enabling transitive routing.

Why this answer

Option B is correct because a VPC Network Peering hub-and-spoke topology allows a central hub VPC to peer with multiple spoke VPCs, enabling transitive routing between spokes via the hub. This is necessary when VPCs are in different organizations, as VPC peering does not support transitive peering directly, but a hub-and-spoke design with explicit peering between each spoke and the hub can achieve private IP communication across organizations.

Exam trap

The trap here is that candidates confuse VPC Network Peering with Shared VPC, assuming Shared VPC can span organizations, but Shared VPC is strictly limited to projects within the same organization, while VPC peering can cross organizations.

24
MCQ · hard

A company has a VPC with a subnet in us-central1 (10.0.0.0/16) and a Cloud VPN tunnel to an on-premises network (192.168.0.0/16). They also have a static route for 0.0.0.0/0 internet gateway. On-premises traffic to 10.0.0.0/16 is working. However, traffic from a GCE instance in the VPC to an on-premises IP 192.168.1.10 is timing out. What is the most likely cause?

A. Cloud NAT is not configured for the VPC
B. Missing a custom static route in the VPC for destination 192.168.0.0/16 with next hop VPN gateway
C. The VPN tunnel is down and BGP session is not established
D. Firewall rule does not allow inbound traffic from on-premises to the instance
Answer: B

Without this route, traffic is sent to the internet instead of the VPN.

Why this answer

Option B is correct because the VPC has a default route (0.0.0.0/0) pointing to the internet gateway, but no specific route for the on-premises network (192.168.0.0/16). Without a custom static route with next hop set to the VPN gateway, traffic from the GCE instance to 192.168.1.10 will be forwarded to the internet gateway instead of the VPN tunnel, causing a timeout.

Exam trap

The trap here is that candidates assume a working VPN tunnel automatically routes traffic in both directions, but GCP requires explicit static routes for each destination network behind the VPN, even when the tunnel itself is up.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used to enable outbound internet access for private instances, not for routing traffic to on-premises networks over a VPN; the issue here is routing, not NAT. Option C is wrong because the question states that on-premises traffic to 10.0.0.0/16 is working, which confirms the VPN tunnel and BGP session are established and functional. Option D is wrong because the problem is traffic from the GCE instance to on-premises, not inbound traffic to the instance; firewall rules for inbound traffic would not affect outbound traffic initiated by the instance.

25
MCQ · medium

Your company has a VPC with two subnets: 10.0.1.0/24 in us-central1 and 10.0.2.0/24 in us-east1. They have a Cloud VPN tunnel to the on-premises data center using dynamic routing (BGP). The Cloud Router was created in the us-central1 region with default settings. On-premises hosts can successfully communicate with instances in the 10.0.1.0/24 subnet, but cannot reach instances in the 10.0.2.0/24 subnet. All instances have appropriate firewall rules allowing traffic from on-premises. The BGP session is established and routes from on-premises are received in Cloud Router. What is the most likely reason for the issue?

A. Cloud Router by default only advertises subnets in its own region.
B. The firewall rules in us-east1 are blocking incoming traffic from on-premises.
C. The BGP session is down for the us-east1 region.
D. The VPN tunnel is only configured to route traffic for us-central1.
Answer: A

Subnets outside the router's region are not advertised unless 'Advertise all subnets' is enabled.

Why this answer

Cloud Router with default settings only advertises subnets that are in the same region as the Cloud Router itself. Since the Cloud Router was created in us-central1, it only advertises the 10.0.1.0/24 subnet to the on-premises BGP peer. The 10.0.2.0/24 subnet in us-east1 is not advertised, so on-premises hosts have no route to it, even though the BGP session is up and firewall rules are correct.

Exam trap

The trap here is that candidates assume Cloud Router automatically advertises all VPC subnets, but the default regional mode restricts advertisements to the router's own region, which is a common misconfiguration in multi-region VPN designs.

How to eliminate wrong answers

Option B is wrong because the question explicitly states that appropriate firewall rules allow traffic from on-premises, so firewall blocking is not the issue. Option C is wrong because the BGP session is established and routes from on-premises are received, indicating the session is up; Cloud Router does not have per-region BGP sessions. Option D is wrong because the VPN tunnel is a single tunnel using dynamic routing (BGP), and the tunnel itself does not filter which subnets are advertised; the Cloud Router's advertisement settings control route propagation.

26
MCQ · medium

A network engineer is designing a VPC with custom subnet mode. They need to allocate IP addresses for three tiers: web (100 instances), app (200 instances), and db (50 instances). The VPC will be in the us-central1 region. Which subnet plan is most cost-effective and scalable?

A. Use one subnet per zone: us-central1-a: 10.0.0.0/22, us-central1-b: 10.0.4.0/22, us-central1-c: 10.0.8.0/22
B. Create two subnets: 10.0.1.0/24 (web+app) and 10.0.3.0/24 (db)
C. Create one subnet 10.0.0.0/20 and use network tags to isolate tiers via firewall rules
D. Create three subnets: 10.0.1.0/24 (web), 10.0.2.0/23 (app), 10.0.4.0/26 (db)
Answer: D

Adequate sizes, separate subnets provide security and flexibility.

Why this answer

Option D is correct because it allocates IP addresses efficiently for each tier: a /24 (256 IPs) for web (100 instances), a /23 (512 IPs) for app (200 instances), and a /26 (64 IPs) for db (50 instances). This minimizes wasted IP space while providing room for growth, and using separate subnets per tier allows granular firewall rules and routing. In a custom VPC, this design is both cost-effective (no over-provisioning) and scalable (each tier can expand within its subnet).

Exam trap

Google Cloud often tests the misconception that larger subnets are always better for scalability, but the trap here is that over-provisioning IPs (e.g., /22 or /20) wastes address space and can lead to higher costs or management overhead, whereas right-sizing subnets per tier with room for growth is the most cost-effective and scalable approach.

How to eliminate wrong answers

Option A is wrong because using three /22 subnets (each with 1024 IPs) across three zones wastes significant IP address space for the given instance counts, and the question does not require zonal separation for tiers; this design is not cost-effective. Option B is wrong because combining web and app into a single /24 (256 IPs) cannot support 300 total instances (100 web + 200 app) without IP exhaustion, and the db /24 is also over-provisioned for 50 instances. Option C is wrong because a single /20 subnet (4096 IPs) is massively over-provisioned for only 350 instances, and while network tags can isolate traffic, they do not provide the subnet-level segmentation needed for scalable tier management; this design wastes IPs and is not cost-effective.

27
MCQ · medium

A company uses Dedicated Interconnect to connect their on-premises data center to Google Cloud. They have enabled Private Google Access on the VPC subnet to allow on-premises hosts to access Google APIs via private IPs over the interconnect. Performance tests show that throughput to Google APIs is lower than expected, and the interconnect link utilization is below 30%. What should they do to improve throughput?

A. Reduce the MTU on the interconnect to reduce packet loss.
B. Add another Dedicated Interconnect attachment.
C. Create a Private Service Connect endpoint for Google APIs with multiple IP addresses.
D. Enable Cloud NAT to provide multiple public IPs.
Answer: C

This provides multiple IPs, avoiding per-IP limits and improving throughput.

Why this answer

Private Google Access (PGA) uses the default Internet Gateway to route traffic to Google APIs, which can lead to throughput limitations due to source NAT and flow hashing constraints. Creating a Private Service Connect (PSC) endpoint for Google APIs with multiple IP addresses allows traffic to be load-balanced across multiple endpoints, improving throughput by enabling ECMP (Equal-Cost Multi-Path) routing over the Dedicated Interconnect, thus better utilizing the available bandwidth.

Exam trap

The trap here is that candidates assume low interconnect utilization means the link is underutilized and needs more capacity (Option B), when the real issue is a lack of multipathing to the destination, which is solved by creating multiple endpoints via Private Service Connect.

How to eliminate wrong answers

Option A is wrong because reducing the MTU on the interconnect would increase overhead and potentially cause fragmentation, not improve throughput; packet loss is not indicated by low utilization. Option B is wrong because adding another interconnect attachment does not address the bottleneck at the Google API access layer; the issue is not link capacity but how traffic is routed and load-balanced to Google APIs. Option D is wrong because Cloud NAT provides outbound connectivity to the internet, not to Google APIs via private IPs, and would not improve throughput over the existing Private Google Access configuration.

28
MCQ · hard

Refer to the exhibit. What is the purpose of the IP address 169.254.0.1 assigned to the Cloud Router interface?

A. It is the public IP address of the VPN gateway.
B. It is a private IP address for BGP peering with the on-premises router.
C. It is the management IP address of the Cloud Router.
D. It is a link-local IP address used for BGP sessions between the Cloud Router and the VPN gateway.
Answer: D

BGP uses link-local addresses (169.254.x.x) for peering.

Why this answer

The IP address 169.254.0.1 falls within the 169.254.0.0/16 range, which is reserved for link-local addressing (RFC 3927). In Google Cloud, Cloud Routers use link-local addresses for BGP sessions with VPN gateways (both HA VPN and Classic VPN). This address is not routable and is used exclusively for BGP peering between the Cloud Router and the VPN gateway, ensuring that the BGP session operates over the VPN tunnel without conflicting with other IP assignments.

Exam trap

Google Cloud often tests the distinction between link-local, private, and public IP addresses, and the trap here is that candidates see 'BGP peering' and assume a private IP is used, failing to recognize that GCP specifically uses link-local addresses from the 169.254.0.0/16 range for BGP sessions with VPN gateways.

How to eliminate wrong answers

Option A is wrong because 169.254.0.1 is not a public IP address; public IPs are globally routable and assigned by an ISP or cloud provider, whereas link-local addresses are non-routable and used only on a single link. Option B is wrong because 169.254.0.1 is not a private IP address (private ranges are 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); it is a link-local address, and while it is used for BGP peering, calling it 'private' is technically incorrect and misleading. Option C is wrong because the management IP address of a Cloud Router is not 169.254.0.1; Cloud Routers are managed via the Google Cloud API and console, and their management plane does not use link-local addressing.

29
MCQ · medium

A company is planning to migrate their on-premises application to Google Cloud. The application requires consistent high bandwidth and low latency to on-premises databases. They have a Dedicated Interconnect connection with a 10 Gbps link. To improve availability, they decide to add a second Interconnect connection. Which of the following is a best practice for configuring BGP sessions?

A. Configure two BGP sessions with the same ASN and MED values
B. Configure two BGP sessions, each on a separate connection, with different ASNs and MED values to influence path selection
C. Enable ECMP across the two connections with a single BGP session
D. Use a single BGP session across both connections
Answer: B

Separate sessions with different ASNs and MED values allow for load balancing and failover.

Why this answer

Option B is correct because using different ASNs on each BGP session allows the on-premises router to treat the two Dedicated Interconnect connections as separate routing peers, enabling path selection control via MED values. This ensures that if one connection fails, traffic can be rerouted through the other, improving availability without relying on ECMP or a single session, which would not provide the desired redundancy and traffic engineering.

Exam trap

Google Cloud often tests the misconception that a single BGP session can be used across multiple physical connections, but in Google Cloud, each Dedicated Interconnect link requires its own BGP session, and using different ASNs is a best practice for path selection and redundancy.

How to eliminate wrong answers

Option A is wrong because using the same ASN and MED values on both BGP sessions would cause the on-premises router to see them as equal-cost paths, potentially leading to suboptimal load balancing or failover behavior without the ability to influence path selection. Option C is wrong because ECMP across two connections with a single BGP session is not supported; each Dedicated Interconnect connection requires its own BGP session, and ECMP would require multiple sessions with equal route metrics. Option D is wrong because a single BGP session across both connections is not possible; BGP sessions are established per VLAN attachment or per connection, and a single session cannot span multiple physical links.

30
Multi-Select · easy

Which TWO of the following are valid reasons to use a Shared VPC architecture?

Select 2 answers
A. To reduce latency by placing resources in the same region within a single VPC
B. To improve network connectivity between different organizational units without using VPN or peering
C. To prevent individual projects from creating their own VPCs and force them to use a common VPC
D. To allow a central network team to manage VPC resources while allowing application teams to deploy resources in separate projects
E. To reduce egress costs by having all resources in one VPC
Answers: C, D

Controls VPC creation via IAM.

Why this answer

Option C is correct because a Shared VPC architecture allows an organization to enforce that individual projects cannot create their own VPCs; instead, they must use a common VPC that is centrally managed. This is achieved by designating a host project that contains the shared VPC network, and attaching service projects to it, which prevents the service projects from having their own independent VPC networks.

Exam trap

Google Cloud often tests the misconception that Shared VPC reduces latency or egress costs, when in fact its primary benefits are centralized network management and policy enforcement, not performance or cost optimization.

31
MCQ · medium

A company is designing a global application that requires low-latency access to GCP services like Cloud Storage and BigQuery. They also need to minimize egress costs for traffic to the internet. Which network service tier should they choose for their GCP resources?

A. Use a CDN to reduce latency and no specific tier
B. Premium Tier for all resources
C. Premium Tier for Compute Engine instances and Standard Tier for Cloud Storage
D. Standard Tier for all resources
Answer: B

Premium Tier uses Google's global network, reduces latency, and egress costs are lower for many Google services.

Why this answer

The Premium Tier routes traffic over Google's global network backbone, providing lower latency and higher performance for accessing GCP services like Cloud Storage and BigQuery. It also minimizes egress costs to the internet by keeping traffic on Google's private network for as long as possible, reducing reliance on public transit.

Exam trap

Google Cloud often tests the misconception that Standard Tier is sufficient for global applications, but the trap here is that Standard Tier uses public internet routing, which increases both latency and egress costs, making Premium Tier the correct choice for low-latency and cost-efficient global access to GCP services.

How to eliminate wrong answers

Option A is wrong because using a CDN does not replace the need for a network service tier; the tier determines how traffic is routed to GCP resources, and a CDN is a separate optimization for content delivery. Option C is wrong because mixing Premium Tier for Compute Engine and Standard Tier for Cloud Storage would cause inconsistent routing, with Cloud Storage traffic using the public internet (higher latency and egress costs), defeating the low-latency and cost-minimization goals. Option D is wrong because Standard Tier routes traffic over the public internet, which increases latency and egress costs, making it unsuitable for a global application requiring low-latency access to GCP services.

32
Multi-Select · medium

Which THREE components are required to set up a Cloud VPN with dynamic routing (BGP) between an on-premises network and Google Cloud?

Select 3 answers
A. Cloud VPN gateway
B. Cloud Router
C. Cloud NAT
D. BGP peer on the on-premises router
E. Static routes for the remote network
Answers: A, B, D

The VPN gateway terminates the VPN tunnel on the Google Cloud side.

Why this answer

A Cloud VPN gateway is required because it acts as the Google Cloud-side endpoint for the VPN tunnel, handling the encryption and encapsulation of traffic. Without a VPN gateway, there is no secure tunnel termination point in GCP, making it impossible to establish the VPN connection.

Exam trap

The trap here is that candidates often confuse Cloud NAT as a required component for VPN connectivity, but Cloud NAT is unrelated to VPN tunnel establishment or BGP routing.

33
MCQ · easy

A startup wants to minimize costs for their development VPC. They have a few VMs that need occasional internet access for updates. What is the most cost-effective approach?

A. Use Private Google Access
B. Use Cloud NAT with a static IP
C. Use a VPN to an on-prem network for internet
D. Assign external IPs to each VM
Answer: B

Cloud NAT allows private VMs to access the internet using one or more static IPs, minimizing costs.

Why this answer

Cloud NAT with a static IP is the most cost-effective approach because it allows multiple VMs to share a single static IP address for outbound internet access, eliminating the need for individual external IPs. This reduces costs since external IP addresses incur charges, and Cloud NAT provides managed, scalable outbound connectivity without requiring a VPN or dedicated gateway.

Exam trap

Google Cloud often tests the misconception that Private Google Access (option A) provides general internet access, but it only covers Google APIs and services, not arbitrary internet destinations like update servers.

How to eliminate wrong answers

Option A is wrong because Private Google Access only enables VMs without external IPs to reach Google APIs and services, not the general internet for updates. Option C is wrong because using a VPN to an on-prem network for internet access introduces additional latency, complexity, and costs (VPN gateway, traffic egress) without benefit if the on-prem network is not already used. Option D is wrong because assigning external IPs to each VM incurs per-IP charges and increases the attack surface, making it less cost-effective than a shared NAT solution.

34
MCQ · medium

A company is designing a hybrid network architecture to connect their on-premises data center to Google Cloud. They need high availability and bandwidth up to 10 Gbps. Which connectivity option should they choose?

A. VPN with Cloud Router
B. Direct Peering
C. Dedicated Interconnect with a single connection
D. Partner Interconnect with redundant connections
Answer: D

Partner Interconnect supports up to 10 Gbps and can be deployed with redundant connections for high availability.

Why this answer

Option D is correct because the requirement for high availability (redundancy) and bandwidth up to 10 Gbps is best met by Partner Interconnect with redundant connections. Partner Interconnect supports bandwidths from 50 Mbps to 10 Gbps and allows you to connect through a supported service provider, while redundant connections ensure failover and meet the high-availability requirement. Dedicated Interconnect offers up to 10 Gbps per circuit but requires two separate connections for high availability, not a single connection.

Exam trap

The trap here is that candidates often take 'Dedicated Interconnect with a single connection' as sufficient for high availability, but the exam tests that a single physical circuit is a single point of failure: high availability requires at least two redundant connections, which is exactly what 'Partner Interconnect with redundant connections' provides.

How to eliminate wrong answers

Option A is wrong because a Cloud VPN tunnel carries about 3 Gbps (ingress and egress combined, after IPsec overhead); reaching 10 Gbps would mean bundling several tunnels with ECMP, and a VPN over the internet carries no bandwidth or latency guarantee comparable to a dedicated physical connection. Option B is wrong because Direct Peering connects your network to Google's edge for reaching Google's public services (Google Workspace, public APIs), not your VPC; it carries no SLA and is not a hybrid connectivity product, so it cannot satisfy the requirement regardless of port speed. Option C is wrong because Dedicated Interconnect with a single connection provides 10 Gbps or 100 Gbps per circuit, but one circuit is a single point of failure; Google's SLA-backed topologies require at least two connections in separate edge availability domains.

35
MCQhard

A company is experiencing asymmetric routing between their VPC and on-premises network over two Cloud VPN tunnels with different BGP sessions. Some traffic from GCP to on-premises is dropped by firewall stateful inspection on-premises. What is the most likely cause?

A.BGP keepalive timers are set too low, causing session flapping.
B.The MTU is mismatched between the tunnels.
C.The on-premises router is not receiving the VPC routes via BGP.
D.Traffic is taking one tunnel for outbound and the other for return, causing stateful firewall to drop packets.
AnswerD

Asymmetric paths break stateful firewalls that expect return traffic on same interface.

Why this answer

The most likely cause is asymmetric routing: outbound traffic from GCP to on-premises takes one VPN tunnel while return traffic takes the other. A stateful firewall creates a session entry when it sees the first packet of a connection (the TCP SYN) and afterwards admits only packets that match an existing session. If return packets arrive on a different tunnel interface, or at a second firewall instance that never saw the SYN and does not share session state, they match no session and are dropped. This is the classic symptom of two tunnels with independent BGP sessions where the two sides make different path choices (for example, Cloud Router spreading flows across both tunnels with ECMP while the on-premises router prefers one of them).

Exam trap

The trap here is that candidates often confuse asymmetric routing with route propagation failures or MTU issues, but the key clue is 'stateful firewall inspection' dropping traffic, which directly points to a session state mismatch caused by different paths for forward and return traffic.

How to eliminate wrong answers

Option A is wrong because BGP keepalive timers set too low would cause session flapping, not asymmetric routing; flapping would result in intermittent connectivity, not a consistent one-way drop. Option B is wrong because MTU mismatch typically causes fragmentation issues or packet loss, not stateful firewall drops due to asymmetric paths; it would manifest as connectivity failures for large packets, not a directional traffic drop. Option C is wrong because if the on-premises router were not receiving VPC routes via BGP, traffic from on-premises to GCP would fail entirely, not just be dropped by the firewall on return; the question states traffic is dropped by firewall inspection, implying routes are present.

36
MCQmedium

A company has a VPC with subnets in us-east1 and europe-west1. They need low-latency communication between instances in these regions using private IPs only. Which solution should they use?

A.Use Cloud VPN to connect the regions.
B.Use Cloud Interconnect to connect the regions.
C.Use VPC Network Peering between the two regional subnets.
D.Use a Global VPC (default VPC mode).
AnswerD

Global VPC provides automatic cross-region routing.

Why this answer

Every VPC network in Google Cloud is a global resource: subnets are regional, but the VPC's subnet routes let instances in any region reach one another over internal IP addresses across Google's private backbone with no VPN or peering configuration. That built-in behaviour is what option D's 'default VPC mode' refers to. It should not be confused with the dynamic routing mode setting (regional or global), which only governs whether Cloud Router propagates routes learned from BGP peers to every region; subnet-to-subnet reachability within a VPC never depends on it.

Exam trap

The trap here is that candidates often confuse VPC Network Peering (which connects separate VPCs) with the native inter-region communication within a single Global VPC, leading them to select option C instead of recognizing that a Global VPC already provides private IP connectivity across regions.

How to eliminate wrong answers

Option A is wrong because Cloud VPN builds IPsec tunnels between a VPC and an external network; between two subnets of the same VPC it is unnecessary, adds tunnel and encryption overhead, and cannot even be configured against a subnet. Option B is wrong because Cloud Interconnect provides dedicated connectivity between an on-premises network and a VPC, not between regions of the same VPC. Option C is wrong because VPC Network Peering connects two separate VPC networks, not subnets within one; subnets of the same VPC already have routes to each other, so there is nothing to peer.

37
MCQeasy

Based on the exhibit, what is the purpose of Cloud Router's BGP configuration?

A.To advertise the VPC's IP range to the on-premises network.
B.To load balance traffic across multiple VPN tunnels.
C.To receive a default route from the on-premises network.
D.To advertise a default route to the on-premises network.
AnswerA

Cloud Router advertises 10.0.0.0/16 to on-premises.

Why this answer

Cloud Router uses BGP to dynamically exchange routes between a VPC network and an on-premises network over a VPN tunnel or Dedicated Interconnect. In this configuration, the purpose is to advertise the VPC's IP range (the custom or auto-mode subnet CIDR) to the on-premises router, enabling on-premises hosts to route traffic back to the VPC. This is achieved by configuring the Cloud Router with a BGP session and setting the advertised route for the VPC's IP range.

Exam trap

Google Cloud often tests the misconception that Cloud Router's primary function is to load balance traffic or receive default routes, but the core purpose is to dynamically advertise and learn specific IP prefixes via BGP for hybrid connectivity.

How to eliminate wrong answers

Option B is wrong because Cloud Router does not forward or balance traffic; it runs the BGP sessions and programs the learned routes into the VPC. When two tunnels learn the same prefix at the same priority, the VPC's routing spreads flows across them (ECMP), but that is a property of VPC routing, not a Cloud Router function. Option C is wrong because, although Cloud Router can learn a default route from the on-premises network, the exhibit shows the VPC's IP range being advertised, not a route being received. Option D is wrong because Cloud Router can advertise a default route (0.0.0.0/0) to on-premises if it is added as a custom advertised range, but the exhibit's purpose is to advertise the VPC's specific prefix, not a default route.

38
MCQeasy

A network engineer needs to design a VPC network for a global application that will have Compute Engine instances in multiple regions. The instances need to communicate with each other using internal IP addresses. What is the simplest way to enable this communication?

A.Use Dedicated Interconnect to connect regions.
B.Use Cloud VPN to connect the instances.
C.Create a single VPC network with subnets in each region.
D.Create separate VPC networks per region and peer them.
AnswerC

A global VPC network inherently provides internal connectivity across regions.

Why this answer

A single VPC network is global and can contain subnets in any region. By placing subnets in each required region within the same VPC, instances can communicate using internal IP addresses (RFC 1918) without any additional connectivity services. This is the simplest and most scalable approach because VPCs inherently provide global routing between subnets.

Exam trap

The trap here is that candidates may overcomplicate the solution by thinking inter-region communication requires explicit connectivity services like VPN or peering, when in fact a single global VPC network provides this natively.

How to eliminate wrong answers

Option A is wrong because Dedicated Interconnect is a hybrid connectivity service for connecting on-premises networks to GCP, not for enabling inter-region communication within GCP. Option B is wrong because Cloud VPN is also a hybrid connectivity solution for connecting external networks to GCP; using it to connect instances within the same cloud would add unnecessary complexity and latency. Option D is wrong because peering separate VPC networks per region would require explicit peering configurations and does not provide the automatic, global routing that a single VPC offers, making it more complex and less efficient.

39
Multi-Selectmedium

Which TWO of the following are valid methods to reduce latency between users in Europe and a GCP-hosted application?

Select 2 answers
A.Establish a Cloud VPN tunnel to the user's ISP.
B.Use Cloud CDN to cache content at edge locations.
C.Use Premium Tier networking instead of Standard Tier.
D.Use Cloud NAT for outbound traffic.
E.Deploy Compute Engine instances in a European region.
AnswersB, E

Brings content closer to users.

Why this answer

Cloud CDN uses Google's globally distributed edge caches to serve content from locations closer to users, reducing round-trip time and latency. For users in Europe, cached static or dynamic content is delivered from a nearby edge PoP, bypassing the need to fetch from the origin server in a potentially distant region.

Exam trap

Google Cloud often tests the misconception that Premium Tier networking alone reduces latency for end users, but the real latency reduction comes from deploying resources in the same continent as the users (Option E) or using CDN edge caching (Option B), not just the network tier.

40
Multi-Selecthard

Which THREE of the following are required to set up a highly available Cloud VPN with dynamic routing? (Choose THREE.)

Select 3 answers
A.A Cloud Router with BGP configured for each tunnel.
B.Two Cloud VPN gateways in different regions.
C.Redundant on-premises VPN gateways.
D.Two VPN tunnels from each gateway to the on-premises router.
E.A unique external IP address for each VPN gateway.
AnswersA, B, E

Cloud Router handles dynamic routing via BGP.

Why this answer

A is correct because Cloud VPN with dynamic routing requires a Cloud Router with BGP configured for each tunnel. BGP enables the exchange of routes between the on-premises network and Google Cloud, allowing automatic failover and route propagation. Without BGP, dynamic routing cannot function, and the VPN would rely on static routes, which do not support high availability.

Exam trap

The trap here is the shape of HA VPN itself: an HA VPN gateway is a regional resource with two interfaces, each of which is assigned its own external IP address automatically, and Google's 99.99% availability SLA depends on a tunnel on each interface with a Cloud Router BGP session per tunnel. On-premises redundancy (two peer devices, or one device with two interfaces) is what that SLA requires on the far side; it is not a Google Cloud-side setting. A second gateway in another region adds regional redundancy on top of HA VPN rather than replacing the two-interface, two-tunnel design of each gateway.

41
MCQhard

A company is deploying a global HTTP load balancer with a backend service that spans multiple regions. The backend instances are in a managed instance group. They want to use Cloud CDN to cache content. What is the minimal set of configurations required on the backend bucket or instance group to enable Cloud CDN?

A.Configure Identity-Aware Proxy (IAP) on the backend service to allow cache
B.Use the gcloud compute backend-services update command with the --enable-cdn flag on the load balancer itself
C.Enable Cloud CDN on the backend service and ensure that the load balancer's frontend uses HTTP or HTTPS protocol
D.Create a Cloud Storage bucket with public access and set it as the backend
AnswerC

Cloud CDN is enabled at the backend service level; protocol must be HTTP(S).

Why this answer

Cloud CDN must be enabled on the backend service of the HTTP(S) load balancer, and the frontend must use HTTP or HTTPS because Cloud CDN only supports HTTP(S) protocols. This is the minimal configuration; no changes to the backend bucket or instance group are required beyond ensuring the backend service is correctly associated with the load balancer.

Exam trap

Google Cloud often tests the misconception that Cloud CDN requires a Cloud Storage bucket or that it can be enabled on the load balancer itself rather than on the backend service, leading candidates to select options that involve bucket creation or incorrect command syntax.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) is an authentication and authorization layer that does not affect caching; enabling IAP neither allows nor enables Cloud CDN. Option B is wrong because the --enable-cdn flag is applied to the backend service, not to the load balancer itself; the command is gcloud compute backend-services update BACKEND_SERVICE_NAME --enable-cdn --global, which sets the backend service's enableCDN field, and there is no load balancer object on which to enable it. Option D is wrong because creating a Cloud Storage bucket with public access is not required; Cloud CDN can be enabled on a backend service whose backend is a managed instance group, and a backend bucket is only one possible backend type.

42
MCQmedium

An organization has Compute Engine instances in a VPC without external IP addresses. They need to allow these instances to access Google Cloud Storage buckets but not the internet. What should they configure?

A.Enable Private Google Access on the subnets where the instances reside.
B.Set up Cloud NAT and configure a firewall rule to allow egress to Google Cloud Storage IP ranges.
C.Peer the VPC with the Google Cloud Storage service VPC.
D.Create an egress firewall rule allowing traffic to 0.0.0.0/0 and a route to the default internet gateway.
AnswerA

Allows instances to reach Google APIs and services using internal IPs.

Why this answer

Private Google Access lets Compute Engine instances that have only internal IP addresses reach Google APIs and services, including Cloud Storage, without an external IP or NAT. Traffic to the API endpoints follows the VPC's default route to the default internet gateway but stays on Google's network; the setting does not enable access to any non-Google destination, so the instances get Cloud Storage and nothing else, which is exactly what is required. It is enabled per subnet and also relies on a route to the API endpoints (the default route suffices) and an egress firewall rule that permits the traffic (the implied allow-egress rule suffices unless a deny rule has been added).

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for outbound access to Google APIs, but Private Google Access is the correct mechanism for instances without external IPs to access Google services while blocking general internet traffic.

How to eliminate wrong answers

Option B is wrong because Cloud NAT would provide outbound connectivity to the internet, which is explicitly not allowed, and it would also require a default route to the internet gateway, defeating the restriction. Option C is wrong because Google Cloud Storage does not expose a VPC that can be peered; it is a global service accessed via API endpoints, not through VPC peering. Option D is wrong because allowing traffic to 0.0.0.0/0 with a route to the default internet gateway would grant full internet access, which violates the requirement to block internet access.

43
MCQmedium

A company is migrating its on-premises data center to Google Cloud. They currently have a Cloud VPN tunnel with dynamic routing (BGP) connecting their on-premises router (ASN 65001) to a Cloud Router in us-central1 (ASN 64512). The on-premises network uses IP range 10.0.0.0/8, and the Google Cloud VPC uses 172.16.0.0/12. After migration, they notice intermittent connectivity issues: traffic from on-premises to a new VM (172.16.1.2) is sometimes dropped, while other VMs in the same subnet work fine. The VM 172.16.1.2 is fine when accessed from other Google Cloud VMs. The team suspects asymmetric routing. Investigation shows that the on-premises router receives two routes for 172.16.1.2/32: one with next-hop as the Cloud VPN tunnel and another with next-hop as the internet (default route). No custom route advertisements are configured on the Cloud Router. The VPC has a default route (0.0.0.0/0) pointing to the internet gateway. What should the network engineer do to resolve the issue without breaking other connectivity?

A.Configure an inbound route filter on the Cloud Router to reject the BGP route 0.0.0.0/0 from the on-premises router.
B.Enable global routing on the VPC and create a more specific static route for 172.16.1.2/32 with next-hop as the VPN tunnel.
C.Create a second Cloud VPN tunnel from a different region and establish a new BGP session to load balance traffic.
D.Change the Cloud Router's BGP advertise-mode to 'custom' and advertise only the subnets that contain migrated VMs.
AnswerA

This prevents the on-premises router from injecting a default route, eliminating the asymmetric routing issue.

Why this answer

The intermittent connectivity to 172.16.1.2 is caused by asymmetric routing: on-premises traffic reaches the VM over the BGP-learned /32 route through the tunnel, but the VM's return traffic matches the VPC's default route (0.0.0.0/0) to the default internet gateway, which cannot deliver packets to a private on-premises destination and drops them. The on-premises router selects routes by longest-prefix match, so the /32 normally beats the default route; the drops appear only while the competing default route is in play, which is what makes the symptom intermittent. Rejecting the 0.0.0.0/0 advertisement on the Cloud Router removes that competing default route, so both directions stay on the tunnel and the path is symmetric again.

Exam trap

The trap here is that candidates focus on the on-premises router's routing table (the /32 route) and assume the issue is on-premises, but the real problem is the VPC's default route causing asymmetric return traffic, which is resolved by filtering the BGP advertisement of 0.0.0.0/0 from the Cloud Router to the on-premises router.

How to eliminate wrong answers

Option B is wrong because enabling global routing does not affect route selection for a single VM, and creating a static route for 172.16.1.2/32 with next-hop as the VPN tunnel would not fix the root cause—the on-premises router already has a more specific /32 route via BGP, and the issue is the default route on the VPC side causing asymmetric return traffic. Option C is wrong because adding a second VPN tunnel from a different region does not address the asymmetric routing problem; it would only provide additional paths without resolving the conflicting default route. Option D is wrong because changing the Cloud Router's advertise-mode to 'custom' and advertising only subnets would not prevent the on-premises router from receiving the default route (0.0.0.0/0) from the VPC, which is the source of the asymmetric routing; the issue is inbound filtering on the Cloud Router, not outbound advertisement.

44
MCQhard

A financial company requires encrypted traffic between on-premise and GCP. They have strict compliance requiring that encryption keys are managed on-premise and rotated every 30 days. Which connectivity solution should they use?

A.Cloud VPN with certificate-based authentication using on-prem CA
B.Cloud Interconnect with MACsec
C.Cloud VPN with IKEv2 and pre-shared keys
D.Cloud Interconnect with VLAN attachments
E.Partner Interconnect with a service provider that supports MACsec
AnswerB

MACsec provides encryption with customer-managed keys, easily rotated.

Why this answer

B is correct because Cloud Interconnect traffic is not encrypted by default, and MACsec for Cloud Interconnect (IEEE 802.1AE) adds Layer 2 encryption on the Dedicated Interconnect link between the on-premises router and Google's edge. The customer generates the MACsec connectivity association key (CAK) and its key name (CKN), configures the same pair on its own router and on the Interconnect, and can stage additional keys with start times to rotate on a 30-day schedule, so key material and rotation remain under the customer's control. Interconnect keeps the low latency and high bandwidth of a dedicated circuit, which a VPN cannot match.

Exam trap

Google Cloud often tests the distinction between Layer 2 encryption (MACsec on Interconnect) and Layer 3 encryption (IPsec on Cloud VPN); the trap is assuming that some Cloud VPN variant can satisfy the key-management requirement. Cloud VPN authenticates only with an IKE pre-shared key that is stored by Google as well as on-premises, and the IPsec session keys are negotiated by IKE on Google's gateway, so the customer never holds the data-plane keys exclusively on-premises.

How to eliminate wrong answers

Option A is wrong because Cloud VPN does not support certificate-based authentication at all; tunnels authenticate only with IKE pre-shared keys, and the IPsec session keys are derived by IKE on both gateways rather than held on-premises. Option C is wrong because an IKEv2 pre-shared key is a shared secret that Google stores too, and rotating it means updating (or recreating) the tunnel on both ends, so it neither keeps key management on-premises nor rotates on its own. Option D is wrong because a VLAN attachment on Cloud Interconnect provides connectivity without any encryption; the customer would have to add encryption separately, which the option does not include. Option E is wrong because MACsec for Cloud Interconnect is offered on Dedicated Interconnect; on Partner Interconnect the physical link terminates at the service provider, so any MACsec session would cover only the customer-to-provider hop, with keys shared with the provider, rather than an end-to-end link to Google whose keys the customer alone manages.

45
MCQeasy

A company wants to connect on-premise to GCP via Cloud VPN with dynamic routing. They have two on-prem routers for redundancy. Which configuration ensures automatic failover?

A.Create two VPN tunnels each with static routes pointing to the other router
B.Create one VPN tunnel with BGP and two interfaces
C.Create two VPN tunnels using Cloud Router with BGP and the same ASN
D.Create two VPN tunnels with BGP but different ASNs on each tunnel
AnswerC

This allows BGP to automatically fail over traffic if one peer goes down.

Why this answer

Option C is correct because two VPN tunnels, each with a Cloud Router BGP session to one of the on-premises routers, give the VPC two BGP-learned paths to the same on-premises prefixes. When both routers advertise those prefixes with the same priority (MED) under the same ASN, Cloud Router installs equal-cost routes over both tunnels; when one BGP session drops, its routes are withdrawn and traffic shifts to the remaining tunnel with no manual intervention. Failover time is bounded by the BGP hold timer, or by BFD if it is enabled on the Cloud Router sessions.

Exam trap

The trap here is that candidates think different ASNs add redundancy. Redundancy comes from two tunnels with two BGP sessions that advertise the same prefixes at equal priority, so that Cloud Router can use both paths and withdraw the failed one; a single on-premises ASN shared by both routers keeps the two paths symmetric and presents the site as one autonomous system, which is the conventional layout for a redundant pair.

How to eliminate wrong answers

Option A is wrong because static routes do not react to a tunnel failure; traffic keeps being sent into the dead tunnel until someone changes the route or an external health check removes it. Option B is wrong because one tunnel is one point of failure; a second interface does not help when the tunnel itself is down. Option D is wrong because giving each tunnel a different ASN makes the two on-premises routers look like two separate autonomous systems rather than a redundant pair for one site; it adds nothing to failover, which depends on equal-priority advertisements and route withdrawal, and it complicates route selection and on-premises routing policy.

46
Multi-Selecteasy

A company is designing a hybrid network with Cloud VPN. Which TWO best practices should they follow? (Choose TWO.)

Select 2 answers
A.Use a VPN tunnel per subnet.
B.Use static routes for simplicity.
C.Use pre-shared keys for authentication.
D.Use BGP with Cloud Router for dynamic routing.
E.Use a single VPN tunnel for all traffic.
AnswersC, D

Pre-shared keys are the only IKE authentication method Cloud VPN supports.

Why this answer

Pre-shared keys (PSKs) are the IKE authentication method Cloud VPN uses; there is no certificate option. The practical part of this best practice is key hygiene: generate a strong random key (Google's documentation suggests openssl rand -base64 24), use a different key per tunnel, and keep it in a secrets store rather than in scripts or tickets.

Exam trap

The trap here is that candidates often assume static routes are simpler and therefore better for hybrid networks, but the PCNE exam emphasizes dynamic routing (BGP) for reliability and scalability, and they may also overlook the need for multiple tunnels for redundancy.

47
MCQmedium

A company plans to connect an on-premises network to Google Cloud using HA VPN with dynamic routing (BGP). The on-premises side supports BGP and has two independent routers for redundancy. The company wants to ensure failover within seconds if one tunnel goes down. Which configuration meets this requirement?

A.Create two Cloud VPN gateways in different regions, each with a tunnel to a different on-premises router, and configure a separate Cloud Router on each gateway with BGP.
B.Create two VPN tunnels from one Cloud VPN gateway to both on-premises routers, and configure one Cloud Router with active/passive BGP.
C.Create two Cloud VPN gateways in the same region, each with a tunnel to a different on-premises router, and use static routing with route metrics for failover.
D.Create two VPN tunnels from one Cloud VPN gateway to both on-premises routers, and configure a single Cloud Router with BGP.
AnswerA

Regional redundancy plus independent BGP sessions enable fast failover via BGP route withdrawals and advertisements.

Why this answer

Option A is correct because two Cloud VPN gateways in different regions, each with its own Cloud Router, provide true regional redundancy. If one gateway or its tunnel fails, the BGP session on the other gateway stays up and Google Cloud routes traffic over the surviving path. This meets the failover-within-seconds requirement because BGP withdraws the failed path as soon as the session drops; with BFD enabled on the Cloud Router sessions, detection takes seconds rather than waiting out the BGP hold timer, and there is no single point of failure at the gateway level.

Exam trap

The trap here is that candidates assume multiple tunnels from one gateway are enough, overlooking that every tunnel on an HA VPN gateway shares that gateway's region: the gateway is regional, not zonal, so a regional outage takes down all of its tunnels. Keep in mind that a single HA VPN gateway does have two interfaces with separate external IPs and carries a 99.99% availability SLA when a tunnel is built on each; option A adds cross-region redundancy on top of that.

How to eliminate wrong answers

Option B is wrong because a single Cloud VPN gateway leaves a regional single point of failure, and 'active/passive BGP' is not a Cloud Router session setting; Cloud Router treats every session as active and an active/standby layout is produced with route priorities. Option C is wrong because static routes with metrics do not withdraw themselves when a tunnel dies; only BGP through Cloud Router (optionally with BFD) detects the failure and reroutes within seconds. Option D is wrong in this question's terms because both tunnels live on one regional gateway, so a regional failure removes both tunnels and their BGP sessions at once; it is otherwise the standard HA VPN deployment, and the difference from option A is regional redundancy.
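The two behaviours the explanations above rely on, asymmetric paths breaking stateful inspection (questions 35 and 43) and BGP route withdrawal moving traffic to the surviving tunnel (questions 45 and 47), in one runnable model. This is an added example written for this page, not code from Google or any vendor. Everything in it is constructed: the addresses, the two tunnels t1 and t2, a firewall per on-premises tunnel interface with no session sharing, and the hashing used to spread flows across equal-priority routes. Cloud Router's behaviour is reduced to "lowest priority wins, ties are ECMP, a dropped session withdraws its route", which is the part of its route selection that matters here.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed topology (not a real deployment): VPC 172.16.0.0/12 connects
# to on-prem 10.0.0.0/8 over two HA VPN tunnels. Each tunnel terminates on
# its own on-prem stateful firewall and the two firewalls do not share
# session state, which is the failure mode behind questions 35 and 43.
VPC_VM = "172.16.1.2"
ONPREM_SERVER = "10.0.0.5"
TUNNELS = ("t1", "t2")

FlowKey = Tuple[str, str, int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool = False  # the first SYN of a TCP connection


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.sport, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    return (p.dst, p.src, p.dport, p.sport)


class BgpRouter:
    """Egress selection as a BGP speaker does it: the lowest-priority (MED)
    route wins; equal priorities are ECMP and each flow is hashed onto one
    of the tied tunnels. Withdrawing a tunnel models its BGP session dropping."""

    def __init__(self, name: str, tunnel_priority: Dict[str, int]):
        self.name = name
        self.tunnel_priority = dict(tunnel_priority)

    def select_tunnel(self, p: Packet) -> str:
        best = min(self.tunnel_priority.values())
        tied = sorted(t for t, pr in self.tunnel_priority.items() if pr == best)
        digest = hashlib.sha256(repr(flow_key(p)).encode()).digest()
        return tied[digest[0] % len(tied)]

    def withdraw(self, tunnel: str) -> None:
        del self.tunnel_priority[tunnel]


class StatefulFirewall:
    """Stateful inspection on one tunnel interface: only a SYN creates a
    session; every other packet must match a session in either direction."""

    def __init__(self, name: str):
        self.name = name
        self.sessions: Set[FlowKey] = set()
        self.dropped: List[Packet] = []

    def inspect(self, p: Packet) -> bool:
        if flow_key(p) in self.sessions or reverse_key(p) in self.sessions:
            return True
        if p.syn_only:
            self.sessions.add(flow_key(p))
            return True
        self.dropped.append(p)
        return False


def run_handshakes(vpc: BgpRouter, onprem: BgpRouter, flows: int) -> Dict[str, int]:
    """SYN / SYN-ACK / ACK for `flows` connections from the VPC VM to the on-prem
    server. The VPC side picks the tunnel for VPC->on-prem packets, the on-prem
    side picks it for the reply; each packet is inspected by the firewall on
    the tunnel it traverses."""
    firewalls = {t: StatefulFirewall(f"fw-{t}") for t in TUNNELS}
    result = {"completed": 0, "dropped": 0}
    for i in range(flows):
        sport = 40000 + i
        syn = Packet(VPC_VM, ONPREM_SERVER, sport, 443, syn_only=True)
        synack = Packet(ONPREM_SERVER, VPC_VM, 443, sport)
        ack = Packet(VPC_VM, ONPREM_SERVER, sport, 443)
        ok = firewalls[vpc.select_tunnel(syn)].inspect(syn)
        ok = ok and firewalls[onprem.select_tunnel(synack)].inspect(synack)
        ok = ok and firewalls[vpc.select_tunnel(ack)].inspect(ack)
        result["completed" if ok else "dropped"] += 1
    return result


def asymmetric_ecmp(flows: int = 64) -> Dict[str, int]:
    """Equal priorities on both sides, hashed independently: roughly half of
    the replies come back through the firewall that never saw the SYN."""
    vpc = BgpRouter("cloud-router", {"t1": 100, "t2": 100})
    onprem = BgpRouter("onprem-router", {"t1": 100, "t2": 100})
    return run_handshakes(vpc, onprem, flows)


def symmetric_active_standby(fail_t1: bool = False, flows: int = 64) -> Dict[str, int]:
    """Both sides prefer t1 and keep t2 as standby (Cloud Router: advertised
    route priority per BGP session; on-prem: the MED it sends). Withdrawing
    t1 on both sides models that tunnel's BGP session going down."""
    vpc = BgpRouter("cloud-router", {"t1": 100, "t2": 200})
    onprem = BgpRouter("onprem-router", {"t1": 100, "t2": 200})
    if fail_t1:
        vpc.withdraw("t1")
        onprem.withdraw("t1")
    return run_handshakes(vpc, onprem, flows)


if __name__ == "__main__":
    print("ECMP, independent hashing:", asymmetric_ecmp())
    print("active/standby aligned:   ", symmetric_active_standby())
    print("after t1 withdrawn:       ", symmetric_active_standby(fail_t1=True))
```

Running it prints three lines: with equal priorities on both sides roughly half the handshakes fail, because the reply hashes onto the firewall that never saw the SYN; with both sides preferring t1 every handshake completes; and after t1 is withdrawn on both sides every handshake still completes over t2. The production fix is the same alignment: set the advertised route priority per BGP session on Cloud Router and the MED on the on-premises router so both sides agree on the active tunnel, or share session state between the two firewalls.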

48
MCQhard

An organization wants to implement a hub-and-spoke network topology in Google Cloud using VPC Network Peering. The hub VPC hosts shared services and the spoke VPCs host application workloads. They need to ensure that spokes can communicate with each other through the hub. Which additional configuration is required?

A.Configure a managed VPN between the hub and each spoke, and enable dynamic routing
B.Enable 'Export custom routes' on the hub VPC and 'Import custom routes' on the spoke VPCs
C.Use a shared VPC instead of VPC Network Peering
D.Create a peering connection between each pair of spokes
AnswerA

Using a managed VPN with dynamic routing (e.g., Cloud Router with BGP) allows the hub to advertise routes between spokes.

Why this answer

VPC Network Peering is not transitive: a VPC receives its peer's subnet routes (and, with export and import enabled, the peer's static and dynamic routes), but never routes the peer itself obtained from another peering, so spoke A has no route to spoke B through the hub. Cloud VPN between the hub and each spoke with Cloud Router BGP changes this: each spoke advertises its ranges to the hub, the hub's Cloud Router advertises the other spokes' ranges back out (for example with a custom route advertisement covering the spoke address space), and the hub VPC forwards between its tunnels, which achieves transitive routing.

Exam trap

The trap here is that candidates assume exporting/importing custom routes (Option B) can enable transitive routing, but VPC Network Peering explicitly forbids transitive routing regardless of route propagation settings.

How to eliminate wrong answers

Option B is wrong because exporting and importing custom routes only propagates static and dynamically learned routes between two directly peered VPCs; routes that the hub received from its peering with spoke B are not custom routes and are never re-exported to spoke A, so peering stays non-transitive. Option C is wrong because Shared VPC is one VPC whose subnets are administered by a host project and used by service projects; it involves no peering at all, and moving the spokes into it removes the per-VPC isolation the design calls for rather than adding transitive routing between separate VPCs. Option D is wrong because peering every pair of spokes creates a full mesh, not a hub-and-spoke topology; it bypasses the hub, so traffic is no longer routed through it for inspection or policy, and the number of peerings grows with every spoke added.
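A route-table model that makes the non-transitivity concrete, added here as example code for this page (not a Google tool). The three VPCs, their ranges and the hub's 10.0.0.0/8 custom advertisement are constructed assumptions; the rules encoded are the ones in the explanation above: peering always exchanges subnet routes, exchanges static and Cloud Router learned routes only when export and import are both set, and never re-exports routes learned from another peering, whereas a VPC forwards between HA VPN tunnels according to its dynamic routes.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# (kind, next-hop VPC): kind is "subnet", "peering" or "vpn"
Route = Tuple[str, str]


@dataclass
class Vpc:
    name: str
    subnets: List[IPv4Network]
    # peer VPC name -> (export_custom_routes, import_custom_routes) as set on THIS side
    peerings: Dict[str, Tuple[bool, bool]] = field(default_factory=dict)
    # prefixes this VPC's Cloud Router learned over HA VPN: prefix -> next-hop VPC
    dynamic_routes: Dict[IPv4Network, str] = field(default_factory=dict)


def routing_table(vpcs: Dict[str, Vpc], name: str) -> Dict[IPv4Network, Route]:
    """Effective route table of one VPC: its own subnets, what its Cloud Router
    learned, and what each peering is allowed to offer."""
    me = vpcs[name]
    table: Dict[IPv4Network, Route] = {s: ("subnet", name) for s in me.subnets}
    for prefix, via in me.dynamic_routes.items():
        table[prefix] = ("vpn", via)
    for peer_name, (_, import_custom) in me.peerings.items():
        peer = vpcs[peer_name]
        peer_exports = peer.peerings[name][0]
        # Subnet routes are always exchanged between the two peered networks.
        for s in peer.subnets:
            table[s] = ("peering", peer_name)
        # Static and Cloud Router learned routes cross only with export + import.
        if import_custom and peer_exports:
            for prefix in peer.dynamic_routes:
                table[prefix] = ("peering", peer_name)
        # Deliberately absent: anything the peer learned from ITS other peerings.
        # VPC Network Peering never re-exports those; that is the non-transitivity.
    return table


def lookup(table: Dict[IPv4Network, Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match."""
    matches = [p for p in table if dst in p]
    return table[max(matches, key=lambda p: p.prefixlen)] if matches else None


def trace(vpcs: Dict[str, Vpc], src: str, dst: str, max_hops: int = 8) -> Optional[List[str]]:
    """Follow next hops from VPC `src` toward address `dst`; None if some hop has no route."""
    target = ip_address(dst)
    here, path = src, [src]
    for _ in range(max_hops):
        route = lookup(routing_table(vpcs, here), target)
        if route is None:
            return None
        kind, nxt = route
        if kind == "subnet":
            return path
        here = nxt
        path.append(nxt)
    return None


def peering_hub_and_spoke(custom_routes: bool) -> Dict[str, Vpc]:
    """Constructed hub-and-spoke built only on VPC Network Peering."""
    flags = (custom_routes, custom_routes)
    hub = Vpc("hub", [ip_network("10.0.0.0/24")], {"spoke-a": flags, "spoke-b": flags})
    a = Vpc("spoke-a", [ip_network("10.1.0.0/24")], {"hub": flags})
    b = Vpc("spoke-b", [ip_network("10.2.0.0/24")], {"hub": flags})
    return {v.name: v for v in (hub, a, b)}


def vpn_hub_and_spoke() -> Dict[str, Vpc]:
    """Constructed hub-and-spoke on HA VPN + Cloud Router BGP. Assumed: each
    spoke advertises its subnet to the hub, and the hub Cloud Router uses a
    custom route advertisement of 10.0.0.0/8 toward every spoke."""
    aggregate = ip_network("10.0.0.0/8")
    hub = Vpc("hub", [ip_network("10.0.0.0/24")],
              dynamic_routes={ip_network("10.1.0.0/24"): "spoke-a",
                              ip_network("10.2.0.0/24"): "spoke-b"})
    a = Vpc("spoke-a", [ip_network("10.1.0.0/24")], dynamic_routes={aggregate: "hub"})
    b = Vpc("spoke-b", [ip_network("10.2.0.0/24")], dynamic_routes={aggregate: "hub"})
    return {v.name: v for v in (hub, a, b)}


if __name__ == "__main__":
    for label, topo in (("peering only", peering_hub_and_spoke(False)),
                        ("peering + custom routes", peering_hub_and_spoke(True)),
                        ("HA VPN overlay", vpn_hub_and_spoke())):
        print(f"{label:24} spoke-a -> hub:     {trace(topo, 'spoke-a', '10.0.0.10')}")
        print(f"{label:24} spoke-a -> spoke-b: {trace(topo, 'spoke-a', '10.2.0.10')}")
```

trace() returns the chain of VPCs a packet would traverse, or None when some hop has no route. With peering alone spoke-a reaches the hub but not spoke-b, turning on custom route exchange changes nothing, and the VPN overlay yields spoke-a, hub, spoke-b in both directions because the hub's Cloud Router advertises an aggregate that covers the spokes.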

49
MCQeasy

A company is designing a VPC network to support multiple projects that require isolation but also need to communicate with a shared services project. Which approach should the company use to minimize administrative overhead while ensuring isolation?

A.Assign all projects to a single VPC with separate subnets for each project.
B.Implement a Shared VPC in the host project and attach all service projects to it.
C.Use dedicated VPCs for each project and connect via Cloud VPN tunnels.
D.Create a separate VPC for each project and peer them with the shared services VPC.
AnswerB

Centralizes network management and enforces isolation through subnets and firewall rules.

Why this answer

A Shared VPC (XPN) allows an organization to connect resources from multiple service projects to a common host project's VPC network, enabling isolated projects to communicate with shared services while centralizing network administration. This minimizes administrative overhead because network policies, firewall rules, and routing are managed in one place, and service projects do not need to manage their own VPC infrastructure.

Exam trap

The trap here is that candidates often confuse VPC peering with Shared VPC, assuming that peering provides the same centralized management, but peering requires per-connection configuration and does not allow a single host project to centrally administer subnets and firewall rules across all projects.

How to eliminate wrong answers

Option A is wrong because using a single VPC with separate subnets does not provide true project-level isolation; all projects would share the same VPC and IAM boundaries are blurred, increasing the risk of unintended access and complicating resource management. Option C is wrong because using dedicated VPCs connected via Cloud VPN tunnels introduces significant administrative overhead for tunnel configuration, routing, and maintenance, and does not scale efficiently for multiple projects. Option D is wrong because peering each project's VPC with a shared services VPC requires managing multiple peering connections, each with its own routing and firewall rules, which increases complexity and administrative burden compared to a single Shared VPC.

50
Multi-Selecthard

A company is planning to migrate to Google Cloud and needs to design a VPC network for a multi-tier application (web, app, database). Which THREE best practices should they follow? (Choose THREE.)

Select 3 answers
A.Use one subnet for all tiers to simplify routing.
B.Use instance-level firewalls instead of VPC firewall rules.
C.Create separate subnets for each tier and use firewall rules to control traffic between them.
D.Use Cloud Armor to protect the web tier.
E.Use Private Google Access for instances to reach Google APIs privately.
AnswersC, D, E

Segmentation improves security and manageability.

Why this answer

Option C is correct because separating each application tier into its own subnet allows you to apply VPC firewall rules to control ingress and egress traffic between tiers based on source and destination CIDR ranges or service accounts. This follows the principle of least privilege, ensuring that only necessary traffic (e.g., web-to-app on TCP port 8080, app-to-database on TCP port 3306) is permitted, while all other traffic is denied by default.

Exam trap

Google Cloud often tests the misconception that instance-level firewalls are a best practice for multi-tier security in GCP, but the correct approach is to use VPC firewall rules with subnet segmentation and service account or tag-based controls for centralized, scalable traffic management.

51
Drag & Drop · medium

Drag and drop the steps to set up a Private Service Connect for accessing Google APIs privately into the correct order.

Why this order

Private Service Connect involves creating an endpoint, assigning IP, setting DNS, and testing.

52
MCQ · medium

A team is deploying a new service in a Compute Engine instance without an external IP in subnet-b. The service needs to access Google Cloud Storage using internal IPs. What must the team do to enable this?

A. Assign an external IP address to the instance.
B. Move the instance to subnet-a where Private Google Access is already enabled.
C. Enable Private Google Access on subnet-b.
D. Set up Cloud NAT on the VPC to allow outbound access to Google APIs.
Answer: C

Enables instances without external IP to reach Google APIs via internal IPs.

Why this answer

Private Google Access enables a Compute Engine instance without an external IP address to reach Google APIs and services (including Cloud Storage) over the internal VPC network using RFC 1918 addresses. By enabling this feature on subnet-b, the instance can access Cloud Storage via internal IPs without needing an external IP or NAT gateway. This is the correct and minimal configuration for the requirement.

Exam trap

The trap here is that candidates often confuse Private Google Access with Cloud NAT, assuming outbound access to Google APIs always requires NAT, but Private Google Access is the specific feature designed for internal-only instances to reach Google APIs without external IPs.

How to eliminate wrong answers

Option A is wrong because assigning an external IP address would expose the instance to the internet, violating the requirement to use only internal IPs and introducing unnecessary security risk. Option B is wrong because moving the instance to subnet-a is not required; Private Google Access can be enabled on any subnet, including subnet-b, without moving resources. Option D is wrong because Cloud NAT is used for outbound internet access to non-Google services or for dynamic source IP translation, but Private Google Access directly provides internal IP access to Google APIs without NAT.

53
MCQ · hard

You run the command shown in the exhibit. Your on-premises network is connected to your VPC via a Cloud Router with two BGP sessions. You notice that your on-premises network receives routes for only the two custom IP ranges (10.0.1.0/24 and 10.0.2.0/24) but not for other subnets in the VPC. What is the most likely cause?

A. The BGP interface IP addresses 169.254.x.x are not reachable from the on-premises side.
B. The BGP peer ASN 65001 is not recognized by the on-premises router.
C. The advertisedGroups includes ALL_SUBNETS but the router is ignoring it because of a misconfiguration.
D. The Cloud Router is configured with custom route advertisement that only includes the two specified ranges.
Answer: D

With advertiseMode CUSTOM, the router only advertises the explicitly listed ranges, ignoring ALL_SUBNETS unless it is the only group. The advertisedGroups includes ALL_SUBNETS but since mode is CUSTOM, only custom ranges are advertised.

Why this answer

Option D is correct because the Cloud Router's custom route advertisement configuration explicitly controls which routes are advertised to on-premises via BGP. If only the two custom IP ranges (10.0.1.0/24 and 10.0.2.0/24) are included in the custom advertisement, other VPC subnets will not be advertised, even if they exist. The exhibit shows that the on-premises network receives only those two ranges, which directly matches a custom advertisement setup rather than the default ALL_SUBNETS behavior.

Exam trap

The trap here is that candidates often assume BGP session establishment implies all routes are automatically exchanged, but Cloud Router's custom advertisement feature allows granular control over which prefixes are advertised, and the default ALL_SUBNETS behavior is not active when custom ranges are explicitly listed.

How to eliminate wrong answers

Option A is wrong because if the BGP interface IP addresses 169.254.x.x were unreachable, the BGP sessions would not establish at all, and no routes would be received—not just a subset. Option B is wrong because the BGP peer ASN 65001 is a private ASN commonly used in GCP Cloud Router configurations; if the on-premises router did not recognize it, the BGP session would fail to establish, again resulting in zero routes. Option C is wrong because if advertisedGroups included ALL_SUBNETS, the Cloud Router would advertise all VPC subnets by default; the router does not 'ignore' this setting due to misconfiguration—either it is set or it is not, and the observed behavior (only two ranges) indicates custom advertisement is in use.

54
MCQ · hard

An enterprise uses Shared VPC with a host project and multiple service projects. A service project team wants to create a Cloud VPN tunnel to their on-premises network. What must the network team configure in the host project to allow this?

A. The service project can create the VPN gateway directly in its own project as long as it uses a VPC that is peered with the host project
B. The VPN gateway and Cloud Router must be created in the host project's VPC, and the service project must be granted compute.networkUser role on the host project
C. The service project cannot use Cloud VPN with Shared VPC; they must use Dedicated Interconnect instead
D. A Cloud Router must be created in the service project, and the VPN gateway in the host project
Answer: B

Correct configuration; the networking resources are in the host project.

Why this answer

In a Shared VPC setup, the VPN gateway and Cloud Router must reside in the host project's VPC because the host project owns the underlying network infrastructure. The service project can then use the VPN tunnel by being granted the `compute.networkUser` role on the host project, which allows it to create forwarding rules and use the VPN resources. This ensures that the VPN termination point is within the shared VPC network, enabling connectivity to on-premises networks.

Exam trap

The trap here is that candidates mistakenly think the service project can own the VPN gateway or Cloud Router because they are creating the tunnel, but Shared VPC requires all networking resources (VPN gateway, Cloud Router) to be in the host project's VPC.

How to eliminate wrong answers

Option A is wrong because the service project cannot create a VPN gateway directly in its own project using a VPC peered with the host project; VPC peering does not support Cloud VPN termination, and the VPN gateway must reside in the host project's VPC. Option C is wrong because Cloud VPN is fully supported with Shared VPC; Dedicated Interconnect is a separate, higher-bandwidth option, not a requirement. Option D is wrong because both the Cloud Router and the VPN gateway must be created in the host project, not split between projects; the service project cannot host the Cloud Router for a VPN tunnel terminating in the host project.

55
MCQ · medium

A company needs a dedicated, low-latency connection from their on-premises data center to GCP with a 10 Gbps capacity. They require the highest availability and service level agreement (SLA). Which connectivity option should they choose?

A. Carrier Peering using Equinix or other carrier.
B. Dedicated Interconnect with two connections to different meet-me rooms.
C. Partner Interconnect with two VLAN attachments from different providers.
D. Cloud VPN with two tunnels from different VPN gateways.
Answer: B

Dedicated Interconnect provides dedicated, low-latency connection with high SLA.

Why this answer

Dedicated Interconnect provides a direct, private connection between the on-premises data center and GCP with 10 Gbps capacity. By using two connections to different meet-me rooms, the company achieves the highest availability and meets the 99.99% SLA, as this eliminates single points of failure at the physical layer and within a single facility.

Exam trap

Google Cloud often tests the misconception that Partner Interconnect can match the SLA of Dedicated Interconnect, but the key trap is that Partner Interconnect's SLA is limited to the partner's network and does not cover the entire path from on-premises to GCP.

How to eliminate wrong answers

Option A is wrong because Carrier Peering uses a shared connection over the public internet, does not offer a 10 Gbps dedicated capacity, and provides no SLA for availability or latency. Option C is wrong because Partner Interconnect relies on a third-party provider's network, which introduces additional latency and does not offer the same 99.99% SLA as Dedicated Interconnect; two VLAN attachments from different providers still depend on the partner's infrastructure. Option D is wrong because Cloud VPN uses encrypted tunnels over the public internet, cannot guarantee 10 Gbps throughput (typically limited to ~3 Gbps per tunnel), and provides no SLA for latency or availability.

56
Multi-Select · medium

Which TWO of the following are true regarding VPC Network Peering? (Choose TWO.)

Select 2 answers
A. The VPCs' subnet IP ranges must not overlap.
B. It supports transitive routing across multiple peering connections.
C. It supports exchange of routes with custom dynamic routing.
D. Custom dynamic routes are automatically exchanged.
E. It can be used to connect VPCs in different organizations.
Answers: A, E

Overlapping IP ranges are not allowed in VPC peering.

Why this answer

Option A is correct because VPC Network Peering requires that the subnet IP ranges of the peered VPCs do not overlap. Overlapping ranges would cause routing conflicts and ambiguous destination addresses, as GCP uses the subnet CIDR blocks to determine the next hop for traffic. If two VPCs have overlapping ranges, packets cannot be reliably forwarded to the correct destination, breaking the peering connection.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering supports transitive routing or dynamic route exchange, leading candidates to select options B or C, when in fact peering is strictly non-transitive and only exchanges subnet and static routes.

57
MCQ · hard

A company uses Shared VPC with multiple service projects. They want to ensure that only specific service projects can use the Cloud NAT configured in the host project. What should they do?

A. Configure Cloud NAT with a specific network tag and assign that tag only to VMs in authorized service projects.
B. Use firewall rules to restrict traffic from service projects.
C. Use VPC Service Controls to restrict access.
D. Configure IAM roles on the Cloud NAT resource to allow only specific projects.
Answer: A

This is the standard method to restrict Cloud NAT usage.

Why this answer

Cloud NAT can be restricted to specific VMs using network tags. By configuring the Cloud NAT gateway in the host project with a specific network tag, and then assigning that tag only to the VM instances in authorized service projects, only those tagged VMs can use the NAT gateway. This ensures that only specific service projects (via their tagged VMs) can leverage the Cloud NAT, while all other VMs in the shared VPC are excluded.

Exam trap

The trap here is that candidates often assume IAM is the correct way to restrict access to a Cloud NAT resource, but Cloud NAT does not have an IAM resource—it is a regional service that is controlled via network tags or subnet-level configuration, not IAM permissions.

How to eliminate wrong answers

Option B is wrong because firewall rules control traffic flow (allow/deny) based on IP addresses, ports, and protocols, but they cannot restrict which VMs can use a Cloud NAT gateway; Cloud NAT operates at the network address translation layer, not at the firewall rule level. Option C is wrong because VPC Service Controls are designed to protect data exfiltration by controlling access to Google Cloud APIs and services, not to manage which VMs can use a Cloud NAT gateway within a shared VPC. Option D is wrong because Cloud NAT does not have its own IAM resource; IAM roles on the Cloud NAT resource do not exist—Cloud NAT is a regional resource that is automatically used by VMs in the VPC, and access is controlled via network tags or subnet-level configuration, not IAM.

58
MCQ · easy

Refer to the exhibit. A company has enabled Private Google Access on the subnet. What effect does this have on VMs in the subnet?

A. VMs can use external IPs to access Google services
B. VMs can access the internet using Cloud NAT
C. VMs can communicate with each other without firewall rules
D. VMs can access Google services using only internal IPs
Answer: D

Private Google Access enables access to Google APIs over internal IPs.

Why this answer

Private Google Access enables VMs in a subnet that have only internal IP addresses (RFC 1918) to reach Google APIs and services (e.g., Cloud Storage, BigQuery) through Google's internal network. The traffic is routed via the default internet gateway (which does not require an external IP on the VM) and uses a special 0.0.0.0/0 route with next hop 'default internet gateway' to reach Google's external IPs, but the VM itself never needs a public IP. This is why D is correct: VMs can access Google services using only internal IPs.

Exam trap

Google Cloud often tests the misconception that Private Google Access provides general internet access (like Cloud NAT) or that it requires VMs to have external IPs, when in fact it is strictly for Google APIs and services using internal-only VMs.

How to eliminate wrong answers

Option A is wrong because Private Google Access specifically allows VMs without external IPs to reach Google services; if a VM already has an external IP, it can reach Google services directly without needing Private Google Access. Option B is wrong because Cloud NAT is used to enable outbound internet connectivity for VMs without external IPs, but Private Google Access is a separate feature that only covers Google APIs and services, not general internet access. Option C is wrong because VM-to-VM communication within a subnet is governed by VPC firewall rules (ingress/egress), and Private Google Access has no effect on internal traffic between VMs.

59
MCQ · medium

Refer to the exhibit. A network engineer checks the BGP status of a Cloud Router. The on-prem router has two BGP peers configured. What is the most likely cause of the IDLE session for the second peer?

A. The VLAN attachment is not configured
B. The BGP timers are misconfigured
C. The peer router is not configured with the correct BGP ASN
D. The peer router's firewall is blocking TCP port 179
Answer: D

Blocking port 179 prevents TCP connection, causing IDLE.

Why this answer

The IDLE state in BGP indicates that the session has not been established or has been reset. Since the on-prem router has two BGP peers and only one is IDLE, a per-peer issue like a firewall blocking TCP port 179 on the second peer's router is the most likely cause. This prevents the TCP three-way handshake required for BGP session establishment, leaving the session stuck in IDLE.

Exam trap

The trap here is that candidates often assume an IDLE session is always due to a BGP configuration mismatch (like ASN or timers), but Cisco tests the nuance that a per-peer firewall rule blocking TCP 179 can cause IDLE on only one peer while the other remains established.

How to eliminate wrong answers

Option A is wrong because a VLAN attachment is a Layer 2 construct used for Cloud Router interfaces; its absence would affect all BGP sessions or the underlying connectivity, not just one specific peer. Option B is wrong because misconfigured BGP timers (e.g., keepalive or hold timers) would cause the session to oscillate between ESTABLISHED and IDLE or flap, not remain persistently in IDLE without any prior connection. Option C is wrong because an incorrect BGP ASN on the peer router would cause a NOTIFICATION message and the session to go to IDLE, but the question states the peer router is configured with two BGP peers—if the ASN were wrong, both peers would likely fail, not just one.

60
MCQ · easy

An organization needs to allow on-premises servers to resolve DNS names of GCP VM instances using RFC 1918 addresses. They have a Cloud VPN connection. Which DNS resolution approach should they implement?

A. Set up a public zone and use the instance's external IP for DNS
B. Configure Cloud DNS outbound server policy and forward from Cloud DNS to on-premises DNS
C. Use DNS peering with a private zone in the on-premises DNS
D. Configure Cloud DNS inbound server policy and set up forwarding from on-premises DNS to the Cloud DNS inbound endpoint
Answer: D

Enables on-premises to query Cloud DNS for private zones.

Why this answer

Option D is correct because the on-premises servers need to resolve DNS names of GCP VM instances using RFC 1918 addresses over a Cloud VPN connection. Configuring a Cloud DNS inbound server policy creates a VPC-wide inbound DNS endpoint (using an internal IP address) that on-premises DNS servers can forward queries to. This allows the on-premises DNS to send DNS requests for GCP private zone records (e.g., `vm-instance.c.example.internal`) directly to the Cloud DNS inbound endpoint, which then resolves the private RFC 1918 addresses of the VM instances.

Exam trap

The trap here is that candidates confuse inbound and outbound server policies, often selecting Option B (outbound) because they think 'forwarding to on-premises' is needed, but the requirement is for on-premises to query GCP, which requires an inbound endpoint.

How to eliminate wrong answers

Option A is wrong because using a public zone and the instance's external IP would expose the DNS records to the internet and require public IP addresses, contradicting the requirement to use RFC 1918 addresses. Option B is wrong because Cloud DNS outbound server policy is used to forward DNS queries from GCP VPCs to on-premises DNS servers, not the reverse direction needed here. Option C is wrong because DNS peering is used to allow DNS resolution between two GCP VPCs or between a GCP VPC and a service producer network; it does not support forwarding from an on-premises DNS server to Cloud DNS.

61
Multi-Select · medium

Which TWO services can be used to provide outbound connectivity to the internet for private VMs in a VPC? (Assume VMs have no external IPs.)

Select 2 answers
A. Instance with external IP
B. Cloud Router
C. Private Google Access
D. Cloud NAT
E. Cloud VPN
Answers: A, D

Can be configured as a NAT gateway for other private VMs.

Why this answer

Option A is correct because an instance with an external IP can provide outbound connectivity for private VMs if it is configured as a NAT gateway or proxy. However, the question specifies that VMs have no external IPs, so this option is technically incorrect in the context of the question's constraint. The intended correct answer for outbound connectivity without external IPs is Cloud NAT, which allows private VMs to access the internet using source network address translation (SNAT) without assigning external IPs to individual VMs.

Exam trap

The trap here is that candidates often confuse Private Google Access (which only works for Google services) with general internet access, or assume Cloud Router or Cloud VPN can provide NAT-like functionality, when in fact only Cloud NAT (or a custom NAT instance) can provide outbound internet connectivity for private VMs without external IPs.

62
MCQ · hard

A request comes from IP 192.0.2.5, with origin region code 'US', and path '/admin/dashboard'. What will be the final action?

A. Deny by rule priority 1000.
B. Deny by rule priority 2000.
C. Deny by rule priority 3000.
D. Allow (default rule).
Answer: B

The request path starts with '/admin', matching rule 2000.

Why this answer

The request matches a rule with priority 2000 that denies traffic from IP 192.0.2.5 to path '/admin/dashboard' with origin region 'US'. Since Cloud Armor security policies evaluate rules in ascending priority order, rule 2000 is evaluated before rule 3000 and after rule 1000. Rule 1000 does not match (likely a different condition), so rule 2000 applies and denies the request.

Exam trap

Google Cloud often tests the misconception that rules are evaluated in descending priority order (e.g., 3000 before 2000) or that the default rule overrides explicit deny rules, when in fact the lowest numeric priority wins and evaluation stops at the first match.

How to eliminate wrong answers

Option A is wrong because priority 1000 is evaluated first but does not match the request (e.g., it might allow all traffic or match a different path/region), so it does not deny. Option C is wrong because priority 3000 is evaluated after priority 2000; once a match occurs at priority 2000, evaluation stops and rule 3000 is never reached. Option D is wrong because the default rule (allow) only applies if no higher-priority rule matches; here, rule 2000 matches and denies the request.

63
MCQ · hard

A company has two VPCs in the same project, VPC-A and VPC-B. They have set up VPC peering between them. In VPC-A, there is a subnet 10.0.1.0/24. In VPC-B, there are subnets 10.0.2.0/24 and 10.0.3.0/24. A compute instance in VPC-A can ping an instance in VPC-B with IP 10.0.2.10, but fails to ping an instance in VPC-B with IP 10.0.3.10. All subnets are in the same region. Firewall rules allow all traffic between VPC-A and VPC-B. What is the most likely cause?

A. VPC-A has a static route to 10.0.3.0/24 that preempts the peering route.
B. The peering is not bidirectional; VPC-B is not exporting routes.
C. The firewall rules in VPC-B block ICMP from VPC-A to 10.0.3.0/24.
D. The subnet 10.0.3.0/24 was added after the peering, and the peering routes were not updated. Recreate the peering.
Answer: A

Static routes have higher priority than peering routes, causing traffic to go elsewhere.

Why this answer

VPC peering routes are automatically added to the route tables of both VPCs when the peering is established. However, if a more specific static route (e.g., to 10.0.3.0/24) exists in VPC-A, it will take precedence over the peering route due to longest prefix match routing. Since the instance in VPC-A can reach 10.0.2.10 but not 10.0.3.10, the most likely cause is that VPC-A has a static route that preempts the peering route for the 10.0.3.0/24 subnet.

Exam trap

The trap here is that candidates often assume VPC peering automatically works for all subnets in the peered VPC, forgetting that static routes with more specific prefixes can override peering routes, even when firewall rules are permissive.

How to eliminate wrong answers

Option B is wrong because VPC peering is bidirectional by default; both VPCs export and import routes unless explicitly configured otherwise, and the question does not indicate any custom export/import settings. Option C is wrong because the question explicitly states that firewall rules allow all traffic between VPC-A and VPC-B, so ICMP is not blocked. Option D is wrong because VPC peering routes are dynamically updated when subnets are added or removed; there is no need to recreate the peering, as route propagation is automatic.

64
MCQ · hard

A company uses a Shared VPC with a host project and multiple service projects. They have deployed Cloud NAT in the host project's network to provide internet access for service project instances. The Cloud NAT is configured to use a network tag 'nat'. Instances in service projects that have the tag 'nat' can reach the internet. A new service project is added and its instances are created with the same tag 'nat' in a subnet in europe-west1. However, these instances cannot reach the internet. Other service project instances with the tag 'nat' in us-central1 work fine. The Cloud NAT is deployed in us-central1. What is the most likely cause?

A. The Cloud NAT's UDP timeout is too short.
B. The firewall rules in the host project block traffic from the new service project's subnets.
C. The Cloud NAT is not in the same region as the new service project's instances.
D. The new service project's instances are not tagged with 'nat'.
Answer: C

Cloud NAT only works for instances in its region.

Why this answer

Cloud NAT is a regional resource; it only provides outbound internet access to instances within the same region. Since the Cloud NAT is deployed in us-central1, instances in europe-west1 cannot use it, regardless of their network tag. The instances in the new service project must have a Cloud NAT deployed in europe-west1 to reach the internet.

Exam trap

The trap here is that candidates assume Cloud NAT is a global resource or that network tags alone ensure connectivity, overlooking the critical regional scope of Cloud NAT and the fact that it must be deployed in the same region as the instances it serves.

How to eliminate wrong answers

Option A is wrong because UDP timeout settings affect the duration of NAT connections, not the ability to establish them across regions; a short timeout would cause dropped idle connections, not a complete lack of internet access. Option B is wrong because firewall rules in the host project control traffic at the network level, but Cloud NAT operates at the regional level and does not require explicit firewall rules for NAT traffic; the issue is regional mismatch, not firewall blocking. Option D is wrong because the question explicitly states the new instances are created with the same tag 'nat', so the tag is present; the problem is regional, not tag-related.

65
MCQ · easy

A company has Compute Engine instances without external IPs that need to access the internet for updates. They do not want any inbound traffic. What is the best design?

A. Configure Cloud NAT and rely on default firewall rules.
B. Configure Cloud NAT and add firewall rules to allow only necessary egress and deny all ingress.
C. Configure Cloud NAT and add a firewall rule to allow all egress traffic.
D. Configure Cloud NAT and add a firewall rule to deny all ingress and egress.
Answer: B

Meets both outbound access and inbound blocking requirements.

Why this answer

Option B is correct because Cloud NAT provides outbound internet connectivity for instances without external IPs, and the explicit firewall rules ensure only necessary egress traffic is allowed while denying all ingress, meeting the requirement of no inbound traffic. Default firewall rules allow some ingress (e.g., ICMP), so they must be overridden with a deny-all-ingress rule to fully block inbound traffic.

Exam trap

The trap here is that candidates assume default firewall rules are sufficient for security, but they actually allow some ingress (e.g., ICMP from internal ranges), so a deny-all-ingress rule is necessary to fully block inbound traffic.

How to eliminate wrong answers

Option A is wrong because default firewall rules allow certain ingress traffic (e.g., ICMP from RFC 1918 ranges), which violates the 'no inbound traffic' requirement. Option C is wrong because allowing all egress traffic is overly permissive and does not follow the principle of least privilege; the question implies only necessary egress (e.g., updates) should be allowed. Option D is wrong because denying all egress traffic would block the outbound updates the instances need, defeating the purpose of Cloud NAT.

66
Multi-Select · medium

Which TWO statements are true about VPC Network Peering?

Select 2 answers
A. Each VPC can have up to 25 peerings by default
B. Peered VPCs can communicate using RFC 1918 IP addresses without the need for VPN or Interconnect
C. Firewall rules in one VPC are automatically applied to the peered VPC
D. VPC peering incurs additional cost beyond standard egress charges
E. Custom static routes are automatically exchanged between peered VPCs
Answers: A, B

Default limit is 25 peerings per VPC.

Why this answer

Option A is correct because the default limit for VPC Network Peering per VPC is 25, as documented in Google Cloud's quotas and limits. This is a soft limit that can be increased by requesting a quota adjustment, but by default, each VPC can have up to 25 peerings. Option B is correct because VPC Network Peering allows direct communication between VPCs using RFC 1918 private IP addresses without requiring VPN tunnels or Cloud Interconnect, as the peering connection uses Google's internal network infrastructure.

Exam trap

The trap here is that candidates often assume firewall rules or custom routes are automatically shared across peered VPCs, but Google Cloud explicitly requires separate firewall rule management and manual route exchange configuration for custom routes.

67
MCQ · medium

A company wants to migrate an on-premises application that uses IPsec VPN tunnels to Google Cloud. They need to ensure encrypted connectivity between the on-premises network and a VPC. Which GCP service should they use?

A. Cloud Router
B. Cloud Interconnect
C. VPC Network
D. Cloud VPN
Answer: D

Provides IPsec VPN connectivity.

Why this answer

Cloud VPN (D) is the correct service because it securely extends an on-premises network to a Google Cloud VPC over the public internet using IPsec VPN tunnels. It provides encrypted connectivity that matches the existing IPsec-based architecture, ensuring data confidentiality and integrity between the two sites.

Exam trap

The trap here is that candidates confuse Cloud Router (a routing protocol component) with the actual VPN connectivity service, or assume Cloud Interconnect is required for encryption, when in fact Cloud Interconnect offers no native encryption and relies on separate IPsec overlays.

How to eliminate wrong answers

Option A is wrong because Cloud Router is a BGP-based dynamic routing component that exchanges routes between a Cloud VPN tunnel and a VPC, not a connectivity service itself. Option B is wrong because Cloud Interconnect provides dedicated, high-bandwidth physical connections between on-premises and Google Cloud, but it does not inherently include IPsec encryption; encryption would require an additional overlay. Option C is wrong because VPC Network is the virtual network container within Google Cloud that defines subnets, routes, and firewall rules, not a service that establishes encrypted tunnels to on-premises networks.

68
MCQ · easy

Refer to the exhibit. A network engineer reviews the firewall rules in a VPC. What is the most significant security concern?

A. There is no deny rule.
B. RDP is allowed from 10.0.0.0/8.
C. SSH is allowed from any source.
D. Firewall rules are not in order.
Answer: C

0.0.0.0/0 includes all public IPs, which is insecure.

Why this answer

Option C is correct because allowing SSH (TCP/22) from any source (0.0.0.0/0) exposes the VPC instances to brute-force attacks, unauthorized access, and potential compromise. This violates the principle of least privilege and is a critical security misconfiguration in a VPC firewall rule.

Exam trap

Google Cloud often tests the misconception that a missing explicit deny rule is a security risk, but in GCP VPC, the implicit deny at the end of the rule evaluation makes an explicit deny unnecessary unless you need to override a higher-priority allow rule.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules are implicitly deny-all at the end; a missing explicit deny rule is not a security concern as long as allow rules are properly scoped. Option B is wrong because RDP from 10.0.0.0/8 is a private RFC 1918 range, which is acceptable for internal administrative access and does not represent a significant security concern. Option D is wrong because VPC firewall rules are evaluated based on priority numbers, not order of creation; the lowest priority number wins, and there is no requirement for rules to be in a specific sequence.

69
MCQ · hard

A network engineer is troubleshooting connectivity from a Compute Engine instance in subnet-a to a Google Cloud Storage bucket. The instance has no external IP address. Based on the exhibit, what is the most likely cause of the connectivity issue?

A. The subnet purpose is PRIVATE, which blocks Google APIs.
B. Private Google Access is disabled on the subnet.
C. The subnet CIDR range is too small.
D. Flow logs are disabled, so traffic is not logged.

Answer: B

Private Google Access must be enabled for instances without external IPs to access Google APIs.

Why this answer

The instance has no external IP address, so it must use Private Google Access to reach Google APIs and services like Cloud Storage. Private Google Access is enabled at the subnet level; if it is disabled, the instance cannot route traffic to the Google API VIPs through the default route (0.0.0.0/0) without a NAT gateway or external IP. Option B correctly identifies this as the most likely cause.

Exam trap

The trap here is that candidates may assume a private subnet inherently blocks all external traffic, but Private Google Access is a separate, optional subnet setting that must be explicitly enabled for instances without external IPs to reach Google APIs.

How to eliminate wrong answers

Option A is wrong because the subnet purpose PRIVATE does not block Google APIs; it simply means the subnet is used for internal VPC traffic, and Private Google Access can still be enabled on it. Option C is wrong because the CIDR range size does not affect connectivity to Google APIs; it only limits the number of IP addresses available for instances. Option D is wrong because flow logs are a monitoring feature that captures metadata about traffic; disabling them does not prevent connectivity, and they are not required for traffic to flow.

70
Multi-Select · hard

Which THREE factors should be considered when designing a Cloud VPN for high availability? (Choose 3.)

Select 3 answers
A. Enable BGP for dynamic routing
B. Deploy VPN gateways in different regions
C. Use two tunnels from each VPN gateway
D. Use static routes for failover
E. Use a single Cloud Router for simplicity

Answers: A, B, C

BGP allows automatic route advertisement and failover.

Why this answer

Enabling BGP (Border Gateway Protocol) for dynamic routing is correct because it allows the Cloud VPN to automatically detect and route around failures. BGP exchanges route information between the on-premises router and the Cloud Router, enabling dynamic failover and load balancing across multiple tunnels. Without BGP, you would rely on static routes, which cannot adapt to network changes and require manual intervention during a failure.

Exam trap

The trap here is that candidates often think static routes with a higher metric can provide failover, but they fail to realize that static routes cannot dynamically detect a tunnel failure unless combined with a health check mechanism, which is not as reliable or fast as BGP's built-in path selection and withdrawal.

71
Multi-Select · easy

Which TWO of the following are benefits of using Shared VPC?

Select 2 answers
A. Enhanced security through VPC Service Perimeters
B. Automatic cross-project routing
C. Centralized firewall rule management
D. Reduced IP address usage
E. Separation of network and application teams

Answers: B, C

Service project VMs automatically communicate using the host project's routes.

Why this answer

Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, enabling automatic cross-project routing. This is because all subnets in the host project are directly reachable from any service project attached to that host, without needing additional VPC peering or VPN tunnels. Option B is correct because this inherent routing simplifies network connectivity and reduces administrative overhead.

Exam trap

Google Cloud often tests the misconception that Shared VPC inherently provides security features such as VPC Service Perimeters, when in fact those are separate controls. The trap here is mistaking the administrative separation of network and application teams for a direct benefit of Shared VPC, rather than recognizing that the core technical benefits are automatic cross-project routing and centralized firewall rule management.

72
MCQ · easy

A startup is migrating a two-tier application to GCP. The web tier must be accessible from the internet, and the database tier must only be accessible from the web tier. Which network design should be used?

A. Place web servers in a public subnet with external IPs, database in a private subnet, and add a firewall rule allowing traffic from web subnet to database
B. Place both tiers in separate VPCs and use VPC peering with no firewall rules
C. Place both tiers in the same subnet and configure firewall rules to restrict database access
D. Place web servers in a private subnet with Cloud NAT for outbound, database in the same private subnet

Answer: A

This design provides proper segmentation and security.

Why this answer

Option A is correct because it places the web servers in a public subnet with external IPs, allowing direct internet access, while the database resides in a private subnet with no external IP, enforcing isolation. A firewall rule (ingress on the database subnet) explicitly permits traffic from the web subnet’s CIDR range, typically on the database port (e.g., TCP 3306 for MySQL), ensuring the database is reachable only from the web tier. This design follows GCP’s best practice of using VPC firewall rules to control east-west traffic between subnets.

Exam trap

Google Cloud often tests the misconception that placing resources in the same subnet still allows isolation via firewall rules. In GCP, firewall rules are applied at the instance level (via tags or service accounts) and cannot restrict traffic between instances in the same subnet without additional tagging, which leads candidates to incorrectly choose Option C.

How to eliminate wrong answers

Option B is wrong because placing both tiers in separate VPCs with VPC peering and no firewall rules would allow unrestricted traffic between the VPCs (peering does not impose a default deny), violating the requirement that the database be accessible only from the web tier. Option C is wrong because placing both tiers in the same subnet would give the database the same network access as the web servers, making it impossible to restrict database access to only the web tier using subnet-level firewall rules; firewall rules in GCP are applied at the subnet or instance level, and same-subnet traffic is not easily isolated without complex per-instance tags. Option D is wrong because placing web servers in a private subnet with Cloud NAT only provides outbound internet access, not inbound; the web tier would not be accessible from the internet, failing the requirement that the web tier must be internet-accessible.

73
MCQ · easy

A company has multiple projects that each need their own administrative control but must share a common VPC network. Which networking solution should they use?

A. Create a single VPC in one project and grant all users access to that project.
B. Create separate VPCs for each project and connect via Cloud VPN.
C. Use Shared VPC with the host project and attach service projects.
D. Create a VPC in each project and peer them all together.

Answer: C

Provides centralized network management with per-project resource control.

Why this answer

Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, enabling centralized control of the network while maintaining administrative isolation for each project. The host project owns the VPC and firewall rules, and service projects can use subnets within that VPC, meeting the requirement for separate administrative control with a shared network.

Exam trap

The trap here is that candidates often confuse VPC peering (Option D) with Shared VPC, not realizing that peering does not allow a single common VPC network and lacks centralized administrative control, while Shared VPC is designed exactly for this use case.

How to eliminate wrong answers

Option A is wrong because granting all users access to a single project eliminates administrative isolation, as all users would have project-level permissions, not per-project control. Option B is wrong because creating separate VPCs and connecting via Cloud VPN introduces complexity, latency, and bandwidth limitations, and does not provide a single common VPC network; it creates multiple networks that are bridged. Option D is wrong because VPC peering does not support transitive routing and requires non-overlapping CIDR ranges, making it unsuitable for a shared network with multiple projects that need to communicate through a common VPC; it also does not allow centralized firewall or subnet management.

74
MCQ · hard

A company uses a Shared VPC host project with three service projects: Prod, Staging, and Dev. All service projects have similar network requirements except that Prod requires Private Google Access to access Google APIs from VM instances without external IP addresses. The network team creates a single subnet in the Shared VPC with Private Google Access enabled. However, Staging and Dev teams report that their VMs cannot reach external IP addresses on the internet because the subnet's route has a next hop of default internet gateway. What is the most cost-effective solution that meets all requirements?

A. Create a separate subnet for each service project in the Shared VPC and enable Private Google Access only on the Prod subnet.
B. Enable Private Google Access on the Shared VPC's subnet for all projects and configure Cloud Router with BGP to advertise a default route.
C. Configure Cloud NAT in the Shared VPC for the Staging and Dev service projects to allow outbound internet access from their VMs without external IPs.
D. Disable Private Google Access on the subnet and create a separate subnet for Prod with Private Google Access enabled.

Answer: C

Cloud NAT provides internet access to VMs without external IPs; Private Google Access remains enabled for Prod. This is cost-effective because Cloud NAT shares IPs across multiple VMs.

Why this answer

Option C is correct because Cloud NAT provides outbound internet connectivity for VM instances without external IP addresses, which is exactly what Staging and Dev need. Since Private Google Access is already enabled on the shared subnet, Prod VMs can reach Google APIs without external IPs, while Cloud NAT handles the general internet access for the other projects. This is the most cost-effective solution because Cloud NAT incurs only egress data processing charges and does not require additional subnets or complex routing changes.

Exam trap

The trap here is that candidates confuse Private Google Access with general internet access, assuming that enabling it on a subnet automatically allows VMs to reach any external IP, when in fact Private Google Access only covers Google API and service endpoints, not arbitrary internet destinations.

How to eliminate wrong answers

Option A is wrong because creating separate subnets for each service project increases IP address consumption and management overhead, and it does not solve the outbound internet access issue for Staging and Dev VMs without external IPs; they still lack a route to the internet. Option B is wrong because enabling Private Google Access on all subnets does not provide outbound internet access; Cloud Router with BGP advertising a default route would require a VPN or Dedicated Interconnect to an on-premises router, which is not cost-effective and is unnecessary for simple internet access. Option D is wrong because disabling Private Google Access on the shared subnet would break Prod's requirement to access Google APIs from VMs without external IPs, and creating a separate Prod subnet with Private Google Access enabled does not address the outbound internet need for Staging and Dev.

75
MCQ · hard

A company has a VPC with several subnets and wants to force traffic between two specific subnets (A and B) to be inspected by a third-party firewall appliance in a separate subnet (C). The firewall has source/destination check disabled. What is the best way to route traffic from A to B through C?

A. Use Cloud NAT to route traffic through the firewall.
B. Use a custom route with a lower priority for the destination subnet.
C. Use VPC flow logs to monitor traffic.
D. Use a policy-based route to redirect traffic from A to B to the firewall's IP.

Answer: D

Policy-based routes can match source and destination and redirect to a next hop.

Why this answer

Policy-based routes allow you to define a forwarding rule that matches traffic based on source and destination IP ranges, then sends it to a next-hop instance (the firewall). Since the firewall has source/destination check disabled, it can forward the inspected traffic to the final destination. This is the only option that directly forces traffic between subnets A and B through the firewall in subnet C.

Exam trap

Google Cloud often tests the distinction between policy-based routes (which match on source and destination) and static routes (which match only on destination), leading candidates to incorrectly choose a custom static route (Option B) when a policy-based route is required.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used for outbound internet access from private instances, not for routing traffic between subnets within a VPC. Option B is wrong because a custom route with lower priority would only affect traffic destined for the subnet's IP range if no more specific route exists; it does not force traffic through a specific next-hop instance for inter-subnet communication. Option C is wrong because VPC flow logs only capture metadata about network flows for monitoring and analysis; they do not influence routing decisions.
