CCNA Implementing hybrid interconnectivity Questions

75 of 144 questions · Page 1/2 · Implementing hybrid interconnectivity · Answers revealed

1
MCQ · hard

A network engineer sees the above output from a Cloud Router. There are two BGP peers from the on-premises router (10.0.0.1 and 10.0.0.2). Both learned the same route 10.1.0.0/16 from their respective peers. However, traffic from Google Cloud to 10.1.0.0/16 is only going through the first peer (10.0.0.1) and not load-balanced. What could be the reason?

A. The on-premises router is advertising the route with different MED values
B. The on-premises router is advertising the route with different AS_PATH lengths
C. The VPC routing mode is set to 'global'
D. Cloud Router has a limit of one route per prefix

Answer: A

Different MED values prevent ECMP; Cloud Router selects the route with the lower MED.

Why this answer

Option A is correct because BGP uses the MED (Multi-Exit Discriminator) attribute to influence inbound traffic from a neighboring AS. When the on-premises router advertises the same route (10.1.0.0/16) to the Cloud Router via two peers (10.0.0.1 and 10.0.0.2) with different MED values, the Cloud Router will prefer the route with the lower MED value. This causes all traffic to be sent through the peer with the lower MED, preventing load balancing.

By default, Cloud Router does not perform ECMP (Equal-Cost Multi-Path) for BGP routes unless the paths are identical in all BGP path selection criteria, including MED.

Exam trap

The trap here is that candidates often assume BGP automatically load-balances across multiple peers for the same prefix, forgetting that BGP's path selection algorithm picks a single best path unless all attributes (including MED) are equal, and that MED is compared even when AS_PATH lengths are the same.

How to eliminate wrong answers

Option B is wrong because if the on-premises router advertised the route with different AS_PATH lengths, the Cloud Router would prefer the shorter AS_PATH, which would also result in a single preferred path, not load balancing. However, the question states that both peers learned the same route, implying the AS_PATH lengths are likely equal; the issue is specifically about MED. Option C is wrong because the VPC routing mode (global vs. regional) affects how routes are propagated across regions, not how BGP path selection chooses between two peers in the same region.

Option D is wrong because Cloud Router does not have a limit of one route per prefix; it can learn multiple routes for the same prefix from different BGP peers and can perform ECMP if the routes are equal in all BGP selection criteria.

2
Drag & Drop · medium

Drag and drop into the correct order the steps for troubleshooting a VPN tunnel that is not passing traffic.


Why this order

Troubleshooting starts with tunnel status, then BGP, firewall, routing, and finally connectivity tests.

3
Matching · medium

Match each VPC firewall rule component to its description.


Determines rule evaluation order (lower number = higher priority)

Specifies ingress or egress traffic

Allow or deny matching traffic

Specifies IP ranges or tags for traffic filtering

Selects VM instances to apply the rule

Why these pairings

These are key fields when defining VPC firewall rules.

4
MCQ · medium

A company uses a shared VPC with multiple service projects. They want to connect their on-premises data center to the shared VPC through a Dedicated Interconnect. Where should they configure the Cloud Router and VLAN attachment?

A. In the same region as the majority of service project instances
B. In the host project of the shared VPC
C. In a global resource policy, cross-project
D. In the service project that will use the connectivity

Answer: B

Host project manages networking for all service projects.

Why this answer

In a shared VPC architecture, the Cloud Router and VLAN attachment for Dedicated Interconnect must be configured in the host project because the host project owns the VPC network and manages all network resources, including interconnect attachments. Service projects consume subnets from the host project but cannot create or manage interconnect resources. This ensures that the on-premises connectivity is centrally managed and that all service projects can use the interconnect through the shared VPC's routing.

Exam trap

Google Cloud often tests the misconception that interconnect resources can be configured in a service project because the service project uses the VPC, but in reality, the host project owns the VPC and all network-level resources like Cloud Routers and VLAN attachments must be created there.

How to eliminate wrong answers

Option A is wrong because the Cloud Router and VLAN attachment are not tied to the region of service project instances; they must be in the host project, and the Cloud Router can be regional or global, but the VLAN attachment is always regional and must be in the same region as the interconnect location, not the majority of instances. Option C is wrong because there is no 'global resource policy, cross-project' for interconnect configuration; Cloud Router and VLAN attachments are always project-scoped resources, and cross-project connectivity is handled via shared VPC host project ownership. Option D is wrong because service projects cannot configure Cloud Router or VLAN attachments; they lack the necessary permissions and the VPC network is not owned by them, so they cannot create interconnect resources in the host project's VPC.

5
MCQ · hard

Company A and Company B both have networks in Google Cloud. They want to connect their VPCs using VPC peering, but they have overlapping IP addresses. How can they resolve this?

A. Use Cloud VPN to establish connectivity between the VPCs, as VPC peering cannot handle overlapping IPs.
B. Configure Private Service Connect to connect the VPCs.
C. Configure VPC peering with custom route exchange to exclude the overlapping subnets.
D. Use Dedicated Interconnect to connect the VPCs through a central router.

Answer: A

Cloud VPN can be configured with NAT or traffic selectors to handle overlapping IPs.

Why this answer

VPC peering does not support overlapping IP ranges. The only option from the list that can handle overlapping IPs is Cloud VPN with network address translation or filtering.

6
Multi-Select · medium

A company is planning to connect multiple VPCs in different regions to their on-premises network using a single Dedicated Interconnect. Which TWO configurations are required to achieve this?

A. Create a single Cloud Router for all VPCs
B. Set up Cloud VPN tunnels for regional connectivity
C. Create a Cloud Router in each VPC
D. Use a global VLAN attachment
E. Provision a separate VLAN attachment for each VPC

Answers: C, E

Each VPC needs its own Cloud Router to establish BGP sessions.

Why this answer

Option C is correct because each VPC requires its own Cloud Router to establish dynamic routing (BGP) over the Dedicated Interconnect. A Cloud Router is a per-VPC resource that manages BGP sessions and routes for that specific VPC, and since the interconnect is shared, each VPC must have its own router to participate in routing independently.

Exam trap

Google Cloud often tests the misconception that a single Cloud Router or global VLAN attachment can serve multiple VPCs across regions, but in reality, each VPC requires its own regional Cloud Router and VLAN attachment for Dedicated Interconnect.

7
Multi-Select · easy

Which TWO are necessary components for setting up Dedicated Interconnect? (Choose two.)

A. A Cloud VPN tunnel for management traffic
B. A QoS policy to ensure bandwidth guarantee
C. A Cloud Router in the same region as the VLAN attachment
D. Two physical interconnect connections for redundancy
E. A VLAN attachment mapped to a VPC

Answers: C, E

Cloud Router handles BGP routing for the interconnect.

Why this answer

A Cloud Router is required in the same region as the VLAN attachment to enable dynamic routing (BGP) between your on-premises network and Google Cloud VPC. The VLAN attachment must be mapped to a VPC to define which VPC network the interconnect circuit connects to, allowing traffic to flow between your on-premises network and Google Cloud resources.

Exam trap

Google Cloud often tests the misconception that Dedicated Interconnect requires a VPN tunnel for management or redundancy, when in fact the VPN tunnel is a separate service for encrypted connectivity and is not a component of Dedicated Interconnect setup.

8
MCQ · hard

Refer to the exhibit. The Cloud Router shows one BGP peer as ESTABLISHED and one as IDLE. The best routes show two routes to the same destination with different priorities. What is the most likely reason the IDLE peer is not establishing?

A. The on-premises router is not sending routes for the IDLE peer
B. The IDLE peer has a higher priority route, so it is not needed
C. BGP configuration mismatch between Cloud Router and on-premises router for the IDLE peer
D. The IDLE peer is not configured on the Cloud Router

Answer: C

IDLE state indicates a BGP session issue, typically misconfiguration.

Why this answer

The IDLE state in BGP indicates that the session has not been established, typically due to a configuration mismatch. Since the Cloud Router shows one peer as ESTABLISHED and another as IDLE, the most likely cause is a mismatch in BGP parameters (such as AS number, peer IP, or authentication) between the Cloud Router and the on-premises router for the IDLE peer. This prevents the BGP session from transitioning out of the IDLE state.

Exam trap

Google Cloud often tests the misconception that route advertisement or route priority affects BGP session state, but the IDLE state is strictly a session establishment issue caused by misconfiguration or network reachability problems between the peers.

How to eliminate wrong answers

Option A is wrong because the on-premises router not sending routes does not prevent BGP session establishment; the session can still reach ESTABLISHED state even if no routes are advertised. Option B is wrong because route priority (administrative distance or local preference) affects route selection, not BGP peering state; a higher priority route does not cause a peer to remain IDLE. Option D is wrong because if the IDLE peer were not configured on the Cloud Router, it would not appear in the BGP peer list at all; the fact that it is listed as IDLE indicates it is configured but not establishing.

9
MCQ · easy

An organization requires a hybrid connectivity option that offers an SLA of 99.99% availability and supports bandwidth up to 100 Gbps. They are willing to manage their own physical infrastructure in a Google colocation facility. Which connectivity solution should they choose?

A. Cloud VPN with multiple tunnels
B. Dedicated Interconnect
C. Partner Interconnect
D. HA VPN

Answer: B

Direct physical connection with high SLA and bandwidth.

Why this answer

Dedicated Interconnect is the correct choice because it provides a direct, private connection between your on-premises network and Google Cloud, supporting bandwidth up to 100 Gbps (via multiple 10 Gbps or 100 Gbps links) and offering a 99.99% availability SLA when configured with redundant attachments. This solution requires you to manage your own physical infrastructure in a Google colocation facility, meeting the organization's requirement for self-managed hardware.

Exam trap

Google Cloud often tests the distinction between Dedicated and Partner Interconnect, where candidates mistakenly choose Partner Interconnect because they overlook the requirement for the organization to manage its own physical infrastructure, assuming any 'Interconnect' option meets the SLA and bandwidth needs.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with multiple tunnels is an internet-based, encrypted connection that does not offer an SLA of 99.99% availability (typically 99.9% at best) and cannot support bandwidth up to 100 Gbps due to per-tunnel throughput limits (e.g., 3 Gbps per tunnel for HA VPN). Option C is wrong because Partner Interconnect relies on a third-party service provider to manage the physical connection, which contradicts the requirement that the organization manages its own physical infrastructure in a Google colocation facility. Option D is wrong because HA VPN, while providing high availability, is still an internet-based VPN solution with a maximum throughput of 3 Gbps per tunnel and does not meet the 100 Gbps bandwidth requirement or the 99.99% SLA.

10
MCQ · easy

An engineer configured a Cloud Router with the above settings. The VPC network has subnets 10.1.0.0/16 and 10.2.0.0/16, as well as subnets 10.3.0.0/16 and 10.4.0.0/16. The on-premises router is only receiving routes for 10.1.0.0/16 and 10.2.0.0/16 but not for 10.3.0.0/16 and 10.4.0.0/16. What is the cause?

A. The BGP session is not established
B. The Cloud Router is in global routing mode, which does not advertise all subnets
C. The Cloud Router is set to custom advertisement mode, and the missing subnets are not included in the advertised IP ranges
D. The on-premises router has a filter that blocks the other routes

Answer: C

Custom mode requires explicit specification of ranges to advertise; only listed ranges are advertised.

Why this answer

Option C is correct because when a Cloud Router is configured in custom advertisement mode, it only advertises the specific CIDR ranges explicitly listed in the 'Advertised IP ranges' field. Since the missing subnets (10.3.0.0/16 and 10.4.0.0/16) are not included in that list, they are not propagated via BGP to the on-premises router, even though they exist in the VPC.

Exam trap

Google Cloud often tests the distinction between default advertisement mode (which automatically advertises all VPC subnets) and custom advertisement mode (which requires explicit configuration), leading candidates to overlook the fact that missing routes are due to an incomplete custom list rather than a BGP session issue or routing mode setting.

How to eliminate wrong answers

Option A is wrong because if the BGP session were not established, the on-premises router would receive no routes at all, not just a subset. Option B is wrong because global routing mode (as opposed to regional routing mode) does not affect which subnets are advertised; it only controls the scope of route propagation within Google Cloud, not the BGP advertisement list. Option D is wrong because the question states the on-premises router is 'only receiving routes for 10.1.0.0/16 and 10.2.0.0/16', which matches the advertised IP ranges; a filter on the on-premises router would typically block all or specific routes, but the pattern here points to a missing advertisement on the Cloud Router side.

11
MCQ · hard

A company has two HA VPN tunnels from on-premises to Google Cloud using two separate Cloud Routers for redundancy. The on-premises network uses BGP and advertises a default route to Google Cloud. The company wants to ensure that traffic from Google Cloud to on-premises prefers the primary Cloud Router over the secondary. Which configuration should be applied?

A. Set the primary Cloud Router's BGP IP as the next-hop for all routes on the secondary.
B. Set a lower MED on the primary Cloud Router's BGP session for the default route advertisement.
C. Set a higher LOCAL_PREF on the primary Cloud Router for the default route.
D. Set a shorter AS_PATH on the primary Cloud Router's BGP session.

Answer: C

Higher LOCAL_PREF makes the route more preferred for outbound traffic from Google Cloud.

Why this answer

Option C is correct because LOCAL_PREF is a well-known mandatory BGP attribute that is used to influence outbound traffic from an AS. By setting a higher LOCAL_PREF on the primary Cloud Router for the default route, Google Cloud will prefer that path for traffic destined to on-premises, as LOCAL_PREF is evaluated before other attributes like AS_PATH and MED.

Exam trap

The trap here is that candidates often confuse MED (which influences inbound traffic) with LOCAL_PREF (which influences outbound traffic), leading them to incorrectly select Option B, thinking MED can control which path Google Cloud uses to send traffic to on-premises.

How to eliminate wrong answers

Option A is wrong because manually setting the primary Cloud Router's BGP IP as the next-hop on the secondary does not influence BGP path selection; BGP next-hop is used for reachability, not preference, and this configuration would not cause the primary to be preferred. Option B is wrong because MED is a multi-exit discriminator that influences inbound traffic to an AS, not outbound traffic from Google Cloud; it is used by the on-premises router to choose which path to use when multiple paths exist to the same prefix, not by Google Cloud. Option D is wrong because a shorter AS_PATH makes a route more preferred, but this attribute is typically manipulated on the on-premises side to influence Google Cloud's path selection; setting a shorter AS_PATH on the primary Cloud Router would not be effective because AS_PATH is prepended by the router advertising the route, and Google Cloud would see the same AS_PATH length from both routers if they are in the same AS.

12
MCQ · medium

A company has deployed a Dedicated Interconnect with multiple VLAN attachments connected to a single Cloud Router. They want to influence inbound traffic from on-premises to Google Cloud to use a specific attachment for certain prefixes. Which BGP attribute can they manipulate on the on-premises router to achieve this?

A. AS_PATH
B. LOCAL_PREF
C. MED
D. Community tags

Answer: C

MED can be set on routes advertised from on-premises to Google Cloud, influencing which attachment is preferred for those prefixes.

Why this answer

Option C is correct because the Multi-Exit Discriminator (MED) attribute is used to influence inbound traffic from on-premises to Google Cloud when multiple paths exist via a Dedicated Interconnect. By setting a lower MED value on the on-premises router for specific prefixes, the Cloud Router will prefer that attachment for those prefixes, as MED is compared first among paths from the same neighboring AS.

Exam trap

Google Cloud often tests the distinction between attributes that influence inbound vs. outbound traffic, and the trap here is that candidates confuse MED (inbound influence) with LOCAL_PREF (outbound influence) or AS_PATH prepending (outbound influence), assuming any attribute can be manipulated on the on-premises router to affect Google Cloud's path selection.

How to eliminate wrong answers

Option A is wrong because AS_PATH is used to influence outbound traffic from Google Cloud to on-premises by prepending AS numbers, not inbound traffic from on-premises to Google Cloud. Option B is wrong because LOCAL_PREF is a well-known mandatory attribute that is only used within a single AS to influence outbound traffic from the local router, and it is not exchanged between ASes, so it cannot be set on the on-premises router to affect Google Cloud's path selection. Option D is wrong because Community tags are used for tagging routes to trigger routing policies (like route filtering or preference) but do not directly influence path selection; they require explicit configuration on the receiving router to interpret them, unlike MED which is a standard BGP attribute compared automatically.

13
MCQ · medium

A customer reports that after setting up HA VPN, some on-premises subnets are not reachable from Google Cloud. The Cloud Router shows the missing routes. What is the most likely cause?

A. The VPN tunnel is down.
B. The on-premises router is not configured to advertise those subnets.
C. BGP route filters are blocking the advertisement of those subnets.
D. The shared secret is incorrect.

Answer: C

Route filters on the Cloud Router or on-premises router can selectively allow or deny routes.

Why this answer

Option C is correct because the Cloud Router shows the missing routes, indicating that the VPN tunnel and BGP session are up, but the routes are not being installed. BGP route filters on the Cloud Router or on-premises router can explicitly block the advertisement of specific subnets, preventing them from being learned and installed in the routing table even though the BGP session is established.

Exam trap

The trap here is that candidates often assume missing routes are due to a tunnel or BGP session failure, but Cisco tests the distinction between routes being received (BGP table) versus being installed (routing table), which points to route filtering as the cause.

How to eliminate wrong answers

Option A is wrong because if the VPN tunnel were down, the Cloud Router would not show any routes from the on-premises side, and the BGP session would be down, not just missing specific subnets. Option B is wrong because the on-premises router not advertising those subnets would result in the Cloud Router not seeing those routes at all, but the question states the Cloud Router shows the missing routes, meaning they are present in the BGP updates but not installed. Option D is wrong because an incorrect shared secret would prevent the IPsec tunnel from establishing, causing the BGP session to fail entirely, not just filter specific subnets.

14
MCQ · medium

A network engineer is troubleshooting a Cloud VPN tunnel that is not passing traffic. The tunnel status shows as established, and BGP sessions are up. However, traffic from an on-premises subnet (10.0.1.0/24) to a GCP subnet (192.168.1.0/24) is not working. What should the engineer check first?

A. Verify that the on-premises router is advertising the 10.0.1.0/24 prefix via BGP
B. Ensure that the Cloud Router is configured with the correct BGP ASN
C. Check that GCP has a static route for 10.0.1.0/24 pointing to the VPN tunnel
D. Check GCP firewall rules to allow ingress from 10.0.1.0/24

Answer: A

If the prefix is not advertised, GCP will not have a route to reach it.

Why this answer

Option A is correct because even though the VPN tunnel and BGP session are established, traffic may still fail if the on-premises router is not advertising the on-premises subnet (10.0.1.0/24) to GCP via BGP. Without this advertisement, GCP's Cloud Router has no route to reach that subnet, so return traffic from GCP to on-premises is dropped. The first step in troubleshooting is to verify that the on-premises BGP speaker is sending the correct prefix in its UPDATE messages.

Exam trap

Google Cloud often tests the misconception that a 'tunnel established' and 'BGP up' guarantee traffic flow, but the trap here is that route advertisement via BGP is a separate requirement that must be explicitly verified.

How to eliminate wrong answers

Option B is wrong because the BGP ASN on the Cloud Router is already configured correctly if the BGP session is up; an incorrect ASN would prevent the session from establishing. Option C is wrong because GCP does not require a static route for the on-premises subnet when using dynamic routing (BGP); the route is learned automatically via BGP from the on-premises router. Option D is wrong because firewall rules control ingress traffic into GCP, but if GCP has no route back to 10.0.1.0/24, traffic will be dropped before firewall rules are evaluated; the routing issue must be resolved first.

15
MCQ · easy

An organization has two Cloud VPN tunnels from the same on-premises router to a Cloud Router in Google Cloud. Both tunnels are using BGP, and the on-premises router is sending the same routes over both tunnels. The Cloud Router is configured to use 'route propagation' from a VPC network. Which of the following is true regarding route priority?

A. Cloud Router will use both tunnels for load balancing (ECMP) if the routes are identical
B. The tunnel with the lower local preference value will be used
C. The tunnel with the higher BGP MED value will be preferred
D. Only the tunnel with the lowest IP address will be used

Answer: A

With identical BGP routes (same prefix, same MED and local preference, differing only in next hop), Cloud Router will install multiple paths and use ECMP.

Why this answer

When both BGP routes are identical in prefix, AS path, local preference, MED, and other attributes, Cloud Router uses ECMP (Equal-Cost Multi-Path) to load balance traffic across both Cloud VPN tunnels. Route propagation in the VPC network does not alter the BGP best-path selection; it simply injects the learned routes into the VPC routing table. Since the on-premises router advertises the same routes over both tunnels, Cloud Router treats them as equal-cost paths and distributes traffic across both tunnels.

Exam trap

The trap here is that candidates often assume BGP always selects a single best path and ignore that ECMP is enabled when routes are identical, leading them to incorrectly choose options that involve attribute-based tiebreakers like local preference or MED.

How to eliminate wrong answers

Option B is wrong because local preference is a BGP attribute used to influence outbound traffic from the Cloud Router's perspective, but when both tunnels receive the same local preference (default 100), it does not cause one tunnel to be preferred over the other. Option C is wrong because a higher BGP MED value makes a route less preferred, not more; MED is a metric used to influence inbound traffic from the on-premises side. Option D is wrong because Cloud Router does not use the tunnel's IP address as a tiebreaker; it uses BGP attributes and, if all attributes are equal, it will use ECMP rather than selecting a single tunnel.

16
MCQ · medium

Refer to the exhibit. The Cloud Router is connected to two on-premises routers via dedicated interconnect. The on-premises routers advertise the same prefix 10.1.0.0/16. Which on-premises router's route will be preferred by Google Cloud for traffic destined to 10.1.0.0/24? (Assume equal AS path length and MED from on-premises.)

A. The route with lower peer IP address
B. Both routes will be used equally (ECMP)
C. The route from peer with IP 169.254.0.1
D. The route from peer with IP 169.254.1.1

Answer: D

This peer has customLearnedRoutePriority 100, which is lower (more preferred).

Why this answer

Google Cloud Router prefers the route with the higher link-local (peer) IP address when two on-premises routers advertise the same prefix via separate VLAN attachments on a Dedicated Interconnect, assuming equal AS path length and MED. Since 169.254.1.1 is higher than 169.254.0.1, the route from the peer with IP 169.254.1.1 is selected. This behavior is specific to Google Cloud's BGP best-path selection tie-breaking logic, which uses the peer IP address as a deterministic tiebreaker.

Exam trap

Google Cloud often tests the misconception that BGP always uses the lowest neighbor IP address as a tiebreaker, but Google Cloud Router uses the highest peer IP address (link-local address) for Dedicated Interconnect VLAN attachments.

How to eliminate wrong answers

Option A is wrong because Google Cloud Router does not use a lower peer IP address as a tiebreaker; it uses the higher peer IP address. Option B is wrong because ECMP is not applied when the same prefix is received from two different BGP peers on a Cloud Router; a single best path is selected based on deterministic tie-breaking rules. Option C is wrong because 169.254.0.1 is the lower link-local address, and the route from that peer would be rejected in favor of the route from the peer with the higher IP address (169.254.1.1).

17
MCQ · hard

A multinational company is migrating workloads to Google Cloud and requires a hybrid connectivity solution between their on-premises data centers in New York and London and Google Cloud regions us-central1 and europe-west1. Each data center has a pair of redundant border routers. The network team has set up a Dedicated Interconnect connection in each Google Cloud region, with two VLAN attachments per region (total 4 attachments). Each VLAN attachment is associated with a separate Cloud Router. The Cloud Routers in us-central1 are configured with BGP sessions to the on-premises routers in New York, and the Cloud Routers in europe-west1 peer with the London routers. The VPC is in 'global' dynamic routing mode. After deployment, traffic from on-premises London to Google Cloud in us-central1 takes a suboptimal path: it goes from London to us-central1 via the internet instead of using the Dedicated Interconnect in europe-west1 and then internal Google Cloud backbone. All BGP sessions are up, and routes are being exchanged. The on-premises routers are advertising all their subnets. The Cloud Routers are learning the on-premises prefixes. What is the most likely cause of this suboptimal routing?

A. The VPC subnets in us-central1 are using smaller prefixes that are not being summarized by the Cloud Router.
B. The on-premises London routers are not receiving routes for the VPC subnets in us-central1, so they send traffic via the internet.
C. The Cloud Router in europe-west1 is prepending AS path for routes coming from us-central1, making them less preferred.
D. The on-premises New York routers are setting a lower MED for routes to us-central1, causing London to deprefer them.

Answer: B

Cloud Router only sends routes for subnets in its own region to its BGP peers; global routing mode does not change this.

Why this answer

Option B is correct because the on-premises London routers are not receiving routes for the VPC subnets in us-central1. Since the Cloud Routers in europe-west1 only peer with London, they must advertise the us-central1 VPC subnets to London via BGP. If those routes are missing, London has no path via the Dedicated Interconnect and falls back to the internet.

The VPC is in global dynamic routing mode, so Cloud Routers in both regions learn all VPC subnets, but the europe-west1 Cloud Router must explicitly advertise them to London.

Exam trap

The trap here is that candidates assume global dynamic routing automatically ensures all Cloud Routers advertise all VPC subnets to all on-premises peers, but in reality, each Cloud Router must be explicitly configured to advertise the prefixes it learns from the VPC to its BGP neighbors.

How to eliminate wrong answers

Option A is wrong because smaller prefixes are not the issue; Cloud Routers advertise the exact VPC subnet prefixes learned from the VPC, and summarization is not required for correct routing. Option C is wrong because AS path prepending would make routes less preferred, but the question states all BGP sessions are up and routes are being exchanged; prepending would not cause a complete absence of routes, only a preference change. Option D is wrong because MED is a metric used to influence inbound traffic from a single AS; New York routers setting a lower MED for us-central1 routes would not affect London's routing decisions, as MED is not transitive between different AS paths.

18
MCQ · hard

A network engineer is troubleshooting an HA VPN setup between Google Cloud and an on-premises data center. The two tunnels are established, and BGP sessions are up on both tunnels. However, traffic from Google Cloud to the on-premises network is only using one tunnel, even though both BGP sessions are advertising the same routes. What is the most likely cause?

A. The on-premises router is sending different BGP metrics (MED) for the same route on the two BGP sessions.
B. The Cloud Router is not configured for dynamic routing.
C. One of the IPsec tunnels is in a dead state.
D. The on-premises router is setting a higher local preference on one route.

Answer: A

If MED differs, Cloud Router will prefer lower MED, leading to single-path use.

Why this answer

When both BGP sessions are up and advertising the same routes, but traffic only uses one tunnel, the most likely cause is that the on-premises router is sending different Multi-Exit Discriminator (MED) values for the same route on the two BGP sessions. MED is a metric that influences inbound traffic to an AS; a lower MED value is preferred. If one tunnel's BGP update carries a lower MED, Google Cloud's Cloud Router will select that path for all traffic, even though both tunnels are functional.

Exam trap

Google Cloud often tests the distinction between BGP attributes that influence inbound vs. outbound traffic; the trap here is that candidates may confuse MED (inbound metric) with local preference (outbound metric) and incorrectly select Option D, not realizing that local preference set by the on-premises router is not sent to Google Cloud's eBGP peer.

How to eliminate wrong answers

Option B is wrong because Cloud Router is explicitly configured for dynamic routing in an HA VPN setup (BGP sessions are up), so the issue is not a lack of dynamic routing configuration. Option C is wrong because the question states both tunnels are established and BGP sessions are up, so neither IPsec tunnel is in a dead state. Option D is wrong because local preference is used to influence outbound traffic from an AS, not inbound traffic to the on-premises network; Google Cloud's Cloud Router would not consider local preference set by the on-premises router, as local preference is typically only propagated within an AS and not sent to eBGP peers.

19
MCQ · easy

An organization wants to connect their on-premises network to Google Cloud using Partner Interconnect. Which of the following is a requirement that must be met before the partner can provision the connection?

A. The organization must purchase a cross-connect at a colocation facility.
B. The organization must have a Dedicated Interconnect connection already set up.
C. The organization must have a VLAN attachment created and share the pairing key.
D. The organization must have a Cloud Router configured with BGP sessions.
Answer: C

The VLAN attachment and pairing key are required for the partner to provision.

Why this answer

Partner Interconnect requires the customer to create a VLAN attachment in their Google Cloud project and share the generated pairing key with the service provider. The partner uses this key to provision the connection on their side, ensuring the correct mapping to the customer's VPC. Without the VLAN attachment and pairing key, the partner cannot establish the Layer 2 circuit.

Exam trap

Google Cloud often tests the distinction between the prerequisites for Partner Interconnect versus Dedicated Interconnect, trapping candidates who confuse the cross-connect requirement (Dedicated) with the VLAN attachment and pairing key requirement (Partner).

How to eliminate wrong answers

Option A is wrong because purchasing a cross-connect at a colocation facility is a requirement for Dedicated Interconnect, not Partner Interconnect, where the partner manages the physical infrastructure. Option B is wrong because Dedicated Interconnect is a separate product and is not a prerequisite for Partner Interconnect; they are independent connectivity options. Option D is wrong because a Cloud Router with BGP sessions is configured after the VLAN attachment is created and the partner provisions the connection, not as a prerequisite before provisioning.

20
Multi-Select · medium

A company is planning to connect their on-premises data center to Google Cloud. They require high bandwidth (10 Gbps) and low latency for real-time data replication. They also want a cost-effective solution that supports burstable traffic. Which TWO connectivity options should they consider? (Choose TWO.)

Select 2 answers
A. Classic VPN (route-based VPN)
B. Cloud VPN (IPsec VPN)
C. Partner Interconnect
D. Dedicated Interconnect
E. Direct Peering
Answers: C, D

Offers flexible bandwidth up to 10 Gbps or more via supported partners, with pay-as-you-go pricing suitable for burstable traffic.

Why this answer

Partner Interconnect (Option C) is correct because it provides dedicated, high-bandwidth connections (up to 10 Gbps per circuit) with low latency, suitable for real-time data replication. It supports burstable traffic through a service provider's network, offering a cost-effective alternative to Dedicated Interconnect for enterprises that need flexibility without owning the full physical infrastructure.

Exam trap

Google Cloud often tests the misconception that Cloud VPN or Classic VPN can meet high-bandwidth, low-latency requirements because they are 'VPNs,' but the trap is that these options lack the dedicated physical infrastructure and SLAs needed for real-time replication, whereas Interconnect options provide guaranteed performance.

21
Multi-Select · medium

A company is planning to connect their on-premises network to Google Cloud using Dedicated Interconnect. They require high availability for the connection. Which TWO of the following are recommended by Google for achieving high availability? (Choose two.)

Select 2 answers
A. Use a single Dedicated Interconnect with double the bandwidth
B. Connect to two different edge availability domains in the same POP
C. Order connections from two different service providers
D. Order two Dedicated Interconnect connections in the same metro
E. Connect to two different Interconnect locations (POPs)
Answers: D, E

Two connections provide link redundancy, even in the same metro.

Why this answer

Option D is correct because Google recommends ordering two Dedicated Interconnect connections in the same metro to provide link-level redundancy. Option E is correct because connecting to two different Interconnect locations (POPs) provides site-level redundancy, protecting against a single POP failure. Together, these two approaches ensure high availability for the hybrid connection.

Exam trap

The trap here is that candidates often confuse 'high availability' with 'increased bandwidth' (Option A) or think that connecting to two edge availability domains in the same POP (Option B) is sufficient, when Google actually requires diversity at the POP level for full high availability.

22
Multi-Select · medium

Which TWO are valid methods to allow on-premises traffic to reach Google Cloud resources that only have internal (private) IP addresses? (Choose two.)

Select 2 answers
A. Set up Cloud VPN or Interconnect and configure proper routing and firewall rules.
B. Assign public IP addresses to the resources and use firewall rules to allow on-premises traffic.
C. Use Cloud NAT to allow inbound connections from on-premises.
D. Use the default internet gateway route for the VPC.
E. Configure Private Google Access for on-premises hosts.
Answers: A, E

VPN/Interconnect provide direct connectivity to private IPs from on-premises.

Why this answer

Option A is correct because Cloud VPN or Interconnect creates a secure, private connection between on-premises and Google Cloud VPCs. By configuring proper routing (e.g., custom static routes or BGP) and firewall rules, on-premises traffic can reach internal-only IP addresses without needing public IPs, as the traffic traverses the private network path.

Exam trap

Google Cloud often tests the misconception that Cloud NAT can handle inbound connections, but it only supports SNAT/DNAT for outbound traffic, not inbound-initiated connections from on-premises.

23
MCQ · medium

A company has a Hybrid Connectivity setup using Cloud VPN with dynamic routing (BGP). They notice that traffic from their on-premises network to Google Cloud is intermittently dropping. The on-premises BGP speaker is sending routes with a higher local preference (200) than the Google Cloud router (default 100). What is the most likely cause of the intermittent drops?

A. AS path prepending is causing route flapping
B. Asymmetric routing is causing traffic to be dropped by stateful firewalls
C. Cloud Router is not configured for ECMP
D. The BGP MED attribute is misconfigured
Answer: B

Higher local preference can cause asymmetric routing, leading to stateful firewall drops.

Why this answer

The on-premises BGP speaker is sending routes with a higher local preference (200) than the default on Cloud Router (100). This makes the on-premises route preferred for return traffic from Google Cloud, but the forward traffic from on-premises may still use the Cloud VPN tunnel. This asymmetry causes stateful firewalls (e.g., on-premises firewall or Google Cloud firewall) to drop packets that do not match an existing session, leading to intermittent drops.

Exam trap

Google Cloud often tests the misconception that BGP attributes like local preference only affect inbound traffic, when in fact local preference influences outbound path selection from the router's perspective, and a mismatch between on-premises and cloud can cause asymmetric routing that stateful firewalls drop.

How to eliminate wrong answers

Option A is wrong because AS path prepending is used to influence inbound route selection by artificially lengthening the AS path, not to cause route flapping; route flapping is typically due to unstable BGP sessions or route withdrawals, not local preference manipulation. Option C is wrong because ECMP (Equal-Cost Multi-Path) is unrelated to the issue; the problem is asymmetric routing due to local preference mismatch, not load balancing across multiple paths. Option D is wrong because MED (Multi-Exit Discriminator) is used to influence inbound traffic from a neighboring AS, not outbound path selection within the same AS; the local preference mismatch is the direct cause of the asymmetry.

24
MCQ · medium

An organization has multiple VPCs in Google Cloud that need to communicate with an on-premises network through a single Dedicated Interconnect. All VPCs are in the same project. What is the most efficient way to enable connectivity from all VPCs to on-premises?

A. Create a separate Interconnect for each VPC
B. Create a single VLAN attachment and use it for all VPCs
C. Create a Cloud Router per VPC, each with its own VLAN attachment on the same Interconnect
D. Use VPC Network Peering to connect VPCs and attach one VPC to Interconnect
Answer: C

Each VPC gets its own Cloud Router and VLAN attachment, allowing all to use the same Interconnect.

Why this answer

Option C is correct because each VPC requires its own Cloud Router and VLAN attachment to establish a dedicated BGP session over the same Dedicated Interconnect. This allows multiple VPCs in the same project to share a single physical interconnect while maintaining separate Layer 3 routing domains. A single VLAN attachment cannot be shared across VPCs, as each attachment is associated with exactly one Cloud Router and one VPC.

Exam trap

The trap here is that candidates assume a single VLAN attachment can be shared across multiple VPCs, but in Google Cloud, each VLAN attachment is a per-VPC resource that requires its own Cloud Router and BGP session.

How to eliminate wrong answers

Option A is wrong because creating a separate Interconnect for each VPC is unnecessary and cost-inefficient; a single Dedicated Interconnect can support multiple VLAN attachments. Option B is wrong because a single VLAN attachment is tied to one Cloud Router and one VPC; it cannot be used directly by multiple VPCs. Option D is wrong because VPC Network Peering does not extend the Interconnect connectivity; peering only allows communication between VPCs, but the on-premises network would still only be reachable from the VPC that has the VLAN attachment, unless additional routing is configured.

25
MCQ · medium

A company is setting up a Dedicated Interconnect connection between their on-premises network and Google Cloud. They have configured a VLAN attachment and assigned a Cloud Router with BGP sessions. They notice that traffic is being dropped intermittently. The BGP session status shows 'Established' but routes are not being exchanged consistently. What is the most likely cause?

A. Bidirectional Forwarding Detection (BFD) is not enabled on the BGP session
B. The on-premises firewall is blocking BGP port 179
C. The Cloud Router has reached the maximum number of routes
D. The MTU on the VLAN attachment is set too low
Answer: A

Without BFD, BGP may remain Established while the data plane is down, causing dropped traffic.

Why this answer

When BFD is not enabled on a BGP session, the BGP keepalive timers (typically 60 seconds) are used to detect failures, which can cause intermittent traffic drops because BGP does not detect link failures quickly enough. With BFD enabled (default interval of 300ms), failures are detected in under a second, preventing route flapping and ensuring consistent route exchange. The 'Established' BGP state with inconsistent route exchange is a classic symptom of BFD being absent, as routes may be withdrawn and re-advertised due to transient link issues that BGP alone cannot react to fast enough.

Exam trap

Google Cloud often tests the misconception that a BGP session in 'Established' state guarantees stable route exchange, but the trap here is that BFD is required for fast failure detection in cloud interconnect scenarios, and its absence causes intermittent route flapping that does not break the BGP session itself.

How to eliminate wrong answers

Option B is wrong because if the on-premises firewall were blocking BGP port 179, the BGP session would never reach the 'Established' state; it would remain in 'Active' or 'Idle'. Option C is wrong because the Cloud Router maximum route limit (1000 routes by default, expandable) would cause routes to be rejected, not intermittent exchange; the BGP session would still show 'Established' but routes would be missing entirely, not inconsistently exchanged. Option D is wrong because a low MTU on the VLAN attachment would cause packet fragmentation or drops for large packets, but BGP route exchange uses small packets (typically 4096 bytes max for BGP updates) and would not cause intermittent route exchange; MTU issues manifest as connectivity failures for data traffic, not BGP route flapping.

26
Multi-Select · hard

Which THREE are true regarding Cloud HA VPN when used with dynamic routing (BGP)? (Choose three.)

Select 3 answers
A. Cloud HA VPN requires two Cloud Routers in the same region for redundancy.
B. Cloud HA VPN allows custom BGP timers.
C. Cloud HA VPN requires two interfaces per VPN gateway.
D. Cloud HA VPN BGP sessions use link-local addresses (169.254.x.x).
E. Cloud HA VPN supports using multiple tunnels for ECMP.
Answers: C, D, E

Each HA VPN gateway has two external interfaces for redundancy.

Why this answer

Option C is correct because Cloud HA VPN requires two interfaces per VPN gateway to provide high availability and redundancy. Each gateway interface connects to a separate Cloud Router, enabling active-active failover and ensuring continuous connectivity if one interface or tunnel fails.

Exam trap

Google Cloud often tests two misconceptions: that Cloud HA VPN requires multiple Cloud Routers for redundancy, when in fact it uses multiple interfaces on a single Cloud Router, and that custom BGP timers are allowed, whereas Google Cloud enforces fixed timers for stability.

27
MCQ · hard

A company has two Dedicated Interconnects in different metro regions connecting to Google Cloud. They want to use BGP communities to influence Cloud Router's route selection to prefer the closer interconnect for outbound traffic to on-premises. Which community action can they apply on the on-premises routers?

A. Set BGP community 2:100 on routes to indicate MED change
B. Set BGP community 0:100 on routes to mark them as high preference
C. Set BGP community 79ba:100 on routes from the preferred interconnect
D. Set BGP community 79ba:101 on routes from the preferred interconnect
Answer: C

The community 79ba:100 (lowest RTT) is supported by Google's Cloud Router to influence route preference for outbound traffic.

Why this answer

Option C is correct because Google Cloud uses 16-bit ASN format for BGP communities, and the well-known community 79ba:100 (equivalent to 31210:256 in decimal) is a Google-defined community that sets a higher local preference on routes received from the preferred interconnect. This influences Cloud Router's route selection to prefer the closer interconnect for outbound traffic to on-premises, as higher local preference is evaluated before MED or AS-path length.

Exam trap

Google Cloud often tests the specific Google-defined BGP community format (79ba:xxxx) and its meaning, so candidates may confuse it with standard 2-byte communities or assume any community value works, leading them to pick generic options like 2:100 or 0:100.

How to eliminate wrong answers

Option A is wrong because BGP community 2:100 is not a Google-defined community; Google uses communities in the 79ba:xxxx range (31210:xxxx decimal) for route preference, and MED is not directly set via communities in this context. Option B is wrong because community 0:100 is not a valid Google-defined community; Google uses 79ba:100 for high preference, and community 0:100 has no meaning in Google Cloud's BGP implementation. Option D is wrong because community 79ba:101 is used to set a medium preference (lower than 79ba:100), not the highest preference; using it would not make the preferred interconnect the most preferred path.

28
MCQ · easy

You are designing a hybrid network using Cloud VPN with dynamic routing (BGP) to connect multiple on-premises sites to Google Cloud. What is a best practice to avoid asymmetric routing when you have multiple VPN tunnels from different on-premises routers?

A. Use static routes instead of BGP to have precise control over path selection
B. Use a different BGP ASN for each on-premises router to ensure uniqueness
C. Configure all on-premises routers with the same BGP ASN and enable ECMP on the Cloud Router
D. Disable ECMP on the Cloud Router to avoid multipath issues
Answer: C

Same ASN allows multiple sessions to be treated as redundant, and ECMP load balances traffic.

Why this answer

Option C is correct because using the same BGP ASN on all on-premises routers and enabling ECMP on the Cloud Router allows the Cloud Router to treat multiple BGP sessions as equal-cost paths. This prevents asymmetric routing by ensuring that return traffic can be load-balanced across any available tunnel, while the same ASN avoids BGP loop-prevention mechanisms that would otherwise reject routes from routers with different ASNs.

Exam trap

The trap here is that candidates mistakenly think different ASNs are required for redundancy, but in fact, using the same ASN is necessary to allow ECMP and avoid BGP loop prevention rejecting routes from multiple on-premises routers.

How to eliminate wrong answers

Option A is wrong because static routes lack dynamic failover and cannot adapt to topology changes, leading to potential black-holing or asymmetric routing when tunnels go down. Option B is wrong because using different BGP ASNs on each on-premises router would cause the Cloud Router to see each path as a separate eBGP route, and the BGP best-path selection would prefer one path over the other, preventing ECMP and potentially causing asymmetric routing. Option D is wrong because disabling ECMP forces the Cloud Router to select a single best path, which can still result in asymmetric routing if the selected path differs from the path used by the on-premises router for return traffic.

29
MCQ · medium

A company is using Partner Interconnect to connect their data center to Google Cloud. They notice that traffic from their on-premises network to a specific subnet in VPC is taking a suboptimal path. Which action should they take to influence the routing preference?

A. Use route priorities on the Cloud Router for the learned routes.
B. Change the VLAN attachment's mode to active-active.
C. Set a lower cost on the Cloud Router interface for the preferred VLAN attachment.
D. Configure BGP MED values on the on-premises router for the prefixes advertised to the Cloud Router.
Answer: D

MED influences the Cloud Router's path selection, giving preference to lower MED.

Why this answer

Option D is correct because BGP MED (Multi-Exit Discriminator) is the standard mechanism for influencing inbound traffic path selection when multiple connections exist between two autonomous systems. By setting a lower MED value on the on-premises router for prefixes advertised to the Cloud Router, the on-premises network can signal Google Cloud to prefer that specific VLAN attachment for traffic destined to the subnet, thereby correcting the suboptimal path.

Exam trap

The trap here is that candidates often confuse influencing inbound vs. outbound traffic and incorrectly choose options that affect Cloud Router's outbound path selection (like route priorities or interface cost) instead of using BGP MED to influence the on-premises router's advertisement.

How to eliminate wrong answers

Option A is wrong because route priorities on Cloud Router affect the selection among multiple learned routes for the same prefix within Google Cloud, but they do not influence the path that on-premises routers use to send traffic into Google Cloud; route priorities are for outbound traffic from Google Cloud. Option B is wrong because changing the VLAN attachment's mode to active-active affects high availability and load balancing of traffic across multiple attachments, but it does not influence routing preference or path selection for inbound traffic. Option C is wrong because setting a lower cost on the Cloud Router interface influences the outbound traffic path from Google Cloud to on-premises (via BGP cost metrics), not the inbound path from on-premises to Google Cloud; the question concerns traffic from on-premises to a subnet in VPC, which is inbound to Google Cloud.

30
MCQ · medium

A company is deploying a Global Cloud VPN with multiple tunnels from different Cloud Router instances to the same on-premises peer. The on-premises BGP speaker is configured with multiple peers. How should they configure the BGP ASN on the Cloud Routers to ensure optimal routing?

A. Use different private ASNs for each Cloud Router to differentiate the tunnels.
B. Use the same private ASN for all Cloud Routers in the same region.
C. Assign a unique public ASN to each Cloud Router.
D. Use the same ASN across all Cloud Routers globally.
Answer: B

Same private ASN ensures the on-premises router treats all Cloud Router peers from the same region as one entity, preventing loops and allowing ECMP.

Why this answer

Option B is correct because using the same private ASN on all Cloud Routers in the same region allows the on-premises BGP speaker to treat multiple tunnels from that region as a single BGP session, enabling load balancing and failover without creating BGP path selection issues. This approach aligns with Google Cloud's recommendation for redundant VPN tunnels, where the same ASN ensures the on-premises router sees the Cloud Routers as a single BGP peer, simplifying routing policy and avoiding unnecessary AS path prepending.

Exam trap

The trap here is that candidates often assume each BGP session needs a unique ASN for redundancy, but in Google Cloud's multi-tunnel VPN design, using the same ASN within a region is required to enable proper load balancing and failover without causing BGP path selection conflicts.

How to eliminate wrong answers

Option A is wrong because using different private ASNs for each Cloud Router would cause the on-premises BGP speaker to treat each tunnel as a separate BGP session, potentially leading to suboptimal routing due to AS path length differences and preventing effective load balancing. Option C is wrong because assigning a unique public ASN to each Cloud Router is unnecessary and wasteful; private ASNs (64512-65534) are sufficient for internal BGP peering, and public ASNs are typically reserved for internet-facing connections, not internal hybrid interconnectivity. Option D is wrong because using the same ASN across all Cloud Routers globally can cause BGP to reject routes from multiple peers with the same ASN if the on-premises router has BGP multi-hop or loop prevention enabled, and it does not account for regional routing policies or failover scenarios where distinct regional ASNs are beneficial.

31
MCQ · hard

An organization has a hybrid network with multiple VPN tunnels connecting their on-premises network to Google Cloud. They use Cloud Router with BGP to propagate routes. They recently added a new subnet 192.168.100.0/24 in Google Cloud. On-premises devices can reach resources in the new subnet, but Google Cloud resources cannot initiate traffic to certain on-premises hosts in the 10.0.0.0/8 subnet. BGP sessions are all established. What is the most likely cause?

A. The VPC firewall rules are blocking outbound traffic from the new subnet.
B. The on-premises firewall is blocking traffic initiated from the 192.168.100.0/24 subnet because it is not in the permitted list.
C. There is a route conflict between the 192.168.100.0/24 route and an existing route in the on-premises routing table.
D. The on-premises BGP router is not advertising the 10.0.0.0/8 network because of a mask mismatch.
Answer: B

On-premises firewalls often have stateful inspection; new subnet traffic may not be allowed.

Why this answer

The issue is that on-premises hosts in 10.0.0.0/8 can be reached from the new Google Cloud subnet (192.168.100.0/24) because BGP routes are propagated, but return traffic initiated from on-premises hosts is blocked by the on-premises firewall. Since BGP sessions are established and routes are exchanged, the problem is not routing but stateful firewall filtering: the on-premises firewall likely has a rule that permits traffic from known subnets but does not include 192.168.100.0/24, so return packets for connections initiated from Google Cloud are dropped.

Exam trap

Google Cloud often tests the distinction between routing (BGP/route tables) and firewall filtering, leading candidates to incorrectly blame route advertisement or VPC firewall rules when the actual issue is a missing permit entry in the on-premises firewall for the new subnet.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules control traffic entering or leaving Google Cloud resources, but the problem states that on-premises devices can reach the new subnet, so outbound traffic from the new subnet is not blocked; the issue is with traffic initiated from Google Cloud to on-premises. Option C is wrong because a route conflict would cause asymmetric routing or unreachability in both directions, but on-premises devices can reach the new subnet, and BGP sessions are established, so there is no route conflict. Option D is wrong because a mask mismatch would prevent the on-premises BGP router from advertising 10.0.0.0/8, but the problem states BGP sessions are all established and on-premises devices can reach the new subnet, implying the 10.0.0.0/8 route is present in Google Cloud; the issue is with return traffic filtering, not route advertisement.

32
MCQ · medium

An engineer runs the command above to check the status of a Dedicated Interconnect VLAN attachment. The state shows DEFECTIVE. The associated interconnect connection is in ACTIVE state. What is the most likely cause?

A. The VLAN ID is already in use on a different attachment on the same interconnect
B. The Cloud Router is not configured with a BGP session for this attachment
C. The maximum number of VLAN attachments for this interconnect has been exceeded
D. The data center power is down
Answer: A

Duplicate VLAN IDs cause the attachment to be DEFECTIVE.

Why this answer

A Dedicated Interconnect VLAN attachment showing DEFECTIVE state while the interconnect connection itself is ACTIVE indicates a configuration conflict at the VLAN level. The most common cause is that the VLAN ID specified for this attachment is already allocated to another VLAN attachment on the same interconnect, as VLAN IDs must be unique per interconnect. This conflict prevents the attachment from establishing proper Layer 2 connectivity, resulting in a DEFECTIVE state.

Exam trap

Google Cloud often tests the distinction between Layer 2 attachment health and Layer 3 BGP session status — candidates mistakenly assume a BGP misconfiguration causes the attachment to be DEFECTIVE, but the attachment state is independent of BGP and reflects only the VLAN-level connectivity.

How to eliminate wrong answers

Option B is wrong because a missing BGP session on the Cloud Router would cause the BGP session to be down or not established, but the VLAN attachment state would still be ACTIVE (or PENDING) — the attachment itself is a Layer 2 construct and does not depend on BGP configuration for its operational state. Option C is wrong because exceeding the maximum number of VLAN attachments would result in a failure to create the attachment or an error during provisioning, not a DEFECTIVE state on an already-created attachment; the attachment would either be rejected or show a different error. Option D is wrong because a data center power outage would affect the interconnect connection itself, causing it to go DOWN or UNAVAILABLE, not remain ACTIVE while only the VLAN attachment shows DEFECTIVE.

33
MCQ · hard

A company with multiple VPCs in a Shared VPC environment wants to connect their on-premises network to all VPCs with high availability and minimal cost. They already have a Dedicated Interconnect. What is the most efficient solution?

A. Set up Cloud VPN with dynamic routing to each VPC.
B. Create an HA VPN gateway for each VPC and peer with on-prem.
C. Use the existing Dedicated Interconnect to create multiple VLAN attachments, one per VPC.
D. Provision a new Partner Interconnect for each VPC.
Answer: C

VLAN attachments allow a single interconnect to connect multiple VPCs efficiently.

Why this answer

Option C is correct because a Dedicated Interconnect can support multiple VLAN attachments (each with a separate VLAN ID and BGP session) to connect to different VPCs in a Shared VPC environment. This approach leverages the existing physical connection, provides high availability through redundant attachments, and minimizes cost by avoiding additional circuits or VPN tunnels.

Exam trap

Google Cloud often tests the misconception that a single Dedicated Interconnect can only connect to one VPC, leading candidates to incorrectly choose VPN-based solutions or additional interconnects.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with dynamic routing would require separate tunnels to each VPC, increasing complexity and cost, and it does not utilize the existing Dedicated Interconnect, which is already paid for. Option B is wrong because creating an HA VPN gateway for each VPC duplicates effort and cost; the Dedicated Interconnect can handle multiple VPCs via VLAN attachments without needing separate VPN gateways. Option D is wrong because provisioning a new Partner Interconnect for each VPC would incur significant additional expense and is unnecessary when the existing Dedicated Interconnect can be extended with VLAN attachments.

34
MCQ · hard

A financial services firm needs to connect their on-premises data center to Google Cloud VPC with 50 Gbps of bandwidth and latency under 5 ms. They are in a metropolitan area with a Google Cloud region. They require an SLA of 99.99% and need to support VLAN attachments to multiple VPCs. Which connectivity option should they choose?

A. Direct Peering
B. Dedicated Interconnect
C. Cloud VPN with multiple tunnels and ECMP
D. Partner Interconnect
Answer: B

Dedicated Interconnect provides up to 100 Gbps per circuit, low latency, 99.99% SLA, and supports multiple VLAN attachments to different VPCs.

Why this answer

Dedicated Interconnect is the correct choice because it provides direct, private connections between the on-premises data center and Google Cloud VPC, supporting up to 80 Gbps per interconnect (via 8 x 10 Gbps links) and offering a 99.99% SLA when configured with redundant links. It supports VLAN attachments to multiple VPCs, enabling segmentation across different environments, and meets the sub-5 ms latency requirement within a metropolitan area with a Google Cloud region.

Exam trap

Google Cloud often tests the misconception that Cloud VPN with ECMP can scale to high bandwidths like 50 Gbps, but in reality, Cloud VPN is limited to 3 Gbps per tunnel and aggregate throughput is constrained by the underlying internet path and encryption overhead.

How to eliminate wrong answers

Option A (Direct Peering) is wrong because it is an ISP-based peering arrangement that does not offer an SLA, does not support VLAN attachments to multiple VPCs, and typically provides best-effort bandwidth without guaranteed 50 Gbps or sub-5 ms latency. Option C (Cloud VPN with multiple tunnels and ECMP) is wrong because Cloud VPN is limited to 3 Gbps per tunnel (even with ECMP, aggregate bandwidth is capped at ~10 Gbps) and does not meet the 50 Gbps requirement; it also lacks a 99.99% SLA. Option D (Partner Interconnect) is wrong because it relies on a third-party service provider, which introduces additional latency and does not guarantee the sub-5 ms latency or the 99.99% SLA that Dedicated Interconnect offers directly.

35
MCQ · medium

A company has set up an HA VPN tunnel between their on-premises router and a Cloud Router in Google Cloud. The on-premises router establishes BGP sessions to both Cloud Router instances, but the routes learned from one Cloud Router instance are not being received. The other instance works fine. What is the most likely cause?

A. The tunnel is in a failed state
B. The on-premises router has incorrect ASN configured for that BGP session
C. The on-premises router has a firewall blocking BGP updates only on one IP address
D. The Cloud Router is set to advertisement mode 'Custom' and does not advertise all subnets
Answer: B

Incorrect ASN (Autonomous System Number) on one BGP session could prevent route exchange while the other session works.

Why this answer

The most likely cause is that the on-premises router has an incorrect ASN configured for the BGP session with the failing Cloud Router instance. In Google Cloud HA VPN, each Cloud Router instance uses a unique BGP IP address, but both must use the same peer ASN as configured on the on-premises side. If an ASN mismatch occurs, BGP will not establish or will reject routes, while the other session with the correct ASN works fine.

Exam trap

Google Cloud often tests the concept that BGP session establishment and route exchange are separate phases, and an ASN mismatch specifically prevents route exchange even if the tunnel is up, leading candidates to incorrectly blame tunnel failure or firewall rules.

How to eliminate wrong answers

Option A is wrong because a failed tunnel would prevent both BGP sessions from working, not just one, and the question states the other instance works fine. Option C is wrong because a firewall blocking BGP updates on only one IP address would typically affect both TCP port 179 traffic and BGP session establishment, but the symptom here is routes not being received, not session failure, and a firewall would likely block the entire session. Option D is wrong because the Cloud Router's advertisement mode being set to 'Custom' would affect both BGP sessions equally, not selectively cause one to not receive routes while the other works.

36
MCQ · hard

Refer to the exhibit. An engineer is troubleshooting a dual-tunnel HA VPN. The BGP session on one interface is established (State/PfxRcd 1) but the other is stuck in Active state. What can cause this?

A. The on-premises router does not have a BGP configuration for the second peer IP address (169.254.x.x).
B. The Cloud Router is using the same BGP identifier for both sessions, causing a conflict.
C. The on-premises router is configured with BGP MD5 authentication that only matches the first peer.
D. The MTU on the second tunnel is not matching between the two ends.
Answer: A

If the on-premises router is not expecting a connection from the second peer IP, it will not respond, leaving the Cloud Router in Active state.

Why this answer

In a dual-tunnel HA VPN, each tunnel uses a separate BGP session with its own peer IP address (typically from the 169.254.x.x link-local range). If the on-premises router only has a BGP neighbor statement for the first peer IP, it will ignore incoming BGP packets from the second peer. The Cloud Router sees the session stuck in Active state because it is sending BGP OPEN messages but never receiving a response, as the on-premises router is not listening on that IP.

Exam trap

Google Cloud often tests the distinction between BGP session states — Active specifically means the TCP connection is not being completed by the remote end, often due to missing neighbor configuration or ACL blocking, not authentication or MTU issues.

How to eliminate wrong answers

Option B is wrong because using the same BGP identifier (router-id) for both sessions is allowed in BGP; it does not cause a session to remain in Active state — it may cause a warning or minor issue but not a stuck Active. Option C is wrong because MD5 authentication mismatch would cause the session to fail authentication and likely show a state of Idle or Connect, not Active; Active means the router is listening for a TCP connection that never completes. Option D is wrong because MTU mismatch does not prevent BGP session establishment; it would cause packet fragmentation or drops after the session is up, not keep it in Active state.

37
MCQ · medium

A company is using Cloud VPN to connect to Google Cloud. They notice that traffic from their on-premises network to Google Cloud is not being routed correctly after a recent change. On the on-premises router, they verify that the BGP session is established and routes are received. Which step should they take next to troubleshoot?

A. Verify that the routes learned via BGP are being propagated to the VPC network by examining Cloud Router details
B. Check the on-premises firewall logs
C. Disable and re-enable the VPN tunnel
D. Check the tunnel status in Cloud Console
Answer: A

Routes learned via BGP must be propagated to the VPC. Cloud Router shows advertised and learned routes.

Why this answer

Since the BGP session is established and routes are received on the on-premises router, the issue is likely that those routes are not being propagated into the VPC network. Cloud Router acts as the BGP speaker for the VPC; even if the VPN tunnel is up and BGP peering is successful, the learned routes must be advertised into the VPC’s routing tables. Verifying Cloud Router details (e.g., using `gcloud compute routers get-status` or checking the Cloud Console) confirms whether the routes are being accepted and propagated, which directly addresses the routing failure.

Exam trap

Google Cloud often tests the misconception that a working BGP session and tunnel status guarantee correct routing, but the real failure point is the propagation of learned routes into the VPC’s routing tables, which requires explicit verification of Cloud Router’s learned routes and advertisements.

How to eliminate wrong answers

Option B is wrong because on-premises firewall logs would only show dropped or allowed packets at the on-premises side, but the problem is about route propagation within Google Cloud, not packet filtering. Option C is wrong because disabling and re-enabling the VPN tunnel is a disruptive, brute-force action that does not diagnose the root cause of route propagation; the tunnel and BGP session are already established. Option D is wrong because checking the tunnel status in Cloud Console only confirms the VPN tunnel is up, but the tunnel is already established and BGP is up, so this provides no insight into why routes are not being used in the VPC.

38
MCQ · hard

A financial services company is required to encrypt all data in transit between their on-premises data center and Google Cloud. They have a Dedicated Interconnect connection. They want to meet the encryption requirement while minimizing overhead and complexity. Which solution should they implement?

A. Enable MACsec on the Dedicated Interconnect
B. Enable TLS encryption on all applications
C. Use Cloud VPN over the internet instead of Dedicated Interconnect
D. Establish an IPsec VPN tunnel over the Dedicated Interconnect
Answer: A

Provides link-layer encryption with minimal overhead.

Why this answer

MACsec (IEEE 802.1AE) provides Layer 2 encryption on the Dedicated Interconnect link itself, encrypting all traffic between the on-premises router and the Google Cloud edge router without requiring any changes to applications or additional VPN gateways. This meets the encryption requirement with minimal overhead and complexity because MACsec operates transparently at the data link layer, adding negligible latency and no per-packet processing overhead compared to IPsec or TLS.

Exam trap

Google Cloud often tests the misconception that IPsec VPNs are the only way to encrypt traffic over a dedicated connection, but MACsec is the correct choice when the requirement is to minimize overhead and complexity because it operates at Layer 2 with hardware offload.

How to eliminate wrong answers

Option B is wrong because TLS encryption must be implemented per application, requiring application-level changes and configuration, which adds significant complexity and does not encrypt all data in transit (e.g., non-HTTP traffic). Option C is wrong because using Cloud VPN over the internet introduces higher latency, lower reliability, and more operational overhead than Dedicated Interconnect, and it does not leverage the existing dedicated connection. Option D is wrong because establishing an IPsec VPN tunnel over Dedicated Interconnect adds unnecessary encapsulation and encryption overhead at Layer 3, increasing complexity and reducing throughput compared to MACsec's hardware-accelerated Layer 2 encryption.

39
MCQ · easy

What is the maximum number of VLAN attachments that can be configured on a single 10 Gbps Dedicated Interconnect connection?

A. 16
B. 4
C. 2
D. 8
Answer: D

8 VLAN attachments per 10 Gbps interconnect.

Why this answer

A single 10 Gbps Dedicated Interconnect connection supports a maximum of 8 VLAN attachments. This limit is defined by Google Cloud's interconnect architecture, where each VLAN attachment consumes a portion of the 10 Gbps bandwidth and is mapped to a unique VLAN ID. The 8-attachment cap ensures predictable performance and avoids oversubscription on the physical link.

Exam trap

The trap here is that candidates often confuse the VLAN attachment limit for Dedicated Interconnect with the higher limits of Partner Interconnect or assume the limit scales linearly with bandwidth, leading them to select 16 or 2 instead of the correct 8.

How to eliminate wrong answers

Option A is wrong because 16 VLAN attachments exceed the maximum of 8 for a 10 Gbps Dedicated Interconnect; this limit is not configurable and is enforced by Google Cloud's resource allocation model. Option B is wrong because 4 VLAN attachments is too low; while a 10 Gbps interconnect can support up to 8 attachments, 4 is not the maximum and reflects a misunderstanding of the scaling limits. Option C is wrong because 2 VLAN attachments is far below the actual limit; this misconception might arise from confusing Dedicated Interconnect with Partner Interconnect, which has different attachment limits per connection.

40
MCQ · easy

A company wants to migrate a legacy application to Google Cloud that requires low-latency communication with on-premises databases. The application is latency-sensitive and must use private IP addresses only. Which hybrid connectivity solution should they choose?

A. Partner Interconnect
B. Cloud VPN
C. Carrier Peering
D. Direct Peering
Answer: A

Partner Interconnect provides dedicated, low-latency private connectivity.

Why this answer

Partner Interconnect is the correct choice because it provides a dedicated, high-bandwidth connection with low latency, supports private IP addresses, and meets the requirement for latency-sensitive communication with on-premises databases. Unlike other options, it offers a Service Level Agreement (SLA) for uptime and performance, ensuring consistent low-latency connectivity.

Exam trap

Google Cloud often tests the misconception that Cloud VPN is sufficient for low-latency requirements, but the trap here is that VPNs introduce encryption overhead and rely on the public internet, which cannot guarantee the low latency and private IP addressing needed for latency-sensitive applications.

How to eliminate wrong answers

Option B (Cloud VPN) is wrong because it uses the public internet with IPsec encryption, which introduces higher latency and jitter, making it unsuitable for latency-sensitive applications. Option C (Carrier Peering) is wrong because it provides connectivity to Google Cloud through a carrier's network but does not offer a private connection with guaranteed low latency or an SLA, and it may still traverse the public internet. Option D (Direct Peering) is wrong because it is designed for exchanging traffic between Google and a customer's network at an edge location, but it does not support private IP addresses and lacks an SLA, making it inappropriate for latency-sensitive hybrid connectivity.

41
MCQ · easy

A company wants to connect an on-premises network to Google Cloud using Cloud VPN. The on-premises network has a single subnet and no dynamic routing capabilities. The company needs a simple, low-cost solution. Which VPN configuration should they choose?

A. Classic VPN with route-based configuration
B. HA VPN with dynamic routing (BGP)
C. HA VPN with static routing
D. Classic VPN with policy-based configuration
Answer: A

Classic VPN route-based supports static routing without BGP, ideal for simple setups.

Why this answer

Classic VPN with route-based configuration is the correct choice because the on-premises network lacks dynamic routing capabilities and requires a simple, low-cost solution. Route-based VPNs use static routes and do not require BGP, making them ideal for environments without dynamic routing support. Classic VPN is the legacy, lower-cost option compared to HA VPN, and route-based configuration allows traffic to be forwarded based on routing table entries rather than policy-based selectors.

Exam trap

Google Cloud often tests the misconception that HA VPN is always superior, but the trap here is that HA VPN is unnecessary and more expensive for a simple, single-subnet network without dynamic routing, leading candidates to overlook the simpler Classic VPN option.

How to eliminate wrong answers

Option B is wrong because HA VPN with dynamic routing (BGP) requires BGP support on the on-premises side, which the company does not have, and it is more complex and costly than needed. Option C is wrong because HA VPN with static routing, while technically possible, is overkill for a simple, low-cost solution; HA VPN is designed for high availability and incurs higher costs and complexity than Classic VPN. Option D is wrong because Classic VPN with policy-based configuration requires defining traffic selectors (source/destination subnets and protocols), which adds complexity and is less flexible than route-based configuration; route-based is simpler and more suitable for a single-subnet network.

42
MCQ · easy

An organization uses Partner Interconnect to connect their on-premises network to Google Cloud. They are experiencing intermittent connectivity issues and suspect the partner service provider is causing the problem. Which Google Cloud tool or feature can help verify the connection status and performance from the Google Cloud side?

A. Cloud Router logs
B. Network Service Tiers
C. VPC flow logs
D. Cloud Interconnect monitoring
Answer: D

Cloud Interconnect monitoring provides metrics and alerts for interconnect attachments, including partner interconnects.

Why this answer

Cloud Interconnect monitoring provides detailed metrics and status information for Partner Interconnect connections, including VLAN attachment health, throughput, and packet loss. This tool allows you to verify connectivity and performance from the Google Cloud side, helping isolate issues that may originate from the partner service provider.

Exam trap

The trap here is that candidates confuse Cloud Router logs (which show BGP routing events) with the ability to monitor the underlying interconnect link status, but Cloud Interconnect monitoring is the correct tool for verifying physical/virtual circuit health and performance from Google's perspective.

How to eliminate wrong answers

Option A is wrong because Cloud Router logs capture BGP routing events and route advertisements, not the underlying physical or virtual circuit health or performance metrics of the interconnect. Option B is wrong because Network Service Tiers control the quality of service for internet egress traffic (Premium vs. Standard), not the monitoring or troubleshooting of dedicated interconnect links. Option C is wrong because VPC flow logs record metadata about network flows within a VPC (e.g., source/destination IPs, ports, protocols), but they do not provide status or performance data for the interconnect connection itself.

43
MCQ · hard

A multinational corporation is connecting five on-premises data centers to Google Cloud using Cloud Interconnect. Each data center has a dedicated 10 Gbps connection. They want to ensure that if one Interconnect fails, traffic is automatically redistributed across the remaining connections without manual intervention. Which solution meets this requirement?

A. Configure multiple VLAN attachments on a single Cloud Router and rely on link aggregation
B. Deploy Cloud VPN tunnels as backup and configure static routes with lower priority
C. Configure VPC Network Peering between all data centers and Google Cloud
D. Use a Cloud Router with BGP and establish multiple BGP sessions over each Interconnect
Answer: D

BGP with ECMP allows automatic failover across multiple Interconnects.

Why this answer

Option D is correct because Cloud Router with BGP enables dynamic routing, allowing multiple BGP sessions over each Cloud Interconnect. When one interconnect fails, BGP withdraws the affected routes, and traffic is automatically redistributed across the remaining BGP sessions without manual intervention. This meets the requirement for automatic failover and load balancing across the five 10 Gbps connections.

Exam trap

Google Cloud often tests the misconception that static routes or VPN tunnels can provide seamless automatic failover for high-bandwidth interconnects, but the correct approach requires dynamic BGP routing to react to link failures without manual intervention.

How to eliminate wrong answers

Option A is wrong because VLAN attachments on a single Cloud Router do not provide automatic failover; link aggregation (LAG) bundles multiple connections into a single logical link but does not redistribute traffic if one physical link fails—it only provides increased bandwidth and redundancy within the bundle, not across separate interconnects. Option B is wrong because Cloud VPN tunnels as backup with static routes require manual intervention or additional automation to fail over; static routes with lower priority do not dynamically react to interconnect failures, and VPN tunnels typically have lower bandwidth (e.g., 3 Gbps per tunnel) compared to 10 Gbps interconnects, making them unsuitable for seamless redistribution. Option C is wrong because VPC Network Peering is used for connecting VPC networks within Google Cloud, not for connecting on-premises data centers to Google Cloud; it does not support Cloud Interconnect or BGP-based dynamic routing for hybrid connectivity.

44
Multi-Select · medium

Which three of the following are best practices for designing a highly available Dedicated Interconnect connection to Google Cloud? (Choose three.)

Select 3 answers
A. Use a single Cloud Router for both interconnect attachments.
B. Ensure that the on-premises routers are in different failure zones.
C. Configure both connections to use the same BGP session.
D. Use VLAN attachments in different regions to provide geographic redundancy.
E. Deploy two physical connections to different Google edge availability domains.
Answers: B, D, E

Diverse on-premises routers prevent a single point of failure.

Why this answer

Option B is correct because deploying on-premises routers in different failure zones ensures that a single zone failure does not disrupt both BGP sessions. This aligns with Google Cloud's recommendation to use diverse failure domains for on-premises equipment to maintain high availability for Dedicated Interconnect.

Exam trap

The trap here is that candidates often assume a single Cloud Router or a single BGP session simplifies management, but this creates a single point of failure that violates high-availability design principles.

45
Multi-Select · easy

A company is troubleshooting connectivity issues between their on-premises network and Google Cloud over a Dedicated Interconnect. They can ping the VLAN attachment IP but cannot reach Compute Engine instances. Which TWO checks should they perform?

Select 2 answers
A. Verify that the on-premises network has IAM permissions to access instances
B. Confirm that the subnet routes for the instance IP ranges are present in the VPC
C. Verify that VPC firewall rules allow traffic from the on-premises subnets
D. Ensure that the VLAN attachment IP is in the same subnet as the instances
E. Check that BGP sessions are established between Cloud Router and on-premises router
Answers: B, C

Routes must exist for return traffic.

Why this answer

Option B is correct because for on-premises traffic to reach Compute Engine instances over Dedicated Interconnect, the VPC must have a subnet route (either automatically created or custom static/dynamic route) that matches the instance IP ranges. Without this route, packets from the on-premises network will be dropped by the VPC router, even if the VLAN attachment is reachable.

Exam trap

Google Cloud often tests the misconception that pinging the VLAN attachment IP confirms end-to-end connectivity to instances, but in reality it only confirms BGP session health and Layer 3 reachability to the Cloud Router interface, not the VPC routing or firewall rules required for instance access.

46
MCQ · medium

A company has set up a Cloud VPN with dynamic routing (BGP) between their on-premises network (AS 65001) and Google Cloud (AS 64514). They are using Cloud Router with a regional dynamic routing mode. The on-premises router is advertising a subnet 10.1.0.0/16. The Google Cloud VPC has subnet 10.2.0.0/16 in the same region as the Cloud Router. Both subnets are unique. The connection has been working for months. However, after a recent maintenance window, the on-premises router started experiencing BGP flapping with the Cloud Router. The Cloud Router logs show 'BGP notification sent: Hold timer expired'. The on-premises router logs show similar errors. The network team has verified that the VPN tunnel is established and stable. What is the most likely cause of the BGP flapping?

A. The VPN tunnel's MTU is set to 1500 bytes, but BGP packets are larger and are being fragmented.
B. The Cloud Router's BGP keepalive interval is set to 30 seconds, while the on-premises router is using 10 seconds.
C. The on-premises router's BGP hold timer is set to 30 seconds, but the Cloud Router's hold timer is set to 180 seconds.
D. The on-premises router is advertising too many routes, causing the Cloud Router to run out of memory.
Answer: C

If the remote side sends keepalives less frequently than the local hold timer, the session drops.

Why this answer

The BGP hold timer defines the maximum time a router waits to receive a keepalive or update message from a peer before declaring the session dead. When the on-premises router uses a hold timer of 30 seconds and the Cloud Router uses 180 seconds, the on-premises router expects keepalives every 10 seconds (one-third of hold time). If the Cloud Router sends keepalives at its own negotiated interval (e.g., 60 seconds based on its hold timer), the on-premises router will not receive them within its 30-second window, causing it to send a 'Hold timer expired' notification and flap the BGP session.

The VPN tunnel remains stable because the issue is at the BGP session layer, not the underlying tunnel.

Exam trap

Google Cloud often tests the misconception that BGP flapping is always caused by VPN tunnel instability, but here the tunnel is stable and the issue is specifically a BGP hold timer mismatch, which is a common misconfiguration when connecting to cloud providers with fixed BGP timers.

How to eliminate wrong answers

Option A is wrong because BGP packets are typically small (keepalives are 19 bytes, updates rarely exceed 1500 bytes) and fragmentation is handled by IP, not a common cause of hold timer expiry. Option B is wrong because BGP keepalive intervals are derived from the negotiated hold timer (one-third of hold time), not independently configured; mismatched keepalive intervals would be overridden by the hold timer negotiation. Option D is wrong because advertising too many routes would cause memory or CPU issues, not a 'Hold timer expired' error; the Cloud Router would log route limit or memory errors instead.

47
MCQ · medium

A company has deployed Dedicated Interconnect with a 10 Gbps connection. They are experiencing packet loss when transferring large files. The on-premises MTU is set to 1500. What is the maximum MTU that can be set on the Cloud Router interface to avoid fragmentation?

A. 1460 bytes
B. 1500 bytes
C. 1400 bytes
D. 8896 bytes
Answer: B

Must match the on-premises MTU to avoid fragmentation.

Why this answer

Dedicated Interconnect uses VLAN attachments that encapsulate packets with an additional 4-byte 802.1Q VLAN tag and a 4-byte outer Ethernet header. With an on-premises MTU of 1500 bytes, the maximum payload that can traverse the interconnect without fragmentation is 1500 bytes, because the interconnect path supports jumbo frames up to 1440 bytes for the payload after overhead, but the Cloud Router interface MTU must match the on-premises MTU to avoid fragmentation. Setting the Cloud Router MTU to 1500 bytes ensures that packets are not fragmented at the router, as the interconnect handles the encapsulation overhead transparently.

Exam trap

Google Cloud often tests the misconception that the Cloud Router MTU must be reduced to account for VLAN encapsulation overhead, but in Google Cloud Dedicated Interconnect, the Cloud Router MTU should match the on-premises MTU because the interconnect handles the additional headers transparently.

How to eliminate wrong answers

Option A is wrong because 1460 bytes assumes an additional 40-byte overhead (e.g., IPsec or GRE tunnel), but Dedicated Interconnect does not add such overhead; the VLAN tag is only 4 bytes and is handled by the interconnect, not the Cloud Router MTU. Option C is wrong because 1400 bytes is an arbitrary low value that would cause unnecessary fragmentation and performance degradation, as the actual path supports 1500-byte packets without issue. Option D is wrong because 8896 bytes is the maximum MTU for Google Cloud's jumbo frame support, but the on-premises MTU is 1500, so setting the Cloud Router MTU higher would cause fragmentation when packets exceed the on-premises limit.

48
MCQ · easy

An organization wants to migrate legacy on-premises applications to Google Cloud but must maintain low-latency connectivity for real-time data synchronization. The on-premises data center is in a colocation facility that is not directly served by Google Cloud. Which hybrid connectivity option is most cost-effective while meeting the latency requirement?

A. Direct Peering
B. Cloud VPN with dynamic routing
C. Partner Interconnect
D. Dedicated Interconnect
Answer: C

Uses a service provider to connect to Google Cloud; cost-effective and low latency.

Why this answer

Partner Interconnect is the most cost-effective option because it provides a dedicated, low-latency connection through a supported service provider that can extend connectivity from the colocation facility to a Google Cloud region. Unlike Dedicated Interconnect, it does not require physical cross-connects in a Google Cloud colocation facility, making it ideal when the on-premises site is not directly served by Google Cloud. It meets the real-time synchronization latency requirement by offering a reliable, high-bandwidth connection with SLA-backed uptime.

Exam trap

Google Cloud often tests the misconception that Direct Peering or Cloud VPN can meet low-latency requirements, but the trap here is that only Partner Interconnect or Dedicated Interconnect provide SLA-backed, low-latency connectivity, and Partner Interconnect is the correct choice when the on-premises site is not in a Google Cloud colocation facility.

How to eliminate wrong answers

Option A is wrong because Direct Peering is not a Google Cloud connectivity product; it is a BGP-based peering arrangement at an IXP that does not provide SLA-backed connectivity or guaranteed bandwidth, and it is not designed for hybrid cloud connectivity to Google Cloud. Option B is wrong because Cloud VPN with dynamic routing uses the public internet, which introduces variable latency and jitter that cannot guarantee the low-latency requirement for real-time data synchronization. Option D is wrong because Dedicated Interconnect requires a physical cross-connect in a Google Cloud colocation facility, and the on-premises data center is in a colocation facility not directly served by Google Cloud, making it impractical and more expensive to implement.

49
MCQ · easy

A customer wants to use Cloud VPN to connect a small branch office to Google Cloud. The branch office has a dynamic public IP address. Which Cloud VPN type should they use?

A. Classic VPN with a static IP on the peer
B. A custom SSL VPN appliance on Compute Engine
C. HA VPN with a single VPN gateway and a dynamic peer IP
D. HA VPN with two VPN gateways and static peer IPs
Answer: C

HA VPN supports dynamic peer IP addresses, making it suitable for branches with dynamic IPs.

Why this answer

Option C is correct because HA VPN supports dynamic peer IP addresses through its use of IKEv2 and route-based VPN tunnels. When the branch office has a dynamic public IP, HA VPN can establish tunnels using the peer's current IP address, which is discovered during IKE negotiation. Classic VPN (option A) requires a static peer IP, and option D requires two static peer IPs, making them unsuitable for a dynamic IP scenario.

Exam trap

The trap here is that candidates often assume HA VPN always requires static peer IPs, but Cisco tests the nuance that HA VPN with a single gateway (and dynamic peer IP support) is the correct choice when the remote peer has a dynamic public IP, not the dual-gateway HA configuration.

How to eliminate wrong answers

Option A is wrong because Classic VPN with a static IP on the peer requires the branch office to have a static public IP address, which contradicts the given dynamic IP condition. Option B is wrong because a custom SSL VPN appliance on Compute Engine is not a native Cloud VPN service; it introduces additional complexity, licensing, and management overhead, and is not the recommended or simplest solution for site-to-site IPsec VPN connectivity. Option D is wrong because HA VPN with two VPN gateways and static peer IPs requires both peer IPs to be static, which is not possible when the branch office has a single dynamic public IP.

50
MCQ · medium

A customer has established a Dedicated Interconnect, but traffic from on-premises to Google Cloud is still using the internet path instead of the interconnect. What is the most likely cause?

A. The on-premises firewall blocks BGP traffic.
B. The Google Cloud Router has not learned any routes.
C. The VLAN attachment is in a different region.
D. The BGP routes from on-premises have a lower priority than the default route via internet.
Answer: D

Route priority (e.g., weight, MED) determines which path is used; lower priority routes are less preferred.

Why this answer

Option D is correct because when both an internet default route and more specific BGP routes from the Dedicated Interconnect exist, the route with the highest administrative distance (lowest priority) wins. By default, static routes or internet-learned routes often have a lower administrative distance (e.g., 1 for static) compared to eBGP routes (AD 20). If the on-premises router is sending BGP routes with a higher AD or the cloud router prefers the internet default route due to route priority, traffic will not use the interconnect.

Exam trap

Google Cloud often tests the misconception that BGP routes are always preferred over static routes, but the trap here is that administrative distance (or route priority in Google Cloud) can cause the internet default route to take precedence over BGP-learned routes from the interconnect.

How to eliminate wrong answers

Option A is wrong because if the on-premises firewall blocks BGP traffic, the BGP session would not establish at all, resulting in no routes learned via the interconnect, not a scenario where traffic still uses the internet path while BGP is up. Option B is wrong because if the Google Cloud Router has not learned any routes, there would be no path via the interconnect, and traffic would default to the internet; however, the question states the interconnect is established, implying BGP sessions are up and routes are exchanged, so this is not the most likely cause. Option C is wrong because the VLAN attachment must be in the same region as the Cloud Router for the interconnect to function; if it were in a different region, the interconnect would not be operational, and the customer would not have a working Dedicated Interconnect.

51
Multi-Selecthard

A network engineer is troubleshooting a BGP session between an on-premises router and a Cloud Router. The BGP session state is 'CONNECT' and never transitions to 'ESTABLISHED'. The engineer has verified that the Cloud Router and on-premises router have the same BGP ASN, and that the peer IP addresses are correctly configured. Which two additional steps should the engineer take to resolve this issue? (Choose TWO.)

Select 2 answers
A.Change the BGP ASN on the Cloud Router to a different number
B.Ensure the on-premises router has a route to the Cloud Router's BGP peer IP address
C.Increase the BGP hold timer on the Cloud Router
D.Change the BGP keepalive interval to 10 seconds
E.Verify the Cloud VPN tunnel is established and passing traffic
AnswersB, E

Without a return route, BGP packets cannot reach the Cloud Router.

Why this answer

When the BGP session state is stuck in 'CONNECT', it indicates that the router is actively trying to initiate a TCP connection to the peer but is not receiving a response. For BGP to establish a TCP session (port 179), the on-premises router must have a valid IP route to the Cloud Router's BGP peer IP address. Without this route, TCP SYN packets are dropped, preventing the session from transitioning to 'ESTABLISHED'.

Exam trap

Google Cloud often tests the misconception that BGP session issues in the 'CONNECT' state are caused by BGP timer or ASN misconfigurations, when the real root cause is almost always a lack of IP reachability (missing route or tunnel failure) preventing the TCP connection from forming.

52
Matchingmedium

Match each Google Cloud Armor feature to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Pre-configured rules to block common web attacks

Limits requests per client to prevent abuse

Allows or denies traffic from specific IPs

ML-based detection of DDoS and application attacks

Rules attached to backend services or load balancers

Why these pairings

Cloud Armor provides web application firewall and DDoS protection.

53
Multi-Selectmedium

A company is designing a hybrid network with Partner Interconnect. They need to ensure high availability and meet a 99.99% SLA. Which TWO actions should they take?

Select 2 answers
A.Provision two Partner Interconnects from different providers or locations
B.Create two VLAN attachments, each on a different Interconnect
C.Enable VPN as a backup to the Interconnect
D.Create a single VLAN attachment with multiple BGP sessions
E.Provision a single Partner Interconnect with two VLAN attachments
AnswersA, B

Redundant Interconnects are required for high availability.

Why this answer

To meet a 99.99% SLA, the design must eliminate single points of failure at both the physical interconnect and the logical attachment level. Provisioning two Partner Interconnects from different providers or locations gives physical diversity, and placing a VLAN attachment on each gives logical redundancy, so traffic fails over when one attachment or interconnect fails. Google's published 99.99% topology for Partner Interconnect is stricter than these two options suggest: attachments in both edge availability domains of two metropolitan areas (four attachments in total), Cloud Routers in two regions, and global dynamic routing in the VPC.

Exam trap

Google Cloud often tests the misconception that multiple BGP sessions on a single attachment or a single interconnect provide sufficient redundancy, but the trap here is that the 99.99% SLA requires both physical and logical diversity, so candidates must recognize that a single interconnect (even with two VLAN attachments) is a single point of failure.

54
MCQmedium

A company has a VPC with subnets in us-east1 and us-west1. They have established a Cloud VPN tunnel to their on-premises network through a Cloud Router in us-east1. They want to ensure that traffic from on-premises to resources in us-west1 uses the VPN tunnel and not the public internet. What must be configured?

A.Configure a custom dynamic route on the Cloud Router for us-west1 subnets
B.Create a separate VPN tunnel from on-premises to a Cloud Router in us-west1
C.Add a route on the on-premises router for us-west1 subnets with next hop pointing to the VPN tunnel
D.Configure VPC firewall rules to allow traffic from on-premises to us-west1
AnswerC

The on-premises router must have a route for the remote subnets pointing to the VPN tunnel to forward traffic through it.

Why this answer

The correct answer is C because forwarding into the tunnel is decided by the on-premises router's own table: if it holds no route for the us-west1 prefixes, its default route (typically the internet path) is used and the tunnel is bypassed. That route can be configured by hand or arrive over BGP, but a Cloud Router in us-east1 advertises subnets from other regions only when the VPC's dynamic routing mode is global (or when the us-west1 ranges are added as custom advertised ranges); in regional mode it advertises only us-east1 subnets, and the on-premises router learns nothing about us-west1 at all.

Exam trap

The trap here is that candidates assume the Cloud Router automatically directs traffic to the correct region, but the on-premises router must have an explicit route for the remote subnets pointing to the VPN tunnel, as the Cloud Router only advertises routes and does not control the on-premises forwarding table.

How to eliminate wrong answers

Option A is wrong because Cloud Router has no "custom dynamic route" object; what it offers is custom advertised IP ranges (and the global dynamic routing mode), and either of those only advertises the us-west1 prefix. Advertising does not control what the on-premises router installs or prefers, which is the forwarding decision the question is about. Option B is wrong because a separate VPN tunnel to us-west1 is not required; the existing tunnel in us-east1 can carry traffic to us-west1 as long as the on-premises router has a route pointing to it and the Cloud Router advertises the us-west1 prefixes over the existing BGP session. Option D is wrong because VPC firewall rules filter traffic within Google Cloud and have no effect on routing decisions on the on-premises side; they cannot force traffic into the VPN tunnel.

55
Multi-Selecteasy

An organization is experiencing high latency on their Partner Interconnect connection. Which TWO tools or features can they use to diagnose the issue from within Google Cloud? (Choose two.)

Select 2 answers
A.Network Intelligence Center performance dashboard
B.Cloud Router logs
C.Cloud Load Balancing logs
D.VPC Flow Logs
E.Cloud Interconnect monitoring metrics
AnswersD, E

Flow logs can show RTT and help pinpoint which traffic is experiencing latency.

Why this answer

VPC Flow Logs record a sample of the flows to and from VM interfaces, and for TCP flows each record carries rtt_msec, the round-trip time observed by the reporting VM. Grouped by destination, those values show which on-premises prefixes behind the Partner Interconnect are slow and whether the latency is steady or spiky. Flow logs do not record packet loss or retransmissions, so pair them with the Cloud Interconnect monitoring metrics (attachment utilization, drop counters, BGP session state) to see whether the attachment itself is saturated or flapping.

Exam trap

Google Cloud often tests the misconception that Cloud Router logs or Load Balancing logs can diagnose network latency, when in fact they are designed for BGP routing events and application-layer metrics, respectively, not for interconnect-level packet loss or latency.
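A worked example of the VPC Flow Logs approach, added here and not part of the original page: it parses a constructed sample of flow log records (field names follow the VPC Flow Logs record format, with rtt_msec present only on TCP flows), keeps the flows whose destination falls in an assumed on-premises prefix, and reports p50/p95 RTT per source/destination pair. The prefix 10.10.0.0/16, the 50 ms threshold and every log line are assumptions made for the example.

```python
"""Added example (not from the original page): summarise per-flow RTT from
VPC Flow Logs to see which on-premises destinations behind the Partner
Interconnect are slow. Field names follow the VPC Flow Logs record format
(jsonPayload.connection.*, rtt_msec present only on TCP flows); the log
lines, prefixes and threshold below are constructed for the example."""
import ipaddress
import json
import math
from collections import defaultdict

# Constructed sample export, one Cloud Logging entry per line, trimmed to the
# fields this script uses. Two flows go to on-premises 10.10.0.0/16, one is a
# UDP flow (no rtt_msec) and one stays inside the VPC.
SAMPLE_LOG_LINES = [
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.5","dest_ip":"10.10.1.20","protocol":6,"dest_port":443},"rtt_msec":12,"bytes_sent":4096}}',
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.5","dest_ip":"10.10.1.20","protocol":6,"dest_port":443},"rtt_msec":14,"bytes_sent":2048}}',
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.5","dest_ip":"10.10.1.20","protocol":6,"dest_port":443},"rtt_msec":13,"bytes_sent":512}}',
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.5","dest_ip":"10.10.1.20","protocol":6,"dest_port":443},"rtt_msec":90,"bytes_sent":8192}}',
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.5","dest_ip":"10.10.1.20","protocol":6,"dest_port":443},"rtt_msec":15,"bytes_sent":1024}}',
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.7","dest_ip":"10.10.2.9","protocol":6,"dest_port":5432},"rtt_msec":2,"bytes_sent":300}}',
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.7","dest_ip":"10.10.2.9","protocol":6,"dest_port":5432},"rtt_msec":3,"bytes_sent":300}}',
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.7","dest_ip":"10.10.2.9","protocol":6,"dest_port":5432},"rtt_msec":2,"bytes_sent":300}}',
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.7","dest_ip":"10.10.2.9","protocol":17,"dest_port":53},"bytes_sent":80}}',
    '{"jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.128.0.7","dest_ip":"10.128.0.9","protocol":6,"dest_port":22},"rtt_msec":1,"bytes_sent":600}}',
]


def load_records(lines):
    """Parse newline-delimited JSON as exported by a Cloud Logging sink."""
    return [json.loads(line) for line in lines if line.strip()]


def percentile(values, pct):
    """Nearest-rank percentile; adequate for the small per-pair sample sizes here."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def rtt_by_pair(records, onprem_prefixes):
    """Group rtt_msec by (src_ip, dest_ip) for TCP flows whose destination is on-premises."""
    nets = [ipaddress.ip_network(p) for p in onprem_prefixes]
    samples = defaultdict(list)
    for rec in records:
        payload = rec["jsonPayload"]
        if "rtt_msec" not in payload:          # UDP/ICMP flows carry no RTT
            continue
        conn = payload["connection"]
        dest = ipaddress.ip_address(conn["dest_ip"])
        if not any(dest in net for net in nets):   # VPC-internal traffic never crosses the attachment
            continue
        samples[(conn["src_ip"], conn["dest_ip"])].append(payload["rtt_msec"])
    return {pair: {"samples": len(v), "p50": percentile(v, 50), "p95": percentile(v, 95)}
            for pair, v in samples.items()}


def slow_pairs(summary, p95_threshold_msec):
    """Pairs whose tail latency exceeds the threshold."""
    return sorted(pair for pair, s in summary.items() if s["p95"] > p95_threshold_msec)


if __name__ == "__main__":
    report = rtt_by_pair(load_records(SAMPLE_LOG_LINES), ["10.10.0.0/16"])
    for pair, stats in sorted(report.items()):
        print(pair, stats)
    print("slow:", slow_pairs(report, p95_threshold_msec=50))
```

Run it directly to print the per-pair summary; in practice feed it the newline-delimited JSON from a Cloud Logging sink. A pair with a normal p50 but a high p95 points at queueing or bursts on the attachment rather than path length, which is where the Interconnect attachment metrics take over.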

56
MCQhard

Refer to the exhibit. A network engineer configured a Cloud Router to advertise the on-premises subnet 10.0.0.0/8 to the VPC. However, traffic from VPC instances to 10.0.0.0/8 is being dropped. What is the most likely issue?

A.The advertised route has a priority that is too low.
B.The Cloud Router's ASN is private, causing routes to be rejected.
C.The subnet 10.0.0.0/8 overlaps with the VPC's auto-allocated IP range.
D.The on-premises router is not configured to accept the advertised route.
AnswerC

Overlap causes VPC to prefer local routes, dropping traffic destined for on-premises.

Why this answer

Option C is correct because subnet routes always win inside a VPC: a dynamic route learned from on-premises is never used for a destination that falls inside one of the VPC's own subnet ranges, regardless of prefix length. An auto mode VPC allocates its subnets from 10.128.0.0/9, which sits inside 10.0.0.0/8, so packets from VPC instances to any address in those subnet ranges are delivered locally; when no instance owns the address they are dropped, and only the part of 10.0.0.0/8 outside the VPC subnets ever reaches the interconnect or VPN. The fix is to remove the overlap, either by renumbering one side or by advertising on-premises prefixes that do not contain the VPC subnet ranges.

Exam trap

Google Cloud often tests the misconception that route priority or BGP ASN issues cause traffic drops, but the trap here is that overlapping IP ranges between on-premises and VPC subnets silently cause traffic to be dropped due to VPC local route precedence, not because of BGP configuration errors.

How to eliminate wrong answers

Option A is wrong because route priority (preference) in Cloud Router is used for route selection among multiple paths, but a low priority does not cause traffic to be dropped; it would simply make the route less preferred, not block it entirely. Option B is wrong because Cloud Router supports private ASNs (e.g., 64512-65534) by default, and BGP does not reject routes based solely on ASN being private; the on-premises router must be configured to accept private ASNs if needed, but this is not the cause of traffic being dropped within the VPC. Option D is wrong because the on-premises router not accepting the advertised route would prevent the route from being learned on-premises, but the question states traffic from VPC instances to 10.0.0.0/8 is being dropped, which is a VPC-side issue, not an on-premises acceptance problem.

57
MCQeasy

A company wants to connect their on-premises data center to Google Cloud using Dedicated Interconnect. They have ordered a 10 Gbps connection and plan to use a single VLAN attachment. How many Cloud Router interfaces are required for a single VLAN attachment with active/active BGP?

A.4 interfaces (two for each BGP session)
B.2 interfaces (one for each VLAN)
C.1 interface
D.2 interfaces (one for each BGP session)
AnswerC

A single VLAN attachment corresponds to one Cloud Router interface; you configure two BGP sessions on that same interface.

Why this answer

For a single VLAN attachment on a Dedicated Interconnect, only one Cloud Router interface is required: the interface is bound one-to-one to the attachment. Active/active BGP toward the on-premises router pair is achieved with two BGP peers (sessions) that both reference that same interface, one per on-premises router; a second interface would imply a second VLAN attachment, which the question rules out.

Exam trap

Google Cloud often tests the misconception that each BGP session requires its own interface, leading candidates to choose option D, but the correct behavior is that both sessions share the same single Cloud Router interface for a given VLAN attachment.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes that each BGP session requires two interfaces (one per session), but in reality, both BGP sessions are established over the same single VLAN attachment and Cloud Router interface. Option B is wrong because it suggests one interface per VLAN, but a single VLAN attachment uses exactly one VLAN, so only one interface is needed, not two. Option D is wrong because it claims one interface per BGP session, but both BGP sessions (active/active) share the same single Cloud Router interface; they are not separate interfaces.

58
MCQmedium

A customer is configuring a route-based IPsec VPN tunnel to Google Cloud. On their on-premises router, they must specify traffic selectors (proxy IDs). What should they set the local and remote traffic selectors to?

A.Configure IKE version to match.
B.Set local to on-prem subnet and remote to VPC subnet.
C.Use policy-based VPN instead.
D.Set both local and remote traffic selectors to 0.0.0.0/0.
AnswerD

Route-based tunnels use wildcard selectors; routing decisions are based on routes, not selectors.

Why this answer

Option D is correct: for a route-based VPN the traffic selectors are set to 0.0.0.0/0 on both sides (this is what Cloud VPN expects for route-based and HA VPN tunnels), because which packets enter the tunnel is decided by the routing table, not by the IPsec policy. Option B describes a policy-based VPN, where the selectors themselves define the protected subnets, which contradicts the route-based setup in the question. Option A is wrong because the IKE version must match in any case but has nothing to do with traffic selectors. Option C is wrong because switching to policy-based VPN changes the design instead of answering how to configure the route-based tunnel, and it would tie the protected prefixes to the IPsec policy rather than to BGP-learned routes.

59
MCQhard

A global company has multiple on-premises data centers connected to Google Cloud via separate Dedicated Interconnects. Each on-premises site advertises the same IP prefix for a critical application. They want to ensure that traffic from Google Cloud to that prefix is load-balanced across the two interconnects and also provide automatic failover. Which configuration on Cloud Router meets this requirement?

A.Configure Cloud Router with the same MED value for both paths
B.Use BGP multipath on Cloud Router with 'maximum-paths' set to 2
C.Ensure on-premises routers advertise the prefix with the same AS_PATH length and MED
D.Enable 'set-community' on the on-premises routers to mark routes equally
AnswerC

ECMP requires equal BGP path attributes including AS_PATH length and MED.

Why this answer

To load-balance and provide failover you need equal-cost multi-path (ECMP) routing. Cloud Router derives a learned route's priority from the MED it receives, and it installs both next hops only when the two paths tie on every compared attribute, so the on-premises routers must advertise the prefix with the same AS_PATH length and the same MED. When one BGP session drops, its path is withdrawn and the other carries everything, which gives the automatic failover. Options A and B describe knobs on the wrong side: the MED that Cloud Router sets on its own advertisements influences traffic from on-premises into Google Cloud, not the reverse, and Cloud Router has no 'maximum-paths' setting. Option D is wrong because communities are not part of the decision that produces ECMP.

60
Multi-Selectmedium

A company is planning to migrate workloads to Google Cloud and needs to establish hybrid connectivity with high bandwidth (10 Gbps) and low latency. They also require the ability to scale bandwidth up to 80 Gbps in the future. Which TWO options should they consider?

Select 2 answers
A.CDN Interconnect
B.Dedicated Interconnect
C.Direct Peering
D.Cloud VPN with multiple tunnels
E.Partner Interconnect
AnswersB, E

Both Interconnect products fit: a Dedicated Interconnect connection bundles up to 8 x 10 Gbps (80 Gbps) or 2 x 100 Gbps circuits, and Partner Interconnect VLAN attachments range from 50 Mbps to 50 Gbps each and can be added in parallel.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and Google's network, at 10 Gbps or 100 Gbps per circuit, with up to eight 10 Gbps circuits (80 Gbps) or two 100 Gbps circuits bundled into one connection; that covers the 10 Gbps requirement today and the 80 Gbps target later. Partner Interconnect reaches the same Google edge through a service provider, which suits a site that cannot meet Google in a colocation facility or wants to start below 10 Gbps; its attachments go up to 50 Gbps each and several can run in parallel, so it can also grow toward the target. Cloud VPN, Direct Peering and CDN Interconnect do not offer this combination of private, SLA-backed, scalable bandwidth.

Exam trap

Google Cloud often tests the misconception that Direct Peering or Cloud VPN can meet high-bandwidth, low-latency requirements, but Direct Peering lacks SLA and scalability, and Cloud VPN is limited by internet performance and cannot guarantee 10 Gbps.

61
MCQhard

Refer to the exhibit. A Cloud VPN tunnel is configured between an on-premises router and Google Cloud. The BGP session is not established. The on-premises router shows 'Connection refused'. What is the most likely cause?

A.The Cloud VPN tunnel is not established.
B.The on-premises router's BGP configuration has the wrong ASN.
C.The BGP MD5 password is mismatched between the two peers.
D.The Cloud Router is not configured to accept BGP connections from this on-premises peer.
AnswerD

'Connection refused' indicates the Cloud Router TCP port 179 is not accepting the connection, likely because the BGP peer is not defined on the Cloud Router or the interface is down.

Why this answer

The 'Connection refused' error on the on-premises router indicates that the Cloud Router is actively rejecting the TCP connection attempt for the BGP session. This typically occurs when the Cloud Router does not have a BGP peer configured with the on-premises router's IP address, or the peer is in an 'inactive' state. Since the Cloud VPN tunnel itself can be established (option A is not necessarily true), the most likely cause is that the Cloud Router is not configured to accept BGP connections from this specific on-premises peer.

Exam trap

Google Cloud often tests the distinction between TCP-level errors (like 'Connection refused') and BGP-level errors (like ASN mismatch or MD5 failure), leading candidates to incorrectly choose B or C when they see a BGP-related symptom without analyzing the specific error message.

How to eliminate wrong answers

Option A is wrong because a 'Connection refused' error occurs at the TCP layer, which requires the underlying IP connectivity to be working; if the Cloud VPN tunnel were not established, the on-premises router would likely see 'No route to host' or a timeout, not a TCP reset. Option B is wrong because a mismatched ASN would cause the BGP session to be rejected after the TCP connection is established, resulting in a 'BGP Notification' or 'Open message error', not a 'Connection refused' at the TCP handshake stage. Option C is wrong because an MD5 password mismatch would still allow the TCP three-way handshake to complete; the BGP session would then fail with an authentication error (e.g., 'MD5 mismatch' or 'BGP Notification sent' after the OPEN message), not a 'Connection refused'.

62
MCQhard

Your company has a Dedicated Interconnect between on-premises and Google Cloud. After a maintenance window, some routes are missing from the on-premises side. On the Cloud Router, you see that the BGP session status is 'ESTABLISHED'. However, the route table on the on-premises router does not contain any of the VPC subnets. What is the most likely cause?

A.The Cloud Router is not configured to advertise any custom routes
B.MD5 authentication is enabled but passwords differ
C.The Cloud Router has an empty 'Advertised IP ranges' list
D.BGP configuration mismatch on the on-premises router
AnswerC

If the list is empty, no prefixes are advertised.

Why this answer

The BGP session is 'ESTABLISHED', confirming that the TCP connection and BGP peering are working correctly. However, the on-premises router is not receiving any VPC subnet routes because the Cloud Router's 'Advertised IP ranges' list is empty, meaning it is not advertising any routes to the peer. This is a common misconfiguration where the Cloud Router is configured to use custom route advertisements but the list of prefixes to advertise is left blank.

Exam trap

Google Cloud often tests the misconception that an 'ESTABLISHED' BGP session guarantees that routes are being exchanged, but in reality, the session can be up while no prefixes are advertised due to missing or empty route advertisement configurations.

How to eliminate wrong answers

Option A is wrong because the Cloud Router can be configured to advertise custom routes, but the issue is that the 'Advertised IP ranges' list is empty, not that custom routes are disabled entirely. Option B is wrong because if the TCP MD5 passwords differed, the MD5-protected segments would be discarded and the session would cycle through CONNECT and ACTIVE, never reaching 'ESTABLISHED'. Option D is wrong because a BGP configuration mismatch on the on-premises router would typically prevent the session from establishing, but the session is 'ESTABLISHED', indicating the BGP parameters (ASN, neighbor IP, etc.) match.

63
MCQmedium

An organization has multiple VPCs in different regions that need to connect to a single on-premises data center via Dedicated Interconnect. They want to minimize cost and complexity. What is the recommended architecture?

A.Use a single VPC and then use VPC Peering to connect to the other VPCs.
B.Use Cloud VPN for the additional VPCs to avoid additional interconnect costs.
C.Create a separate interconnect connection for each VPC.
D.Create a single interconnect connection and use multiple VLAN attachments, one per VPC.
AnswerD

One physical connection can support multiple VLAN attachments, each assigned to a different VPC.

Why this answer

Option D is correct because a single Dedicated Interconnect connection can support multiple VLAN attachments (each with a unique VLAN ID) to connect multiple VPCs in different regions to the same on-premises data center. This minimizes cost by using one physical connection and reduces complexity by avoiding separate interconnects or VPNs for each VPC.

Exam trap

The trap here is that candidates often assume each VPC requires its own physical interconnect, but the exam tests the understanding that a single Dedicated Interconnect can be partitioned into multiple VLAN attachments to serve multiple VPCs, reducing cost and complexity.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering does not carry the on-premises prefixes learned over the interconnect unless custom route export and import are configured on both sides of every peering, and it turns one interconnect design into a hub-and-spoke routing design that must be maintained peering by peering; the question asks for the least complexity. (A VPC itself is global, so region is not the obstacle.) Option B is wrong because Cloud VPN introduces additional latency and bandwidth limitations compared to Dedicated Interconnect, and it does not eliminate the need for interconnect costs if you already have a Dedicated Interconnect for the primary VPC. Option C is wrong because creating a separate interconnect connection for each VPC significantly increases cost and operational complexity, as each connection requires its own physical circuit and Google Cloud charges per connection.

64
MCQmedium

Refer to the exhibit. A BGP session between a Cloud Router and an on-premises router is not establishing. The Cloud Router logs show 'BGP_OPEN_MSG_ERROR: unsupported capability'. What is the most likely issue?

A.The on-premises router cannot reach the Cloud Router's BGP IP.
B.The BGP session is stuck in the Connect state due to firewall blocking TCP port 179.
C.The BGP ASN configured on the Cloud Router doesn't match the peer.
D.The on-premises router is attempting to negotiate a BGP capability that Cloud Router does not support, such as 4-byte ASNs or IPv6 unicast.
AnswerD

The OPEN exchange failed on capability negotiation, so the fault is in BGP parameters rather than transport. Cloud Router does support 32-bit (4-byte) ASNs and, when enabled on the session, IPv6 unicast, so the check is which address families and capabilities each side actually offers.

Why this answer

The NOTIFICATION 'OPEN Message Error: unsupported capability' (error code 2, subcode 7) is defined in RFC 5492. A BGP speaker ignores capabilities it does not understand; it sends this subcode only when the peer's OPEN lacks a capability the speaker itself requires, and the notification data lists those capabilities. So the two OPEN messages disagreed on what had to be negotiated, typically an address family (for example IPv6 unicast enabled on one side only) or a capability one router insists on. Option D names that mismatch, though its examples need a caveat: Cloud Router supports 4-byte (32-bit) ASNs and can run IPv6 unicast when it is enabled on the BGP session, so the practical check is whether both sides enabled the same families, not whether Cloud Router can handle them at all.

Exam trap

Google Cloud often tests the distinction between BGP session failures caused by TCP-level issues (firewall, reachability) versus BGP protocol-level errors (OPEN message parameters), and the trap here is that candidates confuse a generic 'BGP session not establishing' with connectivity or ASN problems, ignoring the specific error message that points to capability negotiation.

How to eliminate wrong answers

Option A is wrong because reachability issues would manifest as a TCP connection failure (session stuck in the Connect or Active state), not a BGP OPEN message error. Option B is wrong because a firewall blocking TCP port 179 would prevent the TCP three-way handshake entirely, resulting in a Connect or Active state, not an OPEN message error after the TCP session is established. Option C is wrong because an ASN mismatch triggers 'OPEN Message Error: bad peer AS' (error code 2, subcode 2), not an 'unsupported capability' error.
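The distinction that questions 51, 61 and 64 turn on (a transport failure versus a BGP NOTIFICATION, and what the NOTIFICATION actually says), written out as code. This is an added example, not from the page or any vendor: it decodes a NOTIFICATION message per RFC 4271 and RFC 5492, lists the capabilities named in an Unsupported Capability error, and maps the TCP outcome plus the decoded error onto a troubleshooting direction. The sample messages at the bottom are constructed, and the triage strings are this example's own wording.

```python
"""Added example (not from the original page): decode a BGP NOTIFICATION and
combine it with the TCP-level symptom to decide where to look. The wire
layout and error codes are from RFC 4271, the Cease subcodes from RFC 4486,
Unsupported Capability (OPEN error subcode 7, data = the capabilities the
sender requires) from RFC 5492, and capability codes 1/2/65 from RFC 4760,
RFC 2918 and RFC 6793. The messages built at the bottom are constructed."""
import struct
from typing import Optional

MARKER = b"\xff" * 16          # all-ones marker required on every BGP message
NOTIFICATION = 3
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
OPEN_SUBCODES = {1: "Unsupported Version Number", 2: "Bad Peer AS",
                 3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                 6: "Unacceptable Hold Time", 7: "Unsupported Capability"}
CEASE_SUBCODES = {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
                  3: "Peer De-configured", 4: "Administrative Reset",
                  5: "Connection Rejected", 6: "Other Configuration Change",
                  7: "Connection Collision Resolution", 8: "Out of Resources"}
CAPABILITY_CODES = {1: "Multiprotocol Extensions", 2: "Route Refresh", 65: "4-octet AS number"}
AFI_NAMES = {1: "IPv4", 2: "IPv6"}


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    """Header (marker, length, type) + error code + subcode + data."""
    return MARKER + struct.pack("!HB", 21 + len(data), NOTIFICATION) + bytes([code, subcode]) + data


def parse_capabilities(data: bytes) -> list:
    """Capability TLVs: code (1 byte), length (1 byte), value. MP value = AFI(2) reserved(1) SAFI(1)."""
    caps, i = [], 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated capability TLV")
        name = CAPABILITY_CODES.get(code, f"capability {code}")
        if code == 1 and length == 4:
            afi, safi = struct.unpack("!HxB", value)
            name += f" {AFI_NAMES.get(afi, 'AFI %d' % afi)} {'unicast' if safi == 1 else 'SAFI %d' % safi}"
        caps.append(name)
        i += 2 + length
    return caps


def parse_notification(msg: bytes) -> dict:
    """Validate the fixed header and return the error, subcode and any listed capabilities."""
    if len(msg) < 21 or msg[:16] != MARKER:
        raise ValueError("not a BGP message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != NOTIFICATION or length != len(msg):
        raise ValueError("not a well-formed NOTIFICATION")
    code, subcode, data = msg[19], msg[20], msg[21:]
    subnames = {2: OPEN_SUBCODES, 6: CEASE_SUBCODES}.get(code, {})
    info = {"code": code, "subcode": subcode,
            "error": ERROR_CODES.get(code, f"code {code}"),
            "detail": subnames.get(subcode, f"subcode {subcode}"),
            "capabilities": []}
    if (code, subcode) == (2, 7):
        info["capabilities"] = parse_capabilities(data)
    return info


def triage(tcp_outcome: str, notification: Optional[bytes] = None) -> str:
    """tcp_outcome is what a connect to the peer's port 179 did: 'timeout', 'refused' or 'connected'."""
    if tcp_outcome == "timeout":
        return "transport: no reachability to the peer IP (route, tunnel, or filter on TCP/179); FSM stays in Connect/Active"
    if tcp_outcome == "refused":
        return "transport: peer answered with RST on TCP/179; no BGP peer is defined or enabled for us on that side"
    if notification is None:
        return "transport fine and no NOTIFICATION: check the FSM state; Idle means BGP was never enabled for this peer"
    n = parse_notification(notification)
    if (n["code"], n["subcode"]) == (2, 2):
        return "protocol: Bad Peer AS; the remote-as the peer configured for us does not match our ASN"
    if (n["code"], n["subcode"]) == (2, 7):
        return "protocol: peer requires capabilities we did not offer: " + ", ".join(n["capabilities"])
    if n["code"] == 4:
        return "protocol: hold timer expired; keepalives are not arriving (lossy path or timer mismatch)"
    return f"protocol: {n['error']} / {n['detail']}"


# Constructed messages: what an on-premises router might log after its OPEN.
BAD_PEER_AS = build_notification(2, 2)
CAP_IPV6_AND_4BYTE_AS = b"\x01\x04\x00\x02\x00\x01" + b"\x41\x04" + struct.pack("!I", 4200000000)
UNSUPPORTED_CAPABILITY = build_notification(2, 7, CAP_IPV6_AND_4BYTE_AS)

if __name__ == "__main__":
    print(triage("timeout"))
    print(triage("refused"))
    print(triage("connected", BAD_PEER_AS))
    print(triage("connected", UNSUPPORTED_CAPABILITY))
```

The order of checks in triage is the order a practitioner works: a timeout or RST means the OPEN was never sent, so ASN, MD5 and capability settings are irrelevant until reachability is fixed; only once the TCP handshake completes does the NOTIFICATION tell you which BGP parameter to compare.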

65
MCQeasy

You are troubleshooting an HA VPN connection between Google Cloud and on-premises. The tunnels appear as 'UP' but no routes are exchanged. The Cloud Router logs show 'BGP session state: IDLE'. What is the most likely cause?

A.The BGP keepalive timer is set too high on the on-premises router
B.BGP is not enabled on the Cloud Router
C.Firewall rules are blocking UDP port 179
D.The on-premises BGP peer is configured with a different next-hop IP
AnswerB

Without BGP, session remains IDLE.

Why this answer

B is correct because an IDLE state means the BGP process for that peer has not even started trying to connect: no TCP attempt is made, so neither reachability nor timers have come into play yet. In Google Cloud a tunnel does not get BGP automatically; a Cloud Router interface must be created for the tunnel and a BGP peer added on it and left enabled. If that peer is missing or disabled, the IPsec tunnel can show UP while the session never leaves IDLE.

Exam trap

Google Cloud often tests the misconception that a BGP session stuck in IDLE is always a firewall or reachability issue, but in Google Cloud HA VPN, the most common cause is that BGP was never enabled on the Cloud Router, especially when the IPsec tunnels are UP and the candidate assumes BGP is automatically active.

How to eliminate wrong answers

Option A is wrong because a high BGP keepalive timer would cause the session to flap or time out (transition to IDLE after the hold timer expires), but the session would initially establish and show an ACTIVE or CONNECT state, not remain persistently IDLE. Option C is wrong because firewall rules blocking UDP port 179 would prevent the TCP connection for BGP (port 179 is TCP, not UDP), and the session would show CONNECT or ACTIVE, not IDLE. Option D is wrong because a different next-hop IP on the on-premises peer would affect route propagation or next-hop reachability, not the BGP session state; the session would still establish and show ESTABLISHED if the TCP connection and BGP open messages succeed.

66
Drag & Dropmedium

Drag and drop the steps to configure Cloud Router with BGP for on-premises connectivity into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Cloud Router requires a router first, then a tunnel, followed by BGP configuration. Custom advertisements and verification complete the setup.

67
MCQeasy

A company wants to connect their VPC to an on-premises network using Cloud VPN. They need to ensure that traffic from Google Cloud to on-premises uses a specific route only when the primary path is available, and otherwise fails over to a backup path. Which configuration should they use?

A.Configure Cloud NAT to route traffic through the backup path
B.Configure BGP on Cloud Router and advertise custom routes with appropriate metrics
C.Use static routes with a higher priority for the primary path
D.Create firewall rules to allow failover traffic
AnswerB

BGP allows dynamic failover and route selection based on metrics.

Why this answer

Option B is correct because with dynamic routing the path Google Cloud uses toward on-premises is decided by attributes carried in BGP: the on-premises routers advertise the prefixes over the primary and backup tunnels with different MED values, Cloud Router turns each MED into the learned route's priority and installs the lower one as preferred, and when the primary BGP session fails (hold timer expiry or tunnel loss) its routes are withdrawn, leaving the backup route as the only one. The priority that Cloud Router attaches to its own advertised routes controls the opposite direction (on-premises to Google Cloud), so both sides need the matching preference. This gives active/passive failover with no manual step.

Exam trap

The trap here is that candidates confuse the static route priority number with dynamic failover. Static routes take part in no protocol: nothing advertises, withdraws or re-prioritizes them in response to what the remote side signals, so primary/backup behaviour has to be built by hand with duplicate routes and cannot react to a change the on-premises network advertises. BGP is the mechanism Cloud VPN provides for that.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet access for instances without external addresses; it does not influence routing between a VPC and on-premises over VPN, path selection, or failover. Option C is wrong because static routes in Google Cloud carry only a fixed priority number (lower = more preferred) and are never advertised or withdrawn by a routing protocol; nothing on the on-premises side can signal that the primary should stop being used, so primary/backup ordering has to be maintained by hand and cannot respond to what the remote network advertises. Option D is wrong because firewall rules control which traffic is allowed or denied, not how traffic is routed; they cannot trigger failover or change the forwarding path.
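For the path selection in question 59 and the failover in question 67, an added example that is not from the page or Google's code: a small model of how a Cloud Router chooses among BGP paths learned for one prefix, and what changes when a session drops. The tie-break order is the RFC 4271 sequence the questions assume (LOCAL_PREF, then AS_PATH length, then MED), with the Google Cloud rule that a learned route's priority is its MED with the lower value preferred and that paths tying on everything are installed together (ECMP). Peer names, link-local next hops and ASNs are constructed.

```python
"""Added example (not from the original page or Google's code): a toy model of
how a Cloud Router picks among BGP paths learned for one prefix and how a
dropped session changes the choice. The decision follows the RFC 4271 order
the page assumes (LOCAL_PREF, then AS_PATH length, then MED) and two Google
Cloud rules: a learned route's priority is its MED with the lower value
preferred, and paths that tie on everything are installed together (ECMP).
Peer names, link-local next hops and ASNs are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

PREFIX = "10.1.0.0/16"   # constructed on-premises prefix advertised by both routers


@dataclass(frozen=True)
class Path:
    prefix: str
    peer: str                  # BGP session the path arrived on
    next_hop: str
    as_path: Tuple[int, ...]   # nearest AS first; prepending lengthens it
    med: int                   # becomes the Cloud Router route priority
    local_pref: int = 100


class LearnedRoutes:
    def __init__(self) -> None:
        self._paths: List[Path] = []

    def learn(self, path: Path) -> None:
        """A peer holds one path per prefix; a fresh UPDATE replaces the old one."""
        self._paths = [p for p in self._paths if (p.prefix, p.peer) != (path.prefix, path.peer)]
        self._paths.append(path)

    def session_down(self, peer: str) -> int:
        """Hold-timer expiry or tunnel loss withdraws everything learned from that peer."""
        before = len(self._paths)
        self._paths = [p for p in self._paths if p.peer != peer]
        return before - len(self._paths)

    @staticmethod
    def _rank(p: Path) -> Tuple[int, int, int]:
        # smaller tuple wins: higher LOCAL_PREF, shorter AS_PATH, lower MED (priority)
        return (-p.local_pref, len(p.as_path), p.med)

    def best(self, prefix: str) -> List[Path]:
        """All paths that tie on every compared attribute; more than one means ECMP."""
        cands = [p for p in self._paths if p.prefix == prefix]
        if not cands:
            return []
        top = min(self._rank(p) for p in cands)
        return sorted((p for p in cands if self._rank(p) == top), key=lambda p: p.peer)


def next_hops(table: LearnedRoutes, prefix: str = PREFIX) -> List[str]:
    return [p.next_hop for p in table.best(prefix)]


def two_paths(med_a: int, med_b: int, prepend_b: int = 0) -> LearnedRoutes:
    """Same prefix from two on-premises routers in AS 65001 over two sessions."""
    t = LearnedRoutes()
    t.learn(Path(PREFIX, "peer-a", "169.254.0.1", (65001,), med=med_a))
    t.learn(Path(PREFIX, "peer-b", "169.254.0.5", (65001,) * (1 + prepend_b), med=med_b))
    return t


def scenario_equal_attributes() -> List[str]:
    return next_hops(two_paths(100, 100))                 # both installed: ECMP


def scenario_med_mismatch() -> List[str]:
    return next_hops(two_paths(100, 200))                 # only the lower MED


def scenario_prepend() -> List[str]:
    return next_hops(two_paths(100, 100, prepend_b=2))    # AS_PATH length beats equal MED


def scenario_failover() -> Tuple[List[str], int, List[str]]:
    t = two_paths(100, 200)
    before = next_hops(t)
    withdrawn = t.session_down("peer-a")                  # primary session drops
    return before, withdrawn, next_hops(t)                # backup takes over with no config change


if __name__ == "__main__":
    print("equal attributes  ->", scenario_equal_attributes())
    print("MED 100 vs 200    ->", scenario_med_mismatch())
    print("prepend on peer-b ->", scenario_prepend())
    print("failover          ->", scenario_failover())
```

The four scenarios are the four exam situations: equal attributes give two next hops (ECMP), a MED difference or AS_PATH prepending collapses the choice to one peer, and withdrawing the preferred peer's path is what makes the backup take over without anyone touching the configuration.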

68
MCQmedium

A network engineer is configuring a Cloud VPN tunnel with route-based VPN and BGP. The tunnel is established, but the Cloud Router does not learn any routes from the on-premises peer. What is the most likely cause?

A.Firewall rules on the on-prem router block UDP port 179.
B.The BGP session is not configured on the VPN tunnel.
C.All of the above are possible causes.
D.The Cloud Router does not have an ASN configured.
AnswerC

Route learning fails whenever the BGP session cannot form: a missing BGP peer on the tunnel's Cloud Router interface, a filter on TCP port 179 (BGP runs over TCP, not UDP), or mismatched ASNs.

Why this answer

Option C is the page's answer because both A and B describe conditions that stop the BGP session from forming, so no routes are exchanged even though the IPsec tunnel is up. Read A with one correction: BGP runs over TCP port 179, so a filter on UDP 179 does nothing, whereas a filter on TCP 179 on the on-premises router or its firewall blocks the TCP handshake and leaves the session in Connect/Active. Option B is a genuine and common cause: a Cloud Router interface and a BGP peer have to be added for the tunnel, and the tunnel being established says nothing about whether that was done.

Exam trap

Google Cloud often tests the misconception that BGP uses UDP port 179 (it uses TCP), and that a VPN tunnel being 'established' automatically implies BGP is configured, when in fact BGP configuration is a separate step required for route exchange.

How to eliminate wrong answers

Option A on its own is incomplete rather than wrong: the mechanism it describes is real once read as TCP 179, and an on-premises ACL on that port does stop the session, so it cannot be eliminated. Option B on its own is likewise a real cause: without a BGP peer defined on the tunnel's interface (for example 'neighbor <peer-ip> remote-as <asn>' on the on-premises side and a matching peer on the Cloud Router) no session forms and no routes are exchanged. Option D is wrong because a Cloud Router cannot be created without an ASN (it is mandatory at creation), so an unset ASN is not a state the router can be in; an ASN mismatch between the two peers would be the related real fault.

69
Multi-Selecteasy

Which THREE components are required to set up a Partner Interconnect connection?

Select 3 answers
A.A Dedicated Interconnect connection
B.A VLAN attachment
C.A Cloud Router
D.A Cloud VPN gateway
E.The partner's network
AnswersB, C, E

The VLAN attachment is the logical connection to the partner.

Why this answer

A VLAN attachment (option B) is required because it defines the connection between your VPC and the partner's network over a Partner Interconnect, specifying the VLAN ID and IP addressing for the BGP session. Without a VLAN attachment, the Layer 2 and Layer 3 parameters for the interconnect cannot be established.

Exam trap

Google Cloud often tests the distinction between Dedicated Interconnect and Partner Interconnect, where candidates mistakenly think a Dedicated Interconnect connection is a prerequisite for Partner Interconnect, but they are alternative ways of obtaining private connectivity: with Partner Interconnect the physical circuit to Google belongs to the service provider.

70
Multi-Selecteasy

Which two of the following are prerequisites for configuring an HA VPN tunnel to an on-premises network? (Choose two.)

Select 2 answers
A. A VLAN attachment in the same region.
B. A Cloud Router with BGP configured in the same region as the VPN gateway.
C. A pre-shared key that is at least 20 characters long.
D. An on-premises VPN device that supports static routing only.
E. Two external IP addresses for the VPN gateway.
Answers: B, E

Cloud Router is required for BGP route exchange.

Why this answer

B is correct because an HA VPN tunnel uses dynamic routing via BGP to provide active-active or active-passive failover. A Cloud Router with BGP configured in the same region as the VPN gateway is required to exchange routes with the on-premises network, enabling automatic failover and load balancing across the two tunnels.

Exam trap

Google Cloud often tests the misconception that HA VPN requires a VLAN attachment or static routing, but the key requirement is a Cloud Router with BGP in the same region to support dynamic routing and failover.

71
MCQ · medium

A company needs to connect their on-premises data center to Google Cloud with a consistent, high-availability connection that offers 99.99% availability SLA. The on-premises router supports VLAN tagging and BGP. They expect to burst up to 50 Gbps peak traffic. Which interconnect solution should they choose?

A. Cloud VPN with dynamic routing
B. Dedicated Interconnect
C. Partner Interconnect
D. HA VPN
Answer: B

Dedicated Interconnect offers 99.99% SLA and supports multiple 10/40/100 Gbps connections.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between the on-premises data center and Google Cloud, supporting up to 80 Gbps per connection (via 10 or 100 Gbps links) and offering a 99.99% availability SLA when configured with redundant links and BGP sessions. The on-premises router's support for VLAN tagging and BGP aligns perfectly with Dedicated Interconnect's requirements for 802.1Q VLANs and eBGP peering, making it the only option that meets the 50 Gbps burst requirement and high-availability SLA.

Exam trap

Google Cloud often tests the misconception that HA VPN can achieve high throughput by aggregating multiple tunnels, but in Google Cloud, each HA VPN tunnel is limited to 3 Gbps and cannot be combined to exceed that per-VPC limit, making it unsuitable for 50 Gbps bursts.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with dynamic routing is limited to a maximum throughput of 3 Gbps per tunnel (using HA VPN) and does not offer a 99.99% SLA, making it insufficient for 50 Gbps peak traffic. Option C is wrong because Partner Interconnect relies on a third-party service provider's network, which introduces additional latency and typically offers a maximum of 10 Gbps per VLAN attachment, and its SLA is often lower than 99.99% due to the partner's infrastructure. Option D is wrong because HA VPN, while providing high availability with two tunnels, still caps at 3 Gbps per tunnel and cannot aggregate to 50 Gbps, and its SLA is 99.99% only for the VPN service itself, not the underlying bandwidth capacity.

72
MCQ · hard

Refer to the exhibit. A Cloud VPN tunnel is configured with the above Cloud Router configuration. The on-premises BGP peer is at 169.254.0.2 with ASN 65001. The on-premises router is receiving the route 10.0.0.0/8 from the Cloud Router, but it is not receiving any of the specific subnets (e.g., 10.1.0.0/16) that exist in the VPC. What is the most likely cause?

A. The advertised_route_priority is set too low, causing the routes to be suppressed.
B. The Cloud Router is configured with custom advertise mode and is only advertising the manually specified ranges.
C. The BGP session is not established due to ASN mismatch.
D. The on-premises peer ASN is incorrect.
Answer: B

Custom mode means only the listed ranges are advertised; VPC subnets are not included unless explicitly added.

Why this answer

The Cloud Router is configured with custom advertise mode, which means it only advertises the manually specified CIDR ranges to the on-premises BGP peer. Since the specific subnets (e.g., 10.1.0.0/16) are not included in the custom advertised ranges, the on-premises router receives only the explicitly listed 10.0.0.0/8 route, not the more specific subnets.

Exam trap

Google Cloud often tests the distinction between route advertisement control (custom vs. default mode) and route selection attributes (like priority/MED), leading candidates to incorrectly attribute missing routes to priority settings rather than advertisement configuration.

How to eliminate wrong answers

Option A is wrong because advertised_route_priority influences route selection (MED) but does not suppress route advertisement; routes are still sent regardless of priority value. Option C is wrong because if the BGP session were not established due to ASN mismatch, the on-premises router would not receive any routes at all, not just missing specific subnets. Option D is wrong because an incorrect on-premises peer ASN would prevent the BGP session from forming, which contradicts the fact that the on-premises router is already receiving the 10.0.0.0/8 route.

73
MCQ · easy

A company is setting up HA VPN between on-premises and Google Cloud. They have two Cloud VPN gateways with two tunnels each. They want to ensure automatic failover if one tunnel goes down. Which BGP configuration is a best practice?

A. Configure active-passive BGP with a single session.
B. Configure active-active BGP with multiple sessions using different ASNs.
C. Use policy-based routing to fail between tunnels.
D. Use static routes with a primary and backup route.
Answer: B

Active-active BGP with multiple sessions allows both tunnels to be active and provides automatic failover.

Why this answer

Option B is correct because active-active BGP with multiple sessions using different ASNs allows each tunnel to be treated as an independent path. If one tunnel fails, BGP withdraws the routes learned over that session, and traffic automatically shifts to the remaining tunnels without manual intervention. This configuration provides true automatic failover and load balancing, which is a best practice for HA VPN with multiple tunnels.

Exam trap

The trap here is that candidates often assume active-passive BGP is sufficient for HA, but in Google Cloud's HA VPN, active-active BGP with multiple sessions and different ASNs is required to achieve automatic failover across multiple tunnels without relying on static route manipulation.

How to eliminate wrong answers

Option A is wrong because active-passive BGP with a single session creates a single point of failure; if the session or tunnel fails, there is no automatic failover to another tunnel. Option C is wrong because policy-based routing does not integrate with BGP's dynamic route advertisement and withdrawal, making failover slower and less reliable in a multi-tunnel HA VPN setup. Option D is wrong because static routes require manual intervention or complex scripting to detect tunnel failure and switch routes, whereas BGP provides automatic failover through route withdrawal.

74
MCQ · hard

A financial institution is setting up Dedicated Interconnect with Google Cloud. They have two on-premises routers (R1 and R2) each connected to a separate Google Cloud router via VLAN attachments in two different zones (us-central1-a and us-central1-b). The on-premises routers are configured with BGP, and they advertise the corporate prefix 10.0.0.0/8. Google Cloud routers are configured with custom route advertisements. After provisioning, you notice that traffic from some on-premises subnets to GCP experiences asymmetrical routing, causing packet drops. You verify that both BGP sessions are established and that both Cloud Routers have received the 10.0.0.0/8 route. What is the most likely cause of the asymmetrical routing?

A. On-premises routers have mismatched BGP local preference values for routes received from Google Cloud
B. The on-premises routers are using the same AS number causing BGP loop prevention
C. VLAN attachments are configured with different MTU sizes
D. Cloud Router is setting different BGP metric attributes for each VLAN attachment
Answer: A

Different local preferences cause one path to be preferred for return traffic, while forward traffic may take the other path, leading to asymmetry.

Why this answer

Asymmetrical routing in a dual-homed Dedicated Interconnect setup occurs when on-premises routers have different BGP local preference values for routes received from Google Cloud. Local preference is the first BGP attribute considered when selecting the best path outbound from the on-premises network. If R1 has a higher local preference for the GCP routes than R2, all outbound traffic from on-premises will prefer R1, while return traffic from GCP may arrive via either router (depending on GCP's routing), causing a mismatch in traffic paths and packet drops.

Exam trap

Google Cloud often tests the distinction between BGP attributes that influence inbound traffic (MED, AS-path prepend) versus outbound traffic (local preference), and the trap here is that candidates may incorrectly attribute asymmetrical routing to MED or MTU issues rather than recognizing that local preference mismatch on the on-premises side is the root cause of asymmetric outbound path selection.

How to eliminate wrong answers

Option B is wrong because using the same AS number on both on-premises routers would cause BGP loop prevention only if the routers are in the same AS and the Cloud Routers see the same AS path; however, Google Cloud allows multi-homing with the same ASN by using 'allowas-in' or 'as-path prepend', and this would not directly cause asymmetrical routing—it would more likely cause route rejection or path selection issues. Option C is wrong because mismatched MTU sizes on VLAN attachments would cause fragmentation or packet drops at the link layer, not asymmetrical routing; asymmetrical routing is a Layer 3 path selection issue, not a Layer 2 MTU mismatch. Option D is wrong because Cloud Router sets BGP metric (MED) attributes per VLAN attachment only when custom route advertisements are configured with specific MED values, but MED is used to influence inbound traffic from on-premises, not outbound; asymmetrical routing here is caused by outbound path selection differences on the on-premises side, not by GCP's MED settings.

75
MCQ · medium

An enterprise uses HA VPN to connect their on-premises network to Google Cloud. The on-premises side has a single VPN device that supports BGP. They want to maximize availability. What is the recommended Google Cloud configuration?

A. Deploy two Cloud VPN gateways in different regions to provide regional failover.
B. Deploy a single Cloud VPN gateway with one interface and one BGP session.
C. Deploy a single Cloud VPN gateway with two interfaces, each with its own external IP, and configure two BGP sessions to the single on-premises device.
D. Deploy a single Cloud VPN gateway with two interfaces, but only use one BGP session for simplicity.
Answer: C

This provides interface-level redundancy and achieves maximal availability with a single on-premises device.

Why this answer

Option C is correct because it provides high availability by using a single Cloud VPN gateway with two interfaces, each with its own external IP, and two BGP sessions to the on-premises device. This configuration allows active/active failover: if one interface or BGP session fails, traffic automatically switches to the other, maximizing availability without requiring multiple regions.

Exam trap

Google Cloud often tests the misconception that high availability requires multiple regions or gateways, but the trap here is that a single HA VPN gateway with dual interfaces and dual BGP sessions provides sufficient redundancy for a single on-premises device, avoiding unnecessary complexity.

How to eliminate wrong answers

Option A is wrong because deploying two Cloud VPN gateways in different regions introduces unnecessary complexity and cost; regional failover is not needed when the on-premises side has a single VPN device, and HA VPN with two interfaces on a single gateway already provides sufficient availability. Option B is wrong because a single interface and single BGP session creates a single point of failure; if the interface or BGP session goes down, connectivity is lost, which does not maximize availability. Option D is wrong because using only one BGP session with two interfaces defeats the purpose of redundancy; the second interface would remain idle and not provide automatic failover, leaving a single point of failure in the control plane.
