CCNA Implementing hybrid interconnectivity Questions

69 of 144 questions · Page 2/2 · Implementing hybrid interconnectivity · Answers revealed

76 · MCQ · hard

After configuring Cloud VPN with dynamic routing (BGP), you notice that on-premises routes are not appearing in Google Cloud. BGP sessions are established but no prefixes are exchanged. Cloud Router logs show: 'No route advertisement received'. On-premises BGP configuration shows 'network 10.0.0.0/8' and 'neighbor 10.1.1.1 remote-as 65000'. What is the most likely cause?

A. The 'network 10.0.0.0/8' command does not have a corresponding exact route in the on-premises routing table; also missing 'neighbor 10.1.1.1 activate' under BGP.
B. The on-premises router's BGP peer IP is not in the same subnet as the Cloud Router's interface.
C. The Cloud Router's BGP peer IP is not reachable from the on-premises router.
D. The BGP MD5 password is configured incorrectly on the on-premises router.
Answer: A

BGP requires the network to be in the routing table, and 'activate' is needed to start sending updates.

Why this answer

Option A is correct because the on-premises BGP configuration uses the 'network 10.0.0.0/8' command, which requires an exact match in the local routing table to be advertised. Without a route for 10.0.0.0/8 (e.g., a connected or static route), BGP will not advertise it. Additionally, the 'neighbor 10.1.1.1 activate' command is missing under BGP, which is required to enable the exchange of prefixes with that neighbor.

These two issues together prevent route advertisement to Google Cloud.

Exam trap

Google Cloud often tests the misconception that an established BGP session automatically implies route exchange, but candidates must remember that the 'network' command requires an exact routing table match and that 'neighbor activate' is needed under the address family to actually send prefixes.

How to eliminate wrong answers

Option B is wrong because BGP peers do not need to be in the same subnet; they only need Layer 3 reachability, which is confirmed by the established BGP session. Option C is wrong because the BGP session is already established, indicating that the Cloud Router's BGP peer IP is reachable from the on-premises router. Option D is wrong because an incorrect MD5 password would prevent the BGP session from establishing, but the session is up, so authentication is not the issue.

77 · Multi-Select · hard

Which TWO statements about Cloud Router BGP are correct? (Choose two.)

Select 2 answers
A. Cloud Router uses multi-hop eBGP by default.
B. Cloud Router can use a private ASN.
C. Cloud Router requires a public ASN.
D. Cloud Router supports multiple BGP sessions per router.
E. Cloud Router only supports MED for routes it sends to on-premises.
Answers: B, D

Private ASN is commonly used.

Why this answer

Option B is correct because Cloud Router can use a private ASN (64512-65534) for BGP peering, which is common when connecting to on-premises networks that do not require a public ASN. This allows flexibility in hybrid interconnectivity without needing to register a public ASN.

Exam trap

Google Cloud often tests the misconception that Cloud Router requires a public ASN or that it uses multi-hop eBGP by default, when in fact private ASNs are supported and single-hop eBGP is the default behavior.

78 · MCQ · hard

A company has two Dedicated Interconnect connections to two separate Google Cloud regions for redundancy. They use Cloud Router with BGP to exchange routes. They want to ensure that traffic from on-premises to a specific VPC in us-central1 uses only the interconnect to us-central1, and the other interconnect is used only as a backup. How can they achieve this?

A. Configure MED values on the on-premises router to prefer the us-central1 interconnect.
B. Configure BGP communities on Google Cloud to prefer the us-central1 interconnect.
C. Configure AS path prepending on the on-premises router to make the us-central1 path longer.
D. Use Cloud Router's custom route advertisements to influence path selection.
Answer: A

A lower MED on the us-central1 interconnect will make the on-premises router prefer that path.

Why this answer

Option A is correct because Multi-Exit Discriminator (MED) is a BGP attribute used to influence inbound traffic from an AS to a specific entry point. By setting a lower MED value on the on-premises router for the routes advertised via the us-central1 interconnect, the on-premises network will prefer that path for traffic destined to the VPC in us-central1. The other interconnect will only be used if the preferred path fails, providing the desired active/backup behavior.

Exam trap

The trap here is that candidates often confuse MED with AS path prepending, thinking that making a path longer (prepending) increases preference, when in fact it decreases it, and they may also mistakenly believe that Google Cloud can directly influence on-premises path selection via communities or custom advertisements.

How to eliminate wrong answers

Option B is wrong because BGP communities on Google Cloud are used to tag routes for controlling route advertisement or applying routing policies within Google's network, not to influence path selection from on-premises; the on-premises router must set the MED or other attributes. Option C is wrong because AS path prepending makes a path longer (less preferred), which would cause the on-premises router to prefer the other interconnect, not the us-central1 one. Option D is wrong because Cloud Router's custom route advertisements control which routes are advertised to on-premises, not how on-premises selects among multiple paths; path selection is determined by BGP attributes on the on-premises side.

79 · MCQ · medium

A company has deployed Cloud HA VPN between their on-premises network and Google Cloud. They have two tunnels from the on-premises VPN appliance to the HA VPN gateway. The on-premises appliance uses a single public IP address for both tunnels, while the Cloud VPN gateway uses two different public IPs. BGP sessions are established over both tunnels, and the Cloud Router is configured with 'active/active' mode. The network team notices that all outbound traffic from Google Cloud to on-premises is using only one of the two tunnels, even though both tunnels are up. BGP metrics are identical for routes received over both sessions. What is the most likely cause?

A. The BGP sessions have different hold timers causing one to be preferred.
B. The on-premises appliance must use two different public IPs for ECMP to work.
C. The Cloud Router does not support ECMP when both BGP sessions have the same peer IP address.
D. The Cloud Router must be configured with 'active/standby' mode instead of 'active/active'.
Answer: C

Even if routes are identical, ECMP may not work if the next hop is the same; Cloud Router uses flow-based hashing that may not balance in this case.

Why this answer

Option C is correct because Cloud Router uses the BGP peer IP address as part of the ECMP hash key. When both BGP sessions originate from the same on-premises public IP (the single IP used for both tunnels), Cloud Router sees them as the same peer and does not load-balance across them. Even though the tunnels use different Cloud VPN gateway IPs, the BGP sessions share a common peer IP, which prevents ECMP from being enabled.

Exam trap

Google Cloud often tests the misconception that ECMP requires different tunnel endpoints or different BGP metrics, when the actual requirement is that the BGP peer IP addresses must be unique for the Cloud Router to treat the sessions as separate multipath candidates.

How to eliminate wrong answers

Option A is wrong because BGP hold timers affect session stability, not route preference; identical BGP metrics mean the routes are equally preferred, and differing hold timers would not cause one tunnel to be exclusively used. Option B is wrong because ECMP can work with a single on-premises IP if the Cloud Router sees distinct BGP peer IPs; the issue is that the peer IP is the same for both sessions, not that the on-premises appliance must use two IPs. Option D is wrong because active/active mode is the correct configuration for ECMP; active/standby would intentionally use only one tunnel, which is not the desired behavior here.

80 · MCQ · medium

A company currently uses a site-to-site Cloud VPN (IPsec) to connect their on-premises network to a VPC. Due to growing bandwidth demands, they plan to migrate to Partner Interconnect using a supported service provider. They have ordered a 1 Gbps connection and the provider has indicated the VLAN attachment is ready. After creating the VLAN attachment and pairing it with a Cloud Router, the on-premises router sees the BGP session come up, but no traffic is forwarded over the interconnect. The Cloud VPN is still operational. What step is most likely missing?

A. Create a VPC firewall rule to allow traffic on the VLAN attachment
B. Add a firewall rule in the VPC allowing traffic from the on-premises IP ranges on the interconnect
C. Adjust the BGP metric (MED) on the Cloud Router for the Partner Interconnect VLAN attachment to be lower than the VPN route
D. Delete the Cloud VPN tunnel and gateway to force traffic over the interconnect
Answer: C

Without explicitly setting a lower metric, the route from the VPN might be preferred; lowering the metric makes the interconnect the preferred path.

Why this answer

Option C is correct because when both a Cloud VPN and a Partner Interconnect are connected to the same VPC, the Cloud Router will have multiple BGP routes for the same destination prefixes. By default, the VPN BGP session may have a lower MED (Multi-Exit Discriminator) or a higher local preference, causing traffic to prefer the VPN path. Lowering the MED on the VLAN attachment's BGP session makes the interconnect route more preferred, allowing traffic to be forwarded over the interconnect without deleting the VPN.

Exam trap

Google Cloud often tests the misconception that firewall rules are the missing step for traffic flow over a new interconnect, when in fact the issue is BGP route preference between parallel connections.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules are stateful and apply to traffic entering or leaving VM instances, not to the VLAN attachment itself; the attachment is a Layer 2/3 construct that does not require a dedicated firewall rule. Option B is wrong because firewall rules in the VPC already exist for the on-premises IP ranges if the VPN was working; the issue is routing, not firewall filtering. Option D is wrong because deleting the Cloud VPN tunnel and gateway is unnecessary and disruptive; the correct approach is to adjust BGP path selection (e.g., MED) to prefer the interconnect route while keeping the VPN as a backup.

81 · Multi-Select · medium

An enterprise is evaluating connectivity options to Google Cloud. They have moderate bandwidth requirements (up to 1 Gbps) and need high availability. Which two of the following are appropriate solutions? (Choose two.)

Select 2 answers
A. HA VPN over the internet.
B. VPC peering with a third-party network.
C. Partner Interconnect with 1 Gbps connection.
D. Classic VPN with a single tunnel.
E. Dedicated Interconnect with 10 Gbps connections.
Answers: A, C

HA VPN provides up to 1.5 Gbps per tunnel and high availability with BGP.

Why this answer

HA VPN (High-Availability VPN) uses two tunnels to two separate Cloud VPN gateways, providing automatic failover and meeting the 99.99% SLA when configured with dynamic routing (BGP). This solution supports up to 3 Gbps per tunnel pair, easily covering the 1 Gbps requirement, and uses the public internet without needing physical cross-connects.

Exam trap

Google Cloud often tests the misconception that any VPN with 'HA' in the name is automatically suitable for high availability, but the trap here is that Classic VPN (option D) lacks redundancy and BGP, while HA VPN (option A) is the correct choice; candidates may also incorrectly assume Dedicated Interconnect (option E) is always better, ignoring the bandwidth requirement and cost efficiency.

82 · MCQ · easy

An organization has an on-premises router that only supports static routing and does not support BGP. They need private connectivity to a single Google Cloud VPC. Which solution should they use?

A. Cloud VPN with dynamic routing (BGP)
B. HA VPN with policy-based routing
C. Dedicated Interconnect with static routing
D. Partner Interconnect with BGP
Answer: C

Dedicated Interconnect supports configuring static routes for the VLAN attachment without needing BGP.

Why this answer

Dedicated Interconnect supports static routing, which is required because the on-premises router does not support BGP. This solution provides direct, private connectivity to a single Google Cloud VPC without relying on dynamic routing protocols, making it the correct choice for this scenario.

Exam trap

Google Cloud often tests the misconception that Cloud VPN or Partner Interconnect can operate without BGP, but in Google Cloud, all VPN and Partner Interconnect solutions require BGP for dynamic routing, while Dedicated Interconnect uniquely supports static routing.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with dynamic routing requires BGP, which the on-premises router does not support. Option B is wrong because HA VPN with policy-based routing is not supported in Google Cloud; HA VPN uses route-based routing with BGP. Option D is wrong because Partner Interconnect requires BGP for routing, which is incompatible with the on-premises router's static routing limitation.

83 · MCQ · medium

An organization has established a Dedicated Interconnect to Google Cloud. They can ping instances in a VPC subnet but cannot connect to a service running on a different subnet within the same VPC. What is the most likely cause?

A. The MTU is too small.
B. The firewall rules are blocking the traffic.
C. The VLAN attachment is down.
D. The BGP routes for that subnet are not advertised.
Answer: D

If the on-premises router does not advertise the subnet via BGP, the VPC will not know how to route traffic back.

Why this answer

The Dedicated Interconnect is up and the organization can ping instances in one subnet, which confirms that Layer 2 and basic Layer 3 connectivity (via the VLAN attachment) are working. However, the inability to reach a service on a different subnet within the same VPC indicates that the on-premises router does not have a route to that specific subnet. This is most likely because the BGP session is not advertising the prefix for that subnet, or the on-premises router is not receiving the route via BGP.

Without the route, traffic from on-premises to that subnet will be dropped.

Exam trap

Google Cloud often tests the misconception that firewall rules are the default cause of connectivity issues within a VPC, but here the key clue is that ping to one subnet works, isolating the problem to route advertisement rather than security policies.

How to eliminate wrong answers

Option A is wrong because MTU issues typically cause packet fragmentation problems or connectivity failures for large packets, not a complete inability to reach a different subnet while ping (which uses small packets) works. Option B is wrong because firewall rules in Google Cloud VPC are stateful and apply to all traffic; if ping to one subnet works, firewall rules are not blocking traffic to another subnet within the same VPC (assuming similar ingress/egress rules). Option C is wrong because if the VLAN attachment were down, the organization would not be able to ping any instances in the VPC at all, as the interconnect link would be non-functional.

84 · MCQ · medium

A company is using Partner Interconnect to connect to Google Cloud. They notice that traffic from on-premises to GCP takes one path, but return traffic takes a different path, causing asymmetric routing. How can they resolve this?

A. Configure the same BGP ASN on both sides.
B. Apply BGP MED values to influence path selection.
C. Enable asymmetric routing mode on the Cloud Router.
D. Use different link-local addresses for each session.
Answer: B

MED allows you to indicate the preferred path for inbound traffic.

Why this answer

Option B is correct because applying BGP MED (Multi-Exit Discriminator) values allows you to influence the path selection for return traffic from Google Cloud to your on-premises network. By setting a lower MED value on one of the Partner Interconnect connections, you can make Google Cloud prefer that path for return traffic, thereby matching the forward path and resolving asymmetric routing. This is a standard BGP technique for controlling inbound traffic to an AS.

Exam trap

Google Cloud often tests the misconception that BGP ASN configuration or link-local addresses can fix routing asymmetry, when in fact only path-selection attributes like MED or AS path prepending can influence return traffic in a multi-homed BGP setup.

How to eliminate wrong answers

Option A is wrong because configuring the same BGP ASN on both sides would cause BGP to reject the session (eBGP requires different ASNs) or require allowas-in, which does not address asymmetric routing. Option C is wrong because Cloud Router does not have an 'asymmetric routing mode'; asymmetric routing is a network behavior, not a configurable mode on Cloud Router. Option D is wrong because using different link-local addresses for each session is a best practice for BGP session establishment but has no effect on path selection or routing symmetry.

85 · MCQ · easy

Your company has two on-premises data centers, DC1 and DC2, each connected to a separate Google Cloud VPC via Dedicated Interconnect. Both VPCs are connected via VPC Network Peering. A new application deployed in VPC1 needs to communicate with a database in DC2. The database IP range is 10.0.0.0/16. You have configured firewall rules to allow the traffic. However, the application cannot reach the database. You have verified that routes for 10.0.0.0/16 exist in VPC1's route table with next hop to VPC Peering, and in VPC2's route table with next hop to the interconnect attachment. The BGP sessions on both interconnects are up. What is the most likely reason for the connectivity failure?

A. The route for 10.0.0.0/16 in VPC1 is not imported correctly from VPC Peering
B. VPC Network Peering does not support transitive routing through a peered VPC
C. BGP session on the interconnect between VPC2 and DC2 is down
D. Firewall rules in VPC2 are blocking traffic
Answer: B

VPC Peering does not allow a peered VPC to forward traffic to another network, breaking the path from VPC1 to DC2.

Why this answer

VPC Network Peering does not support transitive routing. In this topology, VPC1 is peered with VPC2, but traffic from VPC1 to DC2 must pass through VPC2 and then over the interconnect. Since VPC1's route for 10.0.0.0/16 points to the VPC peering as next hop, VPC1 expects the traffic to be forwarded directly to VPC2.

However, VPC2 cannot forward that traffic to DC2 because Google Cloud VPC peering does not allow a peered VPC to act as a transit hub; each VPC can only communicate directly with its peer, not with resources reachable through that peer. This is a fundamental limitation of VPC Network Peering, which is non-transitive.

Exam trap

The trap here is that candidates assume VPC peering behaves like a router or a traditional network switch, supporting transitive routing, when in fact Google Cloud VPC peering is strictly non-transitive and requires a separate peering or a dedicated interconnect for each VPC-to-on-premises path.

How to eliminate wrong answers

Option A is wrong because the route for 10.0.0.0/16 in VPC1 is correctly pointing to VPC Peering as the next hop, and the question states that routes exist, so import is not the issue. Option C is wrong because the BGP sessions on both interconnects are explicitly stated as up, so the interconnect between VPC2 and DC2 is functioning. Option D is wrong because firewall rules have been verified to allow the traffic, and the problem is at the routing layer, not the firewall layer.

86 · MCQ · easy

A company wants to use a third-party VPN appliance on Google Cloud (Compute Engine) to connect to an on-premises network. Which networking feature must be enabled to allow the VPN appliance to forward traffic between VPC subnets and the tunnel?

A. Create a custom route in the VPC pointing to the VPN appliance's internal IP.
B. Enable Private Google Access on the subnet hosting the VPN appliance.
C. Enable IP forwarding on the VPN appliance VM instance.
D. Create a firewall rule allowing traffic from the on-premises network to the VPC subnets.
Answer: C

IP forwarding is required for the VM to act as a router.

Why this answer

Option C is correct because a third-party VPN appliance running as a Compute Engine VM must have IP forwarding enabled to act as a router. Without this setting, the VM will drop any traffic that is not destined to its own IP address, even if the kernel is configured to forward packets. Enabling IP forwarding (via the `canIpForward` flag or the `gcloud compute instances create --can-ip-forward` option) allows the VM to forward traffic between the VPC subnets and the VPN tunnel interfaces.

Exam trap

Google Cloud often tests the distinction between network-level configurations (routes, firewall rules) and instance-level capabilities (IP forwarding), trapping candidates who assume that creating a route or firewall rule alone is sufficient for a VM to act as a gateway.

How to eliminate wrong answers

Option A is wrong because creating a custom route pointing to the VPN appliance's internal IP is necessary for directing traffic from VPC subnets to the on-premises network, but it is not the feature that must be enabled on the appliance itself; the question asks which feature must be enabled to allow the appliance to forward traffic, and that is IP forwarding. Option B is wrong because Private Google Access enables VMs without external IPs to reach Google APIs and services, but it has no role in forwarding traffic between VPC subnets and a VPN tunnel. Option D is wrong because firewall rules control which traffic is permitted to enter or leave the VPC, but they do not enable the VM to forward packets; without IP forwarding, the VM will not forward traffic even if firewall rules allow it.

87 · MCQ · hard

A company with limited public IP addresses on-premises needs to connect to Google Cloud using Cloud VPN. They require high availability. Which solution should they implement?

A. Use NAT to map multiple private IPs to one public IP.
B. Use Classic VPN with a single tunnel.
C. Use HA VPN with two on-premises public IPs and two tunnels.
D. Use HA VPN with the same public IP for both tunnels.
Answer: C

HA VPN provides redundancy by supporting active-active or active-passive with separate endpoints.

Why this answer

HA VPN provides high availability by using two tunnels, each terminating on a separate on-premises VPN gateway with a unique public IP address. This ensures that if one on-premises public IP or tunnel fails, traffic can still flow through the other tunnel, meeting the high-availability requirement. Classic VPN (option B) does not support active-active failover, and using the same public IP for both tunnels (option D) creates a single point of failure at the on-premises side.

Exam trap

Google Cloud often tests the misconception that HA VPN can use the same on-premises public IP for both tunnels, but in reality, each tunnel must terminate on a separate on-premises device or interface with a unique public IP to achieve true high availability.

How to eliminate wrong answers

Option A is wrong because NAT is a method for translating private IPs to a public IP for outbound internet access, not a solution for establishing a highly available VPN connection to Google Cloud. Option B is wrong because Classic VPN uses a single tunnel and a single on-premises public IP, providing no redundancy or automatic failover, thus failing the high-availability requirement. Option D is wrong because HA VPN requires two distinct on-premises public IP addresses for the two tunnels; using the same public IP for both tunnels would create a single point of failure at the on-premises gateway, negating the high-availability benefit.

88 · MCQ · medium

A company is using Dedicated Interconnect to connect their on-premises network to Google Cloud. They have two VLAN attachments configured, each with a separate Cloud Router with active/active BGP. They want to ensure that traffic from their on-premises network to Google Cloud uses both attachments equally. Which configuration should they implement?

A. Set the same MED value on both on-premises BGP peers, and ensure the AS path length is identical.
B. Configure local preference on the Cloud Router to prefer one attachment, and rely on the other for backup.
C. Configure a single BGP session on one Cloud Router and use static routing for the other attachment.
D. Set a higher MED value on one on-premises peer to deprefer that attachment.
Answer: A

Equal MED and AS path length enables ECMP, balancing traffic across both attachments.

Why this answer

Option A is correct because setting the same MED (Multi-Exit Discriminator) value on both on-premises BGP peers ensures that Google Cloud's Cloud Routers, which are configured with active/active BGP, will see both paths as equally preferred. When the AS path length is also identical, the BGP best-path selection algorithm on the Cloud Routers will load-balance traffic across both VLAN attachments, achieving equal utilization. This is the standard method for enabling equal-cost multipath (ECMP) over Dedicated Interconnect with multiple attachments.

Exam trap

The trap here is that candidates often assume MED is only for influencing inbound traffic from Google Cloud to on-premises, but in this scenario, the MED values are set on the on-premises peers to influence how Google Cloud selects the return path, and equal MED is required for ECMP to work.

How to eliminate wrong answers

Option B is wrong because configuring local preference to prefer one attachment would make that attachment the primary path and the other a backup, which directly contradicts the requirement for equal traffic distribution. Option C is wrong because using a single BGP session on one Cloud Router with static routing on the other attachment would not allow dynamic load balancing; static routes lack the BGP attributes needed for equal-cost multipath, and the second attachment would only be used as a failover. Option D is wrong because setting a higher MED value on one on-premises peer would deprefer that attachment, making it less preferred and preventing equal traffic distribution; MED is a metric that influences path selection, and unequal values break ECMP.

89 · Multi-Select · hard

A Cloud Router BGP session is flapping. Which TWO actions are appropriate troubleshooting steps?

Select 2 answers
A. Check the MTU size on the VPN tunnel or interconnect.
B. Delete and recreate the VLAN attachment.
C. Revert all BGP routes to static routes.
D. Verify BGP timers and hold time settings.
E. Increase the bandwidth of the interconnect.
Answers: A, D

MTU mismatches can cause packet loss and BGP session drops.

Why this answer

Option A is correct because an MTU mismatch on the VPN tunnel or interconnect can cause packet fragmentation or drops, leading to BGP session flapping. Cloud Router uses Google's internal infrastructure, and if the MTU is set too low, large BGP update packets may be silently discarded, triggering hold timer expiry and session resets. Checking and adjusting the MTU ensures that BGP packets can traverse the path without fragmentation.

Exam trap

Google Cloud often tests the misconception that increasing bandwidth or recreating attachments resolves BGP flapping, when in fact the issue is typically related to MTU mismatches or BGP timer misconfigurations that affect session stability.

90 · MCQ · easy

A company wants to connect their on-premises network to Google Cloud using a VPN with high availability and 99.99% SLA. They have two Cloud VPN gateways, each with two external IP addresses. Which configuration best meets the high availability requirement?

A. Deploy two Cloud VPN gateways, each with one tunnel to one on-premises VPN device
B. Deploy two Cloud VPN gateways, each with two tunnels to two separate on-premises VPN devices
C. Deploy one Cloud VPN gateway with two tunnels to two separate on-premises VPN devices
D. Deploy one Cloud VPN gateway with one tunnel to one on-premises VPN device
Answer: B

Provides redundancy at both ends; meets 99.99% SLA.

Why this answer

Option B is correct because it meets the 99.99% SLA requirement by deploying two Cloud VPN gateways, each with two tunnels to two separate on-premises VPN devices. This configuration provides both gateway-level redundancy and tunnel-level redundancy, ensuring that if one gateway, tunnel, or on-premises device fails, traffic can failover to another tunnel. Google Cloud's HA VPN requires at least two tunnels per gateway to achieve the 99.99% SLA, and using two separate on-premises devices eliminates the single point of failure on the customer side.

Exam trap

The trap here is that candidates often assume two gateways with one tunnel each is sufficient for high availability, but they overlook the requirement for two tunnels per gateway to meet the 99.99% SLA, as well as the need for two separate on-premises devices to avoid a single point of failure on the customer side.

How to eliminate wrong answers

Option A is wrong because deploying two Cloud VPN gateways each with only one tunnel to one on-premises VPN device creates a single point of failure on the on-premises side; if that single on-premises device fails, connectivity is lost, and the 99.99% SLA cannot be met. Option C is wrong because deploying only one Cloud VPN gateway, even with two tunnels to two on-premises devices, lacks gateway-level redundancy; if the single gateway fails, all tunnels go down, violating the high availability requirement. Option D is wrong because a single Cloud VPN gateway with a single tunnel to a single on-premises device provides no redundancy at any layer, making it impossible to achieve any meaningful SLA.

91 · Multi-Select · medium

An organization is using Cloud VPN with dynamic routing and wants to improve failover time between two VPN tunnels. Which THREE configuration changes can help reduce failover time?

Select 3 answers
A. Set a lower BGP MED value on the primary tunnel
B. Increase the BGP keepalive interval to reduce overhead
C. Configure BGP timers with lower values for faster detection
D. Add static routes with a higher priority than BGP routes
E. Use multiple VPN tunnels with equal BGP metrics
Answers: A, C, E

Lower MED makes the primary path preferred, allowing faster fallback.

Why this answer

Option A is correct because lowering the BGP Multi-Exit Discriminator (MED) value on the primary tunnel makes it more preferred by the BGP best-path selection process. When the primary tunnel fails, BGP withdraws the route, and the backup tunnel (with a higher MED) is immediately used without waiting for timers to expire. This reduces failover time by ensuring the backup path is already known and only needs to be selected upon withdrawal.

Exam trap

Google Cloud often tests the misconception that increasing keepalive intervals improves performance, when in fact it delays failure detection and increases failover time.

92 · MCQ · medium

A company has a Cloud VPN tunnel with dynamic routing (BGP) connecting their on-premises network to a VPC in us-central1. They recently added a new subnet (10.2.0.0/16) to the VPC. The on-premises network still cannot reach resources in the new subnet. The Cloud Router BGP session is established and routes from on-prem are being received. What is the most likely cause?

A. The Cloud Router does not support more than 10 custom dynamic routes
B. The new subnet range is not included in the Cloud Router's advertised routes
C. BGP session is not established
D. Firewall rules are blocking traffic
Answer: B

Custom dynamic routes must be added to the Cloud Router's advertised route list for the remote peer to learn them.

Why this answer

When a new subnet is added to a VPC, the Cloud Router must be configured to advertise that subnet's CIDR range to the on-premises BGP peer. Even though the BGP session is established and routes from on-premises are received, the Cloud Router will not automatically advertise the new subnet unless its advertised route list is updated. Without the new subnet in the Cloud Router's advertised routes, the on-premises network has no path to reach 10.2.0.0/16, causing connectivity failure.

Exam trap

Google Cloud often tests the distinction between route propagation (BGP session up) and route advertisement (what prefixes are actually sent), leading candidates to incorrectly assume that an established BGP session automatically advertises all VPC subnets.

How to eliminate wrong answers

Option A is wrong because Cloud Router does not have a hard limit of 10 custom dynamic routes; it supports up to 100 custom route advertisements per VPC, and the limit is configurable via quota. Option C is wrong because the question explicitly states the BGP session is established, so a lack of session is not the issue. Option D is wrong because firewall rules control traffic filtering, not route advertisement; even if firewall rules permit traffic, the on-premises network cannot send packets to the new subnet without a route to it.

93
Multi-Select · medium

Which THREE of the following are requirements for setting up a Dedicated Interconnect connection to Google Cloud? (Choose three.)

Select 3 answers
A. A Layer 2 circuit between the on-premises router and Google's edge router.
B. A public IP address on the on-premises router for BGP peering.
C. BGP sessions must be configured directly on the VLAN attachment.
D. A physical cross-connect in a colocation facility that supports Google Cloud Interconnect.
E. A VLAN attachment (VLAN) configured in Google Cloud to connect to a VPC.
Answers: A, D, E

The connection operates at Layer 2.

Why this answer

Option A is correct because a Dedicated Interconnect requires a Layer 2 circuit (e.g., Ethernet VLAN) that directly connects your on-premises router to a Google edge router at a colocation facility. This Layer 2 link provides the physical or virtual circuit over which BGP sessions are established to exchange routes between your network and Google Cloud.

Exam trap

Google Cloud often tests the misconception that BGP sessions are configured directly on the VLAN attachment, when in fact they are configured on the Cloud Router, which uses the VLAN attachment as the underlying Layer 2 transport.

94
MCQ · hard

Your company has a Dedicated Interconnect with two VLAN attachments (vlan-attachment-a and vlan-attachment-b) connected to two different Edge Availability Domains (EADs) in the us-central1 region. Both attachments are associated with a single Cloud Router named 'cr-us-central1'. On-premises, you have two routers (rtr-a and rtr-b) each connected to one VLAN attachment via BGP. The Cloud Router has four BGP sessions: rtr-a (vlan-a), rtr-a (vlan-b), rtr-b (vlan-a), rtr-b (vlan-b) — a full mesh for redundancy. All sessions are established and routes are exchanged. Recently, you added a new on-premises subnet 192.168.100.0/24 and advertised it via BGP from both on-premises routers. However, Google Cloud instances in the VPC cannot reach this subnet. Other on-premises subnets (e.g., 10.0.0.0/8) are reachable. The Cloud Router route table for 'cr-us-central1' shows multiple entries for 192.168.100.0/24, each with different next hops but all with status 'stacked'. There are no BGP route filters configured. What is the most likely cause of the issue?

A. The Cloud Router has reached its maximum route limit.
B. The BGP routes have incorrect MED values causing a conflict.
C. The new subnet 192.168.100.0/24 overlaps with an existing VPC subnet.
D. The on-premises routers are not advertising the subnet with a required community tag.
Answer: C

When a learned route overlaps with a VPC subnet, the route is stacked and not used to avoid conflict.

Why this answer

When a BGP-learned route overlaps with an existing VPC subnet, Google Cloud treats it as a conflict and marks the route as 'stacked' (i.e., not active). The Cloud Router can learn the route, but it will not be installed in the VPC's effective routes because the VPC subnet prefix takes precedence. Since 192.168.100.0/24 is a private IP range that could easily overlap with a subnet in the VPC, this is the most likely cause.

Exam trap

The trap here is that candidates often assume 'stacked' routes indicate a BGP peering or route advertisement issue, when in fact it is a route conflict caused by overlapping prefixes with existing VPC subnets.

How to eliminate wrong answers

Option A is wrong because the Cloud Router has not reached its maximum route limit; if it had, the new routes would not appear at all in the route table, and other routes would also be affected. Option B is wrong because MED values influence path selection among multiple BGP paths but do not cause routes to be 'stacked' or prevent them from being installed in the VPC; conflicting MEDs would not block the route from being used. Option D is wrong because community tags are not required for BGP route acceptance on Google Cloud; the absence of a community tag does not cause routes to be marked as 'stacked' or prevent them from being used.

95
MCQ · medium

An on-premises router uses BGP ASN 64512. The Cloud Router is also configured with ASN 64512. When the BGP peering is established, what behavior is expected?

A. The session works but routes are not exchanged.
B. Cloud Router will automatically prepend its ASN to avoid conflict.
C. The BGP session will fail or behave unpredictably.
D. The BGP session works normally since ASN 64512 is a private ASN.
Answer: C

Same ASN on both sides causes BGP to reject the session (at least one side will see a loop).

Why this answer

BGP requires each router in a peering session to have a unique ASN to properly enforce loop prevention and path selection. When both the on-premises router and Cloud Router use the same ASN 64512, the BGP session will fail or behave unpredictably because each router will see its own ASN in received updates, triggering the BGP loop detection mechanism (RFC 4271, Section 9.3) and causing the session to drop or routes to be rejected.

Exam trap

Google Cloud often tests the misconception that private ASNs (64512-65535) are exempt from BGP loop detection, but in reality, BGP treats all ASNs equally for loop prevention, and duplicate ASNs will cause the session to fail.

How to eliminate wrong answers

Option A is wrong because the BGP session will not work normally; the duplicate ASN causes the session to fail or behave unpredictably, not just a lack of route exchange. Option B is wrong because Cloud Router does not automatically prepend its ASN to avoid conflict; ASN prepending is a manual path manipulation technique, not an automatic fix for duplicate ASN issues. Option D is wrong because even though 64512 is a private ASN, BGP loop detection still applies regardless of ASN range; the session will not work normally with duplicate ASNs.

96
MCQ · medium

An engineer has configured an HA VPN tunnel between an on-premises network and Google Cloud. The tunnel status shows as established, but traffic is not flowing. The engineer checks the Cloud Router BGP session and sees it is in the Active state. What is the most likely cause?

A. The tunnel's shared secret (pre-shared key) is mismatched.
B. The Cloud Router is not advertising the VPC subnet routes.
C. The on-premises router is not allowing BGP traffic on UDP port 179.
D. The Cloud Router is not configured with the correct BGP IP address for the on-premises side.
Answer: D

Incorrect peer IP is a common cause of BGP Active state.

Why this answer

The BGP session being in the Active state indicates that the Cloud Router has sent an Open message but has not received a valid response from the on-premises peer. This most commonly occurs when the BGP peer IP address configured on the Cloud Router does not match the IP address the on-premises router is using for BGP peering, preventing the TCP connection on port 179 from completing. Since the tunnel is established (IPsec is up), the issue is at the BGP layer, not the tunnel layer.

Exam trap

Google Cloud often tests the distinction between IPsec tunnel states and BGP session states, trapping candidates who assume a working tunnel means BGP must also be working, when in fact BGP has its own TCP-based connectivity requirements independent of the encrypted tunnel.

How to eliminate wrong answers

Option A is wrong because a mismatched pre-shared key would prevent the IPsec tunnel from establishing, but the question states the tunnel status is established. Option B is wrong because the Cloud Router not advertising VPC subnet routes would cause BGP to be established (Established state) but routes would be missing; the session being in Active state indicates a TCP connection failure, not a route advertisement issue. Option C is wrong because the on-premises router not allowing BGP traffic on UDP port 179 is incorrect—BGP uses TCP port 179, not UDP; blocking TCP port 179 would cause the same Active state, but the question specifies UDP, which is a protocol mismatch and thus not the most likely cause given the standard BGP behavior.

97
Drag & Drop · medium

Drag and drop the steps to configure a global external HTTP(S) load balancer in Google Cloud into the correct order.


Why this order

Load balancer setup: backend, health check, URL map, target proxy, forwarding rule.

98
Multi-Select · hard

Which THREE of the following could cause a Dedicated Interconnect BGP session to go to the 'IDLE' state?

Select 3 answers
A. Firewall rules blocking UDP port 179
B. BGP is not enabled on the Cloud Router
C. BGP keepalive timer mismatch
D. Multi-Exit Discriminator (MED) mismatch
E. Cloud Router is not configured to establish a BGP session with the on-premises peer
Answers: A, B, E

BGP uses TCP 179, not UDP. But if TCP is blocked, session stays IDLE.

Why this answer

Option A is correct because BGP uses TCP port 179 for establishing and maintaining sessions. If a firewall blocks UDP port 179, it would not affect BGP directly, as BGP relies on TCP, not UDP. However, the question states 'UDP port 179' which is a common misdirection; in reality, blocking TCP port 179 would cause the BGP session to go to IDLE state.

The IDLE state indicates that the BGP process is not attempting to establish a connection, often due to a failure in the underlying TCP connection.

Exam trap

Google Cloud often tests the misconception that BGP uses UDP port 179, but BGP actually uses TCP port 179; the trap here is that candidates may incorrectly select firewall rules blocking UDP port 179 as a cause, when in reality it is TCP port 179 that matters.

99
MCQ · medium

A company is using Cloud VPN with BGP to connect their on-premises network to Google Cloud. They have two VPN tunnels from two different on-premises VPN gateways to a single Cloud VPN gateway. They notice that during maintenance on one on-premises gateway, traffic fails over to the other tunnel, but after the maintenance, traffic does not fail back. What is the most likely cause?

A. Only one VPN tunnel can be active at a time
B. The BGP local preference on the primary tunnel is not higher than the backup tunnel
C. Cloud VPN gateway does not support BGP
D. The backup tunnel does not have a valid BGP session
Answer: B

Without a higher local preference, the backup tunnel remains preferred after failover.

Why this answer

Option B is correct because BGP local preference is used to influence outbound traffic path selection. If the primary tunnel's local preference is not higher than the backup tunnel's, BGP will not prefer the primary route after the backup session recovers, causing traffic to remain on the backup tunnel. This is classic BGP route selection behavior: the highest local preference wins.

Exam trap

The trap here is that candidates often assume failback is automatic with BGP, but without explicit local preference tuning, BGP will not prefer the primary tunnel after recovery, leading to asymmetric traffic or persistent backup path usage.

How to eliminate wrong answers

Option A is wrong because Cloud VPN supports multiple active tunnels simultaneously with BGP, and both tunnels can be active at the same time. Option C is wrong because Cloud VPN fully supports BGP for dynamic routing, including route advertisement and selection. Option D is wrong because the backup tunnel does have a valid BGP session (traffic fails over to it), so the issue is not a missing session but rather the BGP path selection not reverting to the primary tunnel.

100
MCQ · hard

A large enterprise has a multi-site on-premises network with two data centers (DC1 and DC2) connected via a private WAN. They are migrating critical applications to Google Cloud and have established a Dedicated Interconnect at each data center, each with a single VLAN attachment (vlan-attachment-1 from DC1, vlan-attachment-2 from DC2) connected to a single VPC network in us-central1. Each VLAN attachment uses a separate Cloud Router (router-us-central1-dc1 and router-us-central1-dc2) with BGP sessions advertising the same on-premises prefixes. The VPC has auto-mode subnet ranges. They notice that traffic from Google Cloud to on-premises is flowing only through DC1, and when DC1's interconnect fails, traffic fails over to DC2, but after DC1 recovers, traffic does not return to DC1. The on-premises routers are advertising the same prefixes with equal MED values. What is the most likely cause and the best corrective action?

A. Configure the on-premises router at DC1 to set a lower MED value for its advertised routes to make DC1 preferred
B. Change the VPC routing mode from auto to custom to force route re-evaluation
C. Disable the BGP session on DC2's Cloud Router during normal operation and re-enable it only when DC1 fails
D. On the Google Cloud Router for DC1, apply a route policy to set a higher local preference for routes learned from DC1
Answer: A

Lower MED makes DC1 preferred; after failover, when DC1 recovers, its lower MED will cause traffic to return.

Why this answer

Option A is correct because with equal MED values from both on-premises routers, Google Cloud's Cloud Routers will prefer the first learned route and stick to it due to the default BGP best-path selection behavior (no tie-breaking based on router ID or other attributes when routes are identical). When DC1's interconnect fails, the route is withdrawn, and traffic fails over to DC2. After DC1 recovers, the route is re-advertised, but Cloud Router does not automatically preempt the existing DC2 route because the BGP best-path selection is stable and does not re-evaluate unless the current best path is withdrawn.

Setting a lower MED on DC1's advertised routes makes DC1's route more preferred, ensuring traffic returns to DC1 after recovery.

Exam trap

Google Cloud often tests the misconception that BGP automatically re-evaluates the best path when a new route is received, but in practice, BGP is stable and only switches to a new path if the current best path is withdrawn, which is why adjusting MED (or other attributes) is necessary to force traffic back to the primary link after recovery.

How to eliminate wrong answers

Option B is wrong because changing the VPC routing mode from auto to custom does not affect BGP route re-evaluation or failover behavior; it only changes how subnets are created and managed, not how dynamic routes are selected. Option C is wrong because manually disabling the BGP session on DC2's Cloud Router during normal operation defeats the purpose of having redundant connectivity and active-active load balancing; it also introduces operational complexity and potential for longer failover times. Option D is wrong because setting a higher local preference on the Google Cloud Router for DC1 would make DC1's routes more preferred, but local preference is an inbound attribute applied to routes received from BGP peers; however, Cloud Router does not support applying local preference to routes learned from on-premises—it is typically set on the on-premises side or via route policies on the Cloud Router, but the correct approach is to adjust MED on the on-premises router to influence the path selection from Google Cloud's perspective.

101
MCQ · hard

A large enterprise has multiple on-premises data centers connected to Google Cloud via a combination of Dedicated Interconnect and Cloud VPN. They have a VPC with subnets in us-east1 and us-west1. The on-premises network advertises a prefix 10.0.0.0/8 to both Cloud Routers (each in different regions) via BGP. The Cloud Routers are configured with 'global' dynamic routing mode. The network team notices that traffic from Google Cloud instances in us-west1 to on-premises destinations in 10.0.0.0/8 is always taking the path to the closest on-premises data center (west coast) even though the west coast data center is currently under high load, causing performance degradation. The east coast data center is underutilized. They want to influence the path selection so that the west coast instances prefer the east coast data center during peak times. They are using BGP. What is the most effective method to achieve this?

A. Set a higher local preference on the west coast Cloud Router for routes received from the east coast data center.
B. Set a higher MED on the west coast data center's BGP advertisements to increase its desirability.
C. Configure the east coast data center to prepend one additional AS path hop to its advertised routes.
D. Use BGP communities to tag routes from the west coast data center under load, and configure Cloud Router to match these communities and adjust the route priority (MED) accordingly.
Answer: D

This allows dynamic adjustment: when the west coast is loaded, it tags routes with a community, and Cloud Router increases MED for those routes, making east coast more preferred.

Why this answer

Option D is correct because BGP communities allow the west coast data center to tag its routes with a community value indicating high load. The Cloud Router can then be configured to match this community and adjust the route priority by lowering the MED (or local preference) for those routes, making the east coast data center's routes more preferred. This dynamic, policy-based approach directly addresses the need to shift traffic away from the overloaded west coast data center without manual reconfiguration.

Exam trap

The trap here is that candidates often confuse MED and local preference, thinking MED influences outbound path selection from the local AS, when in fact MED is used to influence inbound traffic from a neighboring AS, while local preference is used for outbound path selection within the AS.

How to eliminate wrong answers

Option A is wrong because setting a higher local preference on the west coast Cloud Router for routes from the east coast data center would make those routes more preferred globally (since local preference is propagated within the AS), but the question specifies influencing path selection for west coast instances specifically; local preference is an AS-wide attribute and would affect all regions, not just us-west1. Option B is wrong because MED is used to influence inbound traffic from a neighbor AS, not outbound traffic from Google Cloud to on-premises; increasing MED on the west coast data center's advertisements would make its routes less desirable for inbound traffic from Google Cloud, but the issue is about outbound path selection from Google Cloud instances. Option C is wrong because AS path prepending makes a route less preferred by artificially lengthening the AS path; prepending on the east coast data center would make its routes less attractive, which is the opposite of what is needed (we want to make east coast routes more preferred).

102
MCQ · hard

A large e-commerce company has a hybrid cloud setup with a Dedicated Interconnect between their on-premises data center in Dallas and Google Cloud us-central1 region. They have a single VLAN attachment with a Cloud Router that uses BGP to exchange routes. The on-premises network uses 10.0.0.0/8, and Google Cloud VPC uses 172.16.0.0/16. They recently deployed a new application in us-west1 that uses IP range 172.17.0.0/16. They created a VPC peering between the us-central1 VPC and the us-west1 VPC. On-premises users can reach the us-central1 workloads but cannot reach the us-west1 application. There are no firewall rules blocking traffic. The on-premises router has a default route pointing to the Interconnect. What is the most likely cause of the issue?

A. The Cloud Router does not have routes for 172.17.0.0/16 because VPC peering does not automatically propagate routes to Cloud Router
B. BGP is not configured between Cloud Router and us-west1 VPC
C. Firewall rules in us-west1 are blocking traffic from the on-premises IP range
D. The Dedicated Interconnect is only available in us-central1 and cannot reach us-west1
Answer: A

VPC peering does not propagate routes to on-premises via Cloud Router; you must use a separate VLAN attachment or VPN in us-west1.

Why this answer

The issue is that VPC peering does not automatically propagate routes from the peered VPC (us-west1, 172.17.0.0/16) to the Cloud Router that is used for the Dedicated Interconnect. Cloud Router only learns routes that are present in the VPC’s routing table and that are explicitly advertised via BGP. Since VPC peering routes are not automatically imported into the VPC’s dynamic routing table for Cloud Router, the on-premises router never receives a route for 172.17.0.0/16, even though there are no firewall blocks.

Exam trap

The trap here is that candidates assume VPC peering automatically makes all peered networks reachable from on-premises via the Interconnect, forgetting that Cloud Router only advertises routes that are explicitly in the VPC’s routing table and not those learned through peering unless custom advertisement is set up.

How to eliminate wrong answers

Option B is wrong because BGP is configured between the Cloud Router and the on-premises router, not between Cloud Router and the us-west1 VPC; VPC peering does not involve BGP. Option C is wrong because the question explicitly states there are no firewall rules blocking traffic, so firewall rules in us-west1 are not the cause. Option D is wrong because a Dedicated Interconnect in us-central1 can reach us-west1 via Google’s internal network; the limitation is not geographic but rather the lack of route propagation from the peered VPC to the Cloud Router.

103
MCQ · hard

An organization is using Cloud VPN with dynamic routing (BGP) to connect their on-premises network to Google Cloud. They notice that traffic from Google Cloud to on-premises is not using the VPN tunnel but instead going through the internet. They have verified that the VPN tunnel is up and BGP sessions are established. Which configuration issue is most likely causing this behavior?

A. The Cloud Router BGP IP address is misconfigured
B. The pre-shared key for the VPN tunnel is mismatched
C. The on-premises BGP ASN is incorrect
D. The on-premises router is not advertising the on-premises CIDR via BGP
Answer: D

Without the route advertisement, Google Cloud cannot route traffic to on-premises via the VPN.

Why this answer

Option D is correct because if the on-premises router does not advertise the on-premises CIDR via BGP, the Cloud Router will not have a route to that network in its routing table. Even though the VPN tunnel is up and BGP sessions are established, without the specific prefix being advertised, Google Cloud will use its default route (0.0.0.0/0) to send traffic to on-premises over the internet instead of through the VPN tunnel.

Exam trap

The trap here is that candidates assume a working VPN tunnel and established BGP session guarantee traffic flows correctly, but they overlook the critical requirement that the on-premises CIDR must be explicitly advertised via BGP for Cloud Router to install a specific route over the VPN.

How to eliminate wrong answers

Option A is wrong because a misconfigured Cloud Router BGP IP address would prevent the BGP session from establishing, but the question states BGP sessions are established. Option B is wrong because a mismatched pre-shared key would cause the IPsec tunnel to fail to come up, but the question confirms the VPN tunnel is up. Option C is wrong because an incorrect on-premises BGP ASN would cause the BGP session to fail to establish or be rejected, but the question explicitly states BGP sessions are established.

104
MCQ · easy

A company needs to connect multiple on-premises sites to Google Cloud using a single Cloud VPN gateway. What is the recommended approach?

A. Create a single VPN tunnel and use policy-based routing to direct traffic.
B. Use a single VPN tunnel with multiple BGP sessions.
C. Create multiple VPN tunnels, each with its own BGP session to a Cloud Router.
D. Create a single VPN tunnel and use static routes for each site.
Answer: C

This allows each site to have its own encrypted tunnel and dynamic routing.

Why this answer

When connecting multiple on-premises sites to Google Cloud using a single Cloud VPN gateway, the recommended approach is to create multiple VPN tunnels, each with its own BGP session to a Cloud Router. This allows the Cloud VPN gateway to terminate multiple tunnels, and each tunnel can have a unique BGP session for dynamic route exchange, enabling the gateway to learn and advertise routes for each site independently. Using a single tunnel with multiple BGP sessions or policy-based routing is not supported because a Cloud VPN tunnel is a point-to-point connection that can only have one BGP session per tunnel, and static routes would not provide the redundancy or dynamic failover needed for multiple sites.

Exam trap

Google Cloud often tests the misconception that a single VPN tunnel can support multiple BGP sessions or that policy-based routing can be used to segregate traffic for multiple sites, but in Google Cloud, each tunnel is a point-to-point construct that requires its own BGP session, and policy-based routing is not available for Cloud VPN.

How to eliminate wrong answers

Option A is wrong because policy-based routing is not a supported feature for Cloud VPN tunnels; Cloud VPN uses route-based VPNs (with BGP or static routes) and cannot direct traffic based on policies across multiple sites through a single tunnel. Option B is wrong because a single VPN tunnel can only have one BGP session; multiple BGP sessions cannot be established over a single tunnel as each BGP session requires a separate tunnel interface and peer IP address. Option D is wrong because using a single VPN tunnel with static routes for each site would create a single point of failure and cannot provide the dynamic routing, failover, or load balancing needed for multiple on-premises sites; static routes also require manual updates if site topologies change.

105
Matching · medium

Match each VPC networking concept to its definition.


Regional IP range within a VPC

Connection between two VPCs for private IP communication

VPC from one project shared with other projects

Outbound internet access for private instances

Access Google APIs from on-premises or other clouds

Why these pairings

These concepts are fundamental to VPC design in Google Cloud.

106
MCQ · easy

A company is deploying a hybrid cloud solution using Partner Interconnect. They have ordered a 1 Gbps connection from a partner at a colocation facility. The on-premises network uses a 10 Gbps link to the colo, and the partner provides a single 1 Gbps connection to Google Cloud. The company wants to connect two separate VPC networks in Google Cloud (production and development) to their on-premises network. Each VPC requires 500 Mbps of dedicated bandwidth. The company also needs high availability for the connection. What should they do?

A. Create a single VLAN attachment, then use a shared VPC with two subnets. Configure one Cloud Router with two BGP sessions, one for each subnet.
B. Create one VLAN attachment with 1 Gbps capacity, attach it to both VPCs using a single Cloud Router with two BGP sessions.
C. Create two VLAN attachments on the same interconnect, each with 500 Mbps capacity. Configure a separate Cloud Router for each VPC, each with a BGP session on its respective VLAN attachment. Use BGP metrics for active/passive failover.
D. Order two separate 1 Gbps Partner Interconnect connections, one for each VPC, and configure each with a single VLAN attachment.
Answer: C

Correct. This meets bandwidth and HA requirements.

Why this answer

Option C is correct because Partner Interconnect supports multiple VLAN attachments on a single connection, each with its own capacity allocation. By creating two VLAN attachments with 500 Mbps each, you can dedicate bandwidth to each VPC while meeting the 500 Mbps requirement. Using separate Cloud Routers with BGP sessions on each VLAN attachment and adjusting BGP metrics (e.g., local preference) allows active/passive failover for high availability, satisfying both the bandwidth and HA needs without requiring additional physical connections.

Exam trap

The trap here is that candidates assume a single VLAN attachment can serve multiple VPCs or that multiple physical connections are required for multiple VPCs, but Partner Interconnect allows multiple VLAN attachments on one connection, each dedicated to a different VPC with its own bandwidth and BGP session.

How to eliminate wrong answers

Option A is wrong because a single VLAN attachment cannot be shared across two separate VPC networks; VLAN attachments are per-VPC resources, and using a shared VPC with subnets does not provide dedicated bandwidth per VPC or proper isolation. Option B is wrong because a single VLAN attachment cannot be attached to two VPCs simultaneously; each VLAN attachment is associated with exactly one VPC and one Cloud Router, and a single Cloud Router with two BGP sessions cannot route traffic to two different VPCs over the same attachment. Option D is wrong because ordering two separate 1 Gbps connections is unnecessary and cost-prohibitive; a single 1 Gbps Partner Interconnect connection can support multiple VLAN attachments (up to 8 per connection) to serve multiple VPCs with dedicated bandwidth.

107
Multi-Select · medium

An organization needs low-latency connectivity between their on-premises data center and Google Cloud, supporting up to 20 Gbps throughput. They already have a Partner Interconnect connection but need to increase capacity. Which two actions should they take? (Choose two.)

Select 2 answers
A. Work with the service provider to upgrade the existing interconnect to a higher capacity
B. Create additional Cloud VPN tunnels to the same region
C. Provision a new Dedicated Interconnect to bypass the partner
D. Provision additional VLAN attachments on the existing Partner Interconnect
Answers: A, D

Partner Interconnect bandwidth can be upgraded with provider.

Why this answer

Option A is correct because Partner Interconnect connections can be upgraded to higher capacity by working with the service provider, as the provider manages the underlying physical circuit. This allows increasing throughput up to 20 Gbps without replacing the existing connection, leveraging the existing Layer 2 or Layer 3 handoff.

Exam trap

Google Cloud often tests the misconception that adding Cloud VPN tunnels can scale throughput to match Interconnect speeds, but VPN tunnels have lower bandwidth limits and higher latency, making them unsuitable for high-throughput, low-latency requirements.

108
MCQ · easy

A company is deploying a Dedicated Interconnect with a 10 Gbps circuit to Google Cloud. They need to ensure high availability. Which configuration is required by Google Cloud to meet the high availability SLA?

A. Combine Dedicated Interconnect with a Cloud VPN tunnel for failover
B. Use Partner Interconnect instead of Dedicated Interconnect
C. Provision two VLAN attachments on two separate Cloud Routers in different zones
D. Provision a single VLAN attachment on one Cloud Router
Answer: C

Two VLAN attachments in different zones provide redundancy and meet the HA SLA.

Why this answer

To meet the high availability SLA for Dedicated Interconnect, Google Cloud requires at least two VLAN attachments, each on a separate Cloud Router in different zones. This ensures that if one zone or Cloud Router fails, traffic can still flow through the other attachment, providing redundancy. A single VLAN attachment or a single Cloud Router does not meet the 99.99% availability SLA because it creates a single point of failure.

Exam trap

The trap here is that candidates often think a single Cloud Router with multiple VLAN attachments is sufficient, but Google Cloud requires the Cloud Routers themselves to be in different zones to avoid a single point of failure at the zone level.

How to eliminate wrong answers

Option A is wrong because combining Dedicated Interconnect with a Cloud VPN tunnel is not a required configuration for the high availability SLA; while it can provide a backup path, the SLA specifically requires redundant VLAN attachments on separate Cloud Routers in different zones. Option B is wrong because Partner Interconnect is an alternative connectivity option, not a requirement for high availability; the SLA for Dedicated Interconnect is met with redundant VLAN attachments, not by switching to Partner Interconnect. Option D is wrong because a single VLAN attachment on one Cloud Router creates a single point of failure and does not meet the high availability SLA, which mandates at least two attachments in different zones.

109
MCQ · medium

A company needs to connect their on-premises data center to Google Cloud using Dedicated Interconnect. They have a service level agreement that requires 99.99% availability for the connection. What is the minimum number of VLAN attachments they must provision, and how should they be configured to meet this SLA?

A. One VLAN attachment with a single Interconnect
B. Two VLAN attachments, each on a different Interconnect
C. Four VLAN attachments on two Interconnects
D. Two VLAN attachments on the same Interconnect
Answer: B

Two VLAN attachments on redundant Interconnects provide the required availability.

Why this answer

To achieve 99.99% availability for Dedicated Interconnect, you must eliminate single points of failure. A single VLAN attachment on one Interconnect (Option A) provides no redundancy. Google Cloud requires at least two VLAN attachments, each on a different Interconnect (and ideally different edge availability domains), to meet this SLA.

This ensures that if one Interconnect or VLAN attachment fails, traffic can fail over to the other, maintaining connectivity.

Exam trap

Google Cloud often tests the misconception that two VLAN attachments on the same Interconnect provide redundancy, but the trap here is that they share the same physical link and edge availability domain, so a single failure takes down both attachments.

How to eliminate wrong answers

Option A is wrong because a single VLAN attachment on one Interconnect creates a single point of failure; Google Cloud's 99.99% SLA for Dedicated Interconnect requires redundant connections across at least two separate Interconnects. Option C is wrong because four VLAN attachments on two Interconnects exceed the minimum requirement; two VLAN attachments (one per Interconnect) are sufficient to meet the 99.99% SLA, and adding more does not increase availability beyond the SLA. Option D is wrong because two VLAN attachments on the same Interconnect share the same physical link; if that Interconnect fails, both attachments go down, so this configuration does not provide the required redundancy.

110
MCQ · hard

You have set up a Dedicated Interconnect with two VLAN attachments (each 10 Gbps) and configured ECMP on the Cloud Router. You observe that traffic from on-premises to a specific VM is only using one attachment. What is the most likely cause?

A. Route propagation is disabled on one Cloud Router interface
B. One of the VLAN attachments has a higher route priority
C. BGP ASN mismatch between the two attachments
D. The traffic consists of a single flow that is hashed to one attachment
Answer: D

ECMP per-flow hashing keeps each flow to one path.

Why this answer

D is correct because ECMP (Equal-Cost Multi-Path) relies on hashing of packet headers (e.g., 5-tuple: source/destination IP, protocol, source/destination port) to select a path. A single flow (e.g., a TCP connection between two specific IPs and ports) will always hash to the same attachment, so it cannot use both VLAN attachments simultaneously. This is expected behavior, not a fault.

Exam trap

Google Cloud often tests the misconception that ECMP should load-balance every packet across all links, but the trap here is that ECMP operates on a per-flow basis (not per-packet) to avoid packet reordering, so a single flow will always use only one path.

How to eliminate wrong answers

Option A is wrong because route propagation is a BGP setting that controls whether learned routes are advertised to VPC networks; if disabled on one interface, routes would be missing entirely, not just for a single flow. Option B is wrong because route priority (e.g., MED, local preference) affects which route is preferred for a prefix, but both attachments have equal cost (same bandwidth, same AS path length), so priority does not cause single-flow behavior. Option C is wrong because an ASN mismatch would prevent BGP peering from establishing at all, causing complete loss of connectivity on that attachment, not selective use of one attachment for a single flow.

111
MCQ · easy

When setting up a Partner Interconnect, which Google Cloud resource is used to connect to the partner's network?

A. Cloud VPN gateway
B. Cloud Interconnect attachment
C. VLAN attachment
D. Cloud Router
Answer: C

A VLAN attachment is the logical connection between Google Cloud and the partner's network.

Why this answer

When setting up a Partner Interconnect, the correct Google Cloud resource is a VLAN attachment. This attachment is provisioned on a Cloud Interconnect connection that is managed by a supported service provider, and it defines the VLAN and the Cloud Router configuration used to exchange routes via BGP. The VLAN attachment is the logical construct that connects your VPC network to the partner's network through the partner's physical infrastructure.

Exam trap

Google Cloud often tests the distinction between the physical connection (Dedicated Interconnect or Partner Interconnect) and the logical attachment (VLAN attachment), so candidates mistakenly select 'Cloud Interconnect attachment' as a generic term instead of the precise 'VLAN attachment' resource name used in Google Cloud.

How to eliminate wrong answers

Option A is wrong because Cloud VPN gateway is used for IPsec VPN tunnels over the public internet, not for dedicated or partner-managed physical interconnections. Option B is wrong because 'Cloud Interconnect attachment' is not a specific Google Cloud resource; the correct term is 'VLAN attachment' which is the attachment created on a Dedicated or Partner Interconnect connection. Option D is wrong because Cloud Router is a dynamic routing appliance that exchanges BGP routes over the VLAN attachment, but it is not the resource that directly connects to the partner's network—the VLAN attachment is the connection point.

112
MCQ · hard

A network engineer is troubleshooting connectivity between an on-premises network and Google Cloud. The on-premises router has two BGP sessions configured for redundancy with a Cloud Router. The engineer runs the command above. Which issue does the output indicate?

A. Both BGP sessions are down
B. The BGP session for peer-a is down
C. The on-premises router is not advertising any routes to the Cloud Router
D. The Cloud Router is not advertising any routes to on-premises
Answer: C

learnedRoutes is empty for peer-a, indicating no routes received from on-premises.

Why this answer

The output shows that both BGP sessions are established (state = Established), so options A and B are incorrect. However, the 'Received routes' count is 0 for both peers, meaning the on-premises router is not sending any routes to the Cloud Router. This prevents the Cloud Router from learning the on-premises prefixes, breaking connectivity from Google Cloud to on-premises.

Exam trap

The trap here is that candidates see 'Established' sessions and assume full connectivity, overlooking that BGP session up does not guarantee routes are being exchanged, which is the actual root cause of the connectivity failure.

How to eliminate wrong answers

Option A is wrong because the BGP session state for both peers is 'Established', indicating the TCP connection and BGP session are up, not down. Option B is wrong because peer-a's session state is also 'Established', so it is not down. Option D is wrong because the 'Advertised routes' count is non-zero (e.g., 5 for peer-a), showing the Cloud Router is sending routes; the issue is with received routes, not advertised routes.

113
MCQ · easy

A company has a Dedicated Interconnect with one 10 Gbps connection. They need high availability for critical workloads. Which design is the best practice according to Google Cloud recommendations?

A. Provision a second Dedicated Interconnect connection to a different PoP.
B. Add a second connection to the same PoP using the same provider.
C. Rely on the single connection and monitor for failures.
D. Use Cloud VPN as a backup to the Dedicated Interconnect.
Answer: A

Connections to different PoPs provide geographic redundancy and higher availability.

Why this answer

Google Cloud best practice for high availability with Dedicated Interconnect requires at least two physical connections, each to a different edge point of presence (PoP), to eliminate single points of failure at the network edge. A single 10 Gbps connection, even with a backup VPN, does not provide the same SLA or bandwidth guarantees for critical workloads. Option A ensures that if one PoP or provider fails, the other connection can maintain connectivity.

Exam trap

The trap here is that candidates often assume a second connection to the same PoP or a VPN backup is sufficient for high availability, but Google Cloud explicitly requires diverse PoPs to protect against facility-level failures, and VPN backup lacks the bandwidth and SLA for critical workloads.

How to eliminate wrong answers

Option B is wrong because adding a second connection to the same PoP using the same provider still creates a single point of failure at that PoP; both connections share the same physical location and provider infrastructure, so an outage at that PoP or provider will take down both links. Option C is wrong because relying on a single connection with monitoring does not provide high availability; any failure of that single link will cause downtime for critical workloads, and Google Cloud recommends at least two connections for HA. Option D is wrong because Cloud VPN as a backup to Dedicated Interconnect does not provide the same bandwidth (typically limited to 3 Gbps per tunnel) or latency guarantees, and it introduces additional encryption overhead; it is suitable for lower-bandwidth or non-critical failover, not for maintaining 10 Gbps throughput for critical workloads.

114
Multi-Select · easy

Which TWO of the following are benefits of using Cloud Interconnect over Cloud VPN for hybrid connectivity? (Choose two.)

Select 2 answers
A. Lower and more consistent latency.
B. Always provides encryption for data in transit.
C. Easier to set up as no physical connection is needed.
D. Lower cost for small bandwidth requirements.
E. Higher bandwidth capacity (up to 80 Gbps per circuit).
Answers: A, E

Dedicated connections avoid internet variability.

Why this answer

Cloud Interconnect provides a dedicated, private connection between your on-premises network and Google Cloud, bypassing the public internet. This results in lower and more consistent latency compared to Cloud VPN, which relies on the public internet and is subject to variable network conditions and potential congestion.

Exam trap

Google Cloud often tests the misconception that Cloud Interconnect provides encryption by default, when in fact it does not; the trap is that candidates confuse the private nature of the connection with inherent security, forgetting that encryption must be separately implemented.

115
MCQ · medium

A company has a Cloud VPN between their on-premises network and Google Cloud. They want to ensure that traffic flows symmetrically, meaning that traffic from Google Cloud to on-premises uses the same VPN tunnel as traffic from on-premises to Google Cloud. Which best practice should they implement?

A. Use dynamic routing with BGP and ensure that the AS path length is the same on both sides.
B. Implement policy-based routing that forces traffic to and from specific subnets to use the same tunnel.
C. Deploy multiple VPN tunnels and use different priorities for each.
D. Use static routes pointing to the VPN tunnel on both sides.
Answer: B

Policy-based routing can enforce symmetric flows.

Why this answer

Option B is correct because policy-based routing (PBR) allows you to explicitly define forwarding rules based on source/destination IP addresses, ensuring that traffic from Google Cloud to on-premises uses the same VPN tunnel as the reverse direction. This enforces symmetric flow, which is critical for stateful firewalls and NAT devices that expect packets to arrive on the same interface they left. Dynamic routing (BGP) or static routes alone do not guarantee symmetry unless combined with PBR or tunnel interface configurations.

Exam trap

Google Cloud often tests the misconception that dynamic routing protocols like BGP inherently provide symmetric routing, but in reality, BGP only controls the best path selection independently on each router, so without additional configuration (e.g., PBR or tunnel interface binding), traffic can easily become asymmetric.

How to eliminate wrong answers

Option A is wrong because BGP with equal AS path length does not enforce symmetric traffic flow; BGP selects the best path based on multiple attributes, and the return path is determined independently by the remote router, so asymmetry can still occur. Option C is wrong because deploying multiple VPN tunnels with different priorities (e.g., using route metrics) only controls which tunnel is preferred for outbound traffic, but the return path is decided by the remote side, which may not match the priority settings. Option D is wrong because static routes pointing to the VPN tunnel on both sides do not guarantee symmetry; if the on-premises router has multiple equal-cost paths or a different routing table, return traffic could take a different tunnel, breaking symmetry.

116
MCQ · hard

A network engineer has configured a Dedicated Interconnect with a VLAN attachment and Cloud Router. BGP sessions are up and routes are exchanged. However, traffic from a specific on-premises subnet is not reaching a VPC instance. The route table shows a custom static route with priority 1000 for that subnet pointing to a VPN tunnel, and a BGP learned route with priority 100 for the same subnet via Interconnect. What is the most likely reason for the traffic not using the Interconnect route?

A. The BGP route's next hop is not reachable due to a missing firewall rule on the on-premises side
B. Route propagation is disabled on the Cloud Router
C. VPC firewall rules are blocking traffic on the Interconnect VLAN attachment
D. The BGP route has a lower MED than the static route
Answer: A

If the on-premises next hop is unreachable, Cloud Router cannot forward traffic, causing a blackhole.

Why this answer

The BGP route with priority 100 is preferred over the static route with priority 1000. However, if the BGP route's next hop is not reachable (e.g., due to a missing firewall rule on the on-premises side blocking the necessary ICMP or BGP session traffic), the route will be considered invalid and not installed in the routing table. This causes traffic to fall back to the less preferred static route via the VPN tunnel, explaining why the Interconnect path is not used.

Exam trap

Google Cloud often tests the misconception that route priority alone determines path selection, but the trap here is that a BGP route with a lower priority value (that is, a more preferred route) can still be invalid if its next hop is unreachable, causing the router to fall back to the static route with the higher priority value instead.

How to eliminate wrong answers

Option B is wrong because route propagation is enabled by default on Cloud Router when BGP sessions are up and routes are exchanged, as stated in the scenario. Option C is wrong because VPC firewall rules apply to instances, not to the Interconnect VLAN attachment itself; the attachment operates at Layer 2/3 and is not subject to VPC firewall rules. Option D is wrong because MED is a BGP attribute used for path selection among multiple paths from the same AS, but a static route (priority 1000) is always less preferred than a BGP route (priority 100) regardless of MED values.

117
Multi-Select · hard

A Cloud VPN with dynamic routing (BGP) is established between an on-premises network and Google Cloud. The on-premises BGP router is advertising a default route (0.0.0.0/0). The Cloud Router in Google Cloud is receiving this route, but network traffic from Google Cloud VMs to the internet is not being routed through the VPN. Which THREE troubleshooting steps should you take? (Choose three.)

Select 3 answers
A. Verify that the VPC's dynamic routing mode is set to 'global' if using regional routing.
B. Check VPC firewall rules to ensure they allow egress traffic from VMs.
C. Check the route priority (preference) of the default route learned via BGP compared to the default internet gateway route.
D. Verify that the Cloud Router is configured to advertise the default route to the VPC.
E. Ensure that the on-premises router is sending the default route with a higher local preference.
Answers: A, C, D

Global routing ensures the default route is propagated to all regions.

Why this answer

Option A is correct because the VPC's dynamic routing mode determines the scope of route propagation. If the VPC uses regional dynamic routing, Cloud Router only propagates routes within the region where the VPN tunnel is attached. A global dynamic routing mode is required for the BGP-learned default route to be available across all regions, ensuring VMs in any region can use the VPN for internet egress.

Exam trap

The trap here is that candidates often assume firewall rules are the issue when traffic fails to route, but the core problem is route selection and propagation—specifically, the default internet gateway route competing with the BGP-learned route, and the Cloud Router's advertisement settings.

118
Multi-Select · hard

A company currently uses Cloud VPN with dynamic routing to connect to Google Cloud. They want to migrate to Dedicated Interconnect without downtime. Which THREE steps should they take to achieve a seamless migration? (Choose three.)

Select 3 answers
A. Order and provision the Dedicated Interconnect
B. Configure BGP on the on-premises router for the Interconnect and start advertising routes
C. Create a new VLAN attachment and attach it to the existing Cloud Router to peer with both VPN and Interconnect
D. Decrease the BGP route priority (MED) on the VPN advertisements to make VPN less preferred
E. Update on-premises firewall rules to allow traffic over the new Interconnect
Answers: A, B, C

First, you need to have the physical connection ready.

Why this answer

Option A is correct because ordering and provisioning the Dedicated Interconnect is the foundational step to establish the physical connection between the on-premises network and Google Cloud. Without this, no migration can occur. This involves working with a Google Cloud partner to ensure the cross-connect is completed and the VLAN attachments are created.

Exam trap

Google Cloud often tests the misconception that firewall rules must be updated when migrating connectivity types, but in reality, the migration is driven by BGP route preference adjustments, not firewall changes.

119
MCQ · hard

An organization uses HA VPN with dynamic routing and active-active BGP sessions. One tunnel fails, but traffic continues to flow through the other tunnel. However, they notice increased latency. What is the most likely explanation?

A. BGP multipath is enabled, causing all traffic to be sent through the remaining tunnel.
B. The remaining tunnel is using a different encryption algorithm.
C. The BGP timers are misconfigured.
D. The failed tunnel's routes are still in the routing table.
Answer: A

With multipath, traffic is normally split; after failure, all traffic goes through one tunnel, potentially causing congestion.

Why this answer

When BGP multipath is enabled on an HA VPN with active-active BGP sessions, the router can load-balance traffic across multiple tunnels. If one tunnel fails, all traffic is redirected through the remaining tunnel, which can cause increased latency due to congestion or suboptimal path selection. The correct answer is A because this behavior directly explains the latency increase after a tunnel failure.

Exam trap

Google Cloud often tests the misconception that increased latency after a tunnel failure is due to routing table issues or encryption changes, when in fact it is the result of BGP multipath concentrating all traffic onto a single tunnel, causing congestion.

How to eliminate wrong answers

Option B is wrong because encryption algorithms (e.g., AES-128 vs AES-256) affect security and CPU overhead, not latency in a way that would suddenly increase after a tunnel failure; the remaining tunnel would have been using the same algorithm before the failure. Option C is wrong because misconfigured BGP timers (e.g., keepalive or hold timers) would cause session instability or flapping, not a gradual latency increase after a single tunnel failure. Option D is wrong because if the failed tunnel's routes were still in the routing table, traffic would attempt to use the failed tunnel and result in packet loss or blackholing, not increased latency; BGP withdraws routes from the failed tunnel upon session loss.

120
MCQ · medium

A company has a Dedicated Interconnect connection between their on-premises data center and Google Cloud. They have two VLAN attachments (vlan-100 and vlan-200) connected to two separate Cloud Routers in the same region. Each Cloud Router has a BGP session with the on-premises router. The on-premises router advertises the same prefixes (10.0.0.0/8) over both sessions. In Google Cloud, they have workloads in two different VPCs: VPC-A and VPC-B. They want traffic to VPC-A to use vlan-100, and traffic to VPC-B to use vlan-200. Cloud Router 1 is attached to VPC-A, Cloud Router 2 is attached to VPC-B. Currently, traffic from on-premises to VPC-A sometimes goes through vlan-200, causing asymmetric routing. What configuration change should they make to ensure traffic is symmetric?

A. Set a higher MED on the on-premises router for routes advertised to vlan-200, making vlan-100 preferred for all traffic.
B. Configure static routes on the on-premises router to force traffic to VPC-A via vlan-100 and to VPC-B via vlan-200.
C. Create two separate VPCs and assign each VLAN attachment to a different VPC.
D. Use BGP community tags on the on-premises router to label routes for VPC-A and VPC-B, and configure route priority on Cloud Router to match these communities.
Answer: D

BGP communities allow granular route manipulation, ensuring traffic for each VPC uses the designated attachment.

Why this answer

Option D is correct because BGP community tags allow the on-premises router to tag routes for VPC-A and VPC-B differently. Cloud Router can then use these community tags to influence route priority (e.g., via local preference or MED matching), ensuring that traffic to VPC-A is always routed through vlan-100 and traffic to VPC-B through vlan-200, solving the asymmetric routing issue without relying on static routes or MED manipulation that would affect all traffic.

Exam trap

The trap here is that candidates often assume MED or static routes can solve asymmetric routing, but they overlook that MED affects all routes from a neighbor and static routes on-premises cannot control Google Cloud's return path selection, whereas BGP communities provide the necessary granularity to influence path selection per prefix in both directions.

How to eliminate wrong answers

Option A is wrong because setting a higher MED on the on-premises router for routes advertised to vlan-200 would make vlan-100 preferred for all prefixes, not just those destined for VPC-A; this would force all traffic through vlan-100, breaking the requirement for VPC-B traffic to use vlan-200. Option B is wrong because static routes on the on-premises router cannot override BGP-learned routes on the Google Cloud side; the asymmetric routing occurs because Google Cloud's Cloud Routers may still prefer the alternate path due to equal-cost multi-path (ECMP) or BGP best-path selection, and static routes on-premises do not control return path selection in Google Cloud. Option C is wrong because the two VLAN attachments are already connected to separate VPCs (VPC-A and VPC-B) via their respective Cloud Routers; creating two separate VPCs again would not change the routing behavior—the issue is that both Cloud Routers receive the same prefix (10.0.0.0/8) and Google Cloud may load-balance or choose the wrong path, not a VPC attachment problem.

121
MCQ · hard

A large enterprise has two on-premises data centers (DC1 and DC2) connected to Google Cloud via two separate VPN tunnels to the same VPC. Each tunnel terminates on a different Cloud VPN gateway (gateway1 in us-east1, gateway2 in us-west1). The on-premises routers advertise the same CIDR 172.16.0.0/12 from both DCs. Cloud Router is configured with BGP and uses default route priority. You notice that after a failover event where one tunnel goes down, traffic continues to flow, but there is a significant increase in latency for traffic coming from GCP to on-premises. You verify that both tunnels have re-established. What is the most likely cause of the increased latency?

A. The on-premises routers are using site-to-site VPN between themselves causing a routing loop
B. The on-premises routers do not use AS path prepending to prefer the local DC's path for the prefix
C. The Cloud VPN tunnels are using different preshared keys
D. Bidirectional Forwarding Detection (BFD) is not enabled on the Cloud VPN tunnels
Answer: B

Without AS path prepending, GCP may choose a suboptimal path (e.g., sending DC1 traffic via DC2) if the routes have equal AS path length, causing increased latency.

Why this answer

When both on-premises routers advertise the same CIDR (172.16.0.0/12) to Google Cloud via BGP, Cloud Router selects the path with the shorter AS path length by default. Without AS path prepending on the backup DC's router, both routes have equal AS path length, causing Cloud Router to load-balance or pick a suboptimal path after failover. After the tunnel re-establishes, traffic from GCP may still be routed to the remote DC (e.g., DC2) instead of the local DC (DC1), resulting in higher latency due to cross-country or inter-DC transit.

Exam trap

Google Cloud often tests the misconception that increased latency after failover is due to a routing loop or BFD misconfiguration, when the real issue is the lack of AS path prepending to influence BGP path selection for the same prefix advertised from multiple locations.

How to eliminate wrong answers

Option A is wrong because site-to-site VPN between on-premises routers would not cause a routing loop in this scenario; the increased latency is due to suboptimal path selection, not a loop. Option C is wrong because different preshared keys would prevent the VPN tunnels from establishing at all, not cause increased latency after re-establishment. Option D is wrong because BFD is used for fast failure detection, not for influencing path selection or latency after tunnels are up; its absence would delay failover detection, not increase latency post-failover.

122
Multi-Select · medium

A company is using Cloud Interconnect with multiple VLAN attachments. They want to implement traffic shaping to prioritize real-time traffic over bulk transfers. Which THREE actions should they take?

Select 3 answers
A. Set up Cloud Router with BGP QoS policies to match DSCP values
B. Enable Cloud NAT to handle traffic shaping
C. Create VPC firewall rules to classify traffic based on source/destination
D. Configure DSCP markings on the on-premises routers for different traffic types
E. Use VPC flow logs to identify heavy traffic flows
Answers: A, C, D

Cloud Router can apply QoS based on DSCP.

Why this answer

Option A is correct because Cloud Router with BGP QoS policies can match DSCP values to prioritize traffic. By configuring BGP QoS policies, you can map specific DSCP values to different traffic classes, allowing Cloud Interconnect to apply traffic shaping that prioritizes real-time traffic (e.g., VoIP) over bulk transfers. This leverages BGP community attributes to signal QoS requirements across the hybrid connection.

Exam trap

The trap here is that candidates confuse monitoring tools (VPC flow logs) or unrelated services (Cloud NAT) with traffic shaping mechanisms, overlooking that DSCP marking and BGP QoS policies are the correct approach for prioritizing traffic on Cloud Interconnect.

123
MCQ · easy

A company needs private connectivity between its on-premises data center and Google Cloud with consistent low latency and high throughput. The on-premises location is close to a Google Cloud point of presence that supports Dedicated Interconnect. The company expects to use more than 10 Gbps of bandwidth in the near future. Which connectivity solution should they choose?

A. Dedicated Interconnect
B. Partner Interconnect
C. HA VPN with dynamic routing
D. Cloud VPN with static routing
Answer: A

Dedicated Interconnect provides a direct, private connection with low latency and high bandwidth (10/100 Gbps) suitable for growing needs.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between the on-premises data center and Google Cloud, offering consistent low latency and high throughput. Since the on-premises location is near a Google Cloud point of presence that supports Dedicated Interconnect and the bandwidth requirement exceeds 10 Gbps (Dedicated Interconnect supports up to 10 Gbps per circuit, with multiple circuits for higher aggregate bandwidth), this is the optimal solution.

Exam trap

Google Cloud often tests the misconception that Partner Interconnect is equivalent to Dedicated Interconnect for high-bandwidth needs, but the key trap is that Partner Interconnect introduces a third-party provider's network, which cannot guarantee the same consistent low latency and throughput as a direct physical connection.

How to eliminate wrong answers

Option B is wrong because Partner Interconnect relies on a third-party service provider's network, which introduces additional latency and potential throughput variability, and typically supports lower bandwidths (up to 10 Gbps per VLAN attachment) compared to Dedicated Interconnect's direct physical links. Option C is wrong because HA VPN with dynamic routing uses the public internet or a third-party network, cannot guarantee consistent low latency or high throughput, and is limited to bandwidths far below 10 Gbps (typically up to 3 Gbps per tunnel). Option D is wrong because Cloud VPN with static routing also uses the public internet, lacks the performance guarantees needed for >10 Gbps, and static routing does not provide the redundancy or dynamic failover required for enterprise-grade hybrid connectivity.

124
MCQ · medium

An engineer is configuring Dedicated Interconnect between an on-premises data center and Google Cloud. Cloud Router is set up with BGP sessions. The BGP session remains in Idle state. Which of the following is the most likely cause?

A.The Cloud Router's BGP IP address is not in the same subnet as the on-premises router's interface.
B.The on-premises router is not advertising the Google Cloud VPC subnet routes.
C.The interconnect is not configured with redundant links.
D.The VLAN attachment is not in the same region as the Cloud Router.
Answer: A

IP mismatch is a common cause of BGP Idle state.

Why this answer

The BGP session remains in Idle state because the Cloud Router's BGP IP address is not in the same subnet as the on-premises router's interface. For BGP peering over Dedicated Interconnect, the two routers must be directly connected at Layer 3, meaning their BGP peer IP addresses must belong to the same /30 or /31 subnet. If they are in different subnets, the TCP connection for BGP cannot be established, keeping the session in Idle state.

Exam trap

The trap here is that candidates often confuse BGP session states with route advertisement issues, assuming missing routes cause Idle state, when in fact Idle state is a Layer 3 connectivity problem, not a routing policy problem.

How to eliminate wrong answers

Option B is wrong because the on-premises router not advertising the Google Cloud VPC subnet routes would not cause the BGP session to remain in Idle state; it would instead cause routes to be missing from the routing table after the session is established. Option C is wrong because redundant links are not required for a single BGP session to transition out of Idle state; redundancy affects high availability, not the initial BGP peering process. Option D is wrong because the VLAN attachment must be in the same region as the Cloud Router for the interconnect to function, but if it were not, the BGP session would not even be configured or would fail at a lower layer, not specifically remain in Idle state.

125
Multi-Select · hard

A company has a Hybrid Connectivity setup using Cloud VPN with BGP. They want to migrate to Dedicated Interconnect for better performance. During the migration, they need to avoid downtime. Which THREE steps should they take?

Select 3 answers
A.Set a lower local preference on the Interconnect BGP session
B.Remove the VPN tunnels immediately after Interconnect is up
C.Provision the Dedicated Interconnect and VLAN attachments
D.Configure BGP on the Interconnect with a higher local preference than the VPN
E.Gradually withdraw VPN routes after verifying Interconnect traffic
Answers: C, D, E

Must have the Interconnect physical path ready.

Why this answer

Option C is correct because provisioning the Dedicated Interconnect and VLAN attachments is the foundational step to establish the new high-performance connection. Without this, there is no physical or logical path to migrate traffic onto. This must be done before any BGP configuration or route manipulation can occur.

Exam trap

Google Cloud often tests the misconception that you should immediately remove the old connection (VPN tunnels) once the new one (Interconnect) is up, but the correct approach is to gracefully shift traffic using BGP attributes and then decommission the old path only after verification.

126
Multi-Select · medium

Which TWO of the following are required steps to set up a Dedicated Interconnect?

Select 2 answers
A.Create an interconnect (physical connection) in the colocation facility
B.Establish a VPN tunnel as a backup
C.Create a Cloud Router and VLAN attachment
D.Deploy a Google-provided router in the colocation facility
E.Configure MD5 authentication on the BGP session
Answers: A, C

The physical cross-connect is necessary.

Why this answer

Creating an interconnect (physical connection) in the colocation facility is a required step because Dedicated Interconnect requires a direct, physical cross-connect between your on-premises router and a Google Cloud edge router at a colocation facility. This physical link is the foundation of the dedicated, high-bandwidth connection, and without it, no Layer 2 or Layer 3 connectivity can be established.

Exam trap

Google Cloud often tests the misconception that you must deploy a Google-provided router in the colocation facility, but in reality, you use your own router and Google provides only the edge router in their network.

127
MCQ · hard

A Dedicated Interconnect VLAN attachment is in ACTIVE state. The Cloud Router has learned routes from on-premises, and the on-premises router has learned routes from GCP. However, traffic from on-premises to a GCP VM fails. What should the engineer check first?

A.Check firewall rules on the GCP VPC for ingress from the on-premises range.
B.Confirm that the Cloud Router is advertising the on-premises subnets back to the VPC.
C.Verify that the VPC subnet routes exist in the routing table.
D.Both A and C.
Answer: D

Both firewall rules and Cloud Router advertisement must be verified.

Why this answer

The correct answer is D because both firewall rules and VPC subnet routes must be in place for traffic to reach a GCP VM. Even if the VLAN attachment is ACTIVE and routes are exchanged, the VPC firewall must permit ingress from the on-premises range, and the VPC subnet routes must exist in the routing table for the VM's subnet. Without both, traffic will be dropped or not forwarded.

Exam trap

Google Cloud often tests the misconception that route exchange alone guarantees connectivity, but in GCP, both firewall rules and subnet routes are mandatory for traffic to reach a VM, even when the interconnect is ACTIVE and BGP sessions are established.

How to eliminate wrong answers

Option A is wrong because checking only firewall rules is insufficient; the VPC subnet routes must also exist for the traffic to be routed to the VM. Option B is wrong because the Cloud Router advertising on-premises subnets back to the VPC is not required for traffic from on-premises to GCP; the on-premises router already learned GCP routes, and the Cloud Router's job is to advertise GCP routes to on-premises, not the reverse. Option C is wrong because verifying only subnet routes ignores the firewall rules that control ingress traffic; both are necessary.

128
Multi-Select · medium

Which TWO statements about HA VPN are correct?

Select 2 answers
A.Both VPN gateways must be in the same region.
B.It uses IKEv1 by default.
C.It supports both active-active and active-passive modes.
D.It supports static routing as well as dynamic routing.
E.It requires two Cloud VPN gateways.
Answers: C, E

HA VPN can be configured in either mode depending on redundancy needs.

Why this answer

Option C is correct because HA VPN supports both active-active and active-passive modes. In active-active mode, both tunnels forward traffic simultaneously, while in active-passive mode, one tunnel is used as a standby. This flexibility allows HA VPN to meet different high-availability and load-balancing requirements.

Exam trap

Google Cloud often tests the misconception that HA VPN requires both gateways in the same region or that it supports static routing, but the correct understanding is that HA VPN uses dynamic routing (BGP) and allows gateways in different regions.

129
Multi-Select · medium

Which THREE factors can affect the throughput of a Cloud VPN tunnel? (Choose three.)

Select 3 answers
A.VM instance types
B.Number of tunnels
C.Tunnel type (route-based vs policy-based)
D.Encryption algorithm
E.On-premises router CPU capacity
Answers: C, D, E

Different tunnel types have different overheads.

Why this answer

Tunnel type (route-based vs policy-based) affects throughput because route-based tunnels (e.g., using BGP or static routes) can leverage ECMP and do not require per-flow policy lookups, reducing CPU overhead. Policy-based tunnels require the VPN gateway to evaluate each packet against a security policy, which adds latency and can limit throughput, especially under high traffic loads.

Exam trap

Google Cloud often tests the misconception that VM instance types or the number of tunnels directly control VPN throughput, when in reality the tunnel type, encryption algorithm, and on-premises router CPU are the primary factors that limit or enhance throughput.

130
MCQ · easy

A company requires a dedicated connection from their on-premises data center to Google Cloud with a guaranteed SLA of 99.99% and bandwidth starting at 10 Gbps. Which connectivity option meets these requirements?

A.Direct Peering
B.Cloud VPN
C.Dedicated Interconnect
D.Partner Interconnect
Answer: C

Offers 10 Gbps or higher and 99.99% SLA.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between your on-premises network and Google Cloud, supporting bandwidths of 10 Gbps or 100 Gbps per circuit. It offers a 99.99% or 99.999% SLA depending on the configuration (e.g., dual connections with diverse paths), meeting the guaranteed SLA and bandwidth requirements specified in the question.

Exam trap

Google Cloud often tests the misconception that Partner Interconnect can match Dedicated Interconnect's SLA and bandwidth guarantees, but Partner Interconnect's SLA is typically limited to the partner's network and does not meet the 99.99% requirement without additional redundancy from the partner.

How to eliminate wrong answers

Option A is wrong because Direct Peering is a public peering arrangement that does not provide a dedicated connection, offers no SLA, and bandwidth is not guaranteed at 10 Gbps. Option B is wrong because Cloud VPN uses the public internet with IPsec tunnels, providing no SLA and typically supporting lower bandwidth (up to 3 Gbps per tunnel with HA VPN). Option D is wrong because Partner Interconnect relies on a third-party service provider and does not guarantee a 99.99% SLA or 10 Gbps bandwidth directly from Google; the SLA and bandwidth depend on the partner's infrastructure.

131
MCQ · easy

Your organization has a site-to-site Cloud VPN connection between an on-premises network with CIDR 10.0.0.0/8 and a VPC in us-central1 with subnet 192.168.1.0/24. The VPN tunnel is established, but you cannot reach a Compute Engine instance with internal IP 192.168.1.10 from a server on-premises with IP 10.0.0.50. Cloud VPN logs show no errors. On-premises firewall rules allow all outbound traffic. What is the most likely cause of the problem?

A.A firewall rule on the VPC blocking inbound traffic from 10.0.0.0/8
B.Missing a static route on the on-premises router for 192.168.1.0/24 pointing to the VPN gateway
C.The Compute Engine instance's OS firewall blocking ICMP
D.Incorrect IAM permissions on the Cloud VPN gateway
Answer: B

Without a proper route on-premises, traffic to GCP may not be forwarded to the VPN peer.

Why this answer

The VPN tunnel is established and Cloud VPN logs show no errors, indicating the cloud side is configured correctly. However, the on-premises server at 10.0.0.50 cannot reach 192.168.1.10 because the on-premises router lacks a static route for the VPC subnet 192.168.1.0/24 pointing to the VPN gateway. Without this route, the on-premises router does not know to send traffic destined for 192.168.1.0/24 through the VPN tunnel, so packets are dropped or sent to the default gateway instead.

Exam trap

Google Cloud often tests the misconception that a successful VPN tunnel establishment implies full bidirectional connectivity, when in fact routing must be explicitly configured on both sides for traffic to flow.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules are stateful and by default allow inbound traffic from any source unless explicitly denied; the question states no errors in Cloud VPN logs, and a VPC firewall rule blocking 10.0.0.0/8 would generate logged denies, not a silent failure. Option C is wrong because the problem is about reachability at the network layer (IP routing), not the application layer; even if the instance's OS firewall blocks ICMP, the traffic would still reach the instance (the OS would receive it and drop it), but the symptom here is no connectivity at all, indicating a routing issue. Option D is wrong because IAM permissions control management of the VPN gateway (e.g., creating/modifying tunnels), not the data-plane forwarding of traffic through an established tunnel; the tunnel is up and logs show no errors, so IAM is irrelevant.

132
MCQ · easy

A small company is moving their on-premises application to Google Cloud. They have a single on-premises office with a small router that supports IPsec VPN. They need a simple and low-cost connectivity solution that provides encryption and a consistent experience. They anticipate low bandwidth needs (under 100 Mbps). They also want the ability to use BGP for dynamic routing to avoid manual route updates. Which Google Cloud service should they use?

A.Partner Interconnect
B.Cloud HA VPN with dynamic routing (BGP)
C.Cloud Classic VPN with static routes
D.Direct Peering
Answer: B

HA VPN supports dynamic routing, provides encryption, and is cost-effective for low bandwidth.

Why this answer

Cloud HA VPN with dynamic routing (BGP) is the correct choice because it provides an encrypted IPsec tunnel, supports BGP for automatic route exchange, and is a low-cost, simple solution for sub-100 Mbps bandwidth needs. It meets the requirement for a consistent experience without the complexity or cost of dedicated interconnect services.

Exam trap

The trap here is that candidates often confuse Cloud Classic VPN with static routes as sufficient for dynamic routing, but Cisco tests the distinction that static routes require manual updates while BGP provides automatic route exchange, making Cloud HA VPN the only correct option for dynamic routing with encryption at low cost.

How to eliminate wrong answers

Option A is wrong because Partner Interconnect is a dedicated, high-bandwidth connection (typically >1 Gbps) that requires a service provider and incurs higher costs, making it overkill for low bandwidth under 100 Mbps. Option C is wrong because Cloud Classic VPN with static routes does not support BGP for dynamic routing, requiring manual route updates which contradicts the requirement for dynamic routing. Option D is wrong because Direct Peering is a non-encrypted, direct connection to Google's network that does not provide IPsec encryption and is intended for high-volume traffic, not simple low-cost connectivity with encryption.

133
MCQ · easy

A network engineer is setting up Dedicated Interconnect and sees the output above. What does the 'encryption: IPSEC' field indicate about this VLAN attachment?

A.Traffic over this VLAN attachment is encrypted using IPsec
B.The attachment is using Cloud VPN as the underlying transport
C.The attachment requires a Cloud VPN tunnel in addition to the Interconnect
D.The attachment is using MACsec encryption at layer 2
Answer: A

IPsec encryption is enabled on this attachment.

Why this answer

The 'encryption: IPSEC' field in the VLAN attachment output for Dedicated Interconnect indicates that traffic traversing this attachment is encrypted using IPsec. This is a feature of Google Cloud's Dedicated Interconnect that allows you to enable IPsec encryption on the VLAN attachment itself, providing confidentiality and integrity for data in transit without requiring a separate Cloud VPN tunnel.

Exam trap

Google Cloud often tests the misconception that IPsec encryption on a VLAN attachment requires a separate Cloud VPN tunnel, but in reality, the encryption is a built-in feature of the attachment itself.

How to eliminate wrong answers

Option B is wrong because Cloud VPN is not the underlying transport; Dedicated Interconnect uses a direct physical connection between your on-premises network and Google's network, and IPsec encryption is applied on top of that direct link, not via a VPN tunnel. Option C is wrong because the IPsec encryption is configured directly on the VLAN attachment, so no additional Cloud VPN tunnel is required; the attachment itself handles the encryption. Option D is wrong because MACsec operates at Layer 2 (Ethernet) and uses different encryption mechanisms (IEEE 802.1AE), while the output explicitly states 'IPSEC', which is a Layer 3 protocol (RFC 4301).

134
Multi-Select · easy

Which TWO situations are most appropriate for using Partner Interconnect instead of Dedicated Interconnect?

Select 2 answers
A.When you need IPSec encryption
B.When 99.99% SLA is required
C.When data center space is limited and you cannot host a Google edge router
D.When bandwidth requirements exceed 10 Gbps per connection
E.When you want to leverage existing service provider connectivity
Answers: C, E

Partner handles the physical connection.

Why this answer

Options C and E are correct. C: when colocation space is limited, the partner can provide the connectivity. E: when an existing service provider already connects to Google.

B: a high SLA is better with Dedicated. D: bandwidth over 10 Gbps is better with Dedicated. A: HA VPN already provides encryption.

135
MCQ · hard

A network engineer configured a Cloud Router with the BGP configuration shown. The on-premises router (AS 64512) is peering with the Cloud Router (AS 65001) over a Dedicated Interconnect VLAN attachment. The engineer notices that traffic from on-premises to Google Cloud is not being routed via this interconnect as expected. What is the most likely cause?

A.The route-map SET-MED sets the MED attribute incorrectly
B.The ebgp-multihop 2 command is not supported on Cloud Router
C.The update-source loopback0 command is invalid for Cloud Router BGP sessions
D.The local-preference is set in the outbound direction, which is not allowed
Answer: C

Cloud Router requires the BGP session to use the link-local IP address, not a loopback.

Why this answer

Option C is correct because Cloud Router does not support the `update-source loopback0` command. BGP sessions on Cloud Router must use the primary IP address of the interface that is directly connected to the VLAN attachment; loopback interfaces are not supported for BGP peering. This command would cause the Cloud Router to attempt to source BGP packets from a loopback address that is not reachable by the on-premises router, breaking the BGP session.

Exam trap

Google Cloud often tests the misconception that Cloud Router supports the same BGP commands as a physical Cisco router, leading candidates to overlook the fact that Cloud Router is a managed service with a restricted feature set, particularly regarding interface sourcing and multihop capabilities.

How to eliminate wrong answers

Option A is wrong because the MED attribute is typically used to influence inbound traffic from a peer, and while a route-map SET-MED could affect path selection, it would not prevent traffic from being routed via the interconnect; the issue is that traffic is not being routed at all, not that it is taking a suboptimal path. Option B is wrong because `ebgp-multihop` is not a command used on Cloud Router; Cloud Router does not support ebgp-multihop, but the absence of this command would not cause the described issue: the session would simply require direct connectivity. Option D is wrong because setting local-preference in the outbound direction is allowed and is a common practice to influence inbound traffic; however, local-preference is a well-known mandatory attribute that is sent to eBGP peers by default, and setting it outbound does not break routing.

136
MCQ · medium

Refer to the exhibit. An engineer has configured HA VPN with two tunnels (tunnel-a and tunnel-b) to an on-premises network. The BGP session for peer-b is in IDLE state. What is the most likely cause?

A.The Cloud Router is not in the same region as the VPN gateway.
B.The on-premises router is not advertising any routes.
C.The pre-shared key for tunnel-b is incorrect.
D.The on-premises router's BGP configuration for peer-b has a wrong IP address.
Answer: D

IP mismatch causes BGP IDLE state; tunnel status indicates VPN is up, so BGP configuration is likely the issue.

Why this answer

The BGP session for peer-b is in IDLE state, which typically indicates a TCP connection failure. Since tunnel-a is working, the Cloud Router and VPN gateway are correctly configured, and the issue is specific to peer-b. The most likely cause is that the on-premises router's BGP configuration for peer-b has the wrong IP address (e.g., the wrong BGP peer IP or the wrong Cloud Router interface IP), preventing the TCP handshake from completing.

Exam trap

Google Cloud often tests the distinction between BGP session states and tunnel/encryption failures; the trap here is that candidates assume any BGP issue is caused by route advertisement problems, when in fact the IDLE state points to a TCP connectivity issue, such as a wrong peer IP address.

How to eliminate wrong answers

Option A is wrong because the Cloud Router must be in the same region as the VPN gateway for HA VPN to function; if it were not, tunnel-a would also fail, but it is working. Option B is wrong because the BGP session being in IDLE state is a transport-layer issue (TCP connection not established), not a routing advertisement issue; even if no routes are advertised, the BGP session would reach Established state with no prefixes. Option C is wrong because an incorrect pre-shared key would cause IKE/IPsec authentication failure, not a BGP IDLE state; the BGP session would not even attempt to start if the tunnel is down.

137
MCQ · easy

A company wants to connect its on-premises data center to Google Cloud. They have a single VPN appliance on-premises and need high availability for the connection. Which architecture provides the most cost-effective high availability solution?

A.Deploy Cloud HA VPN with two interfaces, each with its own external IP address, and configure two tunnels to the on-premises VPN appliance.
B.Use a single Cloud Classic VPN tunnel with a static route.
C.Deploy two Cloud Classic VPN gateways in the same region, each with one tunnel to the on-premises VPN appliance.
D.Deploy Cloud HA VPN with one interface and one external IP address, and configure a single tunnel to the on-premises appliance.
Answer: A

HA VPN uses two external IPs and two tunnels, providing automatic failover and high availability.

Why this answer

Option A is correct because Cloud HA VPN uses two external IP addresses per tunnel and automatically provides high availability by using two VPN gateways in different regions. Option C is incorrect because using two Cloud VPN gateways in the same region does not protect against zonal failure. Option B is incorrect because a single Classic VPN tunnel is not highly available.

Option D is incorrect because HA VPN with a single IP per tunnel is not supported; HA VPN requires at least two IPs.

138
Multi-Select · easy

Which TWO configurations provide high availability for Dedicated Interconnect? (Choose two.)

Select 2 answers
A.Two connections to different PoPs.
B.A single circuit with L2 redundancy.
C.Using Cloud NAT for failover.
D.A single connection from one provider.
E.Two connections to the same PoP.
Answers: A, E

Geographic redundancy for higher availability.

Why this answer

Option A is correct because connecting to two different Points of Presence (PoPs) provides geographic redundancy; if one PoP fails, traffic can be rerouted through the other. Option E is correct because two connections to the same PoP provide link-level redundancy; if one circuit fails, the other can continue carrying traffic, and BGP can be used to load-balance or failover between them.

Exam trap

Google Cloud often tests the misconception that a single circuit with L2 redundancy (like LACP) is sufficient for high availability, but for Dedicated Interconnect, true HA requires multiple physical circuits (either to the same PoP or different PoPs) with BGP-based failover.

139
MCQ · hard

A company is designing an HA VPN to connect their on-premises data center to Google Cloud VPC. The on-premises router supports two independent interfaces with public IPs. They want to achieve 99.99% availability for the VPN connection, understanding that HA VPN uses two tunnels and two Cloud Router instances. Which configuration meets this goal?

A.Two tunnels: both tunnels from the same on-premises interface to two different Cloud Router instances
B.Two tunnels: each tunnel from a separate on-premises interface to the same Cloud Router instance
C.Four tunnels: two tunnels from each on-premises interface to the same Cloud Router instance
D.Four tunnels: one tunnel from each on-premises interface to each Cloud Router instance, totaling four BGP sessions
Answer: D

This provides full device and path redundancy suitable for 99.99% availability.

Why this answer

Option D is correct because HA VPN requires at least two Cloud Router instances and two tunnels from each on-premises interface to each Cloud Router instance to achieve 99.99% availability. This configuration creates four BGP sessions, ensuring that if one on-premises interface, one Cloud Router, or one tunnel fails, traffic can still flow through the remaining paths. The design leverages both redundancy of interfaces and redundancy of Cloud Routers to meet the high availability SLA.

Exam trap

The trap here is that candidates often think two tunnels (one per interface) to the same Cloud Router is sufficient, but they overlook that the Cloud Router itself is a single point of failure, and HA VPN requires redundancy at both the on-premises and Cloud Router layers to achieve 99.99% availability.

How to eliminate wrong answers

Option A is wrong because using the same on-premises interface for both tunnels creates a single point of failure at the on-premises side; if that interface fails, both tunnels go down, violating the 99.99% availability goal. Option B is wrong because both tunnels terminate on the same Cloud Router instance, which is a single point of failure in the Google Cloud side; if that Cloud Router fails, all BGP sessions are lost. Option C is wrong because four tunnels from two interfaces to the same Cloud Router instance still leaves the Cloud Router as a single point of failure, and the BGP sessions are not fully redundant across Cloud Routers.

140
MCQ · easy

A network engineer is configuring Cloud Router for Dedicated Interconnect. The on-premises router is advertising a route to 10.1.0.0/16. The engineer wants to ensure that Google Cloud always prefers this route over other routes learned from different on-premises routers. Which BGP attribute should be set on the on-premises router?

A.NEXT_HOP
B.AS_PATH
C.LOCAL_PREF
D.MED
Answer: D

Lower MED makes the route more preferred for inbound traffic from on-premises.

Why this answer

MED (Multi-Exit Discriminator) is the correct BGP attribute to influence inbound traffic from Google Cloud to prefer a specific on-premises router when multiple paths exist. By setting a lower MED value on the on-premises router, the Cloud Router will select that route over others with higher MED values, ensuring Google Cloud always prefers this path for traffic destined to 10.1.0.0/16.

Exam trap

The trap here is that candidates often confuse LOCAL_PREF (used for outbound path selection within an AS) with MED (used for inbound path selection between ASes), leading them to incorrectly choose LOCAL_PREF when the question asks about influencing Google Cloud's route preference from on-premises routers.

How to eliminate wrong answers

Option A is wrong because NEXT_HOP is a mandatory BGP attribute that specifies the IP address of the next-hop router, not a metric for path selection; it cannot influence route preference. Option B is wrong because AS_PATH is used for loop prevention and path selection (shorter AS_PATH is preferred), but it is not the attribute to force preference for a specific on-premises router; modifying AS_PATH artificially is not the intended mechanism. Option C is wrong because LOCAL_PREF is a well-known discretionary attribute used to influence outbound traffic from an AS, not inbound traffic; it is set within the local AS and not exchanged between peers, so it cannot be set on the on-premises router to affect Google Cloud's path selection.

141
MCQ · easy

Which Google Cloud hybrid connectivity option can be configured without using BGP?

A.Partner Interconnect
B.Dedicated Interconnect
C.HA VPN
D.Classic VPN with static routes
Answer: D

Classic VPN supports static routes, eliminating the need for BGP.

Why this answer

Option D is correct because Classic VPN can use static routes and does not require BGP. Options A, B, and C all require BGP for route exchange (Partner Interconnect, Dedicated Interconnect, and HA VPN all support or require dynamic routing with BGP).

142
MCQ · medium

An enterprise is using a 10 Gbps Dedicated Interconnect between their on-premises data center and Google Cloud. They measure throughput and find it is only 5 Gbps even though there is no congestion. The on-premises router is configured with a single VLAN attachment. What is the most likely cause?

A.BGP is not configured, causing routing loop
B.The on-premises router does not support full line rate
C.MTU mismatch between on-premises and Google Cloud
D.QoS policy is limiting throughput on Google Cloud side
Answer: B

The on-premises router may be the bottleneck.

Why this answer

A single VLAN attachment on a 10 Gbps Dedicated Interconnect means the on-premises router must handle all traffic through one physical interface. If the router lacks the forwarding capacity to process packets at 10 Gbps line rate, throughput will be capped at its maximum switching or routing performance, which in this case is 5 Gbps. This is a common hardware limitation, not a configuration or congestion issue.

Exam trap

Google Cloud often tests the misconception that throughput issues are always caused by configuration errors (e.g., MTU, BGP, QoS) rather than hardware limitations, leading candidates to overlook the router's actual forwarding capacity.

How to eliminate wrong answers

Option A is wrong because BGP is required for Dedicated Interconnect to exchange routes; without BGP, the interconnect would not establish connectivity at all, not just limit throughput to 5 Gbps. Option C is wrong because an MTU mismatch would cause packet fragmentation or drops, not a consistent 50% throughput reduction, and would typically manifest as packet loss or connectivity issues rather than a steady 5 Gbps cap. Option D is wrong because Google Cloud does not apply QoS policies that throttle throughput on Dedicated Interconnect attachments; throughput is limited by the on-premises router's capacity or the interconnect's bandwidth, not by cloud-side QoS.

143
MCQ · hard

An organization has a Dedicated Interconnect with two VLAN attachments connected to two different edge availability domains (EADs). They want to use a single Cloud Router for both attachments. How many BGP sessions should be established on the Cloud Router?

A.It depends on the redundancy requirements; typically two per attachment for active-active.
B.Four: two per VLAN attachment.
C.Two: one per VLAN attachment.
D.One: one session per Cloud Router.
Answer: A

For HA, each VLAN attachment should have two BGP sessions from two different on-premises routers, totaling four sessions.

Why this answer

Option A is correct because with a Dedicated Interconnect using two VLAN attachments in different edge availability domains (EADs), the recommended best practice for high availability is to establish two BGP sessions per VLAN attachment (one active and one redundant) on the same Cloud Router, resulting in four sessions total. However, the question asks 'how many BGP sessions should be established' and the correct answer acknowledges that it depends on the redundancy requirements; typically two per attachment for active-active, but if active-passive is acceptable, fewer sessions may suffice. This flexibility makes 'It depends' the most accurate choice.

Exam trap

The trap here is that candidates assume a fixed number of BGP sessions (e.g., two or four) without considering that the redundancy model (active-active vs. active-passive) dictates the session count, leading them to pick a definitive number rather than the flexible 'it depends' answer.

How to eliminate wrong answers

Option B is wrong because stating 'Four: two per VLAN attachment' is too rigid; while four sessions are common for active-active redundancy, the requirement may vary based on design choices (e.g., active-passive could use two sessions total). Option C is wrong because 'Two: one per VLAN attachment' assumes a single BGP session per attachment, which provides no redundancy and violates best practices for high availability across EADs. Option D is wrong because 'One: one session per Cloud Router' ignores the need for per-attachment BGP sessions and fails to account for the separate VLAN attachments in different EADs, which require distinct sessions to maintain path diversity.

144
Multi-Select · medium

A company has a Dedicated Interconnect connection between their on-premises data center and Google Cloud. They are experiencing intermittent connectivity issues on a specific VLAN attachment. The VLAN attachment is configured with a single Cloud Router and BGP sessions are established. Which two steps should they take to troubleshoot the issue? (Choose two.)

Select 2 answers
A.Verify the BGP session status on the Cloud Router.
B.Check the MTU configuration on the on-premises router.
C.Verify the physical interconnect location and cable connections.
D.Review the VLAN attachment status in the Google Cloud Console.
E.Review the Cloud NAT configuration for the VPC network.
Answers: A, D

Correct. BGP session flapping can cause intermittent connectivity.

Why this answer

Option A is correct because BGP session status on the Cloud Router directly indicates whether the routing protocol is functioning correctly between the on-premises router and Google Cloud. Intermittent connectivity on a VLAN attachment often stems from BGP flapping or session drops, which can be verified by checking the BGP state (e.g., Established, Idle, or Active) and associated error counters in the Google Cloud Console or via gcloud commands.

Exam trap

The trap here is that candidates often confuse physical layer issues (Option C) with logical layer problems, but the question specifies a single VLAN attachment, which points to a logical configuration error rather than a physical interconnect fault.
