CCNA Gcp Network Design Questions

28 of 103 questions · Page 2/2 · Gcp Network Design topic · Answers revealed

76 · MCQ · medium

An organization is deploying a global application and wants to use an Internal Load Balancer (ILB) across multiple regions. What is the correct configuration?

A. Use a cross-region ILB by enabling global access
B. Use an Internal TCP/UDP Load Balancer in one region and route traffic via Cloud VPN
C. Deploy an ILB in each region and use DNS to route traffic
D. Use a global External Load Balancer with internal backends
Answer: C

Regional ILBs combined with DNS-based routing provide global internal load balancing.

Why this answer

Option C is correct because the Internal TCP/UDP Load Balancer (today called the internal passthrough Network Load Balancer) is a regional resource, and Google Cloud has no cross-region version of it. To distribute traffic across multiple regions you deploy a separate regional ILB in each region and use DNS-based routing (for example Cloud DNS routing policies with geolocation or weighted records) to steer clients to the regional frontend nearest them. This gives regional high availability and global reach without exposing internal IPs externally. One caveat for real deployments: Google Cloud does offer a cross-region internal Application Load Balancer for HTTP(S) traffic, so the regional-only statement applies to the passthrough TCP/UDP ILB this question describes.

Exam trap

Google Cloud often tests the misconception that 'global access' turns an Internal Load Balancer into a cross-region one. Global access only lets clients in any region of the same VPC network (or a network connected to it) reach a regional ILB frontend; the load balancer and its backends stay in one region, so it does not balance across regions.

How to eliminate wrong answers

Option A is wrong because enabling global access does not create a cross-region ILB: it is a setting on the internal forwarding rule that widens which clients may reach the regional frontend, not where the backends live. Option B is wrong because hairpinning traffic from a single-region ILB to other regions over Cloud VPN adds latency and complexity, defeats the purpose of a global application, and provides no multi-region load balancing. Option D is wrong because a global external load balancer publishes the application on an external IP address, which violates the requirement that the service stay internal; its backends can be VMs without external IPs, but the frontend is still reachable from the internet.

77 · Drag & Drop · medium

Drag and drop the steps to create a VPC with custom subnet mode in Google Cloud into the correct order.


Why this order

Custom subnet mode means no subnets are created for you. The order is: name the VPC network, select custom subnet creation mode, then define each subnet yourself (name, region and primary IP range, plus any secondary ranges) before placing resources in it.

78 · MCQ · easy

A company has a VPC with three subnets and multiple firewall rules. They want to ensure that the most specific firewall rule takes precedence when there is a conflict. What is the default evaluation order of firewall rules?

A. Egress rules are evaluated before ingress rules.
B. The rule with the highest priority (lowest priority number) is evaluated first.
C. The more restrictive rule (with smaller IP range) is applied first.
D. Rules are evaluated in the order they were created.
Answer: B

Lower priority number = higher priority; rules are evaluated from high to low priority, and the first match decides.

Why this answer

In Google Cloud VPC firewall rules, evaluation order is determined by priority. Each rule carries a priority from 0 to 65535 (lower number = higher priority), and rules are evaluated from the lowest number upward. The first rule that matches the traffic decides: its action (allow or deny) is applied and no lower-priority rule is consulted for that flow. If no rule matches, the implied rules apply (allow all egress, deny all ingress, both at priority 65535).

Exam trap

Google Cloud often tests the misconception that firewall rules are evaluated based on specificity (most restrictive wins) or creation order, but GCP explicitly uses a numeric priority system where lower numbers take precedence, not the breadth of the rule's match criteria.

How to eliminate wrong answers

Option A is wrong because there is no precedence between directions: ingress and egress rules are evaluated separately, each against the rules of its own direction, using their priority numbers. Option C is wrong because specificity is not a tiebreaker: a broad rule at priority 500 beats a narrower rule at priority 600 that matches the same traffic. When two applicable rules share the same priority, Google Cloud applies the deny rule in preference to the allow rule; range size plays no part. Option D is wrong because creation order has no effect on evaluation; only the priority field determines the sequence.
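The evaluation order described above, as an added example that is not part of the quiz page: a small Python model of VPC firewall evaluation over a constructed rule set. It walks rules by priority number, prefers deny over allow on a tie, falls back to the implied rules, and ignores both creation order and how narrow a rule is. The rule names, ranges and probe addresses are made up for illustration.

```python
# Added example (not code from the quiz page): a small model of Cloud VPC firewall rule
# evaluation. It demonstrates that the numeric priority decides which rule applies,
# with deny winning ties, and that rule specificity and creation order are irrelevant.
# The rule set and the probe addresses below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class FirewallRule:
    name: str
    priority: int                      # 0..65535; lower number = evaluated earlier
    direction: str                     # "INGRESS" or "EGRESS"
    action: str                        # "allow" or "deny"
    ranges: List[str]                  # source ranges (ingress) or destination ranges (egress)
    ports: Optional[List[int]] = None  # None means every port
    created_at: int = 0                # creation order; kept only to show it is ignored


def matches(rule: FirewallRule, direction: str, remote_ip: str, port: int) -> bool:
    """True if the rule applies to this flow (direction, remote address and port)."""
    if rule.direction != direction:
        return False
    addr = ip_address(remote_ip)
    if not any(addr in ip_network(r) for r in rule.ranges):
        return False
    return rule.ports is None or port in rule.ports


def evaluate(rules: List[FirewallRule], direction: str, remote_ip: str, port: int) -> Tuple[str, str]:
    """Return (action, rule_name) for one flow.

    Rules are walked from lowest priority number to highest; the first match is
    definitive. Among rules with the same priority, deny is preferred over allow.
    If nothing matches, the implied rules apply: egress is allowed, ingress denied.
    """
    order = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in order:
        if matches(rule, direction, remote_ip, port):
            return rule.action, rule.name
    implied = "allow" if direction == "EGRESS" else "deny"
    return implied, f"implied-{direction.lower()}"


def demo_rules() -> List[FirewallRule]:
    """Constructed rule set. The broad allow at 500 outranks the narrower deny at 600,
    and the two priority-700 rules show deny winning a tie regardless of creation order."""
    return [
        FirewallRule("allow-web-any", 500, "INGRESS", "allow", ["0.0.0.0/0"], [443], created_at=1),
        FirewallRule("deny-web-abuser", 600, "INGRESS", "deny", ["198.51.100.0/24"], [443], created_at=5),
        FirewallRule("allow-health-checks", 800, "INGRESS", "allow",
                     ["35.191.0.0/16", "130.211.0.0/22"], [80], created_at=2),
        FirewallRule("deny-db-any", 700, "INGRESS", "deny", ["10.0.0.0/8"], [3306], created_at=3),
        FirewallRule("allow-db-any", 700, "INGRESS", "allow", ["10.0.0.0/8"], [3306], created_at=4),
        FirewallRule("allow-ssh-corp", 1000, "INGRESS", "allow", ["203.0.113.0/24"], [22], created_at=6),
    ]


if __name__ == "__main__":
    rules = demo_rules()
    for flow in [("INGRESS", "198.51.100.9", 443), ("INGRESS", "10.2.3.4", 3306),
                 ("INGRESS", "35.191.1.1", 80), ("INGRESS", "203.0.113.5", 22),
                 ("INGRESS", "203.0.113.5", 8080), ("EGRESS", "8.8.8.8", 53)]:
        print(flow, "->", evaluate(rules, *flow))
```

The flow from 198.51.100.9 to port 443 is the instructive one: the /24 deny rule is more specific and was created later, yet the /0 allow rule at priority 500 is applied because it is evaluated first.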

79 · MCQ · medium

A company is designing a hybrid network between their on-premises data center and Google Cloud. They need high availability for traffic between the two environments and want to use Cloud VPN with dynamic routing. Which configuration ensures that if one VPN tunnel fails, traffic automatically fails over to the other tunnel without manual intervention?

A. Create one VPN tunnel and a static route with next hop set to the VPN gateway.
B. Use Cloud Interconnect instead of VPN, and configure two VLAN attachments.
C. Create two VPN tunnels to two separate peer VPN gateways on-premises, and use Cloud Router with BGP to advertise routes from both tunnels.
D. Create two VPN tunnels to the same peer VPN gateway, and configure equal-cost multi-path (ECMP) routing with static routes.
Answer: C

Cloud Router with BGP enables dynamic routing; with two tunnels, BGP withdraws the routes of the failed tunnel and traffic uses the remaining tunnel automatically.

Why this answer

Option C is correct because it uses two VPN tunnels to separate on-premises peer gateways with Cloud Router and BGP. BGP automatically handles failover by withdrawing routes from the failed tunnel and advertising routes via the healthy tunnel, ensuring traffic fails over without manual intervention. This meets the high availability and dynamic routing requirements specified in the question.

Exam trap

The trap here is that candidates assume two tunnels to the same peer gateway (Option D) provide high availability, overlooking that the single on-premises gateway is itself a point of failure and that static routes with ECMP do not give the automatic route withdrawal that BGP provides when a tunnel fails.

How to eliminate wrong answers

Option A is wrong because a single VPN tunnel with a static route provides no redundancy; if the tunnel fails, traffic is blackholed until someone changes the route. Option B is wrong because Cloud Interconnect with VLAN attachments is a dedicated circuit, not Cloud VPN, and the question explicitly requires Cloud VPN with dynamic routing. Option D is wrong because two tunnels to the same peer gateway share a single point of failure (if that gateway goes down, both tunnels fail), and static routes with ECMP do not provide dynamic failover; note that HA VPN tunnels in fact require BGP through Cloud Router, which is what Option C describes.

80 · Multi-Select · hard

Which THREE of the following are requirements for implementing a Global External HTTP(S) Load Balancer with an external backend?

Select 3 answers
A. The backend must be configured with Private Google Access.
B. The backend must support health checks from the load balancer's health check IP ranges.
C. The backend must have an SSL certificate installed.
D. Firewall rules must allow traffic from the load balancer's IP ranges.
E. The backend must have a public IP address or be accessible via internet.
Answers: B, D, E

Health checks must reach the backend, firewall rules must admit them, and an external backend must be reachable over the internet.

Why this answer

Option B is correct because the load balancer sends health checks from Google's health check ranges, 35.191.0.0/16 and 130.211.0.0/22; if the backend does not accept probes from these ranges, it is marked unhealthy and receives no traffic. Option D is correct for the same reason from the firewall side: for Compute Engine backends, an ingress allow rule for those ranges on the health check and serving ports must exist, because the implied rule denies all ingress. Option E is correct because an external backend (an internet NEG) is reached over the public internet from Google's proxies, so it needs a public IP address or an internet-resolvable, reachable hostname. Option A is wrong because Private Google Access lets VMs without external IPs reach Google APIs; it has nothing to do with load balancer backends. Option C is wrong because TLS terminates at the load balancer's frontend; a backend certificate only matters if the backend protocol itself is HTTPS, and it is not a requirement.

Exam trap

Google Cloud often tests knowledge of the exact ranges: for the global external HTTP(S) load balancer, health checks and proxied requests to Compute Engine backends both arrive from 130.211.0.0/22 and 35.191.0.0/16, so allowing only one of the two ranges, or the load balancer's own frontend IP, leaves backends unhealthy. Candidates also confuse these with the addresses the load balancer uses toward internet NEG backends, which are different and published separately in Google's documentation.
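A check a practitioner would run before trusting a backend's health, written here as an added example (not code from the page): given the source ranges a firewall rule allows, report which parts of the two Google health check ranges are still blocked. CIDR blocks are either nested or disjoint, so the computation reduces to containment tests plus `address_exclude` for a partially covered range. The allowed-range lists are constructed; the two Google ranges are the ones named in the explanation.

```python
# Added example (not code from the quiz page): given the source ranges a firewall rule
# allows, report which parts of Google's health check / proxy ranges for the global
# external HTTP(S) load balancer (35.191.0.0/16 and 130.211.0.0/22) remain blocked.
# The allowed-range lists used with it are constructed for illustration.
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List

HEALTH_CHECK_RANGES = ("35.191.0.0/16", "130.211.0.0/22")


def uncovered_ranges(allowed_source_ranges: Iterable[str],
                     required: Iterable[str] = HEALTH_CHECK_RANGES) -> List[str]:
    """Return the pieces of `required` not contained in any allowed range (empty = fully covered)."""
    allowed = [ip_network(a, strict=False) for a in allowed_source_ranges]
    remaining: List[IPv4Network] = []
    for req in (ip_network(r) for r in required):
        pieces = [req]
        for a in allowed:
            next_pieces = []
            for p in pieces:
                if p.subnet_of(a):
                    continue                                   # fully covered by this allowed range
                if a.subnet_of(p):
                    next_pieces.extend(p.address_exclude(a))   # partially covered: keep the rest
                else:
                    next_pieces.append(p)                      # disjoint: untouched
            pieces = next_pieces
        remaining.extend(pieces)
    return [str(p) for p in remaining]


def health_checks_allowed(allowed_source_ranges: Iterable[str]) -> bool:
    """True only when both Google ranges are entirely admitted."""
    return not uncovered_ranges(allowed_source_ranges)


if __name__ == "__main__":
    for rule_ranges in (["35.191.0.0/16", "130.211.0.0/22"], ["35.191.0.0/16"], ["0.0.0.0/0"]):
        print(rule_ranges, "-> missing:", uncovered_ranges(rule_ranges))
```

The output for `["35.191.0.0/16"]` is the common mistake: probes from 130.211.0.0/22 are still dropped, so some health checks fail and the backend flaps or is marked unhealthy.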

81 · MCQ · hard

A company has deployed a Global External HTTP(S) Load Balancer with a backend service that points to an instance group in us-central1. The load balancer's frontend uses a reserved static external IP address. Users in Europe report high latency, while users in Asia cannot reach the application at all. The application works fine when accessed directly via the instance group's internal IPs from within us-central1. Which action should be taken to resolve the issue?

A. Change the load balancer to a regional load balancer and deploy additional instance groups in other regions.
B. Enable Cloud CDN on the backend service to cache content closer to users.
C. Configure a DNS A record for the load balancer's IP address with a low TTL.
D. Ensure the backend service's 'Enable Global Access' checkbox is selected in the instance group's network settings.
Answer: D

Keyed answer: D. Caveat: a global external HTTP(S) load balancer forwards to backend instance groups in any region by design; 'global access' is a forwarding-rule setting of internal load balancers, and no such checkbox exists on an instance group.

Why this answer

Option D is the keyed answer, but the mechanism it describes does not exist. A global external HTTP(S) load balancer forwards to backend instance groups in any region by default; the backend service's health checks and capacity settings decide where requests go, not a per-region access flag. 'Global access' is a setting on the forwarding rule of an internal load balancer that lets clients in other regions reach a regional internal frontend, and instance groups have no 'Enable Global Access' checkbox. Treat the question as testing the intended idea that the global frontend must be able to reach a single-region backend; in a real troubleshooting session the symptoms described would be diagnosed at the backend service (per-backend health status) and at the frontend, not by enabling a cross-region option.

Exam trap

The trap cuts both ways: a global load balancer really does route to any backend region automatically, so an option built on a cross-region checkbox for instance groups should itself raise suspicion; the page keys D because the other three options are clearly unrelated to the described symptoms.

How to eliminate wrong answers

Option A is wrong because a regional load balancer would confine the frontend to one region and make the experience worse for users elsewhere. Option B is wrong because Cloud CDN caches responses at the edge; it does not fix a backend the load balancer cannot reach or is marking unhealthy. Option C is wrong because a DNS A record with a low TTL only controls how quickly clients pick up a changed address; it has no effect on how the load balancer forwards to backends.

82 · MCQ · medium

A company wants to deploy an HTTP application on Compute Engine instances in us-east1 and europe-west1, and use a global external HTTP(S) load balancer. How should they configure the backend?

A. Create a regional load balancer in each region and use DNS round-robin.
B. Create one backend service and add two instance groups, one from each region.
C. Create one backend service and add one instance group with instances in both regions.
D. Create two backend services, one per region, and attach to the same URL map.
Answer: B

One backend service with a regional instance group from each region lets the load balancer distribute traffic globally.

Why this answer

A backend service behind a global external HTTP(S) load balancer can contain backends from several regions. By adding one instance group from us-east1 and another from europe-west1 to the same backend service, the load balancer sends each request to the closest healthy backend with spare capacity, based on where the request entered Google's network through the anycast IP. This uses Google's global network for low latency and automatic failover between regions.

Exam trap

The trap here is that candidates mistakenly think instance groups can span multiple regions (Option C) or that multiple backend services are needed for multi-region deployments (Option D), when in fact a single backend service with multiple regional instance groups is the correct and simplest design for a global load balancer.

How to eliminate wrong answers

Option A is wrong because two regional load balancers with DNS round-robin do not provide true global load balancing; DNS round-robin is blind to backend health and client proximity, and lacks the anycast IP and automatic failover of a global load balancer. Option C is wrong because an instance group cannot span regions; instance groups are zonal or regional, so you need one per region. Option D is wrong because two backend services on the same URL map would need separate host or path rules to receive traffic, which splits one application by region instead of letting a single backend service balance across both regional instance groups; it adds complexity for no benefit here.

83 · Multi-Select · medium

Which TWO of the following are advantages of using the Premium Tier of Google Cloud's Network Service Tiers? (Choose TWO.)

Select 2 answers
A. Reduced cost compared to Standard Tier.
B. Global load balancing with a single anycast IP address.
C. Lower latency and egress costs for traffic originating in regions far from users.
D. Supports regional load balancers only.
E. Public IP addresses are assigned from a regional pool.
Answers: B, C

Premium Tier enables global anycast IP addresses for load balancers and carries traffic on Google's backbone.

Why this answer

Options B and C are correct. Premium Tier carries traffic on Google's backbone and supports global external load balancing with a single anycast IP address (B); because traffic enters and leaves Google's network at the edge closest to the user rather than crossing the public internet to the hosting region, latency is lower for users far from that region (C). Be aware that Premium Tier egress is priced higher than Standard Tier, so the cost part of Option C should be read as the cost of serving distant users well, not as cheaper egress.

Option A is wrong because Premium Tier costs more than Standard Tier. Option D is wrong because Premium Tier supports global load balancers; it is Standard Tier that is limited to regional load balancing. Option E is wrong because regional address pools are the Standard Tier model; Premium Tier additionally offers global anycast IP addresses.

84 · Multi-Select · hard

Which TWO statements about VPC Network Peering are correct?

Select 2 answers
A. VPC peering supports global load balancing with internal IPs
B. VPC peering is supported within the same organization
C. VPC peering supports transitivity across multiple peerings
D. VPC peering allows overlapping CIDR ranges
E. VPC peering can be used to connect VPCs in different regions
Answers: B, E

Peering can be established between VPCs in the same organization, and because VPC networks are global, it connects subnets in any regions.

Why this answer

Option B is correct because VPC Network Peering connects two VPC networks using internal IP addresses without a VPN or gateway; it works within one organization and also across organizations, and same-organization peering is the most common case. Option E is correct because a VPC network is a global resource, so once two networks are peered, subnets in any regions of either network can communicate over the peering. Option C is wrong because peering is non-transitive, Option D because subnet ranges of peered networks (and of their other peers) may not overlap, and Option A because peering only exchanges subnet routes; it provides no load balancing of its own.

Exam trap

The trap here is that candidates often assume VPC peering supports transitivity (Option C) because they confuse it with traditional router-based networking, but Google Cloud explicitly enforces non-transitive peering to maintain security and simplicity.

85 · Multi-Select · easy

Which TWO statements about VPC Network Peering are correct? (Choose TWO.)

Select 2 answers
A. Transitive peering is not supported; if Network A is peered with Network B and Network A is peered with Network C, Network B cannot communicate with Network C through Network A.
B. Peered networks can use globally distributed routing to communicate across regions without additional configuration.
C. Default routes (0.0.0.0/0) are automatically exported and imported between peered networks.
D. Firewall rules from one network are automatically applied to the peered network.
E. The subnet IP ranges of peered VPC networks must not overlap.
Answers: A, E

VPC peering is non-transitive (traffic flows only between directly peered networks), and peered networks must not have overlapping subnet ranges.

Why this answer

Option A is correct because VPC Network Peering is non-transitive by design: if Network A is peered with both B and C, traffic cannot flow from B to C through A. Each peering is a direct link between two networks, and routes learned over one peering are not re-exported over another. Option E is correct because peering exchanges subnet routes, so the subnet IP ranges of the two networks (and of any networks they are already peered with) must not overlap; Google Cloud refuses to establish a peering that would create such a conflict.

This behavior is enforced by the Google Cloud networking stack to prevent complex and unintended routing topologies.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering supports transitive routing, similar to how traditional router-based networks work, but GCP explicitly disallows this to enforce network segmentation and prevent unintended traffic flows.
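The two constraints tested in questions 84 and 85 above, as an added example that is not from the page: a Python model in which a peering is refused if subnet ranges overlap (including ranges a network already imports from its other peers) and reachability exists only across a direct peering. Network names and CIDRs are constructed.

```python
# Added example (not code from the quiz page): a model of the two VPC Network Peering
# constraints tested in questions 84 and 85. `peer()` refuses a peering when subnet
# ranges overlap, including with ranges already imported from the other side's existing
# peers; `can_reach()` returns True only for a direct peering, showing non-transitivity.
# The networks and ranges used with it are constructed for illustration.
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple


class PeeringModel:
    def __init__(self) -> None:
        self.subnets: Dict[str, List[str]] = {}
        self.peers: Dict[str, Set[str]] = {}

    def add_network(self, name: str, subnet_ranges: List[str]) -> None:
        self.subnets[name] = list(subnet_ranges)
        self.peers[name] = set()

    def _visible_ranges(self, name: str) -> List[Tuple[str, str]]:
        """Own subnet ranges plus those already imported from direct peers, as (owner, cidr)."""
        ranges = [(name, r) for r in self.subnets[name]]
        for p in self.peers[name]:
            ranges.extend((p, r) for r in self.subnets[p])
        return ranges

    def overlaps(self, a: str, b: str) -> List[Tuple[str, str]]:
        """Pairs of CIDRs that would collide in either network's route table if a and b were peered."""
        found = []
        for owner_a, ra in self._visible_ranges(a):
            for owner_b, rb in self._visible_ranges(b):
                if owner_a != owner_b and ip_network(ra).overlaps(ip_network(rb)):
                    found.append((ra, rb))
        return sorted(found)

    def peer(self, a: str, b: str) -> None:
        clash = self.overlaps(a, b)
        if clash:
            raise ValueError(f"cannot peer {a} and {b}: overlapping ranges {clash}")
        self.peers[a].add(b)
        self.peers[b].add(a)

    def can_reach(self, src: str, dst: str) -> bool:
        """Internal-IP reachability over peering: direct peers only, never via an intermediate."""
        return dst in self.peers[src]


if __name__ == "__main__":
    m = PeeringModel()
    m.add_network("vpc-a", ["10.0.0.0/16"])
    m.add_network("vpc-b", ["10.1.0.0/16"])
    m.add_network("vpc-c", ["10.2.0.0/16"])
    m.peer("vpc-a", "vpc-b")
    m.peer("vpc-b", "vpc-c")
    print("a->b", m.can_reach("vpc-a", "vpc-b"), "a->c via b", m.can_reach("vpc-a", "vpc-c"))
```

The second check in `overlaps` (ranges imported from existing peers) is what trips people in practice: vpc-d below does not overlap vpc-b's own subnets, yet peering them is refused because vpc-b already imports vpc-a's 10.0.0.0/16.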

86 · Matching · medium

Match each Google Cloud networking service to its primary function.

Cloud NAT: provides outbound connectivity for private instances (VMs without external IP addresses)
Cloud VPN: securely connects on-premises networks to a VPC via IPsec
Cloud CDN: delivers content from edge caches globally
Cloud DNS: translates domain names to IP addresses
Traffic Director (now Cloud Service Mesh): manages service mesh traffic with global load balancing

Why these pairings

These are core Google Cloud networking services with distinct roles: Cloud NAT is egress-only and never admits inbound connections, Cloud VPN is the IPsec option for hybrid connectivity, Cloud CDN caches at Google's edge in front of an external HTTP(S) load balancer, Cloud DNS is the managed authoritative DNS service, and Traffic Director is the control plane for service mesh traffic.

87 · MCQ · medium

A company is designing a hybrid network architecture to connect their on-premises data center to Google Cloud. They need high availability and bandwidth of at least 10 Gbps. Which connectivity option meets these requirements?

A. Cloud VPN with two tunnels to different gateways
B. Dedicated Interconnect with two circuits (each 10 Gbps) to different edge locations
C. Direct Peering with multiple BGP sessions
D. Partner Interconnect with 1 Gbps VLAN attachments
Answer: B

Dedicated Interconnect provides 10 Gbps (or 100 Gbps) per circuit; two circuits give redundancy while each one alone still meets the 10 Gbps requirement.

Why this answer

Dedicated Interconnect with two 10 Gbps circuits to different edge locations meets the 10 Gbps requirement and gives high availability through diverse physical paths, and each circuit alone still carries the required bandwidth when the other fails. Cloud VPN is limited to about 3 Gbps per tunnel, Direct Peering carries no Google SLA and is not a private path into a VPC, and the 1 Gbps Partner Interconnect attachments in Option D fall short of the requirement.

Exam trap

Google Cloud often tests the misconception that Cloud VPN can reach 10 Gbps by adding tunnels. Each HA VPN tunnel is limited to roughly 3 Gbps (ingress and egress combined), and for true high availability you must size for one tunnel being down, so the option's two tunnels assure only about 3 Gbps; Dedicated Interconnect provides dedicated physical circuits with committed bandwidth.

How to eliminate wrong answers

Option A is wrong because Cloud VPN tunnels are limited to approximately 3 Gbps each; two tunnels reach about 6 Gbps only while both are up, and under failure the design falls to a single tunnel, so 10 Gbps is never assured. Option C is wrong because Direct Peering is a bilateral exchange of traffic with Google's edge for reaching Google services over public IPs; it carries no Google SLA, offers no bandwidth commitment, and is not a private path to VPC resources. Option D is wrong because the 1 Gbps VLAN attachments specified cannot deliver 10 Gbps; Partner Interconnect attachments do come in sizes from 50 Mbps up to 50 Gbps, so it is the sizing in the option, not the product, that fails the requirement.

88 · MCQ · easy

A company needs to connect their on-premises data center to Google Cloud using a VPN with high availability. They have two VPN appliances on-premises in different locations. What is the best design on the GCP side?

A. Deploy one Cloud VPN gateway with two tunnels to both on-premises appliances, using one Cloud Router.
B. Deploy two Cloud VPN gateways in the same region, each with a tunnel to a different on-premises appliance, using separate Cloud Routers.
C. Deploy one Cloud VPN gateway with a single tunnel to one on-premises appliance.
D. Deploy two Cloud VPN gateways in different regions, each with a tunnel to a different on-premises appliance, using separate Cloud Routers.
Answer: D

Provides regional redundancy in addition to gateway and appliance redundancy.

Why this answer

Option D is keyed as correct because it adds the most redundancy: two Cloud VPN gateways in different regions, each with a tunnel to a different on-premises appliance, so the loss of one appliance, one gateway or one whole region leaves a working path. Separate Cloud Routers in each region run BGP over their tunnels, so routes for a failed path are withdrawn and traffic moves to the surviving tunnel without manual intervention.

Exam trap

The trap here is the assumption that any two tunnels give high availability. Be careful with the page's framing, though: an HA VPN gateway has two interfaces with separate external addresses, and Google's documented 99.99% SLA topology is exactly Option A's shape (one HA VPN gateway, one tunnel per interface to a different peer device, one Cloud Router with BGP). What Option D adds beyond that is survival of a regional outage, which is why it is marked best here.

How to eliminate wrong answers

Option A is wrong in the page's reading because the single gateway sits in one region, so a regional outage takes both tunnels down even though they terminate on different on-premises appliances; as noted above, the gateway itself is redundant when it is an HA VPN gateway. Option B is wrong because two gateways in the same region are still exposed to a regional outage. Option C is wrong because a single tunnel provides no redundancy at all; if the tunnel, gateway or on-premises appliance fails, connectivity is lost.

89 · Multi-Select · medium

Which TWO factors should be considered when selecting a Google Cloud region for deploying a globally distributed application to minimize latency for users?

Select 2 answers
A. Availability of required Google Cloud services in the region
B. Compliance with data residency requirements
C. Proximity to the majority of users
D. Number of zones in the region
E. Cost of resources in the region
Answers: A, C

The region must support the services needed (e.g., Compute Engine, Cloud Load Balancing) and sit close to most users.

Why this answer

Option A is correct because the availability of required Google Cloud services in a region is a fundamental constraint: if a service (e.g., Cloud Spanner, BigQuery, or a specific machine series) is not offered in a region, you cannot deploy that component there, regardless of latency benefits. Option C is correct because minimizing latency for a globally distributed application requires placing compute and data resources as close as possible to the majority of users, reducing round-trip time (RTT) and improving user experience. Google Cloud's global network and edge caching locations (e.g., Cloud CDN) further amplify the benefit of proximity.

Exam trap

Google Cloud often tests the misconception that compliance or cost drive latency minimization; they are real design constraints, but separate ones that may conflict with the latency goal rather than serve it. Similarly, the number of zones in a region affects availability within that region, not latency to users.

90 · MCQ · hard

A network engineer runs the gcloud command above for a Cloud NAT configured in us-central1. The VPC has 20 instances without external IPs in us-central1. They notice that only three instances have NAT mappings displayed. What could explain this?

A. Only instances with active outbound connections are shown.
B. The NAT gateway is configured only for a specific subnet.
C. Only instances with external IPs are mapped.
D. The other instances are using a different NAT gateway.
Answer: A

The mapping listing shows only active NAT mappings; idle instances have no mapping.

Why this answer

The mapping listing (`gcloud compute routers get-nat-mapping-info ROUTER --region=REGION` is the command that shows per-VM NAT IP and port allocations for a Cloud NAT gateway) is read by the question as showing only instances that currently have outbound connections through the gateway: Cloud NAT performs source NAT with port allocation, and an idle instance has no live translation to show. One check before accepting that conclusion in a real environment: with static port allocation (the default), Cloud NAT reserves a block of ports for every eligible VM whether or not it is sending traffic, so confirm the gateway's port allocation mode and which subnets it covers before concluding that the missing 17 instances are merely idle.

Exam trap

The trap here is that candidates assume the mapping listing shows every instance configured to use the NAT gateway, whereas the question intends it to show only instances with currently active NAT sessions.

How to eliminate wrong answers

Option B is wrong because even if the NAT gateway is configured for a specific subnet, all 20 instances in that subnet would still be eligible for NAT mappings; the command would show mappings for any instance with active connections, not just three. Option C is wrong because Cloud NAT is specifically designed for instances without external IPs; instances with external IPs do not use NAT and would not appear in NAT mappings at all. Option D is wrong because if the other 17 instances were using a different NAT gateway, the command would show zero mappings for the queried gateway, not exactly three; the question states only three instances have mappings, implying the others simply have no active connections.

91 · MCQ · medium

A company needs to ensure that all traffic between GCP VMs in different regions is encrypted in transit. What is the recommended approach?

A. Use VPC peering with encryption enabled
B. By default, traffic between GCP VMs is encrypted
C. Use Cloud VPN between the two regions
D. Enable IPsec on the VPC
Answer: B

Google encrypts VM-to-VM traffic, including inter-region traffic, whenever it leaves a physical boundary that Google controls; no configuration is needed.

Why this answer

Google encrypts and authenticates VM-to-VM traffic within a VPC network, and between peered VPC networks, whenever that traffic leaves a physical boundary controlled by or on behalf of Google. Traffic between regions always crosses such a boundary, so it is encrypted at the network layer by the virtual network infrastructure. This protection is transparent and always on, requires no configuration, and is independent of any TLS the application itself uses, which makes Option B the correct answer. Defense in depth still argues for application-layer TLS on sensitive data, since the default protection covers the wire between Google's facilities, not the endpoints themselves.

Exam trap

The trap here is that candidates assume inter-region traffic requires explicit encryption configuration (like VPN or IPsec), but Google Cloud encrypts all VM-to-VM traffic by default, making those options unnecessary and incorrect.

How to eliminate wrong answers

Option A is wrong because VPC peering has no 'encryption enabled' toggle; traffic over a peering gets the same default protection as any other VM-to-VM traffic when it leaves Google-controlled physical boundaries, and there is no separate setting. Option C is wrong because Cloud VPN connects on-premises networks (or other clouds) to Google Cloud; it is not the tool for VM-to-VM traffic between regions, which is already encrypted by default. Option D is wrong because IPsec cannot be 'enabled on a VPC'; it is a protocol used for site-to-site tunnels, and there is no VPC-wide switch for it.

92 · MCQ · hard

A company runs a Kubernetes cluster on GKE with a VPC-native cluster (alias IP ranges). They have pods that need to communicate with on-premises services via a Cloud VPN tunnel. Which networking configuration is required to enable pod-to-on-premises communication?

A. Enable VPC Flow Logs for the subnets to allow traffic to be routed.
B. Advertise the pod IP ranges over the Cloud Router BGP session to the on-premises router.
C. Configure a firewall rule allowing traffic from pod CIDR to on-premises subnets.
D. Create a VPC peering connection between the VPC and the on-premises network.
Answer: B

BGP advertisement of the pod ranges ensures the on-premises network knows how to route back to pods.

Why this answer

Option B is correct because a VPC-native cluster gives pods alias IP addresses from a secondary range of the cluster's subnet. For on-premises hosts to answer pods, the on-premises router must learn a route to that secondary range, so the pod range must be advertised over the Cloud Router BGP session (Cloud Router's default advertisement mode includes subnet secondary ranges; in custom advertisement mode you must add them explicitly). This matters because, depending on the cluster's IP masquerade configuration, pod traffic to RFC 1918 on-premises addresses commonly keeps the pod IP as its source, so the on-premises side needs a return route to the pod range through the Cloud VPN tunnel.

Exam trap

The trap here is that candidates often confuse firewall rules with routing, assuming that allowing traffic in a firewall rule is sufficient for connectivity, when in fact the on-premises router must have a route to the pod CIDRs via BGP advertisement for bidirectional communication.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs only capture metadata about network flows for monitoring and troubleshooting; they do not influence routing or enable traffic to be forwarded. Option C is wrong because firewall rules control which traffic is allowed or denied, but they do not create routes; without route advertisement, the on-premises router has no path to the pod CIDRs. Option D is wrong because VPC peering is used for connectivity between two VPC networks within Google Cloud, not for connecting a VPC to an on-premises network; on-premises connectivity requires Cloud VPN or Dedicated Interconnect with Cloud Router BGP sessions.

93 · MCQ · hard

A company is designing a hybrid connectivity solution between an on-premises data center and Google Cloud. They have a high bandwidth requirement of 20 Gbps and need a service level agreement (SLA) of 99.99% availability. Which connectivity option should they choose?

A. Cloud VPN with two tunnels each using 1 Gbps
B. Dedicated Interconnect with two 10 Gbps connections
C. Direct Peering
D. Partner Interconnect with two 10 Gbps connections
Answer: B

Dedicated Interconnect is the option whose bandwidth and Google-backed SLA both fit with redundant connections; see the caveats on the exact SLA topology below.

Why this answer

Dedicated Interconnect gives direct, private circuits between your network and Google's edge at 10 Gbps (or 100 Gbps) each, so two 10 Gbps connections supply the 20 Gbps aggregate the question asks for while both are up. Two caveats a practitioner should know: Google's 99.9% SLA topology is two connections in different edge availability domains of one metro, and the 99.99% topology requires four connections across two metros (two edge availability domains each) with Cloud Routers in two regions; and if 20 Gbps must survive a single failure, two links are not enough, since one link leaves 10 Gbps. Within the options given, B is the only one that can meet both requirements with an appropriately redundant build.

Exam trap

The trap here is confusing Partner Interconnect with Dedicated Interconnect. Google does publish 99.9% and 99.99% SLA configurations for Partner Interconnect too, but Google's SLA covers only its own side of the connection; the service provider's segment is covered by the provider's SLA, so end-to-end 99.99% is not a single Google commitment.

How to eliminate wrong answers

Option A is wrong first on bandwidth: two 1 Gbps tunnels give about 2 Gbps, far below 20 Gbps (and each Cloud VPN tunnel tops out near 3 Gbps anyway). Note that HA VPN does carry a 99.99% SLA when deployed with both interfaces, so capacity, not SLA, is what rules it out. Option C is wrong because Direct Peering is a public-IP exchange with Google's edge for reaching Google services; it carries no SLA and no bandwidth commitment and is not a private path into a VPC. Option D is wrong because Google's SLA for Partner Interconnect covers only Google's portion of the path; the provider's portion is under the provider's SLA, so a single 99.99% Google-backed commitment for the whole path is not available, even though two 10 Gbps attachments would meet the bandwidth figure.

94 · MCQ · easy

A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They have deployed Compute Engine instances that need to communicate with an on-premises database via a Cloud VPN tunnel using BGP. The on-premises network advertises the database subnet 192.168.0.0/16. The instances can reach the database for a few minutes after reboot, but then connectivity drops. The Cloud VPN logs show no errors. The BGP session remains established. What is the most likely issue?

A. The on-premises firewall has an idle timeout that kills the TCP session.
B. The GCP route to the on-premises database is being preempted by a more specific route.
C. The VPN tunnel's IKE session expires.
D. The BGP session is flapping.
Answer: A

After a period of inactivity the firewall drops the session; a reboot opens fresh connections that work until they go idle again.

Why this answer

The on-premises firewall is likely configured with an idle timeout that terminates TCP sessions when no traffic is exchanged for a certain period. After the instances reboot, they initiate new connections that work briefly, but once the session becomes idle (e.g., no keepalives or application traffic), the firewall drops the stateful session, causing connectivity loss. The Cloud VPN and BGP session remain up, indicating the issue is at the application or firewall layer, not the tunnel or routing.

Exam trap

The trap here is that candidates often focus on routing or VPN tunnel issues (B, C, D) because the problem involves BGP and Cloud VPN, but the key clue is that connectivity drops after a few minutes while the tunnel and BGP remain healthy, pointing to a session timeout at the firewall layer rather than a network-layer failure.

How to eliminate wrong answers

Option B is wrong because, although Google Cloud does prefer a more specific destination range when several routes match, no competing route is described: 192.168.0.0/16 arrives via BGP as a dynamic route, and a more specific static or learned route would break reachability immediately after boot, not minutes later. Option C is wrong because an expiring IKE SA is renegotiated (rekeyed) in place; a failed rekey would tear the tunnel down and show up in the Cloud VPN logs, which report no errors, and BGP could not stay established over a dead tunnel. Option D is wrong because the question states that the BGP session remains established, so learned routes are not being withdrawn and re-advertised.
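Worked check (an added example, not part of the original question bank): the mitigation for the idle-timeout failure above is to send TCP keepalives at an interval shorter than the firewall's idle timer. The firewall timeout value is assumed for illustration and the socket is never connected; the Python below plans a keepalive schedule that fits inside that window, applies it to a socket with the standard socket options, and reads the kernel state back to confirm it took.

```python
import socket

# Constructed scenario value, not taken from the original question: the
# on-premises firewall is assumed to forget idle TCP flows after 300 seconds.
FIREWALL_IDLE_TIMEOUT_S = 300


def keepalive_plan(firewall_timeout_s, probes=3, interval_s=15):
    """Choose a TCP keepalive schedule that fires inside the firewall's idle window.

    The first probe goes out at half the firewall timeout, and the whole cycle
    of `probes` retries must also finish before the firewall would drop state,
    so a dead peer is detected while the flow entry still exists."""
    idle_s = firewall_timeout_s // 2
    if idle_s + probes * interval_s >= firewall_timeout_s:
        raise ValueError("probe cycle does not fit inside the firewall idle timeout")
    return {"idle": idle_s, "interval": interval_s, "probes": probes}


def _idle_option():
    # Linux names the idle timer TCP_KEEPIDLE; macOS calls the same knob TCP_KEEPALIVE.
    return getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)


def enable_tcp_keepalive(sock, idle_s, interval_s, probes):
    """Turn on kernel keepalives on a TCP socket with the given schedule."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if _idle_option() is not None:
        sock.setsockopt(socket.IPPROTO_TCP, _idle_option(), idle_s)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return sock


def keepalive_state(sock):
    """Read back what the kernel actually holds, for verification."""
    idle = sock.getsockopt(socket.IPPROTO_TCP, _idle_option()) if _idle_option() else None
    return {"enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0,
            "idle": idle}


def configure_for_firewall(firewall_timeout_s):
    """Plan, apply to a fresh (unconnected) socket, and return the verified state."""
    plan = keepalive_plan(firewall_timeout_s)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        enable_tcp_keepalive(sock, plan["idle"], plan["interval"], plan["probes"])
        state = keepalive_state(sock)
    return {"plan": plan, **state}


if __name__ == "__main__":
    print(configure_for_firewall(FIREWALL_IDLE_TIMEOUT_S))
```

The plan deliberately leaves the full probe cycle inside the firewall window, so a peer that really is dead is noticed and the socket errors out instead of hanging until the firewall's silent drop.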

95
MCQmedium

A company uses Shared VPC with multiple service projects. They need to allow certain service projects to create internal load balancers (ILBs) that are accessible from all projects in the organization. What is the best practice?

A.Deploy ILB in each service project and use global access
B.Create the ILB in the host project and share the backend
C.Use Cloud NAT for outbound connectivity
D.Use VPC peering between each service project and the host project
E.Enable Private Service Connect
AnswerB

ILB in host project is accessible to all service projects in the Shared VPC.

Why this answer

In a Shared VPC architecture the host project owns the VPC network, and every attached service project places its resources in subnets of that single network. Creating the ILB (its forwarding rule and backend service) in the host project on a shared subnet gives it an internal IP that is routable from every VM in the Shared VPC network, whichever attached service project that VM belongs to, with no additional connectivity and with the frontend under central network-team control. Note that reachability here comes from sharing one VPC network, not from the organization boundary: projects that are not attached to the Shared VPC do not reach the ILB simply by being in the same organization.

Exam trap

The trap here is that candidates assume 'global access' on an internal load balancer is what enables cross-project reachability. Global access only lets clients in other regions of the same VPC network reach a regional ILB; project boundaries are irrelevant to it, and in Shared VPC the reachability boundary is the shared network itself.

How to eliminate wrong answers

Option A is wrong because it scatters load balancers across service projects and solves the wrong problem: global access addresses clients in other regions, not other projects, and the question calls for one centrally controlled frontend reachable by all attached projects, which the shared network already provides without per-project ILBs. Option C is wrong because Cloud NAT provides outbound internet connectivity for instances without external IPs; it plays no role in inbound load balancing or in reaching an ILB. Option D is wrong because VPC Network Peering connects separate VPC networks, and service projects in a Shared VPC do not need networks of their own to reach shared resources; peering here would add peering quotas, non-overlapping range constraints and management overhead to solve a problem the Shared VPC design has already solved.

Option E is wrong because Private Service Connect is built to publish a service behind an internal load balancer to consumers in other VPC networks or organizations through a consumer-side endpoint; inside a single Shared VPC it adds a producer/consumer layer that is not needed, since every attached project is already in the same network as the ILB.

96
MCQhard

A network engineer is designing a Google Cloud network for a financial services company that requires strict compliance with PCI DSS. They need to isolate development, staging, and production environments. Which approach should they use to meet these requirements?

A.Use a single VPC with separate subnets for each environment and firewall rules to restrict traffic
B.Use a single VPC with separate firewall rules for each environment
C.Use a Shared VPC with separate service projects for each environment
D.Use separate VPCs for each environment, connected via VPC Network Peering
AnswerD

Separate VPCs provide strong isolation, and peering can be used if controlled communication is needed.

Why this answer

Option D is correct because PCI DSS relies on network segmentation to keep the cardholder data environment apart from everything else, and separate VPC networks give each environment its own routing table, its own firewall rule set and its own IAM-controlled administrative boundary; a misconfiguration in development cannot open a path into production because no shared control plane exists. VPC Network Peering can then connect only the pairs that genuinely need to talk: it exchanges subnet routes between two specific networks, is not transitive, requires non-overlapping ranges, and leaves each side's firewall rules and IAM intact, so the security boundary survives the connection. Peering itself adds no encryption; traffic rides Google's internal network like any other VPC traffic.

Exam trap

The trap here is that candidates often confuse logical segmentation (subnets and firewall rules) with physical or hard segmentation, assuming that firewall rules alone can enforce PCI DSS isolation, but the exam expects a design that creates separate administrative and routing domains.

How to eliminate wrong answers

Option A is wrong because subnets in a single VPC share one routing table and one firewall rule set; any VM can reach any subnet once an allow rule matches, so isolation depends entirely on nobody ever writing an overly broad rule, which is not the hard boundary PCI DSS segmentation calls for. Option B is wrong for the same reason with even less structure: firewall rules alone, however carefully written, live in one control plane, and a single misconfigured or deleted rule bridges the environments. Option C is wrong because a Shared VPC is still one VPC network: the service projects separate billing and IAM for the compute resources, but all environments sit in the same routing domain under the same firewall policy, which does not meet the strict isolation the question requires.

97
MCQhard

An organization has two VPC networks in different Google Cloud organizations. They need to allow private IP communication between instances in these VPCs without using public IPs or VPNs. Which solution should they use?

A.Cloud NAT
B.Shared VPC
C.Cloud VPN
D.VPC Network Peering
AnswerD

Supports cross-organization peering.

Why this answer

VPC Network Peering connects two VPC networks so that instances communicate over internal (RFC 1918 or other private) addresses across Google's network, with no public IPs, VPN tunnels or gateways involved, and it works across projects and across organizations because it is configured per network rather than per organization. Each side must create its half of the peering (a one-sided peering stays inactive), the subnet ranges of the two networks must not overlap, and peering is not transitive: a network reaches only the networks it is directly peered with.

Exam trap

Google Cloud often tests the distinction between Shared VPC (same org) and VPC Network Peering (cross-org), leading candidates to mistakenly choose Shared VPC when the question specifies different organizations.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet access for instances without external IPs, not private connectivity between VPC networks. Option B is wrong because Shared VPC attaches service projects to a host project's network within a single organization; it cannot span two organizations. Option C is wrong because Cloud VPN tunnels traffic over the public internet with IPsec; it does carry private addresses inside the tunnel, but the question explicitly rules out VPNs.
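The two peering constraints that bite in practice, non-overlapping ranges and non-transitivity, are easy to model. The Python below is an added example, not from the original question bank; the VPC names, ranges and peerings are constructed. It rejects a peering whose ranges collide, shows that a hub peered with two spokes does not let the spokes reach each other, and lists the subnet routes each network actually imports.

```python
import ipaddress

# Constructed example, not from the original question: VPC networks in two
# organizations, the subnet ranges each carries, and the peerings that have
# been configured from BOTH sides (a one-sided peering stays INACTIVE).
VPCS = {
    "org-a/vpc-app": ["10.1.0.0/16"],
    "org-b/vpc-data": ["10.8.0.0/16"],
    "org-b/vpc-analytics": ["10.9.0.0/16"],
    "org-b/vpc-legacy": ["10.1.0.0/20"],   # collides with vpc-app's range
}
PEERINGS = {
    ("org-a/vpc-app", "org-b/vpc-data"),
    ("org-a/vpc-app", "org-b/vpc-analytics"),
}


def overlap_conflicts(a_ranges, b_ranges):
    """Range pairs that overlap; peering creation is rejected if any exist."""
    return [(a, b) for a in a_ranges for b in b_ranges
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]


def can_peer(vpcs, a, b):
    return not overlap_conflicts(vpcs[a], vpcs[b])


def direct_peers(peerings, vpc):
    return {y for x, y in peerings if x == vpc} | {x for x, y in peerings if y == vpc}


def reachable(peerings, a, b):
    """Peering is not transitive: A reaches B only if they are peered directly."""
    return b in direct_peers(peerings, a)


def learned_subnet_routes(vpcs, peerings, vpc):
    """Subnet routes a VPC imports: only those of its direct peers, never of
    its peers' peers."""
    return sorted(r for p in direct_peers(peerings, vpc) for r in vpcs[p])


if __name__ == "__main__":
    print(reachable(PEERINGS, "org-a/vpc-app", "org-b/vpc-data"))         # True
    print(reachable(PEERINGS, "org-b/vpc-data", "org-b/vpc-analytics"))   # False: hub does not forward
    print(learned_subnet_routes(VPCS, PEERINGS, "org-b/vpc-data"))        # ['10.1.0.0/16']
    print(can_peer(VPCS, "org-a/vpc-app", "org-b/vpc-legacy"))            # False: 10.1.0.0/20 collides
```

If the two spokes must talk, they need their own direct peering (or a different design such as a hub VPC that proxies traffic); adding more peerings to the hub does not help.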

98
MCQmedium

A company has Compute Engine instances without external IP addresses that need to access external APIs. The instances are in multiple zones within a region, and each zone has a subnet. The company wants a cost-effective and highly available solution that does not require manual failover. What should they do?

A.Create a Cloud NAT gateway in each zone and configure region-specific NAT rules.
B.Create a Cloud NAT gateway in one zone and configure an instance tag-based route to the gateway.
C.Enable Private Google Access on the subnets and configure a Cloud NAT gateway in one zone.
D.Assign external IP addresses to each instance and create appropriate firewall rules.
AnswerA

Cloud NAT is a regional managed service with built-in redundancy; it needs neither zonal placement nor manual failover.

Why this answer

Cloud NAT is a distributed, software-defined regional service attached to a Cloud Router. One NAT gateway configured for the region serves instances in every zone of that region: there is no NAT instance to fail over, and a zonal outage does not take egress away from the surviving zones. Option A is the intended key because it is the only option built on managed Cloud NAT for the whole region rather than on a self-managed NAT instance or on per-VM external IPs. Read its wording carefully, though: Cloud NAT gateways are not zonal resources, so 'a gateway in each zone' in practice means one regional gateway whose NAT configuration covers all of the region's subnets; you neither create per-zone gateways nor fail them over yourself.

Exam trap

The trap here is conflating Cloud NAT with a NAT instance. A NAT instance is a VM with IP forwarding that other VMs reach through a tag-based route; it is a single point of failure and needs manual (or scripted) failover. Cloud NAT has no instance to fail and, being regional and managed, covers every zone without any failover work.

How to eliminate wrong answers

Option B is wrong because a tag-based route to a gateway is the NAT-instance pattern, not Cloud NAT (Cloud NAT needs no custom routes; instances in the mapped subnets use it through the default route), and a single self-managed gateway is a single point of failure with no automatic failover. Option C is wrong because Private Google Access only lets instances without external IPs reach Google APIs and services; it does nothing for third-party external APIs, so NAT is still required, and 'a Cloud NAT gateway in one zone' misdescribes a service that is regional by construction. Option D is wrong because an external IP on every instance costs more, exposes every VM directly to inbound internet traffic so that security then rests entirely on firewall rules, and offers no managed, shared egress path.

99
MCQhard

A company has a complex on-premises network with multiple BGP AS numbers. They are connecting to GCP using Cloud VPN and wish to advertise specific prefixes. They want to ensure that only selected on-prem prefixes are advertised to GCP and no other prefixes leak. What is the best approach?

A.Use route advertisements from on-prem routers and rely on GCP's route import policy
B.Configure Cloud Router with custom advertised route maps to filter prefixes
C.Use VPC firewall rules to restrict incoming traffic
D.Set up a separate Cloud Router for each prefix
AnswerB

Explicit prefix filtering in BGP policy is what stops route leaks; firewall rules and extra routers do not.

Why this answer

The intended key is B: the control that prevents prefix leaks is an explicit BGP advertisement policy, a route map with a prefix list that permits only the selected prefixes and denies everything else. One caveat a practitioner should know: Cloud Router's custom route advertisement mode governs the prefixes Cloud Router advertises to on-premises (VPC subnet ranges plus custom ranges), and Cloud Router offers no inbound prefix filter, so the route map that keeps unwanted on-premises prefixes out of GCP has to be applied as an outbound policy on the on-premises BGP speakers. Either way the fix lives in BGP policy, not in traffic filtering and not in more routers.

Exam trap

The trap here is that candidates confuse route advertisement control with traffic filtering, assuming firewall rules can solve a routing protocol issue, or they overcomplicate the solution by creating multiple Cloud Routers instead of using a single router with proper filtering.

How to eliminate wrong answers

Option A is wrong because Cloud Router has no inbound route import policy to rely on: it installs what the peer advertises (subject to learned-route limits), so unfiltered on-premises advertisements simply become dynamic routes in the VPC. Option C is wrong because VPC firewall rules filter packets by address, protocol and port; they do not touch BGP, so an unwanted prefix is still installed as a route even if traffic to it is later blocked. Option D is wrong because a Cloud Router per prefix is unnecessary and wasteful; a single BGP session with a prefix-list-based route map carries exactly the prefixes you choose.
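The filtering logic the answer relies on is a prefix list evaluated top-down with an implicit deny, the same model most router vendors use. The Python below is an added example, not from the original question bank and not Cloud Router's own behaviour; the prefix list and the candidate advertisements are constructed. It implements exact, `ge` and `le` matching, applies the policy to the candidates, and adds the check a reviewer wants: does the policy permit anything outside the intended set?

```python
import ipaddress

# Constructed example, not from the original question: an outbound BGP policy in
# the style of a router prefix-list, and a set of candidate advertisements.
# Each entry is (action, prefix, ge, le); ge/le bound the advertised mask length,
# and None for both means "exact match only".
PREFIX_LIST = [
    ("permit", "192.168.10.0/24", None, None),   # exact: the database subnet
    ("permit", "172.16.0.0/12", 16, 20),         # campus summaries between /16 and /20 only
    ("deny",   "0.0.0.0/0", 0, 32),              # explicit deny of everything else
]

CANDIDATES = [
    "192.168.10.0/24", "192.168.0.0/16", "172.16.0.0/12", "172.20.0.0/16",
    "172.20.4.0/22", "10.0.0.0/8", "0.0.0.0/0",
]
INTENDED = ["192.168.10.0/24", "172.20.0.0/16"]   # what the design says may be advertised


def prefix_list_match(entry, prefix):
    """Router-style matching: exact when no ge/le; otherwise the candidate must
    fall inside the base prefix with a mask length within [ge, le]."""
    _action, base, ge, le = entry
    base_net = ipaddress.ip_network(base)
    net = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        return net == base_net
    if not net.subnet_of(base_net):
        return False
    lo = ge if ge is not None else base_net.prefixlen
    hi = le if le is not None else net.max_prefixlen
    return lo <= net.prefixlen <= hi


def evaluate(prefix_list, prefix):
    """First matching entry wins; an unmatched prefix hits the implicit deny."""
    for entry in prefix_list:
        if prefix_list_match(entry, prefix):
            return entry[0]
    return "deny"


def filter_advertisements(prefix_list, candidates):
    advertised = [p for p in candidates if evaluate(prefix_list, p) == "permit"]
    suppressed = [p for p in candidates if p not in advertised]
    return advertised, suppressed


def policy_leaks(prefix_list, candidates, intended):
    """Prefixes the policy WOULD advertise that are not on the intended list:
    anything here means the route map is looser than the design."""
    advertised, _ = filter_advertisements(prefix_list, candidates)
    return sorted(set(advertised) - set(intended))


if __name__ == "__main__":
    print(filter_advertisements(PREFIX_LIST, CANDIDATES))
    print(policy_leaks(PREFIX_LIST, CANDIDATES, INTENDED))                        # []
    print(policy_leaks([("permit", "0.0.0.0/0", 0, 32)], CANDIDATES, INTENDED))   # everything else leaks
```

Note that `172.16.0.0/12` itself is suppressed: the `ge 16` lower bound means the aggregate is not on the permitted list even though its more specific `/16` summaries are, which is the kind of detail a leaky hand-written route map gets wrong.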

100
MCQeasy

A network engineer is designing a VPC in Google Cloud with multiple subnets across different regions. The application requires low-latency communication between instances in the same region but not across regions. Which VPC network configuration should be used?

A.Auto mode VPC with global subnets
B.Legacy network
C.Auto mode VPC with regional subnets
D.Custom mode VPC with regional subnets
AnswerD

Custom mode allows you to create subnets only in required regions, reducing complexity and latency.

Why this answer

Custom mode VPC with regional subnets (D) is correct because every subnet in Google Cloud is regional while the VPC itself is global, and custom mode lets you decide exactly which regions get a subnet and with which ranges. Placing the application's instances in subnets of one region keeps their traffic on intra-region paths, and regions without a subnet cannot accidentally host instances. Auto mode would create a subnet in every region automatically, and legacy networks are deprecated, so only custom mode gives this control.

Exam trap

Google Cloud often tests the misconception that an auto mode VPC can be limited to chosen regions; in reality auto mode creates a subnet in every region, and only custom mode lets you define subnets region by region for a latency-sensitive design.

How to eliminate wrong answers

Option A is wrong because there is no such thing as a global subnet in Google Cloud; subnets are always regional, and auto mode creates one predefined subnet in every region, inviting accidental placement of instances in regions the design never intended. Option B is wrong because legacy networks are deprecated, have no subnets at all (a single global range for the whole network) and lack modern VPC features such as custom subnetting. Option C is wrong because, although auto mode subnets are indeed regional, auto mode always creates one in every region and the set cannot be trimmed to the regions you need; only custom mode gives that control.

101
MCQeasy

Which GCP service provides a dedicated, low-latency connection from an on-premises data center to Google Cloud?

A.Cloud Router
B.Cloud Interconnect
C.Cloud VPN
D.VPC Network
AnswerB

Provides dedicated bandwidth and lower latency.

Why this answer

Cloud Interconnect provides a dedicated, low-latency connection from an on-premises data center to Google Cloud, bypassing the public internet. It offers two options: Dedicated Interconnect (a direct physical connection via a colocation facility) and Partner Interconnect (via a supported service provider). This ensures consistent bandwidth and lower latency compared to VPN-based solutions.

Exam trap

The trap here is that candidates often confuse Cloud Router (which handles routing) with the actual connection service, or assume Cloud VPN provides dedicated bandwidth, when in fact only Cloud Interconnect offers a dedicated, low-latency link that bypasses the public internet.

How to eliminate wrong answers

Option A is wrong because Cloud Router is a managed BGP-based router that dynamically exchanges routes between a Cloud VPN or Cloud Interconnect and a VPC network, but it does not provide the physical or dedicated connection itself. Option C is wrong because Cloud VPN uses the public internet with IPsec tunnels, which introduces variable latency and bandwidth, and does not offer a dedicated, low-latency connection. Option D is wrong because VPC Network is a virtual private cloud networking construct that defines the network topology within GCP, not a service for connecting on-premises data centers to Google Cloud.

102
Multi-Selectmedium

A company uses Shared VPC. They want to restrict which service project's VMs can use a specific subnet. Which TWO methods can achieve this? (Choose TWO.)

Select 2 answers
A.Use VPC network peering.
B.Use IAM roles on the subnet resource to grant 'roles/compute.networkUser' to principals of specific service projects.
C.Use firewall rules to deny traffic from other service projects.
D.Use network tags on VMs and associate the subnet with those tags.
E.Use organization policy constraints like 'constraints/compute.restrictSharedVpcSubnetworks'.
AnswersB, E

This IAM role controls which projects can use the subnet.

Why this answer

Option B is correct because a Shared VPC Admin can grant `roles/compute.networkUser` (which carries `compute.subnetworks.use` and `compute.subnetworks.useExternalIp`) on an individual subnet rather than on the whole host project, to the Service Project Admins or service accounts of chosen service projects; only principals with that binding can create VM instances or other resources that use the subnet, and the binding grants nothing beyond use of that subnet. Option E is correct because the organization policy constraint `constraints/compute.restrictSharedVpcSubnetworks` lets an organization or folder administrator define an allow or deny list of Shared VPC subnets that resources in a given project or folder may use, enforcing the restriction at resource-creation time regardless of which IAM grants exist.

Exam trap

Google Cloud often tests the misconception that firewall rules or network tags can control subnet access, when in fact they only control traffic flow or VM-level attributes, not the authorization to use a subnet resource.

103
MCQeasy

A company has an external HTTP(S) load balancer with a backend service pointing to an instance group in us-east1. They enable Cloud CDN to improve performance for global users. After enabling, they observe that users in Asia still experience high latency. They verify that the backend instances respond with Cache-Control headers that allow caching. What is the most likely reason for the high latency?

A.The cache TTL is too short.
B.Cloud CDN is not enabled on the correct backend.
C.The load balancer is a regional load balancer, not a global one.
D.The backend instances are in us-east1, too far from Asia.
AnswerC

Regional load balancers do not have global anycast IP, so users far away experience high latency.

Why this answer

Option C is correct because Cloud CDN is available only with the global external Application Load Balancer, whose anycast frontend IP is announced from Google's edge worldwide, so a user in Asia terminates at a nearby point of presence and is served from that edge cache on a hit. A regional external Application Load Balancer has a regional frontend address and no Cloud CDN integration at all, so every request from Asia travels to us-east1 regardless of the Cache-Control headers; the observed latency is exactly what a regional frontend produces.

Exam trap

The trap here is that candidates assume Cloud CDN delivers global low latency regardless of the load balancer type, but the exam tests the distinction between regional and global external Application Load Balancers: only the global one has the anycast frontend and the Cloud CDN integration that place cache hits at the edge nearest the user.

How to eliminate wrong answers

Option A is wrong because a short cache TTL would raise the miss rate and origin load but would not make every Asian user slow; hits would still be served at the edge. Option B is wrong because Cloud CDN is enabled per backend service and the backend service in use is the one in question; the problem is not where CDN is enabled but the load balancer type in front of it. Option D is wrong because distance from us-east1 is precisely what Cloud CDN exists to hide; the latency persists only because a regional load balancer keeps every request on a path to us-east1 with no edge cache in between.
