CCNA Network Services Config Questions

22 of 97 questions · Page 2/2 · Network Services Config topic · Answers revealed

76 · Matching · medium

Match each Cloud Load Balancing type to its description.



Global, proxy-based, for HTTP/S traffic from internet

Regional, pass-through, for traffic within VPC

Regional, proxy-based, for non-HTTP/S internet traffic

Regional, proxy-based, for internal HTTP/S traffic

Global, terminates SSL, for non-HTTPS SSL traffic

Why these pairings

Google Cloud offers various load balancers for different use cases.

77 · Multi-Select · medium

Which TWO considerations are important when designing a VPC peering strategy between multiple projects in Google Cloud?

Select 2 answers
A. Peering is transitive by default
B. Subnet IP ranges in peered VPCs must not overlap
C. Firewall rules in one VPC automatically apply to peered VPCs
D. VPC peering can only be used within the same project
E. Custom routes can be exchanged between peered VPCs if configured
Answers: B, E

Overlapping ranges cause routing issues.

Why this answer

Option B is correct because VPC peering requires that subnet IP ranges in peered VPCs do not overlap. This is a fundamental constraint of VPC peering in Google Cloud: if two VPCs have overlapping CIDR blocks, routes cannot be exchanged unambiguously, and the peering connection will fail to establish or will cause routing conflicts. Overlapping ranges would break the ability to route traffic correctly between the VPCs, as there would be no way to determine which subnet a packet should be delivered to.

Exam trap

Google Cloud often tests the misconception that VPC peering is transitive by default, leading candidates to incorrectly select Option A, when in fact transitivity must be explicitly engineered.

78 · MCQ · hard

A company has a VPC with subnets in us-central1 and europe-west1. They create a Private Service Connect endpoint for a managed service in us-central1. Can Compute Engine instances in europe-west1 access the endpoint?

A. Yes, if they use a global load balancer in front of the endpoint.
B. No, unless the VPC is peered with another VPC that contains the endpoint.
C. Yes, because the endpoint is accessible from any region in the VPC.
D. No, because the endpoint is only accessible from the same region.
Answer: D

Private Service Connect endpoints are regional; instances must be in the same region to access the endpoint.

Why this answer

Private Service Connect (PSC) endpoints are regional resources. An endpoint created in us-central1 is only accessible from Compute Engine instances within the same region (us-central1) of the VPC. Instances in europe-west1 cannot directly reach the endpoint because traffic would need to cross regional boundaries, which PSC does not support for producer endpoints.

Option D correctly identifies this regional restriction.

Exam trap

The trap here is that candidates assume a VPC is a global construct and therefore any resource within it is globally accessible, but Cisco tests the specific regional nature of Private Service Connect endpoints, which are not globally routable within the VPC without additional configuration.

How to eliminate wrong answers

Option A is wrong because a global load balancer does not extend the regional scope of a PSC endpoint; the endpoint itself remains regional, and the load balancer would still need to forward traffic to the endpoint in us-central1, which does not change the regional access limitation. Option B is wrong because VPC peering does not enable cross-region access to a PSC endpoint; the endpoint is tied to the region where it is created, and peering does not override that regional constraint. Option C is wrong because PSC endpoints are not globally accessible within a VPC; they are regional resources, and instances in other regions cannot reach them directly without additional constructs like inter-region VPC peering or VPN, which still do not make the endpoint itself global.

79 · MCQ · easy

A company wants to forward DNS queries from their on-premises network to Google Cloud for resolution of private zone names. Which configuration is required?

A. DNS peering
B. DNS inbound server policy
C. DNS forwarding zone
D. Managed private zone
Answer: B

DNS inbound server policy allows on-premises resolvers to forward queries to Cloud DNS over VPN/Interconnect.

Why this answer

Option B is correct because a DNS inbound server policy allows an on-premises DNS resolver to forward queries to Google Cloud, enabling resolution of private zone names. This policy creates a forwarding path from on-premises to Cloud DNS using a specific inbound endpoint, which is required for hybrid cloud DNS resolution.

Exam trap

The trap here is that candidates confuse the direction of DNS forwarding—assuming a forwarding zone (which sends queries from Cloud to on-premises) is the same as an inbound policy (which receives queries from on-premises)—and overlook that the question specifies forwarding from on-premises to Google Cloud.

How to eliminate wrong answers

Option A is wrong because DNS peering is used to enable resolution between two Google Cloud VPC networks, not for forwarding queries from an on-premises network. Option C is wrong because a DNS forwarding zone is a Cloud DNS configuration that forwards queries from Google Cloud to an on-premises resolver, not the reverse direction required here. Option D is wrong because a managed private zone only hosts DNS records within Google Cloud and does not provide any mechanism to receive or forward queries from external networks.

80 · MCQ · medium

A company is deploying an internal HTTP application on Compute Engine instances. The application must be load-balanced across multiple instances in different regions, but only accessible from within the same VPC. Which load balancer type meets these requirements?

A. Internal HTTP(S) Load Balancer
B. External TCP/UDP Load Balancer
C. External HTTP(S) Load Balancer
D. Internal TCP/UDP Load Balancer
Answer: A

Internal HTTP(S) LB can be configured with backends in multiple regions and is internal to the VPC.

Why this answer

An Internal HTTP(S) Load Balancer is a regional, internal-only load balancer that distributes HTTP/HTTPS traffic among Compute Engine instances within the same VPC network. It uses an internal IP address and is not accessible from outside the VPC, meeting the requirement for internal-only access while providing cross-region load balancing via a multi-region backend service.

Exam trap

Google Cloud often tests the misconception that any 'internal' load balancer can handle HTTP traffic, but the Internal TCP/UDP Load Balancer (option D) operates at layer 4 and cannot inspect or route HTTP application-layer data, making it unsuitable for an HTTP application.

How to eliminate wrong answers

Option B is wrong because an External TCP/UDP Load Balancer is designed for traffic originating from the internet, using external IP addresses, and does not support internal-only VPC access. Option C is wrong because an External HTTP(S) Load Balancer also uses external IP addresses and is intended for internet-facing applications, not for traffic confined to a VPC. Option D is wrong because an Internal TCP/UDP Load Balancer handles non-HTTP traffic (TCP/UDP) and cannot perform HTTP-level content-based routing or terminate TLS, which is required for an HTTP application.

81 · MCQ · easy

A company has a Cloud VPN tunnel to on-premises. They want on-premises clients to resolve private DNS names in the VPC. Which service should they configure?

A. Inbound DNS policy
B. Outbound DNS policy
C. Cloud NAT
D. Private Google Access
Answer: A

An inbound DNS policy allows on-premises DNS servers to forward queries to Cloud DNS.

Why this answer

Option A is correct: an inbound DNS policy forwards DNS queries from on-premises DNS servers to Cloud DNS, enabling resolution of private zone names. Option C is for outbound internet; Option D only gives VMs access to Google APIs; Option B is for VMs to forward queries to on-premises.

82 · Multi-Select · medium

Which THREE components are required when configuring an internal TCP/UDP load balancer? (Choose THREE.)

Select 3 answers
A. Health check
B. Backend service
C. External IP address
D. SSL certificate
E. Forwarding rule
Answers: A, B, E

Health checks determine which backends receive traffic.

Why this answer

An internal load balancer requires a backend service (Option B) to define the instance group and port mapping, a health check (Option A) to monitor backend health, and a forwarding rule (Option E) to assign the internal VIP. Option C is incorrect because internal LBs use internal IP addresses. Option D is only needed for HTTPS external LBs.

83 · Multi-Select · easy

Which TWO network services can be used to provide secure connectivity between a VPC and an on-premises data center without traversing the public internet? (Choose two.)

Select 2 answers
A. Cloud VPN with IPsec
B. Cloud NAT
C. Dedicated Interconnect
D. VPC Network Peering
E. Partner Interconnect
Answers: C, E

Interconnect provides direct private connection.

Why this answer

Dedicated Interconnect (C) provides a direct, private physical connection between your on-premises network and Google's VPC, bypassing the public internet entirely. This ensures low latency, high bandwidth, and consistent network performance for secure hybrid cloud connectivity.

Exam trap

Google Cloud often tests the distinction between 'secure connectivity' and 'private connectivity' — candidates mistakenly choose Cloud VPN (IPsec) because it is encrypted, but the question explicitly requires no traversal of the public internet, which only Dedicated or Partner Interconnect can guarantee.

84 · MCQ · easy

A network engineer is configuring a Cloud Router for BGP peering with an on-premises router over a VPN tunnel. The on-premises router uses 169.254.x.x link-local addresses. Which BGP peer IP should the engineer use in the Cloud Router configuration?

A. 169.254.0.1
B. 10.0.0.1
C. The tunnel's external IP address
D. The on-premises router's external IP address
Answer: A

Google requires BGP peer IPs to be in the 169.254.0.0/16 range for Cloud VPN tunnels.

Why this answer

The correct BGP peer IP is 169.254.0.1 because Cloud Router uses the first IP in the 169.254.0.0/16 link-local range for BGP peering over a VPN tunnel. This is required by Google Cloud's implementation, where the on-premises router must use a link-local address from the 169.254.0.0/16 range, and Cloud Router automatically assigns 169.254.0.1 as its own BGP peer IP. The on-premises router typically uses 169.254.0.2 as its BGP peer IP, ensuring a point-to-point link-local BGP session.

Exam trap

Google Cloud often tests the misconception that BGP peering over a VPN tunnel uses the tunnel's external IP addresses or private RFC 1918 addresses, but the correct answer requires knowledge that Google Cloud mandates link-local 169.254.x.x addresses for BGP sessions.

How to eliminate wrong answers

Option B is wrong because 10.0.0.1 is a private RFC 1918 address, not a link-local address, and Cloud Router requires a 169.254.x.x address for BGP peering over VPN tunnels. Option C is wrong because the tunnel's external IP address is the public IP of the VPN gateway, which is used for the tunnel establishment itself, not for BGP peering; BGP peering uses link-local addresses within the tunnel. Option D is wrong because the on-premises router's external IP address is its public-facing IP, which is used for the VPN tunnel endpoint, not for the BGP session; BGP peering must use link-local addresses from the 169.254.0.0/16 range.

85 · Multi-Select · hard

Which THREE components are necessary to configure a global external HTTP(S) load balancer with Cloud CDN and an origin backend that requires authentication? (Choose three.)

Select 3 answers
A. A TCP or SSL proxy for protocol optimization.
B. A regional external HTTP(S) load balancer as the entry point.
C. An origin access identity (e.g., service account) to authenticate to the backend.
D. A backend bucket configured with Cloud CDN enabled.
E. Cloud Armor security policies to protect against attacks.
Answers: C, D, E

To access authenticated backends, you need a service account or signed URLs.

Why this answer

Option C is correct because when the origin backend (e.g., an external HTTP server or a custom origin) requires authentication, you must configure an origin access identity, typically a Google-managed service account, to authenticate requests from Cloud CDN to the origin. This ensures that only authorized CDN edge caches can fetch content from the backend, preventing direct unauthenticated access.

Exam trap

Google Cloud often tests the misconception that a regional load balancer can be used with Cloud CDN, but Cloud CDN requires a global external HTTP(S) load balancer to leverage the global anycast IP and edge cache infrastructure.

86 · MCQ · medium

A DevOps team is configuring a VPC with a subnet in us-east1. They need to allow a specific VM (source IP 10.0.1.2) to access a database VM (destination IP 10.0.2.3) on port 3306, but only from that specific source. All other traffic should be denied. Which firewall rule configuration should they use?

A. Create an egress rule on the source VM's network interface allowing traffic to 10.0.2.3/32 on port 3306.
B. Create an ingress rule with priority 1000, action allow, source 10.0.1.2/32, protocol all, target service account = db-sa.
C. Create an ingress rule with priority 1000, action allow, source 10.0.1.2/32, protocol tcp:3306, target tags = db, and assign the 'db' tag to the database VM.
D. Create an ingress rule with priority 1000, action allow, source 10.0.1.2/32, protocol tcp:3306, target 10.0.2.3/32.
Answer: C

Ingress rule with specific source and port allows the required traffic when tag is assigned to destination VM.

Why this answer

Option C is correct because it creates an ingress firewall rule with the highest priority (1000 is the default for custom rules) that explicitly allows TCP traffic on port 3306 from source IP 10.0.1.2/32 to any VM tagged with 'db'. By assigning the 'db' tag to the database VM, the rule applies only to that target, and since VPC firewall rules are stateful, the corresponding return traffic is automatically allowed. All other traffic is denied by the implied deny-all rule (priority 65535), meeting the requirement.

Exam trap

The trap here is that candidates often confuse ingress vs. egress rules or try to target a specific destination IP in a firewall rule, but GCP firewall rules only support targets via tags, service accounts, or the entire network, not by IP address.

How to eliminate wrong answers

Option A is wrong because egress rules control outbound traffic from the source VM, but the requirement is to allow inbound traffic to the database VM; egress rules cannot permit ingress connections. Option B is wrong because it specifies 'protocol all', which would allow all protocols (including non-TCP) on all ports, violating the requirement to restrict to port 3306 only. Option D is wrong because firewall rules cannot target a specific IP address as a destination; they target VMs via tags, service accounts, or the entire VPC, and the destination IP is not a valid target specifier in GCP firewall rules.

87 · MCQ · medium

A multinational corporation has deployed a multi-region application on Google Kubernetes Engine (GKE) clusters in us-central1 and europe-west1. The application serves global users and requires low-latency access to a shared database hosted on Cloud SQL in us-central1. The network team has configured Cloud VPN tunnels between each region and the on-premises data center for administrative access. The application instances in europe-west1 are experiencing high latency when connecting to the Cloud SQL instance in us-central1. The team wants to reduce latency without migrating the database. The team has already verified that the Cloud SQL instance has private IP enabled and is peered to a shared VPC that spans both regions. The GKE clusters are in the same shared VPC. What should the team do?

A. Configure Private Service Connect to expose the Cloud SQL instance from us-central1 and access it via a service attachment from europe-west1.
B. Configure a global external HTTP(S) load balancer in front of the Cloud SQL instance.
C. Create a Cloud Interconnect connection from europe-west1 to the on-premises data center and route traffic through the on-premises network to reach us-central1.
D. Enable Cloud SQL public IP and allow the GKE nodes in europe-west1 to connect over the internet using Cloud NAT.
Answer: A

Private Service Connect provides low-latency, private cross-region access to Cloud SQL without traversing the internet or on-premises.

Why this answer

Option A is correct because Private Service Connect (PSC) allows the Cloud SQL instance in us-central1 to be accessed from europe-west1 via a service attachment and a private endpoint, enabling traffic to traverse Google's internal network without backhauling through the on-premises data center. This reduces latency by keeping the traffic within Google's backbone, avoiding the longer path through the Cloud VPN and on-premises network. PSC supports cross-region connectivity with private IP, which aligns with the requirement to not migrate the database.

Exam trap

Google Cloud often tests the misconception that cross-region private connectivity must go through a VPN or on-premises network, when in fact Private Service Connect can provide direct, low-latency access within Google's network without additional infrastructure.

How to eliminate wrong answers

Option B is wrong because a global external HTTP(S) load balancer is designed for HTTP/HTTPS traffic to application backends, not for proxying database connections like Cloud SQL, and it would introduce unnecessary overhead and protocol incompatibility. Option C is wrong because creating a Cloud Interconnect to the on-premises data center and routing traffic through it would add additional latency and complexity, as traffic would still need to traverse the on-premises network to reach us-central1, defeating the purpose of reducing latency. Option D is wrong because enabling Cloud SQL public IP and connecting over the internet via Cloud NAT would expose the database to public internet risks and increase latency due to internet routing, while also violating the requirement to use private IP.

88 · MCQ · hard

A company has a VPC with multiple subnets. They want to restrict traffic between two specific subnets (10.0.1.0/24 and 10.0.2.0/24) while allowing all other traffic. They create a firewall rule with priority 1000 denying ingress from 10.0.1.0/24 to 10.0.2.0/24. However, traffic is still allowed. What is the most likely reason?

A. The rule is incorrectly applied to the wrong network tag
B. The traffic is going through the metadata server
C. There is a higher priority allow rule that matches the traffic
D. Firewall rules are stateless, so return traffic is blocked
Answer: C

Higher priority allow rule can override deny.

Why this answer

Option C is correct because in Google Cloud VPC firewall rules, lower priority numbers indicate higher precedence. A rule with priority 1000 is evaluated after any rule with a priority lower than 1000 (e.g., priority 65535 is the default allow rule). If a higher priority (lower number) allow rule exists that matches the same traffic, it will override the deny rule.

The default VPC firewall rules include an implicit allow rule for egress and an ingress allow rule for traffic within the same VPC, which may have a higher priority than 1000, thus permitting the traffic despite the deny rule.

Exam trap

Google Cloud often tests the misconception that a deny rule with a higher priority number (e.g., 1000) will override allow rules with lower priority numbers, when in fact lower numbers have higher precedence.

How to eliminate wrong answers

Option A is wrong because network tags are used to apply firewall rules to specific VM instances, not to subnets; the rule is applied to the subnet via the source and destination IP ranges, not tags. Option B is wrong because the metadata server (169.254.169.254) is used for instance metadata and does not route traffic between subnets; traffic between subnets goes through the VPC's internal routing, not the metadata server. Option D is wrong because Google Cloud VPC firewall rules are stateful by default, meaning return traffic is automatically allowed; the issue is not about statelessness but about rule priority.

89 · MCQ · medium

A company has two VPC networks (VPC-A and VPC-B) in the same project. They are connected via VPC peering. VPC-A contains an internal TCP load balancer with IP 10.1.2.3 serving on port 80. VPC-B needs to access this load balancer. The network engineer has verified that the firewall rules allow traffic from VPC-B to the load balancer's IP and port. However, instances in VPC-B cannot connect to 10.1.2.3:80. What is the most likely reason for this failure?

A. Internal load balancers are regional; clients must be in the same region as the load balancer when using VPC peering.
B. The VPC peering connection does not propagate routes for the load balancer IP.
C. The backend instances are unhealthy and the load balancer is not serving traffic.
D. Firewall rules in VPC-B are not allowing egress to the load balancer IP.
Answer: A

Internal TCP/UDP LBs are regional and only accept connections from VPCs in the same region via peering.

Why this answer

Option A is correct: internal TCP/UDP load balancers are regional and only accept traffic from clients in the same region when using VPC peering. The load balancer is in a specific region (e.g., us-central1), but if VPC-B's instances are in a different region (e.g., us-west1), they will not be able to reach the internal LB via peering unless the LB has global access enabled (which is only available for external LBs). Option D is incorrect because firewall rules are already verified.

Option B is irrelevant; VPC peering does not insert a default route for load balancer IPs. Option C is incorrect because health checks are for the load balancer to backends, not client connectivity.

90 · Multi-Select · hard

A company uses Cloud VPN with dynamic routing (BGP). The on-premises network advertises a prefix that overlaps with a subnet in the VPC. Which TWO actions can resolve this conflict? (Choose TWO.)

Select 2 answers
A. Delete the conflicting subnet in the VPC.
B. Modify the on-premises BGP advertisement to use a more specific prefix (longer subnet mask) that does not overlap.
C. Use route propagation with a filter in the VPC route table.
D. Create a static route in the VPC with the same prefix as the overlapping route.
E. Use Cloud Router custom route advertisements to control which routes are learned or advertised.
Answers: B, E

A more specific prefix will be preferred for traffic destined to that subnet, eliminating the conflict.

Why this answer

Option B: advertise a more specific prefix from on-premises (e.g., a smaller CIDR block) to differentiate traffic. Option E: on Cloud Router, configure custom route advertisements to filter or modify the overlapping route. Option D would not work because a static route cannot override a dynamic route with the same prefix length; the more specific route wins.

Option A is too drastic and unnecessary. Option C is not a native feature.

91 · Multi-Select · easy

A network engineer is designing a hybrid cloud architecture connecting an on-premises data center to Google Cloud via Dedicated Interconnect. The on-premises network uses BGP for dynamic routing. The engineer needs to configure Cloud Router to exchange routes with the on-premises router. Which two configuration steps are required? (Choose two.)

Select 2 answers
A. Enable the BGP session on the Cloud Router and configure the peer IP address and ASN.
B. Create a VLAN attachment for the Interconnect connection.
C. Configure a static route in Google Cloud VPC with the on-premises prefix.
D. Assign a primary and secondary IP range to the Cloud Router interface.
E. Configure the Cloud Router with the same ASN as the on-premises router.
Answers: A, B

A BGP session is needed to exchange routes with the on-premises router.

Why this answer

Option A is correct because Cloud Router uses BGP to dynamically exchange routes with the on-premises router over Dedicated Interconnect. Enabling the BGP session requires configuring the peer IP address (the on-premises router's interface IP) and the on-premises ASN, which allows the two routers to establish a BGP peering and exchange prefixes.

Exam trap

Google Cloud often tests the misconception that Cloud Router must use the same ASN as the on-premises router, but eBGP requires different ASNs, and Cloud Router does not support iBGP for Dedicated Interconnect.

92 · MCQ · easy

You want to manage DNS records for a domain that you own in Google Cloud DNS. You create a public managed zone and add A records. After waiting several hours, the domain does not resolve. What is the most likely missing step?

A. Update the registrar's name servers to the Google Cloud DNS name servers.
B. Create a private zone for the domain.
C. Enable DNSSEC for the zone.
D. Set up DNS forwarding to Google's public DNS.
Answer: A

The domain will not resolve until the registrar points to Google's name servers.

Why this answer

Option A is correct because after creating a public zone, you must update the domain's registrar name servers to point to the Google Cloud DNS name servers assigned to the zone. Option C is wrong because DNSSEC is optional. Option B is wrong because a private zone is for internal DNS.

Option D is wrong because forwarding is not required for public resolution.

93 · MCQ · medium

A company has two VPC networks in the same project: Network A (hosting a private zone for 'example.internal.') and Network B. They are connected via VPC peering. The network engineer created a DNS peering zone in Network B for 'example.internal.' pointing to Network A. However, instances in Network B cannot resolve 'host.example.internal.' which is defined in Network A's private zone. The engineer verified that the peering zone is active and the networks are properly peered. What is the most likely reason for the resolution failure?

A. An inbound server policy must be created in Network A.
B. The peering zone should be a forwarding zone instead.
C. An outbound server policy must be created in Network B.
D. The private zone in Network A is not configured to allow resolution from peered networks.
Answer: D

Private zones must explicitly list which VPC networks can query them via peering.

Why this answer

Option D is correct because Cloud DNS private zones do not automatically allow resolution from peered VPC networks unless explicitly configured. Even though VPC peering and DNS peering are active, the private zone in Network A must have its 'Allow resolution from peered networks' setting enabled. Without this, queries from Network B via the DNS peering zone are rejected, causing resolution failures for records like 'host.example.internal.'.

Exam trap

Google Cloud often tests the distinction between VPC peering connectivity and DNS resolution permissions, trapping candidates who assume that active VPC peering and a DNS peering zone are sufficient without checking the private zone's peering settings.

How to eliminate wrong answers

Option A is wrong because an inbound server policy is used to allow DNS queries from on-premises or external networks into a VPC, not for VPC peering scenarios. Option B is wrong because a forwarding zone is used to send queries to a specific target (e.g., on-premises DNS), whereas a peering zone is the correct type for recursively resolving from another VPC's private zone. Option C is wrong because an outbound server policy controls DNS queries leaving a VPC to on-premises or external targets, not for resolving via a peering zone within the same project.

94 · MCQ · medium

A company uses Cloud NAT to allow private instances to reach the internet. They notice that egress traffic from Compute Engine VMs is intermittently failing. The VMs are in us-central1-a and use the default VPC network. Cloud NAT is configured with a single NAT IP address. What is the most likely cause?

A. Missing default route to Internet gateway
B. Port exhaustion due to insufficient NAT IP addresses
C. Cloud NAT not configured in the correct region
D. Firewall rule blocking egress traffic from VM
Answer: B

A single NAT IP provides limited ports; many VMs can exhaust them.

Why this answer

Cloud NAT uses source network address translation (SNAT) to map private VM IPs to a public NAT IP. With only a single NAT IP address, the available port range (typically 64,512 ephemeral ports per NAT IP per VM) can be exhausted under high egress traffic, causing intermittent failures. This is the most likely cause given the symptom of intermittent failures and the single IP configuration.

Exam trap

Google Cloud often tests the misconception that Cloud NAT automatically scales with traffic or that a single NAT IP is sufficient for any workload, when in reality port exhaustion is a common scaling bottleneck.

How to eliminate wrong answers

Option A is wrong because the default VPC network already includes a default route (0.0.0.0/0) pointing to the internet gateway, so a missing default route is not the issue. Option C is wrong because Cloud NAT is regionally scoped, and the VMs are in us-central1-a, which is within the us-central1 region; if the NAT were misconfigured for a different region, no traffic would work at all, not just intermittently. Option D is wrong because firewall rules in VPC are stateful and allow return traffic; an egress firewall rule blocking traffic would cause consistent failure, not intermittent, and the default VPC allows all egress by default.

95 · MCQ · easy

A startup is deploying a microservices application on Google Kubernetes Engine (GKE). They want to expose a service to the internet using a load balancer that provides SSL termination and supports WebSocket. Which type of Service should they use?

A. Create a Service of type ClusterIP and use an Ingress resource with a backendConfig.
B. Create a Service of type LoadBalancer with an HTTP(S) load balancer.
C. Create a Service of type NodePort and configure an external TCP/UDP load balancer.
D. Create a Headless Service with an external DNS A record pointing to the pod IPs.
Answer: B

GKE integrates with Cloud Load Balancing; HTTP(S) LB supports SSL and WebSocket.

Why this answer

A Service of type LoadBalancer with an HTTP(S) load balancer is correct because it provides a public IP address, handles SSL termination at the load balancer level, and natively supports WebSocket connections without additional configuration. This is the simplest and most direct way to expose a microservice to the internet with these requirements on GKE.

Exam trap

Google Cloud often tests the misconception that an Ingress resource is always required for SSL termination and WebSocket support, but in GKE, a LoadBalancer Service with an HTTP(S) load balancer directly provides these features without the complexity of Ingress.

How to eliminate wrong answers

Option A is wrong because a ClusterIP Service is only reachable within the cluster, and while an Ingress with a backendConfig can provide SSL termination, it does not inherently support WebSocket without additional annotations and configuration, making it less straightforward. Option C is wrong because a NodePort Service exposes a static port on each node, but an external TCP/UDP load balancer does not provide SSL termination (which requires an HTTP/HTTPS layer) and is not the recommended approach for HTTP-based WebSocket traffic. Option D is wrong because a Headless Service is used for stateful workloads and DNS-based service discovery, not for exposing a service to the internet with SSL termination and load balancing.

96 · MCQ · medium

A company has a VPC with subnets in us-east1 and europe-west1. They have deployed a global external HTTP(S) load balancer with backend services in both regions. Users in Europe report high latency. What is the most likely cause?

A. Incorrect health check configuration causing backends to be marked unhealthy
B. Firewall rules blocking traffic from the load balancer's health check probes
C. The load balancer is not enabled for global access
D. Session affinity set to CLIENT_IP, causing sticky sessions to a distant backend
Answer: D

Traffic might be pinned to us-east1 even for European users.

Why this answer

Option D is correct because CLIENT_IP session affinity causes the load balancer to hash the client's IP address to a specific backend instance. If a user in Europe is hashed to a backend in us-east1, all their requests will be forwarded to that distant region, resulting in high latency. This occurs even though a healthy backend exists in europe-west1, because the affinity overrides the load balancer's normal least-latency or proximity-based routing.

Exam trap

Google Cloud often tests the misconception that high latency is always caused by health check or firewall issues, when in fact session affinity can override geographic routing and force traffic to a distant backend.

How to eliminate wrong answers

Option A is wrong because incorrect health checks would cause backends to be marked unhealthy, leading to 502 errors or failover to healthy backends, not consistently high latency to a distant region. Option B is wrong because firewall rules blocking health check probes would also cause backends to be marked unhealthy, not sustained high latency; the load balancer would stop sending traffic to those backends. Option C is wrong because global external HTTP(S) load balancers are inherently global by design; there is no 'global access' toggle to enable—they always route traffic to the closest healthy backend based on the client's location and backend capacity.

97 · MCQ · easy

A company uses Cloud NAT to enable outbound connectivity for private VMs. They notice that some VMs are not able to reach a specific external IP range. The VMs have no tags or service accounts. What is the most likely cause?

A. Cloud NAT requires each VM to have a unique external IP address.
B. The VMs need a default route pointing to the NAT gateway.
C. A static route must be created for the external IP range via the NAT gateway.
D. The VMs might be in a different subnet than the one where Cloud NAT is configured.
Answer: D

Cloud NAT is applied per subnet; VMs in other subnets won't use it unless also configured.

Why this answer

Option D is correct because Cloud NAT uses the source IP address of the VM to determine which NAT IP to use, and if the VM is not in the subnet where Cloud NAT is configured, it won't use that NAT. Option B is wrong because Cloud NAT does not require a default route via the NAT gateway; it works with dynamic routes. Option C is wrong because there is no static route requirement.

Option A is wrong because Cloud NAT does use unique external IPs per VM if configured, but that wouldn't block traffic.
