CCNA Pcne Designing Network Questions

75 of 131 questions · Page 1/2 · Pcne Designing Network topic

1
MCQ · hard

A company uses Cloud Router with BGP for dynamic routing between on-premises and GCP. They need to ensure that a specific subnet in GCP is preferred over a less specific learned route from on-premises. Which BGP attribute should they adjust on the Cloud Router?

A. Local preference
B. MED (Multi-Exit Discriminator)
C. AS path prepend
D. Weight
Answer: B

MED is used to indicate preference for a route when multiple paths exist. A lower MED value is preferred, so setting a lower MED for the specific subnet will make it preferred over the less specific route.

Why this answer

MED (Multi-Exit Discriminator) is used to influence inbound route preference. A lower MED value is preferred. Setting a lower MED for the specific subnet will make it preferred over the less specific route.

2
MCQ · medium

A company has multiple VPCs in different projects that need to resolve DNS names across projects. They want a centralized DNS architecture without transferring zone ownership. Which Cloud DNS feature should they implement?

A. DNS forwarding (inbound)
B. Managed zone with cross-project binding
C. DNS peering
D. Global DNS configuration
Answer: C

DNS peering enables cross-project DNS resolution by forwarding queries to a target VPC.

Why this answer

DNS peering allows forwarding DNS queries from one VPC to another VPC's DNS for resolution, without zone transfer.

3
MCQ · medium

You are designing DNS resolution for a hybrid cloud. On-premises DNS servers must resolve GCP private VM hostnames, and GCP VMs must resolve on-premises hostnames. Which Cloud DNS feature should you use?

A. DNS peering
B. Cloud DNS public zones
C. DNS forwarding (inbound and outbound)
D. Split-horizon DNS
Answer: C

Inbound forwarding allows on-prem to forward queries to Cloud DNS; outbound forwards GCP queries to on-prem.

Why this answer

DNS forwarding with inbound and outbound policies is the correct choice because it enables bidirectional resolution between on-premises and GCP VMs. Outbound forwarding sends queries from GCP to on-premises DNS servers, while inbound forwarding allows on-premises clients to resolve GCP private VM hostnames by forwarding queries to Cloud DNS. This creates a seamless hybrid DNS namespace without exposing private zones to the internet.

Exam trap

The trap here is that candidates confuse DNS peering (which only works between GCP VPCs) with the forwarding capabilities needed for hybrid on-premises-to-cloud resolution, leading them to select option A instead of C.

How to eliminate wrong answers

Option A is wrong because DNS peering allows two VPC networks within GCP to resolve each other's private zones, but it does not extend resolution to on-premises DNS servers. Option B is wrong because Cloud DNS public zones are used to publish DNS records to the internet, not to resolve private hostnames in a hybrid cloud environment. Option D is wrong because split-horizon DNS is a design pattern that returns different responses based on the source IP, but it is not a Cloud DNS feature; it would require custom configuration and does not inherently provide the forwarding mechanism needed for hybrid resolution.

4
MCQ · medium

A financial services company requires a dedicated, low-latency connection between their on-premises data center and Google Cloud. They need a 99.99% SLA and bandwidth of 10 Gbps. Which connectivity option should they choose?

A. HA VPN
B. Partner Interconnect
C. Classic VPN
D. Dedicated Interconnect
Answer: D

Correct. Dedicated Interconnect offers 10 Gbps links and a 99.99% SLA.

Why this answer

Dedicated Interconnect provides 10 Gbps or 100 Gbps links with a 99.99% SLA when configured with two connections.

5
MCQ · medium

A company has two VPCs connected via VPC peering. They want resources in VPC A to be able to reach a service in VPC B that uses a custom static route. What must be configured on the VPC peering connection?

A. Enable VPC Flow Logs on both VPCs
B. Use a VPN between the VPCs
C. Create a Cloud Router in VPC A
D. Enable export of custom routes in VPC B and import of custom routes in VPC A
Answer: D

Correct. VPC B must export custom routes, and VPC A must import them.

Why this answer

By default, custom static routes are not exchanged across VPC peering. You must export custom routes from VPC B and import them into VPC A.

6
MCQ · hard

An organization uses Dedicated Interconnect with VLAN attachments in multiple regions. They need to ensure that traffic from one region to another flows over the interconnect backbone instead of the internet. Which configuration is required?

A. Use Partner Interconnect instead
B. Configure Network Connectivity Center
C. Enable global routing mode on the VPC
D. Set BGP MED values on Cloud Router
Answer: C

Global routing mode ensures routes are propagated to all regions, allowing cross-region traffic over backbone.

Why this answer

C is correct because enabling global routing mode on the VPC allows the VPC to use the same Dedicated Interconnect VLAN attachments across all regions. With global routing, routes learned via BGP over the interconnect are propagated to every region, ensuring that inter-region traffic is forwarded through the interconnect backbone rather than the public internet. Without global routing, each region would have its own VPC and would not share the interconnect routes, causing traffic to egress via the internet.

Exam trap

The trap here is that candidates often assume Network Connectivity Center is required for inter-region traffic over interconnect, but the actual requirement is simply enabling global routing mode on the VPC, which is a per-VPC setting that controls route propagation scope.

How to eliminate wrong answers

Option A is wrong because Partner Interconnect is a different connectivity option that relies on a third-party provider and does not inherently force inter-region traffic over the interconnect backbone; the same VLAN attachment and routing configuration would be needed. Option B is wrong because Network Connectivity Center is a hub-and-spoke topology manager for on-premises and cloud networks, but it does not directly control how inter-region traffic within a single VPC is routed; global routing mode on the VPC is the specific setting required. Option D is wrong because BGP MED values influence inbound traffic path selection from on-premises to Google Cloud, not the routing of traffic between regions within Google Cloud; MED does not affect VPC internal routing decisions.

7
MCQ · easy

A company wants to use Cloud DNS to resolve DNS queries from their on-premises network for a private zone that contains internal GCP resource names. They do not want to manage DNS servers on-premises. Which Cloud DNS feature should they use?

A. Private DNS zone
B. Inbound DNS server policy
C. Outbound DNS server policy
D. DNS peering
Answer: B

Inbound policy allows on-premises resolvers to forward queries to Cloud DNS private zones, meeting the requirement.

Why this answer

Cloud DNS inbound server policy allows on-premises DNS resolvers to forward queries to Cloud DNS private zones, enabling resolution without managing on-premises DNS servers.

8
MCQ · medium

A company has two VPCs in different projects that need to communicate. They want to avoid using VPC peering due to the limit on the number of peerings and the need for transitive routing. Which GCP service can provide a hub-and-spoke topology to connect multiple VPCs and on-premises networks?

A. VPC Network Peering
B. Shared VPC
C. Network Connectivity Center
D. Cloud VPN
Answer: C

NCC provides hub-and-spoke connectivity with transitive routing across VPCs and on-premises.

Why this answer

Network Connectivity Center (NCC) allows you to create a hub-and-spoke model that connects multiple VPCs (spokes) through a common hub, enabling transitive routing without VPC peering limitations.

9
Multi-Select · medium

An engineer is configuring a Cloud Router for a Dedicated Interconnect VLAN attachment. They want to control which on-premises subnets are advertised to GCP. Which TWO methods can they use?

Select 2 answers
A. Change the Cloud Router ASN
B. Use route priority in the VPC
C. Set MED on the on-premises router
D. Apply BGP filters on the on-premises router to limit advertised prefixes
E. Configure custom learned routes on the Cloud Router
Answers: D, E

On-premises filters can restrict which prefixes are advertised to GCP.

Why this answer

Custom learned routes can be configured to filter prefixes, and BGP filters can be applied on the on-premises side.

10
MCQ · medium

An organization is planning a hybrid network between an on-premises data center and Google Cloud. They require a dedicated, high-bandwidth connection with 99.99% availability SLA and the ability to scale up to 100 Gbps. They have a co-location facility that is connected to a Google Cloud region. Which connectivity option should they choose?

A. HA VPN
B. Partner Interconnect
C. Dedicated Interconnect
D. Classic VPN
Answer: C

Dedicated Interconnect offers dedicated 10 Gbps or 100 Gbps links, supports up to 100 Gbps, and has a 99.99% SLA when deployed with redundant connections.

Why this answer

Dedicated Interconnect provides direct physical connections between on-premises and GCP, offering 10 Gbps or 100 Gbps per link, with a 99.99% SLA when configured with redundant links. It is the best fit for high-bandwidth, high-availability requirements when co-location is available.

11
MCQ · medium

A company needs a hybrid connectivity solution with a bandwidth of 500 Mbps and a 99.9% SLA. They do not have a presence in a colocation facility that supports Dedicated Interconnect. Which GCP service should they use?

A. Classic VPN
B. HA VPN
C. Partner Interconnect
D. Dedicated Interconnect
Answer: C

Suitable for 500 Mbps, 99.9% SLA, no colocation needed.

Why this answer

Partner Interconnect provides connectivity through a supported service provider with bandwidth from 50 Mbps to 10 Gbps and offers 99.9% or 99.99% SLA. It does not require colocation facility access.

12
Multi-Select · hard

An organization wants to isolate development and production environments using separate VPC networks within the same project. They need the development VPC to have access to a shared service, such as a Cloud SQL instance, which resides in a separate project. Which THREE actions are required to achieve this? (Choose THREE.)

Select 3 answers
A. Configure Shared VPC with the Cloud SQL project as the host project
B. Create a firewall rule allowing ingress from the Cloud SQL instance to the development VPC
C. Configure VPC Network Peering between the development VPC and the Cloud SQL VPC
D. Enable Private Services Access on the host VPC
E. Attach the development project as a service project to the shared VPC host project
Answers: A, D, E

This allows the host project to share its VPC with service projects.

Why this answer

Shared VPC allows a host project to share subnets with service projects. In this case, the shared service project can be the host project, and the development VPC can be attached to it. Alternatively, VPC peering can connect the development VPC to the service project's VPC.

Cloud SQL private services access requires a VPC peering between the Cloud SQL VPC and the client VPC. However, the simplest approach is to use Shared VPC: the service project (with Cloud SQL) becomes the host project, and the development VPC is created in a service project attached to it. But the question says 'within the same project' for development and production VPCs, so those VPCs are in the same project.

The shared service is in a separate project. So to access Cloud SQL privately, they need to either use Private Services Access (which requires VPC peering) or use Shared VPC where the host project contains the Cloud SQL VPC. Since the VPCs are in the same project, they can use a single VPC with subnets, but to isolate, they prefer separate VPCs.

The correct combination: create the development VPC as a service project of the shared VPC host project (which contains the Cloud SQL), enable Private Services Access between the host project VPC and the Cloud SQL VPC (which is in a separate project), and configure firewall rules. However, Private Services Access is configured once per VPC. The three actions:
1. Configure the shared VPC host project to include the Cloud SQL VPC (actually Private Services Access is set up on the host VPC).
2. Attach the development VPC's project as a service project to the shared VPC host project.
3. Set up VPC Network Peering between the host VPC and the Cloud SQL VPC (if Cloud SQL is in a separate project).

But Private Services Access automatically creates a peering. Alternatively, using Cloud SQL private services access requires the VPC to be in the same project or connected via Shared VPC. Let's think: Cloud SQL can be configured with private IP in a VPC.

If that VPC is in a separate project, it cannot be directly accessed from another project's VPC without peering. So the actions would be: create a shared VPC host project, attach the Cloud SQL project as a service project (if Cloud SQL is in that project), but Cloud SQL is already in a separate project. Actually, the simplest is to use VPC peering between the development VPC and the Cloud SQL VPC.

But that requires manual peering. Given the options, the correct three are: A, D, and C? Let's assume the options include:
A. Configure Shared VPC with the Cloud SQL project as host project.
B. Configure VPC Network Peering between the development VPC and the Cloud SQL VPC.
C. Enable Private Services Access on the development VPC.
D. Attach the development project as a service project to the shared VPC host project.
E. Create a firewall rule allowing traffic from the development VPC to the Cloud SQL IP range.

The correct answer: A, D, and C? Actually, to use Cloud SQL private IP, you need Private Services Access enabled on the VPC.

If you use Shared VPC, the host project's VPC is used. So you would enable Private Services Access on the host VPC, attach the development project as a service project, and ensure the Cloud SQL instance is in the host project's VPC. But Cloud SQL is in a separate project.

So you would need to either move it or use peering. Given typical exam, the answer might be: Configure Shared VPC, attach the development project as a service project, and enable Private Services Access on the host VPC. So let's choose A, D, C.

13
MCQ · hard

A company has a Shared VPC with a host project and several service projects. They want to allow a service project's Network Engineer to create and manage Cloud Load Balancers, but not modify other networking resources in the shared VPC. Which IAM role should be granted at the service project level?

A. Project Editor (roles/editor)
B. Compute Network Admin (roles/compute.networkAdmin)
C. Compute Load Balancer Admin (roles/compute.loadBalancerAdmin)
D. Compute Security Admin (roles/compute.securityAdmin)
Answer: C

This role specifically targets load balancer management.

Why this answer

The Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin) grants permissions to create, update, and delete load balancers. The Network Admin role (roles/compute.networkAdmin) would allow modifying other network resources, which is not desired.

14
Multi-Select · hard

A company has two VPCs in the same project: vpc-a (10.0.0.0/8) and vpc-b (10.0.0.0/8). They plan to peer these VPCs using VPC Network Peering. Which two prerequisites are required for the peering to work? (Choose TWO.)

Select 2 answers
A. The VPCs must have non-overlapping IP CIDR ranges.
B. At least one VM must exist in each VPC before peering.
C. Firewall rules must allow traffic between the peered VPCs.
D. The project must have a Shared VPC host project configured.
E. Both VPCs must be in custom mode.
Answers: A, C

Overlapping IP ranges prevent VPC peering from working.

Why this answer

For VPC peering, the CIDR ranges must not overlap. Additionally, the 'export custom routes' and 'import custom routes' flags must be set correctly if custom routes are needed; but the basic requirement is no overlapping subnets. Also, VMs must have firewall rules allowing traffic.

15
MCQ · medium

An engineer is designing a hybrid network with a 10 Gbps Dedicated Interconnect. They require 99.99% availability for the connection. What is the minimum number of VLAN attachments and BGP sessions recommended?

A. 2 VLAN attachments, 4 BGP sessions
B. 2 VLAN attachments, 2 BGP sessions (one per attachment)
C. 2 VLAN attachments, 1 BGP session
D. 1 VLAN attachment, 1 BGP session
Answer: B

Two attachments on redundant links provide 99.99% availability.

Why this answer

To achieve 99.99% availability, you need at least 2 VLAN attachments (each on different physical links) and 2 BGP sessions. For higher SLAs, use 2 attachments and 4 BGP sessions.

16
Multi-Select · hard

A company uses Shared VPC with a host project and multiple service projects. They want to grant a team in a service project the ability to create and manage firewall rules that apply to the shared VPC's subnets. Which THREE IAM roles or permissions are needed? (Choose three.)

Select 3 answers
A. compute.firewalls.create permission on the host project
B. compute.firewalls.delete permission on the service project
C. Compute Security Admin (roles/compute.securityAdmin) on the host project
D. compute.firewalls.update permission on the host project
E. Compute Network Admin (roles/compute.networkAdmin) on the service project
Answers: A, C, D

Explicit permission is needed to create firewall rules.

Why this answer

To manage firewall rules on a shared VPC, the user needs compute.firewalls.create, compute.firewalls.update, and compute.firewalls.delete permissions, which are included in the Compute Security Admin role (roles/compute.securityAdmin) at the host project level. Additional roles may be needed depending on organization policies.

17
MCQ · medium

A company is using VPC Network Peering between two VPCs. They want to ensure that routes for a specific subnet in VPC A are exported to VPC B. However, VPC B should not export its routes to VPC A. What peering configuration should they set?

A. On VPC A's peering, enable 'Export selected custom routes' and specify the subnet; on VPC B's peering, disable all route export/import
B. On VPC B's peering, enable 'Import custom routes'; on VPC A's peering, disable 'Export custom routes'
C. Enable VPC Network Peering with default settings
D. On VPC A's peering, enable 'Export custom routes'; on VPC B's peering, disable 'Import custom routes'
Answer: A

This allows VPC A to export only the specified subnet, and VPC B does not export any routes.

Why this answer

VPC peering allows custom route export/import per peering session. To export selected custom routes from VPC A to VPC B without importing from VPC B, enable 'Export selected custom routes' on VPC A's peering, and disable 'Import custom routes' on VPC B's side.

18
MCQ · medium

An organization uses Shared VPC with a host project and multiple service projects. They want to allow a service project team to create Compute Engine instances using a specific subnet, but not manage other subnets. Which IAM role should they grant at the subnet level?

A. roles/compute.networkUser
B. roles/compute.instanceAdmin.v1
C. roles/compute.networkAdmin
D. roles/iam.securityAdmin
Answer: A

This role grants permissions to use the subnet for creating resources.

Why this answer

The roles/compute.networkUser role grants read-only access to VPC networks, subnets, and firewall rules, and allows the creation of resources like Compute Engine instances on a specific subnet without granting management permissions over other subnets. This is the correct choice because it provides the minimum required permissions for a service project team to use a designated subnet while preventing them from modifying or viewing other subnets in the host project.

Exam trap

Cisco often tests the misconception that roles/compute.instanceAdmin.v1 includes subnet usage permissions, but in reality, it only covers instance lifecycle operations and does not grant the compute.subnets.use permission required to attach an instance to a specific subnet.

How to eliminate wrong answers

Option B is wrong because roles/compute.instanceAdmin.v1 grants full control over Compute Engine instances, including the ability to create, modify, and delete instances, but does not include the subnet-level permission to use a specific subnet; it requires additional network permissions to attach instances to a subnet. Option C is wrong because roles/compute.networkAdmin grants full management of VPC networks, subnets, and firewall rules, which would allow the service project team to modify or delete other subnets, violating the requirement to restrict management. Option D is wrong because roles/iam.securityAdmin grants permissions to manage IAM policies (e.g., granting roles) but does not provide any network or subnet usage permissions, so it cannot allow instance creation on a subnet.

19
MCQ · medium

An enterprise is planning a Dedicated Interconnect connection to GCP. They require 99.99% availability and expect to use multiple VLAN attachments. What is the minimum number of 10 Gbps links and VLAN attachments needed to meet the availability goal?

A. Two 10 Gbps links and one VLAN attachment
B. One 100 Gbps link and one VLAN attachment
C. Two 10 Gbps links and two VLAN attachments
D. One 10 Gbps link and one VLAN attachment
Answer: C

Two links in different edge availability domains with two VLAN attachments achieve 99.99% SLA.

Why this answer

To achieve 99.99% availability, Dedicated Interconnect requires at least two links (each 10 Gbps or 100 Gbps) in different edge availability domains, and at least two VLAN attachments.

20
MCQ · medium

An organization uses Classic VPN with static routing to connect to GCP. They now need to add a new subnet in GCP and ensure on-premises traffic can reach it without manual updates. What should they do?

A. Add a static route for the new subnet on the Classic VPN tunnel
B. Use Cloud Router with the Classic VPN
C. Create a new Classic VPN tunnel for the new subnet
D. Convert the Classic VPN to HA VPN with dynamic routing (BGP)
Answer: D

HA VPN with BGP automatically advertises new subnets to on-premises, eliminating manual updates.

Why this answer

Classic VPN supports policy-based routing with static routes. To handle new subnets automatically, they should migrate to HA VPN with dynamic routing (BGP), which advertises routes via BGP.

21
MCQ · medium

A company wants to connect multiple on-premises data centers and multiple GCP VPCs in a hub-and-spoke topology using GCP's managed service. Which service provides this capability?

A. Cloud VPN
B. VPC peering
C. Network Connectivity Center
D. Cloud Router
Answer: C

Correct. NCC provides hub-and-spoke connectivity.

Why this answer

Network Connectivity Center (NCC) uses a hub-and-spoke model to connect on-premises networks and VPCs.

22
Multi-Select · hard

A company has multiple VPCs in different projects and wants to connect them all to a single on-premises data center using a hub-and-spoke model with Network Connectivity Center (NCC). Which THREE components are required for this setup?

Select 3 answers
A. NCC hub
B. Cloud NAT
C. Spokes (VPCs or on-prem networks)
D. Cloud Router
E. VPC peering between spokes
Answers: A, C, D

Correct. The hub is the central point of connectivity.

Why this answer

NCC requires a hub, spokes (VPC spokes or on-prem spokes via interconnect/VPN), and a Cloud Router for dynamic routing.

23
MCQ · medium

An organization has multiple GCP projects that need to share a common network infrastructure. They want to centralize network administration in a single project while allowing service projects to create their own resources in shared subnets. Which networking approach should they use?

A. Multi-NIC instances in a single project
B. Shared VPC
C. VPC peering between all projects
D. Network Connectivity Center
Answer: B

Shared VPC enables a host project to share subnets with service projects, with centralized network administration.

Why this answer

Shared VPC allows a host project to share subnets with service projects, with IAM controls for centralized administration.

24
MCQ · medium

A company is planning a hybrid connectivity setup using HA VPN. They want to ensure high availability by using two Cloud VPN gateways. How many tunnels and external IP addresses are required for the HA VPN to achieve 99.99% SLA?

A. 2 external IPs, 4 tunnels
B. 4 external IPs, 4 tunnels
C. 2 external IPs, 2 tunnels
D. 1 external IP, 2 tunnels
Answer: A

Correct. Two gateways with two tunnels each.

Why this answer

HA VPN uses two external IP addresses (one per gateway) and four tunnels (two per gateway) with BGP to provide a 99.99% SLA.

25
MCQ · medium

An organization wants to connect its on-premises data center to Google Cloud using Dedicated Interconnect. They require 99.99% availability SLA. Which configuration meets this requirement?

A. A single 10 Gbps Dedicated Interconnect connection with one VLAN attachment and one BGP session
B. A single 100 Gbps Dedicated Interconnect connection with two VLAN attachments and two BGP sessions
C. Two 10 Gbps Dedicated Interconnect connections, each with its own VLAN attachment and BGP session, from the same provider
D. Two Partner Interconnect connections with 99.9% SLA each
Answer: C

Two redundant connections are required for 99.99% SLA.

Why this answer

Dedicated Interconnect offers 99.99% SLA when you have two separate physical connections (each 10 Gbps or 100 Gbps) from the same provider, each with its own VLAN attachment and BGP session, and they are configured in a redundant manner.

26
MCQ · easy

Which VPC type allows you to specify custom IP ranges and regions for subnets during creation, and does not automatically create subnets in every region?

A. Custom mode VPC
B. Auto mode VPC
C. Legacy Network
D. Shared VPC
Answer: A

Custom mode gives full control over subnet creation and IP ranges.

Why this answer

Custom mode VPCs let you define subnets manually. Auto mode creates a subnet per region automatically.

27
MCQ · easy

Which Google Cloud service allows you to create a hub-and-spoke topology for connecting on-premises networks and VPCs?

A. Cloud VPN
B. Network Connectivity Center
C. VPC Network Peering
D. Cloud Interconnect
Answer: B

NCC is designed for hub-and-spoke connectivity.

Why this answer

Network Connectivity Center (NCC) provides a hub-and-spoke model to interconnect on-premises networks and VPCs centrally.

28
MCQ · medium

A company has a GKE cluster that needs to be accessed by pods and services. The cluster is deployed in a VPC with a primary subnet 10.0.0.0/16. To avoid IP exhaustion, they want to use separate IP ranges for pods and services. Which approach should they take?

A. Use a separate VPC for the GKE cluster with its own subnet.
B. Create secondary IP ranges on the subnet for pods and services.
C. Use the primary subnet range for pods and create a separate subnet for services.
D. Use alias IP ranges on the VM instances for pods and services.
Answer: B

Secondary ranges are the standard way to allocate IPs for GKE pods and services.

Why this answer

GKE supports secondary IP ranges for pods and services, which are defined on the subnet and allocated separately from the primary range.

29
MCQ · hard

A company is connecting their on-premises network to GCP via Cloud Interconnect with VLAN attachments and BGP sessions. They want to prefer one attachment over the other for traffic to a specific prefix. Which BGP attribute should they use?

A. MED
B. AS path prepend
C. Weight
D. Local preference
Answer: A

Correct. MED influences inbound traffic selection.

Why this answer

Multi-Exit Discriminator (MED) is used to influence inbound traffic from a peer AS. Lower MED values are preferred.

30
MCQ · hard

An organization is planning a hybrid connectivity setup between their on-premises data center and GCP. They require a 99.99% SLA and want to use a single physical connection at 10 Gbps. Which connectivity option should they choose?

A. Dedicated Interconnect with a single 10 Gbps link and single VLAN attachment
B. Partner Interconnect with 10 Gbps link
C. HA VPN with two external IP addresses and four tunnels
D. Dedicated Interconnect with two 10 Gbps links (one active, one standby) and two VLAN attachments
Answer: D

Two physical connections (active/standby) with two VLAN attachments and BGP sessions achieve 99.99% SLA.

Why this answer

Option D is correct because Dedicated Interconnect with two 10 Gbps links (one active, one standby) and two VLAN attachments meets the 99.99% SLA requirement. A single physical connection cannot achieve 99.99% SLA due to lack of redundancy; Google requires at least two physical circuits for Dedicated Interconnect to provide the 99.99% SLA. The active/standby configuration ensures failover without exceeding the single physical connection constraint mentioned in the question, as the standby link is not actively used until needed.

Exam trap

Cisco often tests the misconception that a single physical connection can achieve 99.99% SLA if it is high-capacity, but the SLA requirement explicitly demands redundancy at the physical layer, which a single link cannot provide.

How to eliminate wrong answers

Option A is wrong because a single 10 Gbps link with a single VLAN attachment provides only a 99.9% SLA, not 99.99%, and lacks the required redundancy. Option B is wrong because Partner Interconnect does not offer a 99.99% SLA; its SLA is typically 99.9% and depends on the partner's infrastructure, not Google's direct physical connection. Option C is wrong because HA VPN with two external IP addresses and four tunnels provides a 99.99% SLA for VPN but uses the public internet, not a dedicated physical connection, and the question explicitly requires a single physical connection at 10 Gbps, which HA VPN does not provide.

31
MCQ · medium

An engineer is planning IP address ranges for two VPCs that will be connected via VPC peering. One VPC uses 10.1.0.0/16 and the other uses 10.2.0.0/16. They also plan to use HA VPN to an on-premises network using 10.0.0.0/8. Which IP range assignment could cause a conflict?

A. Conflict between the two VPCs (10.1.0.0/16 and 10.2.0.0/16)
B. Conflict between VPC1 (10.1.0.0/16) and on-premises (10.0.0.0/8)
C. No conflict; all ranges are non-overlapping
D. Conflict between on-premises (10.0.0.0/8) and both VPCs
Answer: D

10.0.0.0/8 encompasses both 10.1.0.0/16 and 10.2.0.0/16, causing overlap.

Why this answer

The on-premises range 10.0.0.0/8 overlaps with both VPC ranges; VPC peering and VPN both require non-overlapping ranges.

32
MCQ · hard

You are configuring an HA VPN tunnel between GCP and on-premises. The on-premises VPN device only supports IKEv1 and static routing. Which of the following is true regarding this setup?

A. Partner Interconnect can be used instead
B. Classic VPN must be used
C. HA VPN can be used with static routing if you disable BGP
D. HA VPN can be configured with IKEv1 and static routes
Answer: B

Classic VPN supports IKEv1 and static routing.

Why this answer

HA VPN requires IKEv2 and dynamic routing (BGP). Classic VPN supports IKEv1 and static routing.

33
MCQ · hard

A company uses Cloud DNS private zones for their internal network. They have multiple projects and want to resolve DNS names from one project's private zone in another project. Which feature should they use?

A. DNS peering
B. DNS forwarding
C. Shared VPC
D. VPC peering
Answer: A

Correct. DNS peering allows one project's private zone to be visible to another project's VPC.

Why this answer

DNS peering allows you to set up cross-project DNS resolution by peering a private zone in one project to a VPC in another project.

34
MCQ · hard

An engineer is troubleshooting a VPC Network Peering connection between two VPCs. The peering is established, but traffic from VPC A to VPC B is not reaching a specific subnet. Both VPCs have custom routes. What is the most likely cause?

A.The subnet has overlapping IP with VPC A
B.The subnet in VPC B is in a different region
C.Export custom routes is not enabled on the VPC A side
D.Export custom routes is not enabled on the VPC B side
AnswerD

Subnet routes are system-generated and always exchanged over a peering; if the destination in VPC B is reached through a custom route (for example a static route pointing at an appliance, or a more specific route), VPC B must export custom routes and VPC A must import them.

Why this answer

Custom routes (static routes and routes learned by Cloud Router) cross a peering only when the exporting side enables 'Export custom routes' and the receiving side enables 'Import custom routes'; by default only subnet routes are shared. When troubleshooting, first establish whether the destination is covered by a subnet route (always exchanged) or by a custom route (needs export and import), then check the peering flags on both sides.

35
Multi-Selectmedium

A company wants to resolve DNS queries from their on-premises network for a privately hosted zone in Google Cloud (e.g., example.internal). They also want on-premises DNS servers to resolve GCP internal VM hostnames. Which two Cloud DNS features should they implement? (Choose TWO.)

Select 2 answers
A.Public zone delegation
B.DNS peering
C.DNS forwarding (outbound)
D.Split-horizon DNS
E.DNS forwarding (inbound)
AnswersB, E

Inbound DNS forwarding (an inbound server policy) lets on-premises resolvers send queries into Cloud DNS; DNS peering lets the VPC that receives those queries resolve a private zone that is authoritative in another VPC.

Why this answer

An inbound server policy exposes Cloud DNS on reserved internal IP addresses in the VPC, so on-premises DNS servers can forward queries for example.internal and for internal VM hostnames to those addresses. DNS peering covers the case where the private zone lives in a different VPC than the one receiving the forwarded queries. Outbound forwarding (option C) goes the other way, sending GCP queries to on-premises servers, which this scenario does not require.

36
MCQhard

An organization is migrating a legacy application to GCP. The application requires static routing and does not support BGP. Which VPN option should they use?

A.Classic VPN
B.Dedicated Interconnect
C.Partner Interconnect
D.HA VPN
AnswerA

Classic VPN supports static routing without BGP.

Why this answer

Classic VPN supports static routing (policy-based or route-based) without BGP. Cloud VPN (HA VPN) and Partner Interconnect require BGP, and Dedicated Interconnect uses BGP for VLAN attachments.

37
MCQeasy

A company needs to connect multiple VPCs in different projects and regions to a common hub VPC for centralized inspection. They want to avoid complex mesh peering configurations. Which service should they use?

A.VPC Network Peering
B.Shared VPC
C.Network Connectivity Center
D.Cloud VPN
AnswerC

NCC enables hub-and-spoke topology for VPCs and on-prem.

Why this answer

Network Connectivity Center (NCC) is the correct choice because it provides a hub-and-spoke topology that connects multiple VPCs across projects and regions to a central hub VPC for centralized inspection, without requiring complex mesh peering. NCC uses a software-defined networking (SDN) controller to manage inter-VPC connectivity and routing, enabling traffic to flow through the hub VPC for inspection appliances like firewalls or IDS/IPS.

Exam trap

The trap here is that candidates often confuse VPC Network Peering with hub-and-spoke capabilities, but peering does not natively support transitive routing or centralized inspection without complex custom routes and additional appliances.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering creates direct, point-to-point connections between VPCs, requiring a full mesh of peering links for multiple VPCs, which does not support centralized inspection through a single hub without additional routing complexity. Option B is wrong because Shared VPC allows multiple projects to share a single VPC network, but it does not connect VPCs in different regions or projects to a separate hub VPC; it centralizes resources within one VPC, not inter-VPC inspection. Option D is wrong because Cloud VPN establishes encrypted tunnels over the internet for hybrid connectivity (on-premises to GCP), not for connecting multiple VPCs within GCP, and it lacks the centralized routing and inspection capabilities of NCC.

38
MCQmedium

An organization is designing IP address planning for hybrid connectivity. They have three VPCs (Prod, Dev, Test) that will be peered with each other and also connected to an on-premises network via Cloud VPN. Which practice should they follow to avoid IP address overlap?

A.Use overlapping IP ranges but rely on NAT to resolve conflicts
B.Use carrier-grade NAT (CGNAT) ranges for all VPCs to avoid private IP conflicts
C.Use the same /16 range for all VPCs to simplify route summarization
D.Allocate unique, non-overlapping IP ranges for each VPC and on-premises network
AnswerD

Unique ranges prevent overlap and ensure proper routing across hybrid connections.

Why this answer

To avoid routing conflicts, each VPC and the on-premises network should use unique, non-overlapping RFC 1918 CIDR blocks. Overlap would cause routing issues and potential traffic blackholing.

39
MCQeasy

A company wants to connect two VPCs in different GCP projects so that they can exchange traffic using internal IP addresses. They do not need centralized management or transitive routing between the VPCs. Which GCP networking feature should they use?

A.Network Connectivity Center
B.Cloud VPN
C.Shared VPC
D.VPC Network Peering
AnswerD

VPC Network Peering directly connects two VPCs using internal IPs without transitive routing.

Why this answer

VPC Network Peering allows direct connectivity between two VPCs using internal IPs, with no transitive routing. It is a simple, decentralized option for connecting two VPCs.

40
Multi-Selectmedium

An organization needs to connect three GCP VPCs (VPC-A, VPC-B, VPC-C) so that all VPCs can communicate with each other. They want a solution that is transitive and does not require full mesh peering. Which TWO approaches meet these requirements?

Select 2 answers
A.Use Cloud VPN with HA VPN to connect all VPCs
B.Use Network Connectivity Center with all VPCs as spokes
C.Use a single shared VPC with subnets for all three networks
D.Establish VPC peering between each pair of VPCs (full mesh)
E.Deploy a VPN appliance in one VPC and create VPN tunnels to the other two VPCs
AnswersB, E

NCC hub-and-spoke provides transitive connectivity between spokes.

Why this answer

Network Connectivity Center hub-and-spoke provides transitive connectivity between spokes, and a VPN appliance in one VPC with tunnels to the other two can route between them. VPC peering is non-transitive and would require a full mesh; HA VPN (option A) would likewise need a tunnel per pair of VPCs.

41
Multi-Selectmedium

A company is setting up HA VPN to connect an on-premises network to a single GCP region. They want to achieve 99.99% SLA. Which three steps are required? (Choose THREE.)

Select 3 answers
A.Create two Cloud VPN gateways, each with one external IP address.
B.Ensure that the VPN gateways are in different regions.
C.Configure static routes on the on-premises VPN device.
D.Create four VPN tunnels (two per gateway) and four Cloud Router BGP sessions.
E.Use IKEv2 for the VPN tunnels.
AnswersA, D, E

The 99.99% SLA depends on redundancy at both ends of the tunnel set.

Why this answer

In Google Cloud an HA VPN gateway is a single regional resource with two interfaces, each with its own external IP address; the question's 'two gateways, each with one external IP' maps onto those two interfaces. To meet the 99.99% SLA each interface must carry at least one IKEv2 tunnel, and each tunnel needs its own BGP session on a Cloud Router; with two on-premises devices that gives four tunnels and four BGP sessions. Placing gateways in different regions (option B) is not a requirement, and static routing (option C) is not supported on HA VPN.

42
Multi-Selectmedium

A network engineer needs to design a DNS architecture for a hybrid cloud environment. The requirements: on-premises hosts must resolve GCP private zone names, and GCP instances must resolve on-premises DNS names. Which TWO Cloud DNS features should they use?

Select 2 answers
A.Outbound DNS server policy
B.Split-horizon DNS
C.Inbound DNS server policy
D.DNS managed zone with forwarding
E.DNS peering
AnswersA, C

Enables GCP to on-premises DNS resolution.

Why this answer

Inbound DNS server policy allows on-premises to forward queries to Cloud DNS. Outbound DNS server policy allows GCP to forward queries to on-premises DNS.

43
MCQhard

A company uses Shared VPC with a host project and several service projects. They want to allow only a specific team to create subnets in the host project, and another team to use those subnets in their service projects. Which IAM roles should be assigned?

A.Compute Network Admin on host project for both teams.
B.Compute Network Admin on host project for subnet creators; Compute Network User on host project for subnet users.
C.Compute Shared VPC Admin on host project for subnet creators; Compute Network User on host project for subnet users.
D.Compute Network User on host project for subnet creators; Compute Network Admin on service projects for subnet users.
AnswerB

Network Admin allows creating subnets; Network User allows using them.

Why this answer

To create subnets, a user needs the Compute Network Admin role on the host project. To use subnets, a user needs the Compute Network User role on the host project or specific subnets.

44
MCQmedium

A company has a GKE cluster with pods and services that need IP addresses. They want to plan IP address space to avoid overlapping with on-premises networks. Which GCP feature allows reserving separate IP ranges for GKE pods and services?

A.VPC peering
B.Alias IP ranges
C.Secondary IP ranges
D.Shared VPC
AnswerC

GKE uses secondary ranges for pods and services.

Why this answer

Secondary IP ranges on a subnet can be designated for GKE pods and services. These ranges are separate from the primary subnet range.

45
MCQmedium

A company needs to connect multiple on-premises sites and multiple GCP VPCs in a hub-and-spoke topology using Google Cloud. Which service provides a centralized hub for managing such connectivity?

A.Network Connectivity Center
B.VPC Peering
C.Shared VPC
D.Cloud Router
AnswerA

NCC provides a hub-and-spoke model for connecting on-premises and VPC networks.

Why this answer

Network Connectivity Center (NCC) is the correct choice because it provides a centralized hub-and-spoke topology for connecting multiple on-premises sites (via VPN, Interconnect, or third-party SD-WAN appliances) and multiple GCP VPCs. It manages routing and policy distribution across spokes, eliminating the need for individual peering or complex route tables, and supports both intra- and cross-region connectivity.

Exam trap

The trap here is that candidates confuse VPC Peering or Shared VPC as a hub-and-spoke solution, but neither provides centralized management or transitive routing across multiple VPCs and on-premises sites, which is the key requirement of the question.

How to eliminate wrong answers

Option B is wrong because VPC Peering creates direct, point-to-point connections between two VPCs and does not support a hub-and-spoke model with centralized management; each peering must be configured individually and transitive routing is not supported. Option C is wrong because Shared VPC allows multiple projects to use a common VPC host network but does not connect on-premises sites or provide a hub for multiple separate VPCs; it is a project-level resource sharing mechanism, not a connectivity hub. Option D is wrong because Cloud Router is a dynamic routing component used for BGP sessions with on-premises networks via VPN or Interconnect, but it does not serve as a centralized hub for managing multiple VPCs and sites; it is a per-connection router, not a topology manager.

46
MCQmedium

A company has a GKE cluster with pods and services that need to communicate with on-premises resources over a VPN. The on-premises firewall requires the source IP of the pods to be from a specific range. Which secondary IP ranges should be configured on the VPC subnet?

A.Primary IP range and secondary pod range
B.Only the secondary service range
C.Secondary pod range and secondary service range
D.Primary IP range and secondary service range
AnswerC

GKE uses secondary pod range for pod IPs and service range for ClusterIPs. Pods use pod range as source.

Why this answer

Option C is correct because in GKE, pods are assigned IP addresses from the secondary pod range, and services (of type ClusterIP) are assigned IPs from the secondary service range. For on-premises resources to allow traffic from pods via a VPN, the firewall must see the pod IPs (not node IPs), so the secondary pod range must be configured on the VPC subnet. The secondary service range is also required for cluster creation and service IP allocation, but the source IP seen by on-premises will be the pod IP from the secondary pod range. One caveat to check: GKE's IP masquerade agent rewrites pod traffic to the node IP for destinations outside its non-masquerade list (by default the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), so if the on-premises range lies outside those blocks it must be added to nonMasqueradeCIDRs, or the on-premises firewall will see node IPs instead.

Exam trap

The trap here is that candidates often confuse the primary IP range (used for nodes) with the pod IP range, or assume that only the pod range is needed, forgetting that the secondary service range is mandatory for GKE cluster creation and service IP allocation.

How to eliminate wrong answers

Option A is wrong because the primary IP range is used for nodes, not pods; configuring only the primary range and secondary pod range would omit the secondary service range, which is needed for Kubernetes services to function correctly (e.g., kube-dns, service IP allocation). Option B is wrong because configuring only the secondary service range would provide IPs for services but not for pods; the on-premises firewall expects pod source IPs, which come from the secondary pod range, not the service range. Option D is wrong because the primary IP range is for nodes, not pods, and the secondary service range alone does not provide pod IPs; the on-premises firewall would see node IPs (from the primary range) instead of pod IPs, breaking the required source IP restriction.

47
MCQhard

A network engineer needs to create a private Google Kubernetes Engine (GKE) cluster with a secondary IP range for pods and another for services. They must ensure the pod CIDR does not conflict with any VPC subnets or on-premises ranges. Which step is essential during cluster creation?

A.Create the cluster in a Shared VPC with automatic subnet creation
B.Specify the pod and service secondary IP ranges using the --cluster-secondary-range-name and --services-secondary-range-name flags
C.Use VPC-native GKE without secondary ranges
D.Use the default pod and service ranges provided by GKE
AnswerB

Explicitly specifying ranges ensures they are from a non-conflicting CIDR block.

Why this answer

VPC-native GKE clusters take their pod and service ranges from named secondary ranges on the subnet. To avoid conflicts, the engineer creates those secondary ranges from CIDR blocks that do not overlap any VPC subnet or on-premises prefix, then names them explicitly at cluster creation with the --cluster-secondary-range-name and --services-secondary-range-name flags instead of letting GKE pick ranges.

48
MCQmedium

A company wants to connect two VPCs in different GCP projects so that they can communicate using internal IP addresses. The VPCs have overlapping IP ranges. Which approach allows connectivity without changing existing IP addresses?

A.VPC Network Peering
B.Cloud VPN with dynamic routing
C.None of these
D.Shared VPC
AnswerC

GCP does not support direct connectivity between VPCs with overlapping IP ranges. You would need to re-IP one VPC or use NAT/translation.

Why this answer

VPC Network Peering requires non-overlapping subnets. Shared VPC is for multiple projects using a common VPC. Cloud VPN or Interconnect are hybrid connectivity options but also require non-overlapping IP ranges.

None of the options allow overlapping IPs.

49
MCQmedium

A company has a Shared VPC setup with a host project and several service projects. They want to grant a service project's network admin the ability to create VM instances using a specific subnet from the host project. Which IAM role should they assign at the subnet level?

A.Project Owner on the host project
B.Compute Instance Admin (roles/compute.instanceAdmin) on the service project
C.Compute Network User (roles/compute.networkUser) on the specific subnet
D.Compute Network Admin (roles/compute.networkAdmin) on the host project
AnswerC

This role grants permission to use the subnet for creating resources, which is the recommended approach.

Why this answer

Shared VPC allows granting IAM roles on individual subnets. The Compute Network User role (roles/compute.networkUser) allows a principal to use a subnet to create resources, without giving them broader network management permissions.

50
Multi-Selecthard

A company uses VPC Network Peering between VPC-A (project X) and VPC-B (project Y). They want resources in VPC-A to reach resources in VPC-B, but also need VPC-A to reach an on-premises network connected to VPC-B via Dedicated Interconnect. Which two steps must be configured?

Select 2 answers
A.Create a separate VPN tunnel between VPC-A and the on-premises network
B.Enable global routing mode in both VPCs
C.Configure VPC-A to import custom routes from VPC-B
D.Configure VPC-B to export custom routes to VPC-A
E.Configure VPC-A to advertise its subnets to VPC-B
AnswersC, D

Importing VPC-B's custom routes gives VPC-A the dynamic routes that VPC-B's Cloud Router learned from on-premises over the Interconnect.

Why this answer

VPC peering is non-transitive and exchanges only subnet routes by default, so VPC-A cannot reach on-premises through VPC-B until VPC-B exports custom routes and VPC-A imports them; the on-premises prefixes are dynamic routes learned via BGP on the Cloud Router in VPC-B. For the return path, also verify that VPC-B's Cloud Router advertises VPC-A's subnet ranges to the on-premises router (check its advertisement mode and custom advertised ranges); otherwise on-premises has no route back to VPC-A.

51
MCQmedium

A company needs to resolve DNS queries for a private zone (e.g., corp.example.com) from multiple GCP projects that are not in the same organization. Which Cloud DNS feature should they use?

A.Private DNS zones
B.DNS forwarding
C.Shared VPC
D.DNS peering
AnswerD

DNS peering enables cross-project DNS resolution.

Why this answer

DNS peering allows you to resolve DNS queries across different GCP projects, even if they are not in the same organization, by establishing a peering relationship between two VPC networks. This enables the private zone (corp.example.com) in one project to be queried from instances in another project without exposing the zone to the internet or requiring shared VPC.

Exam trap

Cisco often tests the misconception that Shared VPC is required for cross-project DNS resolution, but the trap here is that DNS peering works across organizations without the organizational hierarchy constraint of Shared VPC.

How to eliminate wrong answers

Option A is wrong because Private DNS zones are scoped to a single VPC network within a project and cannot be directly accessed from projects outside the same organization without additional configuration like peering. Option B is wrong because DNS forwarding is used to send queries to an external DNS server (e.g., on-premises) from a VPC, not to resolve private zones across different projects. Option C is wrong because Shared VPC requires projects to be in the same organization and ties networking to a host project, which does not apply when projects are in different organizations.

52
Multi-Selectmedium

A company needs to design a split-horizon DNS solution where internal queries resolve to private IPs and external queries resolve to public IPs for the same domain. Which TWO services or configurations should they use?

Select 2 answers
A.Shared VPC
B.DNS peering
C.Cloud DNS public managed zone
D.DNS forwarding
E.Cloud DNS private managed zone
AnswersC, E

Correct. The public zone handles external queries.

Why this answer

Split-horizon DNS is achieved by having a public zone for external resolution and a private zone for internal resolution within the same domain.

53
Multi-Selectmedium

Which TWO statements are true about VPC Network Peering? (Choose 2)

Select 2 answers
A.You can export custom routes to a peered VPC.
B.Peering is non-transitive.
C.Peering supports global routing mode.
D.Peering is transitive by default.
E.Peered VPCs can have overlapping IP ranges.
AnswersA, B

Custom route export is supported.

Why this answer

Option A is correct because VPC Network Peering allows you to export custom routes (including static and dynamically learned routes) to a peered VPC. This is done by enabling the 'Export custom routes' option on the VPC peering connection, which then advertises those routes to the peer, enabling traffic to be directed through the peering link for custom destinations.

Exam trap

The trap here is that candidates often assume peering is transitive (like in traditional network routing) or that overlapping IP ranges are allowed, but GCP enforces non-transitivity and strict IP uniqueness to prevent routing loops and conflicts.

54
MCQmedium

An organization is migrating on-premises workloads to GCP. They need a dedicated, high-bandwidth connection with a 99.99% SLA. They have a co-location facility near a Google Cloud region. Which connectivity option should they choose?

A.Dedicated Interconnect
B.HA VPN
C.Cloud VPN (Classic VPN)
D.Partner Interconnect
AnswerA

Dedicated Interconnect provides direct, dedicated connections with a 99.99% SLA when using redundant links.

Why this answer

Dedicated Interconnect provides direct physical connections (10G or 100G links) between on-premises and Google's network, offering a 99.99% SLA when using redundant connections.

55
Multi-Selecthard

A company is designing a hybrid network using Dedicated Interconnect. They want to achieve a 99.99% SLA for availability. Which THREE configurations are required to meet this SLA?

Select 3 answers
A.Cloud Router in global dynamic routing mode
B.Two VLAN attachments (one per connection)
C.Two BGP sessions (one per VLAN attachment)
D.A single 10 Gbps physical connection
E.Two physical connections (e.g., each 10 Gbps)
AnswersB, C, E

Each VLAN attachment provides a logical path over one physical connection, with its own BGP session.

Why this answer

Two physical connections, two VLAN attachments, and two BGP sessions (one per attachment) are the redundant building blocks of an Interconnect design. Per Google's published topologies, two connections in different edge availability domains of the same metro meet the 99.9% SLA; the 99.99% SLA additionally requires connections in a second metro (four in total), VLAN attachments in two regions, and Cloud Routers with global dynamic routing mode, so in a real 99.99% design option A is needed as well.

56
MCQeasy

A startup is setting up a new GCP project and needs to create a VPC that will have predictable IP ranges for future peering with other VPCs. They do not anticipate needing to grow the network beyond the initial IP range. Which VPC type should they choose?

A.Custom mode VPC
B.Auto mode VPC
C.Shared VPC
D.Legacy network
AnswerA

Custom mode VPC provides full control over subnet IP ranges, avoiding overlap for peering.

Why this answer

Custom mode VPCs allow you to define your own subnets with specific IP ranges. Auto mode VPCs automatically create subnets in every region, which can cause IP overlap when peering. For controlled, predictable IP ranges, custom mode is appropriate.

57
MCQeasy

Which IP address type in Google Cloud can communicate with the internet but is not reachable from the internet?

A.Public IP address
B.External IP address
C.Ephemeral IP address
D.Internal IP address
AnswerD

Internal IP addresses are private and not directly reachable from the internet.

Why this answer

Private IP addresses (RFC 1918) are used for internal communication within a VPC and cannot be reached directly from the internet. Instances with only internal addresses reach the internet through Cloud NAT or an instance-based NAT gateway.

58
MCQhard

An organization has a hybrid network with multiple BGP sessions between on-premises and GCP. They want to influence outbound traffic from GCP to prefer a specific path. Which BGP attribute should they adjust on the Cloud Router?

A.MED (Multi-Exit Discriminator)
B.Local Preference
C.Next hop
D.AS Path prepend
AnswerA

MED is the one BGP attribute Cloud Router lets you control; it is exposed as route priority on advertised and learned routes.

Why this answer

MED (Multi-Exit Discriminator) is the attribute to adjust because Cloud Router exposes no local preference or AS path prepending setting. Two things happen with MED. Routes that Cloud Router advertises carry a MED (the advertised route priority, settable per BGP session), which on-premises routers use to pick their entry point into GCP, so it shapes traffic from on-premises to GCP. Routes that Cloud Router learns keep the MED the on-premises peer set, and that value becomes the priority of the resulting dynamic route in the VPC, which decides which tunnel or attachment GCP uses for traffic leaving the VPC. So to steer outbound traffic from GCP toward a specific path, have the on-premises side advertise a lower MED on that session, and set the advertised route priority on Cloud Router to shape the return path.

Exam trap

Cisco often tests the confusion between MED and Local Preference, where candidates mistakenly think Local Preference influences inbound traffic from other ASes, but Local Preference is only used for outbound path selection within the local AS.

How to eliminate wrong answers

Option B (Local Preference) is wrong because Cloud Router does not expose local preference; in general BGP it steers outbound path selection inside an AS and is never advertised to neighbors, but on Cloud Router the only preference setting is MED (route priority). Option C (Next hop) is wrong because the Next hop attribute simply identifies the next router toward a destination; it is set by the peering itself, not adjusted to express preference. Option D (AS Path prepend) is wrong because prepending lengthens the AS_PATH to make a path less attractive to other ASes, and Cloud Router offers no setting for it; MED is the attribute Cloud Router uses for path selection.

59
MCQmedium

A company wants to resolve DNS queries from their on-premises network for Google Cloud private zones (e.g., example.internal) without duplicating DNS data. Which Cloud DNS feature should they use?

A.DNS peering
B.Private DNS zones
C.Outbound DNS forwarding
D.Inbound DNS forwarding
AnswerD

Inbound server policy enables on-premises resolvers to forward queries to Cloud DNS.

Why this answer

Cloud DNS inbound server policy allows on-premises DNS resolvers to forward queries to Cloud DNS for resolution of private zones. This avoids the need to replicate zone data on-premises.

60
Multi-Selectmedium

Which THREE are valid considerations when planning IP address ranges for VPCs that will be connected via VPC Peering and Cloud VPN? (Choose 3)

Select 3 answers
A.Use overlapping IP ranges to conserve address space.
B.Use public IP ranges for all VMs.
C.Plan for future growth by leaving unused CIDR blocks.
D.Use RFC 1918 private IP ranges.
E.Ensure subnets in peered VPCs do not overlap.
AnswersC, D, E

Leaving space avoids renumbering later.

Why this answer

Avoid overlapping ranges, use RFC 1918 addresses, and ensure unique ranges for each subnet.
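Worked example (added here, not from the question bank) covering the IP planning points in questions 31, 38, 44, 47 and 60: a small Python checker that flags overlapping ranges and non-RFC 1918 space across VPC subnets, GKE secondary ranges and on-premises prefixes, and computes how many nodes and ClusterIP services a pair of GKE secondary ranges can support. The names, prefixes and the 110-pods-per-node default are constructed inputs; the per-node /24 derivation follows GKE's rule of allocating twice the pod count per node.

```python
"""Validate a hybrid IP plan before creating peerings, VPN tunnels or a
VPC-native GKE cluster. Added example; the ranges below are constructed."""
import math
from ipaddress import ip_network
from itertools import combinations

RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole range lies inside one RFC 1918 block."""
    net = ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(ranges):
    """Every pair of named ranges that intersect (one containing the other counts)."""
    nets = {name: ip_network(cidr) for name, cidr in ranges.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def validate_plan(ranges):
    """Issues that would break VPC peering or VPN routing: overlaps and non-RFC 1918 space."""
    issues = [f"overlap: {a} ({ranges[a]}) and {b} ({ranges[b]})" for a, b in find_overlaps(ranges)]
    issues += [f"not RFC 1918: {n} ({c})" for n, c in ranges.items() if not is_rfc1918(c)]
    return issues


def node_pod_prefix(pods_per_node=110):
    """Prefix length GKE carves per node from the pod range: the smallest block holding
    twice the pod count (110 pods -> /24, 32 pods -> /26)."""
    return 32 - math.ceil(math.log2(2 * pods_per_node))


def gke_capacity(pod_cidr, services_cidr, pods_per_node=110):
    """How many nodes and ClusterIP services the two secondary ranges can support."""
    pods, services = ip_network(pod_cidr), ip_network(services_cidr)
    prefix = node_pod_prefix(pods_per_node)
    max_nodes = 2 ** (prefix - pods.prefixlen) if pods.prefixlen <= prefix else 0
    return {"node_pod_prefix": prefix, "max_nodes": max_nodes, "max_services": services.num_addresses}


# Constructed plans: the first mirrors question 31, the second a GKE subnet with secondary ranges.
HYBRID_PLAN = {"vpc1-subnet": "10.1.0.0/16", "vpc2-subnet": "10.2.0.0/16", "on-prem": "10.0.0.0/8"}
GKE_PLAN = {
    "gke-nodes": "10.10.0.0/20",      # primary subnet range (node IPs)
    "gke-pods": "10.20.0.0/16",       # secondary range for pods
    "gke-services": "10.30.0.0/20",   # secondary range for ClusterIP services
    "on-prem": "10.0.0.0/16",
    "shared-cgnat": "100.64.0.0/10",  # flagged: outside RFC 1918
}

if __name__ == "__main__":
    for name, plan in (("hybrid", HYBRID_PLAN), ("gke", GKE_PLAN)):
        print(name, validate_plan(plan) or "ok")
    print(gke_capacity(GKE_PLAN["gke-pods"], GKE_PLAN["gke-services"]))
```

Run it against a plan before creating the subnets: a /16 pod range gives 256 nodes at the 110-pod default, which is the kind of ceiling that is cheap to fix at design time and expensive after the cluster and its peerings exist.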

61
MCQmedium

A company is planning to connect their on-premises data center to Google Cloud using a Dedicated Interconnect. They require 20 Gbps of total bandwidth and want to achieve the highest SLA. What is the minimum number of 10 Gbps connections needed?

A.One 10 Gbps link and one Partner Interconnect 10 Gbps link
B.One 100 Gbps link
C.Four 10 Gbps links
D.Two 10 Gbps links
AnswerD

Two 10 Gbps links provide 20 Gbps total and add redundancy, the minimum for an SLA-backed design.

Why this answer

Dedicated Interconnect offers 10 Gbps or 100 Gbps per link. To reach 20 Gbps at least two 10 Gbps links are needed, and two links in different edge availability domains of one metro also satisfy the 99.9% SLA. Google's 99.99% SLA topology requires four connections across two metros, but among the options only two 10 Gbps links delivers 20 Gbps with redundancy; a single 100 Gbps link (option B) has no redundancy and carries no SLA.

62
MCQeasy

A company uses Cloud DNS to manage their domain example.com. They want to resolve queries for example.com from their on-premises DNS servers without transferring the zone. Which Cloud DNS feature should they use?

A.DNS forwarding (outbound)
B.Managed reverse lookup zone
C.DNS peering
D.Private zone with VPC network binding
AnswerC

DNS peering makes a zone that is authoritative in one VPC resolvable from another network without transferring it; on-premises resolvers reach Cloud DNS through an inbound server policy on the consuming network.

Why this answer

DNS peering lets Cloud DNS in one VPC forward queries for a domain to another VPC's Cloud DNS for resolution, without zone transfer. Outbound forwarding (option A) sends queries the other way, from GCP to on-premises servers.

63
MCQmedium

A company needs to connect multiple branch offices to GCP using Partner Interconnect. They need at least 99.9% availability and bandwidth between 50 Mbps and 10 Gbps. Which type of Partner Interconnect should they choose?

A.Single connection with 99.99% SLA
B.Single connection with 99.9% SLA
C.Classic VPN
D.Dual connection with 99.99% SLA
AnswerB

99.9% SLA meets the requirement and is typically sufficient for branch offices.

Why this answer

Partner Interconnect has two SLA tiers: 99.9%, which Google documents as two VLAN attachments in different edge availability domains of one metro, and 99.99%, which requires four attachments across two metros. The requirement is at least 99.9% availability with 50 Mbps to 10 Gbps of bandwidth, which the lower tier meets without the cost and complexity of the dual-metro design. Read 'single connection' in the options as a single metro rather than a single attachment; plan two attachments there to keep the SLA.

Exam trap

Cisco often tests the misconception that higher SLA numbers are always better, but the trap here is that the 99.99% SLA requires dual connections, which is overkill for a 99.9% requirement, and candidates may overlook the specific SLA tiers tied to connection redundancy.

How to eliminate wrong answers

Option A is wrong because the 99.99% SLA is only offered with redundant attachments across two metros, not with a single connection. Option C is wrong because Classic VPN is an IPsec tunnel over the public internet, not a Partner Interconnect type; it carries a 99.9% SLA of its own, but its per-tunnel bandwidth is limited and it does not provide a private path. Option D is wrong because the dual-metro 99.99% design exceeds the 99.9% requirement and adds unnecessary cost and complexity; the question asks for the type that meets the requirement, not the highest SLA.

64
Multi-Selecteasy

A company is designing a VPC for a multi-tier web application. They need to ensure that the web servers can be reached from the internet, but the database servers should only be accessible from the web servers. Which three components should they use to achieve this? (Choose THREE.)

Select 3 answers
A.External IP addresses on the web servers
B.VPC Network Peering with a partner network
C.Shared VPC
D.Cloud NAT for database servers to access the internet
E.Firewall rules to restrict traffic between subnets
AnswersA, D, E

External IPs allow inbound internet traffic to web servers.

Why this answer

Firewall rules control traffic between tiers; Cloud NAT provides outbound internet for private instances; and external IPs allow inbound internet traffic to web servers.
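Added example for the tiered design above (not code from the question bank): a Python model of VPC firewall evaluation, with constructed rules that admit HTTP/HTTPS from the internet to the web tier and PostgreSQL to the database tier only from instances tagged web. Tag names, addresses and the use of the 35.235.240.0/20 IAP TCP forwarding range for SSH are assumptions for the example; the evaluation order (lowest priority number first, deny wins a tie, implied ingress deny last) follows GCP's documented semantics.

```python
"""Model of VPC firewall evaluation for a web/db tier design. Added example; rules,
tags and addresses are constructed, not taken from any real project."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

IAP_TCP_FORWARDING = "35.235.240.0/20"  # Google's published source range for IAP TCP forwarding


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    priority: int                            # 0..65535, lower number evaluated first
    ports: dict                              # {"tcp": {80, 443}}; an empty set means all ports
    source_ranges: list = field(default_factory=list)
    source_tags: set = field(default_factory=set)
    target_tags: set = field(default_factory=set)   # empty set = applies to every instance


@dataclass
class Packet:
    src_ip: str
    src_tags: set     # network tags of the sending instance (empty for internet sources)
    dst_tags: set     # network tags of the receiving instance
    proto: str
    port: int


def rule_matches(rule, pkt):
    if rule.target_tags and not rule.target_tags & pkt.dst_tags:
        return False
    # The source must be named explicitly, by range or by tag; this model does not
    # fall back to 0.0.0.0/0 when both are empty.
    by_range = any(ip_address(pkt.src_ip) in ip_network(r) for r in rule.source_ranges)
    if not (by_range or rule.source_tags & pkt.src_tags):
        return False
    if pkt.proto not in rule.ports:
        return False
    allowed = rule.ports[pkt.proto]
    return not allowed or pkt.port in allowed


def evaluate(rules, pkt):
    """Highest-priority matching rule decides; deny wins a priority tie; unmatched
    ingress hits the implied deny at priority 65535."""
    order = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in order:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


# Constructed tier design: web is internet-facing, db accepts only the web tier (and IAP for SSH).
TIERED_RULES = [
    Rule("allow-web-from-internet", "allow", 1000, {"tcp": {80, 443}},
         source_ranges=["0.0.0.0/0"], target_tags={"web"}),
    Rule("allow-db-from-web", "allow", 1000, {"tcp": {5432}},
         source_tags={"web"}, target_tags={"db"}),
    Rule("allow-ssh-from-iap", "allow", 1000, {"tcp": {22}},
         source_ranges=[IAP_TCP_FORWARDING], target_tags={"web", "db"}),
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", set(), {"web"}, "tcp", 443),
                Packet("203.0.113.7", set(), {"db"}, "tcp", 5432),
                Packet("10.1.0.5", {"web"}, {"db"}, "tcp", 5432)):
        print(pkt.src_ip, "->", sorted(pkt.dst_tags), pkt.port, evaluate(TIERED_RULES, pkt))
```

Each Rule corresponds to one gcloud compute firewall-rules create invocation with --source-ranges or --source-tags and --target-tags; checking a candidate rule set against a handful of packets like these before applying it catches the common mistake of a broad allow outranking a narrower deny.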

65
MCQmedium

A company is setting up VPC peering between two VPCs. They need the peered VPC to be able to reach the entire subnets of their VPC, including those that may be added in the future. Which configuration is required?

A.Enable 'Export custom routes' on the peering connection
B.Create static routes in the peer VPC for each subnet
C.Use a VPN instead of VPC peering
D.Enable 'Import custom routes' on the peering connection
AnswerA

Subnet routes, including those for subnets added later, are system-generated and always exchanged over an active peering; 'Export custom routes' extends the exchange to static and dynamic routes.

Why this answer

Subnet routes are exchanged without any flag, so future subnets become reachable from the peer as soon as they are created. Enabling 'Export custom routes' on this VPC (with 'Import custom routes' on the peer) is what additionally advertises static routes and Cloud Router learned routes, for example a route to on-premises. Creating static routes per subnet (option B) is unnecessary, and 'Import custom routes' (option D) controls what this VPC accepts, not what it shares.

66
MCQmedium

A company has two VPCs (Production and Development) that are peered. The Development VPC has a custom route to an on-premises network via a VPN tunnel. They want the Production VPC to automatically learn this route. What must be configured on the VPC peering?

A.Enable 'export custom routes' on Production VPC and 'import custom routes' on Development VPC.
B.Enable 'export custom routes' on Development VPC and 'import custom routes' on Production VPC.
C.Enable 'import custom routes' on both VPCs.
D.Enable 'export custom routes' on both VPCs.
AnswerB

Development exports its custom routes and Production imports them; the flags are directional.

Why this answer

Custom route exchange needs 'Export custom routes' on the side that owns the route and 'Import custom routes' on the side that should learn it. Here the VPN route lives in Development, so Development exports and Production imports. Enabling export on both (option D) or import on both (option C) does nothing by itself, because each direction requires one export and one matching import; enable both flags on both sides only when routes must flow both ways.
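Added example (not from the question bank) that models the route-exchange rules behind questions 34, 50, 53, 65 and 66: subnet routes cross a peering unconditionally, custom routes only when one side exports and the other imports, and nothing learned over a peering is re-exported to a third VPC. VPC names and prefixes are constructed; the on-premises prefix 192.168.0.0/16 stands in for a route learned by Cloud Router over VPN or Interconnect.

```python
"""Model of how VPC Network Peering exchanges routes. Added example; VPC names and
prefixes are constructed. Subnet routes are always exchanged, custom routes (static
and Cloud Router learned) only with export on one side and import on the other, and
routes learned over one peering are never passed on to another (non-transitive)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Vpc:
    name: str
    subnet_routes: set = field(default_factory=set)   # system-generated, one per subnet
    static_routes: set = field(default_factory=set)   # custom: static routes
    dynamic_routes: set = field(default_factory=set)  # custom: learned by Cloud Router (BGP)
    peer_routes: set = field(default_factory=set)     # learned over peerings; never re-exported

    def custom_routes(self):
        return self.static_routes | self.dynamic_routes


@dataclass
class PeeringSide:
    export_custom: bool = False   # 'Export custom routes' on this VPC's side of the peering
    import_custom: bool = False   # 'Import custom routes' on this VPC's side of the peering


def routes_received(local_cfg, remote, remote_cfg):
    """Routes the local VPC learns from the remote VPC over one peering."""
    received = set(remote.subnet_routes)            # always exchanged, no flag needed
    if remote_cfg.export_custom and local_cfg.import_custom:
        received |= remote.custom_routes()          # static + dynamic, only with export AND import
    return received                                 # remote.peer_routes deliberately excluded


def apply_peering(a, a_cfg, b, b_cfg):
    """Exchange routes in both directions (GCP does this continuously; call again after changes)."""
    a.peer_routes |= routes_received(a_cfg, b, b_cfg)
    b.peer_routes |= routes_received(b_cfg, a, a_cfg)


def can_reach(vpc, ip):
    """True if any route in the VPC's routing table covers the destination."""
    addr = ip_address(ip)
    table = vpc.subnet_routes | vpc.custom_routes() | vpc.peer_routes
    return any(addr in ip_network(r) for r in table)


def prod_dev_scenario(dev_exports, prod_imports):
    """Question 66: Development holds a VPN route to on-premises; can Production use it?"""
    prod = Vpc("prod", subnet_routes={"10.1.0.0/16"})
    dev = Vpc("dev", subnet_routes={"10.2.0.0/16"}, dynamic_routes={"192.168.0.0/16"})
    apply_peering(prod, PeeringSide(import_custom=prod_imports),
                  dev, PeeringSide(export_custom=dev_exports))
    return {"prod_sees_dev_subnet": can_reach(prod, "10.2.0.10"),
            "prod_reaches_onprem": can_reach(prod, "192.168.10.5")}


def transitive_scenario():
    """Question 53: test peers with dev, dev peers with prod, all flags on. Does test see prod?"""
    prod = Vpc("prod", subnet_routes={"10.1.0.0/16"})
    dev = Vpc("dev", subnet_routes={"10.2.0.0/16"})
    test = Vpc("test", subnet_routes={"10.3.0.0/16"})
    everything = PeeringSide(export_custom=True, import_custom=True)
    apply_peering(prod, everything, dev, everything)
    apply_peering(test, everything, dev, everything)
    return {"test_sees_dev": can_reach(test, "10.2.0.10"),
            "test_sees_prod": can_reach(test, "10.1.0.10")}


def new_subnet_scenario():
    """Question 65: a subnet added after peering, with no custom-route flags set."""
    a = Vpc("a", subnet_routes={"10.1.0.0/20"})
    b = Vpc("b", subnet_routes={"10.2.0.0/20"})
    apply_peering(a, PeeringSide(), b, PeeringSide())
    before = can_reach(a, "10.2.16.5")
    b.subnet_routes.add("10.2.16.0/20")   # new subnet in B, a system-generated subnet route
    apply_peering(a, PeeringSide(), b, PeeringSide())
    return {"before": before, "after": can_reach(a, "10.2.16.5")}


if __name__ == "__main__":
    print(prod_dev_scenario(dev_exports=False, prod_imports=False))
    print(prod_dev_scenario(dev_exports=True, prod_imports=True))
    print(transitive_scenario())
    print(new_subnet_scenario())
```

The flags the model mirrors are --export-custom-routes and --import-custom-routes on gcloud compute networks peerings update, applied independently on each network's side of the peering; the transitive scenario is the one to remember when a hub VPC is expected to relay traffic between spokes.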

67
MCQeasy

An engineer needs to set up a VPN between an on-premises network and GCP. The on-premises VPN device does not support BGP and can only support static routing. Which VPN solution should the engineer choose?

A.Partner Interconnect
B.HA VPN
C.Classic VPN
D.Dedicated Interconnect
AnswerC

Classic VPN supports static routing and does not require BGP.

Why this answer

Classic VPN supports static routing (policy-based or route-based). HA VPN requires dynamic routing (BGP), and Partner Interconnect is a dedicated connection not a VPN.

68
MCQmedium

A company has a Dedicated Interconnect connection with a VLAN attachment in their GCP VPC. They want to use BGP to exchange routes with their on-premises router. Which GCP resource must be configured to establish the BGP session?

A.Cloud Router
B.VPC peering
C.Network Connectivity Center
D.Cloud VPN gateway
AnswerA

Cloud Router is used for BGP sessions with on-premises routers over Interconnect or VPN.

Why this answer

A Cloud Router is required to establish BGP sessions over VLAN attachments. The Cloud Router manages BGP peers and route advertisements.

69
Multi-Select · medium

A company is designing hybrid connectivity between on-premises and GCP. The on-premises network has multiple VPN gateways that support BGP. They require high availability with an SLA of 99.99% and want to use Cloud VPN. Which TWO configurations are required? (Choose two.)

Select 2 answers
A. Static routing
B. Two Cloud VPN gateways
C. One Cloud VPN gateway with two interfaces
D. Policy-based VPN
E. Four IKEv2 tunnels with BGP
Answers: B, E

HA VPN uses two gateways for redundancy.

Why this answer

HA VPN provides 99.99% SLA with two external IP addresses (one per gateway) and four tunnels (two per gateway) with BGP. Two Cloud VPN gateways and four tunnels are needed.

70
MCQ · hard

A network engineer is configuring HA VPN between an on-premises network and GCP. They have created two external VPN gateways in GCP (one per region) and two Cloud Routers. How many IKEv2 tunnels and BGP sessions are required to achieve the 99.99% SLA?

A. Four tunnels, four BGP sessions
B. Two tunnels, two BGP sessions
C. Four tunnels, two BGP sessions
D. Two tunnels, four BGP sessions
Answer: A

Four tunnels (two per gateway) with four BGP sessions meet the 99.99% SLA.

Why this answer

HA VPN requires four tunnels (two per gateway) and four BGP sessions (one per tunnel) to achieve 99.99% SLA.

71
MCQ · hard

A company is using a Classic VPN with static routing to connect to GCP. They need to add a new subnet in GCP and make it reachable from on-premises without manual configuration changes on-premises. What is the limitation of Classic VPN in this scenario?

A. Classic VPN does not support IKEv2
B. Classic VPN supports BGP, so routes are automatically advertised
C. Classic VPN requires manual route updates on-premises
D. Classic VPN cannot be used with multiple subnets
Answer: C

Since Classic VPN uses static routing, new GCP subnets require adding static routes on-premises.

Why this answer

Classic VPN with static routing requires manual route updates; dynamic routing (BGP) is needed for automatic route advertisement.

72
MCQ · medium

An organization wants to use Cloud Router with BGP to advertise a specific on-premises subnet (10.0.1.0/24) to its GCP VPC. Which BGP attribute should they use to influence route selection if multiple paths exist?

A. Weight
B. Local Preference
C. AS Path
D. Multi-Exit Discriminator (MED)
Answer: D

MED is the correct attribute for influencing inbound traffic preference.

Why this answer

The Multi-Exit Discriminator (MED) is the correct BGP attribute for influencing inbound route selection when multiple paths exist from different autonomous systems (ASes). In this scenario, the organization advertises 10.0.1.0/24 via Cloud Router, and MED allows the on-premises router to prefer a specific path by suggesting a lower metric value (default 0, lower is better). Unlike Weight or Local Preference, MED is exchanged between ASes and directly affects how the on-premises side selects among multiple GCP paths.

Exam trap

The trap here is that candidates confuse Local Preference (which influences outbound traffic from the AS) with MED (which influences inbound traffic to the AS), leading them to pick Option B instead of D.

How to eliminate wrong answers

Option A is wrong because Weight is a Cisco-proprietary BGP attribute that is local to a router and not advertised to peers, so it cannot influence route selection from the on-premises side. Option B is wrong because Local Preference is used to influence outbound traffic from an AS and is not exchanged with external BGP peers; it affects how routes are chosen within the local AS, not how the on-premises router selects among paths. Option C is wrong because AS Path is a well-known mandatory attribute used for loop prevention and path selection (shorter path preferred), but it is not the attribute specifically designed to influence inbound route selection when multiple paths exist from different ASes; MED is the explicit metric for that purpose.

73
MCQ · hard

A company is planning a hybrid connectivity solution with 200 Gbps total bandwidth between their data center and Google Cloud. They need the highest SLA and lowest latency. Which combination of services would meet these requirements?

A. Two 100 Gbps Dedicated Interconnect connections
B. One 100 Gbps Dedicated Interconnect and one 100 Gbps Partner Interconnect
C. Twenty 10 Gbps Dedicated Interconnect connections
D. Four 50 Gbps Partner Interconnect connections
Answer: A

Two 100 Gbps connections provide 200 Gbps bandwidth and meet the highest SLA (99.99%) and lowest latency.

Why this answer

Dedicated Interconnect provides up to 100 Gbps per link. To achieve 200 Gbps, they need two 100 Gbps connections. Two connections provide redundancy and the 99.99% SLA.

74
Multi-Select · easy

A developer wants to configure Cloud DNS for split-horizon DNS where internal queries resolve to private IPs and external queries resolve to public IPs. Which TWO steps should they take?

Select 2 answers
A. Set up DNS peering between the zones.
B. Configure the private zone with a VPC network binding.
C. Use DNS forwarding to on-premises servers.
D. Create a public managed zone for the domain.
E. Create a private managed zone for the domain.
Answers: D, E

The public zone handles external queries and the private zone handles internal queries.

Why this answer

Split-horizon DNS is achieved by having a private zone for internal resolution and a public zone for external resolution, both authoritative for the same domain.

75
MCQ · hard

A company has two VPCs (Prod and Dev) that are peered. Both VPCs have routes to an on-premises network via separate Cloud VPN tunnels. The on-prem network has routes to both VPCs. The Dev VPC recently added a subnet that overlaps with an on-prem subnet. What is the likely impact on the Prod VPC?

A. No impact on either VPC
B. Prod VPC loses connectivity to the on-premises network
C. Prod VPC can now communicate with Dev VPC via on-prem
D. Dev VPC cannot communicate with on-prem due to overlap
Answer: D

Overlapping subnets cause routing issues for Dev VPC to on-prem.

Why this answer

When the Dev VPC adds a subnet that overlaps with an on-premises subnet, Cloud VPN routes for that overlapping prefix become ambiguous. GCP Cloud Router uses dynamic routing (BGP) and will prefer the more specific route, but if the prefixes are identical, the route to the on-premises network via the Dev VPN tunnel may be withdrawn or become unreachable due to the conflict. This directly impacts the Dev VPC's ability to communicate with the on-premises network over the VPN, while the Prod VPC, with its non-overlapping subnet, remains unaffected.

Exam trap

The trap here is that candidates assume overlapping subnets in one VPC will break all VPN connectivity across peered VPCs, but in reality, each VPC's VPN tunnel is independent, and only the VPC with the overlapping subnet loses connectivity to the on-premises network.

How to eliminate wrong answers

Option A is wrong because overlapping subnets between a VPC and an on-premises network cause routing conflicts that disrupt connectivity for the VPC with the overlap, so there is an impact. Option B is wrong because the Prod VPC has its own separate Cloud VPN tunnel and routes to the on-premises network, and the overlap in the Dev VPC does not affect Prod's routes or connectivity. Option C is wrong because VPC peering already enables direct communication between Prod and Dev VPCs; routing traffic via on-premises would be unnecessary and is not automatically enabled by the overlap—in fact, overlapping subnets would break such a path.
