CCNA Pcne Designing Network Questions

56 of 131 questions · Page 2/2 · Pcne Designing Network topic · Answers revealed

76
MCQmedium

A company wants to resolve DNS queries from their on-premises DNS servers for a private zone hosted in Cloud DNS. They also need GCP resources to resolve on-premises hostnames. Which combination of Cloud DNS features should they configure?

A.Outbound DNS server policy only
B.DNS peering with the on-premises network
C.Inbound DNS server policy only
D.Both inbound and outbound DNS server policies
AnswerD

Inbound allows on-premises to query Cloud DNS; outbound allows GCP to query on-premises DNS.

Why this answer

An inbound DNS server policy allocates inbound forwarder IP addresses from the VPC's subnet ranges; on-premises resolvers forward queries for the private zone to those addresses. In the other direction, either an outbound DNS server policy (every query from the VPC goes to the on-premises servers) or a forwarding zone (only the on-premises domain is forwarded) lets GCP resources resolve on-premises hostnames; the forwarding zone is the narrower choice and usually the better one.

77
Multi-Selectmedium

A company is planning a hybrid connectivity strategy between their on-premises data center and GCP. They require at least 99.9% availability and are open to using a third-party service provider. Which TWO options meet these requirements? (Choose TWO.)

Select 2 answers
A.Dedicated Interconnect (single 10 Gbps connection)
B.VPC Network Peering
C.Classic VPN (static routing)
D.HA VPN (single tunnel)
E.Partner Interconnect (single 1 Gbps connection)
AnswersA, E

The key marks A and E, but Google's Cloud Interconnect SLA covers only redundant topologies: a single Dedicated Interconnect connection or a single Partner Interconnect connection has no SLA at all. 99.9% requires two connections (or two Partner VLAN attachments) in different edge availability domains of the same metro; 99.99% requires four across two metros.

Why this answer

Of the remaining options, HA VPN reaches its 99.99% SLA only with a tunnel on each of the gateway's two interfaces, so a single tunnel (D) is not covered either, and VPC Network Peering (B) is not hybrid connectivity. Between Dedicated and Partner Interconnect, only Partner involves a third-party service provider, which the scenario permits but does not require.

Classic VPN (C) is the one option as written that carries a published 99.9% SLA, but it is partially deprecated (new Classic VPN tunnels with dynamic routing are no longer supported and Google steers new designs to HA VPN), so it is not what you would build today.

78
Multi-Selectmedium

A company has multiple GCP projects that need to resolve DNS queries for a private zone (e.g., example.internal) that is hosted in a central project. They want to avoid copying zone data. Which TWO features can be used to achieve this? (Choose TWO.)

Select 2 answers
A.Outbound DNS forwarding
B.Creating duplicate private zones in each project
C.DNS peering
D.Shared VPC
E.Inbound DNS forwarding
AnswersC, D

DNS peering creates a peering zone in the consumer network that forwards lookups for the zone's domain to the producer network where the private zone is attached, so the zone data lives in one place.

Why this answer

DNS peering shares a private zone from one project (and VPC) to another without copying records. Shared VPC also works: if the private zone is attached to the Shared VPC network, every service project VM on that network resolves it. DNS peering is the more direct answer when the projects keep separate VPCs.

Outbound forwarding is for on-premises resolution, not cross-project. Inbound forwarding is for on-premises to Cloud DNS. Private zones are per-project and don't automatically resolve cross-project.

79
Multi-Selecteasy

A company is planning to use Partner Interconnect to connect their on-premises network to GCP. Which TWO of the following are characteristics of Partner Interconnect?

Select 2 answers
A.Requires colocation facility presence
B.Supports up to 100 Gbps
C.Uses VLAN attachments
D.Supports bandwidth from 50 Mbps to 10 Gbps
E.Provides 99.99% SLA with a single connection
AnswersC, D

Correct. Like Dedicated Interconnect, Partner Interconnect uses VLAN attachments.

Why this answer

Partner Interconnect VLAN attachments were originally offered from 50 Mbps to 10 Gbps (the range the exam expects); Google has since added 20 Gbps and 50 Gbps attachment sizes. The SLA is 99.9% with two attachments in different edge availability domains and 99.99% with four across two metros; a single attachment carries no SLA. Colocation presence is not required because the service provider already peers with Google; Dedicated Interconnect is the option that requires it.

80
Multi-Selectmedium

A company is planning to connect multiple VPCs in different projects to a common on-premises network using a hub-and-spoke topology. They want to use Network Connectivity Center (NCC). Which TWO components are required to set up this topology?

Select 2 answers
A.VPC Network Peering
B.NCC hub
C.Dedicated Interconnect VLAN attachments
D.Cloud Router
E.VPC spokes
AnswersB, E

The hub is the central routing entity in NCC.

Why this answer

NCC consists of a hub and the spokes attached to it. VPC spokes attach whole VPC networks; the on-premises network is reached through hybrid spokes, which are Cloud Interconnect VLAN attachments, HA VPN tunnels or router appliance instances, each of which sits on a Cloud Router. The question asks for the NCC components themselves, so the hub and the VPC spokes are the answer; Cloud Router and a VLAN attachment are what a hybrid spoke wraps, not NCC objects.

81
MCQmedium

An organization wants to design IP addresses for their GCP VPC that will be peered with an on-premises network using 10.0.0.0/8. Which subnet IP range should they avoid to prevent overlap?

A.10.1.0.0/16
B.192.168.0.0/16
C.10.0.0.0/8
D.172.16.0.0/12
AnswerA

This overlaps with 10.0.0.0/8.

Why this answer

Option A (10.1.0.0/16) is correct because the on-premises network uses 10.0.0.0/8, which encompasses all IPs from 10.0.0.0 to 10.255.255.255. The subnet 10.1.0.0/16 falls entirely within this range, so peering would cause an IP address overlap, breaking routing between the VPC and on-premises. GCP VPC peering requires non-overlapping CIDR blocks to avoid conflicts.

Exam trap

The trap here is that candidates assume only exact CIDR matches cause overlap, but any subnet that is a subset of the on-premises range (like 10.1.0.0/16 within 10.0.0.0/8) also overlaps and must be avoided.

How to eliminate wrong answers

Option B (192.168.0.0/16) is wrong because it is a private IPv4 range (RFC 1918) that does not overlap with 10.0.0.0/8, so it is safe to use for the VPC. Option C (10.0.0.0/8) is wrong because it is the exact same range as the on-premises network, causing a complete overlap and making peering impossible. Option D (172.16.0.0/12) is wrong because it is another RFC 1918 private range (172.16.0.0 to 172.31.255.255) that does not intersect with 10.0.0.0/8, so it is also safe.

82
MCQmedium

An organization needs DNS resolution for on-premises hosts to resolve GCP private zone names (e.g., myinstance.gcp.internal). They have Cloud DNS private zones in GCP. Which Cloud DNS feature should they configure to forward queries from on-premises to GCP?

A.Inbound DNS forwarding
B.Split-horizon DNS
C.DNS peering
D.Outbound DNS forwarding
AnswerA

Inbound DNS server policy allows on-premises resolvers to forward queries to Cloud DNS.

Why this answer

Cloud DNS inbound server policy enables on-premises DNS resolvers to forward queries to Cloud DNS for resolution of private zones. This is the appropriate feature for on-premises to GCP DNS resolution.

83
MCQeasy

Which Cloud DNS zone type is used to resolve DNS names for resources within a VPC network, and is not accessible from the internet?

A.Peering zone
B.Forwarding zone
C.Private managed zone
D.Public managed zone
AnswerC

Private zones are internal to VPC networks.

Why this answer

Private managed zones are associated with one or more VPC networks and are used for internal DNS resolution. Public managed zones are for internet-facing DNS.

84
MCQmedium

A company uses Shared VPC to grant separate teams access to subnets in a host project. They want to allow Team A to create VM instances in subnet-1, but not delete the subnet itself. Which IAM role should be granted to Team A on subnet-1?

A.roles/owner
B.roles/compute.networkAdmin
C.roles/compute.instanceAdmin.v1
D.roles/compute.networkUser
AnswerD

networkUser allows using the subnet without full administrative rights.

Why this answer

The Compute Network User role (roles/compute.networkUser) grants compute.subnetworks.use and compute.subnetworks.useExternalIp, so principals in the service project can attach VM interfaces to the subnet. Creating the VM itself still needs roles/compute.instanceAdmin.v1 in the service project. networkUser carries no permission to modify or delete the subnet; that requires roles/compute.networkAdmin on the host project, which is why B and A grant far too much.

85
Multi-Selecthard

A company is migrating workloads to Google Cloud and wants to use Cloud Interconnect for low-latency connectivity. They have two on-premises locations and need to connect to multiple GCP regions. Which two statements are true about using VLAN attachments with Dedicated Interconnect? (Choose TWO.)

Select 2 answers
A.Multiple VLAN attachments can be created over a single physical interconnect link.
B.VLAN attachments support both Dedicated and Partner Interconnect.
C.A VLAN attachment can span multiple geographic regions.
D.Each VLAN attachment connects to a single Cloud Router.
E.A single VLAN attachment can connect to multiple VPCs.
AnswersA, D

You can create multiple VLAN attachments over one Dedicated Interconnect link.

Why this answer

VLAN attachments are the logical connections carried over a Dedicated Interconnect link. Each attachment is regional and is associated with exactly one Cloud Router, which lives in one VPC network and one region; to reach several VPCs or regions you create several attachments on the same physical link. Note that option B is also a true statement in general, since Partner Interconnect uses VLAN attachments too; the key reads the question as scoped to Dedicated Interconnect.

86
MCQmedium

An organization wants to use Cloud DNS to resolve queries for a custom domain 'example.internal' across multiple projects in the same organization. They have a private zone in project A and want project B to be able to resolve records in that zone. Which feature should they use?

A.Shared VPC
B.Public zone with visibility
C.DNS forwarding
D.DNS peering
AnswerD

DNS peering enables cross-project DNS resolution by allowing a target project to query the source project's private zone.

Why this answer

DNS peering allows a private zone in one project to be shared with other projects for DNS resolution.

87
MCQmedium

A company needs to advertise a specific prefix from their on-premises network to GCP via Cloud Router. They do not want to advertise all connected networks. What should they configure on the Cloud Router's BGP peer?

A.Use a static route instead
B.Export custom routes
C.Global routing mode
D.Route advertisements with custom learned routes
AnswerD

Custom learned routes are set per BGP session on the Cloud Router and add the listed prefixes as if the peer had advertised them.

Why this answer

Custom learned routes are configured on a Cloud Router BGP session and make Cloud Router install the listed prefixes as learned routes, with a configurable priority, regardless of what the peer actually sends. They are the per-peer control over which on-premises prefixes enter the VPC. What the on-premises router sends in the first place is governed by its own outbound BGP policy, and Cloud Router's custom route advertisements (option B's wording) control only the opposite direction, GCP to on-premises.

88
MCQeasy

A startup is deploying its first application on Google Cloud and needs to create a VPC network. They want to avoid manual subnet planning and prefer that Google automatically creates subnets in each region as they expand. Which VPC type should they choose?

A.Shared VPC
B.Auto mode VPC
C.VPC Network Peering
D.Custom mode VPC
AnswerB

Auto mode VPCs automatically create subnets in each region, which is ideal for avoiding manual subnet planning.

Why this answer

Auto mode VPCs automatically create subnets in each region with predetermined IP ranges, simplifying initial setup. Custom mode VPCs require manual subnet creation.

89
MCQeasy

A startup is creating a new VPC for their production environment. They want to minimize management overhead and plan to use multiple regions. Which VPC type should they choose?

A.Auto mode VPC
B.Custom mode VPC
C.Shared VPC
D.VPC Network Peering
AnswerA

Auto mode creates subnets in each region automatically, suitable for multi-region setups with minimal management.

Why this answer

Auto mode VPCs automatically create a subnet in each region from the reserved 10.128.0.0/9 block, reducing management overhead, and custom mode requires manual subnet creation. Be aware that Google's own guidance is to use custom mode for production networks: the fixed auto mode ranges can collide with on-premises or peered networks, and an auto mode VPC can be converted to custom mode but not back.

90
Multi-Selecthard

A company is setting up HA VPN between GCP and on-premises. They want 99.99% SLA. Which THREE configurations are required? (Choose THREE.)

Select 3 answers
A.One external IP address on the Cloud VPN gateway
B.Four IKEv2 tunnels with BGP
C.Cloud Router configured with BGP
D.Two external IP addresses on the Cloud VPN gateway
E.Static routing
AnswersB, C, D

A tunnel on each of the gateway's two interfaces, every tunnel running BGP; four tunnels when the on-premises side is redundant as well.

Why this answer

HA VPN uses one regional HA VPN gateway with two interfaces, each with its own external IP address (option D). The 99.99% SLA requires at least one tunnel on each interface, so two tunnels minimum; when the on-premises side has two gateways, or one gateway with two interfaces, you build two tunnels per interface, the four IKEv2 tunnels of option B. Every tunnel carries a BGP session on a Cloud Router (option C) so that routes fail over when a tunnel drops. Static routing (option E) is not covered by the SLA, and a single external IP (option A) leaves one interface unused.

Exam trap

The exam tests the misconception that redundancy comes from a second Cloud VPN gateway. It does not: a single HA VPN gateway already has two interfaces and two external IPs. What the SLA needs is a tunnel on each interface, BGP on every tunnel, and for end-to-end redundancy a peer side with two external IPs as well.

91
Multi-Selectmedium

A company uses Shared VPC to centralize network management. The host project contains subnets for production and development environments. Which two statements accurately describe the capabilities of Shared VPC? (Choose TWO.)

Select 2 answers
A.Service project VMs can use internal IP addresses from the shared subnets.
B.Shared VPC supports transitive peering across service projects.
C.IAM policies on shared subnets can be delegated to service project administrators.
D.Service project administrators can create subnets in the host project.
E.Service projects cannot have their own VPCs when using Shared VPC.
AnswersA, C

VMs in service projects are assigned internal IPs from the shared subnets.

Why this answer

Shared VPC allows a host project to share subnets with service projects. IAM on shared subnets can be delegated to service project administrators, and VMs in service projects can use internal IPs from the shared subnets.

92
Multi-Selectmedium

An engineer needs to plan IP address ranges for a new GCP environment that will connect to an on-premises network via Dedicated Interconnect. The on-premises network uses 10.0.0.0/8. The GCP VPC must support GKE pods and services and future expansion. Which THREE best practices should the engineer follow? (Choose three.)

Select 3 answers
A.Plan secondary IP ranges for GKE pods and services
B.Use the same IP range as on-premises for simplicity
C.Use a public IP range for the VPC to avoid overlap
D.Select a CIDR block that does not overlap with the on-premises network
E.Use a RFC 1918 private IP range for the VPC
AnswersA, D, E

Secondary ranges are required for GKE.

Why this answer

Best practices: Use RFC 1918 private ranges, avoid overlapping with on-premises, plan secondary ranges for GKE (pods and services), and use non-overlapping ranges for future expansion.

93
Multi-Selectmedium

An organization is designing a hybrid connectivity architecture using Cloud Router and BGP. They need to advertise a specific prefix from an on-premises network to GCP, and they want to control the route priority. Which two BGP features should they configure? (Choose TWO.)

Select 2 answers
A.Global dynamic routing mode
B.Custom route exchange
C.Custom learned routes
D.BGP route aggregation
E.Route advertisement with MED
AnswersB, E

Custom route exchange allows advertising specific prefixes via BGP.

Why this answer

Cloud Router's custom route advertisements (set on the router or per BGP session) choose which prefixes it advertises, and the advertised route priority it attaches becomes the MED the peer receives, lower preferred. In the on-premises to GCP direction the roles flip: the on-premises router sets MED on the prefixes it advertises, and Cloud Router uses that MED as the priority of the learned route; equal priorities across tunnels load-balance with ECMP. Note that "custom route exchange" in option B is really the VPC Peering term; the Cloud Router feature is "custom route advertisements".
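The priority mechanics above, as an added example for this page (not Google code): Cloud Router uses the MED it receives as the learned-route priority, ties share traffic, and the advertised route priority becomes the MED the on-premises router sees. Session names, prefixes, MED values and the region-to-region cost figure are constructed.

```python
"""Added example (not Google code): how Cloud Router treats BGP MED.

Learned routes: the MED a peer sends becomes the priority of the learned
route; the lowest value wins and equal values share traffic (ECMP).
Advertised routes: the "advertised route priority" set on the Cloud Router
becomes the MED the on-premises router receives.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LearnedRoute:
    prefix: str    # destination learned from the peer, e.g. "10.1.0.0/16"
    session: str   # BGP session it arrived on (an HA VPN tunnel or VLAN attachment)
    med: int       # MED sent by the peer; Cloud Router uses it as route priority


def active_sessions(routes: List[LearnedRoute]) -> Dict[str, List[str]]:
    """Per prefix, the sessions that end up programmed as next hops.

    Lowest MED is preferred; sessions that tie at the lowest MED are all kept,
    which is how Cloud Router load-balances a prefix across tunnels (ECMP).
    """
    by_prefix: Dict[str, List[LearnedRoute]] = defaultdict(list)
    for r in routes:
        by_prefix[r.prefix].append(r)
    active: Dict[str, List[str]] = {}
    for prefix, learned in by_prefix.items():
        best = min(r.med for r in learned)
        active[prefix] = sorted(r.session for r in learned if r.med == best)
    return active


def after_failure(routes: List[LearnedRoute], failed_session: str) -> Dict[str, List[str]]:
    """Routes learned on a session vanish when its BGP session drops; the
    remaining sessions are re-evaluated, which is the failover behaviour."""
    return active_sessions([r for r in routes if r.session != failed_session])


def advertised_med(base_priority: int = 100, same_region: bool = True,
                   region_cost: int = 201) -> int:
    """MED that Cloud Router attaches to a subnet route it advertises.

    base_priority is the Cloud Router "advertised route priority" (default
    100; lower is preferred by the peer). In global dynamic routing mode,
    subnets in other regions are advertised with an added region-to-region
    cost, which Google documents as a value between 201 and 9999. The 201
    used here is a constructed placeholder, not a value from any deployment.
    """
    return base_priority if same_region else base_priority + region_cost


# Constructed scenario: two HA VPN tunnels. On-premises prefers tunnel-0 for
# 10.1.0.0/16 by sending a lower MED there, and lets 10.2.0.0/16 use both.
SAMPLE_ROUTES = [
    LearnedRoute("10.1.0.0/16", "tunnel-0", 100),
    LearnedRoute("10.1.0.0/16", "tunnel-1", 200),
    LearnedRoute("10.2.0.0/16", "tunnel-0", 100),
    LearnedRoute("10.2.0.0/16", "tunnel-1", 100),
]

if __name__ == "__main__":
    print(active_sessions(SAMPLE_ROUTES))
    print(after_failure(SAMPLE_ROUTES, "tunnel-0"))
    print(advertised_med(100, same_region=False))
```

Run it to see 10.1.0.0/16 pinned to tunnel-0 while 10.2.0.0/16 is spread across both, then tunnel-1 taking over everything once tunnel-0 is removed; the advertised_med call shows why a remote-region subnet loses to a same-region one with the same base priority.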

94
Multi-Selecthard

An organization needs to design a hybrid connectivity solution with 99.99% availability for a mission-critical application. They have a co-location facility near a GCP region. Which THREE components are required to meet this SLA?

Select 3 answers
A.Two VLAN attachments
B.Two Dedicated Interconnect links in different edge availability domains
C.One Dedicated Interconnect link with multiple VLAN attachments
D.Cloud Router with BGP sessions
E.Classic VPN as a backup
AnswersA, B, D

Each link carries its own VLAN attachment, and every attachment needs a BGP session on a Cloud Router.

Why this answer

The key's three components are necessary but, as described, they are the 99.9% topology: two Dedicated Interconnect connections in different edge availability domains of one metro, one VLAN attachment on each, and a Cloud Router with a BGP session per attachment. Google's 99.99% SLA requires four connections across two metros (two edge availability domains in each), four VLAN attachments, Cloud Routers in at least two regions, and global dynamic routing mode on the VPC. Classic VPN as a backup (E) contributes nothing to the Interconnect SLA.

95
MCQeasy

A startup is setting up their first GCP VPC. They want minimal manual configuration and need subnets in multiple regions. Which VPC creation mode should they use, and why?

A.Auto mode, because it allows overlapping IP ranges with on-premises networks.
B.Auto mode, because it automatically creates subnets in all regions with predefined IP ranges.
C.Custom mode, because it is the only mode that supports Shared VPC.
D.Custom mode, because it provides full control over IP ranges.
AnswerB

Auto mode creates subnets automatically in each region, which is ideal for minimal manual setup.

Why this answer

Auto mode VPCs automatically create a subnet in each region with predefined IP ranges, reducing manual effort. Custom mode requires manual subnet creation.

96
MCQeasy

An organization needs to create a VPC that automatically creates subnets in every region as new regions become available. Which VPC type should they use?

A.VPC Network Peering
B.Shared VPC
C.Auto mode VPC
D.Custom mode VPC
AnswerC

Correct. Auto mode VPCs automatically create subnets in each region.

Why this answer

Auto mode VPCs create subnets in all regions automatically and expand to new regions as they become available.

97
Multi-Selectmedium

A company is designing a Shared VPC environment with a host project and several service projects. Which two steps are required to allow a service project team to create Compute Engine instances with internal IP addresses from a shared subnet?

Select 2 answers
A.Create a VPC peering connection between the host and service projects
B.Ensure the host project and service project are in the same organization
C.Grant the service project's network team the roles/compute.networkAdmin role on the host project
D.Grant the service project's Compute Engine service account the roles/compute.networkUser role on the host project's subnet
E.Assign the roles/compute.securityAdmin role to the service project team
AnswersB, D

Shared VPC requires projects to be in the same organization.

Why this answer

To use a shared subnet, the host project must grant the service project's Compute Engine service account the necessary IAM role on the subnet. The service project team must also have permissions to use the subnet.

98
Multi-Selecthard

A company uses Network Connectivity Center (NCC) to connect multiple on-premises sites and VPCs. They have a hub in us-central1 and spokes including two on-premises networks and three VPCs. Which two statements about NCC are accurate? (Choose TWO.)

Select 2 answers
A.NCC requires a Dedicated Interconnect for on-premises spokes.
B.Each spoke can be connected to multiple hubs.
C.Traffic between spokes must traverse the hub.
D.NCC supports both VPC spokes and on-premises spokes.
E.NCC provides transitive routing across all spokes automatically.
AnswersC, D

NCC is hub-and-spoke: each spoke attaches to exactly one hub, and the hub is where routes between spokes are exchanged.

Why this answer

NCC uses a hub-and-spoke model. The hub is a control-plane construct, not a VM that packets pass through: VPC spokes attached to the same hub exchange subnet routes and reach each other over Google's network, and hybrid spokes (VLAN attachments, HA VPN tunnels or router appliance instances) are reached through their Cloud Routers, so Dedicated Interconnect (A) is not required. Site-to-site data transfer between hybrid spokes is a setting you enable, not automatic (E), and a spoke belongs to one hub (B).

99
MCQmedium

An organization has two VPCs, VPC-A and VPC-B, in the same project. They need to allow communication between instances in these VPCs without using the public internet. The solution must support dynamic routes and be non-transitive. What should they configure?

A.Add a route in each VPC pointing to the other's subnet via the default internet gateway
B.Create a VPN tunnel between VPC-A and VPC-B
C.Configure VPC Network Peering between the two VPCs
D.Use Shared VPC with a host project and attach both VPCs as service projects
AnswerC

VPC Peering provides direct, non-transitive connectivity with dynamic route exchange, meeting all requirements.

Why this answer

VPC Network Peering connects two VPCs directly over Google's network, is non-transitive, and exchanges subnet routes automatically. Custom routes, including dynamic routes learned by a Cloud Router, are exchanged only when "export custom routes" and "import custom routes" are enabled on the respective sides of the peering.

100
MCQhard

A network engineer is troubleshooting BGP route propagation between an on-premises network and a GCP VPC via Cloud Router. The on-premises router is advertising a specific subnet (10.1.0.0/16), but GCP is not receiving the route. Cloud Router BGP sessions are established. Which configuration could be the issue?

A.The Cloud Router is configured to only accept routes from a specific set of prefixes
B.The VPC firewall rules are blocking BGP traffic (TCP port 179)
C.The Cloud Router is configured with a higher MED value for the route
D.The on-premises router is not sending the AS_PATH attribute
AnswerA

As keyed, A. In practice Cloud Router has no inbound prefix filter, so check the GCP-side conditions that actually discard a learned prefix before blaming BGP policy.

Why this answer

Be careful with this question: Cloud Router's custom route advertisements, advertised route priority and advertised groups all control what Cloud Router sends to the peer, not what it accepts, and Cloud Router does not offer inbound prefix filtering. With the BGP session up, the reasons a prefix from on-premises does not appear as a dynamic route are: the prefix exactly matches or is more specific than a subnet range (primary or secondary) in the VPC, in which case it is never installed because subnet routes always win; the learned-route limit for the Cloud Router has been exceeded; or the on-premises router's outbound policy is not actually sending it. Check the Cloud Router's learned routes in the console or with gcloud to see which case applies.

Why the distractors fail: VPC firewall rules (B) do not apply to Cloud Router's BGP sessions, which run over the tunnel or attachment's link-local addresses; a higher MED (C) lowers the route's priority but does not make it disappear; and AS_PATH (D) is mandatory in every eBGP UPDATE, so its absence would break the session, not just one prefix.

101
MCQeasy

A company wants to use Cloud DNS to resolve queries for a private zone (e.g., example.internal) from multiple VPCs in the same project. They need to ensure that instances in all VPCs can resolve the zone. What is the simplest approach?

A.Configure each VM to use a custom DNS resolver
B.Use Cloud DNS peering to forward queries between VPCs
C.Create a public zone and set visibility to private
D.Create a private zone and associate it with all relevant VPCs
AnswerD

A Cloud DNS private zone can be attached to multiple VPC networks in the same project (subject to the per-zone quota), and every attached network resolves it.

Why this answer

A private managed zone can be associated with one or more VPCs in the same project. By associating the zone with all VPCs that need resolution, instances in those VPCs can resolve the zone without additional peering.

102
MCQhard

A company has two VPC networks in the same project: VPC-A (10.0.0.0/16) and VPC-B (10.0.0.0/16). They want to establish VPC Network Peering between them. What is the outcome?

A.Peering succeeds, and only non-overlapping subnets are used
B.Peering succeeds, and routes are exchanged, but traffic may be unpredictable
C.Peering fails because subnets overlap
D.Peering succeeds, but routes are not exchanged
AnswerC

Overlapping IP ranges prevent VPC peering from being established.

Why this answer

VPC Network Peering requires that the subnets in the two VPCs do not overlap. Since both VPCs use the same CIDR block (10.0.0.0/16), peering will fail due to subnet overlap.

103
Multi-Selecthard

A company wants to set up a hybrid network with HA VPN between an on-premises network and GCP. They need a 99.99% SLA. Which THREE conditions must be met to achieve this SLA?

Select 3 answers
A.Cloud Router configured with global dynamic routing mode
B.Two Cloud VPN gateways in GCP, each with one interface
C.Each tunnel uses a unique IKE pre-shared key
D.Two or more tunnels established with BGP sessions
E.On-premises VPN gateway with two distinct public IP addresses
AnswersC, D, E

A unique pre-shared key per tunnel is a security recommendation, not an SLA condition; the SLA conditions are the two-interface, multi-tunnel, BGP configuration.

Why this answer

HA VPN provides the 99.99% SLA when a single HA VPN gateway (not two, so option B is wrong) has at least one tunnel on each of its two interfaces, each tunnel runs a BGP session on a Cloud Router, and the on-premises side is also redundant with two external IP addresses so that tunnels terminate on distinct peer interfaces. Global dynamic routing mode (A) is not required; regional mode also qualifies. The key counts the per-tunnel PSK (C) as a condition, but treat it as good practice rather than an SLA term.

104
MCQmedium

An organization has multiple VPCs in a Shared VPC setup. They want to allow only certain service projects to use a specific subnet in the host project. What should they configure?

A.Use VPC peering between host and service projects
B.Grant the compute.networkUser role to the service project
C.Create a separate host project for each service project
D.Use subnet-level IAM to grant roles/compute.networkUser on the specific subnet
AnswerD

Correct. Binding the role on the subnet rather than the host project gives per-subnet control.

Why this answer

Shared VPC lets you set IAM policies on individual subnets. Granting roles/compute.networkUser on the specific subnet to the principals (or service accounts) of the chosen service projects lets only those projects use it; granting the same role at the host project level (option B) would expose every shared subnet. There is no separate "subnetUser" role; the subnet-level binding uses roles/compute.networkUser.

105
MCQeasy

A developer wants to create a GKE cluster with a separate subnet for pods and services to avoid IP address exhaustion. What type of secondary IP ranges should they configure on the VPC subnet?

A.Primary IP ranges
B.External IP ranges
C.Alias IP ranges
D.Secondary IP ranges for pods and services
AnswerD

Correct. GKE requires secondary ranges for pods and services.

Why this answer

GKE uses secondary IP ranges for pods and services. You specify these ranges when creating the subnet.

106
MCQeasy

A developer needs to create a GKE cluster that uses a secondary IP range for pods and another for services. During VPC subnet creation, they set a primary IP range and two secondary ranges. Which flag must be used when creating the subnet to specify the pods range?

A.--pods-range
B.--secondary-range
C.--additional-ip-range
D.--auxiliary-range
AnswerB

This flag allows specifying secondary IP ranges for pods and services during subnet creation.

Why this answer

When creating a subnet with secondary IP ranges, the '--secondary-range' flag is used to specify the name and range for pods (or services). The CLI command allows multiple secondary ranges.

107
MCQhard

A network engineer is setting up HA VPN between an on-premises network and a GCP VPC. They have configured two Cloud VPN gateways in GCP, each with two interfaces, and four tunnels. They are using BGP with Cloud Router. However, only one of the four tunnels is established. What is the most likely cause?

A.The Cloud Router ASN is not unique to the project
B.The on-premises VPN gateway is using the same peer IP for multiple tunnels
C.The Cloud Router is not advertising the default route
D.The VPC firewall rules are blocking UDP port 500
AnswerB

Each HA VPN tunnel is identified by its local interface and peer address; two tunnels from the same interface to the same peer IP are a misconfiguration and will not both come up.

Why this answer

An HA VPN gateway has two interfaces with two external IPs. In a four-tunnel design, each GCP interface terminates two tunnels, one to each of the two on-premises peer addresses, so the peer side needs two distinct external IPs (two gateways, or one gateway with two interfaces). If the on-premises configuration reuses one peer IP for the tunnels on a given GCP interface, the duplicate tunnels conflict and only one tunnel per pair is established, which is consistent with a single tunnel being up.

Duplicate peer IPs and mismatched BGP ASNs (each tunnel must use the peer ASN configured on its BGP session) are the usual causes. A firewall rule on UDP 500 (D) would block all four tunnels, not three; the Cloud Router ASN (A) only needs to differ from the peer's; and not advertising a default route (C) affects reachability, not tunnel establishment.

108
MCQhard

A company is using Partner Interconnect with a 2 Gbps VLAN attachment. They notice that throughput is only about 500 Mbps during peak hours. They have verified that the on-premises link is not saturated. What is the most likely cause?

A.The VLAN attachment is configured with a lower bandwidth cap
B.Cloud Router is not using the partner's ASN
C.The VPC MTU is set to 1500 bytes
D.The on-premises router does not support BGP multipath
AnswerA

A Partner Interconnect VLAN attachment has a fixed capacity chosen at creation (50 Mbps, 100 Mbps, ... , 10 Gbps and above); traffic is policed to that value regardless of the partner's physical link.

Why this answer

The attachment's capacity is the ceiling. If the attachment was created at 500 Mbps, or resized down, throughput is capped there even though the on-premises link and the 2 Gbps ordered from the partner are idle; verify the attachment's bandwidth in the console or with gcloud and compare it with what the partner provisioned on their side.

The distractors do not fit the symptom: a wrong partner ASN (B) would keep the BGP session from forming at all, so you would see no traffic rather than slow traffic; a 1500-byte MTU (C) is a normal setting and does not cut throughput by 75%; and missing BGP multipath on the on-premises router (D) only matters when there is more than one attachment to spread traffic across.

109
MCQhard

An on-premises DNS server is configured to forward queries for a private zone in GCP. They set up inbound DNS forwarding from on-prem to GCP using Cloud DNS forwarding. What must be configured on the VPC?

A.DNS peering zone
B.Outbound DNS server policy
C.Inbound DNS server policy
D.Private zone with an authoritative name server
AnswerC

Correct. Inbound policy allows on-prem to forward to GCP.

Why this answer

Inbound DNS forwarding requires a Cloud DNS inbound server policy that specifies the VPC and the IP addresses of the on-premises DNS resolvers.

110
MCQeasy

A company needs to connect multiple on-premises sites and cloud VPCs in a hub-and-spoke topology using a fully managed service. Which Google Cloud service should they use?

A.VPC Network Peering
B.Cloud Interconnect
C.Cloud VPN
D.Network Connectivity Center
AnswerD

NCC is designed for hub-and-spoke topologies, connecting VPCs and on-premises networks via a single hub.

Why this answer

Network Connectivity Center (NCC) provides a hub-and-spoke model for connecting on-premises networks and VPCs, reducing configuration complexity.

111
MCQmedium

An engineer needs to configure a Cloud Router for a VPN tunnel to an on-premises network. The on-premises BGP ASN is 64512. Which ASN should the engineer assign to the Cloud Router?

A.64512
B.64513
C.Any public ASN
D.0
AnswerB

A different private ASN avoids conflict and allows BGP peering.

Why this answer

The Cloud Router and its BGP peer must use different ASNs, since the session is eBGP. Cloud Router accepts the 16-bit private range 64512 to 65534 and the 32-bit private range 4200000000 to 4294967294; ASN 16550 is reserved for Partner Interconnect and must be used there. 64512 is the value the console proposes by default, so when the on-premises side already uses it, pick another private ASN such as 64513. Public ASNs (C) are not needed, and 0 (D) is not a valid ASN.

112
MCQeasy

An organization wants to connect multiple on-premises sites to multiple VPCs in GCP using a hub-and-spoke model. Which GCP service provides a centralized hub for managing such connectivity?

A.Cloud Router
B.Network Connectivity Center
C.VPC Peering
D.Cloud VPN
AnswerB

NCC provides hub-and-spoke connectivity.

Why this answer

Network Connectivity Center (NCC) is designed for hub-and-spoke topologies, connecting on-premises networks and VPCs through a hub.

113
MCQmedium

You are configuring Cloud Router for BGP sessions with an on-premises router. You need to ensure that the on-premises network can reach Google Cloud services using the advertiser’s IP addresses. Which option should you configure on the Cloud Router?

A.Set the global routing mode
B.Configure custom route exchange in VPC Peering
C.Enable VPC Flow Logs
D.Advertise all subnets visible by the Cloud Router
AnswerD

This ensures on-premises knows the VPC subnets.

Why this answer

Option D is correct because the Cloud Router's BGP advertisement settings are what determine which GCP prefixes the on-premises router learns. In the default advertisement mode Cloud Router advertises all subnet ranges of its VPC (all regions when the VPC uses global dynamic routing, only its own region otherwise), which is what the on-premises network needs in order to reach instances and internal load balancers by their internal addresses. Additional ranges that are not subnets, such as the restricted or private Google API VIPs used with Private Google Access, are not included by default and must be added as custom route advertisements on the router or BGP session.

Exam trap

The trap here is that candidates often confuse 'advertising all subnets' with 'global routing mode' or 'VPC peering route exchange,' thinking that enabling global routing or peering will automatically propagate service IPs to on-premises, when in fact Cloud Router's BGP advertisement settings are the specific mechanism required.

How to eliminate wrong answers

Option A is wrong because global routing mode is a VPC-level setting that controls whether dynamic routes are applied globally or per-region, but it does not affect which IP prefixes are advertised to on-premises via BGP. Option B is wrong because custom route exchange in VPC Peering is used to exchange routes between peered VPCs, not to advertise routes to an on-premises network via Cloud Router. Option C is wrong because VPC Flow Logs capture network traffic metadata for monitoring and troubleshooting; they have no role in BGP route advertisement or enabling on-premises reachability to Google Cloud services.

114
Multi-Selecteasy

A company is planning IP address ranges for a new VPC that will be peered with an existing VPC (10.1.0.0/16) and connected to an on-premises network (172.16.0.0/12). Which three considerations should they follow to avoid IP overlap? (Choose THREE.)

Select 3 answers
A.Use an RFC 1918 private IP range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16).
B.Use a subnet size of /16 or larger to provide ample IP addresses.
C.Avoid using the same IP range used by other VPCs in the organization.
D.Ensure the new VPC's CIDR does not overlap with 10.1.0.0/16 or 172.16.0.0/12.
E.Allocate public IP addresses for private use to ensure uniqueness.
AnswersA, C, D

Private ranges are required for internal communication.

Why this answer

IP addresses must be unique across connected networks; using RFC 1918 private ranges is standard; avoiding overlapping with on-premises and peered VPC ranges is critical.
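The overlap rules behind this question, the 10.1.0.0/16-inside-10.0.0.0/8 trap, the peering failure for identical /16s, the GKE secondary-range planning item, and the subnet-conflict reason a learned BGP prefix is dropped (the troubleshooting question above) can all be checked mechanically before a VPC is created. Added example for this page, not Google tooling; all CIDRs are constructed for illustration.

```python
"""Added example (not Google tooling): validate a VPC address plan before it
is peered or connected to on-premises, and check whether a BGP-learned prefix
would be installed next to the VPC's subnet ranges.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects ranges with host bits set, e.g. "10.1.4.1/22"
    return ipaddress.ip_network(cidr, strict=True)


def check_plan(primary: str, secondaries: Dict[str, str],
               connected: Dict[str, str]) -> List[str]:
    """Return findings for a subnet plan; an empty list means it is clean.

    primary      the subnet's primary range (VM addresses)
    secondaries  name -> CIDR for GKE pod and service ranges
    connected    name -> CIDR of every network this VPC will be joined to:
                 on-premises, peered VPCs, and 10.128.0.0/9 if an auto mode
                 VPC is among them (all auto mode subnets come from it)
    """
    findings: List[str] = []
    ranges = {"primary": _net(primary)}
    ranges.update({f"secondary {n}": _net(c) for n, c in secondaries.items()})
    peers = {n: _net(c) for n, c in connected.items()}

    for label, rng in ranges.items():
        # The page's best practice is RFC 1918. GCP also permits other ranges
        # (100.64.0.0/10 is common for GKE pods), so this is a warning only.
        if not any(rng.subnet_of(r) for r in RFC1918):
            findings.append(f"{label} {rng}: not within an RFC 1918 range")
        # Any overlap with a connected network, including a more specific
        # range inside a broader one, breaks routing between the two.
        for pname, pnet in peers.items():
            if rng.overlaps(pnet):
                findings.append(f"{label} {rng}: overlaps {pname} {pnet}")

    # Primary and secondary ranges of one subnet must not overlap each other.
    for (la, a), (lb, b) in combinations(ranges.items(), 2):
        if a.overlaps(b):
            findings.append(f"{la} {a}: overlaps {lb} {b}")
    return findings


def learned_route_accepted(prefix: str, subnet_ranges: List[str]) -> bool:
    """Whether a prefix learned over BGP gets installed as a dynamic route.

    Google Cloud does not install a dynamic route whose destination exactly
    matches or is more specific than a subnet range (primary or secondary)
    in the VPC; subnet routes always win. A broader prefix is installed and
    simply loses to the subnet route for the part they share.
    """
    p = _net(prefix)
    return not any(p.subnet_of(_net(s)) for s in subnet_ranges)


# Constructed plan: /20 for VMs, /16 pods, /20 services, joined to an
# on-premises 172.16.0.0/12 and a peered VPC that already uses 10.1.0.0/16.
GOOD_PLAN = dict(
    primary="10.10.0.0/20",
    secondaries={"pods": "10.20.0.0/16", "services": "10.21.0.0/20"},
    connected={"on-prem": "172.16.0.0/12", "peered-vpc": "10.1.0.0/16"},
)

if __name__ == "__main__":
    for line in check_plan(**GOOD_PLAN) or ["plan is clean"]:
        print(line)
    # The trap from the exam: a /22 carved out of the peered VPC's /16.
    for line in check_plan("10.1.4.0/22", {"pods": "10.1.4.0/24"},
                           {"peered-vpc": "10.1.0.0/16"}):
        print(line)
```

Feed it the real on-premises and peered ranges (and 10.128.0.0/9 if any auto mode VPC is involved) and keep the result empty before running any gcloud compute networks subnets create; the learned_route_accepted check is the first thing to try when a BGP session is up but a prefix from on-premises never appears in the Cloud Router's learned routes.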

115
MCQeasy

An organization needs to connect two VPCs in different projects so that all subnets can communicate using internal IPs, but the connection must not be transitive (i.e., VPC A cannot use VPC B's connection to reach VPC C). Which GCP networking feature should they use?

A.Cloud VPN
B.VPC Network Peering
C.Shared VPC
D.Dedicated Interconnect
AnswerB

VPC peering is non-transitive and directly connects two VPCs without routing through a third.

Why this answer

VPC Network Peering directly connects two VPCs and is non-transitive. Shared VPC is a single VPC whose subnets are shared with service projects, not a connection between two VPCs; Cloud VPN and Dedicated Interconnect are hybrid connectivity options.

116
MCQmedium

A company is designing a hybrid network using HA VPN with two external IP VPN gateways and four IKEv2 tunnels with BGP dynamic routing. They want to maintain connectivity during a zonal failure. What is the minimum number of Cloud VPN gateways needed in GCP?

A.8 Cloud VPN gateways
B.4 Cloud VPN gateways
C.2 Cloud VPN gateways
D.1 Cloud VPN gateway
AnswerD

One HA VPN gateway has two interfaces, each with its own external IP address and placed in a separate failure domain; tunnels from both interfaces give the required redundancy.

Why this answer

An HA VPN gateway has two interfaces with two external IP addresses. With one tunnel from each interface to each of the two peer gateways (four tunnels in total), a single gateway survives the loss of one interface and qualifies for the 99.99% availability SLA; additional gateways are unnecessary.

117
MCQeasy

A company wants to connect two VPCs in the same region so that they can communicate using internal IP addresses without transiting the internet. They have no overlapping IP ranges. Which GCP networking feature should they use?

A.Cloud VPN
B.Cloud NAT
C.Cloud Interconnect
D.VPC peering
AnswerD

VPC peering enables private connectivity between VPCs using internal IPs.

Why this answer

VPC peering allows two VPCs to communicate using internal IPs without a VPN or internet gateway, as long as there is no IP overlap.

118
MCQmedium

A company is planning a hybrid cloud architecture with GCP. They need a dedicated, high-bandwidth connection from their on-premises data center to GCP with 99.99% SLA and the ability to scale beyond 10 Gbps. Which connection type should they choose?

A.Dedicated Interconnect
B.Classic VPN
C.HA VPN
D.Partner Interconnect
AnswerA

Dedicated Interconnect provides 10 Gbps or 100 Gbps links, a 99.99% SLA in the redundant topology, and scales beyond 10 Gbps by adding connections.

Why this answer

Dedicated Interconnect provides a direct, private physical connection between an on-premises data center and Google Cloud, supporting 10 Gbps or 100 Gbps per link. The 99.99% SLA applies to the recommended redundant topology (at least four connections across two metropolitan areas, each metro using two edge availability domains; two connections in one metro qualify for 99.9%). Capacity scales beyond 10 Gbps by adding 10 Gbps or 100 Gbps circuits, meeting both the bandwidth and the availability requirement.

Exam trap

The exam often tests the misconception that HA VPN can match Dedicated Interconnect's bandwidth and SLA. HA VPN tunnels carry up to 3 Gbps each and run over the public internet, so HA VPN is not a dedicated high-bandwidth connection however many tunnels are added.

How to eliminate wrong answers

Option B (Classic VPN) is wrong because it uses IPsec tunnels over the public internet, carries only a 99.9% SLA and is limited to about 3 Gbps per tunnel; it meets neither the 99.99% nor the >10 Gbps requirement. Option C (HA VPN) is wrong because, although it offers a 99.99% SLA when both interfaces have tunnels, it still rides the public internet and is limited to 3 Gbps per tunnel, so exceeding 10 Gbps would mean stacking many tunnels rather than having a dedicated link. Option D (Partner Interconnect) is wrong because it runs over a service provider's infrastructure rather than a dedicated physical circuit to Google, and the bandwidth available per VLAN attachment depends on what the partner offers; it can reach 99.99% with redundant attachments, but it is not the dedicated connection the question asks for.

119
MCQeasy

A company wants to resolve DNS queries for a private zone (e.g., example.internal) from multiple service projects using the same host project's Cloud DNS private zone. Which feature should they use?

A.Shared VPC
B.DNS peering
C.DNS forwarding
D.Create a public zone
AnswerB

Peering enables cross-project DNS resolution.

Why this answer

DNS peering lets VPC networks in other projects (the service projects) resolve a Cloud DNS private zone that is authorized for the host project's VPC, without requiring Shared VPC or any network connectivity between the networks. Each service project creates a peering zone for example.internal whose target is the host project's VPC network; queries matching that suffix are then answered according to the host VPC's resolution order, where the private zone is authoritative. The zone data stays in one centrally managed place.

Exam trap

The trap here is that candidates often confuse Shared VPC with DNS resolution, assuming that network connectivity automatically enables DNS resolution across projects, but DNS peering is a separate configuration required for private zone resolution.

How to eliminate wrong answers

Option A is wrong because Shared VPC provides network connectivity and resource sharing across projects; a private zone is resolvable only in the VPC networks it is authorized for, so a zone attached to a different network in the host project still needs DNS peering to be reachable from the service projects. Option C is wrong because DNS forwarding sends queries to an external DNS server (e.g., on-premises or a custom resolver), not to a private zone in another Google Cloud project. Option D is wrong because creating a public zone would expose the internal DNS records to the internet, defeating the purpose of a private zone and introducing security risks.

120
Multi-Selectmedium

A company is designing IP address plans for multiple VPCs that will be connected via VPC Network Peering and to an on-premises network via HA VPN with dynamic routing. Which three practices should be followed to avoid IP address conflicts?

Select 3 answers
A.Use only public IP addresses for all GCP resources
B.Reserve IP ranges for future VPCs and on-premises expansion
C.Use non-overlapping CIDR blocks for each VPC subnet
D.Document the IP address plan and share it across teams
E.Use the same IP range for all VPCs to simplify management
AnswersB, C, D

Planning ahead avoids renumbering later.

Why this answer

To avoid overlap, use a unique, non-overlapping private CIDR block per VPC, reserve address space for future VPCs and on-premises growth, and document every allocation so teams do not reuse a block. Non-overlapping RFC 1918 ranges are what make both the peering routes and the BGP routes over HA VPN unambiguous.
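A worked check for the IP planning questions above (114 and 120), added here as an example and not part of the question bank. It uses Python's ipaddress module to test each proposed VPC range for RFC 1918 membership and for overlap with the ranges already in use and with the other proposals, and finds the next free block for a reservation. The peered VPC (10.1.0.0/16) and on-premises (172.16.0.0/12) ranges come from question 114; every other name and range is constructed for the example.

```python
"""IP plan overlap checker (added example, not from the question bank)."""
import ipaddress
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges already committed. 10.1.0.0/16 and 172.16.0.0/12 are from question 114;
# the management VPC and the growth reservation are constructed for this example.
IN_USE: Dict[str, str] = {
    "vpc-existing": "10.1.0.0/16",
    "on-prem": "172.16.0.0/12",
    "vpc-mgmt": "10.0.0.0/16",
    "reserved-growth": "10.2.0.0/15",
}

# Proposed allocations (constructed): two collide, one is fine, one is CGNAT space.
CANDIDATES: Dict[str, str] = {
    "vpc-prod": "10.1.128.0/17",
    "vpc-dev": "172.20.0.0/16",
    "vpc-shared": "10.10.0.0/16",
    "vpc-cgnat": "100.64.0.0/16",
}


def is_rfc1918(cidr: str) -> bool:
    """True if the whole block lies inside one of the three RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def find_conflicts(candidate: str, in_use: Dict[str, str]) -> List[str]:
    """Names of in-use ranges that overlap the candidate in either direction
    (partial overlap, candidate inside an existing block, or existing block inside it)."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return [name for name, cidr in in_use.items()
            if cand.overlaps(ipaddress.ip_network(cidr))]


def validate_plan(candidates: Dict[str, str], in_use: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each candidate name to its list of problems; an empty list means it can be allocated."""
    report: Dict[str, List[str]] = {}
    for name, cidr in candidates.items():
        problems: List[str] = []
        if not is_rfc1918(cidr):
            problems.append("not an RFC 1918 range")
        for other in find_conflicts(cidr, in_use):
            problems.append(f"overlaps {other} ({in_use[other]})")
        # Proposals must not collide with each other either.
        others = {k: v for k, v in candidates.items() if k != name}
        for other in find_conflicts(cidr, others):
            problems.append(f"overlaps proposed {other} ({others[other]})")
        report[name] = problems
    return report


def next_free(prefix_len: int, within: str, in_use: Dict[str, str]) -> str:
    """First /prefix_len block inside `within` that overlaps nothing already in use."""
    for block in ipaddress.ip_network(within).subnets(new_prefix=prefix_len):
        if not find_conflicts(str(block), in_use):
            return str(block)
    raise ValueError(f"no free /{prefix_len} left in {within}")


if __name__ == "__main__":
    for name, problems in validate_plan(CANDIDATES, IN_USE).items():
        print(f"{name:12} {CANDIDATES[name]:18} {'OK' if not problems else '; '.join(problems)}")
    print("next free /16 in 10.0.0.0/8:", next_free(16, "10.0.0.0/8", IN_USE))
```

Running it reports vpc-prod colliding with the peered VPC, vpc-dev colliding with on-premises, vpc-cgnat outside RFC 1918, and 10.4.0.0/16 as the next free /16; feeding it the real plan before creating subnets is cheaper than renumbering after a peering refuses to activate.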

121
MCQhard

An engineer configures a Cloud Router with BGP to advertise a custom learned route for 10.0.0.0/8 to an on-premises router. The on-premises router also receives the same prefix from another path with a lower MED. Which route will the on-premises router prefer?

A.Both routes are used for load balancing
B.The on-premises router will ignore MED and prefer the route with higher local preference
C.The route advertised by Cloud Router
D.The route from the other path with lower MED
AnswerD

Lower MED is preferred, provided both routes come from the same neighboring AS.

Why this answer

BGP prefers the lowest MED among routes received from the same neighboring AS (which the intended answer assumes here). Because the on-premises router receives 10.0.0.0/8 over two paths and the other path carries the lower MED, that route wins. Cloud Router encodes its advertised route priority (base value 100) as the MED, so its advertisement is the less preferred one, making option D correct.

Exam trap

The exam often tests the misconception that MED is always compared regardless of AS path. The trap is that candidates forget MED is only considered when the routes originate from the same neighboring AS, and so assume either that the Cloud Router's route is preferred or that both routes are used.

How to eliminate wrong answers

Option A is wrong because BGP does not load-balance by default; it selects a single best path, and multipath must be configured explicitly. Option B is wrong because, although local preference is evaluated before MED, the question gives no difference in local preference, so MED is the deciding attribute; MED is skipped only when the routes come from different ASes (or the router is configured to always compare MED), which the question does not state. Option C is wrong because the Cloud Router's route is not automatically preferred; the lower MED from the other path wins the BGP decision process.
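The decision process the answer relies on, as an added example that is not part of the question bank. The code implements the common BGP best-path steps (local preference, AS path length, origin, MED, eBGP over iBGP, lowest router ID) with the MED step guarded by the same-neighboring-AS rule, then runs it over three constructed routes for 10.0.0.0/8: one from Cloud Router with its base priority 100 as MED, one with MED 50 from the same AS, and one with MED 50 from a different AS. The ASNs, router IDs and the MED values are assumptions; Cisco-specific weight is left out.

```python
"""Simplified BGP best-path selection (added example, not from the question bank)."""
from dataclasses import dataclass, field
from typing import List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Route:
    prefix: str
    neighbor: str          # label for the peer the route was learned from
    neighbor_as: int       # ASN of that peer
    med: int               # Cloud Router encodes its route priority here (base 100)
    as_path: List[int] = field(default_factory=list)
    local_pref: int = 100
    origin: str = "igp"
    ebgp: bool = True
    router_id: str = "0.0.0.0"


def _rid(r: Route) -> Tuple[int, ...]:
    return tuple(int(o) for o in r.router_id.split("."))


def compare(a: Route, b: Route, always_compare_med: bool = False) -> Tuple[Route, str]:
    """Return (preferred route, deciding step) for two routes to the same prefix."""
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "higher local preference"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "shorter AS path"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "better origin"
    # MED is compared only between routes from the same neighboring AS, unless the
    # router is configured to always compare it (Cisco: 'bgp always-compare-med').
    if a.med != b.med and (a.neighbor_as == b.neighbor_as or always_compare_med):
        return (a if a.med < b.med else b), "lower MED"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "eBGP over iBGP"
    if _rid(a) != _rid(b):
        return (a if _rid(a) < _rid(b) else b), "lowest router ID"
    return a, "tie: first route kept"


def best_path(routes: List[Route], always_compare_med: bool = False) -> Route:
    """Reduce a list of candidate routes to the single best path."""
    best = routes[0]
    for r in routes[1:]:
        best, _ = compare(best, r, always_compare_med)
    return best


# Constructed routes for 10.0.0.0/8 as seen by the on-premises router.
# CLOUD_ROUTER and SAME_AS_PATH both arrive from AS 64512 (two tunnels to the same
# Cloud Router ASN); OTHER_AS_PATH arrives from a different AS with the same low MED.
CLOUD_ROUTER = Route("10.0.0.0/8", "cloud-router", 64512, med=100, as_path=[64512], router_id="169.254.0.1")
SAME_AS_PATH = Route("10.0.0.0/8", "tunnel-2", 64512, med=50, as_path=[64512], router_id="169.254.0.2")
OTHER_AS_PATH = Route("10.0.0.0/8", "dc-core", 65100, med=50, as_path=[65100], router_id="192.0.2.2")

if __name__ == "__main__":
    for label, routes in (("same AS", [CLOUD_ROUTER, SAME_AS_PATH]),
                          ("different AS", [CLOUD_ROUTER, OTHER_AS_PATH])):
        winner, why = compare(*routes)
        print(f"{label:13} -> {winner.neighbor} ({why})")
```

With both routes from AS 64512 the lower MED wins, as the answer says; with the second route from AS 65100 the MED step is skipped entirely and the tie falls through to the router ID, which is exactly the case the exam trap describes.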

122
MCQeasy

A company wants to create a new VPC for a production environment. They need predictable IP addresses and want to avoid any automatic subnet creation. Which type of VPC should they use?

A.Legacy VPC
B.Custom mode VPC
C.Shared VPC
D.Auto mode VPC
AnswerB

Custom mode VPCs allow manual subnet creation, providing predictable IP addresses and full control.

Why this answer

Custom mode VPCs do not create subnets automatically, giving full control over IP ranges.

123
MCQmedium

An organization has multiple VPCs in different projects that need to share subnets to create a common network segment. They want central control over network administration while allowing individual project teams to deploy resources. Which approach should they use?

A.VPN tunnels connecting all VPCs
B.VPC Network Peering between all VPCs
C.Creating a single VPC in one project and granting IAM permissions to other projects
D.Shared VPC with a host project and service projects
AnswerD

Shared VPC allows central administration and subnet sharing, meeting the need for a common network segment.

Why this answer

Shared VPC allows a host project to share subnets with service projects, providing central network administration while allowing teams to deploy resources independently.

124
MCQhard

An engineer is troubleshooting a VPC Network Peering connection between VPC-A and VPC-B. They have verified that the peering is active. However, an instance in VPC-A cannot reach an instance in VPC-B using its internal IP. Both VPCs have firewall rules allowing the traffic. What is the most likely cause?

A.The firewall rules are not applied to the correct tags
B.The subnet IP ranges overlap
C.The instance in VPC-A does not have a default route
D.Custom routes are not being exchanged between the VPCs
AnswerD

By default only subnet routes cross a peering; custom routes need 'export custom routes' on the side that owns them and 'import custom routes' on the other side.

Why this answer

When a VPC Network Peering is active but traffic still fails, check which routes are actually being exchanged. Subnet routes are always exchanged, but custom routes (static routes and dynamic routes learned by Cloud Router) cross the peering only when the owning VPC exports them and the other VPC imports them; both flags are off by default. If the address of the instance in VPC-B is covered only by such a route, VPC-A has no route to it and the packet is dropped before any firewall rule is consulted.

Exam trap

The trap here is that candidates assume an active peering status guarantees full route exchange, but the exam tests the nuance that custom routes are not shared by default and require explicit export and import settings.

How to eliminate wrong answers

Option A is wrong because firewall rules are evaluated after routing; if there is no route to the destination, the packet is dropped before any firewall rule is checked, so tag misapplication would not be the primary cause. Option B is wrong because overlapping subnet IP ranges would prevent the peering from being established or cause routing conflicts, but the question states the peering is active, so overlapping ranges are not the issue. Option C is wrong because a default route (0.0.0.0/0) is used for internet-bound traffic, not for traffic within a VPC peering; the instance needs a specific route to the peered VPC's subnet, not a default route.
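A model of the route exchange the answer to question 124 depends on, added as an example and not part of the question bank. It reproduces the two rules that matter: subnet routes cross an active peering unconditionally, while custom routes cross only when the owning VPC exports them and the receiving VPC imports them. The lookup does a longest-prefix match over local and peered routes, and the diagnose helper states the fix in the terms of the question. The VPC names, subnets and the on-premises range held as a custom route in VPC-B are constructed.

```python
"""Which routes cross a VPC Network Peering (added example, not from the question bank)."""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class Vpc:
    name: str
    subnets: List[str]
    custom_routes: List[str] = field(default_factory=list)  # static + Cloud Router dynamic routes
    export_custom_routes: bool = False                       # both flags are off by default
    import_custom_routes: bool = False


def routes_learned_from_peer(local: Vpc, peer: Vpc) -> List[str]:
    """Subnet routes cross an ACTIVE peering unconditionally; custom routes cross only
    when the owning side exports them and the receiving side imports them."""
    learned = list(peer.subnets)
    if peer.export_custom_routes and local.import_custom_routes:
        learned.extend(peer.custom_routes)
    return learned


def lookup(dest: str, local: Vpc, peer: Vpc) -> Optional[str]:
    """Longest-prefix match over local subnet routes, local custom routes and routes
    learned over the peering. Returns 'prefix via source', or None when no route exists
    (the packet is then dropped before any firewall rule is evaluated)."""
    ip = ipaddress.ip_address(dest)
    table = ([(n, "local subnet") for n in local.subnets]
             + [(n, "local custom route") for n in local.custom_routes]
             + [(n, f"peering {peer.name}") for n in routes_learned_from_peer(local, peer)])
    matches = [(ipaddress.ip_network(n), src) for n, src in table if ip in ipaddress.ip_network(n)]
    if not matches:
        return None
    net, src = max(matches, key=lambda m: m[0].prefixlen)
    return f"{net} via {src}"


def diagnose(dest: str, local: Vpc, peer: Vpc) -> str:
    """Explain why dest is or is not reachable from local through the peering."""
    for a in local.subnets:
        for b in peer.subnets:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                return f"subnets {a} and {b} overlap; the peering could not become ACTIVE"
    route = lookup(dest, local, peer)
    if route:
        return f"reachable: {route}"
    ip = ipaddress.ip_address(dest)
    if any(ip in ipaddress.ip_network(n) for n in peer.custom_routes):
        return (f"{dest} is covered only by a custom route in {peer.name}: enable "
                f"export-custom-routes on {peer.name} and import-custom-routes on {local.name}")
    return f"no route to {dest} in {local.name} or via {peer.name}"


# Constructed topology: VPC-B also holds a dynamic route to an on-premises range learned
# over its own HA VPN, the case in which custom-route exchange actually matters.
VPC_A = Vpc("vpc-a", subnets=["10.10.0.0/16"])
VPC_B = Vpc("vpc-b", subnets=["10.20.0.0/16"], custom_routes=["192.168.50.0/24"])
VPC_A_IMPORT = replace(VPC_A, import_custom_routes=True)
VPC_B_EXPORT = replace(VPC_B, export_custom_routes=True)

if __name__ == "__main__":
    print(diagnose("10.20.0.5", VPC_A, VPC_B))                    # subnet route: works by default
    print(diagnose("192.168.50.7", VPC_A, VPC_B))                 # custom route: not exchanged
    print(diagnose("192.168.50.7", VPC_A_IMPORT, VPC_B_EXPORT))   # works once both flags are set
```

Note that import on one side without export on the other still yields no route; when troubleshooting, check both peering objects, not just the one in the project you happen to be working in.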

125
MCQeasy

An organization wants to connect two VPCs in different projects so that they can communicate using private IPs. The connection must not be transitive. Which solution meets these requirements?

A.Cloud Interconnect
B.Shared VPC
C.VPC Network Peering
D.Cloud VPN
AnswerC

Peering provides direct, non-transitive connectivity between two VPCs.

Why this answer

VPC Network Peering directly connects two VPCs and is non-transitive by default.

126
MCQhard

An organization has multiple VPCs in different projects that need to resolve DNS names across projects. They want to use Cloud DNS without creating a separate managed zone for each VPC. Which feature should they use?

A.Private managed zones
B.Shared VPC
C.DNS peering
D.DNS forwarding
AnswerC

DNS peering enables cross-project DNS resolution by peering zones.

Why this answer

DNS peering allows DNS resolution between projects without creating separate managed zones. DNS forwarding is for forwarding queries to an external DNS server.

127
MCQeasy

A developer needs to create a subnet for GKE pods that will be used by a cluster. They need to specify a secondary IP range for pods. What is the purpose of the 'purpose' field when creating a subnet?

A.It enables private Google access
B.It indicates the subnet is used for GKE pods or services
C.It defines whether the subnet is auto or custom
D.It sets the region for the subnet
AnswerB

When creating a subnet, purpose declares what the subnet is used for (the standard value is 'PRIVATE_RFC_1918'); GKE pod and service addresses are then taken from secondary ranges defined on that subnet.

Why this answer

The purpose field determines how the subnet may be used. For a GKE cluster you create a subnet with the standard private purpose ('PRIVATE_RFC_1918'), attach secondary ranges for pods and services, and point the cluster at those ranges.

128
MCQmedium

A team is configuring a Cloud Router for a Dedicated Interconnect VLAN attachment. They need to set up BGP sessions. Which of the following is a required parameter when creating a BGP peer on the Cloud Router?

A.Peer ASN
B.Route priority (MED)
C.VLAN ID
D.Peer IP address
AnswerA

The BGP peer must have a peer ASN configured.

Why this answer

The peer ASN is required to define the BGP session; the Cloud Router's own ASN is set at the router level, the VLAN ID belongs to the VLAN attachment, and route priority (MED) is optional.

129
MCQeasy

A company wants to run a DNS resolution service for their hybrid cloud environment. They need on-premises servers to resolve GCP private VM hostnames, and GCP VMs to resolve on-premises hostnames. Which Google Cloud service should they use?

A.Cloud DNS public zone
B.Cloud DNS private zone with DNS peering
C.Cloud NAT
D.Cloud DNS with inbound and outbound DNS forwarding
AnswerD

Inbound forwarding allows on-prem to query GCP private zones; outbound forwarding allows GCP to query on-prem DNS.

Why this answer

Cloud DNS with inbound and outbound DNS forwarding enables bidirectional DNS resolution between on-premises and GCP.
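A small model of how Cloud DNS decides where a query goes, added as an example (not part of the question bank) to tie together questions 119, 126 and 129. It reproduces the rules those questions rely on: a VPC's private, forwarding and peering zones are matched by longest suffix; a peering zone hands the query to the target VPC's resolution order, but a peering zone found there is not followed (DNS peering is not transitive); a forwarding zone sends the query to on-premises name servers; an outbound server policy bypasses all zones; and on-premises resolvers can only query a VPC that has an inbound server policy. VPC names, zone contents and addresses are constructed, and the on-premises answers are simulated by a dict rather than real DNS traffic.

```python
"""Toy model of Cloud DNS resolution order (added example, not from the question bank)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Simulated on-premises DNS content (constructed); real queries would go to port 53.
ONPREM_RECORDS = {"db01.corp.example": "172.16.5.10"}


@dataclass
class Zone:
    kind: str                                                # "private", "forwarding" or "peering"
    records: Dict[str, str] = field(default_factory=dict)    # private zone data
    targets: List[str] = field(default_factory=list)         # forwarding: on-prem name servers
    target_vpc: Optional["Vpc"] = None                       # peering: VPC whose order we borrow


@dataclass
class Vpc:
    name: str
    zones: Dict[str, Zone] = field(default_factory=dict)     # suffix -> zone authorized here
    inbound_server_policy: bool = False                      # gives on-prem an address to query
    outbound_server_policy: List[str] = field(default_factory=list)  # alternative name servers


def _longest_suffix(name: str, zones: Dict[str, Zone]) -> Optional[str]:
    hits = [s for s in zones if name == s or name.endswith("." + s)]
    return max(hits, key=len) if hits else None


def resolve(name: str, vpc: Vpc, via_peering: bool = False) -> Tuple[Optional[str], str]:
    """Return (answer, path) for a query issued by a VM in `vpc`."""
    if vpc.outbound_server_policy:        # every query bypasses Cloud DNS zones
        return ONPREM_RECORDS.get(name), f"outbound policy in {vpc.name} -> {vpc.outbound_server_policy[0]}"
    suffix = _longest_suffix(name, vpc.zones)
    if suffix is None:
        return None, f"no zone in {vpc.name} matches; falls through to internal/public DNS"
    zone = vpc.zones[suffix]
    if zone.kind == "private":
        return zone.records.get(name), f"private zone {suffix} in {vpc.name}"
    if zone.kind == "forwarding":
        return ONPREM_RECORDS.get(name), f"forwarding zone {suffix} in {vpc.name} -> {zone.targets[0]}"
    if via_peering:                       # DNS peering is not transitive
        return None, f"peering zone {suffix} in {vpc.name} not followed (reached via peering)"
    answer, path = resolve(name, zone.target_vpc, via_peering=True)
    return answer, f"peering zone {suffix} in {vpc.name} -> {path}"


def resolve_from_onprem(name: str, vpc: Vpc) -> Tuple[Optional[str], str]:
    """An on-premises resolver can only forward to a VPC that has an inbound server policy."""
    if not vpc.inbound_server_policy:
        return None, f"{vpc.name} has no inbound server policy; nothing to query"
    answer, path = resolve(name, vpc)
    return answer, f"inbound forwarder of {vpc.name} -> {path}"


# Constructed hub-and-spoke setup: the host VPC owns the private zone and the forwarding
# zone to on-premises; a service VPC reaches both through a peering zone per suffix.
HOST_VPC = Vpc("host-vpc", zones={
    "example.internal": Zone("private", records={"app.example.internal": "10.10.0.5"}),
    "corp.example": Zone("forwarding", targets=["172.16.0.53"]),
}, inbound_server_policy=True)
SVC_VPC = Vpc("svc-vpc", zones={
    "example.internal": Zone("peering", target_vpc=HOST_VPC),
    "corp.example": Zone("peering", target_vpc=HOST_VPC),
})
THIRD_VPC = Vpc("third-vpc", zones={"example.internal": Zone("peering", target_vpc=SVC_VPC)})

if __name__ == "__main__":
    for vpc, q in ((SVC_VPC, "app.example.internal"), (SVC_VPC, "db01.corp.example"),
                   (THIRD_VPC, "app.example.internal")):
        print(vpc.name, q, resolve(q, vpc))
    print("on-prem ->", resolve_from_onprem("app.example.internal", HOST_VPC))
    print("on-prem ->", resolve_from_onprem("app.example.internal", SVC_VPC))
```

The third VPC shows the practical limit: a peering zone that points at a VPC which itself only has a peering zone for the name gets no answer, so spokes must peer with the VPC that actually holds the private or forwarding zone, not with another spoke.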

130
MCQeasy

A company is creating a new VPC to host a set of microservices on Compute Engine. The network architect wants to minimize operational overhead and allow automatic subnet creation as new regions are added. Which VPC mode should be used?

A.Shared VPC
B.VPC Network Peering
C.Auto mode VPC
D.Custom mode VPC
AnswerC

Auto mode creates subnets automatically in each region as Google Cloud adds them, minimizing overhead.

Why this answer

Auto mode VPCs create one subnet per region from the fixed 10.128.0.0/9 block and add a subnet automatically whenever Google Cloud opens a new region, reducing operational overhead. Custom mode requires manual subnet creation. The fixed block is the known drawback: it frequently overlaps with other networks, so auto mode is a poor fit where peering or hybrid connectivity is expected.

131
Multi-Selectmedium

A company is using Network Connectivity Center (NCC) to connect multiple on-premises sites and GCP VPCs in a hub-and-spoke topology. Which TWO statements about NCC are correct?

Select 2 answers
A.NCC automatically propagates routes between all spokes.
B.NCC supports direct VPC-to-VPC peering without a hub.
C.NCC can only connect to on-premises networks via Dedicated Interconnect.
D.NCC requires all spokes to be in the same region.
E.NCC can connect VPCs from different projects as spokes.
AnswersA, E

NCC manages route propagation automatically in the hub.

Why this answer

NCC supports both VPC spokes and hybrid spokes (VPN/Interconnect). It does not support direct VPC-to-VPC peering; that's VPC peering. Route propagation is automatic within NCC.
