CCNA Pcne Hybrid Interconnect Questions

70 questions · Pcne Hybrid Interconnect topic · All types, answers revealed

1
Multi-Select · medium

A company wants to use BGP traffic engineering to control how traffic flows between GCP and their on-premises network over two Dedicated Interconnect connections. Which TWO BGP attributes can they use on Cloud Router? (Choose 2.)

Select 2 answers
A. BGP communities
B. MED (Multi-Exit Discriminator)
C. Weight
D. Local preference
E. AS path prepending
Answers: A, B

BGP communities can be used for traffic engineering with Cloud Router.

Why this answer

On Cloud Router, you can set MED (metric) on advertised routes to influence traffic. AS path prepending is not set directly on Cloud Router. BGP communities can also be used for tagging routes.

Weight is a Cisco-specific attribute, not available on Cloud Router.

2
MCQ · medium

Your company has a Partner Interconnect connection via a service provider that offers Layer 3 connectivity. The provider assigns an IP address on the VLAN attachment. Which VLAN attachment type should you use when creating the attachment in Google Cloud?

A. PARTNER_PROVIDER
B. VPN
C. PARTNER
D. DEDICATED
Answer: C

PARTNER is correct for Layer 3 connectivity where the partner provides IP addresses and routing.

Why this answer

When a service provider offers Layer 3 connectivity and assigns an IP address on the VLAN attachment, you must use the PARTNER attachment type. This type is specifically designed for Partner Interconnect with Layer 3 (routed) connections, where the provider manages the IP addressing and routing. PARTNER_PROVIDER is used for Layer 2 attachments where you assign your own IP addresses.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 attachments in Partner Interconnect, trapping candidates who confuse PARTNER_PROVIDER (Layer 2, customer-assigned IPs) with PARTNER (Layer 3, provider-assigned IPs).

How to eliminate wrong answers

Option A is wrong because PARTNER_PROVIDER is used for Layer 2 (VLAN) attachments where you must assign your own IP addresses and manage routing, not for Layer 3 provider-assigned IPs. Option B is wrong because VPN is a separate technology (IPsec tunnels over the internet) and is not a VLAN attachment type for Partner Interconnect. Option D is wrong because DEDICATED is used for Dedicated Interconnect (direct physical connections), not for Partner Interconnect via a service provider.

3
MCQ · easy

A company wants to connect their on-premises network to Google Cloud with a Dedicated Interconnect. They have already ordered a cross-connect from their co-location facility to a Google Point of Presence (PoP). What is the NEXT step to establish the connection?

A. Create a Cloud Router and BGP session
B. Run a ping test to verify connectivity
C. Configure BGP on the on-premises router
D. Create a VLAN attachment in Google Cloud
Answer: D

The VLAN attachment is the next logical step after the physical cross-connect is in place.

Why this answer

After the physical cross-connect is in place, the next step is to create a VLAN attachment in the Cloud Console or via gcloud. The VLAN attachment is the logical construct that represents the connection between the on-premises router and the Cloud Router.

4
MCQ · hard

An organization needs to set up a High Availability VPN (HA VPN) between their on-premises network and Google Cloud. They have created an HA VPN gateway with two interfaces and two external IP addresses. What is the next step to establish a functional VPN tunnel pair?

A. Create a VPN tunnel on interface 0 and use Cloud Router to automatically create the tunnel on interface 1.
B. Create two VPN tunnels, one for each interface, and configure a single BGP session shared between them.
C. Create two VPN tunnels, each with its own BGP session, and peer them with the on-premises VPN device.
D. Create a single VPN tunnel with BGP on interface 0, and use static routing on interface 1.
Answer: C

This is the correct configuration: two tunnels, each with its own BGP session.

Why this answer

HA VPN requires two tunnels (one per interface) to form a pair. Each tunnel requires a separate BGP session to provide redundancy.

5
MCQ · hard

A company uses High Availability VPN (HA VPN) with two tunnels and BGP to connect to an on-premises network. They notice traffic only flows through one tunnel. They want to ensure both tunnels are used simultaneously. What should they do?

A. Increase the MED value on the active tunnel to make it less preferred
B. Configure both tunnels with the same BGP AS number on the on-premises side
C. Configure static routes with equal cost for both tunnels
D. Enable equal-cost multipath (ECMP) on the Cloud Router
Answer: D

ECMP allows both VPN tunnels to be used simultaneously for traffic engineering.

Why this answer

To use both tunnels simultaneously, ECMP must be enabled in the VPC. By default, HA VPN with BGP uses active-passive if the on-premises router uses a lower local preference for one path. ECMP can be enabled on the Cloud Router.

6
MCQ · medium

An enterprise requires a hybrid connectivity solution that meets a 99.99% SLA. They plan to use Dedicated Interconnect. Which configuration satisfies the SLA requirement?

A. Two Partner Interconnect connections from different providers in the same metro area
B. Two Dedicated Interconnect connections in the same metro area with active-passive configuration
C. Single Dedicated Interconnect connection with two VLAN attachments
D. Two Dedicated Interconnect connections in different metro areas with active-active configuration
Answer: D

Two connections in different metro areas provide geographic redundancy and meet the 99.99% SLA.

Why this answer

Google's 99.99% SLA for Dedicated Interconnect requires two connections, each from a different metro area, configured for active-active or active-passive.

7
MCQ · hard

A company has two Dedicated Interconnect connections from different metro areas to Google Cloud. Both connections are active and they want to use both simultaneously for load balancing traffic. They have configured two VLAN attachments each with a Cloud Router and BGP sessions. How should they configure BGP to achieve active-active load sharing?

A. Set different local preference values on the Google Cloud Router
B. Configure the on-premises router to enable ECMP for the BGP routes
C. Use AS path prepending on one connection to make it less preferred
D. Assign different MED values to each connection to influence preference
Answer: B

ECMP on the on-premises router allows it to use both paths equally.

Why this answer

Equal-cost multipath (ECMP) requires that the routes from both connections have the same next-hop attribute and are learned via different BGP sessions. By default, Cloud Router advertises the same routes with the same MED and AS path. To enable ECMP, the on-premises router must be configured to accept multiple equal-cost paths.

The Cloud Router will automatically advertise routes with identical attributes when using separate VLAN attachments, and the on-premises router can then load balance.

8
MCQ · hard

A network engineer is setting up a Dedicated Interconnect with a 10 Gbps circuit. They need to achieve 99.99% availability SLA. Which of the following configurations meets the SLA requirements?

A. One 10 Gbps circuit and one VPN as backup
B. Two 10 Gbps circuits in different metro areas
C. Single 10 Gbps circuit in one metro area
D. Two 10 Gbps circuits in the same metro area
Answer: B

Two circuits in different metros meet the SLA requirement.

Why this answer

Google Cloud's 99.99% SLA for Dedicated Interconnect requires two connections from two different metro areas (redundant locations). Each connection must be 10 Gbps or more. Active-active or active-passive is acceptable, but the key is two circuits in different metros.

9
MCQ · hard

A company has deployed a Cloud VPN tunnel using route-based VPN (using IKEv2) and has configured BGP on the tunnel. The tunnel is up, but the BGP session is not establishing. What is a likely cause?

A. The BGP IP addresses are not reachable over the tunnel
B. IKE version mismatch
C. The pre-shared key is incorrect
D. The Cloud Router is not configured
Answer: A

Even if the tunnel is up, if the BGP IPs are misconfigured or not routed, BGP won't establish.

Why this answer

For route-based VPN tunnels, BGP peering requires that the Cloud VPN gateway and the on-premises router can reach each other's BGP IP addresses. The BGP IPs are typically link-local addresses derived from the tunnel's interface. If the BGP session is not establishing, common issues include incorrect BGP IP configuration, firewall rules blocking BGP (port 179), or the tunnel not passing traffic correctly.

10
MCQ · medium

A network engineer is configuring an HA VPN tunnel pair between an on-premises VPN device and Google Cloud. The engineer wants to use IKEv2 with pre-shared keys. After configuring both ends, the tunnels do not come up. The engineer sees 'IKE SA negotiation failed - no proposal chosen' in the logs. What is the most likely cause?

A. The encryption algorithm (e.g., AES256) or DH group (e.g., 14) does not match between the two ends.
B. The on-premises device is behind NAT and the VPN gateway does not support NAT traversal.
C. The IKE version on the on-premises device is set to IKEv1 while Cloud VPN expects IKEv2.
D. The pre-shared keys on both ends are different.
Answer: A

This is the classic cause of 'no proposal chosen' – the parameters for the IKE SA do not match.

Why this answer

This error typically indicates a mismatch in IKE proposal parameters such as encryption algorithm, integrity algorithm, DH group, or SA lifetime.

11
MCQ · hard

A company has two Dedicated Interconnect connections in the same metro area to meet the 99.99% SLA. One connection is active and the other is passive. During a maintenance window, the active connection goes down. The engineer expects traffic to fail over to the passive connection, but it does not. What is the most likely reason?

A. The SLA requires two circuits in different metro areas for failover.
B. The on-premises router is not configured to use the passive connection.
C. The passive connection is in a different metro area, causing higher latency.
D. The passive VLAN attachment does not have a BGP session configured with Cloud Router.
Answer: D

Without a BGP session, the passive connection has no routes to receive traffic. The VLAN attachment must be created and a BGP session established, even if the routes are less preferred via MED.

Why this answer

For failover to work with active-passive, the passive connection must have its own VLAN attachment and Cloud Router BGP session with the same routes, but with a higher MED value to be less preferred. If the VLAN attachment is not created, there is no path.

12
Multi-Select · medium

A company is planning a hybrid cloud connectivity strategy with Google Cloud. They need high bandwidth (10 Gbps) and low latency. They also want to avoid internet transit. Which TWO connectivity options meet these requirements? (Choose 2.)

Select 2 answers
A. CDN Interconnect
B. Partner Interconnect
C. Dedicated Interconnect
D. Direct Peering
E. Cloud VPN
Answers: B, C

Provides high bandwidth via a service provider without internet.

Why this answer

Dedicated Interconnect provides direct, high-bandwidth (up to 80 Gbps per circuit) physical connection with low latency, not over the internet. Partner Interconnect also provides high bandwidth via a service provider, often at 1 Gbps or 10 Gbps, and is not internet-based. VPN uses the internet and does not guarantee bandwidth or low latency.

13
Multi-Select · hard

A company has two Dedicated Interconnect connections in different metro areas to meet the 99.99% SLA. They want to ensure that traffic uses both connections in an active-active manner. Which three configurations are required? (Choose three.)

Select 3 answers
A. Configure BGP on both VLAN attachments with equal MED values.
B. Create a single VLAN attachment shared across both connections.
C. Set the VLAN attachments to use static routing instead of BGP.
D. Attach both VLAN attachments to the same Cloud Router.
E. Create two VLAN attachments, one for each connection.
Answers: A, D, E

Equal MED allows ECMP to distribute traffic across both connections.

Why this answer

For active-active, you need two VLAN attachments (one per connection), both attached to the same Cloud Router, and you must configure BGP on both attachments with the same route preferences (e.g., equal MED) to enable ECMP.

14
Multi-Select · medium

A network engineer is troubleshooting a VPN tunnel that is up but not passing traffic. The Cloud Router shows that BGP sessions are established, but routes are not being exchanged. Which two should the engineer check? (Choose two.)

Select 2 answers
A. Ensure that the firewall rules in the VPC allow traffic from the on-premises IP ranges.
B. Verify that the Cloud Router is using the correct ASN.
C. Verify that the on-premises VPN device is advertising the correct networks to Cloud Router.
D. Check that the Cloud VPN gateway has the correct pre-shared key configured.
E. Confirm that the VLAN attachment is of type PARTNER_PROVIDER.
Answers: A, C

Even with routes, firewall rules must permit the traffic.

Why this answer

Common issues: incorrect firewall rules blocking the traffic, or the route advertisements are not configured correctly (e.g., not advertising the correct prefixes).

15
Multi-Select · medium

A network engineer is configuring a route-based VPN tunnel between an on-premises network and Google Cloud using Cloud VPN. Which two statements are true about route-based VPN compared to policy-based VPN? (Choose two.)

Select 2 answers
A. Route-based VPNs automatically route traffic based on the routing table entries.
B. Route-based VPNs are less flexible than policy-based VPNs for traffic selection.
C. Route-based VPNs support dynamic routing protocols like BGP.
D. Route-based VPNs require static routes to be configured manually.
E. Route-based VPNs require separate security policies for each traffic flow.
Answers: A, C

Traffic is sent through the tunnel if the destination matches a route that points to the tunnel.

Why this answer

Route-based VPNs use routing tables (like BGP) to determine which traffic is sent through the tunnel, and they support dynamic routing protocols like BGP.

16
MCQ · medium

An engineer needs to monitor the operational status of a Dedicated Interconnect link. Which Cloud Monitoring metric should they use?

A. interconnect/attachment/operational_status
B. interconnect/network/sent_bytes_count
C. interconnect/link/operational_status
D. interconnect/network/received_bytes_count
Answer: C

This metric shows the operational state of the link.

Why this answer

The metric interconnect/link/operational_status reflects if the link is up or down, exactly what is needed to monitor the link status.

17
MCQ · hard

A company wants to use BGP AS path prepending to influence traffic from Google Cloud to their on-premises network. They have two Dedicated Interconnect connections. Where should they configure the AS path prepending?

A. On the Cloud Router BGP session.
B. In the VLAN attachment configuration.
C. On the on-premises router by adding extra AS numbers to the AS path.
D. In the Cloud Router as a route policy with set as-path prepend.
Answer: C

AS path prepending is done on the on-premises side to affect inbound traffic from GCP.

Why this answer

AS path prepending is configured on the on-premises router when advertising routes to Google Cloud. The router adds extra AS numbers to make a path less preferred.

18
Multi-Select · hard

A network engineer is configuring HA VPN between GCP and an on-premises network. They need to ensure that the VPN tunnels are established and BGP sessions are up. Which THREE steps are required? (Choose 3.)

Select 3 answers
A. Create an HA VPN gateway with two interfaces and two external IPs.
B. Configure firewall rules to allow IKE traffic.
C. Set up Cloud NAT for internet access.
D. Create two VPN tunnels, one for each interface.
E. Create a Cloud Router to manage BGP sessions.
Answers: A, D, E

Required for HA VPN.

Why this answer

To establish HA VPN, you must create the VPN gateway with two interfaces and two external IPs, configure a Cloud Router to handle BGP, and create two VPN tunnels (one for each interface) with IKEv2 configuration. Pre-shared keys or certificates are part of tunnel configuration, but the key step is creating the tunnels.

19
MCQ · medium

A company wants to connect their on-premises network to Google Cloud with a Dedicated Interconnect. They have ordered a circuit from a telecom provider and need to complete the setup. Which of the following steps is required during the provisioning process?

A. Set up a VPN tunnel for redundancy.
B. Create a VLAN attachment in the Google Cloud Console.
C. Configure on-premises DNS forwarding to Cloud DNS.
D. Configure the Cloud Router BGP session before ordering the circuit.
Answer: B

The VLAN attachment is the logical connection between your on-premises network and Google Cloud.

Why this answer

When provisioning a Dedicated Interconnect, after the telecom provider has delivered the circuit to the meet-me room, you must create a VLAN attachment (formerly called an interconnect attachment) in the Google Cloud Console. This attachment defines the VLAN and the Cloud Router that will establish BGP peering with your on-premises router, making it the essential step to complete the Layer 2 and Layer 3 connectivity.

Exam trap

Cisco often tests the misconception that you must configure the Cloud Router BGP session before the circuit is ordered, but in reality, the BGP session is configured after the VLAN attachment is created and the physical circuit is ready.

How to eliminate wrong answers

Option A is wrong because a VPN tunnel is not required for Dedicated Interconnect; while you can optionally set up a VPN as a backup for redundancy, it is not a required step during the provisioning process of the Dedicated Interconnect itself. Option C is wrong because configuring on-premises DNS forwarding to Cloud DNS is unrelated to the physical or logical setup of Dedicated Interconnect; DNS forwarding is a separate network service configuration. Option D is wrong because the Cloud Router BGP session cannot be configured before ordering the circuit; you must first have the VLAN attachment created and the circuit provisioned before you can configure BGP sessions on the Cloud Router.

20
Multi-Select · hard

An organization is setting up a Dedicated Interconnect and wants to monitor the health and performance of the connection using Cloud Monitoring. Which THREE metrics are available for Dedicated Interconnect?

Select 3 answers
A. interconnect/network/received_bytes_count
B. interconnect/link/packet_loss
C. interconnect/link/operational_status
D. interconnect/network/traffic_drops
E. interconnect/vpn/tunnel_status
Answers: A, B, C

This metric tracks bytes received over the interconnect.

Why this answer

Cloud Monitoring provides several metrics for Dedicated Interconnect, including traffic volume (received_bytes_count), link operational status, and packet loss. VLAN attachment metrics are also available, but the question asks for interconnect metrics.

21
MCQ · easy

A company needs to resolve on-premises DNS names from Google Cloud VMs. They want to forward DNS queries for a specific domain (example.corp) to an on-premises DNS server. Which Cloud DNS feature should they use?

A. Private DNS zones
B. DNS peering
C. Inbound DNS policy
D. Outbound DNS forwarding (conditional forwarding)
Answer: D

This is the feature for forwarding specific domains to on-premises DNS.

Why this answer

Outbound DNS forwarding with conditional forwarding allows Cloud DNS to forward queries for a specific domain (example.corp) to an on-premises DNS server. This is the correct feature because it selectively routes DNS traffic based on the domain name, enabling resolution of private on-premises names from Google Cloud VMs without exposing the entire VPC network.

Exam trap

Cisco often tests the distinction between inbound and outbound DNS policies, where candidates confuse the direction of DNS traffic (inbound vs. outbound) and select Inbound DNS policy (Option C) instead of Outbound DNS forwarding.

How to eliminate wrong answers

Option A is wrong because Private DNS zones are used to manage DNS records within a VPC network, not to forward queries to external servers. Option B is wrong because DNS peering allows DNS resolution between two VPC networks, not forwarding to on-premises servers. Option C is wrong because Inbound DNS policy handles DNS queries coming into Google Cloud from on-premises, not outbound forwarding from Google Cloud to on-premises.

22
Multi-Select · hard

You are setting up Partner Interconnect with a service provider that offers both Layer 2 and Layer 3 options. Your on-premises network uses BGP to exchange routes. Which THREE statements are true about the connectivity types? (Choose three.)

Select 3 answers
A. Layer 3 connectivity requires a VLAN attachment of type PARTNER_PROVIDER
B. With Layer 2 connectivity, you must configure BGP sessions between your on-premises router and Cloud Router
C. Both connectivity types support dynamic routing with BGP
D. With Layer 3 connectivity, the service provider manages BGP peering with your Cloud Router
E. Layer 2 connectivity requires a VLAN attachment of type PARTNER_PROVIDER
Answers: B, D, E

In Layer 2, you have direct layer 2 connectivity, so you can run BGP directly.

Why this answer

Option B is correct because with Layer 2 Partner Interconnect, the service provider delivers a transparent VLAN extension, and you must configure and manage your own BGP sessions between your on-premises router and a Cloud Router in Google Cloud. This is necessary to exchange routes and establish dynamic routing over the Layer 2 link.

Exam trap

Cisco often tests the distinction between attachment types (PARTNER vs PARTNER_PROVIDER) and who manages BGP sessions, causing candidates to incorrectly assume that Layer 3 connectivity requires direct BGP configuration on the Cloud Router.

23
MCQ · medium

An engineer has set up a Dedicated Interconnect with a VLAN attachment and a Cloud Router BGP session. They can ping the on-premises gateway IP but cannot reach an on-premises subnet 10.0.0.0/24 from a GCE instance. The on-premises router is advertising the subnet via BGP. What is the most likely cause?

A. The VLAN attachment is in the wrong region
B. The GCE instance does not have a route to the on-premises subnet
C. The on-premises firewall is blocking ICMP
D. The on-premises router is not using the correct BGP AS number
Answer: B

If the Cloud Router is not advertising the on-premises subnet correctly, or custom route propagation is not enabled, the VPC may lack a route to 10.0.0.0/24.

Why this answer

The GCE instance can ping the on-premises gateway IP because the Cloud Router has a BGP session and the gateway IP is directly reachable via the VLAN attachment. However, to reach the on-premises subnet 10.0.0.0/24, the GCE VPC needs a route for that subnet pointing to the Cloud Router as the next hop. Without an automatically propagated or manually configured route in the VPC, traffic from the GCE instance to 10.0.0.0/24 will be dropped, even though the on-premises router is advertising the subnet via BGP.

Exam trap

Cisco often tests the misconception that BGP route advertisement alone ensures reachability, but in Google Cloud, the VPC route table must explicitly include the learned prefix via dynamic route propagation or a static route.

How to eliminate wrong answers

Option A is wrong because the VLAN attachment region must match the Cloud Router region for the BGP session to establish; if it were in the wrong region, the BGP session would not come up and the engineer could not ping the on-premises gateway IP. Option C is wrong because the engineer can already ping the on-premises gateway IP, which demonstrates that ICMP is not blocked by the on-premises firewall; the issue is specifically with reaching a different subnet. Option D is wrong because if the on-premises router were using the wrong BGP AS number, the BGP session would not establish, and the engineer could not ping the on-premises gateway IP or receive any route advertisements.

24
Multi-Select · easy

A company is deploying Cloud DNS to enable on-premises resources to resolve Google Cloud private zone names. Which TWO resources are required for this setup?

Select 2 answers
A. VPC peering
B. Inbound DNS policy
C. Cloud Router
D. On-premises DNS server configuration to forward to the inbound IP
E. Outbound DNS forwarding zone
Answers: B, D

Inbound DNS policy provides a forwarding IP for on-premises to query GCP DNS.

Why this answer

To allow on-premises DNS queries to reach Google Cloud private zones, you need an inbound DNS policy that creates a forwarding IP address in a VPC, and you need to configure on-premises DNS servers to forward those queries to that IP. A forwarding zone is used for the opposite direction (GCP to on-premises).

25
MCQ · medium

A company has deployed an HA VPN gateway in Google Cloud to connect to their on-premises network. They have configured two tunnels with IKEv2 and BGP. One tunnel is established, but the second tunnel is not coming up. What could be a likely cause?

A. IKE version is set to IKEv1 on one side
B. The pre-shared keys are mismatched between the two tunnels
C. The second tunnel's peer IP is unreachable
D. BGP timers are inconsistent
Answer: B

A common pitfall is using different PSKs for each tunnel; they must match on both sides.

Why this answer

Common issues include mismatched pre-shared keys or IKE versions. Since the first tunnel works, the configuration is mostly correct, but the second tunnel may have a mismatched pre-shared key (PSK). An incorrect IKE version is less likely because both tunnels use the same gateway.

BGP timers are usually consistent. Cloud VPN logs would help identify the root cause.

26
MCQ · easy

An engineer needs to set up DNS resolution for on-premises resources from Google Cloud. They want to resolve a custom domain (e.g., corp.example.com) using on-premises DNS servers. Which Cloud DNS feature should they use?

A. DNS forwarding zone
B. Cloud DNS peering
C. Outbound DNS forwarding
D. Inbound DNS policy
Answer: A

A forwarding zone in Cloud DNS forwards queries for a specific domain to specified DNS servers.

Why this answer

DNS forwarding zones in Cloud DNS allow you to forward queries for a specific domain to a set of on-premises DNS server IPs. This is achieved by creating a forwarding zone with the target name servers pointing to the on-premises DNS servers.

27
MCQ · easy

A company wants to use HA VPN with route-based VPN. Which VPN configuration option must be enabled?

A. IKEv1 with pre-shared keys.
B. Route-based VPN by selecting Dynamic Routing (BGP) or using static routes.
C. Using certificates instead of pre-shared keys.
D. Policy-based VPN with multiple policies for each subnet.
Answer: B

Route-based VPN relies on routing for traffic direction.

Why this answer

Route-based VPN uses routing (BGP or static routes) to determine which traffic goes through the tunnel, as opposed to policy-based which uses security policies.

28
MCQ · medium

An organization has two Dedicated Interconnect connections in an active-passive configuration. They want to make the passive connection active for maintenance. What should they do to fail over traffic?

A. Configure as-path prepending on the active Cloud Router BGP session to make it less preferred
B. Shut down the Cloud Router on the active connection
C. Set the MED metric to 0 on the active connection
D. Delete the VLAN attachment on the active connection
Answer: A

As-path prepending adds extra AS numbers to the path, making it less preferred in BGP path selection, causing failover to the passive connection.

Why this answer

To fail over traffic, the engineer can use as-path prepending on the active connection to make it less preferred, or adjust MED, or use local preference on the on-premises side. The question implies a GCP-side action: using as-path prepending via Cloud Router BGP configuration.

29
MCQ · easy

A network engineer is setting up an HA VPN between GCP and an on-premises network. They want to use route-based VPN with dynamic routing. Which two resources must be created together to form a functional HA VPN tunnel?

A. Two VPN tunnels, each with a BGP session on the same Cloud Router
B. One VPN tunnel with two BGP sessions
C. Two VPN tunnels without BGP sessions
D. Two VPN gateways, each with one tunnel and one BGP session
Answer: A

Each HA VPN interface requires its own tunnel and BGP session, sharing the same Cloud Router.

Why this answer

An HA VPN gateway has two interfaces, each with its own external IP. For each interface, you create a VPN tunnel and attach it to a Cloud Router with a BGP session. The tunnel and BGP session are paired for each interface.

30
MCQ · hard

A company has two HA VPN tunnels between GCP and on-premises. They want to use both tunnels simultaneously for load balancing traffic. Which BGP feature should they configure on the Cloud Router to achieve equal-cost multipath (ECMP)?

A. Use AS path prepending on one tunnel.
B. Set different MED values on each tunnel to prefer one.
C. Enable policy-based VPN instead of route-based.
D. Advertise identical routes with equal BGP metrics (AS path length, MED, etc.) from both tunnels.
Answer: D

ECMP requires equal metric values.

Why this answer

ECMP is achieved by having multiple BGP paths with equal MED and AS path length. The Cloud Router automatically load balances if routes have equal metrics.

31
MCQ · medium

A network engineer is troubleshooting a Cloud VPN gateway that is not establishing a VPN tunnel with an on-premises device. The engineer checks the Cloud VPN gateway logs and sees the error 'IKE SA negotiation failed due to mismatched authentication method'. What is the most likely cause?

A. The pre-shared keys on both ends do not match.
B. The authentication method is set to 'pre-shared key' on one side and 'certificate' on the other.
C. The VPN gateway is using the wrong external IP address.
D. The IKE version configured on the on-premises device is IKEv1 while Cloud VPN only supports IKEv2.
Answer: B

This mismatch directly causes the 'IKE SA negotiation failed due to mismatched authentication method' error.

Why this answer

The error indicates a mismatch between the authentication methods configured on both ends, such as pre-shared key vs certificate, or different authentication types.

32
Multi-Select · hard

You are troubleshooting a failing HA VPN tunnel between GCP and on-premises. The tunnel status shows 'Tunnel is down' in Cloud Console. Which TWO steps should you take to diagnose the issue? (Choose two.)

Select 2 answers
A. Confirm that the GCP VPC has a firewall rule allowing inbound IPsec traffic
B. Verify that the Cloud Router BGP session is established
C. Check the on-premises firewall rules to ensure UDP ports 500 and 4500 are allowed
D. Review Cloud VPN gateway logs for IKE negotiation errors
E. Ensure that the on-premises VPN gateway has a static route to the GCP VPC
Answers: C, D

IPsec uses UDP 500 for IKE and UDP 4500 for NAT traversal. Blocked ports prevent tunnel establishment.

Why this answer

Checking Cloud VPN gateway logs for IKE errors helps identify authentication or configuration mismatch. Verifying that the on-premises firewall allows UDP 500 and 4500 for IPsec is necessary because many failures are due to firewall blocking.

33
MCQ · medium

An organization has a Dedicated Interconnect with one VLAN attachment. They want to add a second VLAN attachment on the same interconnect circuit for additional capacity. What is the correct approach?

A. Order a second physical cross-connect
B. Upgrade the existing VLAN attachment to increase bandwidth
C. Create a second VLAN attachment with a different VLAN ID
D. Create a new Cloud Router and associate it with the existing VLAN attachment
Answer: C

Multiple VLAN attachments can coexist on the same interconnect.

Why this answer

A single Dedicated Interconnect circuit can have multiple VLAN attachments (up to 8 for 10 Gbps, up to 64 for 100 Gbps). You simply create another VLAN attachment on the same interconnect, using a different VLAN ID and a different Cloud Router if desired.

34
MCQmedium

A company wants to use AS path prepending to influence traffic from Google Cloud to their on-premises network to prefer one Dedicated Interconnect connection over another. How should they configure AS path prepending?

A.Configure AS path prepending on the Cloud Router for the routes advertised to on-premises
B.Configure AS path prepending on the on-premises router for the routes advertised to Google Cloud
C.Configure AS path prepending on both sides equally
D.Use MED instead of AS path prepending
AnswerB

This makes the AS path longer for that connection, making it less preferred for traffic from Google Cloud.

Why this answer

AS path prepending is done on the on-premises router by adding the on-premises AS number multiple times in the BGP updates sent to Google Cloud. Google Cloud Router will then prefer the path with the shorter AS path length (fewer prepends). To make one connection less preferred, the on-premises router should prepend AS numbers on the BGP updates sent over that connection.

35
MCQhard

A company has two Dedicated Interconnect circuits in different metro areas to meet the 99.99% SLA. They have configured active-active mode. During a test, they intentionally bring down one circuit. They expect traffic to continue using the other circuit, but they notice packet loss during the failover. What could be the cause?

A.The VLAN attachments are not configured with the same Cloud Router.
B.The BGP timers are set too high, causing slow convergence.
C.The on-premises router is not configured with equal-cost multipath (ECMP).
D.The remaining circuit does not have sufficient bandwidth to handle the combined traffic load.
AnswerD

Active-active mode may use both circuits for load balancing; if one fails, all traffic goes to the other, potentially exceeding its capacity.

Why this answer

In active-active mode, both circuits are used simultaneously. When one fails, traffic is re-routed to the remaining one. If there is insufficient bandwidth on the remaining circuit, packet loss may occur due to congestion.

36
MCQmedium

A company is using Partner Interconnect with a service provider that offers Layer 2 connectivity. The engineer has created a VLAN attachment of type PARTNER_PROVIDER in Google Cloud. What must the service provider do to complete the connection?

A.Create a VLAN attachment of type PARTNER on their end and associate it with the customer's VLAN attachment.
B.Provide the engineer with a pairing key to attach the VLAN attachment to the interconnect.
C.Assign a public IP address to the VLAN attachment.
D.Configure BGP routing with the customer's on-premises router.
AnswerA

The provider creates a corresponding PARTNER VLAN attachment to complete the connection.

Why this answer

With PARTNER_PROVIDER type, the service provider must attach the VLAN to their network and configure the connection on their side. The provider also needs to set up BGP peering with the customer's on-premises router if using Layer 3, but for Layer 2, BGP is between customer and Google.

37
Multi-Selectmedium

A company is designing a highly available hybrid network using HA VPN. They need to ensure that if one VPN tunnel fails, traffic automatically fails over to the other tunnel. Which TWO configurations are required? (Choose TWO.)

Select 2 answers
A.Configure static routes for failover
B.Enable BGP on both tunnels
C.Configure both tunnels with the same peer IP address on the on-premises side
D.Use the same pre-shared key for both tunnels
E.Create two VPN tunnels, one from each Cloud VPN gateway interface
AnswersB, E

BGP allows dynamic routing and automatic failover when one tunnel goes down.

Why this answer

HA VPN requires two tunnels from two interfaces, each with its own external IP, and BGP sessions on both tunnels. The on-premises side must also have two separate peer IPs.

38
MCQeasy

A network engineer wants to monitor the operational status of a Dedicated Interconnect link using Cloud Monitoring. Which metric should they use to check if the physical link is up or down?

A.interconnect/link/operational_status
B.interconnect/network/received_bytes_count
C.vpn/tunnel/status
D.interconnect/network/packets_dropped_percent
AnswerA

This metric reports the link status: 1 for up, 0 for down.

Why this answer

The metric `interconnect/link/operational_status` directly indicates whether the physical link is up (1) or down (0).

39
Multi-Selecteasy

A network engineer is configuring BGP on a Cloud Router for a Dedicated Interconnect. They want to apply traffic engineering to prefer one path over another for inbound traffic from on-premises to GCP. Which THREE BGP attributes can be used to influence this inbound traffic? (Choose three.)

Select 3 answers
A.BGP communities
B.Weight
C.AS path prepending
D.Local preference
E.MED (metric)
AnswersA, C, E

Communities can affect route preference (e.g., prepend to peers) and influence inbound traffic.

Why this answer

MED (metric) is the primary attribute to influence inbound traffic. AS path prepending (adding AS numbers) makes a path less preferred. Communities (like no-export) can control route propagation and thus influence path selection.

40
MCQhard

You are configuring a Cloud Router for a Dedicated Interconnect VLAN attachment. The on-premises BGP AS number is 65001. You want to ensure that traffic from Google Cloud to on-premises prefers the primary attachment over the backup. Which BGP attribute should you configure on the primary Cloud Router to achieve this?

A.MED (metric)
B.AS path prepending
C.Weight attribute
D.Local preference
AnswerA

Configuring a lower MED on the primary attachment tells the on-premises router to prefer that path for traffic destined to Google Cloud prefixes.

Why this answer

By setting a lower MED (Multi-Exit Discriminator) on the primary attachment, the on-premises router will prefer the primary path when there are multiple paths to the same prefix. MED is exchanged between AS peers and influences inbound traffic to the on-premises network.

41
MCQeasy

A network engineer needs to test connectivity after setting up a Dedicated Interconnect VLAN attachment and BGP session. Which tool should they use to verify that Google Cloud can reach an on-premises IP address?

A.gcloud compute interconnect list command.
B.Cloud Monitoring dashboard for interconnect metrics.
C.ping and traceroute from a Google Cloud VM to the on-premises IP.
D.tcpdump on the on-premises router.
AnswerC

ping and traceroute are the standard tools for testing connectivity.

Why this answer

The standard tools to test connectivity are ping (ICMP echo) and traceroute (path discovery). They are used after BGP is established to verify end-to-end reachability.

42
Multi-Selectmedium

A company needs to connect their on-premises network to Google Cloud with high availability and load balancing across multiple tunnels. They plan to use HA VPN. Which TWO of the following are required to achieve active-active load balancing across multiple tunnels?

Select 2 answers
A.Use AS path prepending on one tunnel
B.Configure the on-premises router to enable ECMP
C.Use different MED values for each tunnel
D.Ensure the Cloud Router advertises the same routes with identical BGP attributes over all tunnels
E.Configure static routes instead of BGP
AnswersB, D

ECMP allows the router to use multiple equal-cost paths.

Why this answer

For active-active load balancing, Cloud Router BGP must advertise the same routes with identical attributes, and the on-premises router must support ECMP. Often, two tunnels are configured as a pair. The on-premises router must be configured to accept equal-cost routes.

43
MCQeasy

A company needs to monitor the operational status of their Dedicated Interconnect links. Which Cloud Monitoring metric should they use?

A.interconnect/vlan_attachment/outbound_bytes
B.interconnect/network/packet_drop_count
C.interconnect/link/operational_status
D.interconnect/network/received_bytes_count
AnswerC

This metric directly indicates whether the link is up, down, or degraded.

Why this answer

The metric 'interconnect/link/operational_status' provides the operational status of each interconnect link (e.g., operational, degraded).

44
MCQmedium

An engineer is configuring a Cloud Router for HA VPN. They need to enable BGP on the VPN tunnels. Which BGP configuration is required for the Cloud Router to advertise the VPC subnets to the on-premises network?

A.Set up a VPC peering connection
B.Use static routes on the VPN tunnel
C.Create a custom route advertisement for each subnet
D.Configure the VPN gateway to advertise the subnets
AnswerC

Cloud Router can be configured with custom route advertisements to advertise specific VPC subnets to the on-premises network via BGP.

Why this answer

Option C is correct because Cloud Router uses Border Gateway Protocol (BGP) to dynamically exchange routes with the on-premises network over HA VPN tunnels. By default, Cloud Router advertises only the VPC subnet ranges that are directly connected to the VPC network. To ensure all VPC subnets are advertised, you must create custom route advertisements for each subnet that needs to be reachable from on-premises.

This is done by configuring the Cloud Router with a custom advertisement mode and specifying the subnet CIDR ranges as custom advertised IP ranges.

Exam trap

Cisco often tests the misconception that the VPN gateway itself handles BGP route advertisements, when in fact it is the Cloud Router that acts as the BGP speaker and manages route exchange for HA VPN tunnels.

How to eliminate wrong answers

Option A is wrong because VPC peering is a separate connectivity mechanism used to connect two VPC networks, not to advertise routes to an on-premises network via VPN. Option B is wrong because static routes on the VPN tunnel would require manual configuration and maintenance for each subnet, and they do not leverage BGP's dynamic route exchange, which is required for HA VPN with Cloud Router. Option D is wrong because the VPN gateway itself does not handle BGP route advertisements; that responsibility lies with the Cloud Router, which is the BGP speaker in Google Cloud.

45
MCQmedium

A company has an HA VPN gateway in Google Cloud with two tunnels to their on-premises router. They want to ensure that if one tunnel fails, all traffic automatically fails over to the other tunnel. What configuration is necessary on the on-premises router?

A.Use AS path prepending on the primary tunnel to make it preferred
B.Set a higher local preference on the primary tunnel
C.Configure the same MED value on both tunnels
D.Configure ECMP to load balance across both tunnels
AnswerB

Higher local preference makes a route more preferred, so setting it on the primary tunnel ensures it is used when available.

Why this answer

For failover, the on-premises router should prefer one tunnel over the other using BGP attributes like local preference or AS path prepending. Typically, one tunnel is primary and the other is backup. Both tunnels should be established with BGP sessions, and the on-premises router should learn the same routes from both, but with different local preference values to determine the primary path.

46
MCQmedium

A company is deploying a Dedicated Interconnect connection between their on-premises data center and Google Cloud. They require 99.99% availability for the interconnect. Which two actions must they take to meet this SLA?

A.Order two 10 Gbps circuits in different metro areas
B.Order four 10 Gbps circuits in the same metro area
C.Order a single 10 Gbps circuit
D.Order two 10 Gbps circuits in the same metro area
AnswerA

Two circuits in different metro areas provide geo-redundancy, meeting the 99.99% SLA requirement.

Why this answer

To achieve 99.99% availability for Dedicated Interconnect, you need two connections with at least 10 Gbps each, placed in different metropolitan areas (different metro zones). This provides redundancy even if a whole metro area fails.

47
MCQmedium

An organization is connecting their on-premises data center to Google Cloud via Partner Interconnect. The partner offers both Layer 2 and Layer 3 connectivity options. The organization wants to manage their own BGP sessions and IP addressing. Which connectivity option should they choose?

A.Any Layer option because they can manage BGP regardless
B.Layer 2 connectivity
C.Neither; they must use Dedicated Interconnect
D.Layer 3 connectivity
AnswerB

Layer 2 gives the customer control over BGP sessions and IP addressing.

Why this answer

With Layer 2, the service provider delivers a transparent VLAN, and the customer manages the BGP session with Google Cloud Router. Layer 3 would mean the partner manages the routing, which is not desired here.

48
MCQmedium

A company has two Dedicated Interconnect connections from different metro areas to Google Cloud. They want to achieve a 99.99% SLA. What is the minimum requirement?

A.One Dedicated Interconnect connection with two VLAN attachments.
B.Two Dedicated Interconnect connections from different metro areas, configured for redundancy.
C.One Dedicated Interconnect and one Partner Interconnect.
D.Two Dedicated Interconnect connections in the same metro area.
AnswerB

Diverse metro areas ensure independence and meet SLA requirements.

Why this answer

To meet the 99.99% SLA, you need at least two connections that are diverse (different metro areas) and configured in active-active or active-passive mode. This ensures redundancy if one fails.

49
MCQeasy

A company wants to resolve on-premises DNS names from Google Cloud VMs. They have a Cloud DNS private zone for their domain and on-premises DNS servers at IP 10.1.1.1 and 10.1.1.2. Which Cloud DNS feature should they use?

A.Inbound DNS policy
B.Peering zones
C.Outbound DNS forwarding using an outbound forwarding zone
D.Managed reverse lookup zones
AnswerC

An outbound forwarding zone forwards DNS queries from Google Cloud to on-premises DNS servers for a specified domain.

Why this answer

DNS forwarding zones allow Cloud DNS to forward queries for a specific domain to on-premises DNS servers.

50
MCQeasy

A company is using Partner Interconnect with a service provider that requires the use of VLAN attachments. Which type of VLAN attachment should they create in Google Cloud to use the partner's connection?

A.DEDICATED
B.PARTNER
C.PARTNER_PROVIDER
D.CUSTOMER
AnswerB

PARTNER is the correct type for customer-managed VLAN attachments in Partner Interconnect.

Why this answer

For Partner Interconnect, you create a VLAN attachment of type PARTNER. This attachment represents the logical connection to the partner's network. The partner can also use PARTNER_PROVIDER type if they manage the attachment, but from the customer side, it's PARTNER.

51
MCQhard

A company has a Partner Interconnect connection (Layer 2) with a service provider. They need to configure BGP sessions on their on-premises router and Google Cloud Router. The engineer creates a VLAN attachment of type PARTNER. However, the BGP session does not come up. What is the most likely reason?

A.The Cloud Router BGP IP address is not in the same subnet as the VLAN attachment
B.The VLAN attachment type should be PARTNER_PROVIDER
C.The IAM permissions for the Cloud Router are missing
D.The on-premises router is using a different BGP AS number than configured
AnswerA

The BGP IP addresses on Cloud Router and on-premises must be in the same /29 subnet assigned by the VLAN attachment.

Why this answer

In Layer 2 Partner Interconnect, the customer must configure BGP sessions. The VLAN attachment type PARTNER requires the customer to manage BGP. Common issues include incorrect VLAN ID or IP addresses.

52
MCQmedium

A company has set up a route-based HA VPN tunnel between Google Cloud and their on-premises network. They are experiencing packet loss and need to troubleshoot. Which logs or metrics would provide the MOST relevant information to diagnose the issue?

A.Cloud Monitoring metric: interconnect/network/received_bytes_count
B.Cloud Load Balancing logs
C.VPC flow logs
D.Cloud VPN gateway logs (syslog)
AnswerD

Gateway logs contain detailed information about the VPN tunnels.

Why this answer

Cloud VPN gateway logs provide detailed information about tunnel establishment, IKE negotiations, and BGP messages. They can help identify packet loss causes like MTU issues, encryption mismatches, or routing problems. Cloud Monitoring metrics for VPN tunnels show traffic volume and errors, but logs provide more granular detail.

53
MCQhard

A company uses Partner Interconnect with a service provider that offers Layer 2 connectivity. The engineer needs to establish BGP peering between the on-premises router and Cloud Router. What must be created in Google Cloud to enable this?

A.An HA VPN gateway.
B.A VLAN attachment of type PARTNER_PROVIDER.
C.A Dedicated Interconnect attachment.
D.A VLAN attachment of type PARTNER.
AnswerB

PARTNER_PROVIDER is used when the partner provides Layer 2 connectivity.

Why this answer

With Layer 2 Partner Interconnect, the service provider extends a VLAN to Google. You create a VLAN attachment of type PARTNER_PROVIDER, which allows you to configure the Cloud Router and BGP session.

54
Multi-Selectmedium

A company has two Dedicated Interconnect connections from different metro areas to their GCP VPC. They want to use both connections actively (active-active load balancing) without manual intervention. Which TWO configurations are required to achieve this? (Choose two.)

Select 2 answers
A.Use AS path prepending on one of the BGP sessions
B.Advertise the same on-premises prefix with the same MED on both BGP sessions
C.Configure ECMP on the Cloud Router
D.Create two separate Cloud Routers
E.Set different MED values on each BGP session
AnswersB, C

Equal MED ensures both paths are considered equal by BGP, enabling ECMP.

Why this answer

To use active-active, you must configure ECMP on the Cloud Router to load balance across both BGP sessions, and advertise the same prefixes with equal priority (same MED) from both on-premises routers.

55
Multi-Selecteasy

An organization is considering using Partner Interconnect to connect to Google Cloud. They want the service provider to manage the BGP sessions. Which TWO configurations must they choose? (Choose TWO.)

Select 2 answers
A.Select Layer 2 connectivity option with the provider
B.Create VLAN attachment of type PARTNER_PROVIDER
C.Select Layer 3 connectivity option with the provider
D.Create VLAN attachment of type PARTNER
E.Configure BGP sessions on the Cloud Router
AnswersB, C

PARTNER_PROVIDER is used when the provider manages BGP.

Why this answer

For Layer 3 connectivity where the provider manages BGP, the VLAN attachment type must be PARTNER_PROVIDER, and the provider handles BGP.

56
MCQmedium

A network engineer is setting up a Dedicated Interconnect between an on-premises network and Google Cloud. After the circuit is ordered and the physical connection is established at the co-location facility, what is the first step to configure the interconnect inside GCP?

A.Configure a VPN tunnel for backup connectivity.
B.Create a VLAN attachment to associate with the interconnect.
C.Enable Cloud NAT for outbound traffic.
D.Create a Cloud Router with BGP sessions.
AnswerB

A VLAN attachment is the first logical configuration step after the physical connection.

Why this answer

After the physical connection is ready, you must create a VLAN attachment in Google Cloud to define the connection between your VPC and the interconnect.

57
Multi-Selectmedium

Your organization uses Cloud DNS for private DNS resolution within GCP. You need to enable on-premises DNS servers to resolve GCP private zone names (e.g., myinstance.internal.example.com). Which TWO resources must you configure? (Choose two.)

Select 2 answers
A.Configure an outbound DNS server policy in GCP
B.Create a DNS peering zone in Cloud DNS that points to the on-premises DNS servers
C.Configure an inbound DNS server policy in GCP
D.Set up a VPN tunnel between GCP and on-premises
E.Create a forwarding zone in Cloud DNS
AnswersB, C

For on-premises DNS servers to resolve GCP private zones, queries must be forwarded from on-premises to GCP. The standard solution is to create an inbound DNS server policy to obtain a forwarding IP, and to set up conditional forwarders to that IP on the on-premises DNS servers. The two resources to configure are the inbound DNS server policy and a DNS peering zone (or alternatively, a forwarding zone in GCP).

Why this answer

To allow on-premises DNS to resolve GCP private zones, you create a DNS peering zone in Cloud DNS that forwards queries to on-premises, and you configure the on-premises DNS servers to forward queries for the GCP private zone to the Google-managed forwarding IP (inbound DNS policy).

58
MCQhard

An engineer configures an HA VPN with two tunnels to an on-premises network using IKEv2 and pre-shared keys. After configuration, the tunnels show as established, but no traffic flows. The Cloud Router BGP sessions are not established. The on-premises firewall logs show IKE packets are being sent but no response. What is the most likely cause?

A.The Cloud Router BGP AS number is duplicated
B.The pre-shared keys do not match
C.The on-premises firewall is blocking UDP port 500
D.The VPN tunnel is configured as policy-based instead of route-based
AnswerB

Mismatched pre-shared keys would cause IKE negotiation to fail, resulting in no response from Google side.

Why this answer

B is correct because the on-premises firewall logs show IKE packets being sent but no response, which indicates that the IKEv2 pre-shared key mismatch causes the IKE authentication phase to fail. Even though the tunnel status shows as established (likely due to a stale or misconfigured status check), the BGP sessions cannot form because the IKE security association (SA) is not fully authenticated, preventing the IPsec SA from being created and thus blocking all traffic, including BGP packets.

Exam trap

Cisco often tests the distinction between IKE phase 1 (ISAKMP) and phase 2 (IPsec) failures, and the trap here is that candidates assume 'tunnels established' means the IPsec SA is up, when in reality the status may reflect only the IKE_SA_INIT phase, and the pre-shared key mismatch prevents full authentication and IPsec SA creation.

How to eliminate wrong answers

Option A is wrong because a duplicate Cloud Router BGP AS number would cause BGP session flapping or rejection, but it would not prevent IKE packets from receiving a response; the IKE phase would still complete successfully. Option C is wrong because if the on-premises firewall were blocking UDP port 500, the firewall logs would show IKE packets being dropped or no packets at all, not 'IKE packets are being sent but no response' (the packets are sent, but the response is missing due to authentication failure). Option D is wrong because a policy-based tunnel would still allow IKE to establish and BGP to form if the correct policies are in place; the issue here is specifically at the IKE authentication layer, not the tunnel type.

59
MCQeasy

A company wants to establish a dedicated physical connection between their on-premises network and Google Cloud. They need a 10 Gbps connection and are willing to manage the circuit and colocation facility themselves. Which Google Cloud service should they use?

A.Dedicated Interconnect
B.Partner Interconnect
C.Cloud CDN
D.Cloud VPN
AnswerA

Dedicated Interconnect provides a direct physical connection up to 10 Gbps (or 100 Gbps) and requires the customer to manage circuit ordering and colocation.

Why this answer

Dedicated Interconnect provides a direct physical connection between the on-premises network and Google's network via a colocation facility and Google Partner PoP. It is managed by the customer for circuit ordering and colocation.

60
MCQmedium

A company wants to allow on-premises DNS servers to resolve Google Cloud private VM names. They need to configure a Google-managed forwarding server IP. Which Cloud DNS feature should they use?

A.Outbound DNS forwarding
B.Cloud Router with BGP
C.Inbound DNS policy
D.Private DNS zone with peering
AnswerC

Inbound policy provides a Google-managed forwarding IP for on-premises to query.

Why this answer

Inbound DNS policy creates a forwarding zone and provides a Google-managed inbound server IP that on-premises servers can use to resolve GCP private DNS names.

61
MCQhard

A network engineer is troubleshooting a failing HA VPN tunnel. They need to view VPN gateway logs to identify the issue. Which Google Cloud service should they use to access the logs?

A.Cloud Audit Logs
B.Cloud Debugger
C.Cloud Monitoring
D.Cloud Logging
AnswerD

Cloud Logging stores and allows querying of VPN gateway logs.

Why this answer

Cloud Logging captures logs from Cloud VPN gateways, including tunnel events, IKE negotiations, and error messages.

62
MCQmedium

A company is using Partner Interconnect with a service provider that offers Layer 3 connectivity. The service provider manages the BGP sessions. The engineer needs to create a VLAN attachment on the Google side. Which attachment type should they choose?

A.PARTNER
B.MANAGED
C.DEDICATED
D.PARTNER_PROVIDER
AnswerD

PARTNER_PROVIDER attachment type is for Layer 3 connectivity where the service provider manages BGP.

Why this answer

For Partner Interconnect, when the service provider manages Layer 3 (BGP), the VLAN attachment type must be PARTNER_PROVIDER. The PARTNER type is for Layer 2 connectivity where the customer manages BGP.

63
MCQmedium

A company is using Partner Interconnect to connect their on-premises network to Google Cloud. They need to choose between Layer 2 and Layer 3 connectivity options offered by the service provider. Which statement correctly describes the difference between Layer 2 and Layer 3 connectivity in Partner Interconnect?

A.Layer 2 connectivity requires the customer to configure BGP with Google Cloud, while Layer 3 does not require any BGP on the customer side.
B.Layer 2 connectivity is only available for Dedicated Interconnect, not Partner Interconnect.
C.Both Layer 2 and Layer 3 require the customer to manage VLAN attachments inside GCP.
D.Layer 3 connectivity requires the customer to have a BGP session with the partner's router, while Layer 2 allows direct BGP with Google Cloud.
AnswerD

This correctly describes the difference: Layer 2 is direct BGP with Google, Layer 3 uses the partner as a routing hop.

Why this answer

With Layer 2, the partner provides a transparent VLAN; with Layer 3, the partner handles the IP routing, requiring a BGP session from the customer's on-prem router to the partner's router.

64
MCQmedium

An organization is using Cloud VPN with dynamic routing (BGP) to connect their on-premises network to Google Cloud. They want to prioritize traffic from on-premises to GCP over one VPN tunnel when multiple tunnels are available. Which BGP attribute should they configure on their on-premises router?

A.MED (Multi-Exit Discriminator)
B.AS path prepending
C.Origin attribute
D.Local Preference (LP)
AnswerB

AS path prepending makes a route less preferred, so the tunnel without prepending will be preferred for inbound traffic from on-premises.

Why this answer

AS path prepending makes a route less preferred by adding AS numbers to the path, which influences inbound traffic direction. To prioritize a tunnel, you would use a shorter AS path (or no prepending) on the preferred tunnel.

65
MCQeasy

An organization wants to connect their on-premises network to Google Cloud using a Dedicated Interconnect. They have ordered a circuit from a network service provider and need to determine the correct co-location facility to connect to. Which factor is most critical when selecting a co-location facility?

A.The facility must offer Layer 2 connectivity to the Google Cloud VPC.
B.The facility must be a Google Cloud partner facility with access to a Google PoP in the same metro as the on-premises data center.
C.The facility must support 100 Gbps ports to maximize throughput.
D.The facility must be in a different continent to ensure geographic redundancy.
AnswerB

This ensures low latency and meets the requirements for Dedicated Interconnect.

Why this answer

The co-location facility must be a Google Cloud partner facility that provides access to a Google Point of Presence (PoP) in the same metro area as the organization's on-premises data center to minimize latency and meet SLA requirements.

66
MCQmedium

A company is setting up HA VPN between GCP and an on-premises network. They need to configure two VPN tunnels for high availability. Which of the following is required for the HA VPN gateway?

A.A single external IP address shared by both interfaces.
B.A Cloud Router with BGP enabled on both tunnels.
C.A dedicated interconnect circuit.
D.Two external IP addresses, one for each interface.
AnswerD

HA VPN uses two interfaces with distinct external IPs.

Why this answer

An HA VPN gateway has two interfaces, each with its own external IP address. This allows two tunnels to be established for redundancy.

67
MCQeasy

A company needs to resolve DNS queries from their Google Cloud VPC for on-premises hostnames (e.g., internal.mycompany.com). They have a Cloud VPN tunnel between GCP and on-premises. Which approach should they use?

A.Configure an outbound DNS forwarding policy with Cloud Router to forward queries to on-premises DNS servers.
B.Create a DNS forwarding zone in Cloud DNS that points to the on-premises DNS server IPs via the Cloud Router.
C.Create a Cloud DNS private zone and add A records for each on-premises host.
D.Set up a BIND server on a Compute Engine instance and configure it as a forwarder.
AnswerB

This is the correct method: forwarding zone sends queries for the specified domain to on-premises DNS servers.

Why this answer

Cloud DNS forwarding zones allow you to forward queries for a specific domain (e.g., internal.mycompany.com) to on-premises DNS servers via the VPN tunnel.

68
Multi-Selecthard

An engineer is troubleshooting a High Availability VPN setup. The VPN tunnels are established, but the BGP sessions are flapping. Which THREE factors could cause this? (Choose THREE.)

Select 3 answers
A.Incorrect VLAN ID on the VLAN attachment
B.Mismatched BGP hold timer values
C.MTU mismatch causing packet fragmentation
D.Incorrect BGP password (MD5 authentication)
E.Duplicate AS number on the on-premises router
AnswersB, C, D

If the hold timers differ, the session may time out and flap.

Why this answer

BGP session flapping can be caused by mismatched parameters, MTU issues, or authentication problems.

69
Multi-Selectmedium

You need to monitor the health and performance of a Dedicated Interconnect connection. Which THREE Cloud Monitoring metrics should you use? (Choose three.)

Select 3 answers
A.interconnect/network/received_bytes_count
B.interconnect/link/packets_dropped
C.interconnect/network/sent_packets_count
D.interconnect/link/operational_status
E.interconnect/link/latency
AnswersA, B, D

Monitors inbound traffic volume.

Why this answer

Key metrics include received bytes count (for traffic), operational status (link up/down), and packets dropped (indicates errors or congestion). These are standard interconnect metrics.

70
MCQmedium

An organization wants to use Cloud DNS to forward DNS queries from on-premises to Google Cloud for a private zone. Which feature should they implement?

A.DNS peering
B.Inbound DNS policy
C.Outbound DNS forwarding zone
D.Private zone with DNS forwarding
AnswerB

Inbound DNS policy creates a forwarding IP that on-premises resolvers can use to query Cloud DNS private zones.

Why this answer

Inbound DNS policy provides a Google-managed forwarding IP address in your VPC that on-premises resolvers can use to forward queries to Cloud DNS private zones.
