CCNA VPC Implementation Questions

75 of 77 questions · Page 1/2 · VPC Implementation topic · Answers revealed

1
Multi-Select · hard

An organization is configuring Cloud NAT to allow private instances to access the internet. Which three statements about Cloud NAT are correct? (Choose three.)

Select 3 answers
A. Cloud NAT can be configured per subnet or per region.
B. Cloud NAT requires that the VPC has a default route (0.0.0.0/0) to the internet gateway.
C. Cloud NAT automatically assigns external IP addresses to instances.
D. Cloud NAT can be configured with a manual list of NAT IP addresses.
E. Cloud NAT supports both TCP and UDP protocols.
Answers: B, D, E

Without a default route, traffic cannot reach the internet.

Why this answer

Options A, C, and D are correct. Option A: Cloud NAT supports both TCP and UDP. Option C: Cloud NAT requires a default route (0.0.0.0/0) to the internet gateway to function.

Option D: Cloud NAT can be configured with a manual list of NAT IP addresses. Option B is incorrect because Cloud NAT provides NAT for instances without external IPs; it does not assign external IPs to instances. Option E is incorrect because Cloud NAT is regional, not per subnet; it applies to all subnets in the region that are configured to use it.

2
MCQ · medium

An engineer has set up VPC Network Peering between VPC-A and VPC-B. Both VPCs have non-overlapping CIDR ranges. The peering state is ACTIVE. However, instances in VPC-A cannot reach instances in VPC-B. The engineer verified that firewall rules allow the traffic. What should the engineer check next?

A. The subnet routes are exported from VPC-B to VPC-A.
B. The BGP session status on the Cloud Router.
C. The MTU size of the instances.
D. The route tables for the peered network.
Answer: A

Subnet routes must be exported explicitly if default export settings are changed.

Why this answer

Option D is correct because VPC Network Peering requires that subnet routes be exported from the peered VPC. By default, subnet routes are automatically exported, but if the peering configuration was modified (e.g., exportSubnetRoutesWithPublicIp set to false), routes may not be exported. The engineer should verify that VPC-B exports its subnet routes to VPC-A.

Option A is incorrect because MTU mismatch is unlikely to cause complete lack of connectivity. Option B is incorrect because BGP is not used in VPC peering. Option C is incorrect because the route tables themselves are not the issue; the missing routes are due to export settings.

3
MCQ · medium

A company needs to connect on-premises to Google Cloud with overlapping IP ranges. The on-premises network uses 10.0.0.0/16 and the VPC uses 10.0.0.0/16. What is the best approach?

A. Use Cloud NAT.
B. Use VPC peering.
C. Use Private Google Access.
D. Use Cloud VPN with source NAT on the on-premises side.
Answer: D

Source NAT allows overlapping IPs by translating them.

Why this answer

Cloud VPN with source NAT on the on-premises side translates overlapping addresses.

4
MCQ · medium

Refer to the exhibit. You have two VPCs, vpc-a and vpc-b, with VPC peering configured and custom route import/export enabled. An instance in subnet-a (10.0.1.2) cannot ping an instance in subnet-b (10.0.2.2) using internal IP. Firewall rules are default (deny all ingress). What is the required action?

A. Add a firewall rule allowing ICMP from 10.0.1.0/24 to 10.0.2.0/24.
B. Add a static route for the peer range.
C. Enable Private Google Access.
D. Create a Cloud VPN tunnel.
Answer: A

This rule allows the ping traffic between the subnets.

Why this answer

Even with peering, firewall rules are needed to allow traffic. Default deny all ingress blocks the ping.

5
MCQ · medium

A network engineer wants to allow specific instances to use Cloud NAT while others should not. Which configuration step should be taken?

A. Assign external IPs to non-NAT instances.
B. Use firewall rules to allow NAT for tagged instances.
C. Apply a network tag to instances that should use NAT and create a Cloud NAT with that tag.
D. Create separate subnets for NAT instances.
Answer: C

This is the standard method to select which instances are NATed.

Why this answer

Cloud NAT uses network tags to filter which instances use it.

6
MCQ · hard

A large enterprise has a Google Cloud environment with multiple projects under an organization. They have a Shared VPC host project with a VPC named 'shared-vpc' that has subnets in us-central1 and europe-west1. Several service projects are attached to this host project. One service project, 'proj-analytics', has a Compute Engine instance 'vm-analytics' in us-central1 that needs to connect to a Cloud SQL PostgreSQL instance (private IP) also in us-central1, but within a different service project 'proj-db'. The Cloud SQL instance is configured with a private IP address 10.0.1.5 from a subnet in 'shared-vpc' (the same VPC). The vm-analytics instance has an internal IP 10.0.0.5 from a different subnet in 'shared-vpc'. The two subnets are in the same region, and there is a firewall rule allowing all traffic from 10.0.0.0/16 (the entire VPC range) to the Cloud SQL subnet. However, vm-analytics cannot connect to the Cloud SQL instance. The error on vm-analytics is 'Connection timed out'. There are no firewall rules blocking egress from vm-analytics. What is the most likely cause and solution?

A. Grant the service project's compute engine default service account the Compute Network User role on the host project.
B. Enable Private Google Access on the vm-analytics subnet.
C. Create a firewall rule in the host project allowing ingress from the service project's subnets to the Cloud SQL subnet.
D. Configure a Cloud Router in the service project to advertise routes to the Cloud SQL subnet.
Answer: A

Without this role, the service project's instances cannot use the VPC resources, including the VPC peering routes to Cloud SQL.

Why this answer

Cloud SQL with private IP uses Private Service Access, which requires a VPC peering connection between the VPC and the service producer VPC (Google's). The Cloud SQL instance's private IP is accessible only from the VPC network where the peering is established. However, the issue often arises because the service project does not have the necessary IAM permissions or the VPC peering is set up in the host project but not propagated to service projects.

In this case, vm-analytics is in a service project attached to the Shared VPC, so it should have connectivity to the Cloud SQL private IP because it's in the same VPC. But the timeout suggests no route. One common cause is that the Private Service Access connection (VPC peering) is only set up in the host project's VPC, but the service project's VPC (which is actually the same VPC via Shared VPC) may not have routes to the peered network.

Actually, when using Shared VPC, the service projects use the host project's VPC, so routes from VPC peering are automatically propagated. However, there is a known issue: if the Cloud SQL instance is created in a service project that is attached to the same Shared VPC, the private service access must be configured in the host project. Also, the service project's service accounts may need the compute.networkUser role on the host project's VPC.

The most likely cause is that the VPC peering is set up but the service project's project does not have the necessary IAM role to use the peering. Option C is correct: Grant the service project's compute service account the Compute Network User role on the host project.

7
MCQ · hard

An organization uses Shared VPC with multiple service projects. They want to allow a service project to create a VM in a subnet that belongs to the host project. The subnet has an IAM policy that grants the compute.instanceAdmin role to the service project's service account. However, the service project is unable to create VMs in that subnet. What is the most likely reason?

A. The subnet IAM policy does not include the service project's service account.
B. The subnet is out of IP addresses.
C. The service project does not have the compute.instanceAdmin role on itself.
D. The service project is missing the compute.networkUser role on the host project.
Answer: D

The compute.networkUser role is required to use the host project's VPC networks.

Why this answer

In addition to subnet-level IAM, the service project must have the compute.networkUser role on the host project to use the Shared VPC. Option A is correct. Option B is wrong because the subnet IAM is sufficient for subnet access once the network user role is granted.

Option C is wrong because the service project's own IAM does not grant access to host project resources. Option D is wrong because quota is not the issue here.

8
MCQ · medium

A company has a multi-region VPC with subnets in us-central1 (10.0.0.0/24) and europe-west1 (10.0.1.0/24). They have deployed a global Application Load Balancer (ALB) with backend services in both regions. The backends are instance groups with instances in each subnet. The ALB uses internal IP addresses from a subnet in each region for the backend services. The company wants to restrict access to the ALB so that only traffic from a specific list of external IP addresses (e.g., corporate VPN) can reach the load balancer. They have created a firewall rule allowing ingress from those IP addresses to the ALB's forwarding rule IP (which is a global IP). However, external traffic from allowed IPs is still being blocked. What is the most likely reason?

A. The firewall rule should be created with priority lower than 1000 to override default deny.
B. VPC firewall rules do not apply to global load balancer's frontend; use Cloud Armor with IP whitelist.
C. The firewall rule must allow ingress from the allowed IPs to the backend instance's internal IPs.
D. The firewall rule must be applied to the backend instances' tags, not the forwarding rule IP.
Answer: B

Global ALB traffic bypasses VPC firewall; Cloud Armor provides access control at the edge.

Why this answer

The Global Application Load Balancer uses a frontend IP that is a global anycast IP. Firewall rules are applied at the network level and cannot filter traffic to global forwarding rules because the traffic is routed through Google's frontend infrastructure before reaching the VPC. To restrict access to a global ALB, you should use Cloud Armor or IAP, not VPC firewall rules.

Option C is correct: Use Cloud Armor with an IP whitelist to restrict access.

9
MCQ · hard

A company has deployed a global application on Compute Engine instances in multiple regions. Users are experiencing high latency connecting to the application. The network team wants to use Google Cloud's global network to improve performance. Which approach should they take?

A. Deploy a global HTTP(S) Load Balancer with backend services in each region.
B. Use Cloud DNS with geo-routing to direct users to regional load balancers.
C. Set up Cloud NAT with multiple static IP addresses for each region.
D. Assign a global anycast IP address to all instances and use BGP to advertise it.
Answer: A

Global HTTP(S) LB uses anycast IP and proxies traffic to the closest region, reducing latency.

Why this answer

A global HTTP(S) Load Balancer uses Google Cloud's global anycast IP address and the Google Front End (GFE) infrastructure to route traffic over Google's private network to the closest healthy backend instance. This reduces latency by avoiding the public internet and leveraging Google's global fiber backbone, making it the correct choice for improving performance for a globally distributed application.

Exam trap

Google Cloud often tests the misconception that anycast IPs can be directly assigned to instances or that BGP-based anycast is a viable option in Google Cloud, when in fact only Google-managed load balancers can provide anycast IPs, and customers cannot advertise their own anycast prefixes.

How to eliminate wrong answers

Option B is wrong because Cloud DNS with geo-routing directs users to regional load balancers based on DNS resolution, but DNS-based routing cannot react to real-time network conditions or instance health, and traffic still traverses the public internet after DNS resolution, failing to fully utilize Google's global network. Option C is wrong because Cloud NAT provides outbound internet access for instances without public IPs and does not improve inbound user latency; it is used for egress traffic, not ingress load balancing. Option D is wrong because assigning a global anycast IP address directly to instances and using BGP to advertise it is not supported in Google Cloud; Google Cloud does not allow customers to advertise their own anycast IPs via BGP, and instances cannot share a single anycast IP without a load balancer.

10
MCQ · medium

A company is migrating from an on-premises data center to Google Cloud. They have set up a High-Availability VPN (with two tunnels) between their on-premises router and a Cloud VPN gateway in a VPC. They use static routing. The on-premises network uses RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the VPC uses 10.1.0.0/16. They have configured static routes in the VPC for the on-premises ranges pointing to the VPN gateway. However, they notice that traffic from on-premises to the VPC is intermittent: sometimes packets go through tunnel 1, sometimes through tunnel 2, and sometimes they drop. The on-premises router is configured to use both tunnels in an active-active mode with equal-cost multipath (ECMP). What is the most likely cause of the intermittent drops?

A. Increase the number of tunnels to four to distribute traffic better.
B. Change from static routing to dynamic routing (BGP) to allow the Cloud VPN gateway to advertise routes and avoid ECMP issues.
C. Set the on-premises router to active-passive mode using only one tunnel at a time.
D. Configure traffic selector policies on the VPN tunnels to ensure each tunnel only handles specific subnets.
Answer: B

BGP provides better control over path selection and is recommended for HA VPN with multiple tunnels.

Why this answer

Cloud VPN with static routing does not support ECMP for traffic going from the VPC to on-premises, but from on-premises to VPC, ECMP is possible if the on-premises router distributes traffic across multiple tunnels. However, Cloud VPN gateways have a known limitation: when using static routing, the Cloud VPN gateway treats each tunnel as a separate next-hop, and the VPC routes point to the gateway, not individual tunnels. Actually, for incoming traffic from on-premises, the Cloud VPN gateway receives the packets on either tunnel and forwards them to the VPC.

The issue is that the on-premises router may be sending packets out of order due to ECMP, and the Cloud VPN gateway may not reassemble them correctly, causing drops. But more commonly, if the on-premises router uses ECMP across tunnels that terminate on the same Cloud VPN gateway, the gateway may see packets from different flows on different tunnels, but the gateway will forward them correctly. A more likely cause is that the VPN tunnels do not have matching encryption domains or the on-premises router's ECMP algorithm is not consistent.

The correct action is to use BGP dynamic routing to avoid ECMP issues, or to use active-passive mode. Option A is correct: Switch to BGP routing, which allows better path selection and route advertisement.

11
MCQ · medium

Refer to the exhibit. A VM in my-subnet without an external IP address cannot access Google APIs. What is the likely missing configuration?

A. Create a Cloud NAT.
B. Add a firewall rule to allow egress to 0.0.0.0/0.
C. Enable Private Google Access on the subnet.
D. Add a default route to the internet gateway.
Answer: C

The setting privateIpGoogleAccess is currently false; enabling it allows access to Google APIs.

Why this answer

The subnet has privateIpGoogleAccess set to false, which must be enabled for VMs without external IPs to access Google APIs via Private Google Access. Option A is correct. Option B is not needed because egress to 0.0.0.0/0 is allowed by default.

Option C is not required for Private Google Access (Cloud NAT is for outbound internet to non-Google destinations). Option D is not missing; a default route exists as indicated by gatewayAddress.

12
MCQ · medium

A company is deploying a multi-tier web application on Google Cloud. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier must not have any public IP addresses. Which VPC design should be used?

A. Use a Shared VPC with separate subnets in different projects for each tier.
B. Use three separate VPCs for each tier and connect them using VPC peering.
C. Use a single VPC and connect the database tier via Cloud VPN to on-premises.
D. Use a single VPC with separate subnets for each tier and configure firewall rules to restrict traffic.
Answer: B

Separate VPCs provide full isolation; peering allows controlled communication.

Why this answer

Option B is correct because using three separate VPCs with VPC peering enforces strict network segmentation: the web tier VPC has a public subnet with an internet gateway, the application tier VPC is peered only to the web tier VPC (no internet gateway), and the database tier VPC is peered only to the application tier VPC (no public IPs). This design ensures that the database tier has no public IP addresses and is only reachable through the application tier, meeting all security requirements.

Exam trap

Google Cloud often tests the misconception that firewall rules alone can prevent public IP assignment, but the trap here is that firewall rules control traffic, not the existence of a public IP address on a resource; the database tier must have no public IP at all, which requires a VPC design that prohibits internet gateway routes.

How to eliminate wrong answers

Option A is wrong because Shared VPC with separate subnets in different projects still places all subnets within the same VPC, meaning the database tier could potentially be assigned a public IP (unless explicitly prevented) and traffic between tiers is not isolated at the VPC level, violating the 'no public IP' requirement. Option C is wrong because using a single VPC with Cloud VPN to on-premises does not address the requirement to isolate the database tier from the internet; the database tier would still reside in the same VPC as the web tier, and Cloud VPN is for hybrid connectivity, not for tier isolation. Option D is wrong because a single VPC with separate subnets and firewall rules does not prevent the database tier from having a public IP address (firewall rules control traffic, not IP assignment), and the database tier could still be assigned a public IP via an external IP address on its instances, which violates the explicit requirement.

13
MCQ · hard

Refer to the exhibit. A VM in the my-vpc network is unable to reach an external HTTPS server. What is the most likely cause?

A. The deny-all-egress firewall rule blocks all outbound traffic.
B. The allow-custom-internal rule only allows inbound traffic.
C. No rule allows outbound traffic to port 443.
D. The default-allow-ssh rule has a low priority.
Answer: A

This egress deny rule with priority 1000 blocks all outbound traffic, including HTTPS.

Why this answer

The default VPC configuration includes a deny-all-egress firewall rule with the lowest priority (65535) that blocks all outbound traffic not explicitly allowed. Since no higher-priority rule permits outbound traffic to the external HTTPS server (port 443), the VM's HTTPS requests are dropped by this implicit deny rule, preventing connectivity.

Exam trap

Google Cloud often tests the misconception that a missing allow rule is the direct cause, rather than recognizing the explicit deny-all-egress rule with lowest priority as the actual blocking mechanism.

How to eliminate wrong answers

Option B is wrong because the allow-custom-internal rule (priority 1000) allows inbound and outbound traffic within the VPC using the 'custom' target tag, but it does not affect external HTTPS traffic; the issue is outbound, not inbound. Option C is wrong because while no rule explicitly allows outbound HTTPS, the deny-all-egress rule is the actual blocking mechanism—the absence of an allow rule alone does not cause the block; the explicit deny rule does. Option D is wrong because the default-allow-ssh rule (priority 65534) allows inbound SSH on port 22, but it has no relevance to outbound HTTPS traffic; priority only matters when rules conflict, and this rule does not apply to the egress direction or port 443.

14
MCQ · medium

A company uses Cloud NAT to allow instances without external IPs to access the internet. They have a managed instance group (MIG) in us-central1 with 10 instances, all using the same Cloud NAT configured with a single NAT IP address. They notice that some instances are unable to connect to a specific external API endpoint, while others can. The error on the failing instances is 'Cannot connect to host'. The NAT IP is not blacklisted by the API. The Cloud NAT gateway has default settings with a minimum port per VM of 64 and a maximum of 65536. What is the most likely cause?

A. The instances are using different service accounts, and the NAT is not configured to allow all.
B. The Cloud NAT's idle timeout is set too low, causing connections to be dropped.
C. The external API endpoint has a rate limit that is being hit by the NAT IP.
D. Port exhaustion is occurring; increase the number of NAT IPs or increase the minimum ports per VM.
Answer: D

Port exhaustion affects VMs that make many outbound connections; increasing NAT IPs provides more ports.

Why this answer

Cloud NAT uses source network address translation (SNAT) and maps internal IPs to the NAT IP using ports. By default, Cloud NAT allocates a range of ports per VM. If the instances are making many connections, they may exhaust the allocated ports.

The symptom that only some instances fail suggests that the failing instances may have run out of ephemeral ports. Option D is correct: Increase the number of NAT IP addresses or increase the minimum ports per VM.

15
Multi-Select · easy

A company is designing a VPC routing strategy. Which three are valid route types in Google Cloud VPC? (Choose three.)

Select 3 answers
A. System-generated routes
B. Dynamic routes learned through BGP
C. VPN tunnel routes
D. Custom static routes
E. Peering routes
Answers: A, B, D

Created automatically for subnets and default internet gateway.

Why this answer

Options A, B, and C are correct. System-generated routes are created automatically (e.g., subnet routes, default internet gateway routes). Custom static routes are manually created.

Dynamic routes are learned through BGP. Option D is incorrect because 'VPN tunnel routes' is not a route type; VPN tunnels use BGP or static routes. Option E is incorrect because 'Peering routes' are not a separate type; they are system-generated routes imported from peered VPCs.

16
MCQ · easy

Which of the following is a benefit of using Shared VPC?

A. Centralized network administration and separation from application projects.
B. Lower cost compared to VPC peering.
C. Automatic failover for applications.
D. Reduced latency between instances.
Answer: A

This is the primary benefit of Shared VPC.

Why this answer

Shared VPC allows centralized network administration with separation of application projects.

17
Multi-Select · hard

A company has a VPC with multiple subnets. They want to restrict traffic between two subnets (Subnet-A and Subnet-B) using VPC firewall rules. Which THREE conditions must be met for a firewall rule to block traffic from Subnet-A to Subnet-B?

Select 3 answers
A. The rule must be applied using network tags on instances in Subnet-A.
B. The rule must be an ingress rule with source set to Subnet-A IP range and destination set to Subnet-B IP range.
C. The rule must have action set to 'deny' and apply to all instances in Subnet-B.
D. The rule must also allow return traffic from Subnet-B to Subnet-A.
E. The rule must have a lower priority number (higher priority) than any allow rules between the subnets.
Answers: B, C, E

To block traffic from A to B, the ingress rule on Subnet-B must block source A.

Why this answer

Option B is correct because VPC firewall rules in Google Cloud are stateful and defined as ingress or egress rules. To block traffic from Subnet-A to Subnet-B, you need an ingress rule on Subnet-B (the destination) with the source set to Subnet-A's IP range and the destination set to Subnet-B's IP range. This ensures the rule applies to incoming traffic from Subnet-A, and the action 'deny' will drop the packets.

Exam trap

Google Cloud often tests the misconception that firewall rules must be applied to both subnets or that return traffic requires a separate rule, but Google Cloud's stateful firewall automatically handles return traffic for allowed connections, so only the blocking rule is needed.

18
MCQ · easy

A company wants to connect two VPC networks using VPC Network Peering. What is required for this setup?

A. A Cloud VPN tunnel must be established.
B. Both VPCs must belong to the same organization.
C. The VPCs must have non-overlapping IP ranges.
D. Both VPCs must be in the same region.
Answer: C

Overlapping IP ranges cause routing conflicts.

Why this answer

VPC Network Peering requires that the IP ranges of the peered networks do not overlap. Option B is correct. Option A is wrong because peering is not dependent on region.

Option C is wrong because Cloud VPN is a separate technology. Option D is wrong because peering can be within the same organization or across different organizations.

19
MCQ · easy

A company uses a VPC with two subnets: subnet-a (10.0.1.0/24) with VMs tagged 'web', and subnet-b (10.0.2.0/24) with VMs tagged 'db'. They have a Cloud VPN tunnel to an on-premises network (172.16.0.0/16). The VPN tunnel is up and BGP is exchanging routes. A custom route for 172.16.0.0/16 with next hop VPN gateway exists, but it has a tag 'web', meaning it applies only to VMs with the 'web' tag. VMs in subnet-a can reach on-premises, but VMs in subnet-b cannot. Which step should be taken to allow subnet-b VMs to reach on-premises?

A. Create a new route for 172.16.0.0/16 with priority 1000 and no tag.
B. Add the 'db' tag to the custom route.
C. Remove the tag from the existing route.
D. Add a firewall rule to allow egress traffic from subnet-b.
Answer: B

Adding the tag will make the route applicable to VMs in subnet-b, allowing them to reach on-premises.

Why this answer

The custom route for 172.16.0.0/16 is tagged with 'web', so it only applies to VMs that have the 'web' tag. Subnet-b VMs are tagged 'db', so they do not match the route and cannot reach on-premises. Adding the 'db' tag to the route makes it apply to both tagged groups, enabling connectivity for subnet-b VMs without affecting existing traffic.

Exam trap

Google Cloud often tests the misconception that firewall rules are the cause of connectivity issues when the real problem is route scope or tag-based route applicability, leading candidates to incorrectly choose a firewall-related option like D.

How to eliminate wrong answers

Option A is wrong because creating a new route with priority 1000 and no tag would introduce a lower-priority route that applies to all VMs, but the existing tagged route (default priority 1000) would still take precedence for 'web' VMs; however, the real issue is that the route must match the 'db' tag, and a new untagged route would work but is unnecessary and could cause confusion. Option C is wrong because removing the tag from the existing route would make it apply to all VMs, including 'db' VMs, but it would also remove the intended restriction for 'web' VMs, potentially breaking security or routing policy. Option D is wrong because the problem is a routing issue, not a firewall issue; egress firewall rules control packet filtering, not route selection, and subnet-b VMs already have implicit egress allowed unless explicitly blocked.

20
Multi-Select · medium

A company is setting up a VPC with private Google Access enabled for on-premises connectivity via Cloud VPN. Which TWO of the following are required for on-premises hosts to access Google APIs (e.g., Cloud Storage) using private IP addresses?

Select 2 answers
A. Cloud DNS forwarding zone to forward requests to Google APIs' public DNS.
B. Private Google Access enabled on the subnet where the VPN gateway resides.
C. Firewall rule allowing ingress from on-premises to 0.0.0.0/0.
D. Cloud NAT configured in the VPC.
E. A custom route in the VPC that sends traffic to 199.36.153.4/30 and 199.36.153.8/30 to the VPN tunnel.
Answers: B, E

This allows on-premises traffic to reach Google APIs via the VPN.

Why this answer

Private Google Access enables on-premises hosts to reach Google APIs using private IP addresses when connected via Cloud VPN. It must be enabled on the subnet where the VPN gateway resides so that the VPC routes traffic from the VPN tunnel to Google's private API endpoints. This allows the on-premises hosts to use their private IPs without needing public IPs or internet access.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for private access, but Private Google Access and custom routes to the 199.36.153.4/30 and 199.36.153.8/30 ranges are the correct components for on-premises private API access via Cloud VPN.

21
MCQ · hard

A company is designing a multi-region architecture with Active/Active failover across two regions using Cloud VPN. They want to ensure that traffic from on-premises to a global external HTTPS load balancer is routed to the nearest region based on latency. What should they configure on the on-premises side?

A. Local preference on the on-premises router.
B. Multi-Exit Discriminator (MED) on the Google Cloud side.
C. Static routes pointing to the VPC subnet in each region.
D. BGP AS Path prepending to make one path appear longer.
Answer: D

AS Path prepending can influence outbound routing to prefer the path with shorter AS path, but for latency, you may need other mechanisms like IGP metrics or BGP communities; however, among these options, AS Path prepending is a common technique to influence route selection.

Why this answer

To direct traffic to the nearest region based on latency, on-premises routers should use BGP with AS Path prepending to influence path selection. Option D is correct. Option A is wrong because static routes don't consider latency.

Option B is wrong because MED is used for inbound traffic, not outbound. Option C is wrong because local preference influences outbound traffic from on-premises but is not the primary method for latency-based routing.

22
MCQ · easy

A small company has a single VPC with one subnet in us-central1 (10.0.1.0/24). They have a Compute Engine instance that needs to be reachable from the internet via HTTP (port 80) and HTTPS (port 443). The instance has an external IP address (ephemeral). They have created firewall rules allowing ingress on TCP 80 and 443 from 0.0.0.0/0, with target tags 'web-server'. The instance has been assigned the tag 'web-server'. However, external users report that they cannot access the instance's public IP on either port. The instance's OS firewall (iptables) is default allow. What is the most likely cause?

A. The instance's external IP is ephemeral and may have changed, so users should use the new IP or reserve a static IP.
B. The instance's OS firewall is blocking the traffic; check iptables.
C. The VPC needs a custom route for the internet gateway.
D. The firewall rules must be applied to the subnet, not the instance tag.
Answer: A

Ephemeral IPs can change, causing connectivity issues; a static IP is recommended.

Why this answer

The most likely cause is that the instance's external IP is ephemeral and changed after a stop/start, so external users are still trying the old address. The other candidates can be ruled out: the firewall rules target the tag 'web-server', which the instance carries, so the rules apply; every VPC automatically has a default route (0.0.0.0/0) to the internet gateway, so no custom route is needed to let internet traffic reach the instance; and the instance's iptables is default allow, so the OS firewall is not blocking.

Option A is correct: the external IP might have changed after a restart.

23
Drag & Dropmedium

Drag and drop the steps to configure a Cloud NAT for private instances to access the internet into the correct order.


Why this order

Cloud NAT requires a Cloud Router first. Then create NAT, assign IPs, and apply to subnets. Testing confirms internet access.

24
MCQeasy

A developer needs to allow a VM in subnet A to reach a VM in subnet B in the same VPC. What is the default behavior?

A.A custom route must be added to route between subnets.
B.A firewall rule must be added to allow traffic between subnets.
C.The default firewall rule allows all internal traffic within the VPC.
D.VPC peering is required for communication between subnets.
AnswerC

The default allow-internal firewall rule permits all traffic within the VPC.

Why this answer

By default, VPC networks allow all internal traffic between subnets. Option C correctly states this. Option B is wrong because no additional firewall rule is needed for internal traffic.

Option D is wrong because VPC peering is for cross-VPC connectivity. Option A is wrong because custom routes are not required for internal subnet communication.

25
MCQmedium

A company has a VPC with subnets in us-central1 and europe-west1. They want to deploy a Cloud NAT to allow VMs in both regions to access the internet. How many Cloud NAT gateways are needed?

A.None; Cloud NAT is not required for internet access.
B.One Cloud NAT gateway per subnet.
C.Two Cloud NAT gateways, one per region.
D.One Cloud NAT gateway covering both regions.
AnswerC

Cloud NAT is regional, so one per region is needed.

Why this answer

Cloud NAT is regional; one gateway is needed per region. Therefore, two Cloud NAT gateways are required. Option C is correct.

Option D is wrong because a single gateway covers only one region; Cloud NAT is not global. Option B is wrong because each subnet uses its regional gateway rather than needing one of its own.

26
Multi-Selecteasy

Which TWO of the following are required to enable Private Google Access for a subnet?

Select 2 answers
A.Create a private services access connection.
B.Enable Private Google Access on the subnet.
C.Create a Cloud NAT.
D.Configure a default route with next-hop internet gateway.
E.Enable VPC flow logs.
AnswersB, D

This setting is required at the subnet level.

Why this answer

To enable Private Google Access, you must enable the setting on the subnet (B) and have a default route with next-hop internet gateway (D) for traffic to Google APIs. Option C is incorrect because Cloud NAT is not required. Option A is incorrect because private services access is for Google-managed services like Cloud SQL.

Option E is incorrect because VPC flow logs are optional.

27
Multi-Selectmedium

A company wants to establish a VPC peering connection between two VPCs in different projects. Which two steps are mandatory to create the peering connection?

Select 2 answers
A.Assign a public IP to the VMs in both VPCs.
B.Ensure the VPCs have non-overlapping subnet IP address ranges.
C.Create a peering connection from each project's VPC to the other.
D.Create a firewall rule allowing all traffic between the VPCs.
E.Configure a Cloud Router with BGP sessions.
AnswersB, C

Overlapping ranges cause routing conflicts and are not allowed in VPC peering.

Why this answer

Option B is correct because VPC peering relies on private IP routing between the two VPCs. If the IP address ranges overlap, the VPC route tables cannot distinguish which VPC a packet belongs to, causing routing conflicts and preventing the peering connection from being established. Google Cloud requires that the VPCs have non-overlapping subnet CIDR blocks for successful peering.

Exam trap

Google Cloud often tests the misconception that firewall rules are mandatory for creating a VPC peering connection, but in reality, the peering is a network-layer connectivity setup that can exist without any firewall rules, which are only needed to allow traffic after the peering is active.

28
MCQeasy

A startup wants to create a VPC with a subnet that can grow automatically as they add more VM instances. Which subnet type should they use?

A.Custom mode subnet
B.Dynamic subnet
C.Legacy network
D.Auto mode subnet
AnswerD

Auto mode subnets automatically allocate IP ranges and expand as needed.

Why this answer

An auto mode subnet automatically creates subnets in each region and assigns IP address ranges from a predefined pool that can expand as you add more VM instances. This allows the subnet to grow without manual intervention, making it ideal for startups that need dynamic scaling.

Exam trap

Google Cloud often tests the distinction between auto mode and custom mode subnets, where candidates mistakenly think 'dynamic subnet' is a real option or assume custom mode can auto-expand, but only auto mode provides automatic regional subnet creation and growth.

How to eliminate wrong answers

Option A is wrong because a custom mode subnet requires manual IP range configuration and does not automatically expand; you must explicitly add new subnets or modify CIDR blocks. Option B is wrong because 'Dynamic subnet' is not a valid VPC subnet type in Google Cloud; the correct terms are auto mode and custom mode. Option C is wrong because a legacy network is a deprecated, flat network model that lacks VPC features like subnets, routing, and firewall rules, and cannot automatically grow with VM instances.

29
Multi-Selecthard

A company has a VPC that is connected to an on-premises network via a Cloud VPN tunnel using dynamic routing (BGP). They have set up a Cloud Router with an advertised IP range of 10.0.0.0/8. The on-premises network advertises 172.16.0.0/12. They also have a custom static route in the VPC for 10.0.0.0/8 that points to a next-hop VPN tunnel (the same tunnel) with priority 100. Recently, they added a new subnet 10.1.0.0/24 in the VPC. Traffic from on-premises to 10.1.0.0/24 is not working. Which THREE steps should they take to troubleshoot and resolve the issue? (Choose 3.)

Select 3 answers
A.Change the static route priority to 1000 to match dynamic routes.
B.Verify that the Cloud Router is advertising the 10.1.0.0/24 subnet to on-premises.
C.Verify that the new subnet's range is allowed in the on-premises firewall and route tables.
D.Delete the static route for 10.0.0.0/8 and rely solely on dynamic routing.
E.Check the BGP session status between the Cloud Router and the on-premises router.
AnswersB, C, E

The Cloud Router may not automatically advertise new subnets unless configured to do so via custom advertisements.

Why this answer

At first glance the static route for 10.0.0.0/8 with priority 100 looks like it could override the dynamically learned routes. Dynamic routes from Cloud Router have a priority value of 1000 by default, and because a lower value takes precedence in Google Cloud, the static route at 100 would win over a dynamic route for the same prefix. However, the static route points to the same VPN tunnel, and route selection considers the most specific match first.

The subnet 10.1.0.0/24 is more specific than 10.0.0.0/8, so a route for 10.1.0.0/24 wins over the broad static route; the static route does not prevent more specific routes from being used. The problem is therefore more likely that the Cloud Router is not advertising the new subnet to on-premises, that the on-premises router is not accepting the update, or that the BGP session is down.

Option B is correct: verify that the Cloud Router is advertising the subnet. Option E is correct: check the BGP session status. Option C is correct: check the on-premises firewall and route tables.

Option A is incorrect because changing the static route priority would not help, and Option D is incorrect because the static route can be kept for other ranges.
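The route-selection and advertisement reasoning above, as an added example that is not part of the original page: a simplified Python model (not Google's code) of how a VPC picks a route (longest matching prefix first, then the lowest priority number) and of which subnet ranges a Cloud Router announces in DEFAULT versus CUSTOM advertisement mode. The route names, the tunnel name and the 10.0.1.0/24 subnet are constructed for illustration; subnet routes are modelled as priority 0 because they are local to the VPC.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical, simplified model of Google Cloud VPC route selection written
# for this quiz. Rules modelled: the route with the longest matching prefix
# wins; among equal-length prefixes the LOWEST priority number wins; subnet
# routes are local to the VPC and are modelled as priority 0.


@dataclass(frozen=True)
class Route:
    name: str
    dest: str       # destination CIDR
    next_hop: str   # e.g. a VPN tunnel, or "local" for subnet routes
    priority: int   # 0-65535; a lower number takes precedence
    kind: str       # "subnet", "static" or "dynamic"


# Constructed route table for the VPC in question 29.
VPC_ROUTES = [
    Route("subnet-10-1", "10.1.0.0/24", "local", 0, "subnet"),
    Route("static-10-8", "10.0.0.0/8", "vpn-tunnel-1", 100, "static"),
    # A dynamic route for the same /8 at the default priority value of 1000
    # loses to the static route above, because 100 < 1000.
    Route("dynamic-10-8", "10.0.0.0/8", "vpn-tunnel-1", 1000, "dynamic"),
    Route("dynamic-172-16", "172.16.0.0/12", "vpn-tunnel-1", 1000, "dynamic"),
]


def select_routes(routes, dst_ip):
    """Return the winning route(s) for dst_ip (several => ECMP candidates)."""
    ip = ipaddress.ip_address(dst_ip)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.dest)]
    if not matching:
        return []
    longest = max(ipaddress.ip_network(r.dest).prefixlen for r in matching)
    most_specific = [r for r in matching
                     if ipaddress.ip_network(r.dest).prefixlen == longest]
    best = min(r.priority for r in most_specific)
    return [r for r in most_specific if r.priority == best]


def advertised_prefixes(advertise_mode, subnet_ranges, custom_ranges=()):
    """Prefixes a Cloud Router announces to its BGP peer (simplified).

    DEFAULT mode advertises every subnet range in the VPC, including subnets
    added later; CUSTOM mode advertises only the explicitly listed ranges,
    which is how a newly created subnet can be silently left out.
    """
    if advertise_mode == "DEFAULT":
        return sorted(subnet_ranges)
    if advertise_mode == "CUSTOM":
        return sorted(custom_ranges)
    raise ValueError(f"unknown advertise mode: {advertise_mode}")


def missing_advertisements(advertise_mode, subnet_ranges, custom_ranges=()):
    """Subnet ranges the on-premises side will never learn via BGP."""
    announced = set(advertised_prefixes(advertise_mode, subnet_ranges,
                                        custom_ranges))
    return sorted(set(subnet_ranges) - announced)


if __name__ == "__main__":
    for dst in ("10.1.0.5", "10.9.0.1", "172.16.5.5", "192.168.1.1"):
        print(dst, [r.name for r in select_routes(VPC_ROUTES, dst)])
    subnets = ["10.0.1.0/24", "10.1.0.0/24"]
    print("not advertised in CUSTOM mode:",
          missing_advertisements("CUSTOM", subnets, ["10.0.1.0/24"]))
```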

30
MCQeasy

Refer to the exhibit. Instances in subnet-b cannot access the internet through Cloud NAT. What is the most likely reason?

A.The firewall rules in subnet-b block egress.
B.The NAT IP address pool is exhausted.
C.Subnet-b has overlapping subnets.
D.Subnet-b is not included in the Cloud NAT configuration.
AnswerD

The exhibit shows only subnet-a in the NAT, so subnet-b has no NAT.

Why this answer

The Cloud NAT configuration only includes subnet-a, so subnet-b is not NATed.

31
MCQhard

A company is designing a network for a critical application that requires sub-millisecond latency between two Compute Engine instances. The instances are located in different zones within the same region. Which VPC configuration will provide the lowest latency?

A.Use VPC Network Peering between two different VPCs.
B.Place instances in different VPCs and use a VPN between them.
C.Place both instances in the same VPC, using internal IP addresses.
D.Assign external IP addresses to both instances and communicate over the internet.
AnswerC

Internal IPs stay within Google's network, providing lowest latency.

Why this answer

Option C is correct because placing both Compute Engine instances in the same VPC and using internal IP addresses ensures traffic stays within Google's private network backbone, bypassing any external gateways or internet hops. This configuration leverages Google's internal routing with sub-millisecond latency between zones in the same region, as traffic is forwarded at the hypervisor level without encapsulation or additional network hops.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering provides equivalent latency to a single VPC, but the trap here is that peering adds a logical routing boundary and potential latency overhead, making a single VPC with internal IPs the only option for guaranteed sub-millisecond performance.

How to eliminate wrong answers

Option A is wrong because VPC Network Peering connects two separate VPCs, introducing an additional routing hop and potential latency from peering gateway processing, which cannot match the direct internal path within a single VPC. Option B is wrong because using a VPN between different VPCs adds encapsulation overhead (IPsec) and encryption processing, significantly increasing latency beyond sub-millisecond requirements. Option D is wrong because communicating over the internet via external IP addresses forces traffic through Google's external edge routers and the public internet, adding unpredictable latency and jitter, and is fundamentally slower than internal VPC routing.

32
MCQmedium

A company is migrating its on-premises infrastructure to Google Cloud. They need to connect their VPC to a third-party SaaS provider that only supports IPsec VPN. The company requires high availability and automatic failover. Which solution should they implement?

A.Deploy two Cloud VPN tunnels from two Cloud Routers with BGP sessions to the peer VPN device.
B.Use Dedicated Interconnect with VLAN attachments to the SaaS provider.
C.Deploy a Classic VPN tunnel with policy-based routing.
D.Deploy a single Cloud VPN tunnel and use static routing.
AnswerA

This provides HA with automatic failover via BGP; Cloud Routers enable dynamic routing and fast convergence.

Why this answer

Option A is correct because deploying two Cloud VPN tunnels from two Cloud Routers with BGP sessions provides high availability and automatic failover. The two Cloud Routers in different zones ensure redundancy, and BGP (Border Gateway Protocol) dynamically advertises routes and detects tunnel failures, allowing traffic to automatically switch to the healthy tunnel without manual intervention. This meets the requirement for an IPsec VPN connection to a third-party SaaS provider that only supports IPsec VPN.

Exam trap

The trap here is that candidates often assume Dedicated Interconnect is always superior for high availability, but the question explicitly requires IPsec VPN, and Interconnect does not support IPsec VPN, making it an invalid choice despite its high availability features.

How to eliminate wrong answers

Option B is wrong because Dedicated Interconnect is a direct physical connection to Google Cloud, not an IPsec VPN, and the SaaS provider only supports IPsec VPN, making this incompatible. Option C is wrong because Classic VPN with policy-based routing does not support BGP and cannot provide automatic failover; it relies on static routing and manual intervention for failover, which does not meet the high availability requirement. Option D is wrong because a single Cloud VPN tunnel with static routing lacks redundancy and automatic failover; if the tunnel fails, traffic is dropped until manual recovery, violating the high availability requirement.

33
MCQhard

Two organizations have their own GCP projects with VPCs that are peered. They want to allow a service in VPC-A to be consumed by VPC-B using Private Service Connect. What configuration is required in VPC-A?

A.Create a Private Service Connect endpoint in VPC-A.
B.Enable Private Google Access on the subnet where the service resides.
C.Create a Private Service Connect service attachment and publish the service.
D.Create a VPC peering connection with VPC-B.
AnswerC

The producer publishes the service via a service attachment.

Why this answer

Option C is correct because the producer (VPC-A) must create a Private Service Connect service attachment that publishes the service. This attachment is associated with a load balancer or a service. Option A is incorrect because the endpoint is created in the consumer VPC (VPC-B).

Option D is incorrect because VPC peering is not used with Private Service Connect (services can be consumed across organizations without peering). Option B is incorrect because Private Google Access is unrelated to publishing services.

34
MCQmedium

A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They need to add a new subnet for a Kubernetes cluster that requires a secondary IP range for pods. The primary IP range of the new subnet must be 10.0.2.0/24. What is the correct way to create this subnet?

A.Create the subnet with primary range 10.0.2.0/24 and specify the secondary range at creation time.
B.Create the subnet with primary range 10.0.2.0/24 and then update it to add the secondary range.
C.Create two subnets: one with 10.0.2.0/24 for primary and another for the secondary range.
D.Create an auto mode subnet and let Google Cloud assign the secondary range automatically.
AnswerA

Secondary ranges must be specified at subnet creation.

Why this answer

Option A is correct because in Google Cloud VPC, a subnet can have both a primary IP range and one or more secondary IP ranges, and these secondary ranges must be specified at subnet creation time. For a Kubernetes cluster, the secondary range for pods is required, and it cannot be added after the subnet is created; it must be defined during the initial subnet creation.

Exam trap

Google Cloud often tests the misconception that secondary IP ranges can be added to an existing subnet via an update, but in Google Cloud, they must be specified at subnet creation time and are immutable afterward.

How to eliminate wrong answers

Option B is wrong because Google Cloud does not allow adding a secondary IP range to an existing subnet after creation; secondary ranges must be specified at creation time. Option C is wrong because a single subnet can have both primary and secondary ranges, and creating two separate subnets would not associate the secondary range with the primary subnet as required by Kubernetes. Option D is wrong because auto mode subnets automatically assign primary ranges, but they do not automatically assign secondary ranges; secondary ranges must be explicitly defined, and auto mode does not solve the requirement for a specific primary range.

35
Multi-Selecteasy

A company is planning to migrate its on-premises workloads to Google Cloud. They have a few dedicated servers that need to be reachable from the internet via specific public IPs. Which TWO options should they consider to assign static public IP addresses to their Compute Engine instances? (Choose 2.)

Select 2 answers
A.Promote an existing ephemeral external IP address to static.
B.Reserve a new static external IP address and then assign it to the instance's network interface.
C.Assign a static internal IP address and use it as the public IP via DNS.
D.Configure Cloud NAT to assign a static IP for inbound traffic.
E.Use the instance's internal IP address as the public IP by configuring the VPC firewall.
AnswersA, B

If an instance already has an ephemeral IP, you can promote it to static without changing the address.

Why this answer

Static external IP addresses can be reserved as either regional or global. Option B is correct: reserve a static external IP address and assign it to the instance's network interface. Option A is correct: promote an existing ephemeral external IP to static.

Option E is incorrect because internal IPs are not accessible from the internet. Option C is incorrect because you cannot use an internal IP as an external IP. Option D is incorrect because Cloud NAT is for outbound internet access, not inbound.

36
MCQeasy

An organization needs to connect two VPCs in different regions using Google's backbone. What is the recommended solution?

A.Cloud VPN
B.Dedicated Interconnect
C.Cloud NAT
D.VPC Peering
AnswerD

VPC Peering connects VPCs using Google's private network.

Why this answer

VPC Peering uses Google's backbone to connect VPCs across regions without public internet.

37
MCQeasy

A company has two VPC networks in the same project: 'vpc-a' (us-central1) and 'vpc-b' (us-east1). They are connected via VPC Network Peering. An instance in vpc-a can ping the internal IP of an instance in vpc-b, but cannot reach it on TCP port 8080. The firewall rule in vpc-b allows ingress from the peered network's subnets. What is the most likely cause?

A.The instance in vpc-b has a firewall rule that denies TCP port 8080 explicitly.
B.The subnet in vpc-a is in a different region, so peering does not support cross-region communication.
C.The firewall rule for port 8080 is missing or uses an incorrect target tag or service account.
D.The firewall rule in vpc-b must allow ingress from the entire CIDR of vpc-a's subnet, not just the peered network.
AnswerC

Since ICMP works but TCP 8080 does not, the specific firewall rule for port 8080 is likely missing or misconfigured.

Why this answer

The firewall rule in vpc-b allows ingress from the peered network's subnets, but VPC Network Peering does not automatically allow all traffic; firewalls must be configured explicitly. Since ICMP works, the issue is specific to TCP 8080, most likely a firewall rule that is missing or misconfigured for that port. Option C is correct because even if a rule allows the peered subnets as a source, it may not include the correct port or target tags.

38
MCQmedium

A company wants to enable VPC Flow Logs for a subnet to troubleshoot connectivity issues. They have enabled flow logs with a sample rate of 1.0 and metadata annotation enabled. After a few hours, they notice that logs are being generated but they are missing flows from a specific application server to a database server in the same subnet. Both servers are Compute Engine instances with internal IPs only. What could be the cause?

A.The instances are using internal DNS names, and flow logs only capture traffic by IP address.
B.The sample rate of 1.0 means all flows are sampled, but metadata annotation may be causing some flows to be dropped.
C.Flow logs must be enabled on the VPC network, not just the subnet.
D.VPC Flow Logs do not capture traffic between instances in the same subnet because it does not traverse the VPC router.
AnswerD

Traffic within the same subnet is sent directly at layer 2, bypassing the router where flow logs are captured.

Why this answer

VPC Flow Logs record IP traffic for both ingress and egress, but only for flows that traverse the virtual network stack. When the application server and database server are in the same subnet of the same VPC, traffic between them is forwarded directly at layer 2 rather than through the VPC router, so flow logs may not capture it.

Option D is correct.

39
MCQeasy

Refer to the exhibit. A VM in the default VPC with tag 'internal' and IP 10.128.1.2 is unable to communicate with another VM with IP 10.132.0.3 and tag 'internal'. What is the most likely cause?

A.The rule only applies to ingress traffic.
B.The rule only allows TCP and UDP, not ICMP.
C.The rule priority is too low.
D.The source range 10.128.0.0/14 does not include 10.132.0.3.
AnswerD

The source range excludes 10.132.0.3, blocking return traffic.

Why this answer

The firewall rule allows ingress from source range 10.128.0.0/14, which covers 10.128.0.0 to 10.131.255.255. IP 10.132.0.3 is outside this range, so return traffic from VM2 to VM1 is blocked. Option D identifies this.

Option A is incorrect because the rule direction is ingress, which is correct for receiving traffic. Option B is incorrect because ICMP is allowed. Option C is incorrect because priority 1000 is within the valid range and does not cause blocking.

40
Multi-Selecteasy

Which TWO statements about VPC peering are correct?

Select 2 answers
A.VPC peering allows traffic without firewall rules if both VPCs are in the same project.
B.VPC peering automatically exports custom routes.
C.VPC peering can only be established for VPCs in the same region.
D.VPC peering requires that all subnet CIDR ranges be unique across both VPCs.
E.VPC peering can be established between VPCs in different organizations.
AnswersD, E

Overlapping subnets are not allowed.

Why this answer

Peering can be across organizations and requires non-overlapping subnets.

41
MCQhard

An organization is migrating to Google Cloud and requires connectivity between their on-premises network and VPC. They plan to use Cloud VPN with dynamic routing (BGP). Which VPC feature is required for this setup?

A.Cloud NAT
B.VPC peering
C.Cloud Router
D.VPC Flow Logs
AnswerC

Cloud Router manages BGP sessions for dynamic routing with VPN or Interconnect.

Why this answer

Cloud Router is required when using Cloud VPN with dynamic routing (BGP) because it manages the BGP sessions between the on-premises router and the Google Cloud VPN gateway. It exchanges routes dynamically, enabling automatic route propagation and failover without manual static route configuration.

Exam trap

The trap here is that candidates confuse Cloud Router with Cloud NAT or VPC peering, thinking any 'cloud' component or 'peering' term implies connectivity, but only Cloud Router handles the BGP dynamic routing required for Cloud VPN.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet access for private VMs, not connectivity between on-premises and VPC. Option B is wrong because VPC peering connects two VPCs within Google Cloud, not an on-premises network to a VPC. Option D is wrong because VPC Flow Logs capture network metadata for monitoring and troubleshooting, not routing or connectivity.

42
MCQmedium

A network engineer is configuring VPC peering between two VPCs in the same project. The peering status is ACTIVE, but instances in one VPC cannot reach instances in the other VPC using internal IPs. The firewall rules are default (ingress deny all). What is the most likely cause?

A.The VPCs use different routing modes.
B.The IAM permissions for the peering are missing.
C.The VPCs have overlapping subnet CIDR ranges.
D.The engineer forgot to add firewall rules to allow traffic from the peer range.
AnswerD

Firewall rules are required to allow ingress traffic from the peered network.

Why this answer

Default firewall rules deny all ingress, so even with peering, traffic is blocked unless allow rules are added.

43
MCQeasy

A company wants to provide internet access to their Compute Engine instances without assigning external IP addresses. Which Google Cloud service should they use?

A.Cloud NAT
B.Cloud VPN
C.Private Google Access
D.VPC Peering
AnswerA

Cloud NAT provides outbound internet access to instances without external IPs.

Why this answer

Cloud NAT allows instances without external IPs to access the internet. Other options are for different purposes.

44
MCQhard

An organization has a VPC with custom mode subnets in us-central1 and europe-west1. They create a VM instance in us-central1 with an internal IP 10.0.1.2 and a VM in europe-west1 with internal IP 10.0.2.2. They want to enable communication between these instances using internal IPs. What must be configured?

A.Ensure the VPC firewall rules allow ingress from the source subnet or instance.
B.Set up VPC peering between the two regions.
C.No additional configuration is needed because internal IPs are routable within the VPC.
D.Enable Cloud NAT for the VPC.
AnswerA

Firewall rules control traffic within a VPC; by default, all internal traffic is allowed, but custom rules could block it.

Why this answer

Option A is correct because VPC firewall rules are stateful and must allow ingress traffic from the source subnet (10.0.1.0/24) or the specific source instance (10.0.1.2) to the destination VM in europe-west1. By default, VPCs have an implied deny-all ingress rule, so explicit firewall rules are required to permit traffic between subnets in different regions within the same VPC. The rule should specify the source IP range or tag and the destination protocol/port (e.g., ICMP, TCP/22) to enable communication.

Exam trap

Google Cloud often tests the misconception that internal IPs are automatically reachable across regions within the same VPC, but the trap is that while routing is global by default, firewall rules are not — candidates forget that an explicit ingress rule is required to allow cross-subnet traffic.

How to eliminate wrong answers

Option B is wrong because VPC peering is used to connect two separate VPC networks, not subnets within the same VPC; instances in different regions of the same VPC are already directly routable via the VPC's internal routing table. Option C is wrong because while internal IPs are routable within the VPC, the default firewall rules only allow traffic from the same subnet (10.0.1.0/24) and block cross-subnet traffic unless explicit ingress rules are configured. Option D is wrong because Cloud NAT provides outbound internet access for private instances, not internal VPC-to-VPC communication; it does not affect routing or firewall rules between subnets.

45
MCQeasy

A company wants to enable Private Google Access for an on-premises network connected via Cloud VPN. Which configuration step is required?

A.Enable Private Google Access on the VPC subnet that hosts the Cloud VPN gateway.
B.Enable VPC Flow Logs for the VPN tunnel.
C.Create a default route with next hop set to the internet gateway.
D.Configure a Cloud NAT gateway for the on-premises network.
AnswerA

Private Google Access allows on-premises hosts to use internal IP addresses for Google APIs.

Why this answer

Option A is correct because Private Google Access must be enabled on the VPC subnet that hosts the Cloud VPN gateway. This allows on-premises hosts to use internal IPs to access Google APIs through the VPN tunnel. Option C is incorrect because a default route to the internet is not required; the traffic goes through the VPN.

Option D is incorrect because Cloud NAT is for outbound internet access from private instances, not for on-premises access. Option B is incorrect because VPC Flow Logs are for logging, not for enabling access.

46
MCQeasy

A developer created a Compute Engine instance in the default VPC network. The instance needs to communicate with an on-premises server over a Cloud VPN tunnel. The developer configured the VPN tunnel but the instances cannot ping the on-premises server. What is the most likely cause?

A.The subnet IP range overlaps with the on-premises network.
B.The instance has IP forwarding disabled.
C.The default VPC does not have a default route to the internet.
D.The firewall rules in the VPC are blocking ingress traffic from the on-premises network.
AnswerD

Default firewall rules allow only certain ingress; ICMP from on-premises is not allowed by default.

Why this answer

Option D is correct because, by default, the default VPC includes firewall rules that allow outbound traffic but restrict inbound traffic. Even though the Cloud VPN tunnel is established, the VPC firewall rules block ingress traffic from the on-premises network (e.g., ICMP for ping). To allow communication, a firewall rule must explicitly permit ingress traffic from the on-premises IP range or the remote tunnel IP.

Exam trap

Google Cloud often tests the misconception that a configured VPN tunnel automatically allows all traffic, when in reality firewall rules (ingress) and routes must be explicitly configured to permit communication between VPC and on-premises networks.

How to eliminate wrong answers

Option A is wrong because subnet IP range overlap with the on-premises network would cause routing conflicts, but the question states the VPN tunnel is configured and the issue is connectivity, not routing table errors; overlapping ranges typically prevent tunnel establishment or cause asymmetric routing, not just ping failure. Option B is wrong because IP forwarding is only required when the instance acts as a gateway (e.g., NAT instance or VPN gateway), not for a standard instance initiating traffic to an on-premises server over a VPN tunnel; the instance can send packets without IP forwarding enabled. Option C is wrong because the default VPC always includes a default route (0.0.0.0/0) to the internet via the default internet gateway; this route is automatically created and does not affect VPN-based communication.

47
MCQmedium

A company wants to allow their VPC instances to access Google APIs using internal IPs without using a NAT. They have set up Private Google Access on the subnet. What else is required?

A.A default route to the internet must be created.
B.A Cloud NAT must be configured.
C.No additional configuration is needed.
D.The instances must have external IPs.
AnswerC

Private Google Access works out of the box once enabled on the subnet.

Why this answer

Option C is correct because enabling Private Google Access on the subnet allows instances without external IPs to access Google APIs via the automatically generated default route for the Private Google Access ranges. No additional configuration is needed. Option A is incorrect because an explicit default route to the internet would send traffic to the internet, not to Google APIs via private access.

Option B is incorrect because Cloud NAT is not needed and would override private access. Option D is incorrect because instances should not have external IPs if using private access.

48
MCQhard

An organization uses a custom mode VPC with several subnets. They need to add a new subnet 192.168.1.0/24 for a new workload. After creating the subnet, they find that existing firewall rules with target tags don't apply to instances in the new subnet, even though the tags are applied. What is the most likely reason?

A.Firewall rules are scoped to a VPC, not to subnets.
B.The new subnet was created without enabling firewall rule enforcement.
C.The instances need to be recreated for the new rules to apply.
D.The firewall rules have a source or destination filter that excludes the new subnet's CIDR.
AnswerD

If a rule includes an IP range filter, it will only apply to traffic that matches that range.

Why this answer

Option C is correct because firewall rules may include source or destination IP range filters. Even if tags match, if the rule also specifies a source or destination IP range that does not include 192.168.1.0/24, the rule will not apply. Option A is incorrect because firewall rules are scoped to the VPC, not to subnets, so tags work across subnets.

Option B is incorrect because there is no such concept as firewall rule enforcement on subnets. Option D is incorrect because instances do not need to be recreated; changes to firewall rules apply immediately.

49
Matchingmedium

Match each Cloud Router BGP attribute to its function.


Unique autonomous system number for the router

MED value to influence inbound traffic

IP address of the BGP peer

ASN of the BGP peer

Time between BGP keepalive messages

Why these pairings

These are essential BGP configuration parameters on Cloud Router.

50
MCQhard

A company uses Shared VPC with a host project and multiple service projects. A service project administrator wants to create a VM with an internal IP from a specific subnet in the host project. The operation fails with a permission error. What is the most likely missing permission?

A.resourcemanager.projects.get on the host project.
B.compute.subnetworks.use on the host project subnet.
C.compute.instances.create on the service project.
D.compute.networks.use on the host project VPC.
AnswerB

This permission grants use of a specific subnet.

Why this answer

Option D is correct because the service project needs the compute.subnetworks.use permission on the specific subnet in the host project. This permission is part of the roles/compute.networkUser role. Option A is incorrect because compute.networks.use is needed for using the VPC network, but the error is more specific to subnet use.

Option B is incorrect because compute.instances.create is for creating instances, not for using a subnet. Option C is incorrect because resourcemanager.projects.get is not related to subnet usage.

51
MCQhard

A financial services company is deploying a multi-tier application in a custom VPC with three subnets: web (10.0.1.0/24), app (10.0.2.0/24), and db (10.0.3.0/24). They use a Cloud VPN with dynamic routing (BGP) to connect to their on-premises data center (10.1.0.0/16). The on-premises network administrator reports that traffic from the web tier (10.0.1.0/24) to on-premises is working, but traffic from the app tier (10.0.2.0/24) to on-premises is failing. The company uses an Identity-Aware Proxy (IAP) for SSH access. The following configurations are in place:
- Cloud Router advertises all VPC subnets via BGP.
- On-premises router advertises 10.1.0.0/16.
- Firewall rules allow all traffic from 10.0.0.0/16 to 10.1.0.0/16.
- The app tier instances have a network tag 'app-tier' and a service account 'app-sa@project.iam.gserviceaccount.com'.
- There is a firewall rule with priority 1000 that denies egress from tags 'app-tier' to 10.1.0.0/16.
What is the most likely cause of the failure?

A.The service account 'app-sa' does not have permissions to send traffic through the VPN.
B.IAP is blocking traffic from the app tier because it is not configured for that subnet.
C.A firewall egress rule with priority 1000 denies traffic from instances with tag 'app-tier' to 10.1.0.0/16.
D.The Cloud Router is not advertising the 10.0.2.0/24 subnet to on-premises.
AnswerC

This deny rule explicitly blocks the traffic, overriding any lower-priority allow rules.

Why this answer

Option C is correct because the firewall egress rule with priority 1000 explicitly denies traffic from instances tagged 'app-tier' to the on-premises network (10.1.0.0/16). Since firewall rules are evaluated in order of priority (lower numbers are higher priority), and this rule has a relatively low priority number, it will override any higher-numbered (lower priority) allow rules. The fact that web tier traffic works confirms that routing and VPN are functional, isolating the issue to the egress deny rule targeting the app tier.

Exam trap

Google Cloud often tests the misconception that service accounts or IAP control network-level traffic, when in reality firewall rules and routing are the only mechanisms that govern packet flow between VPC subnets and on-premises networks.

How to eliminate wrong answers

Option A is wrong because service accounts do not control network traffic permissions; they control API authorization via IAM roles, not packet-level routing or firewall decisions. Option B is wrong because IAP is used for SSH/RDP access and does not block general application traffic between subnets and on-premises; it operates at the application layer for administrative access, not at the network layer for inter-VPC or VPN traffic. Option D is wrong because the Cloud Router advertises all VPC subnets via BGP, and the web tier (10.0.1.0/24) works, proving that the app subnet (10.0.2.0/24) is also advertised; otherwise, web traffic would also fail.

52
MCQeasy

A company wants to deploy a web application with a public-facing load balancer and a private backend. The backend instances must not have external IPs. Which statement about the VPC configuration is correct?

A.Cloud NAT must be configured for the backend subnet.
B.The backend subnet must have a default route to the internet.
C.Private Google Access must be enabled on the backend subnet.
D.No additional configuration is required beyond creating the subnet.
AnswerD

Backend instances without external IPs can be fronted by a public load balancer without any special network configuration.

Why this answer

Option D is correct because instances without external IPs can still receive traffic from a public load balancer. No additional configuration such as NAT or Private Google Access is needed for this purpose. Option A is incorrect because Private Google Access is for accessing Google APIs, not for load balancer traffic.

Option B is incorrect because Cloud NAT provides outbound internet access, which is not required. Option C is incorrect because the backend subnet does not need a default route; traffic from the load balancer comes through the VPC internal routing.

53
MCQmedium

A company is designing a Shared VPC architecture for multiple projects. The host project hosts three VPC networks: 'prod', 'staging', 'dev'. Each service project needs access to a specific network. Some service projects require access to multiple networks. The security team wants to minimize the number of firewall rules and use IAM for centralized control. Which approach meets these requirements?

A.Attach each service project to one host project network and use IAM roles to grant access to specific subnets in other networks with a cross-project service account.
B.Use VPC Network Peering between each service project's VPC and the host project's networks.
C.Create a separate host project for each environment and attach service projects accordingly.
D.Create a single VPC network that encompasses all environments, and use subnet-level firewall rules to isolate environments.
AnswerA

This allows service projects to access multiple networks by using IAM on subnets and service accounts, minimizing firewall rules.

Why this answer

Shared VPC allows service projects to be attached to a single host project, but a service project can only be attached to one VPC network in the host project. To access multiple networks, the service project must be attached to multiple host projects or use separate networks per project. Using IAM at the subnet level with roles like compute.networkUser allows granular access.

Option C is correct because it limits service projects to one network each and uses IAM to grant cross-network access as needed.

54
MCQhard

Refer to the exhibit. You are troubleshooting an on-premises to Cloud VPN connection with dynamic routing. The BGP session is CONNECTED, but no routes are received from the on-premises router. What is the most likely cause?

A.The firewall rules are blocking BGP traffic.
B.The on-premises router is not configured to advertise routes.
C.The VPN tunnel is down.
D.The cloud router is not advertising any routes.
AnswerB

Since the BGP session is CONNECTED but no routes received, the on-premises side is not advertising.

Why this answer

The BGP session is up, but routesReceived is 0, indicating the on-premises router is not advertising routes.

55
MCQmedium

A network engineer is troubleshooting connectivity from a VM to an on-premises server over a Cloud VPN. The VM can reach the on-premises server, but the return traffic is dropped. What is the most likely cause?

A.The on-premises network does not have a route back to the VPC subnet.
B.A firewall rule is blocking ingress traffic from the on-premises network.
C.The BGP session is down.
D.The Cloud Router is not configured.
AnswerA

Return traffic requires a route on-premises pointing to the VPN gateway.

Why this answer

Option C is correct because on-premises routes must include the VPC subnet to ensure return traffic is sent to the VPN gateway. Option A is wrong because firewall rules can be separate for ingress/egress. Option B is wrong because a down BGP session would cause no connectivity at all, not a one-way drop.

Option D is wrong because Cloud Router is needed for dynamic routing, but not having one does not cause asymmetric dropping specifically.

56
Multi-Selectmedium

A company has a VPC with three tiers: web, app, and db. They want to enforce that only the web tier can communicate with the app tier on TCP port 8080, and only the app tier can communicate with the db tier on TCP port 3306. All instances are in the same region but different subnets. Which TWO firewall rules should be created? (Choose 2.)

Select 2 answers
A.An ingress rule on the db tier instances with tag 'db' allowing TCP 3306 from instances with tag 'app'.
B.An egress rule on the web instances with tag 'web' allowing TCP 8080 to the app subnet.
C.An egress rule on the web subnet allowing TCP 8080 to any destination.
D.An ingress rule on the app tier instances with tag 'app' allowing TCP 8080 from instances with tag 'web'.
E.An ingress rule on the web subnet allowing TCP 8080 from the app subnet.
AnswersA, D

This ensures only app tier can reach db tier on port 3306.

Why this answer

To control traffic between tiers, you use firewall rules with source tags. The correct approach is to create ingress rules on the destination tier's instances, allowing traffic only from the source tier's tag. Option B is an egress rule on the web tier allowing traffic to the app tier on 8080, but that doesn't prevent other sources from reaching the app tier.

Option D is an ingress rule on the app tier allowing traffic from the web tag on 8080. Option E is an ingress rule on the db tier allowing traffic from the app tag on 3306. Options A and C are incorrect because they allow traffic from any source or are on the wrong tier.
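The firewall semantics behind questions 48, 51 and 56 (target tags, source/destination filters, and priority order with deny winning a tie), as an added Python model that is not part of the question bank; the rule names, addresses, and the priority 65534 of the broad allow rule in the question 51 scenario are constructed for the example.

```python
"""Minimal model of Google Cloud VPC firewall rule evaluation (added example).

Evaluation order mirrors documented GCP behaviour: rules are checked from the
lowest priority number upward, a deny wins over an allow at equal priority,
the first matching rule decides, and two implied rules sit at priority 65535
(allow all egress, deny all ingress). All addresses and tags are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    port: int
    src_tags: frozenset = frozenset()   # tags of the sending VM (empty for on-prem/external)
    dst_tags: frozenset = frozenset()   # tags of the receiving VM


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                       # "INGRESS" or "EGRESS"
    action: str                          # "allow" or "deny"
    priority: int = 1000                 # 0-65535; lower number is evaluated first
    target_tags: frozenset = frozenset()     # empty = every instance in the VPC
    source_ranges: tuple = ()                # ingress only; CIDR strings
    source_tags: frozenset = frozenset()     # ingress only
    destination_ranges: tuple = ()           # egress only; CIDR strings
    ports: tuple = ()                        # () = all; else (protocol, port) pairs


IMPLIED = (
    Rule("implied-allow-egress", "EGRESS", "allow", 65535),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535),
)


def in_ranges(ip: str, ranges: tuple) -> bool:
    return any(ip_address(ip) in ip_network(cidr) for cidr in ranges)


def matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """Does this rule apply to the packet? Target tags are checked against the
    VM the rule is enforced on: the receiver for ingress, the sender for egress."""
    if rule.direction != direction:
        return False
    vm_tags = pkt.dst_tags if direction == "INGRESS" else pkt.src_tags
    if rule.target_tags and not (rule.target_tags & vm_tags):
        return False
    if rule.ports and (pkt.protocol, pkt.port) not in rule.ports:
        return False
    if direction == "INGRESS":
        if not rule.source_ranges and not rule.source_tags:
            return True  # no source filter means 0.0.0.0/0
        # GCP treats source ranges and source tags as alternatives (OR)
        return in_ranges(pkt.src_ip, rule.source_ranges) or bool(rule.source_tags & pkt.src_tags)
    return not rule.destination_ranges or in_ranges(pkt.dst_ip, rule.destination_ranges)


def evaluate(rules, pkt: Packet, direction: str) -> tuple:
    """Return (action, rule name) of the first matching rule in priority order."""
    ordered = sorted(list(rules) + list(IMPLIED),
                     key=lambda r: (r.priority, r.action != "deny"))  # deny first on ties
    for rule in ordered:
        if matches(rule, pkt, direction):
            return rule.action, rule.name
    raise AssertionError("an implied rule always matches")


def q48_source_filter():
    """Q48: the target tag matches, but the source filter excludes the new subnet."""
    rules = [Rule("allow-web-80", "INGRESS", "allow", 1000, target_tags=frozenset({"web"}),
                  source_ranges=("10.0.0.0/8",), ports=(("tcp", 80),))]
    tagged_vm = frozenset({"web"})      # VM at 192.168.1.10 in the new subnet, tag applied
    from_old = Packet("10.0.5.7", "192.168.1.10", "tcp", 80, dst_tags=tagged_vm)
    from_new = Packet("192.168.1.20", "192.168.1.10", "tcp", 80, dst_tags=tagged_vm)
    return evaluate(rules, from_old, "INGRESS")[0], evaluate(rules, from_new, "INGRESS")[0]


def q51_priority():
    """Q51: a priority-1000 deny for 'app-tier' beats a broad allow at a higher number."""
    rules = [
        Rule("allow-to-onprem", "EGRESS", "allow", 65534, destination_ranges=("10.1.0.0/16",)),
        Rule("deny-app-to-onprem", "EGRESS", "deny", 1000,
             target_tags=frozenset({"app-tier"}), destination_ranges=("10.1.0.0/16",)),
    ]
    web = Packet("10.0.1.5", "10.1.0.10", "tcp", 443, src_tags=frozenset({"web-tier"}))
    app = Packet("10.0.2.5", "10.1.0.10", "tcp", 443, src_tags=frozenset({"app-tier"}))
    return evaluate(rules, web, "EGRESS"), evaluate(rules, app, "EGRESS")


def q56_tiers():
    """Q56: ingress rules on the destination tier keyed by the source tier's tag."""
    rules = [
        Rule("app-from-web", "INGRESS", "allow", target_tags=frozenset({"app"}),
             source_tags=frozenset({"web"}), ports=(("tcp", 8080),)),
        Rule("db-from-app", "INGRESS", "allow", target_tags=frozenset({"db"}),
             source_tags=frozenset({"app"}), ports=(("tcp", 3306),)),
    ]
    web, app, db = frozenset({"web"}), frozenset({"app"}), frozenset({"db"})
    cases = {
        "web->app:8080": Packet("10.0.1.5", "10.0.2.5", "tcp", 8080, web, app),
        "web->db:3306": Packet("10.0.1.5", "10.0.3.5", "tcp", 3306, web, db),
        "app->db:3306": Packet("10.0.2.5", "10.0.3.5", "tcp", 3306, app, db),
        "app->db:22": Packet("10.0.2.5", "10.0.3.5", "tcp", 22, app, db),
    }
    return {name: evaluate(rules, pkt, "INGRESS")[0] for name, pkt in cases.items()}
```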

57
MCQhard

Your company runs a multi-tier web application on Google Cloud. The application consists of frontend instances in a managed instance group (MIG) in us-central1, backend instances in a MIG in us-west1, and a Cloud SQL database in us-central1. The frontend and backend communicate over a VPC network with custom subnet mode (10.0.0.0/16) and use internal IP addresses. Recently, the application experienced intermittent timeouts. You notice that the backend instances in us-west1 have high latency when querying the Cloud SQL database in us-central1. You suspect network congestion or suboptimal routing. You want to minimize latency between the regions for database queries while ensuring the most cost-effective solution. What should you do?

A.Move all resources to a single region, such as us-central1, and use a single VPC.
B.Set up a Cloud VPN tunnel with Cloud Router and use BGP to advertise routes between the two regions.
C.Create a VPC peering connection between the frontend and backend VPCs.
D.Enable Cloud CDN on the backend load balancer to cache database responses.
AnswerB

This provides a dedicated encrypted tunnel and dynamic routing, which can reduce latency by using a more direct path than the public internet.

Why this answer

Option B is correct because Cloud VPN with Cloud Router and BGP enables dynamic route advertisement between the two regions, allowing traffic between the backend instances in us-west1 and the Cloud SQL database in us-central1 to traverse Google's global network with optimal routing. This minimizes latency by using Google's internal backbone rather than the public internet, and it is cost-effective because Cloud VPN charges only for the tunnel hours and egress traffic, with no per-GB data transfer costs for inter-region traffic within the same VPC.

Exam trap

Google Cloud often tests the misconception that VPC peering is needed for inter-region communication within the same VPC, but the trap here is that the frontend and backend are already in the same VPC, so peering is irrelevant, and the real issue is optimizing routing between regions, which Cloud VPN with BGP addresses.

How to eliminate wrong answers

Option A is wrong because moving all resources to a single region would eliminate the multi-region architecture, potentially increasing latency for users in other regions and violating the requirement to minimize latency between regions while maintaining the existing deployment. Option C is wrong because VPC peering connects two separate VPCs, but the frontend and backend are already in the same VPC (custom subnet mode 10.0.0.0/16), so peering is unnecessary and does not address routing optimization between regions. Option D is wrong because Cloud CDN caches static content at edge locations, not database query responses, and it cannot reduce latency for dynamic database queries that require real-time access to Cloud SQL.

58
MCQmedium

A company has an HA VPN tunnel between on-premises and Google Cloud. They want traffic destined to 10.1.0.0/16 (a subnet in their VPC) to go through a specific next-hop VPN tunnel interface, but currently traffic is being dropped. What should they verify?

A.The VPC has a custom route with destination 10.1.0.0/16 and next-hop set to the correct VPN tunnel interface.
B.Cloud NAT is enabled.
C.Firewall rules allow ingress from on-premises IPs.
D.The on-premises router is advertising the route via BGP.
AnswerA

A custom route with the correct next-hop is necessary to direct traffic through the specific VPN tunnel.

Why this answer

Option B is correct because a custom route with destination 10.1.0.0/16 and next-hop set to the specific VPN tunnel interface is required to direct traffic through that interface. Option A is incorrect because firewall rules control access but not routing. Option C is incorrect because on-premises BGP advertisement is for routes from on-premises, not Google Cloud routes.

Option D is incorrect because Cloud NAT is used for outbound internet access, not routing to on-premises.

59
MCQhard

A security team wants to restrict which Google services can be accessed from their VPC without external IPs. They use Private Google Access. What should they use to block access to specific services?

A.VPC Service Controls
B.Firewall rules blocking destination IPs
C.Cloud NAT with a specific IP range
D.Private Google Access with restricted VIPs
AnswerA

This service creates perimeters to control access to Google services.

Why this answer

VPC Service Controls allows creating security perimeters that restrict access to services.

60
MCQeasy

Your company has a VPC with a single subnet in us-central1 (10.0.1.0/24). You have a managed instance group (MIG) of web servers (10.0.1.2-10.0.1.10) and a standalone database instance (10.0.1.100). The web servers need to communicate with the database on TCP port 3306. You have configured a firewall rule allowing ingress from 10.0.1.0/24 to 10.0.1.100 on tcp:3306. However, the web servers cannot connect to the database. You verified that the database is running and listening on port 3306, and that the web servers can ping the database. What should you do to resolve the issue?

A.Create a custom route from the web servers to the database.
B.Check the database instance's OS-level firewall (e.g., iptables) and ensure it allows traffic on port 3306 from the web servers.
C.Add a network tag 'db' to the database instance and update the firewall rule to target 'db'.
D.Configure the firewall rule to use the database's service account as the target.
AnswerB

The VPC firewall allows traffic, but the OS firewall on the database may be blocking the connection.

Why this answer

The firewall rule is correctly configured at the VPC level to allow ingress from the web servers' subnet to the database on TCP port 3306. Since the web servers can ping the database, network connectivity exists, but the application-layer connection fails. This indicates the database instance's OS-level firewall (e.g., iptables on Linux) is blocking the port, as cloud VPC firewall rules and guest OS firewalls operate independently.

Exam trap

Google Cloud often tests the distinction between cloud-level firewall rules and guest OS firewalls, leading candidates to overcomplicate the solution with network tags or routes when the issue is a simple OS-level block.

How to eliminate wrong answers

Option A is wrong because custom routes control packet forwarding paths, not firewall filtering; the web servers and database are in the same subnet, so no routing is needed. Option C is wrong because network tags are used to apply firewall rules to specific instances, but the existing rule already allows traffic from the entire subnet (10.0.1.0/24) to the database IP, so tags are unnecessary and would not fix an OS-level block. Option D is wrong because service accounts are used for authentication and authorization to Google Cloud APIs, not for controlling network traffic within a VPC; firewall rules cannot target service accounts.

61
Multi-Selectmedium

Which THREE of the following are benefits of using VPC Flow Logs?

Select 3 answers
A.Compliance and audit requirements.
B.Troubleshooting connectivity issues.
C.Detecting DDoS attacks.
D.Reducing network latency.
E.Real-time network monitoring.
AnswersA, B, C

Flow logs provide records of network traffic for compliance.

Why this answer

VPC Flow Logs help with compliance and audit (B), troubleshooting connectivity issues (C), and detecting DDoS attacks (E). Option A is incorrect because flow logs are not real-time; there is a delay. Option D is incorrect because flow logs do not reduce latency.

62
Multi-Selecthard

A company has VPC peering between two VPC networks. They want to ensure that traffic from VPC A to VPC B can use a custom route in VPC A that points to a next-hop appliance in VPC A. Which TWO conditions must be met?

Select 2 answers
A.VPC B must have a route back to VPC A.
B.VPC peering must be set up with 'export custom routes' enabled from VPC A.
C.The appliance must be in the same region as VPC A.
D.The appliance must have a firewall rule allowing traffic from VPC B.
E.VPC A must have a route with destination inside VPC B and next-hop set to the appliance.
AnswersB, E

Export of custom routes is required for the peer to see and use them.

Why this answer

Option B is required because custom routes must be exported via peering to be used by the peer network. Option C is required because a route in VPC A with destination in VPC B and next-hop appliance is needed. Option A is not required; the appliance can be in any region.

Option D is not required for the forward path, though return path needs separate configuration. Option E is a general firewall requirement but not specific to the custom route usage.

63
Multi-Selecthard

A company is designing a VPC for a production environment that must meet the following requirements: support multiple projects, centralized network administration, and allow each project to have its own firewall rules. Which THREE components should be used?

Select 3 answers
A.Service projects
B.Host project
C.Cloud VPN
D.VPC peering
E.Shared VPC
AnswersA, B, E

Service projects consume Shared VPC networks.

Why this answer

A is correct because service projects in a Shared VPC architecture allow each project to host its own resources (e.g., Compute Engine instances) while maintaining separate firewall rules and security policies. This enables centralized network administration via the host project while giving each project autonomy over its own firewall configurations, meeting the requirement for multiple projects with independent firewall rules.

Exam trap

Google Cloud often tests the distinction between connectivity solutions (Cloud VPN, VPC peering) and network administration models (Shared VPC), leading candidates to mistakenly choose VPC peering for multi-project setups when Shared VPC is required for centralized control with per-project firewall rules.

64
Multi-Selectmedium

A company has a VPC with a subnet in us-central1 and needs to allow HTTP traffic (port 80) from the internet to a VM instance. Which TWO configurations are required?

Select 2 answers
A.Configure Cloud NAT for the VPC.
B.Assign an external IP address to the VM.
C.Enable Private Google Access on the subnet.
D.Assign a static internal IP address to the VM.
E.Create a firewall rule to allow ingress on TCP port 80 from 0.0.0.0/0.
AnswersB, E

An external IP allows the VM to be reachable from the internet.

Why this answer

Option B is correct because a VM must have an external (public) IP address assigned to be directly reachable from the internet. Without an external IP, the VM cannot receive inbound traffic initiated from outside the VPC, even with proper firewall rules. This is a fundamental requirement for internet-facing workloads in Google Cloud.

Exam trap

Google Cloud often tests the misconception that Cloud NAT or Private Google Access can substitute for an external IP when allowing inbound internet traffic, but these services only support outbound or API-specific connectivity, not inbound internet access.

65
Multi-Selectmedium

A company has a VPC with firewall rules. They want to ensure that only traffic from known IP ranges can access their web server instances. Which two firewall rule configurations are appropriate? (Choose two.)

Select 2 answers
A.Ingress rule with source IP range of the company's public IPs and allow tcp:443
B.Ingress rule with source IP range 0.0.0.0/0 and allow tcp:80
C.Ingress rule with source IP range of the company's public IPs and allow tcp:80
D.Ingress rule with source tag 'web' and allow tcp:80
E.Ingress rule with destination IP range 0.0.0.0/0 and allow tcp:80
AnswersA, C

Restricts HTTPS traffic to company IPs.

Why this answer

Options C and E are correct because ingress rules with source IP ranges from known company IPs on the required ports (HTTP/HTTPS) restrict access appropriately. Option A is incorrect because it allows all traffic. Option B is incorrect because a source tag is not used to identify source IPs; tags are for target instances.

Option D is incorrect because it uses destination IP range, which is not the correct way to restrict incoming traffic.

66
MCQhard

An organization uses Shared VPC with multiple service projects. They want to ensure that only certain service projects can use a specific subnet. How can this be achieved?

A.Use VPC subnet secondary IP ranges.
B.Use IAM roles on the subnet to grant access to specific service projects.
C.Use VPC Network Tags on the VM instances.
D.Use VPC firewall rules with service accounts to restrict access.
AnswerB

Subnet-level IAM allows fine-grained access control to service projects.

Why this answer

Option A is correct because Shared VPC subnet-level IAM allows granting access to specific service projects. Option B is wrong because firewall rules with service accounts control traffic, not subnet access. Option C is wrong because network tags are used for firewall rules, not subnet permissions.

Option D is wrong because secondary IP ranges do not control project access.

67
MCQhard

A company uses VPC Flow Logs for traffic analysis. They notice that logs are missing for a specific Compute Engine instance that handles high traffic. The subnet has Flow Logs enabled. What is the most likely reason?

A.The instance is using Private Google Access.
B.Flow Logs are sampled and may drop high-throughput traffic.
C.The instance's network interface has an external IP.
D.The instance is in a different region from the log sink.
AnswerB

Flow Logs sample traffic, and at high throughput, sampling rate may be reduced or logs dropped.

Why this answer

VPC Flow Logs use sampling; high throughput can lead to sampling reduction or dropped logs.

68
MCQmedium

An engineer is troubleshooting connectivity between an on-premises network and a GCP VPC over a Cloud VPN tunnel with dynamic routing (BGP). The tunnel is established and BGP session is up, but on-premises hosts cannot reach instances in the VPC. What should the engineer check first?

A.The advertised route from the on-premises router is a default route.
B.The MTU size of the VPN tunnel.
C.The Cloud VPN gateway is assigned an external IP address.
D.The firewall rules in the VPC allowing incoming traffic from the on-premises CIDR.
AnswerD

Firewall rules control inbound traffic; without an allow rule, traffic is denied.

Why this answer

Option C is correct because even with BGP routes, the VPC firewall rules must permit incoming traffic from the on-premises CIDR. If no appropriate ingress rule exists, traffic will be blocked. Option A is incorrect because MTU might cause packet loss but not complete failure.

Option B is incorrect because advertised routes from the on-premises router are being learned (BGP is up). Option D is incorrect because the VPN gateway's external IP is necessary for the tunnel but not the immediate cause of connectivity failure.

69
MCQhard

An engineer runs 'gcloud compute networks peerings list' and sees state 'INACTIVE' for a peering connection. Which is the most likely cause?

A.The subnet CIDR ranges overlap.
B.The IAM permissions for the peer are insufficient.
C.The dynamic routing mode differs.
D.The firewall rules are missing.
AnswerA

Overlapping subnets result in an INACTIVE peering state.

Why this answer

Overlapping subnet CIDRs cause the peering to be INACTIVE.

70
MCQhard

A company has an on-premises data center connected to Google Cloud via Dedicated Interconnect. They have a VPC with subnets in us-central1 and us-west1. They want compute instances in us-central1 to access Google APIs (e.g., Cloud Storage) without traversing the internet, but the on-premises network must also be able to access those APIs via the interconnect. They have configured Private Google Access (PGA) on all subnets. However, on-premises users report that they cannot access Cloud Storage buckets using the private IP of a forward proxy in us-central1 (the proxy is configured to use the default internet gateway for egress). What is the most likely reason?

A.Private Google Access is not supported on subnets in us-central1.
B.The forward proxy must use an external IP address to use Private Google Access.
C.There is a custom static route for 199.36.153.4/30 (Google API VIP) that points to the interconnect, overriding the default route for the proxy's outbound traffic.
D.The on-premises network must be configured with a default route pointing to the internet.
AnswerC

A custom route for the Google API VIP would cause the proxy to route traffic to on-premises instead of using the internet gateway, breaking PGA for the proxy.

Why this answer

Private Google Access allows instances with only internal IPs to reach Google APIs through the default route to the internet gateway. The on-premises users do not use PGA themselves: they send requests to the forward proxy's internal IP over the interconnect, and the proxy then makes the requests to Google APIs from inside the VPC.

For those requests, the VPC selects the most specific matching route. PGA does not create routes; it only allows the default route (0.0.0.0/0 via the internet gateway) to be used for Google API destinations. If a custom route for the Google API IP range (e.g., 199.36.153.4/30) points to the interconnect, it is more specific than the default route, so the proxy sends its traffic to Google APIs to on-premises instead of to the internet gateway, and PGA never comes into play.

A common source of such a route is a leftover custom route for the Google API IP range (e.g., from a previous VPN setup) that overrides the default route. Option B is correct.

71
MCQeasy

A developer wants to create a VM that can communicate with all Google APIs without requiring an external IP address. Which configuration is necessary?

A.Configure a Cloud NAT.
B.Add a firewall rule to allow egress to 0.0.0.0/0.
C.Set up VPC peering with the Google APIs service producer.
D.Enable Private Google Access on the subnet.
AnswerD

Private Google Access allows VMs without external IPs to reach Google APIs.

Why this answer

To allow communication with Google APIs without an external IP, Private Google Access must be enabled on the subnet. Option B is correct. Option A is wrong because Cloud NAT is for internet access to non-Google destinations.

Option C is wrong because VPC peering is for connecting VPCs. Option D is wrong because firewall rules alone are not sufficient.

72
MCQhard

Refer to the exhibit. A company uses a Cloud Router with two BGP sessions for an HA VPN to on-premises. Traffic is not flowing correctly to the on-premises network. What is the most likely issue?

A.The advertised route priority is too low.
B.The BGP session with vpn-tunnel-2 is down, causing asymmetric routing.
C.The keepalive interval is too high.
D.The ASN 65000 is private and not allowed.
AnswerB

A down BGP session can disrupt proper route advertisement and traffic flow.

Why this answer

One BGP session (vpn-tunnel-2) is down, which can cause asymmetric routing or loss of connectivity. Option A identifies this. Option B is incorrect because ASN 65000 is private and valid for Cloud Router.

Option C is incorrect because priority 100 is fine. Option D is incorrect because keepalive interval 20 seconds is within typical range.

73
Multi-Selecthard

Which THREE statements about VPC Flow Logs are correct?

Select 3 answers
A.Flow logs support sampling with a configurable interval.
B.Flow logs can be sent to BigQuery for analysis.
C.Flow logs record traffic to and from external IP addresses only.
D.Flow logs are enabled by default for all subnets.
E.VPC Flow Logs are enabled at the subnet level.
AnswersA, B, E

Sampling interval can be set to 5 seconds (default) or 1 minute.

Why this answer

Flow logs are subnet-level, can be sent to BigQuery, and support configurable sampling.

74
MCQ · hard

A company has a VPC with a single subnet in us-central1 (10.0.0.0/24). They have a Compute Engine instance running a database that uses an internal IP address 10.0.0.10. They need to ensure that this database instance can be accessed by a legacy on-premises application via a Cloud VPN tunnel. The on-premises network uses 192.168.0.0/16. They have set up an HA VPN gateway with two tunnels and BGP routing. The Cloud Router is configured to advertise the subnet 10.0.0.0/24. On the on-premises side, the router receives the route for 10.0.0.0/24 and has a static route for 10.0.0.0/24 pointing to the VPN tunnel. However, the on-premises application cannot reach the database. The application's server can ping the on-premises gateway, but not the database IP. The database instance's OS firewall allows all traffic from 0.0.0.0/0. What is the most likely cause?

A. The database instance's OS firewall is blocking the traffic despite the setting.
B. The VPC firewall rules are blocking ingress from on-premises; add a rule allowing traffic from 192.168.0.0/16 to the database IP.
C. The Cloud Router is not advertising the specific database IP 10.0.0.10, only the subnet 10.0.0.0/24.
D. The BGP session is not establishing properly; check the shared secret and IP addresses.
Answer: B

By default, VPC firewall denies ingress; an explicit allow rule is needed.

Why this answer

The issue is likely that the VPC firewall rules are blocking ingress traffic from the on-premises network. Even though the database OS firewall is permissive, the VPC firewall must allow ingress from the on-premises IP range (192.168.0.0/16) to the database's IP. Option B is correct: create a firewall rule allowing ingress from 192.168.0.0/16 to 10.0.0.10 on the required port.

75
Multi-Select · medium

A company is designing a VPC with multiple subnets across two regions for high availability. They want to ensure that instances in different regions can communicate using internal IP addresses without traversing the public internet. Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Set up VPC peering between the VPCs in each region.
B. Set up Cloud VPN or Dedicated Interconnect between the two VPCs.
C. Create firewall rules allowing all traffic from the other region's subnet CIDR.
D. Configure instances to use external IP addresses for cross-region communication.
E. Use a shared VPC to connect both regions.
Answers: A, B

VPC peering allows using internal IP addresses across regions.

Why this answer

Option A is correct because VPC peering allows direct, private IP connectivity between two VPCs using the AWS global network backbone, without traversing the public internet. This enables instances in different regions to communicate using internal IP addresses, provided the VPCs have non-overlapping CIDR blocks and appropriate route table entries are configured.

Exam trap

Google Cloud often tests the misconception that firewall rules alone can enable cross-VPC communication, but candidates must remember that a Layer 3 path (via peering or VPN) is required first, and that shared VPCs are region-scoped, not cross-region.
