Configuring network services · Hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is to configure each Cloud VPN tunnel with a separate Cloud Router and assign different BGP priorities. This resolves the asymmetric routing issue because when both tunnels share the same Cloud Router, BGP learns identical routes for the on-premises subnets, creating equal-cost multi-path (ECMP) scenarios that cause traffic from DC2 to DC1 or to subnet-a to be intermittently black-holed or routed through the wrong tunnel. On the Google Professional Cloud Network Engineer exam, this question tests your understanding of how BGP tie-breaking and route priority interact with hybrid connectivity; a common trap is assuming that simply having learned routes guarantees symmetric traffic flow. The key insight is that without distinct BGP metrics—such as MED or local preference—the VPC cannot prefer one tunnel over another for specific destinations, leading to the described failures. Memory tip: think of BGP priorities as traffic cops—without assigning different ranks, all tunnels look equal, and packets take the wrong exit.

PCNE Configuring network services Practice Question

This PCNE practice question tests your understanding of configuring network services. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Your company has a hybrid cloud architecture with two on-premises data centers: DC1 and DC2. Each DC is connected to Google Cloud via separate Cloud VPN tunnels (tunnel1 from DC1, tunnel2 from DC2) to a VPC in us-west1. The VPC has two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). DC1 has a subnet 192.168.1.0/24 and DC2 has 192.168.2.0/24. You configure BGP on both tunnels with the VPC dynamic routing, and each on-premises router advertises its local subnet. The VPC automatically imports the learned routes. You notice that traffic from DC1 to an instance in subnet-a (10.0.1.5) works, but traffic from DC2 to the same instance fails intermittently. Additionally, traffic from DC2 to DC1 (192.168.1.0/24) fails completely. You check the route tables and see that both tunnels have learned the routes for the remote subnets. What is the most likely cause and solution?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Correct answer & explanation

Configure each Cloud VPN tunnel with a separate Cloud Router and assign different BGP priorities to influence route selection, or use distinct regions for the VPN gateways.

The issue is that both Cloud VPN tunnels are using the same Cloud Router, causing BGP to learn identical routes for the on-premises subnets from both tunnels. This leads to asymmetric routing and potential black-holing, especially when traffic from DC2 to DC1 or to subnet-a is routed via DC1's tunnel due to equal-cost multi-path (ECMP) or default BGP tie-breaking. By configuring separate Cloud Routers with different BGP priorities (MED or local preference), you can force traffic from each DC to use its own tunnel, ensuring symmetric routing and consistent connectivity.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Create a new VPN tunnel from DC2 to a different VPC and use VPC peering.

    Why it's wrong here

    Adding another VPC complicates architecture and does not fix the root cause.

  • Increase the MTU on the VPN tunnels to avoid fragmentation.

    Why it's wrong here

    MTU is not the cause of routing issues.

  • Configure each Cloud VPN tunnel with a separate Cloud Router and assign different BGP priorities to influence route selection, or use distinct regions for the VPN gateways.

    Why this is correct

    Separate Cloud Routers allow fine-grained control over route priority, preventing asymmetric routing.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Disable dynamic routing on both tunnels and use static routes instead.

    Why it's wrong here

    Static routes would require manual configuration and still may not solve the routing issue.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Google Cloud often tests the misconception that VPN tunnels inherently provide symmetric routing, when in fact BGP route propagation without proper priority configuration can cause ECMP or suboptimal path selection, leading to intermittent failures.

Detailed technical explanation

How to think about this question

When multiple BGP sessions advertise the same prefix to the same Cloud Router, Google Cloud uses BGP tie-breaking rules (e.g., weight, local preference, AS path length, MED) to select the best path. If both tunnels have identical BGP attributes, the VPC may route traffic for 192.168.1.0/24 or 10.0.1.0/24 via either tunnel, causing asymmetric routing where return traffic from subnet-a to DC2 goes through DC1's tunnel, which may not have a route back. Using separate Cloud Routers with distinct BGP priorities (e.g., setting a higher MED on one tunnel) ensures deterministic path selection per DC.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 30, 2026
