Google Professional Cloud Network Engineer Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the Google Professional Cloud Network Engineer certification exam? Kickstart your success with our Google Professional Cloud Network Engineer Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with these free Google Professional Cloud Network Engineer practice questions gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free Google Professional Cloud Network Engineer practice questions designed to match the real exam in both difficulty and topic coverage. They are ideal for self-assessment or final review.
You successfully provisioned a single Dedicated Interconnect. The physical connection is at a colocation facility closest to us-west2. Seventy-five percent of your workloads are in us-east4, and the remaining twenty-five percent of your workloads are in us-central1. All workloads have the same network traffic profile. You need to minimize data transfer costs when deploying VLAN attachments. What should you do?
A. Keep the existing Dedicated interconnect. Deploy a VLAN attachment to a Cloud Router in us-west2, and use VPC global routing to access workloads in us-east4 and us-central1.
B. Keep the existing Dedicated Interconnect. Deploy a VLAN attachment to a Cloud Router in us-east4, and deploy another VLAN attachment to a Cloud Router in us-central1.
C. Order a new Dedicated Interconnect for a colocation facility closest to us-east4, and use VPC global routing to access workloads in us-central1.
D. Order a new Dedicated Interconnect for a colocation facility closest to us-central1, and use VPC global routing to access workloads in us-east4.
You have a storage bucket that contains the following objects: Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands. What should you do?
A. Add an appropriate lifecycle rule on the storage bucket.
B. Issue a cache invalidation command with pattern /folder-a/*.
C. Make sure that all the objects with prefix folder-a are not shared publicly.
D. Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications: ✑ Your ISP is a Google Partner Interconnect provider. ✑ Your on-premises VPN device's internet uplink and downlink speeds are 10 Gbps. ✑ A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses. ✑ Most of the data transfer will be from GCP to the on-premises environment. ✑ The application can burst up to 1.5 Gbps during peak transfers over the Interconnect. ✑ Cost and the complexity of the solution should be minimal. How should you provision the connectivity solution?
A. Provision a Partner Interconnect through your ISP.
B. Provision a Dedicated Interconnect instead of a VPN.
C. Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.
D. Use network compression over your VPN to increase the amount of data you can send over your VPN.
Your company has a Virtual Private Cloud (VPC) with two Dedicated Interconnect connections in two different regions: us-west1 and us-east1. Each Dedicated Interconnect connection is attached to a Cloud Router in its respective region by a VLAN attachment. You need to configure a high availability failover path. By default, all ingress traffic from the on-premises environment should flow to the VPC using the us-west1 connection. If us-west1 is unavailable, you want traffic to be rerouted to us-east1. How should you configure the multi-exit discriminator (MED) values to enable this failover path?
A. Use regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1
B. Use global routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1
C. Use regional routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1
D. Use global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1
You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses. Which two methods can you use to accomplish this? (Choose two.)
A. Enable Private Google Access on all the subnets.
B. Enable Private Google Access on the VPC.
C. Enable Private Services Access on the VPC.
D. Create network peering between your VPC and BigQuery.
E. Create a Cloud NAT, and route the application traffic via NAT gateway.
You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?
A. Use Network Load Balancing
B. Use TCP Proxy Load Balancing with PROXY protocol enabled
C. Use External HTTP(S) Load Balancing with URL Maps and custom headers
D. Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header
You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps. What should you do?
A. Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.
B. Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.
C. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.
D. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.
Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?
A. Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.
B. Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
C. Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.
D. Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.
You have two VPCs: VPC A in Project A and VPC B in Project B. The VPCs are peered, and each VPC has VM instances in four zones. You are using the Network Intelligence Center Performance Dashboard to investigate the packet loss for traffic flows that start in VPC A and terminate in VPC B. You need the reported packet loss metric to have at least a 90% confidence level. What should you do?
A. Ensure that each zone in each of the VPC networks has at least 10 compute instances. Look in Project A for the reported metric.
B. Ensure that each zone in each of the VPC networks has at least 9 compute instances. Look in Project B for the reported metric.
C. Ensure that each zone in each of the VPC networks has at least 9 compute instances. Look in Project A for the reported metric.
D. Ensure that each zone in each of the VPC networks has at least 10 compute instances. Look in Project B for the reported metric.
You are using the gcloud command line tool to create a new custom role in a project by copying a predefined role. You receive this error message: INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid. What should you do?
A. Add the resourcemanager.projects.get permission, and try again.
B. Try again with a different role with a new name but the same permissions.
C. Remove the resourcemanager.projects.list permission, and try again.
D. Add the resourcemanager.projects.setIamPolicy permission, and try again.
You are adding steps to a working automation that uses a service account to authenticate. You need to give the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible. What should you do?
A. Grant the compute.instanceAdmin to your user account.
B. Grant the iam.serviceAccountUser to your user account.
C. Grant the read-only privilege to the service account for the Cloud Storage bucket.
D. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.
In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost. Which two steps should you take? (Choose two.)
A. Connect both projects using Cloud VPN.
B. Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
C. Enable Shared VPC in one project (e.g., code-dev), and make the second project (e.g., data-dev) a service project.
D. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
E. Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
You want to configure a NAT to perform address translation between your on-premises network blocks and GCP. Which NAT solution should you use?
A. Cloud NAT
B. An instance with IP forwarding enabled
C. An instance configured with iptables DNAT rules
D. An instance configured with iptables SNAT rules
You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?
A. Use the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network.
B. Use Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred.
C. Configure VPC Flow Logs. Review the logs by filtering on the source and destination.
D. Configure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.
Your company's web server administrator is migrating on-premises backend servers for an application to GCP. Libraries and configurations differ significantly across these backend servers. The migration to GCP will be lift-and-shift, and all requests to the servers will be served by a single network load balancer frontend. You want to use a GCP-native solution when possible. How should you deploy this service in GCP?
A. Create a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer.
B. Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.
C. Deploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers.
D. Use GCP’s ECMP capability to load-balance traffic to the backend servers by installing multiple equal-priority static routes to the backend servers.
You are planning to use Terraform to deploy the Google Cloud infrastructure for your company. The design must meet the following requirements: • Each Google Cloud project must represent an internal project that your team will work on. • After an internal project is finished, the infrastructure must be deleted. • Each internal project must have its own Google Cloud project owner to manage the Google Cloud resources. • You have 10-100 projects deployed at a time. While you are writing the Terraform code, you need to ensure that the deployment is simple and the code is reusable with centralized management. What should you do?
A. Create a single project and single VPC for each internal project.
B. Create a single Shared VPC and attach each Google Cloud project as a service project.
C. Create a single project and additional VPCs for each internal project.
D. Create a Shared VPC and service project for each internal project.
You are migrating to Cloud DNS and want to import your BIND zone file. Which command should you use?
A. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
B. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
C. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
D. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED_ZONE
You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?
A. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters.
B. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the services across multiple private GKE clusters.
C. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --enable-ip-alias and --enable-private-nodes.
D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes.
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances. Which two products should you incorporate into the solution? (Choose two.)
A. VPC flow logs
B. Firewall logs
C. Cloud Audit logs
D. Stackdriver Trace
E. Compute Engine instance system logs
Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?
A. Firewall rule direction: ingress; Action: allow; Target: VM B service account; Source ranges: VM A service account; Priority: 1000
B. Firewall rule direction: ingress; Action: allow; Target: specific VM B tag; Source ranges: VM A tag and VM A source IP address; Priority: 1000
C. Firewall rule direction: ingress; Action: allow; Target: VM A service account; Source ranges: VM B service account and VM B source IP address; Priority: 100
D. Firewall rule direction: ingress; Action: allow; Target: specific VM A tag; Source ranges: VM B tag and VM B source IP address; Priority: 100
You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules. • Always allow Secure Shell (SSH) from your corporate IP address. • Restrict SSH access from all other IP addresses. There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team’s requirements. What should you do?
A. 1. Configure a hierarchical firewall policy on the organization node to allow TCP port 22 for your corporate IP address with priority 0. 2. Configure a hierarchical firewall policy on the organization node to deny TCP port 22 for all IP addresses with priority 1.
B. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0. 2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.
C. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1. 2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.
D. 1. Configure a hierarchical firewall policy on the organization node to allow TCP port 22 for your corporate IP address with priority 1. 2. Configure a hierarchical firewall policy on the organization node to deny TCP port 22 for all IP addresses with priority 0.
Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments. What should you do?
A. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 0.
B. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.
C. Create two hierarchical firewall policies per department’s folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.
D. Create two hierarchical firewall policies per department’s folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.
You are configuring a new application that will be exposed behind an external load balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest possible latency while ensuring high availability and autoscaling. Which configuration should you use?
A. Use global SSL Proxy Load Balancing with backends in both regions.
B. Use global TCP Proxy Load Balancing with backends in both regions.
C. Use global external HTTP(S) Load Balancing with backends in both regions.
D. Use Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region.
You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
A. 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24. 3. Set a custom route advertisement on the Cloud Router for 10.204.0.0/24.
B. 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 35.199.192.0/19. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
C. 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24. 3. Modify the /etc/resolv.conf file on your Compute Engine instances to point to 192.168.20.88.
D. 1. Create a private zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com. 2. Configure DNS Server Policies and create a policy with Alternate DNS servers set to 192.168.20.88. 3. Configure your on-premises firewall to accept traffic from 35.199.192.0/19. 4. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
You work for a multinational enterprise that is moving to GCP. These are the cloud requirements: • An on-premises data center located in the United States in Oregon and New York with Dedicated Interconnects connected to Cloud regions us-west1 (primary HQ) and us-east4 (backup) • Multiple regional offices in Europe and APAC • Regional data processing is required in europe-west1 and australia-southeast1 • Centralized Network Administration Team. Your security and compliance team requires a virtual inline security appliance to perform L7 inspection for URL filtering. You want to deploy the appliance in us-west1. What should you do?
A. • Create 2 VPCs in a Shared VPC Host Project. • Configure a 2-NIC instance in zone us-west1-a in the Host Project. • Attach NIC0 in VPC #1 us-west1 subnet of the Host Project. • Attach NIC1 in VPC #2 us-west1 subnet of the Host Project. • Deploy the instance. • Configure the necessary routes and firewall rules to pass traffic through the instance.
B. • Create 2 VPCs in a Shared VPC Host Project. • Configure a 2-NIC instance in zone us-west1-a in the Service Project. • Attach NIC0 in VPC #1 us-west1 subnet of the Host Project. • Attach NIC1 in VPC #2 us-west1 subnet of the Host Project. • Deploy the instance. • Configure the necessary routes and firewall rules to pass traffic through the instance.
C. • Create 1 VPC in a Shared VPC Host Project. • Configure a 2-NIC instance in zone us-west1-a in the Host Project. • Attach NIC0 in us-west1 subnet of the Host Project. • Attach NIC1 in us-west1 subnet of the Host Project. • Deploy the instance. • Configure the necessary routes and firewall rules to pass traffic through the instance.
D. • Create 1 VPC in a Shared VPC Service Project. • Configure a 2-NIC instance in zone us-west1-a in the Service Project. • Attach NIC0 in us-west1 subnet of the Service Project. • Attach NIC1 in us-west1 subnet of the Service Project. • Deploy the instance. • Configure the necessary routes and firewall rules to pass traffic through the instance.
You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identify the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?
A. Enable firewall logs, and view the logs in Firewall Insights.
B. Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.
C. Enable VPC Flow Logs, and view the logs in Cloud Logging.
D. Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.
You have the following private Google Kubernetes Engine (GKE) cluster deployment: You have a virtual machine (VM) deployed in the same VPC in the subnetwork kubernetes-management with internal IP address 192.168.40.2/24 and no external IP address assigned. You need to communicate with the cluster master using kubectl. What should you do?
A. Add the network 192.168.40.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.
B. Add the network 192.168.38.0/28 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2
C. Add the network 192.168.36.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2
D. Add an external IP address to the VM, and add this IP address in the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 35.224.37.17.
You have the networking configuration shown in the diagram. Two VLAN attachments associated with two Dedicated Interconnect connections terminate on the same Cloud Router (mycloudrouter). The Interconnect connections terminate on two separate on-premises routers. You advertise the same prefixes from the Border Gateway Protocol (BGP) sessions associated with each of the VLAN attachments. You notice an asymmetric traffic flow between the two Interconnect connections. Which of the following actions should you take to troubleshoot the asymmetric traffic flow?
A. From the Google Cloud console, navigate to Cloud Logging to view VPC Flow Logs and review the results.
B. From the Cloud CLI, run gcloud compute --project PROJECT_ID routers get-status mycloudrouter --region REGION and review the results.
C. From the Google Cloud console, navigate to the Hybrid Connectivity, select the Cloud Router, and view BGP sessions.
D. From the Cloud CLI, run gcloud compute routers describe mycloudrouter --region REGION and review the results.
Your organization uses a Shared VPC architecture with a host project and three service projects. You have Compute Engine instances that reside in the service projects. You have critical workloads in your on-premises data center. You need to ensure that the Google Cloud instances can resolve on-premises hostnames via the Dedicated Interconnect you deployed to establish hybrid connectivity. What should you do?
A. 1. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers. 2. In your Cloud Router, add a custom route advertisement for the IP range 35.199.192.0/19 to the on-premises environment.
B. 1. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers. 2. In your Cloud Router, add a custom route advertisement for the IP 169.254.169.254 to the on-premises environment.
C. 1. Configure a Cloud DNS private zone in the host project of the Shared VPC. 2. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project. 3. In your Cloud Router, add a custom route advertisement for the IP 169.254.169.254 to the on-premises environment.
D. 1. Configure a Cloud DNS private zone in the host project of the Shared VPC. 2. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project. 3. Configure a DNS policy in the Shared VPC to allow inbound query forwarding with your on-premises DNS server as the alternative DNS server.
You have just deployed your infrastructure on Google Cloud. You now need to configure the DNS to meet the following requirements: • Your on-premises resources should resolve your Google Cloud zones. • Your Google Cloud resources should resolve your on-premises zones. • You need the ability to resolve “.internal” zones provisioned by Google Cloud. What should you do?
A. Configure an outbound server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google’s public DNS 8.8.8.8.
B. Configure both an inbound server policy and outbound DNS forwarding zones with the target as the on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud’s DNS resolver.
C. Configure an outbound DNS server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud’s DNS resolver.
D. Configure Cloud DNS to DNS peer with your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google’s public DNS 8.8.8.8.
You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the 172.16.45.0/24 network. What should you do?
A. Configure global load balancing to point 172.16.45.0/24 to the correct instance.
B. Create unique DNS records for each service that sends traffic to the desired IP address.
C. Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.
D. Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired. During troubleshooting you find: • Each on-premises router is configured with a unique ASN. • Each on-premises router is configured with the same routes and priorities. • Both on-premises routers are configured with a VPN connected to a single Cloud Router. • BGP sessions are established between both on-premises routers and the Cloud Router. • Only 1 of the on-premises routers' routes are being added to the routing table. What is the most likely cause of this problem?
A. The on-premises routers are configured with the same routes.
B. A firewall is blocking the traffic across the second VPN connection.
C. You do not have a load balancer to load-balance the network traffic.
D. The ASNs being used on the on-premises routers are different.
You have the following Shared VPC design. VPC Flow Logs is configured for Subnet-1 in the host VPC. You also want to monitor flow logs for Subnet-2. What should you do?
A. Configure a VPC Flow Logs filter for Subnet-2 in the host project VPC.
B. Configure VPC Flow Logs in the service project VPC for Subnet-2.
C. Configure Packet Mirroring in both the host and service project VPCs.
D. Configure a firewall rule to permit Subnet-2 IP addresses outbound in the host project VPC.
Your company’s on-premises network is connected to a VPC using a Cloud VPN tunnel. You have a static route of 0.0.0.0/0 with the VPN tunnel as its next hop defined in the VPC. All internet bound traffic currently passes through the on-premises network. You configured Cloud NAT to translate the primary IP addresses of Compute Engine instances in one region. Traffic from those instances will now reach the internet directly from their VPC and not from the on-premises network. Traffic from the virtual machines (VMs) is not translating addresses as expected. What should you do?
A. Lower the TCP Established Connection Idle Timeout for the NAT gateway.
B. Add firewall rules that allow ingress and egress of the external NAT IP address, have a target tag that is on the Compute Engine instances, and have a priority value higher than the priority value of the default route to the VPN gateway.
C. Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel.
D. Increase the default min-ports-per-vm setting for the Cloud NAT gateway.
You are designing a hub-and-spoke network architecture for your company’s cloud-based environment. You need to make sure that all spokes are peered with the hub. The spokes must use the hub's virtual appliance for internet access. The virtual appliance is configured in high-availability mode with two instances using an internal load balancer with IP address 10.0.0.5. What should you do?
A. 1. Create a default route in the hub VPC that points to IP address 10.0.0.5. 2. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. 3. Export the custom routes in the hub. 4. Import the custom routes in the spokes.
B. 1. Create a default route in the hub VPC that points to IP address 10.0.0.5. 2. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. 3. Export the custom routes in the hub. Import the custom routes in the spokes. 4. Delete the default internet gateway route of the spokes.
C. 1. Create two default routes in the hub VPC that point to the next hop instances of the virtual appliances. 2. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. 3. Export the custom routes in the hub. Import the custom routes in the spokes.
D. 1. Create a default route in the hub VPC that points to IP address 10.0.0.5. 2. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. 3. Create a new route in the spoke VPC that points to IP address 10.0.0.5.
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non-BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices. What should you do?
A. • Create a Cloud VPN instance. • Create a policy-based VPN tunnel per subnet. • Configure the appropriate local and remote traffic selectors to match your local and remote networks. • Create the appropriate static routes.
B. • Create a Cloud VPN instance. • Create a policy-based VPN tunnel. • Configure the appropriate local and remote traffic selectors to match your local and remote networks. • Configure the appropriate static routes.
C. • Create a Cloud VPN instance. • Create a route-based VPN tunnel. • Configure the appropriate local and remote traffic selectors to match your local and remote networks. • Configure the appropriate static routes.
D. • Create a Cloud VPN instance. • Create a route-based VPN tunnel. • Configure the appropriate local and remote traffic selectors to 0.0.0.0/0. • Configure the appropriate static routes.
Your company has separate Virtual Private Cloud (VPC) networks in a single region for two departments: Sales and Finance. The Sales department's VPC network already has connectivity to on-premises locations using HA VPN, and you have confirmed that the subnet ranges do not overlap. You plan to peer both VPC networks to use the same HA tunnels for on-premises connectivity, while providing internet connectivity for the Google Cloud workloads through Cloud NAT. Internet access from the on-premises locations should not flow through Google Cloud. You need to propagate all routes between the Finance department and on-premises locations. What should you do?
A. Peer the two VPCs, and use the default configuration for the Cloud Routers.
B. Peer the two VPCs, and use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.
C. Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance’s VPC network. Use Cloud Router’s custom route advertisements to announce a default route to the on-premises locations.
D. Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance’s VPC network. Use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.
In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet. What should you do?
A. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
B. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-
C. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-
D. Move instance-B to another VPC and, using multi-NIC, connect instance-B’s interface to instance-A’s network. Configure the appropriate routes to force traffic through to instance-
You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 services. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption. How should you design this topology?
A. Create a subnet of size /25 with 2 secondary ranges: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
B. Create a subnet of size /28 with 2 secondary ranges: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.
C. Use gcloud container clusters create [CLUSTER NAME] --enable-ip-alias to create a VPC-native cluster.
D. Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.
You are deploying a global external TCP load balancing solution and want to preserve the source IP address of the original layer 3 payload. Which type of load balancer should you use?
A. HTTP(S) load balancer
B. Network load balancer
C. Internal load balancer
D. TCP/SSL proxy load balancer
After a network change window, one of your company's applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24. The on-premises router is advertising 10.0.0.0/8. What is the most likely cause of this problem?
A. The less specific VPC subnet route is taking priority.
B. The more specific VPC subnet route is taking priority.
C. The on-premises router is not advertising a route for the database server.
D. A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.
You have several microservices running in a private subnet in an existing Virtual Private Cloud (VPC). You need to create additional serverless services that use Cloud Run and Cloud Functions to access the microservices. The network traffic volume between your serverless services and private microservices is low. However, each serverless service must be able to communicate with any of your microservices. You want to implement a solution that minimizes cost. What should you do?
A. Deploy your serverless services to the serverless VPC. Peer the serverless service VPC to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
B. Create a serverless VPC access connector for each serverless service. Configure the connectors to allow traffic between the serverless services and your existing microservices.
C. Deploy your serverless services to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
D. Create a serverless VPC access connector. Configure the serverless service to use the connector for communication to the microservices.
You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services. Which session affinity should you choose?
A. None
B. Client IP
C. Client IP and protocol
D. Client IP, port and protocol
Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible. What should you do?
A. 1. Configure your VPC routing in regional mode. 2. Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.
B. 1. Configure your VPC routing in global mode. 2. Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.
C. 1. Configure your VPC routing in global mode. 2. Add an additional Cloud Interconnect VLAN attachment in the us-west2 region, and configure a Cloud Router in us-west2.
D. 1. Configure your VPC routing in regional mode. 2. Add additional Cloud Interconnect VLAN attachments in the us-west2 and us-central1 regions, and configure Cloud Routers in us-west2 and us-central1.
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary. Which level of permissions should you request?
A. Security Admin privileges from the Shared VPC Admin.
B. Service Project Admin privileges from the Shared VPC Admin.
C. Shared VPC Admin privileges from the Organization Admin.
D. Organization Admin privileges from the Organization Admin.
You are planning a large application deployment in Google Cloud that includes on-premises connectivity. The application requires direct connectivity between workloads in all regions and on-premises locations without address translation, but all RFC 1918 ranges are already in use in the on-premises locations. What should you do?
A. Use multiple VPC networks with a transit network using VPC Network Peering.
B. Use overlapping RFC 1918 ranges with multiple isolated VPC networks.
C. Use overlapping RFC 1918 ranges with multiple isolated VPC networks and Cloud NAT.
D. Use non-RFC 1918 ranges with a single global VPC.
You are responsible for designing a new connectivity solution between your organization's on-premises data center and your Google Cloud Virtual Private Cloud (VPC) network. Currently, there is no end-to-end connectivity. You must ensure a service level agreement (SLA) of 99.99% availability. What should you do?
A. Use one Dedicated Interconnect connection in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC.
B. Use a Direct Peering connection between your on-premises data center and Google Cloud. Configure Classic VPN with two tunnels and one Cloud Router.
C. Use two Dedicated Interconnect connections in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC.
D. Use HA VPN. Configure one tunnel from each interface of the VPN gateway to connect to the corresponding interfaces on the peer gateway on-premises. Configure one Cloud Router and enable global routing in the VPC.
You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration. Which connectivity model should you use?
A. Direct Peering
B. Dedicated Interconnect
C. Partner Interconnect with a layer 2 partner
D. Partner Interconnect with a layer 3 partner
You are designing a Partner Interconnect hybrid cloud connectivity solution with geo-redundancy across two metropolitan areas. You want to follow Google-recommended practices to set up the following region/metro pairs: • (region 1/metro 1) • (region 2/metro 2) What should you do?
A. Create a Cloud Router in region 1 with two VLAN attachments connected to metro1-zone1-x. Create a Cloud Router in region 2 with two VLAN attachments connected to metro1-zone2-x.
B. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x. Create a Cloud Router in region 2 with two VLAN attachments connected to metro2-zone2-x.
C. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone2-x. Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone2-x.
D. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x and one VLAN attachment connected to metro1-zone2-x. Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone1-x and one VLAN attachment connected to metro2-zone2-x.
You are in the process of deploying an internal HTTP(S) load balancer for your web server virtual machine (VM) instances. What two prerequisite tasks must be completed before creating the load balancer? (Choose two.)
A. Choose a region.
B. Create firewall rules for health checks.
C. Reserve a static IP address for the load balancer.
D. Determine the subnet mask for a proxy-only subnet.
E. Determine the subnet mask for Serverless VPC Access.