You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?

A. Configure a custom route advertisement on the Cloud Router.

B. Enable IP forwarding in the asia-southeast1 region.

C. Change the VPC dynamic routing mode to Global.

D. Add a second Border Gateway Protocol (BGP) session to the Cloud Router.

Your company recently migrated to Google Cloud. You configured separate Virtual Private Cloud (VPC) networks for Department A and Department

A. You need to configure both VPC networks to have access to the same on-premises location through separate links with full isolation between the VPC networks. Your design must also query on-premises DNS servers from workloads in Google Cloud using conditional forwarding. You want to minimize operational overhead. What should you do?

B. Customize the operating system DNS configuration files to target the on-premises DNS servers.

C. Keep the different VPC networks from both departments isolated with different on-premises links, and separate Cloud DNS private zones and Cloud DNS forwarding zones.

D. Peer Department A’s and Department B’s VPC networks to have all on-premises connectivity via a single VPC network. Use separate Cloud DNS private zones and Cloud DNS forwarding zones.

E. Configure a Cloud DNS Peering zone in Department A’s VPC network pointing to Department B’s VPC and a Cloud DNS outbound forwarding zone in Department B’s VPC network. Use separate on-premises links in each VPC network.

Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?

A. Assign members of the networking team the compute.networkUser role.

B. Assign members of the networking team the compute.networkAdmin role.

C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.

D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?

A. Use the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network.

B. Use Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred.

C. Configure VPC Flow Logs. Review the logs by filtering on the source and destination.

D. Configure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.

Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design. What should you do?

A. 1. Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.2. Configure DNS peering from the spoke VPCs to the hub VPC.

B. 1. Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs.2. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

C. 1. Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server.2. Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs.

D. 1. Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server.2. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.
What should you do?

A. Assign each user the editor role.

B. Assign each user the compute.networkAdmin role.

C. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.

D. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.

In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.
What should you do?

A. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.

B. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-

C. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-

D. Move instance-B to another VPC and, using multi-NIC, connect instance-B’s interface to instance-A’s network. Configure the appropriate routes to force traffic through to instance-

E.

You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.
Which connection type should you choose?

A. Carrier Peering

B. Direct Peering

C. Dedicated Interconnect

D. Partner Interconnect

You deployed a hub-and-spoke architecture in your Google Cloud environment that uses VPC Network Peering to connect the spokes to the hub. For security reasons, you deployed a private Google Kubernetes Engine (GKE) cluster in one of the spoke projects with a private endpoint for the control plane. You configured authorized networks to be the subnet range where the GKE nodes are deployed. When you attempt to reach the GKE control plane from a different spoke project, you cannot access it. You need to allow access to the GKE control plane from the other spoke projects. What should you do?

A. Add a firewall rule that allows port 443 from the other spoke projects.

B. Enable Private Google Access on the subnet where the GKE nodes are deployed.

C. Configure the authorized networks to be the subnet ranges of the other spoke projects.

D. Deploy a proxy in the spoke project where the GKE nodes are deployed and connect to the control plane through the proxy.

You want Cloud CDN to serve the https://www.example.com/images/spacetime.png static image file that is hosted in a private Cloud Storage bucket. You are using the USE_ORIGIN_HEADERS cache mode. You receive an HTTP 403 error when opening the file in your browser, and you see that the HTTP response has a Cache-Control: private, max-age=0 header. How should you correct this issue?

A. Enable negative caching for the backend bucket.

B. Change the cache mode to Force cache all content.C Configure a Cloud Storage bucket permission that gives allUsers the Storage Legacy Object Reader role.

C. Increase the default time-to-live (TTL) for the backend service.

You have provisioned a Partner Interconnect connection to extend connectivity from your on-premises data center to Google Cloud. You need to configure a Cloud Router and create a VLAN attachment to connect to resources inside your VPC. You need to configure an Autonomous System number (ASN) to use with the associated Cloud Router and create the VLAN attachment.
What should you do?

A. Use a 4-byte private ASN 4200000000-4294967294.

B. Use a 2-byte private ASN 64512-65535.

C. Use a public Google ASN 15169.

D. Use a public Google ASN 16550.

You are designing a hybrid cloud environment. Your Google Cloud environment is interconnected with your on-premises network using HA VPN and Cloud Router in a central transit hub VPC. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88. You need to ensure that your Compute Engine resources in multiple spoke VPCs can resolve on-premises private hostnames using the domain corp.altostrat.com while also resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?

A. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.2. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.4. Configure VPC peering in the spoke VPCs to peer with the hub VPC.

B. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.2. Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke PCs, with the hub VPC as the target.3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

C. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.2. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.4. Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the on-premises network directly.

D. 1. Create a private forwarding zone in Cloud DNS for ‘corp altostrat.com’ called corp-altostrat-com that points to 192. 168.20.88. Associate the zone with the hub VPC.2. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.3. Sat a custom route advertisement on the Cloud Router for 35.199.192.0/19.4. Create a hub and spoke VPN deployment in each spoke VPC to connect back to the hub VPC.

You are creating an instance group and need to create a new health check for HTTP(s) load balancing.
Which two methods can you use to accomplish this? (Choose two.)

A. Create a new health check using the gcloud command line tool.

B. Create a new health check using the VPC Network section in the GCP Console.

C. Create a new health check, or select an existing one, when you complete the load balancer’s backend configuration in the GCP Console.

D. Create a new legacy health check using the gcloud command line tool.

E. Create a new legacy health check using the Health checks section in the GCP Console.

You need tofficentralize the Identity and Access Management permissions and email distribution for the WebServices Team as efficiently as possible.
What should you do?

A. Create a Google Group for the WebServices Team.

B. Create a G Suite Domain for the WebServices Team.

C. Create a new Cloud Identity Domain for the WebServices Team.

D. Create a new Custom Role for all members of the WebServices Team.

You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers. What should you do?

A. Configure a forwarding rule on the existing load balancer for the application tier.

B. Configure equal cost multi-path routing on the application servers.

C. Configure a new internal HTTP(S) load balancer for the application tier.

D. Configure a URL map on the existing load balancer to route traffic to the application tier.

You are designing a new network infrastructure for your customer in Google Cloud. Your customer requires a connection between two Google Cloud VPCs that must include a VPN tunnel. You want to follow Google-recommended practices while ensuring maximum availability of the connection. Which VPN configuration should you choose?

A. Policy-based VPN using Classic VPN between the two Google Cloud VPCs

B. Border Gateway Protocol (BGP)-based VPN using Classic VPN between the two Google Cloud VPCs

C. Route-based VPN using Classic VPN between the two Google Cloud VPCs

D. Border Gateway Protocol (BGP)-based VPN using HA VPN between the two Google Cloud VPCs

You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.
What should you do?

A. Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.

B. Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.

C. Tag the backend instances “application,” and create a firewall rule with target tag “application” and the source IP range of the allowed clients and Google health check IP ranges.

D. Label the backend instances “application,” and create a firewall rule with the target label “application” and the source IP range of the allowed clients and Google health check IP ranges.

Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
"¢ Each on-premises router is configured with a unique ASN.
"¢ Each on-premises router is configured with the same routes and priorities.
"¢ Both on-premises routers are configured with a VPN connected to a single Cloud Router.
"¢ BGP sessions are established between both on-premises routers and the Cloud Router.
"¢ Only 1 of the on-premises router's routes are being added to the routing table.
What is the most likely cause of this problem?

A. The on-premises routers are configured with the same routes.

B. A firewall is blocking the traffic across the second VPN connection.

C. You do not have a load balancer to load-balance the network traffic.

D. The ASNs being used on the on-premises routers are different.

Your organization uses a Shared VPC architecture with a host project and three service projects. You have Compute Engine instances that reside in the service projects. You have critical workloads in your on-premises data center. You need to ensure that the Google Cloud instances can resolve on-premises hostnames via the Dedicated Interconnect you deployed to establish hybrid connectivity. What should you do?

A. 1. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers.2. In your Cloud Router, add a custom route advertisement for the IP 35.199.192.0/19 to the on-premises environment.

B. 1. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the Private zone to the on-premises DNS servers.2. In your Cloud Router, add a custom route advertisement for the IP 169.254 169.254 to the on-premises environment.

C. 1. Configure a Cloud DNS private zone in the host project of the Shared VPC.2. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project3. In your Cloud Router, add a custom route advertisement for the IP 169.254 169 254 to the on-premises environment.

D. 1.Configure a Cloud DNS private zone in the host project of the Shared VPC.2. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project.3. Configure a DNS policy in the Shared VPC to allow inbound query forwarding with your on-premises DNS server as the alternative DNS server.

You recently deployed Cloud VPN to connect your on-premises data canter to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

A. In the Network Intelligence Canter, check for the number of packet drops on the VPN.

B. In the Google Cloud Console, use Monitoring Query Language to create a custom alert for bandwidth utilization.

C. In the Monitoring section of the Google Cloud Console, use the Dashboard section to select a default dashboard for VPN usage.

D. In the VPN section of the Google Cloud Console, select the VPN under hybrid connectivity, and then select monitoring to display utilization on the dashboard.

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?

A. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters.

B. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters, Re-use the secondary address range for the services across multiple private GKE clusters.

C. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: –enable-ip-alias and –enable-private-nodes.

D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: –disable-default-snat, –enable-ip-alias, and –enable-private-nodes.

You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.
Which two methods can you use to accomplish this? (Choose two.)

A. Enable Private Google Access on all the subnets.

B. Enable Private Google Access on the VPC.

C. Enable Private Services Access on the VPC.

D. Create network peering between your VPC and BigQuery.

E. Create a Cloud NAT, and route the application traffic via NAT gateway.

You have just deployed your infrastructure on Google Cloud. You now need to configure the DNS to meet the following requirements:
•	Your on-premises resources should resolve your Google Cloud zones.
•	Your Google Cloud resources should resolve your on-premises zones.
•	You need the ability to resolve “.internal” zones provisioned by Google Cloud.
What should you do?

A. Configure an outbound server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google’s public DNS 8.8.8.8.

B. Configure both an inbound server policy and outbound DNS forwarding zones with the target as the on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud’s DNS resolver.

C. Configure an outbound DNS server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud’s DNS resolver.

D. Configure Cloud DNS to DNS peer with your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google’s public DNS 8.8.8.8.

You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?

A. Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.

B. Create a hierarchical firewall ruleset, and apply it to the VPC’s parent organization resource node.

C. Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.

D. Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.

You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple
Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.
Which session affinity should you choose?

A. None

B. Client IP

C. Client IP and protocol

D. Client IP, port and protocol

You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.
How should you configure the Distribution VPC?

A. Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.

B. Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.

C. Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.

D. Rename the default VPC as “Distribution” and peer it via network peering.

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

A. VPC peering

B. Shared VPC

C. Cloud VPN

D. Dedicated Interconnect

E. Cloud NAT

You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging.
When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?

A. Check the VPC flow logs for the instance.

B. Try connecting to the instance via SSH, and check the logs.

C. Create a new firewall rule to allow traffic from port 22, and enable logs.

D. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.

You work for a university that is migrating to GCP.
These are the cloud requirements:
"¢ On-premises connectivity with 10 Gbps
"¢ Lowest latency access to the cloud
"¢ Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?

A. Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.

B. Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC’s host project.

C. Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects’ Interconnects.

D. Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.

You have two VPCs: VPC A in Project A and VPC B in Project

A. The VPCs are peered, and each VPC has VM instances in four zones. You are using the Network Intelligence Center Performance Dashboard to investigate the packet loss for traffic flows that start in VPC A and terminate in VPC

B. You need the reported packet loss metric to have at least a 90% confidence level. What should you do?

C. Ensure that each zone in each of the VPC networks has at least 10 compute instances. Look in Project A for the reported metric.

D. Ensure that each zone in each of the VPC networks has at least 9 compute instances. Look in Project B for the reported metric.

E. Ensure that each zone in each of the VPC networks has at least 9 compute instances. Look in Project A for the reported metric.

F. Ensure that each zone in each of the VPC networks has at least 10 compute instances. Look in Project B for the reported metric.

You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):

You need to update the firewall rule to add the following rule to the ruleset:

You are using a new user account. You must assign the appropriate identity and Access Management (IAM) user roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?

A. Assign the compute.securityAdmin and logging.viewer rule to the new user account. Apply the new firewall rule with a priority of 50.

B. Assign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

C. Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.

D. Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

Your company is planning a migration to Google Kubernetes Engine. Your application team informed you that they require a minimum of 60 Pods per node and a maximum of 100 Pods per node. Which Pod per node CIDR range should you use?

A. /24

B. /25

C. /26

D. /28

You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?

A. “¢ Create a Cloud VPN instance. “¢ Create a policy-based VPN tunnel per subnet. “¢ Configure the appropriate local and remote traffic selectors to match your local and remote networks. “¢ Create the appropriate static routes.

B. “¢ Create a Cloud VPN instance. “¢ Create a policy-based VPN tunnel. “¢ Configure the appropriate local and remote traffic selectors to match your local and remote networks. “¢ Configure the appropriate static routes.

C. “¢ Create a Cloud VPN instance. “¢ Create a route-based VPN tunnel. “¢ Configure the appropriate local and remote traffic selectors to match your local and remote networks. “¢ Configure the appropriate static routes.

D. “¢ Create a Cloud VPN instance. “¢ Create a route-based VPN tunnel. “¢ Configure the appropriate local and remote traffic selectors to 0.0.0.0/0. “¢ Configure the appropriate static routes.

You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?

A. AS-Path

B. Community

C. Local Preference

D. Multi-exit Discriminator

You are increasing your usage of Cloud VPN between on-premises and GCP, and you want to support more traffic than a single tunnel can handle. You want to increase the available bandwidth using Cloud VPN.
What should you do?

A. Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.

B. Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address.

C. Add a second on-premises VPN gateway with a different public IP address. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.

D. Add a second Cloud VPN gateway in a different region than the existing VPN gateway. Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.

You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?

A. Configure the remote autonomous system number (ASN) to 4096.

B. Configure a second Cloud Router to scale bandwidth in and out of the VPC.

C. Configure the maximum transmission unit (MTU) to its highest supported value.

D. Configure a second set of active/passive VPN tunnels.

Your company has 10 separate Virtual Private Cloud (VPC) networks, with one VPC per project in a single region in Google Cloud. Your security team requires each VPC network to have private connectivity to the main on-premises location via a Partner Interconnect connection in the same region. To optimize cost and operations, the same connectivity must be shared with all projects. You must ensure that all traffic between different projects, on-premises locations, and the internet can be inspected using the same third-party appliances. What should you do?

A. Configure the third-party appliances with multiple interfaces and specific Partner Interconnect VLAN attachments per project. Create the relevant routes on the third-party appliances and VPC networks.

B. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks.

C. Consolidate all existing projects’ subnetworks into a single VPCreate separate VPC networks for on-premises and internet connectivity. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create the relevant routes on the third-party appliances and VPC networks.

D. Configure the third-party appliances with multiple interfaces. Create a hub VPC network for all projects, and create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks. Use VPC Network Peering to connect all projects’ VPC networks to the hub VPC. Export custom routes from the hub VPC and import on all projects’ VPC networks.

You work for a multinational enterprise that is moving to GCP.
These are the cloud requirements:
"¢ An on-premises data center located in the United States in Oregon and New York with Dedicated Interconnects connected to Cloud regions us-west1 (primary
HQ) and us-east4 (backup)
"¢ Multiple regional offices in Europe and APAC
"¢ Regional data processing is required in europe-west1 and australia-southeast1
"¢ Centralized Network Administration Team
Your security and compliance team requires a virtual inline security appliance to perform L7 inspection for URL filtering. You want to deploy the appliance in us- west1.
What should you do?

A. “¢ Create 2 VPCs in a Shared VPC Host Project. “¢ Configure a 2-NIC instance in zone us-west1-a in the Host Project. “¢ Attach NIC0 in VPC #1 us-west1 subnet of the Host Project. “¢ Attach NIC1 in VPC #2 us-west1 subnet of the Host Project. “¢ Deploy the instance. “¢ Configure the necessary routes and firewall rules to pass traffic through the instance.

B. “¢ Create 2 VPCs in a Shared VPC Host Project. “¢ Configure a 2-NIC instance in zone us-west1-a in the Service Project. “¢ Attach NIC0 in VPC #1 us-west1 subnet of the Host Project. “¢ Attach NIC1 in VPC #2 us-west1 subnet of the Host Project. “¢ Deploy the instance. “¢ Configure the necessary routes and firewall rules to pass traffic through the instance.

C. “¢ Create 1 VPC in a Shared VPC Host Project. “¢ Configure a 2-NIC instance in zone us-west1-a in the Host Project. “¢ Attach NIC0 in us-west1 subnet of the Host Project. “¢ Attach NIC1 in us-west1 subnet of the Host Project “¢ Deploy the instance. “¢ Configure the necessary routes and firewall rules to pass traffic through the instance.

D. “¢ Create 1 VPC in a Shared VPC Service Project. “¢ Configure a 2-NIC instance in zone us-west1-a in the Service Project. “¢ Attach NIC0 in us-west1 subnet of the Service Project. “¢ Attach NIC1 in us-west1 subnet of the Service Project “¢ Deploy the instance. “¢ Configure the necessary routes and firewall rules to pass traffic through the instance.

You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via TCP on port 700. You want to ensure high availability for this application. What should you do?

A. Create a network load balancer that used backend services containing one instance group with two instances.

B. Create a network load balancer that uses a target pool backend with two instances.

C. Create a TCP proxy that uses a zonal network endpoint group containing one instance.

D. Create a TCP proxy that uses backend services containing an instance group with two instances.

Your company has provisioned 2000 virtual machines (VMs) in the private subnet of your Virtual Private Cloud (VPC) in the us-east1 region. You need to configure each VM to have a minimum of 128 TCP connections to a public repository so that users can download software updates and packages over the internet. You need to implement a Cloud NAT gateway so that the VMs are able to perform outbound NAT to the internet. You must ensure that all VMs can simultaneously connect to the public repository and download software updates and packages. Which two methods can you use to accomplish this? (Choose two.)

A. Configure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.

B. Create a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.

C. Use the default Cloud NAT gateway’s NAT proxy to dynamically scale using a single NAT IP address.

D. Use the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.

E. Configure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.

You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?

A. /21

B. /22

C. /23

D. /25

You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?

A. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24.3. Set a custom route advertisement on the Cloud Router for 10.204.0.0/24

B. 1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168 20.88.2. Configure your on-premises firewall to accept traffic from 35.199.192.0/193. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

C. 1. Create a private forwarding zone in Cloud DNS for ‘corp .altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24.3. Modify the /etc/resolv conf file on your Compute Engine instances to point to 192.168.20 88

D. 1. Create a private zone in Cloud DNS for ‘corp altostrat.com’ called corp-altostrat-com.2. Configure DNS Server Policies and create a policy with Alternate DNS servers to 192.168.20.88.3. Configure your on-premises firewall to accept traffic from 35.199.192.0/19.4. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

You converted an auto mode VPC network to custom mode. Since the conversion, some of your Cloud Deployment Manager templates are no longer working.
You want to resolve the problem.
What should you do?

A. Apply an additional IAM role to the Google API’s service account to allow custom modefinetworks.

B. Update the VPC firewall to allow the Cloud Deployment Manager to access the custom modefinetworks.

C. Explicitly reference the custom modefinetworks in the Cloud Armor whitelist.

D. Explicitly reference the custom modefinetworks in the Deployment Manager templates.

You recently noticed a recurring daily spike in network usage in your Google Cloud project. You need to identify the virtual machine (VM) instances and type of traffic causing the spike in traffic utilization while minimizing the cost and management overhead required. What should you do?

A. Enable VPC Flow Logs and send the output to BigQuery for analysis.

B. Enable Firewall Rules Logging for all allowed traffic and send the output to BigQuery for analysis.

C. Configure Packet Mirroring to send all traffic to a VM. Use Wireshark on the VM to identity traffic utilization for each VM in the VPC.

D. Deploy a third-party network appliance and configure it as the default gateway. Use the third-party network appliance to identify users with high network traffic.

You are planning to use Terraform to deploy the Google Cloud infrastructure for your company. The design must meet the following requirements:
•	Each Google Cloud project must represent an internal project that your team will work on.
•	After an internal project is finished, the infrastructure must be deleted.
•	Each internal project must have its own Google Cloud project owner to manage the Google Cloud resources.
•	You have 10-100 projects deployed at a time.
While you are writing the Terraform code, you need to ensure that the deployment is simple and the code is reusable with centralized management.
What should you do?

A. Create a single project and single VPC for each internal project.

B. Create a single Shared VPC and attach each Google Cloud project as a service project.

C. Create a single project and additional VPCs for each internal project.

D. O Create a Shared VPC and service project for each internal project.

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users.
What should you do?

A. Create a Cloud Armor Policy rule that denies traffic and review necessary logs.

B. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.

C. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.

D. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.

You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.
How should you configure your firewall rules?

A. Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.

B. Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.

C. Create a single firewall rule to allow port 22 with priority 1000.

D. Create a single firewall rule to allow port 3389 with priority 1000.

You are configuring your organization's Google Cloud environment to connect to your on-premises network, which does not support Border Gateway Protocol (BGP). Your on-premises network has 30 CIDR ranges that must be reachable from Google Cloud. Your VPN gateway creates a unique child security association (SA) per CIDR. You must ensure that the 30 CIDR ranges in your on-premises network are reachable from Google Cloud.
Following Google-recommended practices, which two methods can you use to accomplish this? (Choose two.)

A. Create a single Cloud VPN tunnel that uses route-based VPN.

B. Create a single Cloud VPN tunnel that uses policy-based routing with 30 CIDRs as the remote traffic selectors.

C. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to unique peer IP addresses.

D. Create multiple Cloud VPN tunnels that use policy-based routing with 10 CIDR per tunnel as the remote traffic selectors.

E. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to the same peer IP address.

Your company's web server administrator is migrating on-premises backend servers for an application to GCP. Libraries and configurations differ significantly across these backend servers. The migration to GCP will be lift-and-shift, and all requests to the servers will be served by a single network load balancer frontend.
You want to use a GCP-native solution when possible.
How should you deploy this service in GCP?

A. Create a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer.

B. Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.

C. Deploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers.

D. Use GCP’s ECMP capability to load-balance traffic to the backend servers by installing multiple equal-priority static routes to the backend servers.

You just finished your company’s migration to Google Cloud and configured an architecture with 3 Virtual Private Cloud (VPC) networks: one for Sales, one for Finance, and one for Engineering. Every VPC contains over 100 Compute Engine instances, and now developers using instances in the Sales VPC and the Finance VPC require private connectivity between each other. You need to allow communication between Sales and Finance without compromising performance or security. What should you do?

A. Configure an HA VPN gateway between the Finance VPC and the Sales VPC.

B. Configure the instances that require communication between each other with an external IP address.

C. Create a VPC Network Peering connection between the Finance VPC and the Sales VPC.

D. Configure Cloud NAT and a Cloud Router in the Sales and Finance VPCs.