Question 161
You have the networking configuration shown in the diagram. A pair of redundant Dedicated Interconnect connections (int-Iga1 and int-Iga2) terminate on the same Cloud Router. The Interconnect connections terminate on two separate on-premises routers. You are advertising the same prefixes from the Border Gateway Protocol (BGP) sessions associated with the Dedicated Interconnect connections. You need to configure one connection as Active for both ingress and egress traffic. If the active Interconnect connection fails, you want the passive Interconnect connection to automatically begin routing all traffic. Which two actions should you take to meet this requirement? (Choose two.)

A. Configure the advertised route priority as 200 for the BGP session associated with the active interconnect connection.
B. Configure the advertised route priority > 10,200 on the active Interconnect connection.
C. Advertise a lower MED on the active Interconnect connection from the on-premises router.
D. Advertise a lower MED on the passive Interconnect connection from the on-premises router.
E. Configure the advertised route priority as 200 for the BGP session associated with the passive Interconnect connection.
Question 162
You are a network administrator at your company planning a migration to Google Cloud and you need to finish the migration as quickly as possible. To ease the transition, you decided to use the same architecture as your on-premises network: a hub-and-spoke model. Your on-premises architecture consists of over 50 spokes. Each spoke does not have connectivity to the other spokes, and all traffic is sent through the hub for security reasons. You need to ensure that the Google Cloud architecture matches your on-premises architecture. You want to implement a solution that minimizes management overhead and cost, and uses default networking quotas and limits. What should you do?
A. Connect all the spokes to the hub with Cloud VPN.
B. Connect all the spokes to the hub with VPC Network Peering.
C. Connect all the spokes to the hub with Cloud VPN. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes.
D. Connect all the spokes to the hub with VPC Network Peering. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes.
Question 163
You have the networking configuration shown in the diagram. Two VLAN attachments associated with two Dedicated Interconnect connections terminate on the same Cloud Router (mycloudrouter). The Interconnect connections terminate on two separate on-premises routers. You advertise the same prefixes from the Border Gateway Protocol (BGP) sessions associated with each of the VLAN attachments.
You notice an asymmetric traffic flow between the two Interconnect connections. Which of the following actions should you take to troubleshoot the asymmetric traffic flow?

A. From the Google Cloud console, navigate to Cloud Logging to view VPC Flow Logs and review the results.
B. From the Cloud CLI, run gcloud compute --project PROJECT_ID routers get-status mycloudrouter --region REGION and review the results.
C. From the Google Cloud console, navigate to the Hybrid Connectivity, select the Cloud Router, and view BGP sessions.
D. From the Cloud CLI, run gcloud compute routers describe mycloudrouter --region REGION and review the results.
Question 164
You are responsible for designing a new connectivity solution between your organization's on-premises data center and your Google Cloud Virtual Private Cloud (VPC) network. Currently, there is no end-to-end connectivity. You must ensure a service level agreement (SLA) of 99.99% availability. What should you do?
A. Use one Dedicated Interconnect connection in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC.
B. Use a Direct Peering connection between your on-premises data center and Google Cloud. Configure Classic VPN with two tunnels and one Cloud Router.
C. Use two Dedicated Interconnect connections in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC.
D. Use HA VPN. Configure one tunnel from each interface of the VPN gateway to connect to the corresponding interfaces on the peer gateway on-premises. Configure one Cloud Router and enable global routing in the VPC.
Question 165
Your company is planning a migration to Google Kubernetes Engine. Your application team informed you that they require a minimum of 60 Pods per node and a maximum of 100 Pods per node. Which Pod per node CIDR range should you use?
A. /24
B. /25
C. /26
D. /28
Question 166
You are designing a packet mirroring policy as part of your network security architecture for your gaming workload. Your infrastructure is located in the us-west2 region and deployed across several zones: us-west2-a, us-west2-b, and us-west2-c. The infrastructure is running a web-based application on TCP ports 80 and 443 with other game servers that utilize the UDP protocol. You need to deploy packet mirroring policies and collector instances to monitor web application traffic while minimizing inter-zonal network egress costs.
Following Google-recommended practices, how should you deploy the packet mirroring policies and collector instances?
A. Create three packet mirroring policies: one for each zone. Create one group of collector instances for the us-west2 region. Configure each packet mirroring policy to match traffic for its zone based on instance-tags, and create a filter for TCP traffic.
B. Create one packet mirroring policy for the us-west2 region. Create one group of collector instances for the us-west2 region. Configure the packet mirroring policy to match traffic for web server instances based on instance-tags, and create a filter for TCP traffic.
C. Create three packet mirroring policies: one for each zone. Create three groups of collector instances: one group for each zone. Configure each policy to match traffic for its zone based on instance-tags, and create a filter for TCP traffic.
D. Create three packet mirroring policies: one for each zone. Create three groups of collector instances: one group for each zone. Configure each policy to match traffic for its zone based on subnets, and create a filter for TCP traffic.
Question 167
Your company recently migrated to Google Cloud. You configured separate Virtual Private Cloud (VPC) networks for Department A and Department B. You need to configure both VPC networks to have access to the same on-premises location through separate links with full isolation between the VPC networks. Your design must also query on-premises DNS servers from workloads in Google Cloud using conditional forwarding. You want to minimize operational overhead. What should you do?
A. Customize the operating system DNS configuration files to target the on-premises DNS servers.
B. Keep the different VPC networks from both departments isolated with different on-premises links, and separate Cloud DNS private zones and Cloud DNS forwarding zones.
C. Peer Department A's and Department B's VPC networks to have all on-premises connectivity via a single VPC network. Use separate Cloud DNS private zones and Cloud DNS forwarding zones.
D. Configure a Cloud DNS Peering zone in Department A's VPC network pointing to Department B's VPC and a Cloud DNS outbound forwarding zone in Department B's VPC network. Use separate on-premises links in each VPC network.
Question 168
You are planning to use Terraform to deploy the Google Cloud infrastructure for your company. The design must meet the following requirements:
• Each Google Cloud project must represent an internal project that your team will work on.
• After an internal project is finished, the infrastructure must be deleted.
• Each internal project must have its own Google Cloud project owner to manage the Google Cloud resources.
• You have 10-100 projects deployed at a time.
While you are writing the Terraform code, you need to ensure that the deployment is simple and the code is reusable with centralized management.
What should you do?
A. Create a single project and single VPC for each internal project.
B. Create a single Shared VPC and attach each Google Cloud project as a service project.
C. Create a single project and additional VPCs for each internal project.
D. Create a Shared VPC and service project for each internal project.
Question 169
You have the following Shared VPC design. VPC Flow Logs is configured for Subnet-1 in the host VPC. You also want to monitor flow logs for Subnet-2. What should you do?

A. Configure a VPC Flow Logs filter for Subnet-2 in the host project VPC.
B. Configure VPC Flow Logs in the service project VPC for Subnet-2.
C. Configure Packet Mirroring in both the host and service project VPCs.
D. Configure a firewall rule to permit Subnet-2 IP addresses outbound in the host project VPC.
Question 170
You are configuring your organization's Google Cloud environment to connect to your on-premises network, which does not support Border Gateway Protocol (BGP). Your on-premises network has 30 CIDR ranges that must be reachable from Google Cloud. Your VPN gateway creates a unique child security association (SA) per CIDR. You must ensure that the 30 CIDR ranges in your on-premises network are reachable from Google Cloud.
Following Google-recommended practices, which two methods can you use to accomplish this? (Choose two.)
A. Create a single Cloud VPN tunnel that uses route-based VPN.
B. Create a single Cloud VPN tunnel that uses policy-based routing with 30 CIDRs as the remote traffic selectors.
C. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to unique peer IP addresses.
D. Create multiple Cloud VPN tunnels that use policy-based routing with 10 CIDR per tunnel as the remote traffic selectors.
E. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to the same peer IP address.