Google Professional-Cloud-Network Exam


Question 181
You are implementing a VPC architecture for your organization by using a Network Connectivity Center hub and spoke topology:
• There is one Network Connectivity Center hybrid spoke to receive on-premises routes.
• There is one VPC spoke that needs to be added as a Network Connectivity Center spoke.
Your organization has limited routable IP space for its cloud environment (192.168.0.0/20). The Network Connectivity Center spoke VPC is connected to on-premises with a Cloud Interconnect connection in the us-east4 region. The on-premises IP range is 172.16.0.0/16. You need to reach on-premises resources from multiple Google Cloud regions (us-west1, europe-central1, and asia-southeast1) and minimize the IP addresses being used. What should you do?
A. 1. Configure a Private NAT gateway and NAT subnet in us-west1 (192.168.1.0/24), europe-central1 (192.168.2.0/24), and asia-southeast1 (192.168.3.0/24).
2. Add the VPC as a spoke and configure an export include policy to advertise only 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-west1, us-central1 and asia-southeast1 to reach the on-premises location through us-east4.
B. 1. Configure a Private NAT gateway instance in us-west1 (172.16.1.0/24), europe-central1 (172.16.2.0/24), and asia-southeast1 (172.16.3.0/24).
2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise only the NAT subnets 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-west1, us-central1, and asia-southeast1 to reach the on-premises location through us-east4.
C. 1. Configure a Private NAT gateway instance in us-east4 (192.168.1.0/24).
2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise 192.168.1.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-west1, us-central1 and asia-southeast1 to reach the on-premises location through us-east4.
D. 1. Configure a Private NAT gateway instance in us-west1 (192.168.1.0/24), europe-central1 (192.168.2.0/24), and asia-southeast1 (192.168.3.0/24).
2. Add the VPC as a spoke and configure an export exclude policy on the VPC spoke to advertise only the NAT subnets 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-west1, us-central1, and asia-southeast1 to reach the on-premises location through us-east4.

Question 182
You have several VMs across multiple VPCs in your cloud environment, which require access to internet endpoints. These VMs cannot have public IP addresses due to security policies, so you plan to use Cloud NAT to provide outbound internet access. Within your VPCs, you have several subnets in each region. You want to ensure that only specific subnets have access to the internet through Cloud NAT. You want to avoid any unintentional configuration issues caused by other administrators, and align to Google-recommended practices. What should you do?
A. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure all primary and secondary subnet source ranges.
B. Create a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.
C. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure a custom source range that includes the allowed subnets.
D. Deploy Cloud NAT in each VPC, and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.

Question 183
Your organization has five different VPCs across different projects in your Google Cloud organization that need high-throughput connectivity. You have performed an audit of the IP address utilization in each VPC, and there are two overlapping subnets that are used by two of the VPCs: 240.0.0.0/16 and 240.128.0.0/24. You have confirmed that no Class E subnets (240.0.0.0/4) will require inter-VPC connectivity, but all other subnets in the VPCs will need connectivity. You need to deploy a Google Cloud routing solution to meet the connectivity requirements. What should you do?
A. Create a full mesh of VPC Network Peering connections between all five VPCs. Make sure not to import or export subnet routes with public IP addresses. Add Cloud network firewall policy rules to allow traffic.
B. Create a Network Connectivity Center hub with a mesh topology. Add a VPC spoke for each of the five VPCs and configure an export exclude filter for 240.0.0.0/4. Add Cloud network firewall policy rules to allow traffic.
C. Create a series of multiple network interface VMs with an interface in each VPC. Place the VMs in an instance group. Create an internal passthrough Network Load Balancer in each VPC with the backend of the instance group. Configure custom static routes in each VPC with the next hop of the respective load balancer. Add Cloud network firewall policy rules to allow traffic.
D. Create a full mesh of VPC Network Peering connections between all five VPCs with an export exclude filter for 240.0.0.0/4 on every side. Add Cloud network firewall policy rules to allow traffic.

Question 184
You are attempting to establish an HA VPN to your on-premises network; however, the VPN connection is not establishing successfully. You have full administrative control over the Google Cloud networking environment and the on-premises firewalls that are acting as the VPN devices. The Google Cloud console shows "Negotiation failure" and "BGP is down". You check Cloud Logging by using a query for resource.type="vpn_gateway" and resource.labels.gateway_id="TUNNEL_ID_NUMBER". Logs Explorer shows frequent log entries:
logName: "…/logs/cloud.googleapis.com%2Fipsec_events"
type: "vpn_gateway"
textPayload: "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built"
You need to troubleshoot the VPN failure and take corrective action based on the Cloud Logging entries. What should you do?
A. Update the Google Cloud BGP session configuration to match the BGP peer ASN on the on-premises side.
B. Compare and review the Phase 2 settings on the on-premises firewall. Make sure the settings match one of the supported cipher suites for HA VPN.
C. Create a new Cloud VPN gateway in a region closer to the peer VPN gateway.
D. Compare the Phase 1 settings and recreate the Cloud VPN tunnel by choosing a different IKE version and pre-shared key.

Question 185
Your team deployed two applications in GKE that are exposed through an external Application Load Balancer. When queries are sent to www.mountkirkgames.com/sales and www.mountkirkgames.com/get-an-analysis, the correct pages are displayed. However, you have received complaints that www.mountkirkgames.com yields a 404 error. You need to resolve this error. What should you do?
A. Review the Service YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML.
B. Review the Ingress YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML.
C. Review the Ingress YAML file. Define the default backend. Reapply the YAML.
D. Review the Service YAML file. Define a default backend. Reapply the YAML.


Question 186
Your multi-region VPC has had a long-standing HA VPN configured in "region 1" connected to your corporate network. You are planning to add two 10 Gbps Dedicated Interconnect connections and VLAN attachments in "region 2" to connect to the same corporate network. You need to plan for connectivity between your VPC and corporate network to ensure that traffic uses the Dedicated Interconnect connections as the primary path and the HA VPN as the secondary path. What should you do?
A. Enable regional dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in "region 1" to use a base priority value of 100. Configure BGP associated with the VLAN attachments to use a base priority of 20000. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.
B. Enable regional dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in "region 1" to use a base priority value of 20000. Configure BGP associated with the VLAN attachments to use a base priority of 100. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.
C. Enable global dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in "region 1" to use a base priority value of 20000. Configure BGP associated with the VLAN attachments to use a base priority of 100. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.
D. Enable global dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in "region 1" to use a base priority value of 100. Configure BGP associated with the VLAN attachments to use a base priority of 20000. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.

Question 187
Your organization is developing a landing zone architecture with the following requirements:
• There should be no communication possible between production and non-production environments.
• Communication between applications within an environment may be necessary.
• Network administrators should centrally manage all network resources, including subnets, routes, and firewall rules.
• Each application should be billed separately.
• Developers of an application within a project should have the autonomy to create their compute resources. They should not create or modify networking resources.
• Up to 1000 applications are expected per environment.
You need to create a design that accommodates these requirements. What should you do?
A. Create a design that has one Shared VPC host project for the production environment, and another Shared VPC host project for the nonproduction environment. Associate the various applications' service projects with the corresponding environment's host project.
B. Create a design that has a Shared VPC for each project. Implement hierarchical firewall policies to apply micro-segmentation between VPCs.
C. Create a design that implements a single Shared VPC. Use VPC firewall rules with secure tags to enforce micro-segmentation between environments.
D. Create a design where each project in each environment has its own VPC with its own subnets, routes, and firewall rules. Ensure all VPCs are added as spokes to a Network Connectivity Center hub.

Question 188
Your company uses Compute Engine instances that are exposed to the public internet. Each compute instance has a single network interface with a single public IP address. You need to block any connection attempt that originates from internet clients with IP addresses that belong to the BGP_ASN_TOBLOCK BGP ASN. What should you do?
A. Create a new Cloud Armor backend security policy, and use the --network-src-asns parameter.
B. Create a new Cloud Armor network edge security policy, and use the --network-src-asns parameter.
C. Create a new Cloud Armor edge security policy, and use the --network-src-asns parameter.
D. Create a new firewall policy ingress rule, and use the --network-src-asns parameter.

Question 189
Your frontend application VMs and your backend database VMs are all deployed in the same VPC but across different subnets. Global network firewall policy rules are configured to allow traffic from the frontend VMs to the backend VMs. Based on a recent compliance requirement, this traffic must now be inspected by network virtual appliance (NVA) firewalls that are deployed in the same VPC. The NVAs are configured to be full network proxies and will source-NAT allowed traffic. You need to configure VPC routing to allow the NVAs to inspect the traffic between subnets. What should you do?
A. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add the global network firewall policy rules to allow traffic through your NVAs. Create a policy-based route (PBR) with the source IP range of the backend VM subnet, destination IP range of the frontend VM subnet, and the next hop of ILB1. Scope the PBR to the VMs with the backend network tag. Add a backend network tag to your backend servers.
B. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a custom static route with the destination IP range of the backend VM subnet, frontend instance tag, and the next hop of ILB1. Add a frontend network tag to your frontend VMs.
C. Create your NVA with multiple interfaces. Configure NIC0 for NVA in the backend subnet. Configure NIC1 for NVA in the frontend subnet. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a custom static route with the destination IP range of the backend VM subnet, frontend instance tag, and the next hop of ILB1. Add a frontend network tag to your frontend VMs.
D. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a policy-based route (PBR) with the source IP range of the frontend VM subnet, destination IP range of the backend VM subnet, and the next hop of ILB1. Scope the PBR to the VMs with the frontend network tag. Add a frontend network tag to your frontend servers.

Question 190
Your organization wants to set up hybrid connectivity with VLAN attachments that terminate in a single Cloud Router with 99.9% uptime. You need to create a network design for your on-premises router that meets those requirements and has an active/passive configuration that uses only one VLAN attachment at a time. What should you do?
A. Create a design that uses the LOCAL_PREF BGP attribute to influence the egress path from Google Cloud to the on-premises environment.
B. Create a design that uses an equal-cost multipath (ECMP) with flow-based hashing on your on-premises devices.
C. Create a design that uses a BGP multi-exit discriminator (MED) attribute to influence the egress path from Google Cloud to the on-premises environment.
D. Create a design that uses the AS_PATH BGP attribute to influence the egress path from Google Cloud to the on-premises environment.