Google Professional-Cloud-Network Exam


Question 201
Your organization requires that all SMTP traffic to your cloud environment is blocked, except for traffic that originates from your corporate network. Your organization also requires that only specific VPCs across your Google Cloud projects will allow SMTP access from your corporate network. You need to configure a security policy that will enable this connectivity. What should you do?
A. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action.
2. Configure an egress hierarchical firewall rule with priority 10010 specifying the source of your corporate network as TCP port 25 and the goto_next action.
3. Associate the hierarchical firewall policy at the organization level.
4. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.
B. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the 0.0.0.0/0 source, TCP port 25, and the allow action.
2. Associate the hierarchical firewall policy at the organization level.
3. Configure firewall policy rules to deny TCP port 25 in the firewall policies associated with the respective VPCs that do not require that access.
C. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the source of your corporate network, TCP port 25, and the goto_next action.
2. Configure an ingress hierarchical firewall rule with priority 10010 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action.
3. Associate the hierarchical firewall policy at the organization level.
4. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.
D. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action.
2. Associate the hierarchical firewall policy at the organization level.
3. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.

Question 202
Your organization has a subset of applications in multiple regions that require internet access. You need to control internet access from applications to URLs, including hostnames and paths. The compute instances that run these applications have an associated secure tag. What should you do?
A. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match a service account.
B. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match the secure tag.
C. Deploy a single Secure Web Proxy instance with global access enabled. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.
D. Deploy a Secure Web Proxy instance in each region. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.

Question 203
You are implementing hybrid connectivity between your company's data center and Google Cloud. You've already deployed redundant Dedicated Interconnect connections, and are now deploying VLAN attachments in us-central1. You want to use an active/passive approach, where interconnect-1 is active and interconnect-2 is a passive backup. You need to deploy a Cloud Router to enable BGP connectivity. You want to follow Google-recommended practices. What should you do?
A. 1. Configure the primary interconnect-1 BGP session on the Cloud Router with priority 0 and ASN 65101.
2. Configure the secondary interconnect-2 BGP session on the Cloud Router with priority 200 and ASN 65102.
3. Configure the on-premises ASN as 65000.
B. 1. Configure the primary interconnect-1 BGP session on the Cloud Router with priority 0.
2. Configure the secondary interconnect-2 BGP session on the Cloud Router with priority 200.
3. Configure both Google-side BGP ASNs as 65100.
4. Configure the on-premises ASN as 65000.
C. 1. Configure the primary and secondary interconnects of the BGP sessions on the Cloud Router with priority 100 and ASN 16550.
2. Configure the on-premises ASN as 65001 for primary interconnect-1.
3. Configure the on-premises ASN as 65002 for secondary interconnect-2.
D. 1. Configure the primary and secondary interconnects of the BGP sessions on the Cloud Router with priority 100 and ASN 4200000001.
2. Configure the on-premises ASN as 4200000010.
3. Disable the BGP session on the on-premises router for the secondary interconnect-2.

Question 204
Your organization has multiple VMs running on Google Cloud within a VPC. The VMs require connectivity to certain Google APIs. You need to enable Private Google Access for VM connectivity to Cloud Storage. What should you do?
A. Enable Private Google Access on the project, remove the default route that points to the default internet gateway, and enable the Cloud Storage API.
B. Enable Private Google Access on the VM, remove the default route that points to the default internet gateway, and enable the Cloud Storage API.
C. Enable Private Google Access on the VPC, create a default route that points to the default internet gateway, and enable the Cloud Storage API.
D. Enable Private Google Access on the subnet, create a default route that points to the default internet gateway, and enable the Cloud Storage API.

Question 205
You are configuring the final elements of a migration effort where resources have been moved from on-premises to Google Cloud. While reviewing the deployed architecture, you noticed that DNS resolution is failing when queries are being sent to the on-premises environment. You log in to a Compute Engine instance, try to resolve an on-premises hostname, and the query fails. DNS queries are not arriving at the on-premises DNS server. You need to use managed services to reconfigure Cloud DNS to resolve the DNS error. What should you do?
A. Ensure that the operating systems of the Compute Engine instances are configured to send DNS queries to the on-premises DNS servers directly.
B. Validate that there is network connectivity to the on-premises environment and that the Compute Engine instances can reach other on-premises resources. If errors persist, remove the VPC Network Peerings and recreate the peerings after validating the routes.
C. Validate that the Compute Engine instances are using the Metadata Service IP address as their resolver. Configure an outbound forwarding zone for the on-premises domain pointing to the on-premises DNS server. Configure Cloud Router to advertise the Cloud DNS proxy range to the on-premises network.
D. Review the existing Cloud DNS zones, and validate that there is a route in the VPC directing traffic destined to the IP address of the DNS servers. Recreate the existing DNS forwarding zones for . to forward all queries to the on-premises DNS servers.

Question 206
Your organization's security team recently discovered that there is a high risk of malicious activities originating from some of your VMs connected to the internet. These malicious activities are currently undetected when TLS communication is used. You must ensure that encrypted traffic to the internet is inspected. What should you do?
A. Enable Cloud Armor TLS inspection policy, and associate the policy with the backend VMs.
B. Use Cloud NGFW Essentials. Create a firewall rule for egress traffic, and enable VPC Flow Logs with the TLS inspect option. Analyze the output logs content and block the outputs that have malicious activities.
C. Configure a TLS agent on every VM to intercept TLS traffic before it reaches the internet. Configure Sensitive Data Protection to analyze and allow/deny the content.
D. Use Cloud NGFW Enterprise. Create a firewall rule for egress traffic with the --tls-inspect flag, and associate the firewall rules with the VMs.

Question 207
Your organization has a hub and spoke architecture with VPC Network Peering, and hybrid connectivity is centralized at the hub. The Cloud Router in the hub VPC is advertising subnet routes, but the on-premises router does not appear to be receiving any subnet routes from the VPC spokes. You need to resolve this issue. What should you do?
A. Create custom routes at the Cloud Router in the spokes to advertise the subnets of the VPC spokes.
B. Create custom routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.
C. Create a BGP route policy at the Cloud Router, and ensure the subnets of the VPC spokes are being announced towards the on-premises environment.
D. Create custom learned routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

Question 208
Your organization has a legacy VPN device that uses IKEv1 and does not support BGP. Connectivity from your on-premises environment to Google Cloud needs to be established. You are using 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24 in your on-premises environment, and 192.168.100.0/24, 192.168.101.0/24, and 192.168.102.0/24 in your Google Cloud environment. You have configured a VPN gateway and you need to configure a policy-based VPN tunnel. What should you do?
A. Configure the tunnel with LOCAL_TS set to 172.16.100.0/22 and REMOTE_TS set to 192.168.100.0/22.
B. Configure the tunnel with LOCAL_TS set to 192.168.100.0/22 and REMOTE_TS set to 172.16.100.0/22.
C. Configure the tunnel with LOCAL_TS set to 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24, and REMOTE_TS set to 192.168.100.0/24, 192.168.101.0/24, and 192.168.102.0/24.
D. Configure the tunnel with LOCAL_TS set to 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24, and REMOTE_TS set to 0.0.0.0/0.

Question 209
You plan to deploy Google Cloud Armor web application firewall (WAF) policies that use the preconfigured WAF rules. You want all Google Cloud Armor logs to be sent to Cloud Logging with the highest level of detail possible. You have enabled Cloud Load Balancing logs for all the backend services where Cloud Armor WAF policies are applied. What should you do?
A. Set the sample rate of the Cloud Load Balancing logs to 0.5.
B. Set the Google Cloud Armor logging option to VERBOSE.
C. Enable Google Cloud Armor logging for all the backend services where Cloud Armor WAF policies are applied. Set the Google Cloud Armor logging option to VERBOSE.
D. Set the sample rate of the Cloud Load Balancing logs to 1.0.

Question 210
Your organization has implemented Vertex AI online prediction in your Google Cloud environment, which is in the us-central1 region. Online prediction is available through private services access by using the IP CIDR range of 172.16.53.0/24. You need to configure access to Vertex AI without affecting the existing routes. You want to use the VLAN attachments that are located in the us-west1 region as primary. The interconnect VLAN attachments in the us-west2 region can only be used as a backup. What should you do?
A. Create a custom route advertisement on VLAN attachments in the us-west1 region for prefix 172.16.53.0/24. Create a custom route advertisement on VLAN attachments in the us-west2 region for prefix 172.16.53.0/24.
B. Create a custom learned route on VLAN attachments in the us-west1 region for prefix 172.16.53.0/24, and set the route priority on the BGP session as 100. Create a custom route advertisement on VLAN attachments in the us-west2 region for prefix 172.16.53.0/24, and set the route priority on the BGP session as 200.
C. Create a custom route advertisement on VLAN attachments in the us-west1 region for prefix 172.16.53.0/24, and set the route priority on the BGP session as 100. Create a custom route advertisement on VLAN attachments in the us-west2 region for prefix 172.16.53.0/24, and set the route priority on the BGP session as 200.
D. Create a custom route advertisement on VLAN attachments in the us-west1 region for prefix 172.16.53.0/24, and create a BGP route-policy to set the multi-exit discriminator (MED) to 100. Create a custom route advertisement on VLAN attachments in the us-west2 region for prefix 172.16.53.0/24, and create a BGP route-policy to set the multi-exit discriminator (MED) to 200.