

Google Professional-Cloud-Network Exam

Viewing Questions 211-220 out of 248 Questions

Question 211
As part of your organization's modernization efforts, the application teams are migrating services to Google Kubernetes Engine (GKE) on Google Cloud. The GKE clusters will live in service projects. The teams have validated the applications and configurations in their sandbox projects. When moving to production, you noticed that GKE nodes were not being created. Users were able to create Compute Engine instances, but the operation failed when they tried to create a GKE cluster. You need to enable the application teams so they can create said GKE clusters. What should you do?
A. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the host project.
B. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the service project.
C. Ensure that the service project's GKE service account has the compute.networkUser IAM permission in the service project.
D. Review the firewall rules configuration in the VPC. Identify what rule is blocking node creation.

Question 212
You are implementing a Shared VPC network for your organization, which has distributed teams. One of the application developers works across several teams and notices that they can deploy applications in subnets that are reserved for another application's service projects. You want to ensure that developers can only deploy resources in the subnets that are reserved for their respective service project. What should you do?
A. Specify which Shared VPC subnets each application's service projects can access by using the constraints/compute.restrictSharedVpcSubnetworks organizational constraint.
B. Grant the compute.NetworkViewer role to the developer in the Shared VPC host project.
C. Restrict another application's project from accessing specific subnets in the host project by using the constraints/compute.restrictSharedVpcHostProject organizational constraint.
D. Grant the compute.NetworkUser role to the developer in the specific Shared VPC service project.

Question 213
You are configuring HA VPN for your organization to connect your on-premises environment to your Google Cloud network. Your on-premises environment is closest to the us-west1 Google Cloud region. You have Google Cloud resources in us-west2, which requires a throughput of 300,000 packets per second (PPS) and an approximate bandwidth of 4 Gbps. You need to have predictable bandwidth management and maintain an SLA of 99.99% with minimal costs. What should you do?
A. Create an HA VPN gateway with two tunnels. Configure BGP on both tunnels with tunnel 0 configured with a base routing priority metric of 100 and tunnel 1 with a base routing priority metric of 200. Configure the on-premises router with the corresponding multi-exit discriminator (MED) value.
B. Create two HA VPN gateways, each with two tunnels. Configure BGP on each of the gateways' tunnels with tunnel 0 configured with a base routing priority metric of 100 and tunnel 1 with a base routing priority metric of 100. Configure the on-premises router with the same corresponding multi-exit discriminator (MED) value.
C. Create an HA VPN gateway with two tunnels. Configure BGP on both tunnels with tunnel 0 configured with a base routing priority metric of 100 and tunnel 1 with a base routing priority metric of 100. Configure the on-premises router with the corresponding multi-exit discriminator (MED) value.
D. Create an HA VPN gateway with four tunnels. Configure BGP on four tunnels with tunnel 0 configured with a base routing priority metric of 100, tunnel 1 with a base routing priority metric of 200, tunnel 2 with a base routing priority of 300, and tunnel 3 with a base routing priority of 400. Configure the on-premises router with the corresponding multi-exit discriminator (MED) value.

Question 214
Your organization mandates that all internal IP addresses used by all database VMs must be statically allocated. While analyzing your VPC IP address allocations, you observed that the database VMs do not have static IP addresses. You need to configure the VPC to follow your organization's mandate without causing any disruption to current operations. What should you do?
A. Promote the internal IP addresses to static assignments for all database VMs.
B. Create a firewall rule to allow only traffic to the IP addresses allocated to your database VMs.
C. Define a maintenance window to shut down the database VMs one at a time, promote the internal IP address to a static assignment, and restart the VM.
D. Define an organization policy to allow only statically allocated IP addresses for VMs. Ensure the prefix matches your database VMs.

Question 215
Your organization deployed a mission-critical application that is expected to be a new revenue source. As part of the planning and deployment process, you have recently implemented a security profile with the default set of threat signatures provided by Cloud Next Generation Firewall (Cloud NGFW). This application is the only application running on this project. You need to increase the security posture of the application to log the threat and drop the related packets. What should you do?
A. Configure a new default threat signature with Deny All to all severity options. Review the logs to understand the impact.
B. Set up a Linux VM as the frontend gateway for the application. Create iptables rules to drop all packets, excluding the application port.
C. For all severity options (critical, high, medium, low and informational) in the security profile, change the default override action to Deny.
D. Configure Cloud Scheduler to run a task that checks the Cloud NGFW logs to verify the threats. Configure the task to create a security profile with each signature ID set to override the default action.


Question 216
You are configuring a Cross-Cloud Interconnect connection for your Google Cloud organization with two public cloud service providers (CSPs): CSP 1 and CSP 2. The CSP 1 and CSP 2 environments are closest to Frankfurt, Germany. You can choose between two common colocation locations, Frankfurt and Munich. Your organization's Google Cloud infrastructure is deployed in the North American region, us-east4, which is located in Virginia, USA. The VPC dynamic routing mode has been set to GLOBAL. Your organization requires 20 Gbps of protected bandwidth with a 99.9% Google Cloud SLA. You want to minimize costs where possible. What should you do?
A. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
2. Create two Cross-Cloud Interconnect connections to CSP 2, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2.
B. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
2. Create two Cross-Cloud Interconnect connections to CSP 2, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2.
C. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 40 Gbps of total bandwidth (20 Gbps in zone 1) in a common co-location facility located in Frankfurt, Germany and (20 Gbps in zone 2) in a common co-location facility located in Munich, Germany.
2. Create two Cross-Cloud Interconnect connections to CSP 2, with 40 Gbps of total bandwidth (20 Gbps in zone 1) in a common co-location facility located in Frankfurt, Germany and (20 Gbps in zone 2) in a common co-location facility located in Munich, Germany.
3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2.
D. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
2. Create two Cross-Cloud Interconnect connections to CSP 2, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
3. Create a Cloud Router in us-east4 (Ashburn, Virginia, USA), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2.

Question 217
Your organization's application is running on a VPC-native GKE Standard cluster with public IP addresses. You need to configure access to the remote address range 35.100.0.0/16 through Cloud NAT, instead of using the GKE nodes' external IP addresses. SNAT is enabled on the cluster and needs to be configured. What should you do?
A. Configure nonMasqueradeCIDRs in the ip-masq-agent ConfigMap. Include the 35.100.0.0/16 range in the list.
B. Configure nonMasqueradeCIDRs in the ip-masq-agent ConfigMap. Remove the 35.100.0.0/16 range from the list.
C. Configure Cloud NAT and create an exclusion rule for any SNAT address translation.
D. Configure Cloud NAT with nonMasqueradeCIDRs, and enable SNAT with the same configuration to allow traffic to 35.100.0.0/16.

Question 218
Your organization has approximately 100 teams that need to manage their own environments. A central team must manage the network. You need to design a landing zone that provides separate projects for each team. You must also make sure the solution can scale. What should you do?
A. Configure Policy-based Routing for each team.
B. Configure a Shared VPC, and create a VPC network in the host project.
C. Configure VPC Network Peering, and peer one of the VPCs to the service project.
D. Configure a Shared VPC, and create a VPC network in the service project.

Question 219
You are using Network Connectivity Center and you already have the hub configured. All VPCs in your environment need to have network connectivity to each other. All the subnet ranges are unique. You need to configure your topology accordingly. What should you do?
A. Configure a star topology, add the VPC spokes to the hub, and specify all subnet ranges in the excludeExportRanges filter.
B. Configure a mesh topology, add the VPC spokes to the hub, and specify all subnet ranges in the excludeExportRanges filter.
C. Configure a mesh topology, and add the VPC spokes to the hub.
D. Configure a star topology, and add the VPC spokes to the hub.

Question 220
You are creating a design that will connect your single on-premises data center to a VPC in Google Cloud by using an IPsec VPN connection. The connection must have a minimum SLA of 99.99%. There is a single VPN termination device located in your on-premises data center. The VPN termination device can be configured only with a single public IP address. Your design must also have the least amount of setup effort. What should you do?
A. 1. Create two HA VPN gateways.
2. Create one tunnel on interface 0 of one gateway and create one tunnel on interface 1 of the other gateway.
3. Terminate each of the two tunnels on the single public IP address that is configured on the VPN termination device located in your on-premises data center.
B. 1. Create one Classic VPN gateway and one HA VPN gateway.
2. Create one tunnel on the interface of the Classic VPN gateway and one tunnel on interface 1 of the HA VPN gateway.
3. Terminate each of the two tunnels on the single public IP address that is configured on the VPN termination device located in your on-premises data center.
C. 1. Replace the existing on-premises VPN termination device with a new device that is configured with two different public IP addresses.
2. Create one HA VPN gateway.
3. Create one tunnel for each of the two HA VPN gateway interfaces.
4. Terminate each of the two tunnels on one of the two public IP addresses that is configured on the new VPN termination device located in your on-premises data center.
D. 1. Create one HA VPN gateway.
2. Create one tunnel for each of the two HA VPN gateway interfaces.
3. Terminate each of the two tunnels on the single public IP address that is configured on the VPN termination device located in your on-premises data center.


