Question 221
Your organization has a highly available application that is not HTTP-based. The application runs on multiple TCP ports and is hosted in multiple regions. You need to design a solution to load balance the application in the same Shared VPC where the service will be accessed. The IP address header must contain the client's true source IP address. No public internet access is required. What should you do?
A. Configure multiple regional internal proxy Network Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions.
B. Configure multiple regional internal Application Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions.
C. Configure a single cross region internal proxy Network Load Balancer.
D. Configure multiple regional internal passthrough Network Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions.
Question 222
Your organization is using a Shared VPC model. Service project owners want to independently manage their DNS zones in service projects. All service project workloads must be able to resolve all private zones that are defined in other service projects. You need to create a solution that meets these goals. What should you do?
A. Create a Cloud DNS private zone in each service project. Use a Cloud DNS forwarding zone to forward queries to the Shared VPC in the host project.
B. Create a Cloud DNS private zone in each service project. Use Cloud DNS peering zones that target the Shared VPC in the host project.
C. Create a Cloud DNS response policy zone in each service project. Use Cloud DNS peering zones that target the Shared VPC in the host project.
D. Create a Cloud DNS private zone in each service project. Use cross-project binding to associate the zones to the Shared VPC in the host project.
Question 223
Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption-in-transit over the Cloud Interconnect connections. You have created a Cloud Router and two encrypted VLAN attachments that have a 5 Gbps capacity and a BGP configuration. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?
A. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same encrypted Cloud Router used for the Cloud Interconnect tier.
B. Enable MACsec on Partner Interconnect.
C. Enable MACsec for Cloud Interconnect on the VLAN attachments.
D. Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Create a new dedicated HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels.
Question 224
You have recently taken over responsibility for your organization's Google Cloud network security configurations. You want to review your Cloud Next Generation Firewall (Cloud NGFW) configurations to ensure that there are no rules allowing ingress traffic to your VMs and services from the internet. You want to avoid manual work. What should you do?
A. Export all your Cloud NGFW rules into a CSV file and search for 0.0.0.0/0.
B. Use Firewall Insights, and enable insights for Overly permissive rules.
C. Run Connectivity Tests from multiple external sources to confirm that traffic is not allowed to ingress to your most critical services in Google Cloud.
D. Review Network Analyzer insights on the VPC network category.
Question 225
Your organization is connecting their Shared VPC network to their on-premises data center by using Dedicated Interconnect to provide connectivity to all of its service projects. You need to create a design to configure your VLAN attachments and Cloud Routers. You also want to achieve a 99.9% Cloud Interconnect SLA based on Google Cloud's reference design. What should you do?
A. Create two Cloud Interconnect connections in different edge availability domains of two different co-location facilities in a project that will contain your connections. Create one VLAN attachment and Cloud Router for each physical interconnect in the Shared VPC host project.
B. Create two Interconnect connections in different edge availability domains of the co-location facility in a project that will contain your connections. Create one VLAN attachment for each physical Cloud Interconnect connection and a single Cloud Router in the Shared VPC host project.
C. Create two Cloud Interconnect connections in different edge availability domains of the co-location facility in a project that will contain your connections. Create one VLAN attachment for each physical interconnect and a single Cloud Router in the service projects.
D. Create two Cloud Interconnect connections in different edge availability domains of the co-location facility in a project that will contain your connections. Create a Cloud Router in the Shared VPC host project and the VLAN attachments in the Shared VPC service projects.
Question 226
Your organization's on-premises networking team is reporting frequent BGP session flaps toward your Google Cloud environment. You need to review the BGP configuration. What should you do?
A. Switch to static routing.
B. Increase the BGP hold timer to 36000 seconds max.
C. Ensure that graceful restart is enabled on the on-premises router.
D. Ask the on-premises team to enable Bidirectional Forwarding Detection (BFD).
Question 227
Your organization has over 250 autonomous business units that currently operate in a decentralized manner. Due to the organization's maturity, there is limited routable private IP address space, which is insufficient to accommodate all of the necessary workloads. You need to create a cloud-first network design that uses the same IP address space across business unit workloads where possible. These business units require communication between units, and access to their on-premises data center. What should you do?
A. Create a hub and spoke model that incorporates VPC Network Peering with hybrid connectivity centralized within the hub.
B. Create a Network Connectivity Center design that incorporates Private NAT to facilitate communication between VPC spokes, and a Routing VPC to exchange dynamic routes from the on-premises environment.
C. Create a Network Connectivity Center design that incorporates Private Service Connect to provide bidirectional communication between VPC spokes, and a Routing VPC to exchange dynamic routes from the on-premises environment.
D. Create a hub and spoke design that incorporates a centralized network virtual appliance (NVA) in the hub to perform routing and NAT between spokes.
Question 228
You are configuring an Application Load Balancer. The backend resides in your on-premises data center and is connected by Dedicated Interconnect. You need to ensure the load balancer can reference these on-premises resources. You do not want the traffic to traverse the internet at all. What should you do?
A. Configure an internet network endpoint group (NEG) as a backend service as part of the load balancer. Ensure firewalls are opened for the proxy-only subnet.
B. Configure a zonal network endpoint group (NEG) as a backend service as part of the load balancer. Ensure firewalls are opened for the client source IPs.
C. Configure a hybrid network endpoint group (NEG) as a backend service as part of the load balancer. Ensure firewalls are opened for the proxy-only subnet.
D. Configure a Private Service Connect network endpoint group (NEG) as a backend service as part of the load balancer. Ensure firewalls are opened for the client source IPs.
Question 229
You are troubleshooting connectivity issues between Google Cloud and a public SaaS provider. Connectivity between the two environments is through the public internet. Your users are reporting intermittent connection errors when using TCP to connect; however, ICMP tests show no failures. According to users, errors occur around the same time every day. You want to troubleshoot and gather information by using Google Cloud tools that are most likely to provide insights to what is occurring within Google Cloud. What should you do?
A. Enable and review Cloud Logging for Cloud Armor. Look for logs with errors matching the destination IP address of the public SaaS provider.
B. Enable and review Cloud Logging on your Cloud NAT gateway. Look for logs with errors matching the destination IP address of the public SaaS provider.
C. Enable the Firewall Insights API. Set the deny rule insights observation period to one day. Review the insights to ensure there are no firewall rules denying traffic.
D. Create a Connectivity Test by using TCP, the source IP address of your test VM, and the destination IP address of the public SaaS provider. Review the live data plane analysis and take the next steps based on the test results.
Question 230
You configured a single IPSec Cloud VPN tunnel for your organization to a third-party customer. You confirmed that the VPN tunnel is established. However, the BGP session status states that the BGP is not configured. The customer has provided you with their BGP settings:
• Local BGP address: 169.254.11.1/30
• Local ASN: 64515
• Peer BGP address: 169.254.11.2
• Peer ASN: 64517
• Base MED: 1000
• MD5 Authentication: Disabled
You need to configure the local BGP session for this tunnel based on the settings provided by the customer. You already associated the Cloud Router with the Cloud VPN Tunnel. What settings should you use for the BGP session?
A. Peer ASN: 64517
Advertised Route Priority (MED): 100
Local BGP IP: 169.254.11.2
Peer BGP IP: 169.254.11.1
MD5 Authentication: Disabled
B. Peer ASN: 64515
Advertised Route Priority (MED): 100
Local BGP IP: 169.254.11.1
Peer BGP IP: 169.254.11.2
MD5 Authentication: Disabled
C. Peer ASN: 64515
Advertised Route Priority (MED): 100
Local BGP IP: 169.254.11.2
Peer BGP IP: 169.254.11.1
MD5 Authentication: Disabled
D. Peer ASN: 64515
Advertised Route Priority (MED): 1000
Local BGP IP: 169.254.11.2
Peer BGP IP: 169.254.11.1
MD5 Authentication: Enabled