Question 231
Your organization's current architecture has one Shared VPC host project (SH_HOST_PRJ) that contains a single VPC (SH_VPC) and two Shared VPC service projects (SP_ONE_PRJ and SP_TWO_PRJ) that do not contain any VPCs. Each Shared VPC service project belongs to a different team: TEAM_ONE manages SP_ONE_PRJ and TEAM_TWO manages SP_TWO_PRJ.
You must design a solution that allows each team to create their own DNS private zones and DNS records only in their respective Shared VPC service projects. Workloads in SP_ONE_PRJ must be able to resolve all the DNS private zones defined in SP_TWO_PRJ and conversely. Your design must have the least amount of set up effort. What should you do?
A. 1. TEAM_ONE uses cross-project binding and creates Cloud DNS private zones and DNS records in SP_ONE_PRJ, and binds the zones to the Shared VPC host project (SH_HOST_PRJ).
2. TEAM_TWO creates Cloud DNS private zones and DNS records in SP_TWO_PRJ, and uses cross-project binding to connect the zones to the Shared VPC host project (SH_HOST_PRJ).
B. 1. TEAM_ONE uses cross-project binding and creates Cloud DNS private zones and DNS records in SP_ONE_PRJ, and binds the zones to the VPC (SH_VPC) in the Shared VPC host project (SH_HOST_PRJ).
2. TEAM_TWO creates DNS private zones and DNS records in SP_TWO_PRJ and uses cross-project binding to connect the zones to the VPC (SH_VPC) in the Shared VPC host project (SH_HOST_PRJ).
C. 1. TEAM_ONE creates a new VPC (SP_ONE_VPC) in the Shared VPC service project (SP_ONE_PRJ). TEAM_ONE creates Cloud DNS private zones and DNS records in SP_ONE_PRJ, and binds the zones to the new VPC (SP_ONE_VPC). TEAM_ONE creates a Cloud DNS peering relationship between SP_ONE_VPC and the VPC (SH_VPC) in the Shared VPC host project (SH_HOST_PRJ).
2. TEAM_TWO completes the same actions for the SP_TWO_PRJ project.
D. 1. TEAM_ONE creates a new VPC (SP_ONE_VPC) in the Shared VPC service project (SP_ONE_PRJ). TEAM_ONE creates Cloud DNS private zones and DNS records in SP_ONE_PRJ, and binds the zones to the new VPC (SP_ONE_VPC). TEAM_ONE creates a VPC Network Peering relationship between SP_ONE_VPC and the VPC (SH_VPC) in the Shared VPC host project (SH_HOST_PRJ).
2. TEAM_TWO completes the same actions for the SP_TWO_PRJ project.
Question 232
You are troubleshooting an application in your organization's Google Cloud network that is not functioning as expected. You suspect that packets are getting lost somewhere. The application sends packets intermittently at a low volume from a Compute Engine VM to a destination on your on-premises network through a pair of Cloud Interconnect VLAN attachments. You validated that the Cloud Next Generation Firewall (Cloud NGFW) rules do not have any deny statements blocking egress traffic, and you do not have any explicit allow rules. Following Google-recommended practices, you need to analyze the flow to see if packets are being sent correctly out of the VM to isolate the issue. What should you do?
A. Create a packet mirroring policy that is configured with your VM as the source and destined to a collector. Analyze the packet captures.
B. Enable VPC Flow Logs on the subnet that the VM is deployed in with SAMPLE_RATE = 1.0, and run a query in Logs Explorer to analyze the packet flow.
C. Verify the network/attachment/egress_dropped_packets_count Cloud Interconnect VLAN attachment metric.
D. Enable Firewall Rules Logging on your firewall rules and review the logs.
Question 233
Your organization is launching a new video game that will be available to all users globally through Cloud CDN. During the early release phase, you discovered that the wrong binary version was uploaded from Cloud Storage and cached in Cloud CDN. Thousands of users have downloaded the wrong version. Your marketing department has notified users that this was the wrong version of the game and asked all users to download the updated version using the same URL. You need to ensure users are downloading the updated version of the game. What should you do?
A. Create a security policy to block all Cloud CDN requests, review the logs, and filter which users are attempting to download the wrong game binary.
B. Create a new URL path for the updated game binary. Allow the cache to expire automatically through HTTP headers.
C. Upload the updated game binary to Cloud Storage. Invalidate the wrong game binary from the Cloud CDN cache.
D. Disable Cloud CDN. Reconfigure the load balancer with the updated game binary. Enable Cloud CDN.
Question 234
You recently reviewed the user behavior for your main application, which uses an external global Application Load Balancer, and found that the backend servers were overloaded due to erratic spikes in the rate of client requests. You need to limit the concurrent sessions and return an HTTP 429 Too Many Requests response back to the client while following Google-recommended practices. What should you do?
A. Create a Cloud Armor security policy, and associate the policy with the load balancer. Configure the security policy's settings as follows: action: throttle; conform action: allow; exceed action: deny-429.
B. Configure the load balancer to accept only the defined amount of requests per client IP address, increase the backend servers to support more traffic, and redirect traffic to a different backend to burst traffic.
C. Create a Cloud Armor security policy, and apply the predefined Open Worldwide Application Security Project (OWASP) rules to automatically implement the rate limit per client IP address.
D. Configure a VM with Linux, implement the rate limit through iptables, and use a firewall rule to send an HTTP 429 response to the client application.
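The rule settings named in option A (action throttle, conform action allow, exceed action deny-429) are easier to reason about when you see how a per-key threshold behaves against a burst. The following Python is an added example written for this page, not Cloud Armor's implementation and not from the original question set: it models one throttle rule with a threshold of count requests per interval_sec seconds, keyed either per client IP (enforce_on_key IP) or shared by all clients (ALL), and replays a constructed burst of requests. The fixed-window counter is an assumption made to keep the model small; the real service does not publish its counting algorithm, so use the block to understand the semantics of the settings, not to predict exact limits.

```python
from dataclasses import dataclass, field

# Constructed sample traffic: (timestamp_sec, client_ip). Not real logs.
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.10"),
    (0.5, "203.0.113.10"),
    (1.0, "203.0.113.10"),
    (1.5, "203.0.113.10"),   # 4th request inside the window: exceeds count=3
    (2.0, "198.51.100.7"),   # different client, gets its own counter with key IP
    (12.0, "203.0.113.10"),  # first client again after the 10 s window expired
]


@dataclass
class ThrottleRule:
    """One Cloud Armor rule with action 'throttle' (model, not Google's code).

    Field names follow the rule's rateLimitOptions; the fixed-window counter
    is an assumption of this example."""
    threshold_count: int            # rate_limit_threshold.count
    threshold_interval_sec: int     # rate_limit_threshold.interval_sec
    enforce_on_key: str = "IP"      # this model supports "IP" and "ALL"
    conform_action: str = "allow"
    exceed_action: str = "deny(429)"
    _windows: dict = field(default_factory=dict, repr=False)

    def _key(self, client_ip: str) -> str:
        if self.enforce_on_key == "ALL":
            return "*"              # one bucket shared by every client
        if self.enforce_on_key == "IP":
            return client_ip        # one bucket per source address
        raise ValueError(f"unsupported enforce_on_key {self.enforce_on_key!r}")

    def evaluate(self, now: float, client_ip: str) -> tuple[int, str]:
        """Return (http_status, action) for a single request seen at time `now`."""
        key = self._key(client_ip)
        start, seen = self._windows.get(key, (now, 0))
        if now - start >= self.threshold_interval_sec:
            start, seen = now, 0    # window expired: start a fresh count
        seen += 1
        self._windows[key] = (start, seen)
        if seen > self.threshold_count:
            return 429, self.exceed_action
        return 200, self.conform_action


def replay(rule: ThrottleRule, requests=SAMPLE_REQUESTS) -> list[int]:
    """Feed the constructed burst through one rule and collect the statuses."""
    return [rule.evaluate(t, ip)[0] for t, ip in requests]


def per_ip_statuses() -> list[int]:
    """Threshold 3 requests / 10 s, counted per client IP."""
    return replay(ThrottleRule(threshold_count=3, threshold_interval_sec=10))


def shared_statuses() -> list[int]:
    """Same threshold, but one shared counter (enforce_on_key=ALL)."""
    return replay(ThrottleRule(threshold_count=3, threshold_interval_sec=10,
                               enforce_on_key="ALL"))


if __name__ == "__main__":
    print("enforce_on_key=IP :", per_ip_statuses())
    print("enforce_on_key=ALL:", shared_statuses())
```

With the per-IP key the second client is unaffected by the first client's burst and the first client is served again once its window has elapsed; with ALL every client shares the budget, so the second client is throttled by traffic it did not send. Choosing the key is therefore part of the security decision, not just a tuning detail.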
Question 235
Your company uses web application firewall (WAF) capabilities from a third-party cloud WAF provider. This WAF provider proxies all the HTTPS connections from internet clients, applies security policies, and then opens a new HTTPS connection to the public IP address of your global Application Load Balancer in Google Cloud. Your Google Cloud workloads are the backend of this global Application Load Balancer. Currently, Cloud Armor is not configured. You need to create a Cloud Armor security policy that blocks sessions that originate from internet clients with source IP addresses that belong to the IP_RANGE_BLOCK IP range. The block must be executed by the Cloud Armor security policy; it will not be done by the third-party cloud WAF provider. What should you do?
A. 1. Create a new Cloud Armor network edge security policy. In the policy, set the userIpRequestHeaders[] attribute.
2. Add a policy rule that denies traffic that matches inIpRange(origin.user_ip, 'IP_RANGE_BLOCK') statement.
3. Apply the policy to the backend service that includes all your Google Cloud workloads.
B. 1. Create a new Cloud Armor network edge security policy. In the policy, set the userIpRequestHeaders[] attribute.
2. Add a policy rule that denies traffic that matches the inIpRange(origin.ip, 'IP_RANGE_BLOCK') statement.
3. Apply the policy to the backend service that includes all your Google Cloud workloads.
C. 1. Create a new Cloud Armor backend security policy. In the policy, set the userIpRequestHeaders[] attribute.
2. Add a policy rule that denies traffic that matches the inIpRange(origin.user_ip, 'IP_RANGE_BLOCK') statement.
3. Apply the policy to the backend service that includes all your Google Cloud workloads.
D. 1. Create a new Cloud Armor backend security policy. In the policy, set the userIpRequestHeaders[] attribute.
2. Add a policy rule that denies traffic that matches the inIpRange(origin.ip, 'IP_RANGE_BLOCK') statement.
3. Apply the policy to the backend service that includes all your Google Cloud workloads.
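The options above differ in one security-relevant detail: when a third-party WAF proxies the connection, origin.ip is the WAF's egress address, while origin.user_ip is taken from a request header named in userIpRequestHeaders. The following Python is an added example for this page, not Cloud Armor's code and not part of the original question: it evaluates inIpRange() against both attributes for constructed requests, so the difference is visible, and adds the check a practitioner would pair with it. The header name X-Client-IP, the block range 192.0.2.0/24 and the WAF egress range 198.51.100.0/24 are assumptions (RFC 5737 documentation addresses); so are two details of the attribute model, namely taking the first address when the header carries a comma-separated list and falling back to origin.ip when no configured header yields a valid address. Confirm both against the current Cloud Armor documentation before relying on them.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for this example (not from the original question).
IP_RANGE_BLOCK = "192.0.2.0/24"        # the range the policy must block
WAF_EGRESS_RANGE = "198.51.100.0/24"   # addresses the third-party WAF connects from
USER_IP_HEADER = "X-Client-IP"         # the header listed in userIpRequestHeaders


@dataclass(frozen=True)
class Request:
    origin_ip: str   # source address of the TCP connection the load balancer sees
    headers: dict    # HTTP request headers as forwarded by the WAF


def origin_user_ip(req: Request, user_ip_headers=(USER_IP_HEADER,)) -> str:
    """Model of origin.user_ip: the first configured header holding a valid
    IP address; falls back to origin.ip otherwise (fallback and first-address
    choice are assumptions of this model)."""
    lowered = {k.lower(): v for k, v in req.headers.items()}
    for name in user_ip_headers:
        raw = lowered.get(name.lower())
        if not raw:
            continue
        candidate = raw.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue   # garbage in the header: ignore it, try the next header
    return req.origin_ip


def attribute(req: Request, name: str) -> str:
    if name == "origin.ip":
        return req.origin_ip
    if name == "origin.user_ip":
        return origin_user_ip(req)
    raise ValueError(f"unknown attribute {name!r}")


def in_ip_range(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(req: Request, attr: str, cidr: str = IP_RANGE_BLOCK) -> bool:
    """inIpRange(<attr>, cidr) as the rule language evaluates it for this request."""
    return in_ip_range(attribute(req, attr), cidr)


def decide(req: Request) -> str:
    """Evaluate a small policy in priority order and return the action."""
    # Priority 1000: the LB's public IP is still reachable directly, so a client
    # that bypasses the WAF could forge the client-IP header. Admit only the WAF.
    if not in_ip_range(req.origin_ip, WAF_EGRESS_RANGE):
        return "deny(403)"
    # Priority 2000: inIpRange(origin.user_ip, 'IP_RANGE_BLOCK')
    if rule_matches(req, "origin.user_ip"):
        return "deny(403)"
    return "allow"   # default rule


# Constructed requests used below.
PROXIED_BLOCKED = Request("198.51.100.5", {"X-Client-IP": "192.0.2.77"})
PROXIED_OK = Request("198.51.100.5", {"X-Client-IP": "203.0.113.9"})
PROXIED_NO_HEADER = Request("198.51.100.5", {})
DIRECT_FORGED = Request("192.0.2.77", {"X-Client-IP": "203.0.113.9"})

if __name__ == "__main__":
    for r in (PROXIED_BLOCKED, PROXIED_OK, PROXIED_NO_HEADER, DIRECT_FORGED):
        print(r.origin_ip, origin_user_ip(r),
              rule_matches(r, "origin.ip"), rule_matches(r, "origin.user_ip"),
              decide(r))
```

For the proxied request from a blocked client, inIpRange(origin.ip, ...) is false because origin.ip is the WAF's address, while inIpRange(origin.user_ip, ...) is true. The priority-1000 rule is not asked for by the question; it is the caveat that makes trusting a client-IP header safe, because the header is only as trustworthy as the path that set it.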
Question 236
Your organization, TerramEarth, is launching a global application to manage credit card payments. There are some client VMs inside the same VPC as the application that need to access this application privately. Due to compliance requirements, the internal clients cannot use the global external IP address of the application. Currently, Cloud DNS only resolves myglobalapp.terramearth.com to the public IP address with a public zone. The clients will need to reach myglobalapp.terramearth.com without using its external IP address. You need to configure Cloud DNS to follow this requirement while following Google-recommended practices. What should you do?
A. Create a sub-domain named internal.terramearth.com. Add the new DNS entry (myglobalapp.internal.terramearth.com) to the sub-domain pointing to the internal IP address from the application VM.
B. Configure a query logic script inside Cloud DNS to check the source IP address from the VPC, and respond with a modified DNS record to include the internal IP address from the application VM.
C. Configure a private zone for the application record (myglobalapp.terramearth.com) and point to the internal IP address of the application VM. Bind this zone to the VPC.
D. Promote the ephemeral IP address from the application VM to static, add this static IP address to each internal client's hosts file, and change the myglobalapp.terramearth.com DNS record to this new static IP address.
Question 237
You are setting up a Dedicated Interconnect connection from your organization’s on-premises data center in Frankfurt, Germany, towards the europe-west3 region, which is also in the Frankfurt metropolitan area. The AI team lead expressed their concern regarding connectivity to the europe-west4 region because their team wants to use Google Cloud TPUs for their workloads. You need to ensure that low latency network connectivity is established for this team’s workloads. You want to minimize costs and operational overhead. What should you do?
A. Set up the Dedicated Interconnect connection towards the europe-west4 region instead of the europe-west3 region.
B. Set up an additional Partner Interconnect connection between your data center and the europe-west4 region.
C. Set up a remote VLAN attachment to the europe-west4 region on the Dedicated Interconnect connection.
D. Use Cloud VPN instead of Dedicated Interconnect to send traffic over the internet.
Question 238
Your company uses VPC firewall rules and denies all egress traffic. You need to allow some VMs to contact external websites based on their fully qualified domain name (FQDN). You apply the new configuration, but the traffic is still denied. You need to adjust your setup to apply the new configuration. What should you do?
A. Raise the priority of the network firewall policy rules.
B. Lower the priority of the network firewall policy rules.
C. Update the default policy and rule evaluation order to BEFORE_CLASSIC_FIREWALL.
D. Update the default policy and rule evaluation order to AFTER_CLASSIC_FIREWALL.
Question 239
Your VPC is configured with regional dynamic routing mode. You have deployed VMs and VLAN attachments in the europe-west2 region, and regional internal Application Load Balancers in us-east1. You need to ensure the VMs in the europe-west2 region have connectivity to the regional internal Application Load Balancers in the us-east1 region. What should you do?
A. Create the backend in us-east1, create multiple forwarding rules in each region, and then enable regional access.
B. Create the backend service in europe-west2, create the forwarding rule in us-east1, and then enable regional access.
C. Create the backend service in us-east1, create the forwarding rule in europe-west2, and then enable global access.
D. Create the backend service in us-east1, create the forwarding rule in us-east1, and then enable global access.
Question 240
You are designing the architecture for your organization so that clients can connect to certain Google APIs. Your plan must include a way to connect to Cloud Storage and BigQuery. You also need to ensure the traffic does not traverse the internet. You want your solution to be cloud-first and require the least amount of configuration steps. What should you do?
A. Configure Private Google Access on the VPC resource. Create a default route to the internet.
B. Configure Private Google Access on the subnet resource. Create a default route to the internet.
C. Configure Cloud NAT, and remove the default route to the internet.
D. Configure a global Secure Web Proxy, and remove the default route to the internet.