Question 241
You have configured a single IPSec Cloud VPN tunnel for your organization to one of your customers. The VPN Tunnel Status is showing as Established; however, the BGP Session Status is showing as BGP not configured. Your customer’s BGP settings are:
• Customer BGP address: 169.254.11.1/30
• Customer ASN: 64515
• Google Cloud BGP address: 169.254.11.2
• Google Cloud ASN: 64517
• MD5 Authentication: Disabled
You need to configure your local BGP session for this tunnel based on the settings provided by the third-party customer. You have already associated the Cloud Router with the Cloud VPN Tunnel. What should you do?
A. Create a BGP session with these settings:
• Peer ASN: 64517
• Advertise Route Priority (MED): 100
• Local BGP IP: 169.254.11.2
• Peer BGP IP: 169.254.11.1
• MD5 Authentication: Disabled.
B. Create a BGP session with these settings:
• Peer ASN: 64515
• Advertise Route Priority (MED): 100
• Local BGP IP: 169.254.11.1
• Peer BGP IP: 169.254.11.2
• MD5 Authentication: Disabled.
C. Create a BGP session with these settings:
• Peer ASN: 64515
• Advertise Route Priority (MED): 100
• Local BGP IP: 169.254.11.2
• Peer BGP IP: 169.254.11.1
• MD5 Authentication: Disabled.
D. Create a BGP session with these settings:
• Peer ASN: 64515
• Advertise Route Priority (MED): 1000
• Local BGP IP: 169.254.11.2
• Peer BGP IP: 169.254.11.1
• MD5 Authentication: Enabled.
Question 242
Your organization has an on-premises data center. You need to provide connectivity from the on-premises data center to Google Cloud. Bandwidth must be at least 1 Gbps, and the traffic must not traverse the internet. What should you do?
A. Configure HA VPN by using high availability gateways and tunnels.
B. Configure Cross-Cloud Interconnect by creating a VLAN attachment, activate the connection, and then submit the pairing key to your service provider.
C. Configure Dedicated Interconnect by creating a VLAN attachment, activate the connection, and submit the pairing key to your service provider.
D. Configure Partner Interconnect by creating a VLAN attachment, submit the pairing key to your service provider, and activate the connection.
Question 243
Your company’s web application was just deployed on Compute Engine VMs in multiple Google Cloud regions. You have created multiple instance groups and you need to distribute traffic between these VMs. You want your users to automatically connect to the backend that is located in the closest region while following Google-recommended practices. What should you do?
A. Create one global external Application Load Balancer and multiple backend services. Ensure that each backend service contains one backend. Point each backend to a different instance group.
B. Create one global external Application Load Balancer and one backend service with multiple backends. Point each backend to a different instance group.
C. Create two global external Application Load Balancers with one backend service and one backend. Point each backend to a different instance group.
D. Create two global external Application Load Balancers with multiple backend services. Ensure that each backend service contains one backend. Point each backend to a different instance group.
Question 244
Your company uses Network Connectivity Center to connect its VPCs in Google Cloud. It plans to connect its on-premises data center to one of these VPCs by using HA VPN. The CIDR range of your on-premises network overlaps with the IP addresses in Google Cloud. You want your VMs in Google Cloud to connect directly to the IP address of the on-premises hosts. What should you do?
A. Configure a subnet of purpose REGIONAL_MANAGED_PROXY and use a Google Cloud application load balancer.
C. Configure a subnet of purpose REGIONAL_MANAGED_PROXY and use a Google Cloud TCP proxy load balancer.
D. Configure a subnet of purpose PRIVATE_NAT and use Private NAT for the Network Connectivity Center spokes.
E. Configure a subnet of purpose PRIVATE_NAT and use Hybrid NAT.
Question 245
Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption-in-transit over the Cloud Interconnect connections. You have created a Cloud Router and two VLAN attachments. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?
A. Create an HA VPN gateway and associate the gateway with your two VLAN attachments. Use the existing Cloud Router for HA VPN, the peer VPN gateway resources, and the HA VPN tunnels.
B. Create an HA VPN gateway and associate the gateway with your two VLAN attachments. Create a new Cloud Router for HA VPN, the peer VPN gateway resources, and the HA VPN tunnels.
C. Enable MACsec on the VLAN attachments.
D. Enable MACsec on Partner Cloud Interconnect.
Question 246
Your organization wants to deploy an internal application named app-1 in VPC-1. The application will consume services from another internal application named app-2 in VPC-2. VPC Network Peering will connect both applications. You need to apply microsegmentation between these two applications and VPCs. What should you do?
A. Assign network tags to these applications: secure-tag-app-1 to app-1 and secure-tag-app-2 to app-2. Configure a hierarchical firewall policy with an ingress rule that allows traffic from secure-tag-app-1 to secure-tag-app-2. Leave the default deny ingress rule and the default allow egress rule.
B. Assign secure tags to these applications: secure-tag-app-1 to app-1 and secure-tag-app-2 to app-2. Configure a hierarchical firewall policy with an ingress rule that allows traffic from secure-tag-app-1 to secure-tag-app-2. Leave the default deny ingress rule and the default allow egress rule.
C. Assign network tags to these applications: secure-tag-app-1 to app-1 and secure-tag-app-2 to app-2. Configure an ingress VPC firewall rule that allows traffic from secure-tag-app-1 to secure-tag-app-2. Leave the default deny ingress rule and the default allow egress rule.
D. Assign secure tags to these applications: secure-tag-app-1 to app-1 and secure-tag-app-2 to app-2. Configure a network firewall policy that is attached to VPC-2 with an ingress rule that allows traffic from secure-tag-app-1 to secure-tag-app-2. Leave the default deny ingress rule and the default allow egress rule.
Question 247
You are troubleshooting connectivity issues between Google Cloud and a public SaaS provider. The connectivity between the two environments is through the public internet. Your users are reporting intermittent connection errors when using TCP to connect; however, ICMP tests show no failures. According to users, errors occur around the same time every day. You want to troubleshoot and gather information by using Google Cloud tools that are most likely to provide insights to what is occurring within Google Cloud. What should you do?
A. Create a Connectivity Test. Review the results for configuration issues in the VPC routing table.
B. Enable and review Cloud Logging for Cloud Armor. Look for logs with errors that match the destination IP address of the public SaaS provider.
C. Enable and review Cloud Logging on your Cloud NAT Gateway. Look for logs with errors that match the destination IP address of the public SaaS provider.
D. Enable the Firewall Insights API. Set the Deny rule insights observation period to one day. Review Insight results to ensure there are no firewall rules denying traffic.
Question 248
You are designing a Google Kubernetes Engine cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 Services. Because of the migration of new Services over the next two years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 Services. You want to use VPC-native clusters with alias IP address ranges, while minimizing address consumption. How should you design this topology?
A. Create a subnet of size /28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the Services are ready to be deployed, resize the subnets.
B. Use gcloud container clusters create [CLUSTER_NAME] --enable-ip-alias to create a VPC-native Cluster.
C. Create a subnet of size /25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
D. Use gcloud container clusters create [CLUSTER_NAME] to create a VPC-native Cluster.