Professional-Cloud-Network-Engineer Practice Test Questions

153 Questions


Your organization uses a hub-and-spoke architecture with critical Compute Engine
instances in your Virtual Private Clouds (VPCs). You are responsible for the design of
Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from
your on-premises data center and enable on-premises name resolution from your hub-and-spoke
VPC design. What should you do?


A.

Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises
server.
Configure DNS peering from the spoke VPCs to the hub VPC.


B.

Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke
VPCs.
Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.


C.

Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an
alternate DNS server.
Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke
VPCs.


D.

Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an
alternate DNS server.
Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.





C.
  

Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an
alternate DNS server.
Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke
VPCs.



You recently noticed a recurring daily spike in network usage in your Google Cloud project.
You need to identify the virtual machine (VM) instances and type of traffic causing the spike
in traffic utilization while minimizing the cost and management overhead required. What
should you do?


A.

Enable VPC Flow Logs and send the output to BigQuery for analysis.


B.

Enable Firewall Rules Logging for all allowed traffic and send the output to BigQuery for
analysis.


C.

Configure Packet Mirroring to send all traffic to a VM. Use Wireshark on the VM to
identify traffic utilization for each VM in the VPC.


D.

Deploy a third-party network appliance and configure it as the default gateway. Use the
third-party network appliance to identify users with high network traffic.





C.
  

Configure Packet Mirroring to send all traffic to a VM. Use Wireshark on the VM to
identify traffic utilization for each VM in the VPC.



You are the network administrator responsible for hybrid connectivity at your organization.
Your developer team wants to use Cloud SQL in the us-west1 region in your Shared VPC.
You configured a Dedicated Interconnect connection and a Cloud Router in us-west1, and
the connectivity between your Shared VPC and on-premises data center is working as
expected. You just created the private services access connection required for Cloud SQL
using the reserved IP address range and default settings. However, your developers
cannot access the Cloud SQL instance from on-premises. You want to resolve the issue.
What should you do?


A.

Modify the VPC Network Peering connection used for Cloud SQL, and enable the import
and export of routes.
Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP
address range.


B.

Change the VPC routing mode to global.
Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP
address range.


C.

Create an additional Cloud Router in us-west2.
Create a new Border Gateway Protocol (BGP) peering connection to your on-premises
data center.
Modify the VPC Network Peering connection used for Cloud SQL, and enable the import
and export of routes.


D.

Change the VPC routing mode to global.
Modify the VPC Network Peering connection used for Cloud SQL, and enable the import
and export of routes.





A.
  

Modify the VPC Network Peering connection used for Cloud SQL, and enable the import
and export of routes.
Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP
address range.



You deployed a hub-and-spoke architecture in your Google Cloud environment that uses
VPC Network Peering to connect the spokes to the hub. For security reasons, you
deployed a private Google Kubernetes Engine (GKE) cluster in one of the spoke projects
with a private endpoint for the control plane. You configured authorized networks to be the subnet range where the GKE nodes are deployed. When you attempt to reach the GKE
control plane from a different spoke project, you cannot access it. You need to allow
access to the GKE control plane from the other spoke projects. What should you do?


A.

Add a firewall rule that allows port 443 from the other spoke projects.


B.

Enable Private Google Access on the subnet where the GKE nodes are deployed.


C.

Configure the authorized networks to be the subnet ranges of the other spoke projects.


D.

Deploy a proxy in the spoke project where the GKE nodes are deployed and connect to
the control plane through the proxy.





C.
  

Configure the authorized networks to be the subnet ranges of the other spoke projects.



Your company has a Virtual Private Cloud (VPC) with two Dedicated Interconnect
connections in two different regions: us-west1 and us-east1. Each Dedicated Interconnect
connection is attached to a Cloud Router in its respective region by a VLAN attachment.
You need to configure a high availability failover path. By default, all ingress traffic from the
on-premises environment should flow to the VPC using the us-west1 connection. If us-west1
is unavailable, you want traffic to be rerouted to us-east1. How should you configure
the multi-exit discriminator (MED) values to enable this failover path?


A.

Use regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set
the us-west1 Cloud Router to a base priority of 1


B.

Use global routing. Set the us-east1 Cloud Router to a base priority of 100, and set the
us-west1 Cloud Router to a base priority of 1


C.

Use regional routing. Set the us-east1 Cloud Router to a base priority of 1000, and set
the us-west1 Cloud Router to a base priority of 1


D.

Use global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the
us-west1 Cloud Router to a base priority of 1





A.
  

Use regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set
the us-west1 Cloud Router to a base priority of 1



You are creating an instance group and need to create a new health check for HTTP(s)
load balancing.
Which two methods can you use to accomplish this? (Choose two.)


A.

Create a new health check using the gcloud command line tool.


B.

Create a new health check using the VPC Network section in the GCP Console.


C.

Create a new health check, or select an existing one, when you complete the load
balancer’s backend configuration in the GCP Console.


D.

Create a new legacy health check using the gcloud command line tool.


E.

Create a new legacy health check using the Health checks section in the GCP Console.





A.
  

Create a new health check using the gcloud command line tool.



C.
  

Create a new health check, or select an existing one, when you complete the load
balancer’s backend configuration in the GCP Console.



Your company has recently expanded their EMEA-based operations into APAC. Globally
distributed users report that their SMTP and IMAP services are slow. Your company
requires end-to-end encryption, but you do not have access to the SSL certificates.
Which Google Cloud load balancer should you use?


A.

SSL proxy load balancer


B.

Network load balancer


C.

HTTPS load balancer


D.

TCP proxy load balancer





D.
  

TCP proxy load balancer



https://cloud.google.com/security/encryption-in-transit/
Automatic encryption between GFEs and backends: for the following load balancer types,
Google automatically encrypts traffic between Google Front Ends (GFEs) and your backends
that reside within Google Cloud VPC networks: HTTP(S) Load Balancing, TCP Proxy Load
Balancing, SSL Proxy Load Balancing.

You create a Google Kubernetes Engine private cluster and want to use kubectl to get the
status of the pods. In one of your instances you notice the master is not responding, even
though the cluster is up and running.
What should you do to solve the problem?


A.

Assign a public IP address to the instance.


B.

Create a route to reach the Master, pointing to the default internet gateway.


C.

Create the appropriate firewall policy in the VPC to allow traffic from Master node IP
address to the instance.


D.

Create the appropriate master authorized network entries to allow the instance to
communicate to the master.





D.
  

Create the appropriate master authorized network entries to allow the instance to
communicate to the master.



https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#cant_reach_cluster
https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks

Your company has separate Virtual Private Cloud (VPC) networks in a single region for two
departments: Sales and Finance. The Sales department's VPC network already has
connectivity to on-premises locations using HA VPN, and you have confirmed that the
subnet ranges do not overlap. You plan to peer both VPC networks to use the same HA
tunnels for on-premises connectivity, while providing internet connectivity for the Google
Cloud workloads through Cloud NAT. Internet access from the on-premises locations
should not flow through Google Cloud. You need to propagate all routes between the
Finance department and on-premises locations. What should you do?


A.

Peer the two VPCs, and use the default configuration for the Cloud Routers.


B.

Peer the two VPCs, and use Cloud Router’s custom route advertisements to announce
the peered VPC network ranges to the on-premises locations.


C.

Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales
and import custom routes on Finance's VPC network. Use Cloud Router’s custom route
advertisements to announce a default route to the on-premises locations.


D.

Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales
and import custom routes on Finance's VPC network. Use Cloud Router’s custom route
advertisements to announce the peered VPC network ranges to the on-premises locations.





A.
  

Peer the two VPCs, and use the default configuration for the Cloud Routers.



Your company’s on-premises network is connected to a VPC using a Cloud VPN tunnel.
You have a static route of 0.0.0.0/0 with the VPN tunnel as its next hop defined in the VPC.
All internet bound traffic currently passes through the on-premises network. You configured
Cloud NAT to translate the primary IP addresses of Compute Engine instances in one
region. Traffic from those instances will now reach the internet directly from their VPC and
not from the on-premises network. Traffic from the virtual machines (VMs) is not translating
addresses as expected. What should you do?


A.

Lower the TCP Established Connection Idle Timeout for the NAT gateway.


B.

Add firewall rules that allow ingress and egress of the external NAT IP address, have a
target tag that is on the Compute Engine instances, and have a priority value higher than
the priority value of the default route to the VPN gateway.


C.

Add a default static route to the VPC with the default internet gateway as the next hop,
the network tag associated with the Compute Engine instances, and a higher priority than
the priority of the default route to the VPN tunnel.


D.

Increase the default min-ports-per-vm setting for the Cloud NAT gateway.





A.
  

Lower the TCP Established Connection Idle Timeout for the NAT gateway.



You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC.
You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises
router cannot run a Border Gateway Protocol (BGP) configuration.
Which connectivity model should you use?


A.

Direct Peering


B.

Dedicated Interconnect


C.

Partner Interconnect with a layer 2 partner


D.

Partner Interconnect with a layer 3 partner





D.
  

Partner Interconnect with a layer 3 partner



https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview
For Layer 3 connections, your service provider establishes a BGP session between your
Cloud Routers and their edge routers for each VLAN attachment. You don't need to
configure BGP on your on-premises router. Google and your service provider automatically
set the correct configurations.
https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview#connectivity-type

Your company has recently installed a Cloud VPN tunnel between your on-premises data
center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access
to the Cloud Functions API for your on-premises servers. The configuration must meet the
following requirements:
Certain data must stay in the project where it is stored and not be exfiltrated to other
projects.
Traffic from servers in your data center with RFC 1918 addresses does not use the internet to
access Google Cloud APIs.
All DNS resolution must be done on-premises.
The solution should only provide access to APIs that are compatible with VPC Service
Controls.
What should you do?


A.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel
terminates.


B.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com
addresses.


C.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel
terminates.


D.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Configure your on-premises firewalls to allow traffic to the private.googleapis.com
addresses.





C.
  

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the
addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel
terminates.



