You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are
using a non-BGP-capable on-premises VPN device. You want to minimize downtime and
operational overhead when your network grows. The device supports only IKEv2, and you
want to follow Google-recommended practices.
What should you do?
A.
• Create a Cloud VPN instance.
• Create a policy-based VPN tunnel per subnet.
• Configure the appropriate local and remote traffic selectors to match your local and remote networks.
• Create the appropriate static routes.
B.
• Create a Cloud VPN instance.
• Create a policy-based VPN tunnel.
• Configure the appropriate local and remote traffic selectors to match your local and remote networks.
• Configure the appropriate static routes.
C.
• Create a Cloud VPN instance.
• Create a route-based VPN tunnel.
• Configure the appropriate local and remote traffic selectors to match your local and remote networks.
• Configure the appropriate static routes.
D.
• Create a Cloud VPN instance.
• Create a route-based VPN tunnel.
• Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.
• Configure the appropriate static routes.
• Create a Cloud VPN instance.
• Create a policy-based VPN tunnel.
• Configure the appropriate local and remote traffic selectors to match your local and remote networks.
• Configure the appropriate static routes.
Explanation: https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns#creating_a_gateway_and_tunnel
Your company has just launched a new critical revenue-generating web application. You
deployed the application for scalability using managed instance groups, autoscaling, and a
network load balancer as frontend. One day, you notice severe bursty traffic that
caused autoscaling to reach the maximum number of instances, and users of your
application cannot complete transactions. After an investigation, you suspect a DDoS
attack. You want to quickly restore user access to your application and allow successful
transactions while minimizing cost.
Which two steps should you take? (Choose two.)
A.
Use Cloud Armor to blacklist the attacker’s IP addresses
B.
Increase the maximum autoscaling backend to accommodate the severe bursty traffic
C.
Create a global HTTP(s) load balancer and move your application backend to this load
balancer.
D.
Shut down the entire application in GCP for a few hours. The attack will stop when the
application is offline
E.
SSH into the backend compute engine instances, and view the auth logs and syslogs to
further understand the nature of the attack.
Increase the maximum autoscaling backend to accommodate the severe bursty traffic
SSH into the backend compute engine instances, and view the auth logs and syslogs to
further understand the nature of the attack.
You are trying to update firewall rules in a shared VPC for which you have been assigned
only Network Admin permissions. You cannot modify the firewall rules. Your organization
requires using the least privilege necessary. Which level of permissions should you request?
A.
Security Admin privileges from the Shared VPC Admin
B.
Service Project Admin privileges from the Shared VPC Admin
C.
Shared VPC Admin privileges from the Organization Admin
D.
Organization Admin privileges from the Organization Admin
Security Admin privileges from the Shared VPC Admin
Explanation: A Shared VPC Admin can define a Security Admin by granting an IAM
member the Security Admin (compute.securityAdmin) role to the host project. Security
Admins manage firewall rules and SSL certificates.
You have deployed a new internal application that provides HTTP and TFTP services to
on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine
instances, but need to ensure that clients are sticky to a particular instance across both
services.
Which session affinity should you choose?
A.
None
B.
Client IP
C.
Client IP and protocol
D.
Client IP, port and protocol
Client IP
You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud
(VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the
VM to understand where the traffic is coming from. What should you do?
A.
Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP
addresses from the subnetworks.get field.
B.
Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP
addresses from the connection field.
C.
Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses
from the src_location field.
D.
Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP
addresses from the networks.get field.
Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP
addresses from the connection field.
You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and
on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to
restrict VPN tunnels created in the project to only connect to your on-premises VPN public
IP address: 203.0.113.1/32. What should you do?
A.
Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to
VPN_GATEWAY_1.
B.
Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to
use an allowList consisting of only the 203.0.113.1/32 address.
C.
Configure a Google Cloud Armor security policy, and create a policy rule to allow
203.0.113.1/32.
D.
Configure an access control list on the peer VPN gateway to deny all traffic except
203.0.113.1/32, and attach it to the primary external interface.
Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to
use an allowList consisting of only the 203.0.113.1/32 address.
You have a storage bucket that contains the following objects:
- folder-a/image-a-1.jpg
- folder-a/image-a-2.jpg
- folder-b/image-b-1.jpg
- folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?
A.
Add an appropriate lifecycle rule on the storage bucket.
B.
Issue a cache invalidation command with pattern /folder-a/*.
C.
Make sure that all the objects with prefix folder-a are not shared publicly.
D.
Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on
the storage bucket.
Issue a cache invalidation command with pattern /folder-a/*.
You want to implement an IPSec tunnel between your on-premises network and a VPC via
Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and
you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?
A.
Dynamic routing using Cloud Router
B.
Route-based routing using default traffic selectors
C.
Policy-based routing using a custom local traffic selector
D.
Policy-based routing using the default local traffic selector
Policy-based routing using a custom local traffic selector
You need to create a GKE cluster in an existing VPC that is accessible from on-premises.
You must meet the following requirements:
- IP ranges for pods and services must be as small as possible.
- The nodes and the master must not be reachable from the internet.
- You must be able to use kubectl commands from on-premises subnets to manage the cluster.
How should you create the GKE cluster?
A.
• Create a private cluster that uses VPC advanced routes.
• Set the pod and service ranges as /24.
• Set up a network proxy to access the master.
B.
• Create a VPC-native GKE cluster using GKE-managed IP ranges.
• Set the pod IP range as /21 and service IP range as /24.
• Set up a network proxy to access the master.
C.
• Create a VPC-native GKE cluster using user-managed IP ranges.
• Enable a GKE cluster network policy, set the pod and service ranges as /24.
• Set up a network proxy to access the master.
• Enable master authorized networks.
D.
• Create a VPC-native GKE cluster using user-managed IP ranges.
• Enable privateEndpoint on the cluster master.
• Set the pod and service ranges as /24.
• Set up a network proxy to access the master.
• Enable master authorized networks.
• Create a VPC-native GKE cluster using user-managed IP ranges.
• Enable privateEndpoint on the cluster master.
• Set the pod and service ranges as /24.
• Set up a network proxy to access the master.
• Enable master authorized networks.
Explanation: Creating GKE private clusters with network proxies for controller access. When you create a
GKE private cluster with a private cluster controller endpoint, the cluster's controller node is
inaccessible from the public internet, but it still needs to be accessible for administration. By
default, clusters can access the controller through its private endpoint, and authorized
networks can be defined within the VPC network. Accessing the controller from on-premises
or from another VPC network, however, requires additional steps. This is because the
VPC network that hosts the controller is owned by Google and cannot be reached from
resources connected through another VPC Network Peering connection, Cloud VPN or
Cloud Interconnect. https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies
You have configured a service on Google Cloud that connects to an on-premises service
via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to
determine whether the traffic is being dropped because of firewall rules or a routing
decision. What should you do?
A.
Use the Network Intelligence Center Connectivity Tests to test the connectivity between
the VPC and the on-premises network.
B.
Use Network Intelligence Center Network Topology to check the traffic flow, and replay
the traffic from the time period when the connectivity issue occurred
C.
Configure VPC Flow Logs. Review the logs by filtering on the source and destination.
D.
Configure a Compute Engine instance on the same VPC as the service running on
Google Cloud to run a traceroute targeted at the on-premises service.
Use Network Intelligence Center Network Topology to check the traffic flow, and replay
the traffic from the time period when the connectivity issue occurred
You built a web application with several containerized microservices. You want to run those
microservices on Cloud Run. You must also ensure that the services are highly available to
your customers with low latency. What should you do?
A.
Deploy the Cloud Run services to multiple availability zones. Create a global TCP load
balancer. Add the Cloud Run endpoints to its backend service.
B.
Deploy the Cloud Run services to multiple regions. Create serverless network endpoint
groups (NEGs) that point to the services. Create a global HTTPS load balancer, and attach
the serverless NEGs as backend services of the load balancer.
C.
Deploy the Cloud Run services to multiple availability zones. Create Cloud Endpoints
that point to the services. Create a global HTTPS load balancer, and attach the Cloud
Endpoints to its backend.
D.
Deploy the Cloud Run services to multiple regions. Configure a round-robin A record in
Cloud DNS.
Deploy the Cloud Run services to multiple regions. Create serverless network endpoint
groups (NEGs) that point to the services. Create a global HTTPS load balancer, and attach
the serverless NEGs as backend services of the load balancer.
You converted an auto mode VPC network to custom mode. Since the conversion, some of
your Cloud Deployment Manager templates are no longer working. You want to resolve the problem.
What should you do?
A.
Apply an additional IAM role to the Google API’s service account to allow custom mode
networks.
B.
Update the VPC firewall to allow the Cloud Deployment Manager to access the custom
mode networks.
C.
Explicitly reference the custom mode networks in the Cloud Armor whitelist.
D.
Explicitly reference the custom mode networks in the Deployment Manager templates
Explicitly reference the custom mode networks in the Deployment Manager templates