Your organization has a single project that contains multiple Virtual Private Clouds (VPCs).
You need to secure API access to your Cloud Storage buckets and BigQuery datasets by
allowing API access only from resources in your corporate public networks. What should
you do?
A. Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.
B. Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
C. Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.
D. Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.
Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
You need to configure a static route to an on-premises resource behind a Cloud VPN
gateway that is configured for policy-based routing using the gcloud command.
Which next hop should you choose?
A. The default internet gateway
B. The IP address of the Cloud VPN gateway
C. The name and region of the Cloud VPN tunnel
D. The IP address of the instance on the remote side of the VPN tunnel
The name and region of the Cloud VPN tunnel
When you create a route-based tunnel using the Cloud Console, Classic VPN performs both of the following tasks: it sets the tunnel's local and remote traffic selectors to any IP address (0.0.0.0/0), and for each range in Remote network IP ranges, Google Cloud creates a custom static route whose destination (prefix) is the range's CIDR and whose next hop is the tunnel.
https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns
Reference: https://cloud.google.com/vpn/docs/how-to/creating-static-vpns
You are the Organization Admin for your company. One of your engineers is responsible
for setting up multiple host projects across multiple folders and sharing subnets with
service projects. You need to enable the engineer's Identity and Access Management
(IAM) configuration to complete their task in the fewest number of steps. What should you
do?
A. Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.
B. Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.
C. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.
D. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.
Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.
You need to centralize the Identity and Access Management permissions and email
distribution for the WebServices Team as efficiently as possible.
What should you do?
A. Create a Google Group for the WebServices Team.
B. Create a G Suite Domain for the WebServices Team.
C. Create a new Cloud Identity Domain for the WebServices Team.
D. Create a new Custom Role for all members of the WebServices Team.
Create a Google Group for the WebServices Team.
You recently deployed two network virtual appliances in us-central1. Your network
appliances provide connectivity to your on-premises network, 10.0.0.0/8. You need to
configure the routing for your Virtual Private Cloud (VPC). Your design must meet the
following requirements:
All access to your on-premises network must go through the network virtual appliances.
Allow on-premises access in the event of a single network virtual appliance failure.
Both network virtual appliances must be used simultaneously.
Which method should you use to accomplish this?
A. Configure two routes for 10.0.0.0/8 with different priorities, each pointing to separate network virtual appliances.
B. Configure an internal HTTP(S) load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal HTTP(S) load balancer as the next hop.
C. Configure a network load balancer for the two network virtual appliances. Configure a route for 10.0.0.0/8 with the network load balancer as the next hop.
D. Configure an internal TCP/UDP load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal load balancer as the next hop.
Configure an internal HTTP(S) load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal HTTP(S) load balancer as the next hop.
Your company is working with a partner to provide a solution for a customer. Both your
company and the partner organization are using GCP. There are applications in the
partner's network that need access to some resources in your company's VPC. There is no
CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without
compromising the security? (Choose two.)
A. VPC peering
B. Shared VPC
C. Cloud VPN
D. Dedicated Interconnect
E. Cloud NAT
VPC peering
Cloud VPN
Google Cloud VPC Network Peering allows internal IP address connectivity across two
Virtual Private Cloud (VPC) networks regardless of whether they belong to the same
project or the same organization.
You create multiple Compute Engine virtual machine instances to be used as TFTP
servers. Which type of load balancer should you use?
A. HTTP(S) load balancer
B. SSL proxy load balancer
C. TCP proxy load balancer
D. Network load balancer
Network load balancer
"TFTP is a UDP-based protocol. Servers listen on port 69 for the initial client-to-server packet to establish the TFTP session, then use a port above 1023 for all further packets during that session. Clients use ports above 1023."
https://docstore.mik.ua/orelly/networking_2ndEd/fire/ch17_02.htm
Besides, Google Cloud external TCP/UDP Network Load Balancing (after this referred to as Network Load Balancing) is a regional, non-proxied load balancer. Network Load Balancing distributes traffic among virtual machine (VM) instances in the same region in a Virtual Private Cloud (VPC) netw
You are creating a new application and require access to Cloud SQL from VPC instances
without public IP addresses.
Which two actions should you take? (Choose two.)
A. Activate the Service Networking API in your project
B. Activate the Cloud Datastore API in your project
C. Create a private connection to a service producer
D. Create a custom static route to allow the traffic to reach the Cloud SQL API.
E. Enable Private Google Access
Create a private connection to a service producer
Enable Private Google Access
C: If you are using private IP for any of your Cloud SQL instances, you only need to configure private services access one time for every Google Cloud project that has or needs to connect to a Cloud SQL instance. If your Google Cloud project has a Cloud SQL instance, you can either configure it yourself or let Cloud SQL do it for you to use private IP. Cloud SQL configures private services access for you when all the conditions below are true:
https://cloud.google.com/sql/docs/postgres/configure-private-services-access#before_you_begin
E: You can enable Private Google Access on a subnet level, and any VMs on that subnet can access Google APIs by using their internal IP address.
https://cloud.google.com/vpc/docs/configure-private-google-access
You recently deployed your application in Google Cloud. You need to verify your Google
Cloud network configuration before deploying your on-premises workloads. You want to
confirm that your Google Cloud network configuration allows traffic to flow from your cloud
resources to your on-premises network. This validation should also analyze and diagnose
potential failure points in your Google Cloud network configurations without sending any
data plane test traffic. What should you do?
A. Use Network Intelligence Center's Connectivity Tests.
B. Enable Packet Mirroring on your application and send test traffic
C. Use Network Intelligence Center's Network Topology visualizations
D. Enable VPC Flow Logs and send test traffic
Use Network Intelligence Center's Network Topology visualizations
You have enabled HTTP(S) load balancing for your application, and your application
developers have reported that HTTP(S) requests are not being distributed correctly to your
Compute Engine Virtual Machine instances. You want to find data about how the requests
are being distributed. Which two methods can accomplish this? (Choose two.)
A. On the Load Balancer details page of the GCP Console, click on the Monitoring tab, select your backend service, and look at the graphs.
B. In Stackdriver Error Reporting, look for any unacknowledged errors for the Cloud Load Balancers service.
C. In Stackdriver Monitoring, select Resources > Metrics Explorer and search for the https/request_bytes_count metric.
D. In Stackdriver Monitoring, select Resources > Google Cloud Load Balancers and review the Key Metrics graphs in the dashboard.
E. In Stackdriver Monitoring, create a new dashboard and track the https/backend_request_count metric for the load balancer.
On the Load Balancer details page of the GCP Console, click on the Monitoring tab, select your backend service, and look at the graphs.
In Stackdriver Monitoring, create a new dashboard and track the https/backend_request_count metric for the load balancer.
You just finished your company’s migration to Google Cloud and configured an architecture
with 3 Virtual Private Cloud (VPC) networks: one for Sales, one for Finance, and one for
Engineering. Every VPC contains over 100 Compute Engine instances, and now
developers using instances in the Sales VPC and the Finance VPC require private
connectivity between each other. You need to allow communication between Sales and
Finance without compromising performance or security. What should you do?
A. Configure an HA VPN gateway between the Finance VPC and the Sales VPC.
B. Configure the instances that require communication between each other with an external IP address.
C. Create a VPC Network Peering connection between the Finance VPC and the Sales VPC.
D. Configure Cloud NAT and a Cloud Router in the Sales and Finance VPCs.
Create a VPC Network Peering connection between the Finance VPC and the Sales VPC.
You are using the gcloud command line tool to create a new custom role in a project by
copying a predefined role. You receive this error message:
INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid
What should you do?
A. Add the resourcemanager.projects.get permission, and try again
B. Try again with a different role with a new name but the same permissions
C. Remove the resourcemanager.projects.list permission, and try again.
D. Add the resourcemanager.projects.setIamPolicy permission, and try again
Remove the resourcemanager.projects.list permission, and try again.