Professional-Cloud-Network-Engineer Practice Test Questions

153 Questions


You are configuring a new application that will be exposed behind an external load
balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443.
You will have backends in two regions: us-west1 and us-east1. You want to serve the
content with the lowest possible latency while ensuring high availability and autoscaling.
Which configuration should you use?


A.

Use global SSL Proxy Load Balancing with backends in both regions.


B.

Use global TCP Proxy Load Balancing with backends in both regions.


C.

Use global external HTTP(S) Load Balancing with backends in both regions.


D.

Use Network Load Balancing in both regions, and use DNS-based load balancing to
direct traffic to the closest region.





D.
  

Use Network Load Balancing in both regions, and use DNS-based load balancing to
direct traffic to the closest region.



In your Google Cloud organization, you have two folders: Dev and Prod. You want a
scalable and consistent way to enforce the following firewall rules for all virtual machines
(VMs) with minimal cost:
Port 8080 should always be open for VMs in the projects in the Dev folder.
Any traffic to port 8080 should be denied for all VMs in your projects in the Prod folder.
What should you do?


A.

Create and associate a firewall policy with the Dev folder with a rule to open port 8080.
Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.


B.

Create a Shared VPC for the Dev projects and a Shared VPC for the Prod projects.
Create a VPC firewall rule to open port 8080 in the Shared VPC for Dev. Create a firewall
rule to deny traffic to port 8080 in the Shared VPC for Prod. Deploy VMs to those Shared
VPCs.


C.

In all VPCs for the Dev projects, create a VPC firewall rule to open port 8080. In all
VPCs for the Prod projects, create a VPC firewall rule to deny traffic to port 8080.


D.

Use Anthos Config Connector to enforce a security policy to open port 8080 on the Dev
VMs and deny traffic to port 8080 on the Prod VMs.





A.
  

Create and associate a firewall policy with the Dev folder with a rule to open port 8080.
Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.



You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket,
and both objects have been successfully cached. Now you want to make sure that one of
the two objects will not be cached anymore, and will always be served to the internet
directly from the origin.
What should you do?


A.

Ensure that the object you don’t want to be cached anymore is not shared publicly.


B.

Create a new storage bucket, and move the object you don’t want to be cached
anymore inside it. Then edit the bucket setting and enable the private attribute.


C.

Add an appropriate lifecycle rule on the storage bucket containing the two objects.


D.

Add a Cache-Control entry with value private to the metadata of the object you don’t
want to be cached anymore. Invalidate all the previously cached copies.





D.
  

Add a Cache-Control entry with value private to the metadata of the object you don’t
want to be cached anymore. Invalidate all the previously cached copies.



Your company offers a popular gaming service. Your instances are deployed with private
IP addresses, and external access is granted through a global load balancer. You believe
you have identified a potential malicious actor, but aren't certain you have the correct client
IP address. You want to identify this actor while minimizing disruption to your legitimate
users.
What should you do?


A.

Create a Cloud Armor Policy rule that denies traffic and review necessary logs.


B.

Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review
necessary logs.


C.

Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to
disabled, and review necessary logs.


D.

Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to
enabled, and review necessary logs.





B.
  

Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review
necessary logs.



You need to define an address plan for a future new Google Kubernetes Engine (GKE)
cluster in your Virtual Private Cloud (VPC). This will be a VPC-native cluster, and the
default Pod IP range allocation will be used. You must pre-provision all the needed VPC
subnets and their respective IP address ranges before cluster creation. The cluster will
initially have a single node, but it will be scaled to a maximum of three nodes if necessary.
You want to allocate the minimum number of Pod IP addresses. Which subnet mask
should you use for the Pod IP address range?


A.

/21


B.

/22


C.

/23


D.

/25





A.
  

/21



You have an HA VPN connection with two tunnels running in active/passive mode between
your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has
recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets
are being dropped. You need to configure your VPN connection to Google Cloud to support
4 Gbps. What should you do?


A.

Configure the remote autonomous system number (ASN) to 4096.


B.

Configure a second Cloud Router to scale bandwidth in and out of the VPC.


C.

Configure the maximum transmission unit (MTU) to its highest supported value.


D.

Configure a second set of active/passive VPN tunnels.





D.
  

Configure a second set of active/passive VPN tunnels.



You are designing the network architecture for your organization. Your organization has
three developer teams: Web, App, and Database. All of the developer teams require
access to Compute Engine instances to perform their critical tasks. You are part of a small
network and security team that needs to provide network access to the developers. You
need to maintain centralized control over network resources, including subnets, routes, and
firewalls. You want to minimize operational overhead. How should you design this
topology?


A.

Configure a host project with a Shared VPC. Create service projects for Web, App, and
Database.


B.

Configure one VPC for Web, one VPC for App, and one VPC for Database. Configure
HA VPN between each VPC.


C.

Configure three Shared VPC host projects, each with a service project: one for Web,
one for App, and one for Database.


D.

Configure one VPC for Web, one VPC for App, and one VPC for Database. Use VPC
Network Peering to connect all VPCs in a full mesh.





C.
  

Configure three Shared VPC host projects, each with a service project: one for Web,
one for App, and one for Database.



You have provisioned a Partner Interconnect connection to extend connectivity from your
on-premises data center to Google Cloud. You need to configure a Cloud Router and
create a VLAN attachment to connect to resources inside your VPC. You need to configure
an autonomous system number (ASN) to use with the associated Cloud Router and create
the VLAN attachment.
What should you do?


A.

Use a 4-byte private ASN 4200000000-4294967294.


B.

Use a 2-byte private ASN 64512-65535.


C.

Use a public Google ASN 15169.


D.

Use a public Google ASN 16550.





B.
  

Use a 2-byte private ASN 64512-65535.



You have provisioned a Dedicated Interconnect connection of 20 Gbps with a VLAN
attachment of 10 Gbps. You recently noticed a steady increase in ingress traffic on the
Interconnect connection from the on-premises data center. You need to ensure that your
end users can achieve the full 20 Gbps throughput as quickly as possible. Which two
methods can you use to accomplish this? (Choose two.)


A.

Configure an additional VLAN attachment of 10 Gbps in another region. Configure the
on-premises router to advertise routes with the same multi-exit discriminator (MED).


B.

Configure an additional VLAN attachment of 10 Gbps in the same region. Configure the
on-premises router to advertise routes with the same multi-exit discriminator (MED).


C.

From the Google Cloud Console, modify the bandwidth of the VLAN attachment to 20
Gbps.


D.

From the Google Cloud Console, request a new Dedicated Interconnect connection of
20 Gbps, and configure a VLAN attachment of 10 Gbps.


E.

Configure Link Aggregation Control Protocol (LACP) on the on-premises router to use
the 20-Gbps Dedicated Interconnect connection.





C.
  

From the Google Cloud Console, modify the bandwidth of the VLAN attachment to 20
Gbps.



E.
  

Configure Link Aggregation Control Protocol (LACP) on the on-premises router to use
the 20-Gbps Dedicated Interconnect connection.



You are deploying a global external TCP load balancing solution and want to preserve the
source IP address of the original layer 3 payload.
Which type of load balancer should you use?


A.

HTTP(S) load balancer


B.

Network load balancer


C.

Internal load balancer


D.

TCP/SSL proxy load balancer





D.
  

TCP/SSL proxy load balancer



By default, the TCP/SSL proxy load balancer does not preserve the original client IP
address and port information, but they can be preserved using the PROXY protocol:
https://cloud.google.com/load-balancing/docs/tcp#target-proxies
https://medium.com/google-cloud/preserving-client-ips-through-google-clouds-global-tcp-and-ssl-proxy-load-balancers-3697d76feeb1
Reference: https://cloud.google.com/load-balancing/docs/network

You are configuring your Google Cloud environment to connect to your on-premises
network. Your configuration must be able to reach Cloud Storage APIs and your Google
Kubernetes Engine nodes across your private Cloud Interconnect network. You have
already configured a Cloud Router with your Interconnect VLAN attachments. You now
need to set up the appropriate router advertisement configuration on the Cloud Router.
What should you do?


A.

Configure the route advertisement to the default setting.


B.

On the on-premises router, configure a static route for the storage API virtual IP address
which points to the Cloud Router's link-local IP address.


C.

Configure the route advertisement to the custom setting, and manually add prefix
199.36.153.8/30 to the list of advertisements. Leave all other options as their default
settings.


D.

Configure the route advertisement to the custom setting, and manually add prefix
199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud
Router.





C.
  

Configure the route advertisement to the custom setting, and manually add prefix
199.36.153.8/30 to the list of advertisements. Leave all other options as their default
settings.



You created a VPC network named Retail in auto mode. You want to create a VPC network
named Distribution and peer it with the Retail VPC. How should you configure the
Distribution VPC?


A.

Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.


B.

Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the
necessary subnets, and then peer them via network peering.


C.

Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create
the necessary subnets, and then peer them via network peering.


D.

Rename the default VPC as "Distribution" and peer it via network peering.





B.
  

Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the
necessary subnets, and then peer them via network peering.



