Professional Cloud Network Engineer - Google Cloud Certified Exam Questions

Best choice: III.
Introduce a higher‑priority static route for 0.0.0.0/0 that points to the default internet gateway, scoped to the instances via a network tag. Ensure its priority is higher (i.e. a lower numeric value) than the existing VPN‑next‑hop route.

Why III is correct

• Cloud NAT only applies to traffic routed via the internet gateway.
  Public Cloud NAT gateways require a local static route to the default internet gateway (nextHopGateway: DEFAULT_INTERNET_GATEWAY). If your only 0.0.0.0/0 route points to the VPN tunnel, NAT is never invoked Google Cloud.

• Override the VPN route selectively.
  By creating a second 0.0.0.0/0 route with a higher priority (lower number) and tagging it for just those Compute Engine instances, you force their egress to go out the internet gateway instead of the VPN. Cloud NAT then picks it up and translates the source IPs as intended Google Cloud.

Why the other options aren’t sufficient

• I. Adjust the TCP Established Connection Idle Timeout.
  Idle timeouts only affect how long a NAT mapping stays open; they do not change whether Cloud NAT is used in the first place.

• II. Implement firewall rules for the NAT IP and assign tags.
  Firewall rules control packet filtering, not routing. Even with correct firewall rules, if traffic never reaches the internet gateway (and thus Cloud NAT), no translation occurs.

• IV. Increase the default min‑ports‑per‑vm for the NAT gateway.
  Port exhaustion settings only matter if NAT is already in use and running out of ports. In this case, NAT isn’t applied at all due to the VPN route.

Correct command: III

Run

gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE

--zone-file-format tells the import tool that the input is a BIND-style zone file; without it, Cloud DNS assumes YAML and the import fails. cloud.google.com | cloud.google.com

Why the other commands aren’t suitable

• I – Omits --zone-file-format, so Cloud DNS tries to parse the BIND file as YAML and returns an error.

• II – Still missing --zone-file-format; --replace-origin-ns is only for the rare case where you intentionally overwrite Cloud DNS’s default NS records. Without the format flag the import will fail first. cloud.google.com

• IV – Uses --delete-all-existing (wipes every current record) but, again, no --zone-file-format. This is both destructive and incorrectly formatted for a BIND import unless you explicitly need to replace the SOA/NS records. cloud.google.com

The two valid ways to provision a health check for an HTTP(S) load balancer backend are:

A. Use the gcloud CLI to create a new health check
You can run, for example:

gcloud compute health‑checks create http http-basic-check \
 --port 80

This command creates a global HTTP health check that you then attach to your backend service. Google Cloud

C. During the backend‑service configuration in the Cloud Console, create or select a health check
When you’re in Network Services Load balancing and you add (or edit) a backend service, the UI lets you Create a new health check inline or pick an existing one from your project. Google Cloud

Why the others don’t apply

• B. Go to the VPC Network section and create a health check there
  Health checks live under Network Services Health checks, not in the VPC Network menu.

• D. Use gcloud to create a legacy health check
  Legacy health checks are only for target‑pool‑based Network LBs, not for modern HTTP(S) backend services.

• E. Create a legacy health check in the Console’s Health checks page
  The Console won’t let you create a legacy health check standalone—legacy checks can only be auto‑created when you provision a target‑pool Network LB.

Only directly peered VPCs can communicate. VPC Network Peering does not support transitive routing—so in your hub–spoke example:

Spoke 1 ←→ Hub ←→ Spoke 2

Spoke 2 cannot reach Spoke 1 (or its control plane) via the hub peering alone Google Cloud. The only way to bridge that gap is to introduce a proxy in the GKE‑cluster spoke that both authorized networks and peering can reach:

Answer: D
Deploy a proxy (for example, a small HTTP(S) reverse‑proxy or TCP proxy) in the spoke project that hosts the private GKE cluster. Allow traffic from your other spoke projects to that proxy (via their peering), and have the proxy forward requests to the cluster’s private endpoint.

Why D is the only way

• Non‑transitive peering
  Even though Hub is peered with both Spoke 1 (the cluster) and Spoke 2 (the clients), those spokes cannot talk to each other directly. Google Cloud peering explicitly blocks transit across two peerings Google Cloud.

• Master Authorized Networks
  You can only whitelist the proxy’s subnet in your cluster’s Master Authorized Networks—Spoke 2’s range would still not be allowed unless routed through the proxy’s network.

• Zero additional VPCs or tunnels
  You avoid spinning up new VPNs or Shared VPCs: the proxy lives in the existing spoke and simply bridges the peering gap.

Why the other options fail

• A. Firewall rule allowing port 443
  You cannot open a firewall on the GKE control plane; it enforces access via Master Authorized Networks only.

• B. Private Google Access
  This feature only affects how compute VMs reach Google APIs, not how peered VPCs reach a GKE control plane.

• C. Adjust authorized networks for Spoke 2’s CIDR
  Even if you add Spoke 2’s range, the control plane’s private endpoint is unreachable across two peerings—there’s no path for that traffic.

Select B and C

B. Configure DNS forwarding and zone transfers between the DNS environments in both organizations

• Keep using each org’s existing DNS servers, and set up conditional forwarders so that queries for Org A’s zones are sent to Org A’s DNS and vice versa.

• Enable zone transfers (AXFR/IXFR) between the primary and secondary servers in each org so that hostname records stay in sync automatically—no manual A-record copy.

• Zone transfers are the standard DNS protocol mechanism for replicating an entire zone between servers. cloud.google.com

C. Use Cloud VPN in combination with Cloud Router to create dynamic, secure connectivity between VPC networks across both organizations

• Establish a site-to-site VPN tunnel between the two organizations’ VPCs.

• Attach a Cloud Router to the VPN gateway and enable dynamic (BGP) routing, so any new subnets or routes you add automatically propagate—no tunnel-recreation or static-route churn.

• Google’s best practices call for dynamic routing with Cloud Router to minimize operational overhead and downtime as networks grow. cloud.google.com | medium.com

Why the other options aren’t ideal

• A. Deploy a Cloud Interconnect
  Extremely high throughput and low latency, but much longer lead time, higher fixed cost, and greater operational complexity compared to VPN.

• D. Manually create A records in Cloud DNS
  Tedious to maintain, error-prone, and doesn’t scale—every time a VM’s IP changes or you spin up new services, you’d need to update records by hand.

• E. New GCP org + central Shared VPC
  Migrating all projects into a brand-new organization and reconfiguring Shared VPC is a major overhaul, not “minimal downtime” or “low complexity.”

The most suitable action for this scenario is:

A. Create 2 VPCs within a Shared VPC Host Project. Configure a 2-NIC instance in zone us-west1-a in the Host Project. Attach NIC0 to VPC #1's us-west1 subnet in the Host Project. Attach NIC1 to VPC #2's us-west1 subnet in the Host Project. Deploy the instance. Set up the necessary routes and firewall rules for traffic passage through the instance.

Explanation:

This approach best addresses the requirements of the multinational corporation:

1. Shared VPC Host Project: The use of a Shared VPC Host Project allows for centralized network administration, which is a key requirement. This structure enables a single team to manage network resources across multiple VPCs (representing different environments or regions).

2. Two VPCs for Separation: Creating two VPCs within the Shared VPC Host Project provides the necessary separation of environments. One VPC can be dedicated to the primary HQ region (us-west1), while the other can serve the backup region (us-east4). This segregation aligns with the company's existing infrastructure.

3. Two-NIC Instance in Host Project: Placing the two-NIC instance within the Host Project ensures that it can control traffic flow between the two VPCs. Each NIC connects to a subnet in a different VPC, allowing the instance to act as a gateway or a virtual appliance.

4. Virtual Inline Security Appliance: This configuration perfectly supports the deployment of a virtual inline security appliance for L7 inspection and URL filtering. The two-NIC instance can function as this appliance, inspecting traffic passing between the VPCs.

Why Other Options Are Incorrect:

• B. Establish 2 VPCs within a Shared VPC Host Project...in the Service Project: Deploying the instance in a Service Project would not provide the same level of control and visibility for the centralized network administration team. The Host Project is designed for managing shared network resources.

• C. Form 1 VPC within a Shared VPC Host Project: A single VPC wouldn't provide the necessary separation between the primary and backup regions (us-west1 and us-east4).

• D. Establish 1 VPC within a Shared VPC Service Project: This option doesn't leverage the Shared VPC model's benefits, such as centralized administration and resource sharing across projects.

Relevant Documentation:

• Shared VPC Overview: https://cloud.google.com/vpc/docs/shared-vpc

• Dedicated Interconnect: https://cloud.google.com/network-connectivity/docs/interconnect/concepts/dedicated-overview

• Virtual Private Cloud (VPC): https://cloud.google.com/vpc/docs/vpc

  
  

Correct Answer: II. Implement Private Google Access for on‑premises hosts, utilizing restricted.googleapis.com virtual IP addresses.

Why II is the right choice

• Private Google Access for hybrid connectivity
  Google’s Private Google Access feature can be extended to on‑premises resources over Cloud Interconnect or VPN. By directing all API calls to restricted.googleapis.com (199.36.153.4/30 and its IPv6 equivalent), you ensure that only the subset of Google APIs and services covered by VPC Service Controls are reachable—and you keep traffic on Google’s network under the Cloud Interconnect SLA (99.99%). Google Cloud

• Enforced via VPC Service Controls
  The restricted.googleapis.com domain blocks any APIs not supported by VPC Service Controls, providing an additional layer of data‑exfiltration protection while still leveraging your high‑throughput, SLA‑backed Interconnect. Google Cloud

Why the other options don’t fit

• I. Advertise public virtual IP addresses of Google APIs via Cloud Router
  Advertising Google’s public VIPs (e.g. 199.36.153.8/30 for private.googleapis.com or 199.36.153.4/30 for restricted.googleapis.com) as custom routes can let on‑premises resources reach those addresses, but it doesn’t enforce VPC Service Controls. You’d accidentally allow all Google public APIs—including those not under VPC SC—to traverse your Interconnect, defeating the policy requirement.

• III. Advertise a default route and use Cloud NAT
  Sending a 0.0.0.0/0 route over Interconnect and then NAT’ing on‑premises traffic out via Cloud NAT simply moves egress to the public internet. It provides no guarantee that traffic stays within Google’s private network or stays under the VPC SC umbrella, nor does it carry an SLA for API connectivity.

• IV. Add Direct Peering links for public VIPs
  Direct Peering (public peering) connects your on‑premises router to Google’s edge but is not covered by a connectivity SLA, and it likewise provides access to all public Google APIs—both VPC SC‑protected and unprotected—so it fails the “only supported by VPC Service Controls” requirement.

Best single answer: D

Enable global dynamic routing. Configure the Cloud Router in us-east1 with a base advertised-route priority of 1000, and the Cloud Router in us-west1 with a base priority of 1.

Why this meets the requirement

• Global dynamic routing is required so that each Cloud Router advertises all VPC subnets (both its local region’s and the other region’s) to your on-premises routers. In regional mode, a router only advertises the subnets in its own region, which would prevent the us-west1 router from “offering” east-region subnets over the primary link. cloud.google.com

• When in global mode, Cloud Router uses your configured base priority as the BGP MED for local subnets (those in the same region) and uses base + inter-region cost for remote subnets (those in the other region). Region-to-region costs are generated by Google and range from 201 – 9 999, inclusive. cloud.google.com

• By setting:

  • us-west1 Cloud Router to 1

  • us-east1 Cloud Router to 1000

  you ensure that for every VPC subnet prefix (whether it lives in us-west1 or us-east1), the advertisement from the west router has the lowest MED:

  • West→West subnet: MED = 1

  • East→West subnet (remote): MED = 1 + cost ≥ 202

  • East→East subnet: MED = 1000

  • West→East subnet (remote): MED = 1 + cost ≥ 202

  In all cases, 1 (west router) < 202 and < 1000, so on-premises routers send all ingress traffic over the us-west1 link. If that link fails, its BGP session tears down and the only remaining advertisements are from the east router (MED 1000+cost), so traffic automatically fails over to the us-east1 Interconnect.

Why the other options don’t work

• A & C (Regional routing).
  In regional mode, each Cloud Router advertises only its own region’s subnets. You’d never learn east-region subnets over the us-west1 link, so traffic to those VMs could only arrive via us-east1.

• B (Global routing + east priority 100).
  With east = 100 (< 201), the east router advertises east-region subnets with MED = 100, which is lower than the west router’s MED for those same prefixes (1 + cost ≥ 202). As a result, east-region traffic would still arrive over the us-east1 link—failing the “all ingress via us-west1” goal.

Key references

• Subnet advertisements in global vs. regional mode: cloud.google.com

• Base advertised-route priority and inter-region cost details: cloud.google.com

Best choice — B. Access Cloud Storage through a Private Service Connect (PSC) endpoint and keep every other Google API on its default public endpoint.

Why this meets the new policy

• Cloud Storage traffic stays on the private path.
  A PSC endpoint for Google APIs is an internal IP inside your VPC. When you create one that targets storage.googleapis.com, packets from your on-prem hosts travel over the Cloud Interconnect into the VPC and terminate on that internal IP; Google then forwards them to Cloud Storage entirely within Google’s backbone. No public internet is involved.

• All other Google APIs keep using the public internet.
  Because you create the PSC endpoint only for Cloud Storage, calls to services such as BigQuery, Cloud Logging, or Google Maps continue to resolve to their public DNS names and exit through your normal NAT / ISP path. Nothing in option B forces those services onto the Interconnect.

• Simple, service-specific control.
  PSC lets you isolate just the service you care about without global DNS overrides or mixed VIPs. A single internal DNS A-record (for example, gcs.private.company) or a Cloud DNS stub zone that maps storage.googleapis.com to the PSC IP is enough to direct only Cloud Storage requests onto the private link.

Why the other options fall short

• A — default public endpoints everywhere
  Cloud Storage traffic would still leave through the internet path, violating the “private-only for Cloud Storage” requirement.

• C & D — Private Google Access (private.googleapis.com or restricted.googleapis.com)
  Both special VIPs (199.36.153.8/30 and 199.36.153.4/30) cover all Google APIs that match their domain. Using them would force not only Cloud Storage but also every other Google API onto the Interconnect, which the policy explicitly rejects.

• C additionally maps Cloud Storage to restricted.googleapis.com, which is limited to VPC Service Controls-compatible APIs and could break workloads that need non-restricted Cloud Storage features.

• D still sends “other Google APIs” to restricted.googleapis.com, so they would also traverse the Interconnect (and many APIs wouldn’t work because they aren’t on the restricted list).

Reference:

https://cloud.google.com/vpc/docs/private-service-connect#google-apis

Answer: A

1. Update the Private Services Access peering for Cloud SQL to export the reserved IP range.

2. Configure your Cloud Router to advertise that custom IP range to your on‑premises network.

Why A is correct

• Export the Cloud SQL private IP prefix
  By default, the VPC peering that Private Services Access uses for Cloud SQL does not share its allocated (non‑RFC 1918) IP range with your on‑prem network. You must update the peering to export custom routes so that on‑prem routers learn the Cloud SQL private IPs. For example:

  gcloud compute networks peerings update servicenetworking-googleapis-com \
   --network=YOUR_VPC \
   --export-custom-routes-with-public-ip

  This change ensures that your on‑premises routers see the Cloud SQL private IP range Google Cloud.

• Advertise via Cloud Router
  Even after exporting the peered subnet routes, Cloud Router won’t advertise the Cloud SQL range over your Interconnect/VPN unless you explicitly configure a custom route advertisement. You do this by editing your router:

  gcloud compute routers update router-1 \
   --region=us-west1 \
   --advertisement-mode=custom \
   --custom-advertisement-routes=10.10.0.0/28

  (Replace 10.10.0.0/28 with your actual reserved Cloud SQL CIDR.) This pushes the prefix over BGP to your on‑prem peers, enabling seamless connectivity Google Cloud.

Why the other options aren’t as good

• B. Switch routing mode to global
  Global vs. regional dynamic routing affects VPC‑to‑VPC route propagation within Google Cloud, not what your on‑prem network learns. It does not influence your ability to advertise private‑services IPs over Interconnect/VPN.

• C. Add another Cloud Router in us‑west2
  Introducing a second router in another region is unnecessary when your SQL instance and Interconnect both live in us‑west1. It also doesn’t address the missing peering export or custom advertisement.

• D. Change routing mode + enable peering export
  Again, routing mode isn’t relevant here. The core requirements are (1) exporting the peered Cloud SQL range and (2) advertising it via Cloud Router—not switching dynamic routing modes.