Title of test:
gcpCNE001

Description:
gcp cloud network eng

Author:
AVATAR

Creation Date:
18/09/2023

Category:
Others

Number of questions: 51
Content:
Your company's Google Cloud-deployed streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud Storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure:
/fr/video
/en/video
/es/video
/../video
/fr/audio
/en/audio
/es/audio
/../audio
Which solution should you recommend?
- Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/audio.
- Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.
- Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.
- Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.
You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy. Which GKE resource should you use?
- GKE Node
- GKE Cluster
- GKE Ingress
- GKE Pod
You have provisioned a Dedicated Interconnect connection of 20 Gbps with a VLAN attachment of 10 Gbps. You recently noticed a steady increase in ingress traffic on the Interconnect connection from the on-premises data center. You need to ensure that your end users can achieve the full 20 Gbps throughput as quickly as possible. Which two methods can you use to accomplish this? (Choose two.)
- Configure an additional VLAN attachment of 10 Gbps in the same region. Configure the on-premises router to advertise routes with the same multi-exit discriminator (MED).
- Configure an additional VLAN attachment of 10 Gbps in another region. Configure the on-premises router to advertise routes with the same multi-exit discriminator (MED).
- Configure Link Aggregation Control Protocol (LACP) on the on-premises router to use the 20-Gbps Dedicated Interconnect connection.
- From the Google Cloud Console, request a new Dedicated Interconnect connection of 20 Gbps, and configure a VLAN attachment of 10 Gbps.
- From the Google Cloud Console, modify the bandwidth of the VLAN attachment to 20 Gbps.
You configured Cloud VPN with dynamic routing via Border Gateway Protocol (BGP). You added a custom route to advertise a network that is reachable over the VPN tunnel. However, the on-premises clients still cannot reach the network over the VPN tunnel. You need to examine the logs in Cloud Logging to confirm that the appropriate routes are being advertised over the VPN tunnel. Which filter should you use in Cloud Logging to examine the logs?
- resource.type="vpn_gateway"
- resource.type="vpn_tunnel"
- resource.type="gce_network_region"
- resource.type="gce_router"
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly. How should you configure the health check?
- Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.
- Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.
- Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
- Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?
- Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.
- Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.
- Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.
- Configure Cloud Storage with a projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.
Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates. Which Google Cloud load balancer should you use?
- HTTPS load balancer
- SSL proxy load balancer
- TCP proxy load balancer
- Network load balancer
You are in the early stages of planning a migration to GCP. You want to test the functionality of your hybrid cloud design before you start to implement it in production. The design includes services running on a Compute Engine Virtual Machine instance that need to communicate to on-premises servers using private IP addresses. The on-premises servers have connectivity to the internet, but you have not yet established any Cloud Interconnect connections. You want to choose the lowest cost method of enabling connectivity between your instance and on-premises servers and complete the test in 24 hours. Which connectivity method should you choose?
- 50-Mbps Partner VLAN attachment
- Cloud VPN
- Dedicated Interconnect with a single VLAN attachment
- Dedicated Interconnect, but don't provision any VLAN attachments
You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses. Which subnet mask should you use for the Pod IP address range?
- /22
- /21
- /25
- /23
You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale. How should you provision your instances?
- Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.
- Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.
- Create a single managed instance group, specify the desired region, and select Multiple zones for the location.
- Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.
You converted an auto mode VPC network to custom mode. Since the conversion, some of your Cloud Deployment Manager templates are no longer working. You want to resolve the problem. What should you do?
- Update the VPC firewall to allow the Cloud Deployment Manager to access the custom mode networks.
- Explicitly reference the custom mode networks in the Cloud Armor whitelist.
- Apply an additional IAM role to the Google API's service account to allow custom mode networks.
- Explicitly reference the custom mode networks in the Deployment Manager templates.
You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?
- Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.
- Create a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.
- Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.
- Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances. Which two products should you incorporate into the solution? (Choose two.)
- VPC flow logs
- Cloud Audit logs
- Compute Engine instance system logs
- Firewall logs
- Stackdriver Trace
You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem. What should you do?
- Alter the routing table to resolve the asymmetric route.
- Delete the legacy network and recreate it to allow transitive peering.
- Configure VPC peering in a full mesh.
- Create network tags to allow connectivity between all three VPCs.
You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from. What should you do?
- Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.
- Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.
- Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.
- Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.
You have several microservices running in a private subnet in an existing Virtual Private Cloud (VPC). You need to create additional serverless services that use Cloud Run and Cloud Functions to access the microservices. The network traffic volume between your serverless services and private microservices is low. However, each serverless service must be able to communicate with any of your microservices. You want to implement a solution that minimizes cost. What should you do?
- Create a serverless VPC access connector. Configure the serverless service to use the connector for communication to the microservices.
- Create a serverless VPC access connector for each serverless service. Configure the connectors to allow traffic between the serverless services and your existing microservices.
- Deploy your serverless services to the serverless VPC. Peer the serverless service VPC to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
- Deploy your serverless services to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command. Which next hop should you choose?
- The name and region of the Cloud VPN tunnel
- The IP address of the Cloud VPN gateway
- The default internet gateway
- The IP address of the instance on the remote side of the VPN tunnel
You want to configure load balancing for an internet-facing, standard voice-over-IP (VOIP) application. Which type of load balancer should you use?
- Network load balancer
- Internal TCP/UDP load balancer
- HTTP(S) load balancer
- TCP/SSL proxy load balancer
MJTelco Case Study

Company Overview
MJTelco is a startup that plans to build networks in rapidly growing, underserved markets around the world. The company has patents for innovative optical communications hardware. Based on these patents, they can create many reliable, high-speed backbone links with inexpensive hardware.

Company Background
Founded by experienced telecom executives, MJTelco uses technologies originally developed to overcome communications challenges in space. Fundamental to their operation, they need to create a distributed data infrastructure that drives real-time analysis and incorporates machine learning to continuously optimize their topologies. Because their hardware is inexpensive, they plan to overdeploy the network, allowing them to account for the impact of dynamic regional politics on location availability and cost. Their management and operations teams are situated all around the globe, creating a many-to-many relationship between data consumers and providers in their system. After careful consideration, they decided public cloud is the perfect environment to support their needs.

Solution Concept
MJTelco is running a successful proof-of-concept (PoC) project in its labs. They have two primary needs:
- Scale and harden their PoC to support significantly more data flows generated when they ramp to more than 50,000 installations.
- Refine their machine-learning cycles to verify and improve the dynamic models they use to control topology definition.
MJTelco will also use three separate operating environments (development/test, staging, and production) to meet the needs of running experiments, deploying new features, and serving production customers.

Business Requirements
- Scale up their production environment with minimal cost, instantiating resources when and where needed in an unpredictable, distributed telecom user community.
- Ensure security of their proprietary data to protect their leading-edge machine learning and analysis.
- Provide reliable and timely access to data for analysis from distributed research workers.
- Maintain isolated environments that support rapid iteration of their machine-learning models without affecting their customers.

Technical Requirements
- Ensure secure and efficient transport and storage of telemetry data.
- Rapidly scale instances to support between 10,000 and 100,000 data providers with multiple flows each.
- Allow analysis and presentation against data tables tracking up to 2 years of data, storing approximately 100m records/day.
- Support rapid iteration of monitoring infrastructure focused on awareness of data pipeline problems, both in telemetry flows and in production learning cycles.

CEO Statement
Our business model relies on our patents, analytics and dynamic machine learning. Our inexpensive hardware is organized to be highly reliable, which gives us cost advantages. We need to quickly stabilize our large distributed data pipelines to meet our reliability and capacity commitments.

CTO Statement
Our public cloud services must operate as advertised. We need resources that scale and keep our data secure. We also need environments in which our data scientists can carefully study and quickly adapt our models. Because we rely on automation to process our data, we also need our development and test environments to work as we iterate.

CFO Statement
The project is too large for us to maintain the hardware and software required for the data and analysis. Also, we cannot afford to staff an operations team to monitor so many data feeds, so we will rely on automation and infrastructure. Google Cloud's machine learning will allow our quantitative researchers to work on our high-value problems instead of problems with our data pipelines.
You need to compose visualization for operations teams with the following requirements:
- Telemetry must include data from all 50,000 installations for the most recent 6 weeks (sampling once every minute).
- The report must not be more than 3 hours delayed from live data.
- The actionable report should only show suboptimal links.
- Most suboptimal links should be sorted to the top. Suboptimal links can be grouped and filtered by regional geography.
- User response time to load the report must be <5 seconds.
You create a data source to store the last 6 weeks of data, and create visualizations that allow viewers to see multiple date ranges, distinct geographic regions, and unique installation types. You always show the latest data without any changes to your visualizations. You want to avoid creating and updating new visualizations each month. What should you do?
- Look through the current data and compose a small set of generalized charts and tables bound to criteria filters that allow value selection.
- Export the data to a spreadsheet, compose a series of charts and tables, one for each possible combination of criteria, and spread them across multiple tabs.
- Load the data into relational database tables, write a Google App Engine application that queries all rows, summarizes the data across each criteria, and then renders results using the Google Charts and visualization API.
- Look through the current data and compose a series of charts and tables, one for each possible combination of criteria.
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency. What should you do?
- Configure Dynamic Routing for the subnet hosting the application.
- Configure a policy-based route rule to prioritize the traffic.
- Configure an HTTP load balancer, and direct the traffic to it.
- Configure the TTL for the DNS zone to decrease the time between updates.
One instance in your VPC is configured to run with a private IP address only. You want to ensure that even if this instance is deleted, its current private IP address will not be automatically assigned to a different instance. In the GCP Console, what should you do?
- Add custom metadata to the instance with key internal-address and value reserved.
- Change the instance's current internal IP address to static.
- Assign a new reserved internal IP address to the instance.
- Assign a public IP address to the instance.
You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?
- Review the VPC audit logs in Cloud Logging for the affected instances.
- Use Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.
- Enable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.
- Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.
You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed. During troubleshooting you find:
- Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
- The subnetwork logs are not excluded from Stackdriver.
- The instance that is hosting the application can communicate outside the subnet.
- Other instances within the subnet can communicate outside the subnet.
- The external resource initiates communication.
What is the most likely cause of the missing log lines?
- The traffic is matching the expected egress rule.
- The traffic is not matching the expected egress rule.
- The traffic is not matching the expected ingress rule.
- The traffic is matching the expected ingress rule.
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments. What should you do?
- Assign each user the compute.networkAdmin role.
- Assign each user the editor role.
- Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
- Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider. Which connection type should you choose?
- Direct Peering
- Dedicated Interconnect
- Partner Interconnect
- Carrier Peering
Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments. What should you do?
- Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.
- Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.
- Create a VPC firewall rule in each VPC to block traffic from any source, with priority 0.
- Create a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.
Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs. Which service should you use?
- TCP/UDP Load Balancing
- Cloud DNS
- Cloud NAT
- Identity-Aware Proxy
You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services. Which session affinity should you choose?
- Client IP and protocol
- None
- Client IP
- Client IP, port and protocol
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance. What should you do?
- Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
- Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
- Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
- Open the Cloud Shell. SSH into the instance using gcloud compute ssh.
You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect. What should you do?
- Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
- Tag the backend instances "application", and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
- Label the backend instances "application", and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.
- Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identify the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?
- Enable firewall logs, and view the logs in Firewall Insights.
- Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.
- Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.
- Enable VPC Flow Logs, and view the logs in Cloud Logging.
You need to enable Cloud CDN for all the objects inside a storage bucket. You want to ensure that all the objects in the storage bucket can be served by the CDN. What should you do in the GCP Console?
- Create a new TCP load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
- Create a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.
- Create a new SSL proxy load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
- Create a new Cloud Storage bucket, and then enable Cloud CDN on it.
Your organization uses a Shared VPC architecture with a host project and three service projects. You have Compute Engine instances that reside in the service projects. You have critical workloads in your on-premises data center. You need to ensure that the Google Cloud instances can resolve on-premises hostnames via the Dedicated Interconnect you deployed to establish hybrid connectivity. What should you do?
- 1. Configure a Cloud DNS private zone in the host project of the Shared VPC. 2. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project. 3. In your Cloud Router, add a custom route advertisement for the IP 169.254.169.254 to the on-premises environment.
- 1. Configure a Cloud DNS private zone in the host project of the Shared VPC. 2. Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project. 3. Configure a DNS policy in the Shared VPC to allow inbound query forwarding with your on-premises DNS server as the alternative DNS server.
- 1. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers. 2. In your Cloud Router, add a custom route advertisement for the IP 35.199.192.0/19 to the on-premises environment.
- 1. Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers. 2. In your Cloud Router, add a custom route advertisement for the IP 169.254.169.254 to the on-premises environment.
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic. What should you do?
- Create a new firewall rule to allow traffic from port 22, and enable logs.
- Try connecting to the instance via SSH, and check the logs.
- Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.
- Check the VPC flow logs for the instance.
You need to define an address plan for a future new Google Kubernetes Engine (GKE) cluster in your Virtual Private Cloud (VPC). This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses. Which subnet mask should you use for the Pod IP address range?
- /22
- /23
- /25
- /21
You are designing a hybrid cloud environment. Your Google Cloud environment is interconnected with your on-premises network using HA VPN and Cloud Router in a central transit hub VPC. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88. You need to ensure that your Compute Engine resources in multiple spoke VPCs can resolve on-premises private hostnames using the domain corp.altostrat.com while also resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
- 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC. 2. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19. 4. Create a hub and spoke VPN deployment in each spoke VPC to connect back to the hub VPC.
- 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. 2. Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
- 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC. 2. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19. 4. Configure VPC peering in the spoke VPCs to peer with the hub VPC.
- 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC. 2. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
You recently noticed a recurring daily spike in network usage in your Google Cloud project. You need to identify the virtual machine (VM) instances and type of traffic causing the spike in traffic utilization while minimizing the cost and management overhead required. What should you do?
- Enable VPC Flow Logs and send the output to BigQuery for analysis.
- Configure Packet Mirroring to send all traffic to a VM. Use Wireshark on the VM to identify traffic utilization for each VM in the VPC.
- Enable Firewall Rules Logging for all allowed traffic and send the output to BigQuery for analysis.
- Deploy a third-party network appliance and configure it as the default gateway. Use the third-party network appliance to identify users with high network traffic.

You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?
- Configure the remote autonomous system number (ASN) to 4096.
- Configure the maximum transmission unit (MTU) to its highest supported value.
- Configure a second Cloud Router to scale bandwidth in and out of the VPC.
- Configure a second set of active/passive VPN tunnels.

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from on-premises locations using Cloud Interconnect connections. Your company must be able to send traffic to Cloud Storage only through the Interconnect links while accessing other Google APIs and services over the public internet. What should you do?
- Use the default public domains for all Google APIs and services.
- Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.
- Use Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.
- Use Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services.

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs. Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)
- Dedicated Interconnect
- Cloud VPN
- Cloud NAT
- Shared VPC
- VPC peering

You have two Google Cloud projects in a perimeter to prevent data exfiltration. You need to move a third project inside the perimeter; however, the move could negatively impact the existing environment. You need to validate the impact of the change. What should you do?
- Modify the existing VPC Service Controls policy to include the new project in dry run mode.
- Monitor the Resource Manager audit logs inside the perimeter.
- Enable VPC Flow Logs inside the third project, and monitor the logs for negative impact.
- Enable Firewall Rules Logging inside the third project.

You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration. Which connectivity model should you use?
- Partner Interconnect with a layer 2 partner
- Partner Interconnect with a layer 3 partner
- Dedicated Interconnect
- Direct Peering

You are developing an HTTP API hosted on a Compute Engine virtual machine instance that must be invoked only by multiple clients within the same Virtual Private Cloud (VPC). You want clients to be able to get the IP address of the service. What should you do?
- Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the URL https://[API_NAME]/[API_VERSION]/.
- Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the URL https://[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal/.
- Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Then, define an A record in Cloud DNS. Clients should use the name of the A record to connect to the service.
- Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Clients should use this IP address to connect to the service.

You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only. How should you configure your firewall rules?
- Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
- Create a single firewall rule to allow port 3389 with priority 1000.
- Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.
- Create a single firewall rule to allow port 22 with priority 1000.

You need to ensure your personal SSH key works on every instance in your project. You want to accomplish this as efficiently as possible. What should you do?
- Create a custom Google Compute Engine image with your public SSH key embedded.
- Upload your public SSH key to the project Metadata.
- Use gcloud compute ssh to automatically copy your public SSH key to the instance.
- Upload your public SSH key to each instance Metadata.

Your company has a Virtual Private Cloud (VPC) with two Dedicated Interconnect connections in two different regions: us-west1 and us-east1. Each Dedicated Interconnect connection is attached to a Cloud Router in its respective region by a VLAN attachment. You need to configure a high availability failover path. By default, all ingress traffic from the on-premises environment should flow to the VPC using the us-west1 connection. If us-west1 is unavailable, you want traffic to be rerouted to us-east1. How should you configure the multi-exit discriminator (MED) values to enable this failover path?
- Use regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1.
- Use global routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1.
- Use global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1.
- Use regional routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1.

You are using the gcloud command line tool to create a new custom role in a project by copying a predefined role. You receive this error message: INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid. What should you do?
- Add the resourcemanager.projects.setIamPolicy permission, and try again.
- Remove the resourcemanager.projects.list permission, and try again.
- Add the resourcemanager.projects.get permission, and try again.
- Try again with a different role with a new name but the same permissions.

You are configuring your Google Cloud environment to connect to your on-premises network. Your configuration must be able to reach Cloud Storage APIs and your Google Kubernetes Engine nodes across your private Cloud Interconnect network. You have already configured a Cloud Router with your Interconnect VLAN attachments. You now need to set up the appropriate router advertisement configuration on the Cloud Router. What should you do?
- Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Leave all other options as their default settings.
- Configure the route advertisement to the default setting.
- On the on-premises router, configure a static route for the storage API virtual IP address which points to the Cloud Router's link-local IP address.
- Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.

Your company has provisioned 2000 virtual machines (VMs) in the private subnet of your Virtual Private Cloud (VPC) in the us-east1 region. You need to configure each VM to have a minimum of 128 TCP connections to a public repository so that users can download software updates and packages over the internet. You need to implement a Cloud NAT gateway so that the VMs are able to perform outbound NAT to the internet. You must ensure that all VMs can simultaneously connect to the public repository and download software updates and packages. Which two methods can you use to accomplish this? (Choose two.)
- Use the default Cloud NAT gateway's NAT proxy to dynamically scale using a single NAT IP address.
- Configure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.
- Create a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.
- Configure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.
- Use the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.

Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:
• Certain data must stay in the project where it is stored and not be exfiltrated to other projects.
• Traffic from servers in your data center with RFC 1918 addresses does not use the internet to access Google Cloud APIs.
• All DNS resolution must be done on-premises.
• The solution should only provide access to APIs that are compatible with VPC Service Controls.
What should you do?
- 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range. 2. Create a CNAME record for *.googleapis.com that points to the A record. 3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record. 4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.
- 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range. 2. Create a CNAME record for *.googleapis.com that points to the A record. 3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record. 4. Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.
- 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range. 2. Create a CNAME record for *.googleapis.com that points to the A record. 3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record. 4. Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.
- 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range. 2. Create a CNAME record for *.googleapis.com that points to the A record. 3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record. 4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

You have deployed an HTTP(S) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem. Which commands should you run?
- gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS
- gcloud compute instances add-access-config instance-1
- gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS
- gcloud compute health-checks update http health-check --unhealthy-threshold 10