Professional Documents
Culture Documents
Professional Cloud
Network Engineer
Journey
Course Workbook
Certification Exam Guide Sections
1 Designing, planning, and prototyping a Google Cloud network
Cymbal Bank has a network support A. The Compute Admin role bound at
engineering team which will need access to the project level for the project that
create or change subnet names, locations, owns the VPC network
and IP address ranges for some but not all B. The Compute Network Admin role bound at the project level for the
subnetworks of a VPC network in a Google Project that owns the VPC network
Cloud project. Cymbal Bank uses the
C. The Compute Network Admin role bound at the resource level for the
principle of least privilege and would like to
subnetworks of the VPC network that will be created or changed by the
restrict role usage to Google predefined
team
roles.
D. The Compute Admin role bound at the resource level for the
subnetworks of the VPC network that will be created or changed by the
Which role should be assigned team
to this group?
1.1 Diagnostic Question 03
You are a network engineer designing a solution A. Cloud CDN could be used to cache static
for hosting a Cymbal Bank web application in content resources at edge locations close to
Google Cloud. The application will serve a end-users, increasing their availability and
collection of static and dynamic web resources minimizing their latency.
served over HTTPS to users worldwide. You B. Cloud NAT could be used to provide outbound connectivity to the internet for
need to design a solution that maximizes resources with only internal IP addresses, thereby increasing their availability.
availability while minimizing average user
C. Cloud Armor could be used to provide protection against DDoS and injection attacks
latency.
and thereby minimize solution latency.
D. An HTTPS load balancer with a backend service connected to a set of regional
MIGs, distributed over the regions closest to the users, to improve availability and
Which of the following features of minimize latency.
Google Cloud networking can you E. Network Intelligence Center could be used to provide network insights, enabling the
utilize? (Select 2) web application to be deployed in a configuration with maximum availability and
minimal latency.
Designing an overall network architecture
1.1
Courses
Documentation
Networking in Google Cloud Networking in Google Cloud: Hybrid conne Compute Engine IAM roles and permissions
● M2 Controlling access to VPC ctivity and network management
Cloud CDN overview
networks ● M2 Controlling access to VPC networks
● M4 Load balancing ● M4 Load balancing Cloud NAT overview
● M5 Hybrid connectivity Cloud Load Balancing overview
● M7 Network design and Networking in Google Cloud: Hybrid conne Google Cloud Armor overview
deployment ctivity and network management
● M1 Hybrid connectivity Network Intelligence Center
● M3 Network design and deployment
1.2 Diagnostic Question 04
Cymbal Bank needs to create one or more VPC A. 3 custom VPC networks, one in each region
networks to host their cloud services in 3 with one subnet each. The VPC networks all
regions: Northeastern US, Western Europe, and connected with VPC peering with default firewall
Southeast Asia. The services require bi- rules, and custom routes added to support the traffic requirements.
directional inter-regional communication on B. 3 custom VPC networks, one in each region with one subnet each. The VPC
port 8443. The services receive external internet networks all connected with VPC peering with default routes, and firewall rules
traffic on port 443. added to support the traffic requirements.
C. 1 custom VPC network, with a subnet in each region. The VPC network has the
default routes, and the appropriate firewall rules added to support the traffic
requirements.
What is the minimal network topology D. 1 custom VPC network, with a subnet in each region. The VPC network has default
in Google Cloud that would satisfy firewall rules and custom routes added to support the traffic requirements.
these requirements?
1.2 Diagnostic Question 05
Sarah is a network architect responsible for the A. Shared VPC network connecting
network design between Cymbal Bank’s on- Google Cloud resources for Cymbal Bank
premises network and Google Cloud resources, and the partner company
and also between Cymbal Bank’s Google Cloud B. VPC peering between VPC networks for Cymbal Bank and the partner company
resources and a partner company’s Google
C. A Dedicated Interconnect connection between Cymbal Bank’s on-premises network
Cloud resources. These connections must
and their Google Cloud VPC network
provide private IP connectivity and support up
to 100 Gbps of data exchange with minimum D. A Cloud VPN tunnel between Cymbal Bank’s on-premises network and their Google
possible latency. Cloud VPC network
E. 50 Cloud VPN tunnels between Cymbal Bank’s on-premises network and their
Google Cloud VPC network
You are selecting Google Cloud locations to deploy A. Deploy instances in multiple
Google Cloud VMs. You have general requirements to zones in the northamerica-
maximize availability and reduce average user latency northeast1 (Montreal) and
with a lower priority goal of reducing networking costs. northamerica-northeast2 regions.
The users served by these VMs will be in Toronto and B. Deploy instances in a single zone in the northamerica-northeast1
Montreal. You must deploy workloads requiring instances and northamerica-northeast2 regions.
at 99.5% availability in Toronto and 99.99% availability
C. Deploy instances in a single zone in the northamerica-northeast1
in Montreal. These instances all exchange a large amount
region and multiple zones in the northamerica-northeast2 region.
of traffic among themselves.
D. Deploy instances in multiple zones in the northamerica-
northeast1 region and a single zone in the northamerica-
Which deployment option northeast2.
satisfies these requirements?
1.2 Designing a VPC
Documentation
You are designing a VPN solution to connect A. Classic VPN with route-based static routing
Cymbal Bank’s on-premises data center to B. Classic VPN with policy-based static routing
Google Cloud. You have a BGP-capable
C. Classic VPN with Cloud Router and dynamic routing
VPN gateway installed in the data center and
require 99.99% availability for the VPN D. HA VPN with Cloud Router and dynamic routing
link.
To reduce latency, you will be replacing an existing Cloud VPN A. A 10 Gbps Dedicated
Classic VPN connection. You will connect your organization’s Interconnect connection
on-premises data center to Google Cloud resources in a VPC with one 10 Gbps
network with all resources in a single subnet and region using VLAN attachments
private/internal IP connectivity. The connection will need to B. A 2 Gbps Dedicated Interconnect connection with one 2 Gbps
support 1.5 Gbps of traffic. Due to cost considerations, you VLAN attachments
would like to order the option that provides just enough
C. A Partner Interconnect connection with 1 or 2 VLAN attachments
bandwidth and not more but must have significantly lower
latency than the existing Cloud VPN connection. D. A Cloud VPN HA VPN connection with Cloud Router
Courses Documentation
You need to create a GKE cluster, be able to A. A GKE route-based cluster in a subnet with
connect to pod IP addresses from your on- primary IP range 10.0.240.0/20 and pod IP
premises environment, and control access to range of 10.1.0.0/16
pods directly using firewall rules. You will need B. A GKE route-based cluster in a subnet with primary IP range 10.0.240.0/20 and pod
to support 300 nodes, 30000 pods, and 2000 IP range of 10.252.0.0/14
services.
C. A GKE VPC-native cluster in a subnet with primary IP range 10.0.240.0/20, pod IP
range of 10.252.0.0/15, and service IP range of 10.0.224.0/20
Which configuration satisfies these D. A GKE VPC-native cluster in a subnet with primary IP range 10.0.240.0/20, pod IP
requirements? range of 10.252.0.0/16, and service IP range of 10.0.224.0/20
1.4 Diagnostic Question 10
Cymbal Bank wants to ensure communication from A. Deploy a private GKE cluster with public
their on-premises data centers to the GKE control endpoint access enabled and authorized
plane stays private using internal IP communication networks disabled.
and their Dedicated Interconnect links. However, they B. Deploy a private GKE cluster with public endpoint access
will need to allow administrators to periodically
enabled and authorized networks enabled. Configure authorized networks for the cluster to
connect to the cluster control plane from remote include all remote source IP ranges that administrators may connect from.
internet-accessible locations that don’t have access to
the on-premises private network. You want to select a C. Deploy a private GKE cluster with public endpoint access disabled. Create a VM in the same
configuration and connection approach that will enable subnet with only an internal IP address and provide IAP tunnel based SSH access to remote
these requirements while providing the highest administrators for this VM. Have remote administrators connect via IAP tunnel SSH to this VM
security. when requiring access to the GKE cluster control plane.
D. Deploy a private GKE cluster with public endpoint access disabled. Provide remote
administrators IAP tunnel based SSH access to a node in the cluster. Have remote administrators
connect via an IAP tunnel SSH to this node when requiring access to the GKE cluster control
What should you do? plane.
Designing an IP addressing plan
1.4 for Google Kubernetes Engine
Cymbal Bank has a custom VPC network with two subnets (in us- A. Create a new subnet in us-central1 with
central1 and us-east1) hosting 500 VMs each. The primary ranges primary IP range 10.128.128.0/22, delete
for each are 10.128.128.0/23 and 10.128.192.0/23. The VPC has the VMs in the existing subnets one at a
default routes and 3 firewall rules (all at priority 1000), one (A) time and re-create them in the new subnet, delete the old subnets, update the B and C
allowing ingress on TCP port 443 from any IP address, another (B) firewall rules to use the single new subnet primary range.
allowing ingress on TCP port 8443 from the primary ranges of
B. Create a new subnet in us-central1 with primary IP range 10.192.128.0/22, delete the VMs in
each subnet, and a third (C) denying egress to the primary ranges
the existing subnets one at a time and re-create them in the new subnet, delete the old
for each subnet for all ports and protocols except for TCP port
subnets, update the B and C firewall rules to use the single new subnet primary range.
8443. To reduce networking costs, Cymbal Bank would like to
consolidate the 1000 VMs into a single subnet in us-central1 (and C. Expand the subnet in us-central1 to a primary IP range 10.128.128.0/22, delete the VMs in
use a primary IP range for that subnet to support that) and delete the us-east1 subnet one at a time and re-create them in the new subnet, delete the us-east1
the us-east1 subnet. You would like to ensure the simplest possible subnet, update the B and C firewall rules to use the single new subnet primary range.
firewall rules in the new configuration providing the same traffic D. Expand the existing subnet in us-central1 to a primary IP range 10.192.128.0/22, delete the
control. VMs in the us-east1 subnet one at a time and re-create them in the new subnet, delete the us-
east1 subnet, update the B and C rules to use the single new subnet primary range.
You are designing a networking scheme for A. Connect the VMs across the
Cymbal Bank with the requirement to use internal Cymbal projects and partner organization
IP addresses for communication, with the lowest using VPCs in each project (V1, V2, V3, V4, V5)
possible latency. Cymbal Bank has several teams, and VPC peering (peering V1 to V2, V2 to V3, V3 to V4, and V4 to V5).
each with their own projects: P1, P2, and P3. B. Connect the VMs across the Cymbal projects (P1-P3) using Shared VPC (Shared
Cymbal Bank would like consolidated network VPC host project P6 with VPC V6, and P1-P3 are the service projects) and then
billing, administration, and access control for the peer that Shared VPC to the partner organization VPCs (V6 peered to V4 and V4
cloud environment. VMs in these projects need to to V5).
connect to VMs in a partner organization, in
projects P4 and P5. C. Connect the VMs across Cymbal and partner organization projects (P1-P5) using
Shared VPC (Shared VPC host project P6 with VPC V6, and P1-P5 are the
service projects).
D. Connect the VMs across the Cymbal projects (P1-P3) using Shared VPC (Shared
Which networking option best satisfies these
VPC host project P6 with VPC V6, and P1-P3 are the service projects) and then
requirements?
peer that Shared VPC to the partner organization VPCs (V6 peered to V4 and V6
to V5).
21
. Configuring VPCs
Cymbal Bank needs to connect two on-premises A. Configure the VPC for regional dynamic routing
networks to a single VPC network in Google mode, create a Cloud Router in each of the two
Cloud. One on-premises network supports BGP regions, connect each office to its closest region
routing and is located near the us-central1 region. via an HA VPN gateway with dynamic routing in that region.
The other on-premises network does not support
B. Configure the VPC for regional dynamic routing mode, create one Cloud Router in the us-
BGP routing and is located near us-east1. The VPC
central1 region, connect the office close to us-central1 to the VPC using an HA VPN gateway
network has subnets in each of these regions. You
with dynamic routing in us-central1, and connect the other office via a Classic VPN gateway
will use Cloud VPN to enable private
using static routing in us-east1.
communication between the on-premises networks
and the VPC network. C. Configure the VPC for global dynamic routing mode, create Cloud Routers in each of the 2
regions, connect each office to its closest region via an HA VPN gateway with dynamic routing
in that region.
D. Configure the VPC for global dynamic routing mode, create Cloud Routers in each of the 2
Which configuration provides the highest regions, connect the office close to us-central1 to the VPC using an HA VPN gateway with
availability and the lowest average latency? dynamic routing in us-central1, and connect the other office via a Classic VPN gateway using
static routing in us-east1.
2.2 Diagnostic Question 04
You are designing a VPC network with the A. Create a custom route to the destination
requirement that all external traffic destined 0.0.0.0/0 and specify the next hop as the proxy VM.
for the Internet be passed through a proxy VM. B. Delete the system-generated default route, then create a custom route to
The proxy will have software installed to scan, destination 0.0.0.0/0 and specify the next hop as the proxy VM.
detect, and drop invalid egress traffic, to help
prevent data exfiltration, outbound attacks, or C. Create a custom route to the destination 0.0.0.0/0 and specify the next hop as the
access to blocked websites. proxy VM and configure the scanning VM to enable IP forwarding.
D. Delete the system-generated default route, then create a custom route to
destination 0.0.0.0/0. Specify the next hop as the proxy VM, and configure the
proxy VM to enable IP forwarding.
Select the configuration that can most
easily accomplish this.
2.2 Configuring routing
Networking in Google Cloud: Hybrid connec Networks and tunnel routing | Cloud VPN
tivity and network management
Cloud Router overview
● M1 Hybrid connectivity Google Cloud
● M3 Network design and deployment Network Performance and Optim Routes overview | VPC
ization Quest
Using routes | VPC
2.3 Diagnostic Question 05
Cymbal Bank has an existing subnet that A. Expand the subnet primary IP address range to 10.128.0.0/16, create a secondary
you’d like to use for a new VPC-native GKE range in the subnet of size /14 for pods and another of size /17 for services, create
cluster. The subnet primary IP address range is the GKE VPC-native cluster in the subnet using these secondary ranges.
10.128.128.0/20. Currently there are 1000 B. Create a secondary range in the subnet of size /13 for pods and another of size /16
other VMs using that subnet and have taken for services, create the GKE VPC-native cluster in the subnet using these
1000 of the available IP addresses. The new secondary ranges.
GKE cluster should support 200,000 pods and
30,000 services. C. Create a GKE VPC-native cluster in the subnet, specifying the pod range to be of
size /14 and services range to be of size /17.
D. Create a GKE VPC-native cluster in the subnet, specifying the pod range to be of
Select the minimal set of configuration size /13 and services range to be of size /17.
steps and the smallest possible IP ranges to
enable this.
2.3 Diagnostic Question 06
A. Assign the
You will be deploying a VPC-native GKE
service-{serviceProjectNumber}@container-engine-robot.iam.gserviceaccount.com
cluster into an existing service project of a
Shared VPC. You will create an Ingress to service account (where serviceProjectNumber is the
trigger the automatic creation, connection, and project number of the service project) the Compute
firewall configuration of an HTTP(S) load Network User role (in the host project).
balancer to a service deployed in the cluster B. Assign the
for container-native load balancing. service-{serviceProjectNumber}@container-engine-robot.iam.gserviceaccount.com service
account (where serviceProjectNumber is the project number of the service project) the Host
Service Agent User (in the host project).
Select the option corresponding to the C. Assign the
IAM policy binding of least privilege service-{serviceProjectNumber}@container-engine-robot.iam.gserviceaccount.com service
necessary. account (where serviceProjectNumber is the project number of the service project) the Host
Service Agent User and the Compute Network User (in the host project).
D. Assign the
service-{serviceProjectNumber}@container-engine-robot.iam.gserviceaccount.com service
account (where serviceProjectNumber is the project number of the service project) the Host
Service Agent User (in the host project) and the Compute Network User (for the subnet of the
GKE cluster in the shared VPC in the host project).
Configuring and maintaining Google
2.3 Kubernetes Engine clusters
You are trying to determine which firewall A. Go to the Firewall Insights landing page of the Cloud Console.
rule(s) is/are incorrectly blocking requests Find the names of the deny firewall rules with hits to identify
between two VMs running within a VPC rules that are blocking requests. Go to the Legacy Logs Viewer
or Logs Explorer page, view the firewall logs, and filter for logs
network: VM1 and VM2. Firewall logging is
matching those rules by name using jsonPayload.rule_details.
enabled for all firewall rules, including
reference field, matching the names of the deny firewall rules with hits.
metadata. The Firewall Insights and
B. Go to the Logs Explorer or Legacy Logs Viewer page, view the firewall logs, and filter for logs matching the
Recommendations API also have been enabled.
source and destination VMs VM1 and VM2 using the jsonPayload.instance.project_id,
All insights have been enabled, and
jsonPayload.instance.vm_name, jsonPayload.instance.region, and jsonPayload.instance.zone,
observation period set over a period capturing
jsonPayload.remote_instance.vm_name, jsonPayload.remote_instance.region, and
the blocked requests. jsonPayload.remote_instance.zone.
C. Go to the Logs Explorer or Legacy Logs Viewer page, view the firewall logs, and filter for logs matching the
destination VM2 in the VPC using the jsonPayload.instance.project_id, jsonPayload.instance.vm_name,
jsonPayload.instance.region, and jsonPayload.instance.zone fields.
Select a valid troubleshooting approach to D. Go to the Firewall Insights landing page of the Cloud Console and find the names of the allow firewall rules with
find the incorrectly configured firewall no hits to identify rules that are not allowing requests. Go to the Logs Viewer or Explorer page to view the
rule. firewall logs and filter for logs matching those rules by name using jsonPayload.rule_details.reference field
(matching the names of the allow firewall rules with no hits).
Configuring and managing firewall
2.4 rules
Cymbal Bank has a set of VPC service A. Create a service perimeter bridge connecting the the service
control service perimeters around several perimeters of all the projects.
projects with BigQuery datasets, with each B. Create a service perimeter bridge connecting the service perimeters of all the
project in its own separate service projects, and update all the service perimeters to add an access level providing the
perimeter. You would like to restrict access external access for the specified users.
to these projects’ BigQuery datasets to
VMs in the VPCs of one of these projects C. Update the service perimeter configurations for all the projects to add an ingress rule
(project P1,) and for a small set of users to with an access level to provide the external access for the specified users.
have external access from a combination of D. Update the service perimeter configurations for all the projects to add an ingress rule
a specific IP range, geo-location, and to provide the external access for the specified users, and another ingress rule to
device type. provide the access from the VPCs of the specified project P1.
Documentation
Overview of VPC Service Controls Ingress and egress rules | VPC Service Controls
Service perimeter details and configuration | VPC Service Contr Sharing across perimeters with bridges | VPC Service Controls
ols
Creating a perimeter bridge | VPC Service Controls
Secure data exchange with ingress and egress rules
Ingress and egress rules | VPC Service Controls
Context-aware access with ingress rules | VPC Service Controls
Sharing across perimeters with bridges | VPC Service Controls
Access level attributes | Access Context Manager
Creating a service perimeter | VPC Service Controls
Custom access level specification | Access Context Manager
Dry run mode for Service Perimeters | VPC Service Controls
Section 3:
Configuring network services
3.1 Diagnostic Question 01
Cymbal Bank wants a web application to A. A global external HTTP(S) load balancer
have global anycast load balancing across with one global forwarding rule,
multiple regions. The web application will forwarding to one target proxy with one URL
serve static asset files and will also use map connected to 2 backend services
REST APIs that serve dynamic responses. B. A global external HTTP(S) load balancer with two global forwarding rules,
The load balancer should support HTTP and forwarding to two target proxies, one with URL map and no backend service
HTTPS requests and redirect HTTP to and the other with URL map and 2 backend services
HTTPS. The load balancer should also serve
C. 2 global external HTTP(S) load balancers, each with one global forwarding
all the requests from the same domain
rule forwarding to one target proxy with one URL map connected to 1 backend
name, with different paths indicating static
service
versus dynamic resources.
D. A global external HTTP(S) load balancer with two global forwarding rules,
forwarding to two target proxies, one with URL map and no backend service
Select the load balancer configuration that would and the other with URL map, one backend service, and one backend bucket
most effectively enable this scenario.
3.1 Diagnostic Question 02
Google Cloud
Network endpoint groups overview | Load Balancing
Build and Secure Networks i
n Google Cloud Quest Zonal network endpoint groups overview | Load Bala
ncing
Cymbal Bank would like to protect A. Configure Cloud Armor with the appropriate
their services which are deployed rules.
behind an HTTP(S) load balancer B. Configure a VM with appropriate scanning and filtering
from L7 distributed denial of software in front of the HTTP(S) load balancer.
service (DDoS), SQL injection
C. Configure Google Cloud WAF with the appropriate
(SQLi), and cross-site scripting
rules.
(XSS) attacks.
D. Configure Google Cloud NAT with the appropriate
rules.
Cymbal Bank uses Cloud CDN to cache a A. Set the Cloud CDN cache mode for
web application served from a backend the backend bucket to CACHE_ALL_STATIC.
bucket connected to a Cloud Storage bucket. B. Set the Cloud CDN cache mode for the backend
You need to cache all the web-app files with bucket to FORCE_CACHE_ALL, and ensure the Cache-Control metadata for
appropriate time to live (TTL) except for index.html is set to private.
the index.html file. The index.html file
C. Set the Cloud CDN cache mode for the backend bucket to
contains links to versioned files and should
CACHE_ALL_STATIC, and ensure the Cache-Control metadata for index.html
always be fetched or re-validated from the
is not set or set to no-store, no-cache, or private.
origin.
D. Set the Cloud CDN cache mode to USE_ORIGIN_HEADERS, set
the Cache-Control metadata for index.html to no-store, and set the
Which configuration option satisfies these Cache-Control headers for all the other files with appropriate TTL
requirements with minimal effort? values.
3.3 Diagnostic Question 05
Cymbal Bank will use a hybrid DNS approach. A. Create an single Cloud DNS managed
Cymbal has a VPC in Google Cloud that zone in Google Cloud that is configured for
connects to their on-premises networks via private DNS for gcp.cymbalbank.com and
Interconnect. You will use Google Cloud DNS public DNS for cymbalbank.com and that also acts as a forwarding zone to the on-
for Cymbal’s public DNS zone at premise DNS for corp.cymbalbank.com DNS requests.
cymbalbank.com, and also for private DNS for B. Create a Cloud DNS private managed zone for gcp.cymbalbank.com, a public
resources at gcp.cymbalbank.com. You will use managed zone for cymbalbank.com, and a third forwarding zone for
Cymbal’s on-premises DNS, which is corp.cymbalbank.com that forwards DNS requests to the on-premise DNS.
configured as authoritative for on-premises
C. Create a public managed zone for cymbalbank.com and a Cloud DNS private
private resources at corp.cymbalbank.com.
managed zone for gcp.cymbalbank.com that also forwards DNS requests for
corp.cymbalbank.com to the on-premises DNS.
D. Create a Cloud DNS private managed zone for gcp.cymbalbank.com, and a public
Which Cloud DNS managed zone
managed zone for cymbalbank.com that also forwards DNS requests for
configuration will satisfy the
corp.cymbalbank.com to the on-premises DNS.
requirements?
3.4 Diagnostic Question 07
You are configuring hybrid DNS for Google A. For the VPC in one of the projects,
Cloud using Cloud DNS and your on- create a Cloud DNS forwarding zone for
premises DNS. You have three VPC its VPC. For the VPC in each of the other
networks in Google Cloud in three different projects, create a Cloud DNS peering zone that
projects that will need to forward DNS targets the VPC with the forwarding zone.
requests for a particular private domain to B. Create a forwarding zone in one of the projects that is visible to the
the on-premises DNS. All 3 projects have VPCs in all of the projects.
Cloud VPN connections to the on-premises
C. Create a forwarding zone in each of the projects that is visible to the
network.
VPC in that project.
D. Create a forwarding zone and a peering zone in each project. Make the
Select the Google recommended approach for forwarding zone visible to the VPC in the same project and the peering
enabling this requirement. managed zones associated with the VPCs in the other projects.
3.4 Configuring and maintaining Cloud DNS
Documentation
Cloud DNS overview Name resolution order | Cloud DNS
General DNS overview DNS policies overview
DNS best practices Cross-project binding zones | Clou
d DNS
Key terms | Cloud DNS
Manage zones | Cloud DNS
DNS server policies
Manage records | Cloud DNS
Manage response policies and rules | Clo
DNS Security Extensions (DNSS ud DNS
EC) overview
Manage DNS routing policies
3.5 Diagnostic Question 08
Cymbal is using Cloud NAT to provide A. Set the minimum ports per VM to 1000 and
internet connectivity to a group of VMs in a the number of IP addresses used by the
subnet. There are 500 VMs in the subnet and Cloud NAT Gateway to 8.
each VM may have up to 1000 internet B. Set the minimum ports per VM to 2000 and the number of IP addresses
bound connections simultaneously. used by the Cloud NAT Gateway to 8.
C. Set the minimum ports per VM to 2000 and the number of IP addresses
used by the Cloud NAT Gateway to 10.
D. Set the minimum ports per VM to 1000 and the number of IP addresses
What Cloud NAT configuration will support used by the Cloud NAT Gateway to 6.
this requirement?
3.5 Configuring Cloud NAT
Courses Documentation
You are designing a system in A. Create the 2 subnets in the same VPC. Create a VM running
Google Cloud to ensure all the 3rd party scanning software in one of the
traffic being sent between two subnets. Create custom routes in the VPC to send traffic for
subnets is passed through a each subnet from the opposite subnet through that VM.
security gateway VM. The VM B. Create the 2 subnets in the same VPC. Create a VM running the 3rd party scanning software in each of
runs 3rd party software that the subnets. Create custom routes in the VPC to send traffic destined for each subnet originating in the
scans traffic for known attack opposite subnet through the VM in its subnet.
signatures, then forwards or C. Create the 2 subnets in 2 separate VPCs. Create a VM with 2 network interfaces (NICs), with each NIC
drops traffic based on the scan connected to the subnet in each VPC. Create custom routes in each VPC to send traffic destined for each
results. subnet originating in the opposite subnet through the VM.
D. Create the 2 subnets in the same VPC. Create 2 VMs running the 3rd party scanning software, with one in
each of the subnets. Create custom routes in the VPC to send traffic destined for each subnet originating in
the opposite subnet through the VM in the opposite subnet.
Which configuration satisfies
these requirements?
3.6 Diagnostic Question 10
Networking in Google Cloud: Defining Internal TCP/UDP load balancers as next hops | L
and implementing networks oad Balancing
● M1 Google Cloud VPC networking
fundamentals Setting up Internal TCP/UDP Load Balancing for
● M3 Sharing networks across projects third-party appliances
Networking in Google Cloud: Hybrid connectivity
and network management
● M3 Network design and deployment Packet Mirroring overview | VPC
● M4 Network monitoring and troubleshooting Using Packet Mirroring | VPC
Monitoring Packet Mirroring | VPC
Section 4:
Implementing hybrid
interconnectivity
4.1 Diagnostic Question 01
You are setting up a Dedicated Interconnect connection and need A. 1 200 Gbps circuit
to provide the highest capacity possible. B. 2 100 Gbps circuits
C. 8 10 Gbps circuits
D. 8 50 Gbps circuits
Cymbal Bank wants to achieve 99.9% A. 2 100 Gbps connections in separate edge availability zones of the co-
availability with Dedicated Interconnect. location facility, 4 50 Gbps VLAN attachments
You want to support 100 Gbps of B. 2 100 Gbps connections in separate edge availability zones of the co-
throughput, even if a single interconnect location facility, 2 100 Gbps VLAN attachments
connection were to fail.
C. 1 200 Gbps connection in a single edge availability zone of the co-
location facility, 4 50 Gbps VLAN attachments
What is the simplest and least expensive D. 2 50 Gbps connections in separate edge availability zones of the co-
configuration that can meet these location facility, 4 25 Gbps VLAN attachments
requirements?
Proprietary + Confidential
Cymbal Bank is connecting one A. Create the Cloud Routers in the Shared
of their Shared VPC networks to VPC host project and the VLAN attachments
their on-premises network via in the Shared VPC service projects.
Dedicated Interconnect. B. Create the VLAN attachments and Cloud Routers in the Shared VPC host
project.
C. Create the VLAN attachments in the Shared VPC host project and the Cloud
Routers in the Shared VPC service projects.
Select the recommended D. Create the VLAN attachments and Cloud Routers in the Shared VPC service
approach for configuring their projects.
VLAN attachments and Cloud
Routers.
4.2 Diagnostic Question 05
Cymbal Bank is connecting a branch office A. Configure an HA VPN gateway to connect to the on-premises gateway
with an old VPN gateway that doesn’t and use dynamic routing.
support BGP. The old VPN gateway only B. Configure a Classic VPN gateway to connect to the on-premises gateway
supports IKEv1 and does not support local using static routing with a route-based tunnel.
and remote traffic selectors to be
C. Configure a Classic VPN gateway to connect to the on-premises gateway
configured as 0.0.0.0/0.
using static routing with a policy-based tunnel with local and remote
traffic selectors matching the office VPN but reversed.
D. Configure a Classic VPN gateway to connect to the on premise gateway
Which configuration option can satisfy
and use dynamic routing.
these requirements?
4.2 Diagnostic Question 06
You are using the gcloud tool to create a A. A Cloud Router with default route advertisements
Classic VPN with static routing and a B. A Cloud Router with a custom route advertisements including the range
route-based tunnel. The on-premises 192.168.1.0/24
resources are all in the 192.168.1.0/24
C. A route with destination 192.168.1.0/24 and next hop set to the VPN
range. You have issued commands to
gateway
create the VPN gateway, IP addresses,
forwarding rules, and the VPN tunnel. D. A route with destination 0.0.0.0/0 and next hop set to the VPN gateway
Cymbal Bank is connecting a branch office A. An external VPN gateway resource with 2 interfaces, a Cloud
with a modern VPN gateway that supports Router in the same region, a cloud HA VPN gateway with one tunnel
BGP to Google Cloud in a region. The office from each interface to each external VPN gateway interface, and BGP
VPN gateway has two interfaces and only sessions for both tunnels
requires a single tunnel to each to provide B. An external VPN gateway resource with 2 interfaces, 2 Cloud Routers in the same
99.99% availability. region, a cloud HA VPN gateway with one tunnel from each interface to each external
VPN gateway interface, and BGP sessions for both tunnels
C. An external VPN gateway resource with 4 interfaces, a Cloud Router in the same
region, 2 cloud HA VPN gateway with one tunnel from each interface to each external
VPN gateway interface, and BGP sessions for all 4 tunnels
Select the simplest Google Cloud VPN D. An external VPN gateway resource with 4 interfaces, 2 Cloud Routers in the same
configuration that will provide 99.99% region, 2 cloud HA VPN gateways with one tunnel from each interface to each external
availability. VPN gateway interface, and BGP sessions for all 4 tunnels
Proprietary + Confidential
You have an HA VPN gateway with 2 A. Remove the BGP session for one of the HA VPN tunnels.
interfaces in active/active mode. You would B. Disable the BGP session for one of the HA VPN tunnels.
like to reconfigure them to active/passive
C. Update the base advertised route priorities for both of the HA VPN
mode.
tunnels’ BGP sessions.
D. Update the base advertised route priority for one of the HA VPN
tunnel’s BGP sessions.
Cymbal Bank has a Cloud Router in a region; A. Update the Cloud Router custom
the VPC advertises some of its subnets. The advertisements by advertising the IP ranges
VPC advertises none of the subnets in other for all the subnets across all regions, then
regions. You require an update to advertise all update the configured list whenever subnets are added or removed.
subnets in all regions for that VPC. You also B. Check the dynamic routing mode of the VPC and update it to global if it is
want to automatically advertise newly added currently regional. Update the Cloud Router custom advertisements by
subnets, as well as stop advertising removed advertising the IP ranges for all the subnets across all regions, then update the
subnets in the future. configured list whenever subnets are added or removed.
C. Check the dynamic routing mode of the VPC and update it to global if it is
currently regional. Configure the Cloud Router to default advertisement mode.
Select the simplest configuration that will D. Check the dynamic routing mode of the VPC and update it to regional if it is
accomplish this goal. currently global. Configure the Cloud Router to default advertisement mode.
4.3 Diagnostic Question 10
Cymbal Bank would like to achieve 99.99% A. 1 Cloud Router in one region with the VPC in regional
availability for their Dedicated Interconnect dynamic routing mode
link from an on-premises network to their B. 2 Cloud Routers in one region, with the VPC in global
VPC. dynamic routing mode
C. 2 Cloud Routers in 2 distinct regions, with the VPC in
regional dynamic routing mode
D. 2 Cloud Routers in 2 distinct regions, with the VPC in global
Select the configuration that will achieve dynamic routing mode.
this.
Proprietary + Confidential
Documentation
4.3 Configuring Cloud Router
Cloud Router overview
Creating Cloud Routers
Establishing BGP sessions | Cloud Router
Courses Skill Badges Updating the base advertised route priority | Cloud Ro
uter
Networking in Google Cloud
Custom route advertisements introduction | Cloud Ro
● Course labs uter
Google Cloud
Cymbal Bank needs to log all cache hits and misses A. Enable logging on the backend bucket
for their static assets served from Cloud CDN via and configure logging sample rate to 1.0.
an HTTP(S) load balancer backend bucket. B. Use the default behavior, no configuration required.
C. Enable logging on the backend bucket.
D. Configure the logging sample rate on the backend bucket to
What should you do? 1.0.
5.1 Diagnostic Question 02
C. vpn.googleapis.com/network/sent_bytes_count,
Select the metrics that vpn.googleapis.com/network/received_bytes_count
would be important to
include in the alerting D. vpn.googleapis.com/network/sent_packets_count,
vpn.googleapis.com/network/received_packets_count,
policies.
vpn.googleapis.com/network/dropped_received_packets_count,
vpn.googleapis.com/network/network/dropped_sent_packets_count
Proprietary + Confidential
Cymbal Bank has set up A. Enable the Firewall Insights API. Enable the Firewall
firewall rules for a VPC. You Rules logging for all rules. Configure an observation
period starting immediately and lasting 24h. After 24h
want to monitor them to
have passed, view the Firewall Insights Deny rules with hits page.
determine which Deny rules
are triggering to block traffic B. Enable the Firewall Insights API. Configure an observation period starting immediately and
over the next 24 hours. lasting 24h. After 24h have passed, view the Firewall Insights Deny rules with hits page.
C. Enable the Firewall Insights API. After 24h have passed, view the Firewall Insights Deny rules
with hits page.
Select the simplest setup
and process to accomplish D. Enable Firewall Rules logging for all rules. Configure an observation period starting
immediately and lasting 24h. After 24h have passed, view the Firewall Insights Deny rules with
this.
hits page.
5.2 Diagnostic Question 04
C. Use the Policy Analyzer with scope set to Organization, and resource set to the VPC,
and role set to Network Admin.
Select the simplest setup D. Use the Policy Analyzer with scope set to Organization, resource set to the VPC,
and process to accomplish role set to Network Admin, and identity set to all users and groups.
this.
Proprietary + Confidential
You are using VPC flow logs to analyze traffic A. Configure them with a sampling rate of 0.1 and a filter expression for the connection
arriving at a subnet. You need to capture source and destination IP within the IP range of the subnet.
approximately 10% of the traffic and
B. Configure them with a sampling rate of 1.0 and a filter expression for the connection
determine how much traffic originates from source and destination IP within the IP range of the subnet.
outside the subnet. The VPC flow logs have
already been enabled for the subnet. You want C. Configure them with a sampling rate of 0.1 and a filter expression for the connection
to use the least expensive process. destination IP within the IP range of the subnet.
D. Configure them with a sampling rate of 1.0 and a filter expression for the connection
destination IP within the IP range of the subnet.
You are debugging a Layer 2 Partner Interconnect A. Check the ASN configuration of the on-premises router and
connection that is indicating a failure to create a the Cloud Router.
BGP session in the Cloud Router for the associated
B. Check the BGP keepalive timer configuration of the Cloud
VLAN attachments. Router.
You are trying to debug a connectivity issue A. Disable Firewall rules one by one in all combinations to
between VMs in the same VPC using internal IP determine the problem.
addresses. The issue began immediately after
B. Remove static routes one by one in all combinations to determine
configuring routes and firewall rules. the problem.
Google Cloud Networking in Networking in Build and secure Network Sample questions
Fundamentals: Core Google Cloud: Google Cloud: networks in Google performance and
Infrastructure Defining and Hybrid connectivity Cloud optimization Skill
implementing and network Skill Badge Badge Review
networks management documentation
Security and Identity
Fundamentals
Skill Badge
Weekly study plan
Now, consider what you’ve learned about your knowledge and skills through
the diagnostic questions in this course. You should have a better
understanding of what areas you need to focus on and what resources are
available.
Use the template that follows to plan your study goals for each week.
Consider:
● What exam guide section(s) or topic area(s) will you focus on?
● What courses (or specific modules) will help you learn more?
● What Skill Badges or labs will you work on for hands-on practice?
● What documentation links will you review?
● What additional resources will you use - such as sample questions?
You may do some or all of these study activities each week.
Duplicate the weekly template for the number of weeks in your individual
preparation journey.
Weekly study template (example)
Area(s) of focus: Configuring VPCs
Courses/modules Networking in Google Cloud: Defining and implementing networks M1, M2, M3
to complete: Networking in Google Cloud: Hybrid connectivity and network management M3
Courses/modules
to complete:
Skill Badges/labs
to complete:
Documentation
to review:
Additional study: