This exam assesses knowledge of designing, implementing, and managing cloud-based networking solutions. Topics include VPC design, hybrid connectivity, firewall configuration, load balancing, DNS, routing, monitoring, and security. Candidates must demonstrate the ability to build and maintain scalable, secure, and efficient cloud networks in alignment with business needs.
Question 1. Which VPC mode automatically creates subnets in each region with a /20 CIDR block?
A) Custom mode
B) Auto mode
C) Shared VPC mode
D) Legacy mode
Answer: B
Explanation: Auto mode VPCs automatically generate one subnet per region, each with a predefined /20 CIDR block, simplifying initial network setup.

Question 2. In a Shared VPC architecture, which project owns the network resources such as subnets and firewall rules?
A) Service project
B) Host project
C) Both projects equally
D) Neither; they are owned by Google Cloud
Answer: B
Explanation: The host project contains the VPC network, subnets, and firewall policies that are shared with service projects.

Question 3. What is the maximum number of VPC network peerings allowed per VPC?
A) 5
B) 10
C) 25
D) 50
Answer: C
Explanation: A single VPC can have up to 25 active peering connections, subject to quota limits.

Question 4. Which IP address range is considered non-RFC 1918 and therefore not recommended for internal workloads?
A) 10.0.0.0/
B) 172.16.0.0/
C) 192.168.0.0/
D) 100.64.0.0/
Answer: D
Explanation: 100.64.0.0/10 is reserved for carrier-grade NAT, not for private internal addressing, unlike the RFC 1918 ranges.

Question 5. When configuring a Cloud Router for dynamic routing, which protocol is used to exchange routes with on-premises devices?
A) OSPF
B) RIP
C) BGP
D) EIGRP
Answer: C
Explanation: Cloud Router uses Border Gateway Protocol (BGP) to advertise and learn routes dynamically.

Question 6. In VPC routing, a route with a lower priority value is considered:
A) Higher priority
B) Lower priority
C) Ignored
D) Equivalent to any other route
Answer: A
Explanation: Lower numeric priority values take precedence over higher values when multiple routes match traffic.

Question 7. Which of the following tags can be used to apply a firewall rule to a specific group of VMs?

C) Providing secondary IP ranges for containers and pods
D) Reserving IPs for future use
Answer: C
Explanation: Alias IPs let you allocate secondary CIDR blocks to a VM, enabling container-native networking such as GKE pod IPs.

Question 11. Which firewall rule priority number will cause the rule to be evaluated before a rule with priority 1000?
A) 2000
B) 1500
C) 900
D) 1000
Answer: C
Explanation: Lower numeric priority values are evaluated first; 900 is evaluated before 1000.

Question 12. A hierarchical firewall policy is applied at which level of the resource hierarchy?
A) Project only
B) Organization, folder, or project
C) VPC network only
D) Subnet level only
Answer: B
Explanation: Hierarchical firewall policies can be attached to an organization, folder, or project, propagating downwards.

Question 13. Private Google Access enables:
A) Access to Google APIs from on-premises over the internet
B) Access to Google APIs from VMs without external IPs
C) Public internet access from VMs with only internal IPs
D) Direct peering with Google’s backbone
Answer: B
Explanation: Private Google Access allows VMs that only have internal IPs to reach Google APIs and services via Google’s internal network.

Question 14. Which service provides private, fully managed connectivity to Google APIs without using public IP addresses?
A) Cloud VPN
B) Private Service Connect (PSC)
C) Cloud Interconnect
D) Cloud NAT
Answer: B
Explanation: PSC creates a private endpoint within a VPC that forwards traffic to Google APIs, keeping it off the public internet.

Question 15. VPC Service Controls primarily protect against:
A) DDoS attacks
B) Data exfiltration from Google Cloud services
C) Unauthorized SSH access
D) Misconfigured firewall rules
Answer: B
Explanation: VPC Service Controls create service perimeters that restrict data movement to and from Google-managed services, mitigating exfiltration.

Question 16. Which load balancer type can distribute traffic across multiple continents with a single anycast IP?
A) Regional TCP/UDP Load Balancer
B) Internal HTTP(S) Load Balancer
C) Global External HTTP(S) Load Balancer
D) Network Load Balancer
Answer: C

Question 20. Cloud CDN caches content at edge locations. Which cache-control header tells the CDN to cache content for 1 hour?
A) Cache-Control: no-store
B) Cache-Control: max-age=
C) Expires: 0
D) Pragma: no-cache
Answer: B
Explanation: max-age=3600 instructs caches, including Cloud CDN, to store the response for 3600 seconds (1 hour).

Question 21. To provide outbound internet access for VMs without external IPs, you should configure:
A) Cloud VPN
B) Cloud NAT
C) Cloud Interconnect
D) Cloud Load Balancing
Answer: B
Explanation: Cloud NAT translates internal IPs to a pool of external IPs, allowing private VMs to initiate outbound connections.

Question 22. Which Cloud VPN configuration provides a 99.99% SLA?
A) Classic VPN with a single tunnel
B) HA VPN with two tunnels per tunnel group
C) VPN over Cloud Interconnect
D) Site-to-site VPN using IKEv1 only
Answer: B
Explanation: HA VPN creates two active tunnels across separate Google Cloud regions, delivering a 99.99% availability SLA.

Question 23. In an HA VPN tunnel, which protocol is used for key exchange?
A) IKEv2 only
B) IKEv1 only
C) Both IKEv1 and IKEv2 are supported
D) No key exchange required
Answer: C
Explanation: HA VPN supports both IKEv1 and IKEv2, allowing flexibility with on-premises devices.

Question 24. Dedicated Interconnect provides which of the following physical connection speeds?
A) 1 Gbps only
B) 10 Gbps and 100 Gbps
C) 5 Gbps and 20 Gbps
D) 50 Gbps only
Answer: B
Explanation: Dedicated Interconnect offers link capacities of 10 Gbps or 100 Gbps via partner-provisioned fiber.

Question 25. Which Interconnect option is best when you need a quick, low-cost connection without owning fiber?
A) Dedicated Interconnect
B) Partner Interconnect
C) Direct Peering
D) Carrier Peering
Answer: B
Explanation: Partner Interconnect leverages a service provider’s existing infrastructure, offering a faster and cheaper setup than dedicated fiber.

Question 26. Direct Peering is primarily used for:
A) Connecting to Google Cloud via a carrier’s MPLS network
B) Establishing a BGP session with Google’s edge routers using a private ASN

D) Cloud Storage buckets
Answer: C
Explanation: IAP secures web applications and APIs that are accessed via HTTP(S) by enforcing identity-based access control.

Question 30. Cloud IDS is a managed service that provides:
A) DDoS mitigation
B) Intrusion detection using signature-based analysis of VPC flow logs
C) Automatic firewall rule generation
D) SSL/TLS termination for load balancers
Answer: B
Explanation: Cloud IDS inspects traffic mirrored from VPCs, applying threat signatures to detect malicious activity.

Question 31. Packet mirroring is required for Cloud IDS because:
A) IDS needs a copy of traffic to analyze without affecting the original flow
B) Mirroring reduces latency for all packets
C) Mirroring encrypts traffic for security
D) Mirroring enables NAT translation
Answer: A
Explanation: Packet mirroring duplicates traffic to a collector (e.g., Cloud IDS) so that inspection can occur offline.

Question 32. Which log type contains detailed information about every accepted and denied connection in a VPC?
A) Cloud Audit Logs
B) VPC Flow Logs
C) Cloud DNS Logs
D) Cloud NAT Logs
Answer: B
Explanation: VPC Flow Logs record metadata about each network flow, including source/destination IPs, ports, protocol, and action.

Question 33. In Cloud Monitoring, which metric would you use to detect packet loss on a VM’s network interface?
A) compute.googleapis.com/instance/network/received_bytes_count
B) compute.googleapis.com/instance/network/received_packets_count
C) compute.googleapis.com/instance/network/packet_loss_rate
D) compute.googleapis.com/instance/network/sent_bytes_count
Answer: C
Explanation: The packet_loss_rate metric reports the percentage of packets lost, useful for diagnosing connectivity issues.

Question 34. The Connectivity Test tool in Network Intelligence Center verifies:
A) DNSSEC validation
B) Whether two endpoints can communicate given current firewall and routing rules
C) Load balancer health check status
D) Cloud NAT address utilization
Answer: B
Explanation: Connectivity Tests simulate traffic between source and destination to identify configuration gaps such as missing firewall rules.

Question 35. When troubleshooting a GKE cluster’s pod-to-pod traffic, which Kubernetes object controls allowed traffic flows?
A) Service Account
B) NetworkPolicy
C) Ingress
D) ConfigMap
Answer: B
Explanation: NetworkPolicy resources define how pods are allowed to communicate with each other, enforcing isolation at the network layer.

Question 39. What is the purpose of the “next hop IP” field in a custom static route?
A) To specify the destination subnet
B) To define the next router the packet should be sent to
C) To set the priority of the route
D) To assign a firewall rule ID
Answer: B
Explanation: The next hop IP tells the VPC where to forward packets that match the route’s destination CIDR.

Question 40. In a dual-stack VPC, which statement is true about IPv6 address allocation?
A) IPv6 addresses are automatically assigned to all VMs without configuration
B) IPv6 subnets must be created separately from IPv4 subnets
C) IPv6 can only be used for load balancer front-ends, not VM interfaces
D) IPv6 addresses are derived from the IPv4 CIDR block
Answer: B
Explanation: IPv6 subnets are defined independently of IPv4 subnets; you must create them explicitly to allocate IPv6 addresses.

Question 41. Which of the following best describes the purpose of a “service attachment” in Private Service Connect?
A) It defines a DNS forwarder for private zones
B) It represents a consumer-side endpoint that forwards traffic to a provider service
C) It is a firewall rule that blocks all inbound traffic
D) It creates a VPN tunnel between two VPCs
Answer: B
Explanation: A service attachment is a producer-side configuration that exposes a service via PSC, allowing consumers to connect through a private endpoint.

Question 42. To limit the number of connections per second from a single IP address to a load-balanced backend, you would configure:
A) Cloud Armor rate-limiting rule
B) Firewall rule with connection-limit flag
C) Backend service’s max-connections setting
D) Health check with aggressive interval
Answer: A
Explanation: Cloud Armor can enforce rate-limiting based on source IP, protecting backends from traffic spikes.

Question 43. Which metric in Cloud Monitoring indicates the number of active sessions on a TCP load balancer?
A) loadbalancing.googleapis.com/https/active_sessions_count
B) loadbalancing.googleapis.com/tcp/active_connections
C) compute.googleapis.com/instance/network/tcp_connections
D) network.googleapis.com/tcp/connection_rate
Answer: B
Explanation: The tcp/active_connections metric tracks currently open TCP connections handled by the load balancer.

Question 44. When using Cloud NAT, which of the following statements is accurate regarding source IP translation?
A) Each VM gets a unique external IP from the NAT pool
B) All VMs in a subnet share the same NAT IP unless multiple NATs are configured
C) NAT does not translate source IPs, only destination IPs
D) NAT can only be used with static external IPs
Answer: B
Explanation: By default, Cloud NAT uses a single external IP per NAT gateway for all VMs in the configured subnet range, though you can configure multiple NAT gateways for higher address diversity.

Question 48. Which of the following is a valid use case for Cloud Interconnect’s “partner” option?
A) Connecting a single VM to a Google API
B) Establishing a low-latency, high-throughput link for a multi-region enterprise with no direct fiber access
C) Providing a backup internet connection for a small startup
D) Enabling direct peering with Google’s edge routers
Answer: B
Explanation: Partner Interconnect is ideal for enterprises that need high-capacity, low-latency connectivity but cannot install dedicated fiber themselves.

Question 49. When configuring a Global External HTTP(S) Load Balancer, which component defines the mapping between request URLs and backend services?
A) URL map
B) Backend bucket
C) Frontend configuration
D) SSL certificate
Answer: A
Explanation: The URL map contains host and path rules that route incoming requests to specific backend services.

Question 50. In Cloud DNS, what is the effect of enabling “DNS forwarding” for a private zone?
A) Queries for unknown zones are forwarded to an on-premises DNS server
B) All queries are resolved using Google’s public DNS resolvers
C) DNSSEC validation is disabled
D) The zone becomes publicly accessible
Answer: A
Explanation: DNS forwarding allows a private zone to forward queries for external domains to a specified upstream DNS server.

Question 51. Which of the following is true about a “service perimeter” in VPC Service Controls?
A) It automatically encrypts all data in transit
B) It restricts access to Google Cloud services based on IP address ranges only
C) It defines a boundary that prevents data from leaving the perimeter unless explicitly allowed
D) It replaces firewall rules for VPC networks
Answer: C
Explanation: Service perimeters create a logical boundary that blocks data exfiltration to external services unless an egress rule is defined.

Question 52. To mitigate a volumetric DDoS attack targeting a web application, which Google Cloud feature should you enable first?
A) Cloud NAT
B) Cloud Armor with an “under-attack” policy
C) VPC Flow Logs
D) Cloud IDS
Answer: B
Explanation: Cloud Armor’s “under-attack” mode provides immediate protection against large-scale DDoS by rate-limiting and presenting a challenge page.

Question 53. Which of the following best describes a “stateful” firewall rule in GCP?
A) It tracks connection state and allows return traffic automatically
B) It blocks all traffic regardless of connection state
C) It only inspects the first packet of a flow
D) It requires explicit rules for both inbound and outbound directions
Answer: A
Explanation: GCP firewall rules are stateful; once a connection is allowed in one direction, return traffic is permitted without an additional rule.

Question 57. Which Cloud Armor rule type can be used to block traffic from known malicious IP addresses listed in a Google-maintained threat feed?
A) IP denylist
B) Geo-block rule
C) Rate-limit rule
D) ReCAPTCHA protection rule
Answer: A
Explanation: IP denylist rules let you block traffic from specific IPs or CIDR ranges, often populated from threat intelligence feeds.

Question 58. In a VPC network, which component determines whether traffic is allowed to cross subnets?
A) VPC firewall rules
B) Subnet CIDR overlap
C) Cloud Router BGP policies
D) Service accounts
Answer: A
Explanation: Firewall rules are evaluated for traffic moving between subnets; if no rule permits the traffic, it is denied by default.

Question 59. Which of the following is NOT a valid target for a VPC firewall rule?
A) Network tag
B) Service account email
C) Instance name
D) All instances in the network (no target)
Answer: C
Explanation: Firewall rules cannot target specific instance names; they target tags, service accounts, or the entire network.

Question 60. When configuring a Cloud NAT gateway, what does the “min-ports per VM” setting control?
A) Minimum number of NAT ports reserved for each VM to reduce port exhaustion
B) Minimum number of simultaneous connections a VM can open
C) Minimum number of external IP addresses assigned to the NAT
D) Minimum bandwidth allocated to each VM
Answer: A
Explanation: The min-ports per VM setting ensures each VM has a guaranteed pool of NAT ports, preventing port exhaustion under heavy outbound traffic.

Question 61. Which of the following is a prerequisite for using Cloud IDS?
A) Enabling VPC Flow Logs on the subnet(s) to be inspected
B) Deploying a Cloud NAT gateway
C) Creating a Private Service Connect endpoint
D) Configuring a Cloud VPN tunnel
Answer: A
Explanation: Cloud IDS relies on mirrored traffic; enabling VPC Flow Logs (or packet mirroring) is required to provide data for inspection.

Question 62. In the context of GKE networking, which CNI plugin enables “VPC-native” (alias-IP) pod networking?
A) Calico
B) Flannel
C) GKE-VPC-native (alias-IP)
D) Weave Net
Answer: C
Explanation: GKE’s VPC-native mode uses alias IP ranges to allocate pod IPs directly from the VPC subnet, providing native L3 routing.

Question 63. Which of the following best describes the purpose of the “Network Service Tier” setting?