You are adding steps to a working automation that uses a service account to authenticate. You need to give the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?
A. Grant the compute.instanceAdmin to your user account.
B. Grant the iam.serviceAccountUser to your user account.
C. Grant the read-only privilege to the service account for the Cloud Storage bucket.
D. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.
You want to configure load balancing for an internet-facing, standard voice-over-IP (VOIP) application.
Which type of load balancer should you use?
A. HTTP(S) load balancer
B. Network load balancer
C. Internal TCP/UDP load balancer
D. TCP/SSL proxy load balancer
In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.
What should you do?
A. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
B. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.
C. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.
D. Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.
What should you do?
A. Assign each user the editor role.
B. Assign each user the compute.networkAdmin role.
C. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
D. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?
A. Manually patch some of the instances, and then perform a rolling restart on the instance group.
B. Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.
C. Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.
D. Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.
You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale.
How should you provision your instances?
A. Create a single managed instance group, specify the desired region, and select Multiple zones for the location.
B. Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.
C. Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.
D. Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.
Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency.
How should you design this topology?
A. Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.
B. Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.
C. Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.
D. Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)
A. Turn on Private Google Access at the subnet level.
B. Turn on Private Google Access at the VPC level.
C. Turn on Private Services Access at the VPC level.
D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
E. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
You work for a university that is migrating to GCP.
These are the cloud requirements:
• On-premises connectivity with 10 Gbps
• Lowest latency access to the cloud
• Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?
A. Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
B. Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.
C. Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.
D. Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.
Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?
A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
B. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users.
What should you do?
A. Create a Cloud Armor Policy rule that denies traffic and review necessary logs.
B. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.
C. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.
D. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.
You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.
How should you configure the Distribution VPC?
A. Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.
B. Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.
C. Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.
D. Rename the default VPC as "Distribution" and peer it via network peering.
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging.
When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?
A. Check the VPC flow logs for the instance.
B. Try connecting to the instance via SSH, and check the logs.
C. Create a new firewall rule to allow traffic from port 22, and enable logs.
D. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.
You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.
Which session affinity should you choose?
A. None
B. Client IP
C. Client IP and protocol
D. Client IP, port and protocol
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
• Each on-premises router is configured with a unique ASN.
• Each on-premises router is configured with the same routes and priorities.
• Both on-premises routers are configured with a VPN connected to a single Cloud Router.
• BGP sessions are established between both on-premises routers and the Cloud Router.
• Only 1 of the on-premises router's routes are being added to the routing table.
What is the most likely cause of this problem?
A. The on-premises routers are configured with the same routes.
B. A firewall is blocking the traffic across the second VPN connection.
C. You do not have a load balancer to load-balance the network traffic.
D. The ASNs being used on the on-premises routers are different.
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?
A. Assign members of the networking team the compute.networkUser role.
B. Assign members of the networking team the compute.networkAdmin role.
C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules.
Your organization requires using the least privilege necessary.
Which level of permissions should you request?
A. Security Admin privileges from the Shared VPC Admin.
B. Service Project Admin privileges from the Shared VPC Admin.
C. Shared VPC Admin privileges from the Organization Admin.
D. Organization Admin privileges from the Organization Admin.
You are increasing your usage of Cloud VPN between on-premises and GCP, and you want to support more traffic than a single tunnel can handle. You want to increase the available bandwidth using Cloud VPN.
What should you do?
A. Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.
B. Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address.
C. Add a second on-premises VPN gateway with a different public IP address. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.
D. Add a second Cloud VPN gateway in a different region than the existing VPN gateway. Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?
A. Assign a public IP address to the instance.
B. Create a route to reach the Master, pointing to the default internet gateway.
C. Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
D. Create the appropriate master authorized network entries to allow the instance to communicate to the master.
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.
How should you configure the health check?
A. Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
B. Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
C. Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.
D. Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.
Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow.
Your company requires end-to-end encryption, but you do not have access to the SSL certificates.
Which Google Cloud load balancer should you use?
A. SSL proxy load balancer
B. Network load balancer
C. HTTPS load balancer
D. TCP proxy load balancer
Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year.
These are the assumptions for both GCP environments.
• Each organization has enabled full connectivity between all of its projects by using Shared VPC.
• Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.
• There are no prefix overlaps between the two organizations.
• Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.
• Neither organization has Interconnects to their on-premises environment.
You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.
Which two steps should you take? (Choose two.)
A. Provision Cloud Interconnect to connect both organizations together.
B. Set up some variant of DNS forwarding and zone transfers in each organization.
C. Connect VPCs in both organizations using Cloud VPN together with Cloud Router.
D. Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.
E. Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?
A. Open the Cloud Shell and SSH into the instance using gcloud compute ssh.
B. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
C. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
D. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
You want to create a service in GCP using IPv6.
What should you do?
A. Create the instance with the designated IPv6 address.
B. Configure a TCP Proxy with the designated IPv6 address.
C. Configure a global load balancer with the designated IPv6 address.
D. Configure an internal load balancer with the designated IPv6 address.
You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT.
What is the most likely cause of this problem?
A. The instance has been configured with multiple interfaces.
B. An external IP address has been configured on the instance.
C. You have created static routes that use RFC1918 ranges.
D. The instance is accessible by a load balancer external IP address.