You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.
What should you do?
A. Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
B. Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
C. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
D. Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.
Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?
A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
B. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)
A. Turn on Private Google Access at the subnet level.
B. Turn on Private Google Access at the VPC level.
C. Turn on Private Services Access at the VPC level.
D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
E. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.
What should you do on your on-premises servers?
A. Tune TCP parameters on the on-premises servers.
B. Compress files using utilities like tar to reduce the size of data being sent.
C. Remove the -m flag from the gsutil command to enable single-threaded transfers.
D. Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET_NAME].
You work for a multinational enterprise that is moving to GCP.
These are the cloud requirements:
1. An on-premises data center located in the United States in Oregon and New York with Dedicated Interconnects connected to Cloud regions us-west1 (primary HQ) and us-east4 (backup)
2. Multiple regional offices in Europe and APAC
3. Regional data processing is required in europe-west1 and australia-southeast1
4. Centralized Network Administration Team
Your security and compliance team requires a virtual inline security appliance to perform L7 inspection for URL filtering. You want to deploy the appliance in us-west1.
What should you do?
A. Create 2 VPCs in a Shared VPC Host Project. Configure a 2-NIC instance in zone us-west1-a in the Host Project. Attach NIC0 in VPC #1 us-west1 subnet of the Host Project. Attach NIC1 in VPC #2 us-west1 subnet of the Host Project. Deploy the instance. Configure the necessary routes and firewall rules to pass traffic through the instance.
B. Create 2 VPCs in a Shared VPC Host Project. Configure a 2-NIC instance in zone us-west1-a in the Service Project. Attach NIC0 in VPC #1 us-west1 subnet of the Host Project. Attach NIC1 in VPC #2 us-west1 subnet of the Host Project. Deploy the instance. Configure the necessary routes and firewall rules to pass traffic through the instance.
C. Create 1 VPC in a Shared VPC Host Project. Configure a 2-NIC instance in zone us-west1-a in the Host Project. Attach NIC0 in us-west1 subnet of the Host Project. Attach NIC1 in us-west1 subnet of the Host Project. Deploy the instance. Configure the necessary routes and firewall rules to pass traffic through the instance.
D. Create 1 VPC in a Shared VPC Service Project. Configure a 2-NIC instance in zone us-west1-a in the Service Project. Attach NIC0 in us-west1 subnet of the Service Project. Attach NIC1 in us-west1 subnet of the Service Project. Deploy the instance. Configure the necessary routes and firewall rules to pass traffic through the instance.
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.
How should you configure the health check?
A. Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
B. Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
C. Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.
D. Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.
You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?
A. Manually patch some of the instances, and then perform a rolling restart on the instance group.
B. Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.
C. Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.
D. Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.
You are configuring a new instance of Cloud Router in your Organization's Google Cloud environment to allow connection across a new Dedicated Interconnect to your data center. Sales, Marketing, and IT each have a service project attached to the Organization's host project.
Where should you create the Cloud Router instance?
A. VPC network in all projects
B. VPC network in the IT Project
C. VPC network in the Host Project
D. VPC network in the Sales, Marketing, and IT Projects
Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
1. Each on-premises router is configured with the same ASN.
2. Each on-premises router is configured with the same routes and priorities.
3. Both on-premises routers are configured with a VPN connected to a single Cloud Router.
4. The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
5. BGP session is not established between one on-premises router and the Cloud Router.
What is the most likely cause of this problem?
A. One of the VPN sessions is configured incorrectly.
B. A firewall is blocking the traffic across the second VPN connection.
C. You do not have a load balancer to load-balance the network traffic.
D. BGP sessions are not established between both on-premises routers and the Cloud Router.
You are creating an instance group and need to create a new health check for HTTP(S) load balancing.
Which two methods can you use to accomplish this? (Choose two.)
A. Create a new health check using the gcloud command line tool.
B. Create a new health check using the VPC Network section in the GCP Console.
C. Create a new health check, or select an existing one, when you complete the load balancer's backend configuration in the GCP Console.
D. Create a new legacy health check using the gcloud command line tool.
E. Create a new legacy health check using the Health checks section in the GCP Console.