Google Cloud Network Assessment

The document consists of a series of diagnostic questions related to network engineering and Google Cloud configurations, with a focus on roles, VPC networks, VPN solutions, and GKE clusters. The user has a passing score of 40%, indicating a need for further review to achieve the required 80% passing score. The questions cover various scenarios requiring specific configurations and roles to ensure optimal performance and security in cloud networking.

Uploaded by

guptarpg.1784

Diagnostic questions

Your score: 10% Passing score: 80%

Unfortunately, you need at least an 80% to pass this assessment. Not to worry though, review your
answers and try again.

1.

Cymbal has a network support engineering team which will need access to create or change subnet
names, locations, and IP address ranges for some but not all subnetworks of a VPC network in a
Google Cloud project. Cymbal uses the principle of least privilege and would like to restrict
role-usage to Google predefined roles. Which role should be assigned to this group?

[Selected, incorrect] The Compute Network Admin role bound at the project level for the Project that owns the VPC
network.

The Compute Network Admin role bound at the resource level for the subnetworks of the VPC
network that will be created or changed by the team.

The Compute Admin role bound at the resource level for the subnetworks of the VPC network that
will be created or changed by the team.

The Compute Admin role bound at the project level for the project that owns the VPC network.

Incorrect. Assigning the role at the Project level will provide access to all VPC networks and
subnetworks. They only need access to some subnetworks of a specific VPC network.

2.

Cymbal needs to create one or more VPC networks to host their cloud services in 3 regions:
Northeastern US, Western Europe, and Southeast Asia. The services require bi-directional
inter-regional communication on port 8443. The services receive external internet traffic on port 443.
What is the minimal network topology in Google Cloud that would satisfy these requirements?

1 custom VPC network, with a subnet in each region. The VPC network has default firewall rules and
custom routes added to support the traffic requirements

[Selected, incorrect] 3 custom VPC networks, one in each region with one subnet each. The VPC networks all
connected with VPC peering with default firewall rules, and custom routes added to support the
traffic requirements

1 custom VPC network, with a subnet in each region. The VPC network has the default routes, and
the appropriate firewall rules added to support the traffic requirements

3 custom VPC networks, one in each region with one subnet each. The VPC networks all connected
with VPC peering with default routes, and firewall rules added to support the traffic requirements

Incorrect. A single VPC network with 3 subnets is the minimal topology to satisfy these
requirements.

3.

To reduce latency, you will be replacing an existing Cloud VPN Classic VPN connection. You will
connect your organization’s on-premises data center to Google Cloud resources in a VPC network
with all resources in a single subnet and region using private/internal IP connectivity. The connection
will need to support 1.5 Gbps of traffic. Due to cost considerations, you would like to order the
option that provides just enough bandwidth and not more but must have significantly lower latency
than the existing Cloud VPN connection. What should you use?

[Selected, incorrect] A 10 Gbps Dedicated Interconnect connection with one 10 Gbps VLAN attachment

A Partner Interconnect connection with 1 or 2 VLAN attachments

A Cloud VPN HA VPN connection with Cloud Router.

A 2 Gbps Dedicated Interconnect connection with one 2 Gbps VLAN attachment

This option will not be the lowest cost as it involves purchasing the 10 Gbps connection. Only 1.5
Gbps is required and can be purchased at lower cost through Partner Interconnect.

4.

Cymbal wants to ensure communication from their on-premises data centers to the GKE control
plane stays private using internal IP communication and their Dedicated Interconnect links.
However, they will need to allow administrators to periodically connect to the cluster control plane
from remote internet-accessible locations that don’t have access to the on-premises private
network. You want to select a configuration and connection approach that will enable these
requirements while providing the highest security. What should you do?

Deploy a private GKE cluster with public endpoint access enabled and authorized networks enabled.
Configure authorized networks for the cluster to include all remote source IP ranges that
administrators may connect from.

Deploy a private GKE cluster with public endpoint access disabled. Create a VM in the same subnet
with only an internal IP address and provide IAP tunnel based SSH access to remote administrators
for this VM. Have remote administrators connect via IAP tunnel SSH to this VM when requiring
access to the GKE cluster control plane.

Deploy a private GKE cluster with public endpoint access enabled and authorized networks disabled

[Selected, incorrect] Deploy a private GKE cluster with public endpoint access disabled. Provide remote
administrators IAP tunnel based SSH access to a node in the cluster. Have remote administrators
connect via an IAP tunnel SSH to this node when requiring access to the GKE cluster control plane.

Incorrect. Though satisfying requirements, this approach is slightly less secure than approach C as it
provides direct node access to the remote administrators when only control plane access is required.
(Option C only provides access to the control plane without access to the nodes.)

5.
You are designing a VPN solution to connect Cymbal’s on-premises data center to Google Cloud. You
have a BGP-capable VPN gateway installed in the data center and require 99.99% availability for the
VPN link. What Cloud VPN configuration meets these requirements while requiring the least setup
and maintenance?

Classic VPN with policy-based static routing.

[Selected, incorrect] Classic VPN with Cloud Router and dynamic routing.

Classic VPN with route-based static routing.

HA VPN with Cloud Router and dynamic routing

Incorrect. This configuration does not provide the required availability. It can only provide 99.9%
availability.

6.

Sarah is a network architect. They are responsible for the network design between Cymbal’s
on-premises network and Google Cloud resources, and also between Cymbal’s Google Cloud resources
and a partner company’s Google Cloud resources. These connections must provide private IP
connectivity and support up to 100 Gbps of data exchange with minimum possible latency. Which
options satisfy these requirements? (select 2 of the options)

Note: To get credit for a multiple-select question, you must select all of the correct options and none of the incorrect ones.

[Selected, incorrect] A Shared VPC network connecting Google Cloud resources for Cymbal and the partner company

Incorrect. A Shared VPC network cannot be used to connect resources across separate organizations.

[Selected, incorrect] A Cloud VPN tunnel between Cymbal’s on-premises network and their Google Cloud VPC
network.

Incorrect. Cloud VPN maximum bandwidth is 3 Gbps per tunnel, which is considerably less than the
100 Gbps that is required. Also Cloud VPN has significantly more latency than Cloud Interconnect
and Dedicated Interconnect.

A Dedicated Interconnect connection between Cymbal’s on-premises network and their Google
Cloud VPC network.

VPC peering between VPC networks for Cymbal and the partner company.

50 Cloud VPN tunnels between Cymbal’s on-premises network and their Google Cloud VPC
network.

7.

You are a network engineer designing a solution for hosting a Cymbal web application in Google
Cloud. The application will serve a collection of static and dynamic web resources served over HTTPS
to users worldwide. You need to design a solution that maximizes availability while minimizing
average user latency. Which of the following features of Google Cloud networking can you utilize?
(select 2)

[Selected, correct] An Application Load Balancer with a backend service connected to a set of regional MIGs,
distributed over the regions closest to the users, to improve availability and minimize latency.

Correct! Using an HTTPS LB with a backend service connected to a set of regional MIGs distributed
over the regions closest to the users would ensure high availability and minimal average user latency
for serving dynamic web resources.

Cloud NAT could be used to provide outbound connectivity to the internet for resources with only
internal IP addresses, thereby increasing their availability.

Network Intelligence Center could be used to provide network insights, enabling the web application
to be deployed in a configuration with maximum availability and minimal latency.

Google Cloud Armor could be used to provide protection against DDoS and injection attacks and
thereby minimize solution latency.

[Selected, correct] Cloud CDN could be used to cache static content resources at edge locations close to
end-users, increasing their availability and minimizing their latency.

Correct! Cloud CDN can be used to cache static content at edge locations. This would help maximize
the availability and minimize the average latency for end users accessing those resources.

8.

You are a network engineer designing a network IP plan and need to select an IP address range to
use for a subnet. The subnet will need to host up to 2000 virtual machines, each to be assigned one
IP address from the subnet range. It will also need to fit in the network IP range 10.1.0.0/16 and be
as small as possible. What subnet range should you use?

10.1.240.0/21

10.1.1.0/21

[Selected, incorrect] 10.1.240.0/20

10.1.1.0/24

Incorrect. This range has 4080 IP addresses. However, 10.1.240.0/21 can host up to 2040 IP
addresses and is therefore a better fit.

9.

You need to create a GKE cluster, be able to connect to pod IP addresses from your on-premises
environment, and control access to pods directly using firewall rules. You will need to support 300
nodes, 30000 pods, and 2000 services. Which configuration satisfies these requirements?

A GKE route-based cluster in a subnet with primary IP range 10.0.240.0/20 and pod IP range of
10.252.0.0/14.

[Selected, incorrect] A GKE VPC-native cluster in a subnet with primary IP range 10.0.240.0/20, pod IP range of
10.252.0.0/16, and service IP range of 10.0.224.0/20

A GKE VPC-native cluster in a subnet with primary IP range 10.0.240.0/20, pod IP range of
10.252.0.0/15, and service IP range of 10.0.224.0/20

A GKE route-based cluster in a subnet with primary IP range 10.0.240.0/20 and pod IP range of
10.1.0.0/16

Incorrect. This option will satisfy the first 2 requirements (being a VPC-native cluster), but the pod IP
range will not be sufficient to hold the required number of nodes and pods.

10.

You are selecting Google Cloud locations to deploy Google Cloud VMs. You have general
requirements to maximize availability and reduce average user latency with a lower priority goal of
reducing networking costs. The users served by these VMs will be in Toronto and Montreal. You
must deploy workloads requiring instances at 99.5% availability in Toronto and 99.99% availability in
Montreal. These instances all exchange a large amount of traffic among themselves. Which
deployment option satisfies these requirements?

Deploy instances in a single zone in the northamerica-northeast1 (Montreal) and
northamerica-northeast2 (Toronto) regions.

[Selected, incorrect] Deploy instances in a single zone in the northamerica-northeast1 (Montreal) region and multiple
zones in the northamerica-northeast2 (Toronto) region.

Deploy instances in multiple zones in the northamerica-northeast1 (Montreal) and
northamerica-northeast2 (Toronto) regions.

Deploy instances in multiple zones in the northamerica-northeast1 (Montreal) region and a single
zone in the northamerica-northeast2 (Toronto).

Incorrect. This would provide higher than necessary availability in Toronto and increase the
networking costs in that region by incurring inter-zone traffic. It would also not provide the required
availability in Montreal as single-zone deployments would not provide 99.99% availability.

Diagnostic questions

Your score: 40% Passing score: 80%

Unfortunately, you need at least an 80% to pass this assessment. Not to worry though, review your
answers and try again.

1.
You need to create a GKE cluster, be able to connect to pod IP addresses from your on-premises
environment, and control access to pods directly using firewall rules. You will need to support 300
nodes, 30000 pods, and 2000 services. Which configuration satisfies these requirements?

A GKE route-based cluster in a subnet with primary IP range 10.0.240.0/20 and pod IP range of
10.252.0.0/14.

[Selected, correct] A GKE VPC-native cluster in a subnet with primary IP range 10.0.240.0/20, pod IP range of
10.252.0.0/15, and service IP range of 10.0.224.0/20

A GKE VPC-native cluster in a subnet with primary IP range 10.0.240.0/20, pod IP range of
10.252.0.0/16, and service IP range of 10.0.224.0/20

A GKE route-based cluster in a subnet with primary IP range 10.0.240.0/20 and pod IP range of
10.1.0.0/16

Correct! This option will satisfy all requirements. A VPC-native cluster will satisfy the first 2
requirements and the provided ranges will support the required number of nodes, pods, and
services.

2.

Cymbal wants to ensure communication from their on-premises data centers to the GKE control
plane stays private using internal IP communication and their Dedicated Interconnect links.
However, they will need to allow administrators to periodically connect to the cluster control plane
from remote internet-accessible locations that don’t have access to the on-premises private
network. You want to select a configuration and connection approach that will enable these
requirements while providing the highest security. What should you do?

[Selected, incorrect] Deploy a private GKE cluster with public endpoint access enabled and authorized networks
disabled

Deploy a private GKE cluster with public endpoint access disabled. Provide remote administrators
IAP tunnel based SSH access to a node in the cluster. Have remote administrators connect via an IAP
tunnel SSH to this node when requiring access to the GKE cluster control plane.

Deploy a private GKE cluster with public endpoint access disabled. Create a VM in the same subnet
with only an internal IP address and provide IAP tunnel based SSH access to remote administrators
for this VM. Have remote administrators connect via IAP tunnel SSH to this VM when requiring
access to the GKE cluster control plane.

Deploy a private GKE cluster with public endpoint access enabled and authorized networks enabled.
Configure authorized networks for the cluster to include all remote source IP ranges that
administrators may connect from.

Incorrect. This option satisfies the requirements; however, it is the least secure option because it
provides access to the control plane from any public IP address.

3.
You are designing a VPN solution to connect Cymbal’s on-premises data center to Google Cloud. You
have a BGP-capable VPN gateway installed in the data center and require 99.99% availability for the
VPN link. What Cloud VPN configuration meets these requirements while requiring the least setup
and maintenance?

Classic VPN with route-based static routing.

[Selected, correct] HA VPN with Cloud Router and dynamic routing

Classic VPN with Cloud Router and dynamic routing.

Classic VPN with policy-based static routing.

Correct! This configuration can provide the required availability of 99.99%. It also minimizes setup
and maintenance configuration by using dynamic routing.

4.

You are a network engineer designing a solution for hosting a Cymbal web application in Google
Cloud. The application will serve a collection of static and dynamic web resources served over HTTPS
to users worldwide. You need to design a solution that maximizes availability while minimizing
average user latency. Which of the following features of Google Cloud networking can you utilize?
(select 2)

Google Cloud Armor could be used to provide protection against DDoS and injection attacks and
thereby minimize solution latency.

Cloud NAT could be used to provide outbound connectivity to the internet for resources with only
internal IP addresses, thereby increasing their availability.

[Selected, correct] An Application Load Balancer with a backend service connected to a set of regional MIGs,
distributed over the regions closest to the users, to improve availability and minimize latency.

Correct! Using an HTTPS LB with a backend service connected to a set of regional MIGs distributed
over the regions closest to the users would ensure high availability and minimal average user latency
for serving dynamic web resources.

Network Intelligence Center could be used to provide network insights, enabling the web application
to be deployed in a configuration with maximum availability and minimal latency.

[Selected, correct] Cloud CDN could be used to cache static content resources at edge locations close to
end-users, increasing their availability and minimizing their latency.

Correct! Cloud CDN can be used to cache static content at edge locations. This would help maximize
the availability and minimize the average latency for end users accessing those resources.

5.

Cymbal has a network support engineering team which will need access to create or change subnet
names, locations, and IP address ranges for some but not all subnetworks of a VPC network in a
Google Cloud project. Cymbal uses the principle of least privilege and would like to restrict
role-usage to Google predefined roles. Which role should be assigned to this group?

The Compute Admin role bound at the project level for the project that owns the VPC network.

The Compute Admin role bound at the resource level for the subnetworks of the VPC network that
will be created or changed by the team.

[Selected, correct] The Compute Network Admin role bound at the resource level for the subnetworks of the VPC
network that will be created or changed by the team.

The Compute Network Admin role bound at the project level for the Project that owns the VPC
network.

Correct! The Compute Network Admin role is the minimum predefined role that provides the
necessary permissions. Assigning it for just the applicable subnetworks rather than at the project
level ensures that it will only apply to those subnetworks - and not all VPC networks and
subnetworks in the project.

6.

You are selecting Google Cloud locations to deploy Google Cloud VMs. You have general
requirements to maximize availability and reduce average user latency with a lower priority goal of
reducing networking costs. The users served by these VMs will be in Toronto and Montreal. You
must deploy workloads requiring instances at 99.5% availability in Toronto and 99.99% availability in
Montreal. These instances all exchange a large amount of traffic among themselves. Which
deployment option satisfies these requirements?

[Selected, incorrect] Deploy instances in multiple zones in the northamerica-northeast1 (Montreal) and
northamerica-northeast2 (Toronto) regions.

Deploy instances in multiple zones in the northamerica-northeast1 (Montreal) region and a single
zone in the northamerica-northeast2 (Toronto).

Deploy instances in a single zone in the northamerica-northeast1 (Montreal) region and multiple
zones in the northamerica-northeast2 (Toronto) region.

Deploy instances in a single zone in the northamerica-northeast1 (Montreal) and
northamerica-northeast2 (Toronto) regions.

Incorrect. This would provide higher than necessary availability in Toronto and increase the
networking costs in that region by incurring inter-zone traffic.

7.

Sarah is a network architect. They are responsible for the network design between Cymbal’s
on-premises network and Google Cloud resources, and also between Cymbal’s Google Cloud resources
and a partner company’s Google Cloud resources. These connections must provide private IP
connectivity and support up to 100 Gbps of data exchange with minimum possible latency. Which
options satisfy these requirements? (select 2 of the options)

Note: To get credit for a multiple-select question, you must select all of the correct options and none of the incorrect ones.

[Selected, correct] VPC peering between VPC networks for Cymbal and the partner company.

Correct! VPC peering allows for private IP connectivity between Google Cloud resources across
organizations and is the lowest latency and highest bandwidth option for such connectivity.

[Selected, incorrect] 50 Cloud VPN tunnels between Cymbal’s on-premises network and their Google Cloud VPC
network.

Incorrect. Cloud VPN maximum bandwidth is 3 Gbps per tunnel; 50 tunnels would provide more than
the 100 Gbps that is required. However, Cloud VPN has significantly more latency than Cloud
Interconnect and Dedicated Interconnect.

A Dedicated Interconnect connection between Cymbal’s on-premises network and their Google
Cloud VPC network.

A Shared VPC network connecting Google Cloud resources for Cymbal and the partner company

A Cloud VPN tunnel between Cymbal’s on-premises network and their Google Cloud VPC
network.

8.

To reduce latency, you will be replacing an existing Cloud VPN Classic VPN connection. You will
connect your organization’s on-premises data center to Google Cloud resources in a VPC network
with all resources in a single subnet and region using private/internal IP connectivity. The connection
will need to support 1.5 Gbps of traffic. Due to cost considerations, you would like to order the
option that provides just enough bandwidth and not more but must have significantly lower latency
than the existing Cloud VPN connection. What should you use?

A Cloud VPN HA VPN connection with Cloud Router.

[Selected, incorrect] A 2 Gbps Dedicated Interconnect connection with one 2 Gbps VLAN attachment

A Partner Interconnect connection with 1 or 2 VLAN attachments

A 10 Gbps Dedicated Interconnect connection with one 10 Gbps VLAN attachment

This option is not possible. Dedicated Interconnect connections start at 10 Gbps.

9.

You are a network engineer designing a network IP plan and need to select an IP address range to
use for a subnet. The subnet will need to host up to 2000 virtual machines, each to be assigned one
IP address from the subnet range. It will also need to fit in the network IP range 10.1.0.0/16 and be
as small as possible. What subnet range should you use?

10.1.240.0/20

10.1.1.0/24

[Selected, incorrect] 10.1.1.0/21

10.1.240.0/21

Incorrect. This range is invalid; the 3rd byte of the range mask occupies the range.

10.

Cymbal needs to create one or more VPC networks to host their cloud services in 3 regions:
Northeastern US, Western Europe, and Southeast Asia. The services require bi-directional
inter-regional communication on port 8443. The services receive external internet traffic on port 443.
What is the minimal network topology in Google Cloud that would satisfy these requirements?

3 custom VPC networks, one in each region with one subnet each. The VPC networks all connected
with VPC peering with default routes, and firewall rules added to support the traffic requirements

1 custom VPC network, with a subnet in each region. The VPC network has the default routes, and
the appropriate firewall rules added to support the traffic requirements

3 custom VPC networks, one in each region with one subnet each. The VPC networks all connected
with VPC peering with default firewall rules, and custom routes added to support the traffic
requirements

[Selected, incorrect] 1 custom VPC network, with a subnet in each region. The VPC network has default firewall
rules and custom routes added to support the traffic requirements

Incorrect! The traffic requirements can be satisfied with the default routes but would require
additional firewall rules.

Diagnostic questions

Your score: 90% Passing score: 80%

Congratulations! You passed this assessment.

1.

You are a network engineer designing a network IP plan and need to select an IP address range to
use for a subnet. The subnet will need to host up to 2000 virtual machines, each to be assigned one
IP address from the subnet range. It will also need to fit in the network IP range 10.1.0.0/16 and be
as small as possible. What subnet range should you use?

[Selected, correct] 10.1.240.0/21

10.1.240.0/20

10.1.1.0/21

10.1.1.0/24

Correct! This range will satisfy the requirements. It has 2040 IP addresses and can therefore host
2000 virtual machines with one IP address per machine. It is the smallest range that could host this
number of VMs, and it fits within the network range of 10.1.0.0/16.

2.
You are a network engineer designing a solution for hosting a Cymbal web application in Google
Cloud. The application will serve a collection of static and dynamic web resources served over HTTPS
to users worldwide. You need to design a solution that maximizes availability while minimizing
average user latency. Which of the following features of Google Cloud networking can you utilize?
(select 2)

[Selected, correct] Cloud CDN could be used to cache static content resources at edge locations close to
end-users, increasing their availability and minimizing their latency.

Correct! Cloud CDN can be used to cache static content at edge locations. This would help maximize
the availability and minimize the average latency for end users accessing those resources.

Google Cloud Armor could be used to provide protection against DDoS and injection attacks and
thereby minimize solution latency.

[Selected, correct] An Application Load Balancer with a backend service connected to a set of regional MIGs,
distributed over the regions closest to the users, to improve availability and minimize latency.

Correct! Using an HTTPS LB with a backend service connected to a set of regional MIGs distributed
over the regions closest to the users would ensure high availability and minimal average user latency
for serving dynamic web resources.

Network Intelligence Center could be used to provide network insights, enabling the web application
to be deployed in a configuration with maximum availability and minimal latency.

Cloud NAT could be used to provide outbound connectivity to the internet for resources with only
internal IP addresses, thereby increasing their availability.

3.

Cymbal has a network support engineering team which will need access to create or change subnet
names, locations, and IP address ranges for some but not all subnetworks of a VPC network in a
Google Cloud project. Cymbal uses the principle of least privilege and would like to restrict
role-usage to Google predefined roles. Which role should be assigned to this group?

The Compute Network Admin role bound at the project level for the Project that owns the VPC
network.

The Compute Admin role bound at the resource level for the subnetworks of the VPC network that
will be created or changed by the team.

[Selected, correct] The Compute Network Admin role bound at the resource level for the subnetworks of the VPC
network that will be created or changed by the team.

The Compute Admin role bound at the project level for the project that owns the VPC network.

Correct! The Compute Network Admin role is the minimum predefined role that provides the
necessary permissions. Assigning it for just the applicable subnetworks rather than at the project
level ensures that it will only apply to those subnetworks - and not all VPC networks and
subnetworks in the project.

4.
Cymbal needs to create one or more VPC networks to host their cloud services in 3 regions:
Northeastern US, Western Europe, and Southeast Asia. The services require bi-directional
inter-regional communication on port 8443. The services receive external internet traffic on port 443.
What is the minimal network topology in Google Cloud that would satisfy these requirements?

1 custom VPC network, with a subnet in each region. The VPC network has default firewall rules and
custom routes added to support the traffic requirements

3 custom VPC networks, one in each region with one subnet each. The VPC networks all connected
with VPC peering with default firewall rules, and custom routes added to support the traffic
requirements

[Selected, correct] 1 custom VPC network, with a subnet in each region. The VPC network has the default routes,
and the appropriate firewall rules added to support the traffic requirements

3 custom VPC networks, one in each region with one subnet each. The VPC networks all connected
with VPC peering with default routes, and firewall rules added to support the traffic requirements

Correct! This is the correct minimal topology satisfying the requirements.

5.

You are selecting Google Cloud locations to deploy Google Cloud VMs. You have general
requirements to maximize availability and reduce average user latency with a lower priority goal of
reducing networking costs. The users served by these VMs will be in Toronto and Montreal. You
must deploy workloads requiring instances at 99.5% availability in Toronto and 99.99% availability in
Montreal. These instances all exchange a large amount of traffic among themselves. Which
deployment option satisfies these requirements?

Deploy instances in a single zone in the northamerica-northeast1 (Montreal) and
northamerica-northeast2 (Toronto) regions.

Deploy instances in a single zone in the northamerica-northeast1 (Montreal) region and multiple
zones in the northamerica-northeast2 (Toronto) region.

[Selected, correct] Deploy instances in multiple zones in the northamerica-northeast1 (Montreal) region and a
single zone in the northamerica-northeast2 (Toronto).

Deploy instances in multiple zones in the northamerica-northeast1 (Montreal) and
northamerica-northeast2 (Toronto) regions.

Correct! This satisfies the availability, latency and cost requirements. It ensures the lowest possible
latency for users in Toronto and Montreal. It provides the desired availability (99.5% in Toronto and
99.99% in Montreal). By minimizing inter-zone network traffic, this solution minimizes networking
costs.

6.

To reduce latency, you will be replacing an existing Cloud VPN Classic VPN connection. You will
connect your organization’s on-premises data center to Google Cloud resources in a VPC network
with all resources in a single subnet and region using private/internal IP connectivity. The connection
will need to support 1.5 Gbps of traffic. Due to cost considerations, you would like to order the
option that provides just enough bandwidth and not more but must have significantly lower latency
than the existing Cloud VPN connection. What should you use?

[Selected, incorrect] A Cloud VPN HA VPN connection with Cloud Router.

A 10 Gbps Dedicated Interconnect connection with one 10 Gbps VLAN attachment

A Partner Interconnect connection with 1 or 2 VLAN attachments

A 2 Gbps Dedicated Interconnect connection with one 2 Gbps VLAN attachment

This option will be inexpensive but would not reduce the latency significantly relative to the Cloud
VPN Classic VPN connection.

7.

Sarah is a network architect. They are responsible for the network design between Cymbal’s
on-premises network and Google Cloud resources, and also between Cymbal’s Google Cloud resources
and a partner company’s Google Cloud resources. These connections must provide private IP
connectivity and support up to 100 Gbps of data exchange with minimum possible latency. Which
options satisfy these requirements? (select 2 of the options)

A Cloud VPN tunnel between Cymbal’s on-premises network and their Google Cloud VPC network.

A Shared VPC network connecting Google Cloud resources for Cymbal and the partner company

50 Cloud VPN tunnels between Cymbal’s on-premises network and their Google Cloud VPC network.

✓ A Dedicated Interconnect connection between Cymbal’s on-premises network and their
Google Cloud VPC network.

Correct! Dedicated Interconnect provides private IP connectivity with bandwidths ranging from
10-200 Gbps per interconnect link and has the lowest possible latency.

✓ VPC peering between VPC networks for Cymbal and the partner company.

Correct! VPC peering allows for private IP connectivity between Google Cloud resources across
organizations and is the lowest latency and highest bandwidth option for such connectivity.

8.

Cymbal wants to ensure communication from their on-premises data centers to the GKE control
plane stays private using internal IP communication and their Dedicated Interconnect links.
However, they will need to allow administrators to periodically connect to the cluster control plane
from remote internet-accessible locations that don’t have access to the on-premises private
network. You want to select a configuration and connection approach that will enable these
requirements while providing the highest security. What should you do?

Deploy a private GKE cluster with public endpoint access enabled and authorized networks enabled.
Configure authorized networks for the cluster to include all remote source IP ranges that
administrators may connect from.

✓ Deploy a private GKE cluster with public endpoint access disabled. Create a VM in the same
subnet with only an internal IP address and provide IAP tunnel based SSH access to remote
administrators for this VM. Have remote administrators connect via IAP tunnel SSH to this VM when
requiring access to the GKE cluster control plane.

Deploy a private GKE cluster with public endpoint access disabled. Provide remote administrators
IAP tunnel based SSH access to a node in the cluster. Have remote administrators connect via an IAP
tunnel SSH to this node when requiring access to the GKE cluster control plane.

Deploy a private GKE cluster with public endpoint access enabled and authorized networks disabled

Correct! This option satisfies the requirements in the most secure way by not providing any public
access to the control plane and no private access to the cluster nodes.

9.

You need to create a GKE cluster, be able to connect to pod IP addresses from your on-premises
environment, and control access to pods directly using firewall rules. You will need to support 300
nodes, 30000 pods, and 2000 services. Which configuration satisfies these requirements?

A GKE route-based cluster in a subnet with primary IP range 10.0.240.0/20 and pod IP range of
10.1.0.0/16

✓ A GKE VPC-native cluster in a subnet with primary IP range 10.0.240.0/20, pod IP range of
10.252.0.0/15, and service IP range of 10.0.224.0/20

A GKE route-based cluster in a subnet with primary IP range 10.0.240.0/20 and pod IP range of
10.252.0.0/14.

A GKE VPC-native cluster in a subnet with primary IP range 10.0.240.0/20, pod IP range of
10.252.0.0/16, and service IP range of 10.0.224.0/20

Correct! This option will satisfy all requirements. A VPC-native cluster will satisfy the first 2
requirements and the provided ranges will support the required number of nodes, pods, and
services.
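
The sizing behind this answer, as an added Python example that is not part of the original assessment: it checks the two VPC-native options against the stated requirements. It assumes GKE's default of 110 pods per node and a per-node pod block of at least twice the maximum pod count (a /24 at the default), neither of which the page states; the function and variable names are illustrative.

```python
import ipaddress

# Requirements stated in the question.
REQUIRED = {"nodes": 300, "pods": 30000, "services": 2000}

def per_node_prefix(max_pods: int) -> int:
    """Prefix of the pod block given to each node (assumed: at least 2x max pods)."""
    return 32 - (2 * max_pods - 1).bit_length()

def shortfalls(primary: str, pods: str, services: str, max_pods: int = 110) -> list:
    """Return the requirements a VPC-native range plan cannot meet."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in
            (("primary", primary), ("pods", pods), ("services", services))}
    problems = []
    # The primary, pod and service ranges must not overlap one another.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"overlap:{a}/{b}")
    # Node count is limited by node IPs (four addresses in the primary range
    # are reserved) and by how many per-node blocks fit in the pod range.
    by_primary = nets["primary"].num_addresses - 4
    diff = per_node_prefix(max_pods) - nets["pods"].prefixlen
    by_pods = 2 ** diff if diff >= 0 else 0
    max_nodes = min(by_primary, by_pods)
    if max_nodes < REQUIRED["nodes"]:
        problems.append("nodes")
    # Pods are counted on the required node count, not the cluster maximum.
    if min(max_nodes, REQUIRED["nodes"]) * max_pods < REQUIRED["pods"]:
        problems.append("pods")
    # One address per Service.
    if nets["services"].num_addresses < REQUIRED["services"]:
        problems.append("services")
    return problems

# The two VPC-native options from the question.
PLANS = {"/15 pods": ("10.0.240.0/20", "10.252.0.0/15", "10.0.224.0/20"),
         "/16 pods": ("10.0.240.0/20", "10.252.0.0/16", "10.0.224.0/20")}

if __name__ == "__main__":
    for label, plan in PLANS.items():
        print(label, shortfalls(*plan) or "meets all requirements")
```

Under these assumptions the /16 pod range holds only 256 per-node /24 blocks, which is why it falls short of 300 nodes while the /15 range (512 blocks) does not.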

10.

You are designing a VPN solution to connect Cymbal’s on-premises data center to Google Cloud. You
have a BGP-capable VPN gateway installed in the data center and require 99.99% availability for the
VPN link. What Cloud VPN configuration meets these requirements while requiring the least setup
and maintenance?

Classic VPN with policy-based static routing.

Classic VPN with Cloud Router and dynamic routing.

✓ HA VPN with Cloud Router and dynamic routing

Classic VPN with route-based static routing.


Correct! This configuration can provide the required availability of 99.99%. It also minimizes setup
and maintenance configuration by using dynamic routing.

Quiz

Your score: 100% Passing score: 66%

Congratulations! You passed this assessment.

1.

Why might a Google Cloud customer use resources in several regions around the world?

To earn discounts

To offer localized application versions in different regions.

✓ To bring their applications closer to users around the world, and for improved fault tolerance

To improve security

That is correct.

2.

What is the primary benefit to a Google Cloud customer of using resources in several zones within a
region?

For expanding services to customers in new areas

✓ For improved fault tolerance

For getting discounts on other zones

For better performance

Correct!

3.

What type of cloud computing service lets you bind your application code to libraries that give
access to the infrastructure your application needs?

✓ Platform as a service

Software as a service

Hybrid cloud

Infrastructure as a service

Virtualized data centers

Correct!
