D - Because you can't update the selectors after creating the VPN they need to be left open. This from GCP: When you create a route based tunnel using the Cloud Console, Classic VPN performs both of the following tasks: Sets the tunnel's local and remote traffic selectors to any IP address (0.0.0.0/0) For each range in Remote network IP ranges, Google Cloud creates a custom static route whose destination (prefix) is the range's CIDR, and whose next hop is the tunnel.

with route-based, you dont have to select local networks, only remote networks.. Answer should be B

-With route-based when using gcloud the local and remote selector are specified[1] -Also when using gcloud it is necessary to use commands to create the static routes[2] -It makes more sense selecting D, because that option will avoid having to modify the traffic selector when the network grows [1]https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns#:~:text=To%20configure%20a%20route%2Dbased%20VPN%20tunnel%2C%20run%20the%20following%20command%3A [2]If you use the gcloud CLI to create the tunnel, you must use additional gcloud commands to create the routes

Choose B. Explanation: Cloud VPN Instance: You need to create a Cloud VPN instance to establish the VPN connection between your on-premises network and GCP. Policy-Based VPN Tunnel: In this option, a policy-based VPN tunnel is chosen. This approach uses traffic selectors to determine which traffic should be sent over the VPN tunnel. It is a valid option, especially when dealing with non-BGP-capable on-premises VPN devices that support only IKEv2. Local and Remote Traffic Selectors: Configure the local and remote traffic selectors to match your on-premises and GCP networks. This ensures that the correct traffic is allowed through the VPN tunnel. Static Routes: Configure the appropriate static routes to direct traffic through the VPN tunnel. This is essential for routing traffic between your on-premises network and GCP.

To minimise operational downtime for future network growth you need to preselect all possible addresses - i.e. option D

hi can anyone send the PDF exam with answers and discussions to [email protected] thank you so much !

https://cloud.google.com/network-connectivity/docs/vpn/concepts/choosing-networks-routing

Final answer is B , only in policy based we can configure both remote and local ranges , and we can omit option A coz it cant be configured per subnet level

Cloud VPN disallows editing any traffic selectors after you have created a VPN. To change either the local or the remote traffic selector for a Cloud VPN tunnel, you must delete the tunnel and then re-create it. You do not have to delete the Cloud VPN gateway, though.

Option B is the correct answer. Since the on-premises VPN device is not BGP-capable, policy-based VPN is the only option. Also, following Google-recommended practices, a single policy-based VPN tunnel should be used instead of creating one per subnet.

You want to minimize downtime and operational overhead when your network grows For above, I may go with D

B. You don't specify dest Routes incase of Route based VPN tunnels. https://cloud.google.com/network-connectivity/docs/vpn/concepts/choosing-networks-routing#ts-tun-routing

D is correct answer for me. To support IKEv2 and reduce the operational overhead.

B. You don't specify dest Routes incase of Route based VPN tunnels.

Correct answer is B, select to any IP address (0.0.0.0/0) is not recommended solution.

The answer is : B If you check the settings for route based configuration you will find that you cant select local selectors and only provide remote address list. and as all answers provide the following sentence : "Configure the appropriate local and remote traffic selectors". This eliminates answer D as you cant select local selectors on route based VPN. "Route-based VPN. When you use the Google Cloud console to create a route-based VPN, you only specify a list of remote IP ranges. Those ranges are used only to create routes in your VPC network to peer resources."

The IKEv1 protocol only supports a single CIDR per Child SA as defined in RFC 2407 and RFC 2409. Because Cloud VPN requires a single Child SA per VPN tunnel, when you use IKEv1, you can only supply a single CIDR for the local traffic selector and a single CIDR for the remote traffic selector. When you create a policy-based Classic VPN tunnel, if you use IKEv2, you can specify multiple CIDRs per traffic selector. Cloud VPN always uses a single Child Security Association (SA), regardless of IKE version. https://cloud.google.com/network-connectivity/docs/vpn/concepts/choosing-networks-routing#ts-ip-ranges B should be better.