You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command. Which next hop should you choose?
A. The default internet gateway
B. The IP address of the Cloud VPN gateway
C. The name and region of the Cloud VPN tunnel
D. The IP address of the instance on the remote side of the VPN tunnel
Correct Answer is (C):
When you create a route-based tunnel using the Cloud Console, Classic VPN performs both of the following tasks:
Sets the tunnel's local and remote traffic selectors to any IP address (0.0.0.0/0)
For each range in Remote network IP ranges, Google Cloud creates a custom static route whose destination (prefix) is the range's CIDR, and whose next hop is the tunnel.
https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns
Option B is correct because in a policy-based VPN, routing is based on policies that are defined for each connection. These policies specify the source IP ranges, destination IP ranges, and protocols that are permitted for a connection. Because policy-based routing is used, traffic must be sent to the IP address of the Cloud VPN gateway so that the appropriate policy can be applied and the traffic can be forwarded to the on-premises resource. Therefore, the next hop for the static route should be the IP address of the Cloud VPN gateway.
Option A, choosing the default internet gateway, is incorrect because it would direct traffic to the public internet rather than the on-premises resource behind the VPN gateway.
Option C, choosing the name and region of the Cloud VPN tunnel, is also incorrect because it specifies the VPN tunnel itself rather than the next hop for traffic to reach the on-premises resource behind the VPN gateway.
Option D, choosing the IP address of the instance on the remote side of the VPN tunnel, is incorrect because it would not account for any policy-based routing or routing rules that may be in place on the VPN gateway. Additionally, it assumes that there is only one instance on the remote side of the VPN tunnel, which may not be the case.
The name and region of the Cloud VPN tunnel are used when defining the static route via the gcloud command to ensure the traffic uses the correct tunnel.
I think C is correct.
We can use the gcloud compute routes create command.
The options of this command can be used to achieve the objective.
https://cloud.google.com/sdk/gcloud/reference/compute/routes/create
Sets the tunnel's local and remote traffic selectors to any IP address (0.0.0.0/0).
For each range in Remote network IP ranges, Google Cloud creates a custom static route whose destination (prefix) is the range's CIDR and whose next hop is the tunnel.
Likely C. The gcloud certainly supports that parameter. https://cloud.google.com/sdk/gcloud/reference/compute/routes/create
Worth mentioning that this applies only to the "classic VPN" product that will be phased out in March 2022. HA VPN cannot be referenced that way (they do not support static routes, BGP only).
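The gcloud equivalent of the per-range routes described in the documentation quoted above, as an added example that is not part of the original thread. The function name, the GCLOUD dry-run switch and the tunnel, region, network and CIDR values in the usage comment are constructed for illustration.

```shell
# Added example. One custom static route per remote range, with the Classic VPN
# tunnel (name + region) as next hop, as the Console does for a route-based tunnel.
# GCLOUD is a hypothetical switch: unset, commands are only printed (dry run);
# set GCLOUD=gcloud to create the routes in the active project.

# Usage (constructed values):
#   create_vpn_routes onprem-tunnel us-central1 prod-vpc 10.20.0.0/16 192.168.50.0/24
create_vpn_routes() {
  local tunnel region network cidr name rc
  tunnel=$1; region=$2; network=$3
  shift 3
  rc=0
  for cidr in "$@"; do
    # Shape check only: digits, dots and exactly one slash with text on both
    # sides. gcloud performs the real CIDR validation when the route is created.
    case $cidr in
      *[!0-9./]*|*/*/*|/*|*/|"")
        echo "invalid range: $cidr" >&2; rc=1; continue ;;
      */*) ;;
      *)
        echo "invalid range (no prefix length): $cidr" >&2; rc=1; continue ;;
    esac
    # Route names may contain lowercase letters, digits and hyphens only.
    name="${tunnel}-to-$(printf '%s' "$cidr" | sed 's|[./]|-|g')"
    # Next hop is the tunnel itself, not a gateway or peer IP address.
    ${GCLOUD:-echo gcloud} compute routes create "$name" \
      --network="$network" \
      --destination-range="$cidr" \
      --next-hop-vpn-tunnel="$tunnel" \
      --next-hop-vpn-tunnel-region="$region" || rc=1
  done
  return $rc
}
```

Review the printed commands before setting GCLOUD=gcloud; a destination range that is too broad would pull unrelated traffic into the tunnel.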