Exam Professional Cloud Network Engineer topic 1 question 103 discussion

I go with A. In my opinion C and D are wrong (on-premises DNS as an alternate DNS server?) B is also wrong: configure a DNS policy in the HUB VPC to allow inbound query forwarding from the spoke VPC. This is not needed " DNS peering runs in parallel with VPC Network Peering connections to allow name resolution between environments." A is correct, although is missing second part of requirements in the question (resolution from on-prem to Google Cloud). https://cloud.google.com/dns/docs/best-practices#hybrid-architecture-using-hub-vpc-network-connected-to-spoke-vpc-networks

C and D for me is wrong, no make sense DNS on premise like alternative. A is wrong, because inverted direction is necessary onpremise > cloud dns. B is next to solution, but one step is necessary to, and there isn't mention to DNS policy to allow DNS condicional forwarding from on premise. I'll go to B.

Option A is the best solution because it centralizes DNS management in the hub VPC and uses DNS forwarding and peering to ensure seamless DNS resolution for both Cloud DNS and on-premises resources.

Oh man so many wrong answers here :( - neither A and B are correct: A - Missing INBOUND POLICY --> on-prem to resolve GCP B - No forwarding to on-prem --> gcp can't resolve on-prem The only CORRECT answer is D: has INBOUND policy and Alternate DNS server --> that is forwarding to the on-prem if the on-prem can't be resolved by Cloud DNS

Answer is A: From the question - it's seems like the spoke private zones are already setup. So we just need to setup private zone in Hub, DNS peering to spokes, and forwarding to on-premise... If nothing has been done - this questions should have two choices: A&B

DNS policy in the HUB VPC to allow inbound query forwarding from the spoke VPC. This is not needed. so NOT B

A is the ans

https://cloud.google.com/architecture/deploy-hub-spoke-vpc-network-topology#vpn

In this option, a DNS policy is configured in the hub VPC to allow inbound query forwarding from the spoke VPCs. This allows the spoke VPCs to resolve private zones in the hub VPC. The spoke VPCs are then configured with a private zone and DNS peering is set up to the hub VPC. This enables name resolution from the on-premises data center to the spoke VPCs. Option A is incorrect because it only configures DNS forwarding from the hub VPC to the on-premises server and DNS peering from spoke VPCs to the hub VPC. It does not enable on-premises name resolution to the spoke VPCs.

• B. 1. Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs. PK: Just remember query forwarding ******* 2. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

B is the solution to received querys from on-prem, but still missing from cloud to on-prem... D is ok to forward DNS querys to on-prem. But will override any private zone configurations or default nameservers on a network. In this case B+D is the solution...

B could be right but how does outgoing traffic from GC to on-orem work