ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Network Engineer All Questions

View all questions & answers for the Professional Cloud Network Engineer exam
Go to Exam

Exam Professional Cloud Network Engineer topic 1 question 115 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 115
Topic #: 1
[All Professional Cloud Network Engineer Questions]

Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:

• Certain data must stay in the project where it is stored and not be exfiltrated to other projects.
• Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.
• All DNS resolution must be done on-premises.
• The solution should only provide access to APIs that are compatible with VPC Service Controls.

What should you do?

  • A. 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
    2. Create a CNAME record for *.googleapis.com that points to the A record.
    3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
    4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.
  • B. 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
    2. Create a CNAME record for *.googleapis.com that points to the A record.
    3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
    4. Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.
  • C. 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
    2. Create a CNAME record for *.googleapis.com that points to the A record.
    3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
    4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.
  • D. 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
    2. Create a CNAME record for *.googleapis.com that points to the A record.
    3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
    4. Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by playpacman at Dec. 2, 2022, 12:48 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
pfilourenco
Highly Voted 2 years ago
Selected Answer: B
B it is.
upvoted 5 times
...
xhilmi
Most Recent 11 months, 4 weeks ago
Selected Answer: B
Choose B
upvoted 1 times
...
Thornadoo
1 year, 3 months ago
Selected Answer: B
A and D are eliminated as restricted.googleapis.com is the right URL (not private.googleapis.com) Between B and C, removing the default gateway at VPC does not help as this relates to on-premise. Instead opening a direct access to the API external IP address would enable the servers to access the API directly.
upvoted 3 times
...
didek1986
1 year, 4 months ago
Selected Answer: B
https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity#configure-firewall
upvoted 1 times
...
samuelmorher
1 year, 12 months ago
Selected Answer: D
I was posting a big explanation here but the website has failed and I am very lazy to write it again, so now I'll write the sort version. The correct Answer is D. Every GKE node reserves a CIDR network for it based in the pods per node number (I suppose that for routing purposes using iptables). To calculate it, just multiply the pods per node number * 2 and select the upper closer CIDR. 8 * 2 = 16, which fits into a /28 CIDR which has exactly 16 addresses. A 10 nodes cluster will require then 160 addresses which only fits in a /24 CIDR and above, so the only answer that match is the D. The other CIDR calculation match, even the services one. It uses a /22 CIDR and like it doesn't requires to reserve the network and broadcast addresses, it match the 1024 requirement. Best regards
upvoted 1 times
flyhighman
1 year, 12 months ago
This commentary should move to the question below.
upvoted 3 times
...
...
AzureDP900
2 years ago
B is right answer
upvoted 2 times
...
playpacman
2 years ago
B it is, as we need to allow traffic on the firewall on-prem. As well, we have to use restricted due to compatibility
upvoted 3 times
ccieman2016
2 years ago
Agree, B is correct. https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity
upvoted 5 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel