A.  

Open a Cloud Support ticket under the Cloud Interconnect category.

B.  

Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.

C.  

Run gcloud compute interconnects describe .

D.  

Check the email for the account of the NOC contact that you specified during the ordering process.

E.  

Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.

A.  

Configure the route advertisement to the default setting.

B.  

On the on-premises router, configure a static route for the storage API virtual IP address which points to the Cloud Router's link-local IP address.

C.  

Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Leave all other options as their default settings.

D.  

Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.

A.  

Use the default public domains for all Google APIs and services.

B.  

Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.

C.  

Use Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services.

D.  

Use Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.

A.  

HTTP(S) load balancer

B.  

Network load balancer

C.  

Internal TCP/UDP load balancer

D.  

TCP/SSL proxy load balancer

A.  

Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers.

In your Cloud Router, add a custom route advertisement for the IP 35.199.192.0/19 to the on-premises environment.

B.  

Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the Private zone to the on-premises DNS servers.

In your Cloud Router, add a custom route advertisement for the IP 169.254 169.254 to the on-premises environment.

C.  

Configure a Cloud DNS private zone in the host project of the Shared VP

C.  

Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project

In your Cloud Router, add a custom route advertisement for the IP 169.254 169 254 to the on-premises environment.

D.  

Configure a Cloud DNS private zone in the host project of the Shared VPC.

Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project.

Configure a DNS policy in the Shared VPC to allow inbound query forwarding with your on-premises DNS server as the alternative DNS server.

A.  

Use Firewall Insights, and enable insights for overly permissive rules.

B.  

Review Network Analyzer insights on the VPC network category.

C.  

Export all your Cloud NGFW rules into a CSV file and search for 0.0.0.0/0.

D.  

Run Connectivity Tests from multiple external sources to confirm that traffic is not allowed to ingress to your most critical services in Google Cloud.

A.  

Activate the Service Networking API in your project.

B.  

Activate the Cloud Datastore API in your project.

C.  

Create a private connection to a service producer.

D.  

Create a custom static route to allow the traffic to reach the Cloud SQL API.

E.  

Enable Private Google Access.

A.  

Create a design where each project has its own VPC. Ensure all VPCs are connected by a Network Connectivity Center hub that is centrally managed by the network team.

B.  

Create a design that implements a single Shared VPC. Use VPC firewall rules with secure tags to enforce micro-segmentation between environments.

C.  

Create a design that has one host project with a Shared VPC for the production environment, another host project with a Shared VPC for the non-production environment, and a service project that is associated with the corresponding host project for each initiative.

D.  

Create a design that has a Shared VPC for each project. Implement hierarchical firewall policies to apply micro-segmentation between VPCs.

A.  

Create a Cloud Armor Policy rule that denies traffic and review necessary logs.

B.  

Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.

C.  

Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.

D.  

Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.

A.  

The on-premises routers are configured with the same routes.

B.  

A firewall is blocking the traffic across the second VPN connection.

C.  

You do not have a load balancer to load-balance the network traffic.

D.  

The ASNs being used on the on-premises routers are different.

A.  

VPC peering

B.  

Shared VPC

C.  

Cloud VPN

D.  

Dedicated Interconnect

E.  

Cloud NAT

A.  

From the Google Cloud console, navigate to the Hybrid Connectivity select the Cloud Router, and view BGP sessions.

B.  

From the Cloud CLI, run gcloud compute –protect_ID router get—status mycloudrouter —-region REGION and review the results.

C.  

From the Google Cloud console, navigate to Cloud Logging to view VPC Flow Logs and review the results

D.  

From the Cloud CLI. run gcloud compute routers describe mycloudrouter

--region REGION and review the results

A.  

HTTP(S) load balancer

B.  

SSL proxy load balancer

C.  

TCP proxy load balancer

D.  

Network load balancer

A.  

Dynamic routing using Cloud Router

B.  

Route-based routing using default traffic selectors

C.  

Policy-based routing using a custom local traffic selector

D.  

Policy-based routing using the default local traffic selector

A.  

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters

B.  

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters

C.  

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and

D.  

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected --disable-default-snat, —enable-ip-alias, and—enable-private-nodes

A.  

Use a 4-byte private ASN 4200000000-4294967294.

B.  

Use a 2-byte private ASN 64512-65535.

C.  

Use a public Google ASN 15169.

D.  

Use a public Google ASN 16550.

A.  

Create a design that has a Shared VPC for each project. Implement hierarchical firewall policies to apply micro-segmentation between VPCs.

B.  

Create a design where each project has its own VPC. Ensure all VPCs are connected by a Network Connectivity Center hub that is centrally managed by the network team.

C.  

Create a design that implements a single Shared VP

C.  

D.  

Create a design that has one host project with a Shared VPC for the production environment, another host project with a Shared VPC for the non-production environment, and a service project that is associated with the corresponding host project for each initiative.

A.  

Q Update the pre-shared key (PSK) of the on-premises router’s VPN tunnel configuration to match the PSK of the Cloud HA VPN.

B.  

Q Update the on-premises router’s BGP router ID to reflect the link-local IP peer address assigned by Cloud Router.

C.  

Q Update the on-premises router’s Phase 1 and Phase 2 lifetime IKE parameters to match the values in the Cloud HA VPN documentation.

D.  

Q Update the on-premises router’s Diffie-Hellman groups and cipher proposal list to match the values in the Cloud HA VPN documentation.

A.  

Cloud NAT

B.  

An instance with IP forwarding enabled

C.  

An instance configured with iptables DNAT rules

D.  

An instance configured with iptables SNAT rules

A.  

Review the Ingress YAML file. Define the default backend. Reapply the YAML.

B.  

Review the Ingress YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML.

C.  

Review the Service YAML file. Define a default backend. Reapply the YAML.

D.  

Review the Service YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML.

A.  

Create custom learned routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

B.  

Create custom routes at the Cloud Router in the spokes to advertise the subnets of the VPC spokes.

C.  

Create a BGP route policy at the Cloud Router, and ensure the subnets of the VPC spokes are being announced towards the on-premises environment.

D.  

Create custom routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

A.  

The traffic is matching the expected ingress rule.

B.  

The traffic is matching the expected egress rule.

C.  

The traffic is not matching the expected ingress rule.

D.  

The traffic is not matching the expected egress rule.

A.  

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

B.  

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.

C.  

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

D.  

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

A.  

Validate that the Compute Engine instances are using the Metadata Service IP address as their resolver. Configure an outbound forwarding zone for the on-premises domain pointing to the on-premises DNS server. Configure Cloud Router to advertise the Cloud DNS proxy range to the on-premises network.

B.  

Validate that there is network connectivity to the on-premises environment and that the Compute Engine instances can reach other on-premises resources. If errors persist, remove the VPC Network Peerings and recreate the peerings after validating the routes.

C.  

Review the existing Cloud DNS zones, and validate that there is a route in the VPC directing traffic destined to the IP address of the DNS servers. Recreate the existing DNS forwarding zones to forward all queries to the on-premises DNS servers.

D.  

Ensure that the operating systems of the Compute Engine instances are configured to send DNS queries to the on-premises DNS servers directly.

A.  

Create a VPC and request static external IP addresses from Google Cloud Assagn the IP addresses to the Compute Engine instances. Notify your customers of the new IP addresses so they can update their DNS

B.  

Verify ownership of your IP addresses. After the verification, Google Cloud advertises and provisions the IP prefix for you_ Assign the IP addresses to the Compute Engine Instances

C.  

Create a VPC With the same IP address range as your on-premises network Asson the IP addresses to the Compute Engine Instances.

D.  

Verify ownership of your IP addresses. Use live migration to import the prefix Assign the IP addresses to Compute Engine instances.

A.  

Use Cloud Armor to blacklist the attacker’s IP addresses.

B.  

Increase the maximum autoscaling backend to accommodate the severe bursty traffic.

C.  

Create a global HTTP(s) load balancer and move your application backend to this load balancer.

D.  

Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.

E.  

SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.

A.  

Configure a global external Application Load Balancer with a Service Extension that points to an application running in a VM, which controls which requests go to each application.

B.  

Configure a global external Application Load Balancer with weighted traffic splitting.

C.  

Configure two separate global external Application Load Balancers, and use Cloud DNS geolocation routing policies.

D.  

Configure a global external Application Load Balancer with weighted request mirroring.

A.  

Configure a policy-based route rule to prioritize the traffic.

B.  

Configure an HTTP load balancer, and direct the traffic to it.

C.  

Configure Dynamic Routing for the subnet hosting the application.

D.  

Configure the TTL for the DNS zone to decrease the time between updates.

A.  

Assign a public IP address to the instance.

B.  

Create a route to reach the Master, pointing to the default internet gateway.

C.  

Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.

D.  

Create the appropriate master authorized network entries to allow the instance to communicate to the master.

A.  

Enable MACsec on Partner Interconnect.

B.  

Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same Cloud Router used for the Cloud Interconnect tier.

C.  

Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Create a new dedicated HA VPN Cloud Router peer VPN gateway resources and HA VPN tunnels.

D.  

Enable MACsec for Cloud Interconnect on the VLAN attachments.

A.  

Configure a firewall rule to permit Subnet-2 IP addresses outbound in the host protect VPC.

B.  

Configure Packet Mirroring in both the host and service project VPCs.

C.  

Configure a VPC Flow Logs filter for Subnet-2 in the host project VP

C.  

D.  

Configure VPC Flow Logs in the service project VPC for Subnet-2.

A.  

Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.

B.  

Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.

C.  

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.

D.  

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.

A.  

Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.

B.  

Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.

C.  

Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.

D.  

Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

A.  

Create a Private Service Connect endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

B.  

Create a firewall endpoint within the region, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

C.  

Create a firewall endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

D.  

Attach the profile to the VPC network, create a firewall endpoint within the zone, and use a firewall policy rule to apply the L7 inspection.

A.  

Create a Google Group for the WebServices Team.

B.  

Create a G Suite Domain for the WebServices Team.

C.  

Create a new Cloud Identity Domain for the WebServices Team.

D.  

Create a new Custom Role for all members of the WebServices Team.

A.  

Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.

Configure your on-premises firewall to accept traffic from 10.204.0.0/24.

Set a custom route advertisement on the Cloud Router for 10.204.0.0/24

B.  

Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168 20.88.

Configure your on-premises firewall to accept traffic from 35.199.192.0/19

Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

C.  

Create a private forwarding zone in Cloud DNS for ‘corp .altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.

Configure your on-premises firewall to accept traffic from 10.204.0.0/24.

Modify the /etc/resolv conf file on your Compute Engine instances to point to 192.168.20 88

D.  

Create a private zone in Cloud DNS for ‘corp altostrat.com’ called corp-altostrat-com.

Configure DNS Server Policies and create a policy with Alternate DNS servers to 192.168.20.88.

Configure your on-premises firewall to accept traffic from 35.199.192.0/19.

Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

A.  

GetIamPolicy() via REST API

B.  

setIamPolicy() via REST API

C.  

gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

D.  

gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

E.  

Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

A.  

(Q) • Deploy Cross-Cloud Interconnect connections between AWS and Google Cloud with 100 Gbps circuits.

• Create VLAN attachments in your VPC, configuring IPsec encryption on both sides of the connection.

• Use Cloud Router and BGP to exchange dynamic routes between AWS and Google Cloud.

B.  

Q • Deploy Dedicated Interconnect connections between Google Cloud and your on-premises data center with 100 Gbps circuits from Google Cloud to your on-premises data center.

• Deploy an AWS Direct Connect 100 Gbps circuit from AWS to your on-premises data center.

• Create VLAN attachments in your VPC, configuring IPsec encryption on both sides of the connection.

• Use Cloud Router and BGP to exchange dynamic routes between

C.  

Q • Deploy Dedicated Interconnect connections between Google Cloud and your on-premises data center with 100 Gbps circuits.

• Deploy an AWS Direct Connect 100 Gbps circuit from AWS to your on-premises data center as well.

• Create VLAN attachments in your VP

C.  

• Use Cloud Router and BGP to exchange dynamic routes between AWS, Google Cloud, and the on-premises data center.

• Remove the obsolete 10 Gbps circuits on Goo

D.  

Q • Deploy Cross-Cloud Interconnect connections between AWS and Google Cloud with 100 Gbps circuits.

• Enable MACsec for Cloud Interconnect on the circuits, and create VLAN attachments in your VPC.

• Use Cloud Router and BGP to exchange dynamic routes between AWS and Google Cloud.

A.  

• Create a Cloud VPN instance.• Create a policy-based VPN tunnel per subnet.• Configure the appropriate local and remote traffic selectors to match your local and remote networks.• Create the appropriate static routes.

B.  

• Create a Cloud VPN instance.• Create a policy-based VPN tunnel.• Configure the appropriate local and remote traffic selectors to match your local and remote networks.• Configure the appropriate static routes.

C.  

• Create a Cloud VPN instance.• Create a route-based VPN tunnel.• Configure the appropriate local and remote traffic selectors to match your local and remote networks.• Configure the appropriate static routes.

D.  

• Create a Cloud VPN instance.• Create a route-based VPN tunnel.• Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.• Configure the appropriate static routes.

A.  

Assign each user the editor role.

B.  

Assign each user the compute.networkAdmin role.

C.  

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.

D.  

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.

A.  

Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.

Configure DNS peering from the spoke VPCs to the hub VPC.

B.  

Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs.

Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

C.  

Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server.

Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs.

D.  

Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server.

Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

A.  

VPC flow logs

B.  

Firewall logs

C.  

Cloud Audit logs

D.  

Stackdriver Trace

E.  

Compute Engine instance system logs

A.  

Lower the TCP Established Connection Idle Timeout for the NAT gateway.

B.  

Add firewall rules that allow ingress and egress of the external NAT IP address, have a target tag that is on the Compute Engine instances, and have a priority value higher than the priority value of the default route to the VPN gateway.

C.  

Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel.

D.  

Increase the default min-ports-per-vm setting for the Cloud NAT gateway.

A.  

Enable firewall logging, and forward all filtered egress firewall logs to the IDS.

B.  

Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.

C.  

Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

D.  

Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

A.  

Create a design that uses a BGP multi-exit discriminator (MED) attribute to influence the egress path from Google Cloud to the on-premises environment.

B.  

Create a design that uses the as_path BGP attribute to influence the egress path from Google Cloud to the on-premises environment.

C.  

Create a design that uses an equal-cost multipath (ECMP) with flow-based hashing on your on-premises devices.

D.  

Create a design that uses the local_pref BGP attribute to influence the egress path from Google Cloud to the on-premises environment.

A.  

Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Clients should use this IP address to connect to the service.

B.  

Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[INSTANCE_NAME].[ZONE] .c.[PROJECT_ID].internal/.

C.  

Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Then, define an A record in Cloud DNS. Clients should use the name of the A record to connect to the service.

D.  

Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[API_NAME]/[API_VERSION] /.

A.  

Enable the Firewall Insights API. Set the deny rule insights observation period to one day. Review the insights to assure there are no firewall rules denying traffic.

B.  

Enable and review Cloud Logging on your Cloud NAT gateway. Look for logs with errors matching the destination IP address of the public SaaS provider.

C.  

Create a Connectivity Test by using TCP, the source IP address of your test VM, and the destination IP address of the public SaaS provider. Review the live data plane analysis and take the next steps based on the test results.

D.  

Enable and review Cloud Logging for Cloud Armor. Look for logs with errors matching the destination IP address of the public SaaS provider.

A.  

The default internet gateway

B.  

The IP address of the Cloud VPN gateway

C.  

The name and region of the Cloud VPN tunnel

D.  

The IP address of the instance on the remote side of the VPN tunnel

A.  

Assign a public IP address to the instance.

B.  

Assign a new reserved internal IP address to the instance.

C.  

Change the instance’s current internal IP address to static.

D.  

Add custom metadata to the instance with key internal-address and value reserved.

A.  

Create a new health check using the gcloud command line tool.

B.  

Create a new health check using the VPC Network section in the GCP Console.

C.  

Create a new health check, or select an existing one, when you complete the load balancer’s backend configuration in the GCP Console.

D.  

Create a new legacy health check using the gcloud command line tool.

E.  

Create a new legacy health check using the Health checks section in the GCP Console.

A.  

Create and associate a firewall policy with the Dev folder with a rule to open port 8080. Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.

B.  

Create a Shared VPC for the Dev projects and a Shared VPC for the Prod projects. Create a VPC firewall rule to open port 8080 in the Shared VPC for Dev. Create a firewall rule to deny traffic to port 8080 in the Shared VPC for Prod. Deploy VMs to those Shared VPCs.

C.  

In all VPCs for the Dev projects, create a VPC firewall rule to open port 8080. In all VPCs for the Prod projects, create a VPC firewall rule to deny traffic to port 8080.

D.  

Use Anthos Config Connector to enforce a security policy to open port 8080 on the Dev VMs and deny traffic to port 8080 on the Prod VMs.

A.  

Use one Dedicated Interconnect connection in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC.

B.  

Use a Direct Peering connection between your on-premises data center and Google Cloud. Configure Classic VPN with two tunnels and one Cloud Router.

C.  

Use two Dedicated Interconnect connections in a single metropolitan area. Configure one Cloud Router and enable global routing in the VP

C.  

D.  

Use HA VPN. Configure one tunnel from each Interface of the VPN gateway to connect to the corresponding interfaces on the peer gateway on-premises. Configure one Cloud Router and enable global routing in the VPC.

A.  

Q Set a GKE pod IP address range that fits in 10.0.0.0/8. Configure the —disable-def ault-snat. flag.

B.  

Q Set a GKE pod IP address range that fits in 10.0.0.0/8. Do not configure the —disable-def ault-snat flag.

C.  

Q Set a GKE pod IP address range that does not fit in 10.0.0.0/8. Do not configure the —disable-default-snat flag.

D.  

Q Set a GKE pod IP address range that does not fit in 10.0.0.0/8. Configure the —disable-default-snat flag.

A.  

Configure HA VPN by using high availability gateways and tunnels.

B.  

Configure Dedicated Interconnect by creating a VLAN attachment, activate the connection, and submit the pairing key to your service provider.

C.  

Configure Cross-Cloud Interconnect by creating a VLAN attachment, activate the connection, and then submit the pairing key to your service provider.

D.  

Configure Partner Interconnect by creating a VLAN attachment, submit the pairing key to your service provider, and activate the connection.

A.  

Grant the compute.instanceAdmin to your user account.

B.  

Grant the iam.serviceAccountUser to your user account.

C.  

Grant the read-only privilege to the service account for the Cloud Storage bucket.

D.  

Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.

A.  

Firewall rule direction: ingress

Action: allow

Target: VM B service account

Source ranges: VM A service account

Priority: 1000

B.  

Firewall rule direction: ingress

Action: allow

Target: specific VM B tag

Source ranges: VM A tag and VM A source IP address

Priority: 1000

C.  

Firewall rule direction: ingress

Action: allow

Target: VM A service account

Source ranges: VM B service account and VM B source IP address

Priority: 100

D.  

Firewall rule direction: ingress

Action: allow

Target: specific VM A tag

Source ranges: VM B tag and VM B source IP address

Priority: 100

A.  

Add an appropriate lifecycle rule on the storage bucket.

B.  

Issue a cache invalidation command with pattern /folder-a/*.

C.  

Make sure that all the objects with prefix folder-a are not shared publicly.

D.  

Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.

A.  

Delete the load balancer and backend services. Create a new passthrough Network Load Balancer. Configure a failover group of VMs for the backend.

B.  

Access a VM in the VPC through SSH and try to access a backend VM directly. If the request is successful from the VM, increase the quantity of backends.

C.  

Enable and review the health check logs. Review the error responses in Cloud Logging.

D.  

Validate the health of the backend service. Enable logging for the backend service and identify the error response in Cloud Logging. Determine the cause of the error by reviewing the statusDetails log field.

E.  

Validate the health of the backend service. Enable logging on the load balancer and identify the error response in Cloud Logging. Determine the cause of the error by reviewing the statusDetails log field.

A.  

Configure a /28 primary IP address range for the node IP addresses. Configure a (25 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services.

B.  

Configure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.

C.  

Configure a /28 primary IP address range for the node IP addresses. Configure a /28 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.

D.  

Configure a /28 primary IP address range for the node IP addresses. Configure a /24 secondary IP range for the Pads. Configure a /22 secondary IP range for the Services.

A.  

Configure VPC Service Controls and create a secure perimeter. Define fine-grained perimeter controls and enforce that security posture across your Google Cloud services and projects.

B.  

Configure a Google Cloud Armor security policy in your project, and attach it to the backend service to secure the application.

C.  

Configure VPC firewall rules to protect the Compute Engine instances against distributed denial-of-service attacks.

D.  

Configure hierarchical firewall rules for the global HTTP(S) load balancer public IP address at the organization level.

A.  

Q Use Network Intelligence Center Performance Dashboard to view the inter-region packet loss for your VPC.

B.  

O Install and run tcpdump on both instances, and calculate the latency between the two instances by comparing the timestamps in the packet captures.

C.  

Q Use Network Intelligence Center Performance Dashboard to view inter-region latency for the Google Cloud network.

D.  

Q Use Network Intelligence Center Connectivity Tests, run a test between the two VMs, and review the inter-region latency in the test results.

A.  

Configure the CACHE_MAX_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches content depending on responses from the backends.

B.  

Configure the USE_ORIGIN_HEADERS caching mode on Cloud CDN to ensure Cloud CDN caches content based on response headers from the backends.

C.  

Configure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches all static content as well as content defined by the backends.

D.  

Configure the FORCE_CACHE_ALL caching mode on Cloud CDN to ensure all appropriate content is cached.

A.  

Grant the team the two predefined IAM roles.

B.  

Create a custom IAM role that combines the permissions from the two relevant predefined roles.

C.  

Create a custom IAM role that includes only the required permissions from the predefined roles.

D.  

Grant the team the IAM roles of Kubernetes Engine Admin and Cloud SQL Admin.

A.  

Create a Cloud Armor security policy, and apply the predefined Open Worldwide Application Security Project (OWASP) rules to automatically implement the rate limit per client IP address.

B.  

Configure the load balancer to accept only the defined amount of requests per client IP address, increase the backend servers to support more traffic, and redirect traffic to a different backend to burst traffic.

C.  

Configure a VM with Linux, implement the rate limit through iptables, and use a firewall rule to send an HTTP 429 response to the client application.

D.  

Create a Cloud Armor security policy, and associate the policy with the load balancer. Configure the security policy's settings as follows: action: throttle, conform-action: allow, exceed-action: deny-429.

A.  

Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.

B.  

Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.

C.  

Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.

D.  

Rename the default VPC as "Distribution" and peer it via network peering.

A.  

Provision Cloud Interconnect to connect both organizations together.

B.  

Set up some variant of DNS forwarding and zone transfers in each organization.

C.  

Connect VPCs in both organizations using Cloud VPN together with Cloud Router.

D.  

Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.

E.  

Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.

A.  

• Create 2 VPCs in a Shared VPC Host Project.• Configure a 2-NIC instance in zone us-west1-a in the Host Project.• Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.• Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

B.  

• Create 2 VPCs in a Shared VPC Host Project.• Configure a 2-NIC instance in zone us-west1-a in the Service Project.• Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.• Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

C.  

• Create 1 VPC in a Shared VPC Host Project.• Configure a 2-NIC instance in zone us-west1-a in the Host Project.• Attach NIC0 in us-west1 subnet of the Host Project.• Attach NIC1 in us-west1 subnet of the Host Project• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

D.  

• Create 1 VPC in a Shared VPC Service Project.• Configure a 2-NIC instance in zone us-west1-a in the Service Project.• Attach NIC0 in us-west1 subnet of the Service Project.• Attach NIC1 in us-west1 subnet of the Service Project• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

A.  

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub.

Import the custom routes in the spokes.

B.  

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

Delete the default internet gateway route of the spokes.

C.  

Create two default routes in the hub VPC that point to the next hop instances of the virtual appliances.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

D.  

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Create a new route in the spoke VPC that points to IP address 10.0.0.5.

A.  

Configure VPC Network Peering, and peer one of the VPCs to the service project.

B.  

Configure a Shared VPC, and create a VPC network in the service project.

C.  

Configure a Shared VPC, and create a VPC network in the host project.

D.  

Configure Policy-based Routing for each team.