Exam Professional Cloud Network Engineer topic 1 question 67 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 67
Topic #: 1

In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost.
Which two steps should you take? (Choose two.)

  • A. Connect both projects using Cloud VPN.
  • B. Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
  • C. Enable Shared VPC in one project (e.g., code-dev), and make the second project (e.g., data-dev) a service project.
  • D. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
  • E. Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
Suggested Answer: BD

Comments

mikelabs
Highly Voted 3 years, 1 month ago
Answer is B & D. B: Minimizes cost and quickly. D: You need to create firewall rules to allow traffic between subnets over each VPC.
upvoted 25 times
PurplePanda
1 year, 4 months ago
I don't think D will work. Firewall rules only apply to a particular project, not across projects. "Virtual Private Cloud (VPC) firewall rules apply to a given project and network. If you want to apply firewall rules to multiple VPC networks in an organization, see Hierarchical firewall policies overview." https://cloud.google.com/vpc/docs/firewalls
upvoted 2 times
amoyano
1 year, 4 months ago
PurplePanda, it's true, rules apply to one project, but you can configure the firewall rules of the other project too and it's solved. Alternative D doesn't say that you'd work only on one firewall.
upvoted 1 times
subhala
9 months, 3 weeks ago
there will be routes across VPCs.
upvoted 1 times
zbyszekz
12 months ago
We don't know about IP range in each VPC, so VPN is better to avoid IP conflict.
upvoted 2 times
desertlotus1211
7 months, 1 week ago
You're adding additional cost and overhead
upvoted 1 times
seddy
Highly Voted 2 years, 7 months ago
B and D 100%
- First of all, we only have 2 separate VPCs in 2 different projects, where each project resides in the same organization. This setup already yells that we need network peering!
- In addition, to be able to use a Shared VPC we need to delete existing service project resources and recreate them in the shared VPC subnet, which is something the question statement does not want, so Shared VPC is automatically eliminated.
- Lastly, with network peering, the subnet routes of both VPCs are automatically shared, but we still need to create firewall rules to allow incoming requests for both ends. Hence B and D.
upvoted 15 times
AzureDP900
1 year ago
Agreed.
upvoted 1 times
gcpengineer
4 months, 2 weeks ago
Nope, each department wants full control of the network, so Shared VPC is ruled out.
upvoted 2 times
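The two steps seddy describes above (peer the networks, then add ingress firewall rules on each side), as an added Python example that is not part of the original thread or of any Google tooling. It also adds the check zbyszekz raises elsewhere in the thread: peering is rejected if the subnet ranges overlap, so that is verified first. The project names code-dev and data-dev come from the question; the network names, subnet ranges and rule names are constructed sample data, and the gcloud commands are only emitted as strings for review, not executed.

```python
"""Plan a VPC Network Peering between two projects plus the firewall rules
that make it usable. Added illustration for this discussion; not code from
the exam page or from Google.

Assumptions (not on the page): the network names, subnet CIDRs and rule
names below are constructed sample data, and the gcloud invocations are
emitted as strings for review rather than executed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory: one VPC per project, each with its subnet ranges.
VPCS: Dict[str, Dict[str, object]] = {
    "code-dev": {"network": "code-dev-vpc",
                 "subnets": ["10.10.0.0/20", "10.10.16.0/20"]},
    "data-dev": {"network": "data-dev-vpc",
                 "subnets": ["10.20.0.0/20", "10.20.16.0/20"]},
}


def overlapping_subnets(a: List[str], b: List[str]) -> List[Tuple[str, str]]:
    """Return every (a_cidr, b_cidr) pair whose ranges overlap.

    Peering is rejected when subnet ranges overlap, and the subnet routes
    it exchanges cannot be filtered, so this check runs before anything else.
    """
    clashes = []
    for x in a:
        nx = ipaddress.ip_network(x)
        for y in b:
            if nx.overlaps(ipaddress.ip_network(y)):
                clashes.append((x, y))
    return clashes


def peering_command(local: str, remote: str, inv: Dict = VPCS) -> str:
    """One side of the peering; it only becomes ACTIVE once both sides exist."""
    return (
        f"gcloud compute networks peerings create peer-{local}-to-{remote} "
        f"--project={local} --network={inv[local]['network']} "
        f"--peer-project={remote} --peer-network={inv[remote]['network']}"
    )


def firewall_command(local: str, remote: str, inv: Dict = VPCS) -> str:
    """Ingress allow rule on LOCAL for traffic from REMOTE's subnets.

    Firewall rules are not exchanged over peering, and the implied deny
    ingress rule blocks peer traffic by default, so each VPC needs its own
    rule. Source ranges are the peer's subnets, not 0.0.0.0/0.
    """
    sources = ",".join(inv[remote]["subnets"])
    return (
        f"gcloud compute firewall-rules create allow-from-{remote} "
        f"--project={local} --network={inv[local]['network']} "
        f"--direction=INGRESS --allow=all --source-ranges={sources}"
    )


def plan(a: str, b: str, inv: Dict = VPCS) -> List[str]:
    """Full-mesh plan: overlap check, peering both ways, firewall both ways."""
    clashes = overlapping_subnets(inv[a]["subnets"], inv[b]["subnets"])
    if clashes:
        raise ValueError(f"subnet overlap; peering would be rejected: {clashes}")
    return [
        peering_command(a, b, inv),
        peering_command(b, a, inv),
        firewall_command(a, b, inv),
        firewall_command(b, a, inv),
    ]


if __name__ == "__main__":
    for cmd in plan("code-dev", "data-dev"):
        print(cmd)
```

Running it prints the four commands. The peering only goes ACTIVE after both create calls succeed, and restricting the source ranges to the peer's subnets gives the "full cross-communication" the question asks for without opening ingress to the internet, which is the objection Plinci raises later in the thread.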
Gurminderjit
Most Recent 1 week, 5 days ago
B and D
upvoted 1 times
bus_karan19
2 months, 1 week ago
Selected Answer: BD
B & D are the best bet
upvoted 1 times
Thornadoo
4 months ago
Selected Answer: BE
This question is confusing - It clearly states in the document (https://cloud.google.com/vpc/docs/vpc-peering): You can't disable the subnet route exchange or select which subnet routes are exchanged. After peering is established, all resources within subnet IP addresses are accessible across directly peered networks. VPC Network Peering doesn't provide granular route controls to filter out which subnet CIDR ranges are reachable across peered networks. You must use firewall rules to filter traffic if that's required. This is why to me D doesn't make sense as they want unfettered access between their subnets for the 2 projects (FW rules only required for granular access).
upvoted 1 times
gcpengineer
3 months, 3 weeks ago
Without firewall rules they won't be able to access.
upvoted 1 times
rglearn
4 months, 4 weeks ago
Selected Answer: BD
Along with VPC-Peering we will need firewall rules also in place to allow unrestricted communication across two VPCs.
upvoted 1 times
adfghn
7 months, 2 weeks ago
Key point is the order of the steps: 1st VPC peering, 2nd allow firewall policy between the 2 VPCs. Cloud VPN is one option but it will increase the cost.
upvoted 1 times
desertlotus1211
5 months, 2 weeks ago
what's your answer?
upvoted 1 times
pk349
11 months, 2 weeks ago
B D are correct
upvoted 1 times
Mr_MIXER007
1 year, 2 months ago
Selected Answer: BD
D & B
upvoted 2 times
kumarp6
1 year, 11 months ago
Answer is : B and D
upvoted 2 times
kumarp6
1 year, 11 months ago
Answer is B & D.
upvoted 1 times
VivekMishraV
2 years, 7 months ago
It's B and D. https://cloud.google.com/vpc/docs/vpc-peering#firewall
"When you connect networks using VPC Network Peering, firewall rules are not exchanged between them. To allow ingress traffic from VM instances in a peer network, you must create ingress allow firewall rules. By default, ingress traffic to VMs is blocked by the implied deny ingress rule. If you need to restrict access to VMs such that only other VMs in your VPC network have access, ensure that the sources for your ingress allow firewall rules only identify VMs in your VPC network, not ones from peer networks. For example, you can specify source IP ranges for just the subnets in your VPC network. To restrict access to an internal TCP/UDP load balancer, create ingress firewall rules that apply to the load balancer's backend VMs."
upvoted 6 times
Plinci
2 years, 8 months ago
Has to be A and B. D would not work as the VPCs are in different projects; allowing all traffic would expose resources on it externally, and you can't allow the subnet private ranges as it would reach the VPC with an external IP through the Internet and not from the source subnet's private IP ranges.
upvoted 1 times
buldas
2 years, 8 months ago
VPN or Peering. A and B doesn't make any sense.
upvoted 2 times
Vidyasagar
2 years, 9 months ago
B and D
upvoted 4 times
subhala
2 years, 12 months ago
How about A and B?
upvoted 1 times
cesar7816
3 years ago
B and D,
upvoted 2 times
[Removed]
3 years, 1 month ago
Ans - BD
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other