Exam Professional Cloud Network Engineer topic 1 question 135 discussion

C says a lower priority for MED, NOT a lower value.

On-Premises Router Advertising Default Route (0.0.0.0/0) with Lower Priority: The on-premises router advertises a default route back to the on-premises data center via BGP with a lower priority (e.g., higher MED value) than the VPC’s default internet gateway route. This ensures that general internet traffic is sent to the on-premises data center for scrubbing, but traffic to Google APIs stays in the VPC. Private Cloud DNS Zone: A private Cloud DNS zone for googleapis.com is created. A CNAME for *.googleapis.com to private.googleapis.com ensures that API traffic resolves to Google’s private IPs. Static Route for 199.36.153.8/30: C should be the answer. This route ensures that traffic destined for private.googleapis.com (Google APIs) stays within the VPC and does not get routed back to the on-premises network or the internet.

Does someone know if MED is always compared? As per my previous knowledge, During the best-path selection process, MED comparison is done only among paths from the same autonomous system. Since the two default routes are not coming from the same ASN, I guess, modifying the MED value doesn't have any effect. In this case, D should be the answer.

Answer C says lower priority for MED, NOT lower value. So for me: D

"If the VPC network to which your on-premises network connects contains a default route whose next hop is the default internet gateway, that route meets the routing requirements for Private Google Access for on-premises hosts." https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid?hl=en#config-routing

Only difference between C and D is that the default route is not removed from VPC. If the BGP route from on-prem is lost, Internet traffic would go out without inspection. I vote D.

VPC network custom routing If you've replaced or changed your default route, ensure that you have custom static routes configured for the destination IP ranges used by private.googleapis.com or restricted.googleapis.com. To check the configuration of custom routes for Google APIs and services in a given network, follow these directions.

D is wrong, VPC must have routes for the IP address ranges used by private.googleapis.com or restricted.googleapis.com. These routes must use the default internet gateway next hop: https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config-routing The correct answer is C

D. 1. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).

D. 1. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP). 2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to Private googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30. 3. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.

D looks more promising to me

D/C- If we want to ensure that all VM traffic is routed back to on-premises data center(let's imagine bgp fails we will send the trafic to internet), it's D the correct(deleting the default route).

C is correct. Adjusted on premise resources and configure routing to restricted API on inside VPC.