
Professional Cloud Network Engineer Exam - Question 170


You are configuring your organization's Google Cloud environment to connect to your on-premises network, which does not support Border Gateway Protocol (BGP). Your on-premises network has 30 CIDR ranges that must be reachable from Google Cloud. Your VPN gateway creates a unique child security association (SA) per CIDR. You must ensure that the 30 CIDR ranges in your on-premises network are reachable from Google Cloud.

Following Google-recommended practices, which two methods can you use to accomplish this? (Choose two.)

Correct Answer: AC

To connect an on-premises network that does not support BGP to Google Cloud while keeping all 30 CIDR ranges reachable, two methods apply. First, create a single Cloud VPN tunnel that uses a route-based VPN (option A): both traffic selectors are 0.0.0.0/0, and a static route is configured for each of the 30 CIDR ranges, which keeps management simple and overhead low. Second, create multiple Cloud VPN tunnels that use policy-based routing, each tunnel carrying exactly one CIDR block as its local traffic selector and one as its remote traffic selector, with every tunnel connected to a unique peer IP address (option C); this matches a peer gateway that negotiates one child SA per CIDR without requiring BGP support on the on-premises side. Both methods follow Google-recommended practices and preserve connectivity and routing integrity.
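As an added illustration (not part of the exam page, the comments, or Google's documentation), the script below emits the Classic VPN gcloud commands for both recommended designs: option A as one route-based tunnel with 0.0.0.0/0 selectors plus a static route per CIDR, and option C as one policy-based tunnel per CIDR with a single local and remote selector each and a distinct peer address per tunnel. The region, network and gateway names, the peer IPs (203.0.113.x) and the 30 CIDRs are constructed placeholders; the gcloud flags (`--target-vpn-gateway`, `--local-traffic-selector`, `--remote-traffic-selector`, `--next-hop-vpn-tunnel`) are the real Classic VPN ones, and with gcloud the static routes are created explicitly for both designs. The plan is printed rather than executed, and a check confirms no two policy-based tunnels on the same gateway share a peer address.

```shell
#!/usr/bin/env bash
# Added example, not from the exam page. Emits gcloud commands for the two
# recommended designs; all names, IPs and CIDRs are constructed placeholders.
set -eu

REGION="us-central1"
NETWORK="vpc-prod"                  # assumed VPC network name
GATEWAY="classic-vpn-gw"            # assumed existing Classic VPN target gateway
SHARED_SECRET="REPLACE_WITH_PSK"    # placeholder; supply the real pre-shared key at run time

# Constructed sample: the 30 on-premises CIDRs, 192.168.1.0/24 .. 192.168.30.0/24
onprem_cidrs() {
  local i
  for i in $(seq 1 30); do printf '192.168.%d.0/24\n' "$i"; done
}

# Option A: a single route-based tunnel. Both traffic selectors are 0.0.0.0/0 and
# one static route per on-premises CIDR points at the tunnel. Reads CIDRs on stdin.
gen_route_based() {
  local peer_ip=$1 cidr n=0
  printf 'gcloud compute vpn-tunnels create tun-route-based --region=%s --target-vpn-gateway=%s --peer-address=%s --shared-secret=%s --ike-version=2 --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0\n' \
    "$REGION" "$GATEWAY" "$peer_ip" "$SHARED_SECRET"
  while read -r cidr; do
    n=$((n + 1))
    printf 'gcloud compute routes create onprem-%d --network=%s --destination-range=%s --next-hop-vpn-tunnel=tun-route-based --next-hop-vpn-tunnel-region=%s\n' \
      "$n" "$NETWORK" "$cidr" "$REGION"
  done
}

# Option C: one policy-based tunnel per CIDR, exactly one local and one remote
# selector each, and a distinct peer IP per tunnel (tunnels on the same Classic
# gateway must not share a peer address). Reads CIDRs on stdin.
gen_policy_based() {
  local local_cidr=$1 cidr n=0 peer_ip
  while read -r cidr; do
    n=$((n + 1))
    peer_ip="203.0.113.$n"   # constructed: one external IP per tunnel on the peer side
    printf 'gcloud compute vpn-tunnels create tun-policy-%d --region=%s --target-vpn-gateway=%s --peer-address=%s --shared-secret=%s --ike-version=2 --local-traffic-selector=%s --remote-traffic-selector=%s\n' \
      "$n" "$REGION" "$GATEWAY" "$peer_ip" "$SHARED_SECRET" "$local_cidr" "$cidr"
    printf 'gcloud compute routes create onprem-%d --network=%s --destination-range=%s --next-hop-vpn-tunnel=tun-policy-%d --next-hop-vpn-tunnel-region=%s\n' \
      "$n" "$NETWORK" "$cidr" "$n" "$REGION"
  done
}

# Plan checks, run over a generated command list on stdin.
count_tunnels() { grep -c 'vpn-tunnels create'; }
count_routes()  { grep -c 'routes create'; }
# Succeeds only when every tunnel in the plan uses a distinct --peer-address.
check_unique_peers() {
  local peers
  peers=$(grep -o -- '--peer-address=[0-9.]*' | sort)
  [ "$(printf '%s\n' "$peers" | uniq -d | wc -l | tr -d ' ')" -eq 0 ]
}

# Usage: ./vpn-plan.sh route 203.0.113.1 | sh     (option A, single tunnel + 30 routes)
#        ./vpn-plan.sh policy 10.0.0.0/8 | sh     (option C, 30 tunnels, one CIDR each)
case "${1:-}" in
  route)  onprem_cidrs | gen_route_based "$2" ;;
  policy) onprem_cidrs | gen_policy_based "$2" ;;
esac
```

Review the printed plan before piping it to `sh`; the route-based plan is 31 commands, the policy-based plan is 60 (a tunnel and a route per CIDR), which is the management cost the question's answer explanation trades off against the peer's one-SA-per-CIDR behaviour.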

Discussion

GoReplyGCPExam (Options: AC)
Feb 8, 2024

The correct methods are options A and C.

GoReplyGCPExam
Feb 8, 2024

A. Create a single Cloud VPN tunnel that uses route-based VPN. This method allows you to establish a single VPN tunnel between your on-premises network and Google Cloud. Route-based VPNs use static routes to determine which traffic should be sent over the VPN tunnel. You can configure static routes for each of the 30 CIDR ranges to ensure they are reachable. C. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to unique peer IP addresses. With this approach, you create multiple VPN tunnels, each tunnel dedicated to a subset of the 30 CIDR ranges. Policy-based routing allows you to define specific routing policies for different traffic selectors. By connecting each tunnel to a unique peer IP address, you can ensure segregation of traffic and routing based on CIDR ranges.

BB_norway
Feb 21, 2024

So with this we require 30 unique remote peer IPs? Is that realistic?

Positron75 (Options: AC)
Apr 8, 2024

The documentation points towards A+C: https://cloud.google.com/network-connectivity/docs/vpn/concepts/choosing-networks-routing?hl=en#route-alignment For A: "Use a route-based VPN. Both traffic selectors are 0.0.0.0/0 by definition for route-based VPNs. You can create routes that are more specific than the traffic selectors." For C: "Use policy-based routing to create multiple Cloud VPN tunnels so that each tunnel only has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. (...) Your peer VPN gateway must offer separate external IP addresses to which each Cloud VPN tunnel can connect. Tunnels on the same Classic VPN gateway must connect to unique peer gateway IP addresses."

dev62 (Options: BC)
Feb 26, 2024

B & C: https://cloud.google.com/network-connectivity/docs/vpn/concepts/choosing-networks-routing

dev62
Mar 1, 2024

C & E also seem correct

desertlotus1211 (Options: AB)
Mar 14, 2024

Answer A&B are correct.

desertlotus1211
Mar 21, 2024

Rethinking: B & C

AzurePete (Options: BD)
Jul 1, 2024

B. Create a single Cloud VPN tunnel that uses policy-based routing with 30 CIDRs as the remote traffic selectors. D. Create multiple Cloud VPN tunnels that use policy-based routing with 10 CIDR per tunnel as the remote traffic selectors. Policy-based routing allows you to specify which traffic is sent over specific tunnels based on the local and remote traffic selectors (CIDR blocks). You can either create a single tunnel with 30 remote traffic selectors (option B) or create multiple tunnels, each with up to 10 remote traffic selectors (option D). Option A is incorrect because route-based VPNs require BGP, which your on-premises network does not support. Options C and E are incorrect because they suggest creating a tunnel for each CIDR block, which would result in 30 tunnels. This is unnecessary and would increase complexity and management overhead.