Professional Cloud Network Engineer Exam Questions

Professional Cloud Network Engineer Exam - Question 162


You are a network administrator at your company planning a migration to Google Cloud and you need to finish the migration as quickly as possible. To ease the transition, you decided to use the same architecture as your on-premises network: a hub-and-spoke model. Your on-premises architecture consists of over 50 spokes. Each spoke does not have connectivity to the other spokes, and all traffic is sent through the hub for security reasons. You need to ensure that the Google Cloud architecture matches your on-premises architecture. You want to implement a solution that minimizes management overhead and cost, and uses default networking quotas and limits. What should you do?

Correct Answer: AC

The best way to implement the hub-and-spoke architecture in Google Cloud, matching the on-premises setup, is to connect all the spokes to the hub with Cloud VPN. Cloud VPN allows you to create secure tunnels between the spokes and the hub, ensuring all traffic is routed through the central hub for security reasons. This option minimizes management overhead and cost, as it leverages Google's default networking quotas and limits and aligns with the requirement of preventing direct connectivity between spokes.

Discussion

gonlafer (Option: C)
Feb 18, 2024

VPC Network Peering connections are limited to 25 connections per VPC network.

PeppaPig (Option: C)
Feb 16, 2024

Can't be VPC peering. Google VPC supports up to 25 peering connections per VPC; here we need to connect 50 spokes. C is correct.

GoReplyGCPExam (Option: D)
Feb 7, 2024

VPC Network Peering is a simple and low-cost way to connect VPC networks without using any external IP addresses or VPN gateways. It does not consume any quota or limit for VPN tunnels, external IP addresses, or forwarding rules. So, use it to connect the spokes to the hub. To fully prevent connectivity between the spokes, use a third-party network appliance as a default gateway (also if by default spokes can't communicate with the hub).

desertlotus1211
Mar 21, 2024

quota is 25, wrong answer.

desertlotus1211
Mar 21, 2024

It's either A or C.

hamish88 (Option: A)
May 9, 2024

As per the following link, we should use a third-party network appliance or an NGFW as a default gateway in providing inter-spoke communications, not to prevent connectivity between spokes https://cloud.google.com/architecture/deploy-hub-spoke-vpc-network-topology

Positron75
Jun 17, 2024

As I understand it, that refers to the architecture using VPC Peering. Because VPC Peering is not transitive, you need a 3rd party solution to enable inter-spoke communication. However, the same documentation states that using VPN does allow transitive routing, which we do not want in this case according to the question. Therefore I think the correct answer here would be C, as otherwise by default the spokes will be able to connect to each other.