You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)
To allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs without sending traffic through the firewall, you need to enable Private Google Access at the subnet level. This allows VM instances to connect to Google APIs and services using their external IP addresses directly. Additionally, creating a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway ensures that the traffic bypasses the firewall. These actions satisfy the conditions mentioned in the question.
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?
Given that the instances are configured with the enable-oslogin set to FALSE and project-wide SSH keys are blocked, there are no SSH keys configured at the instance or project level. The gcloud compute ssh command in Cloud Shell utilizes IAM permissions and temporary SSH keys to provide access, bypassing the need for pre-configured SSH keys on the instance. This method allows you to SSH into the instance without modifying any metadata settings or adding SSH keys manually.
You work for a university that is migrating to GCP.
These are the cloud requirements:
"¢ On-premises connectivity with 10 Gbps
"¢ Lowest latency access to the cloud
"¢ Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?
Using Shared VPC while deploying VLAN attachments and Interconnect in the host project is the most cost-efficient and administratively efficient approach. With a Shared VPC, the centralized networking administration team can manage network resources centrally, reducing the complexity and duplication of efforts that would come with standalone projects. Deploying the VLAN attachments and Interconnect in the host project aligns with best practices for centralized management and helps maintain low latency and high bandwidth connectivity, fulfilling all the stated cloud requirements.
You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple
Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.
Which session affinity should you choose?
To ensure that clients are sticky to a particular instance across both HTTP and TFTP services, the session affinity should be based on the Client IP. This is because you want to keep the communication consistent regardless of the protocol or port being used. By using Client IP affinity, all requests from the same client IP will be directed to the same backend instance, ensuring stickiness across the services.
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging.
When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?
To see the logs for blocked traffic, you need to explicitly create a firewall rule that denies all traffic and has logging enabled. The default implicit deny rule does not log denied packets, which is why you cannot see them in the logs. Creating a custom deny-all rule with a priority of 65500 ensures that it captures and logs any traffic that would otherwise be blocked by the implicit deny rule.