You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.
During troubleshooting you find:
• Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
• The subnetwork logs are not excluded from Stackdriver.
• The instance that is hosting the application can communicate outside the subnet.
• Other instances within the subnet can communicate outside the subnet.
• The external resource initiates communication. What is the most likely cause of the missing log lines?

1. A. The traffic is matching the expected ingress rule.
2. B. The traffic is matching the expected egress rule.
3. C. The traffic is not matching the expected ingress rule.
4. D. The traffic is not matching the expected egress rule.

Correct Answer: C

You work for a university that is migrating to GCP. These are the cloud requirements:
• On-premises connectivity with 10 Gbps
• Lowest latency access to the cloud
• Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?

1. A. Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
2. B. Use Shared VPC, and deploy the VLAN attachments in the service project
3. C. Connect the VLAN attachment to the Shared VPC's host project.
4. D. Use standalone projects, and deploy the VLAN attachments in the individual project
5. E. Connect the VLAN attachment to the standalone projects' Interconnects.
6. F. Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.

Correct Answer: A
https://cloud.google.com/interconnect/docs/how-to/dedicated/using-interconnects-other-projects
Using Cloud Interconnect with Shared VPC You can use Shared VPC to share your VLAN attachment in a project with other VPC networks. Choosing Shared VPC is preferable if you need to create many projects and would like to prevent individual project owners from managing their connectivity back to your on-premises network. In this scenario, the host project contains a common Shared VPC network usable by VMs in service projects. Because VMs in the service projects use this network, Service Project Admins don't need to create other VLAN attachments or Cloud Routers in the service projects. In this scenario, you must create VLAN attachments and Cloud Routers for a Cloud Interconnect connection only in the Shared VPC host project. The combination of a VLAN attachment and its associated Cloud Router are unique to a given Shared VPC network.
https://cloud.google.com/network-connectivity/docs/interconnect/how-to/enabling-multiple-networks-access-sa
https://cloud.google.com/vpc/docs/shared-vpc

You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
gcloud compute routes create no-ip-internet-route
--network custom-network1
--destination-range 0.0.0.0/0
--next-hop instance nat-gateway
--next-hop instance-zone us-central1-a
--tags no-ip --priority 800
You want existing instances to use the new NAT gateway. Which command should you execute?

1. A. sudo sysctl -w net.ipv4.ip_forward=1
2. B. gcloud compute instances add-tags [existing-instance] --tags no-ip
3. C. gcloud builds submit --config=cloudbuild.waml --substitutions=TAG_NAME=no-ip
4. D. gcloud compute instances create example-instance --network custom-network1 \--subnet subnet-us-central \--no-address \--zone us-central1-a \--image-family debian-9 \--image-project debian-cloud \--tags no-ip

Correct Answer: B
https://cloud.google.com/sdk/gcloud/reference/compute/routes/create
In order to apply a route to an existing instance we should use a tag to bind the route to it.

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users.
What should you do?

1. A. Create a Cloud Armor Policy rule that denies traffic and review necessary logs.
2. B. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.
3. C. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.
4. D. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.

Correct Answer: B
https://cloud.google.com/armor/docs/security-policy-concepts#preview_mode

Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates.
Which Google Cloud load balancer should you use?

1. A. SSL proxy load balancer
2. B. Network load balancer
3. C. HTTPS load balancer
4. D. TCP proxy load balancer

Correct Answer: D
https://cloud.google.com/security/encryption-in-transit/ Automatic encryption between GFEs and backends For the following load balancer types, Google automatically encrypts traffic between Google Front Ends (GFEs) and your backends that reside within Google Cloud VPC networks: HTTP(S) Load Balancing TCP Proxy Load Balancing SSL Proxy Load Balancing