
Google Cloud Certified – Professional Cloud Network Engineer

Original price was: $70. Current price is: $35.

Exam Code: Professional-Cloud-Network-Engineer
Exam Name: Google Cloud Certified – Professional Cloud Network Engineer
Questions: 300 Questions and Answers With Explanation
Update Date: May 1, 2025

Sample Questions

question: 1
You are designing a VPC for a company that wants to run applications in multiple regions. What is the best approach to ensure minimal latency and optimal network performance across regions?
A. Use a single global VPC with subnets in each region.
B. Create a separate VPC for each region.
C. Use Cloud VPN to interconnect different regional VPCs.
D. Use shared VPCs with multiple service projects.

correct answer: A
explanation: Google Cloud VPCs are global resources. Creating a single global VPC with regional subnets allows for better management, lower latency, and optimal network performance across regions.


question: 2
Which Google Cloud service provides global external HTTP(S) load balancing with cross-regional failover?
A. Internal TCP/UDP Load Balancer
B. Network Load Balancer
C. Global External HTTP(S) Load Balancer
D. Regional HTTP(S) Load Balancer

correct answer: C
explanation: The Global External HTTP(S) Load Balancer supports cross-regional failover and global routing based on proximity, ensuring high availability and low latency.


question: 3
Which two hybrid connectivity options does Google Cloud provide for secure, private connections to your on-premises network? (Choose two)
A. Cloud CDN
B. Cloud VPN
C. Cloud Interconnect
D. Cloud NAT

correct answers: B and C
explanation: Cloud VPN and Cloud Interconnect are used for secure and private hybrid connectivity. Cloud VPN uses IPsec tunnels, while Interconnect provides high-throughput dedicated or partner connections.


question: 4
How does VPC Peering affect network performance between two VPCs?
A. It introduces high latency.
B. It limits bandwidth to 1 Gbps.
C. It offers high bandwidth and low latency.
D. It requires Cloud VPN to function.

correct answer: C
explanation: VPC Peering provides high bandwidth and low-latency connectivity between VPCs in the same or different projects without needing VPNs or gateways.


question: 5
You are configuring firewall rules in GCP. Which rule takes priority if multiple rules match a traffic flow?
A. The rule with the highest priority number.
B. The most recently created rule.
C. The rule with the lowest priority number.
D. Rules are evaluated randomly.

correct answer: C
explanation: GCP firewall rules are evaluated in order of lowest priority number first. The first rule that matches the traffic is applied.


question: 6
Which of the following enables you to centralize network policy enforcement across multiple projects in a shared VPC environment?
A. Cloud NAT
B. VPC Peering
C. Firewall Policy
D. Cloud Router

correct answer: C
explanation: Firewall Policies (also known as hierarchical firewall policies) allow centralized network security rules at the organization or folder level in a shared VPC setup.


question: 7
What does Cloud NAT provide in Google Cloud networking?
A. Public IP addresses to internal load balancers
B. DNS services for private instances
C. Internet egress for private instances without public IPs
D. Ingress firewall management

correct answer: C
explanation: Cloud NAT allows instances without external IP addresses to initiate outbound connections to the internet securely.


question: 8
What is the maximum number of VPCs you can peer with a single VPC?
A. 25
B. 50
C. 75
D. 100

correct answer: D
explanation: As of the current limits, each VPC network can have up to 100 active VPC peering connections.


question: 9
Which Google Cloud tool helps troubleshoot connectivity issues in a VPC?
A. Cloud Armor
B. VPC Flow Logs
C. Network Intelligence Center
D. Cloud NAT

correct answer: C
explanation: The Network Intelligence Center provides visibility into network performance and troubleshooting tools like Connectivity Tests and Performance Dashboards.


question: 10
You need to configure private Google access for a subnet. What must be enabled?
A. A route to 0.0.0.0/0
B. Cloud NAT
C. “Private Google Access” option on the subnet
D. Enable IAP

correct answer: C
explanation: Private Google Access allows VMs without public IPs to reach Google APIs and services privately and must be enabled at the subnet level.

question: 11
What is the purpose of using a Cloud Router in a hybrid cloud setup?
A. To filter traffic between subnets
B. To allocate static IP addresses
C. To dynamically exchange routes between networks
D. To encrypt traffic using IPsec tunnels

correct answer: C
explanation: Cloud Router supports dynamic route exchange between Google Cloud and on-premises networks using BGP, enabling scalable hybrid networking.


question: 12
You want to restrict access to a Cloud Load Balancer from only specific IP ranges. What should you use?
A. Cloud NAT
B. Cloud DNS
C. Cloud Armor
D. VPC Service Controls

correct answer: C
explanation: Cloud Armor allows you to create security policies that restrict access to GCP load balancers based on IP addresses and other parameters.


question: 13
Which Google Cloud networking service allows DNS resolution between peered VPC networks?
A. Cloud Interconnect
B. Cloud DNS Peering
C. Private Service Connect
D. Cloud Router

correct answer: B
explanation: Cloud DNS Peering enables DNS resolution between VPCs connected through VPC peering by allowing forwarding between DNS servers.


question: 14
What is the default behavior of subnet IP address allocation in a custom-mode VPC?
A. Subnets are automatically created in all regions.
B. You must manually create subnets in each region.
C. Subnet IPs are shared across projects.
D. Subnets inherit firewall rules from the region.

correct answer: B
explanation: In a custom-mode VPC, you must manually create subnets for each region you intend to use, allowing precise IP range management.


question: 15
Which feature allows private, secure access to Google APIs from on-premises networks over Cloud Interconnect or VPN?
A. Private Google Access
B. Private Service Connect
C. Cloud NAT
D. Cloud CDN

correct answer: B
explanation: Private Service Connect allows you to access Google APIs and services securely from on-premises environments without using public IPs.


question: 16
A VM without a public IP needs internet access. Which service should you use?
A. Cloud Armor
B. Cloud NAT
C. Cloud VPN
D. Internal Load Balancer

correct answer: B
explanation: Cloud NAT provides internet access for instances without public IP addresses by translating their private IPs to a NAT gateway’s external IP.


question: 17
Which GCP resource defines how traffic is directed within a VPC network?
A. Subnet
B. Route
C. Firewall rule
D. Peering connection

correct answer: B
explanation: Routes in a VPC network define the path traffic takes from a VM to other destinations inside or outside the network.


question: 18
Which of the following must be configured to use BGP over a Cloud VPN tunnel?
A. Static route
B. VPC Peering
C. Cloud Router
D. Cloud Armor

correct answer: C
explanation: Cloud Router is required to enable dynamic routing using BGP over a Cloud VPN tunnel.


question: 19
You have multiple projects using a shared VPC. Where are the firewall rules applied?
A. In the service project
B. In the host project
C. Globally across all projects
D. In the Cloud IAM policy

correct answer: B
explanation: Firewall rules in a shared VPC are managed and enforced from the host project, even if resources are in service projects.


question: 20
What is a key benefit of using Private Service Connect for accessing Google services?
A. Lower latency
B. Access via private IP addresses
C. Increased bandwidth
D. Automatic DDoS protection

correct answer: B
explanation: Private Service Connect provides access to Google APIs over a private IP address range, avoiding exposure to the public internet.

question: 21
You are tasked with setting up a secure connection between your on-premises network and GCP with a bandwidth requirement of 5 Gbps. Which connectivity option is best suited?
A. Cloud VPN
B. Partner Interconnect (lower bandwidth)
C. Dedicated Interconnect
D. VPC Peering

correct answer: C
explanation: Dedicated Interconnect provides high-bandwidth (from 10 Gbps and above) and low-latency connectivity suitable for data-intensive workloads.


question: 22
Which load balancer type should you use for distributing TCP traffic within a single region?
A. Internal TCP/UDP Load Balancer
B. Global External HTTP(S) Load Balancer
C. Network Load Balancer
D. Internal HTTP Load Balancer

correct answer: A
explanation: Internal TCP/UDP Load Balancers are used for distributing traffic across instances within the same region on private IP addresses.


question: 23
What is the function of a custom static route in a VPC?
A. It allows DNS resolution for custom domains
B. It forwards traffic to a specific next-hop
C. It controls IAM access to instances
D. It replaces the default route automatically

correct answer: B
explanation: Custom static routes define traffic forwarding paths to specific destinations using next-hop configurations like a gateway or instance.


question: 24
What does Google recommend for limiting lateral movement in a VPC?
A. Use fewer firewall rules
B. Enable Cloud NAT
C. Use microsegmentation with service accounts and firewall rules
D. Allow all egress traffic by default

correct answer: C
explanation: Microsegmentation using firewall rules scoped to service accounts restricts lateral movement, enhancing network security.


question: 25
What role does Identity Aware Proxy (IAP) serve in GCP networking?
A. Encrypts VM disk data
B. Enables NAT traversal
C. Controls access to applications based on identity and context
D. Handles DNS forwarding

correct answer: C
explanation: IAP provides secure access to applications by enforcing identity and context-based access control.


question: 26
Which of the following supports traffic mirroring for packet-level inspection?
A. Cloud Armor
B. VPC Flow Logs
C. Packet Mirroring
D. Cloud Interconnect

correct answer: C
explanation: Packet Mirroring enables deep packet inspection by sending copies of network traffic to monitoring or analysis tools.


question: 27
Which type of Cloud Interconnect requires coordination with a supported service provider?
A. Partner Interconnect
B. Dedicated Interconnect
C. Shared Interconnect
D. Carrier Peering

correct answer: A
explanation: Partner Interconnect allows you to connect to GCP through a service provider, suitable when you don’t have a presence in a Google POP.


question: 28
You need to share a subnet across multiple projects. What should you configure?
A. VPC Peering
B. Shared VPC
C. DNS Peering
D. VPN Gateway

correct answer: B
explanation: A Shared VPC allows you to share network resources like subnets across multiple projects within the same organization.


question: 29
Which GCP product provides monitoring and troubleshooting tools for hybrid and cloud-only networks?
A. Cloud Logging
B. Network Intelligence Center
C. Cloud NAT
D. Cloud Monitoring

correct answer: B
explanation: The Network Intelligence Center is a suite of tools for network monitoring, performance analysis, and troubleshooting.


question: 30
Which of the following allows you to connect multiple service producers to your network via a private endpoint?
A. VPC Peering
B. Cloud VPN
C. Private Service Connect
D. Interconnect

correct answer: C
explanation: Private Service Connect creates private endpoints in your network to access managed services or Google APIs without exposing traffic to the public internet.

question: 31
Which logging feature should you use to record metadata about every network connection to and from VM instances in a VPC?
A. Cloud Logging
B. VPC Flow Logs
C. Cloud Audit Logs
D. Network Intelligence Center

correct answer: B
explanation: VPC Flow Logs provide near real-time logging of network flows to and from VM interfaces, useful for monitoring and security.


question: 32
How are firewall rules evaluated in GCP?
A. Randomly selected
B. By creation timestamp
C. From highest to lowest priority
D. From lowest to highest priority

correct answer: D
explanation: Firewall rules are evaluated in ascending order of priority number, where a lower number means higher priority.


question: 33
Which feature allows VMs in different projects to communicate as if they are in the same network?
A. VPC Peering
B. Shared VPC
C. Cloud NAT
D. Private Service Connect

correct answer: B
explanation: Shared VPC enables VM instances in service projects to use subnets from a host project as if they belong to the same network.


question: 34
You want to block traffic from a specific IP address range. Where should you configure this in GCP?
A. Subnet configuration
B. IAM policy
C. Firewall rule with a deny action
D. VPC Peering

correct answer: C
explanation: To block traffic from a specific IP range, create a firewall rule with a deny action that targets the source IP range.


question: 35
What is the maximum number of secondary IP ranges a subnet can have?
A. 10
B. 100
C. 200
D. 256

correct answer: D
explanation: Each subnet in a VPC network can support up to 256 secondary IP ranges, useful for alias IPs or GKE pods.


question: 36
Which type of IP address is required for instances using Cloud NAT?
A. Public IP
B. Alias IP
C. No public IP
D. Ephemeral external IP

correct answer: C
explanation: Cloud NAT is specifically designed for instances that do not have external (public) IP addresses but still need outbound internet access.


question: 37
Which of the following is a key limitation of VPC peering?
A. You cannot connect different regions
B. No transitive peering
C. No DNS resolution
D. Bandwidth is limited to 100 Mbps

correct answer: B
explanation: VPC peering is non-transitive, meaning if VPC A peers with B and B peers with C, A cannot communicate with C unless explicitly peered.


question: 38
Which protocol is used by Cloud Router to exchange routes?
A. OSPF
B. EIGRP
C. BGP
D. RIP

correct answer: C
explanation: Cloud Router uses Border Gateway Protocol (BGP) to dynamically exchange routes with on-premises routers or partner networks.


question: 39
What is the key use case for using internal HTTP(S) Load Balancers in GCP?
A. Global content delivery
B. Internet-facing web apps
C. Private service access within a VPC
D. Serving public APIs

correct answer: C
explanation: Internal HTTP(S) Load Balancers route traffic only within a VPC or Shared VPC, ideal for internal microservices and backend communications.


question: 40
You need to ensure high availability for a Cloud VPN connection. What should you implement?
A. Two VPN tunnels on the same gateway
B. A single tunnel with Cloud Router
C. Two VPN tunnels on separate gateways
D. NAT gateway with static routing

correct answer: C
explanation: For high availability, you should use two VPN tunnels on separate Cloud VPN gateways, typically connected to two different on-premises routers.

question: 41
You are designing a hub-and-spoke architecture in GCP using VPCs. Which method enables the spokes to connect to each other through the hub?
A. VPC Peering
B. Transitive peering
C. VPN Tunnels
D. Shared VPC with custom routes

correct answer: D
explanation: Shared VPC with custom routes allows a hub-and-spoke model where spokes communicate via the hub project. VPC peering is not transitive, so this design requires Shared VPC or Cloud Router with custom routing.


question: 42
You want to provide a private IP-based connection to a third-party SaaS provider hosted on GCP. What should you use?
A. VPC Peering
B. Cloud VPN
C. Private Service Connect
D. Cloud NAT

correct answer: C
explanation: Private Service Connect lets you create private endpoints in your network that connect to services hosted by third-party providers without exposing traffic to the public internet.


question: 43
Which GCP tool allows you to visualize the impact of network configuration changes?
A. Cloud Trace
B. VPC Flow Logs
C. Connectivity Tests (Network Intelligence Center)
D. Cloud Monitoring

correct answer: C
explanation: Connectivity Tests, part of the Network Intelligence Center, simulate traffic paths and help you visualize and troubleshoot network connectivity issues.


question: 44
Which of the following is true regarding GCP’s firewall rule logging?
A. Logging is enabled by default
B. Only allowed traffic is logged
C. You can log both allowed and denied traffic
D. It requires a third-party agent

correct answer: C
explanation: Firewall rule logging in GCP allows you to log both allowed and denied traffic for specific rules when enabled.


question: 45
Which GCP product would you use to expose a backend service to internal clients across multiple VPCs?
A. External HTTP(S) Load Balancer
B. Internal TCP/UDP Load Balancer
C. Private Service Connect
D. Cloud VPN

correct answer: C
explanation: Private Service Connect supports private service publishing, allowing backend services to be exposed securely to consumers across VPCs.


question: 46
How does GCP ensure high availability for Global External HTTP(S) Load Balancing?
A. Using regional backend instances only
B. Distributing traffic using DNS round robin
C. Using Anycast IPs and global backend failover
D. Using Cloud CDN in each region

correct answer: C
explanation: Global External HTTP(S) Load Balancer uses Anycast IPs to route users to the nearest healthy backend and automatically fails over across regions for high availability.


question: 47
You are migrating workloads to GCP and want to use a hybrid connectivity solution with dynamic routing and encryption. Which should you choose?
A. Partner Interconnect
B. Dedicated Interconnect
C. Cloud VPN with Cloud Router
D. VPC Peering

correct answer: C
explanation: Cloud VPN with Cloud Router supports BGP for dynamic routing and provides encryption for hybrid connectivity.


question: 48
What’s a key difference between Cloud NAT and Cloud Router?
A. NAT provides dynamic routing
B. Cloud Router provides dynamic BGP route exchange; NAT handles egress internet traffic
C. Cloud Router is used for private DNS
D. Cloud NAT provides ingress security

correct answer: B
explanation: Cloud Router is used for BGP route advertisement, while Cloud NAT enables internet egress for instances without public IPs.


question: 49
You need to grant a user access to configure networking resources across all projects in your GCP organization. What should you do?
A. Grant them the Compute Admin role on each project
B. Grant them the Network Admin role at the organization level
C. Create a custom role in each project
D. Use IAM Conditions to allow access to VPCs only

correct answer: B
explanation: Granting the Network Admin role at the organization level ensures the user has permissions to manage networking resources across all projects.


question: 50
Which of the following is a primary advantage of using Shared VPC in a large enterprise environment?
A. Easier to manage IAM roles
B. Simplifies DNS resolution
C. Centralized control of network resources
D. Faster internet access for VMs

correct answer: C
explanation: Shared VPC enables centralized network management across multiple service projects, helping large enterprises maintain consistent security and routing policies.

Why is Pass4Certs the best choice for certification exam preparation?

Pass4Certs is dedicated to providing practice test questions with answers, free of charge, unlike other web-based platforms. To see the full review material, you need to register a free account on Pass4Certs. Many clients around the world are getting high grades by using our dumps. You get a 100 percent passing and unconditional guarantee on the test. PDF files are accessible immediately after purchase.

A Central Tool to Help You Prepare for the Exam

Pass4Certs.com is the last educational cost reason for taking the test. We meticulously adhere to the exact audit test questions and answers, which are regularly updated and verified by experts. Our exam dumps experts, who come from a variety of well-known administrations, are intelligent and qualified individuals who have reviewed a very important section of the exam questions and answers to help you understand the concepts and pass the certification exam with good marks. Braindumps are the most effective way to prepare for your test in only 1 day.

User Friendly & Easily Accessible on Mobile Devices

The exam platform is very easy to use. The fundamental aim of our platform is to provide the most recent, exact, updated and truly helpful review material. Students can use this material to study and successfully navigate the implementation and support of systems. Students can access authentic test questions and answers, which will be available for download in PDF format immediately after purchase. As long as your mobile device has an internet connection, you can study on this website, which is mobile-friendly for testers.

Dumps Are Verified by Industry Experts

Get Access to the Most Recent and Accurate Questions and Answers Right Away:
Our exam database is frequently updated throughout the year to include the most recent exam questions and answers. Each exam page shows a date at the top of the page, along with the updated list of exam questions and answers. You will pass the test on your first attempt due to the authenticity of the current exam questions.

Dumps for the exam have been checked by industry professionals who are dedicated to providing the right test questions and answers with brief descriptions. Each question and answer is checked by experts: highly qualified individuals with extensive professional experience in the vendor examination.

Pass4Certs.com delivers the best exam questions with detailed explanations in contrast with a number of other exam web portals.

Money Back Guarantee

Pass4Certs.com is committed to providing quality braindumps that will help you breeze through the test and get certified. In order to provide you with the best method of preparation for the exam, we provide the most recent and realistic test questions from current examinations. If you purchase the entire PDF file but fail the vendor exam, you can get your money back or get your exam replaced. Visit our guarantee page for more information on our straightforward money-back guarantee.


    Customer Reviews

    James
    "This course helped me pass my exam on the first try! The practice tests and explanations were spot on. Highly recommended!" ⭐⭐⭐⭐⭐
    Julie
    "The content was very helpful and concise. Some topics were a little deeper, but overall was excellent and I recommend, it definitely helped me pass my certification." ⭐⭐⭐⭐⭐
    Amenda
    "Passed my exam with 92%! The flashcards and timed quizzes were a game-changer. Perfect for last-minute revision." ⭐⭐⭐⭐⭐
    Charles
    "Pass4certs is the real MVP. I crammed for 3 days using their dumps and walked out of the exam like a boss. Passed with 89%!" ⭐⭐⭐⭐⭐
    Juliet
    "Shoutout to Pass4certs for helping me level up my career. I’ve passed two certifications back-to-back with their help. Super reliable and updated content!" ⭐⭐⭐⭐⭐