Professional-Cloud-Network-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud Network Engineer

When integrating on-premises networks with VPC Service Controls for private access to Google APIs, the recommended approach involves using Private Google Access for Hybrid Connectivity and configuring DNS resolution to the restricted.googleapis.com domain. This domain resolves to the 199.36.153.8/30 IP address range. It's crucial to advertise this range from Google Cloud to your on-premises routers so that on-premises clients can route traffic to the Google APIs privately. Additionally, to allow your on-premises network to access the APIs within the VPC Service Controls perimeter, you must define an access level that includes the IP address range of your on-premises network.

Exact Extract:

"To enable private access to Google APIs and services from on-premises networks protected by a VPC Service Controls perimeter, you must configure Private Google Access for Hybrid Connectivity."

"For on-premises hosts, configure your DNS to resolve *.googleapis.com to restricted.googleapis.com. The restricted.googleapis.com domain resolves to the IP address range 199.36.153.8/30."

"You must advertise the 199.36.153.8/30 range from your Cloud Routers to your on-premises routers through BGP."

"To allow on-premises networks to access protected resources within a VPC Service Controls perimeter, you must define an access level that includes the on-premises network's IP ranges. This access level is then applied to the service perimeter."Reference: Google Cloud VPC Service Controls Documentation - Private connectivity to Google APIs, Private Google Access for Hybrid Connectivity

https://cloud.google.com/vpc/docs/private-access-options#pga Private Google Access VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the _external IP addresses_ of Google APIs and services.

Cloud Armour is applied at load balancers Configuring Google Cloud Armor through Ingress. https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features Security policy features Google Cloud Armor security policies have the following core features: You can optionally use the QUIC protocol with load balancers that use Google Cloud Armor. You can use Google Cloud Armor with external HTTP(S) load balancers that are in either Premium Tier or Standard Tier. You can use security policies with GKE and the default Ingress controller.

Explanation: The correct approach is to create an HA VPN gateway and associate it with the encrypted VLAN attachments. The same Cloud Router used for BGP sessions with Cloud Interconnect can be used for the HA VPN. This configuration ensures encryption of the traffic passing over the Cloud Interconnect links.

This answer follows the Google-recommended practices for using privately used public IP (PUPI) addresses for GKE Pod address blocks1. The benefits of this approach are:

It allows you to use any public IP addresses that are not owned by Google or your organization for your Pods, which can help mitigate address exhaustion in your enterprise.

It prevents any external traffic from reaching your Pods, as Google Cloud does not route PUPI addresses to the internet or to other VPC networks by default.

It enables you to use VPC Network Peering to connect your GKE cluster to other VPC networks that use different PUPI addresses, as long as you enable the export and import of custom routes for the peering connection.

It preserves the fully integrated network model of GKE, where Pods can communicate with nodes and other resources in the same VPC network without NAT.

The options that you need to select when creating a private GKE cluster with PUPI addresses are:

–disable-default-snat: This option disables source NAT for outbound traffic from Pods to destinations outside the cluster’s VPC network. This is necessary to prevent Pods from using RFC 1918 addresses as their source IP addresses, which could cause conflicts with other networks that use the same address space2.

–enable-ip-alias: This option enables alias IP ranges for Pods and Services, which allows you to use separate subnet ranges for them. This is required to use PUPI addresses for Pods1.

–enable-private-nodes: This option creates a private cluster, where nodes do not have external IP addresses and can only communicate with the control plane through a private endpoint. This enhances the security and privacy of your cluster3.

Option A is incorrect because it does not use PUPI addresses for Pods, but rather RFC 1918 addresses. This does not solve the problem of address exhaustion in your enterprise. Option B is incorrect because it reuses the secondary address range for Services across multiple private GKE clusters, which could cause IP conflicts and routing issues. Option C is incorrect because it does not specify the options that are needed to create a private GKE cluster with PUPI addresses.

1: Configuring privately used public IPs for GKE | Kubernetes Engine | Google Cloud 2: Using Cloud NAT with GKE | Kubernetes Engine | Google Cloud 3: Private clusters | Kubernetes Engine | Google Cloud

https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview?hl=En#provisioning "To provision a Partner Interconnect connection with a service provider, you start by connecting your on-premises network to a supported service provider. Work with the service provider to establish connectivity.