Google Professional Cloud Network Engineer

Get started today

Ultimate access to all questions.

Explanation:

To ensure Compute Engine resources in spoke VPCs can resolve both on-premises and Google Cloud hostnames, the recommended approach involves DNS peering and proper route configuration. Here's the breakdown:

Private Forwarding Zone in Hub VPC: Create a private forwarding zone for 'corp.altostrat.com' in the hub VPC, pointing to the on-premises DNS server (192.168.20.88). This allows the hub to forward DNS queries for the on-premises domain.
Private Peering Zone in Spoke VPCs: Create a private peering zone in each spoke VPC for 'corp.altostrat.com', targeting the hub VPC. This enables spokes to route DNS queries for the domain to the hub, which then forwards them to on-premises.
Custom Route Advertisement: The Cloud Router in the hub must advertise the 35.199.192.0/19 subnet (Google's private DNS IP range) to ensure DNS queries for Google Cloud hostnames are routed correctly.
VPC Peering: Spoke VPCs must peer with the hub VPC to establish network connectivity required for DNS peering to function.

Option A includes all these steps. Option B omits VPC peering (step 4), which is essential for DNS peering to work. Options C and D suggest redundant VPN configurations, violating the hub-and-spoke best practices.

Explanation:

Private Forwarding Zone in Hub VPC: Create a private forwarding zone for 'corp.altostrat.com' in the hub VPC, pointing to the on-premises DNS server (192.168.20.88). This allows the hub to forward DNS queries for the on-premises domain.
Private Peering Zone in Spoke VPCs: Create a private peering zone in each spoke VPC for 'corp.altostrat.com', targeting the hub VPC. This enables spokes to route DNS queries for the domain to the hub, which then forwards them to on-premises.
Custom Route Advertisement: The Cloud Router in the hub must advertise the 35.199.192.0/19 subnet (Google's private DNS IP range) to ensure DNS queries for Google Cloud hostnames are routed correctly.
VPC Peering: Spoke VPCs must peer with the hub VPC to establish network connectivity required for DNS peering to function.

Comments (0)

No comments yet.

You are designing a hybrid cloud environment where your Google Cloud infrastructure connects to your on-premises network via HA VPN and Cloud Router in a central transit hub VPC (using default settings). Your on-premises DNS server is at 192.168.20.88. How can you enable Compute Engine instances across multiple spoke VPCs to resolve both on-premises private hostnames under the domain corp.altostrat.com and Google Cloud hostnames while adhering to Google's recommended practices?

Exam-Like

Last updated: March 20, 2026 at 14:04

Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC. 2. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19. 4. Configure VPC peering in the spoke VPCs to peer with the hub VPC.

38.9%

Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. 2. Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke PCs, with the hub VPC as the target. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC. 2. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19. 4. Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the on-premises network directly.

16.7%

Create a private forwarding zone in Cloud DNS for ‘corp altostrat.com’ called corp-altostrat-com that points to 192. 168.20.88. Associate the zone with the hub VPC. 2. Create a private peering zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. 3. Sat a custom route advertisement on the Cloud Router for 35.199.192.0/19. 4. Create a hub and spoke VPN deployment in each spoke VPC to connect back to the hub VPC.

22.2%