You are setting up a connection between your organization's Google Cloud environment and your on-premises network, which does not support BGP. Your on-premises network has 30 CIDR ranges that need to be accessible from Google Cloud. The VPN gateway generates a unique child security association (SA) for each CIDR. To ensure all 30 on-premises CIDR ranges are reachable from Google Cloud while following Google's best practices, which two approaches should you use? (Select two.)
Explanation:
To connect an on-premises network with 30 CIDR ranges to Google Cloud without BGP support, two methods align with Google-recommended practices:
Route-based VPN (Option A): A single tunnel with route-based VPN uses a broad traffic selector (e.g., 0.0.0.0/0) and relies on static routes to direct traffic. This avoids the CIDR limit per tunnel, enabling all 30 CIDRs to be reachable through a single tunnel.
Policy-based VPN with Multiple Tunnels (Option E): Policy-based VPNs allow up to 5 CIDRs per tunnel. To cover 30 CIDRs, multiple tunnels are required. Option E uses one CIDR per tunnel (30 tunnels total) connected to the same on-prem peer IP. While not ideal due to management complexity, this complies with technical limits and ensures reachability.
Options B, C, and D are invalid due to exceeding CIDR limits per tunnel (B, D) or requiring impractical peer IP configurations (C).
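The route-based design described in the explanation, as an added example that is not part of the original page: one Classic VPN tunnel whose traffic selectors are 0.0.0.0/0 on both sides, plus one static route per on-premises CIDR pointing at that tunnel. The script only emits the gcloud commands for review; project, region, network, gateway, peer IP, secret path and the 30 CIDRs are constructed placeholders, and the target VPN gateway with its ESP/UDP 500/UDP 4500 forwarding rules is assumed to exist already.

```shell
#!/bin/sh
# Added example (not the page's own code): emit the gcloud commands for the
# route-based Option A design. All names and addresses below are constructed
# placeholders; the target VPN gateway and its forwarding rules are assumed
# to have been created beforehand.
PROJECT="example-project"
REGION="us-central1"
NETWORK="corp-vpc"
GATEWAY="onprem-gw"
TUNNEL="onprem-tunnel-1"
PEER_IP="203.0.113.10"                       # documentation range, placeholder
SECRET_REF='$(cat /path/to/shared-secret)'   # read the PSK at run time, never inline it

# Constructed list of 30 on-premises CIDRs, one per line.
onprem_cidrs() {
  i=1
  while [ "$i" -le 30 ]; do
    echo "10.$i.0.0/24"
    i=$((i + 1))
  done
}

# One tunnel with 0.0.0.0/0 selectors: a single child SA carries every prefix,
# so the per-tunnel CIDR limit of policy-based VPN does not apply.
tunnel_cmd() {
  printf 'gcloud compute vpn-tunnels create %s --project=%s --region=%s --target-vpn-gateway=%s --peer-address=%s --ike-version=2 --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0 --shared-secret="%s"\n' \
    "$TUNNEL" "$PROJECT" "$REGION" "$GATEWAY" "$PEER_IP" "$SECRET_REF"
}

# One static route per on-premises CIDR, all using the same tunnel as next hop.
route_cmds() {
  n=1
  onprem_cidrs | while read -r cidr; do
    printf 'gcloud compute routes create onprem-route-%s --project=%s --network=%s --destination-range=%s --next-hop-vpn-tunnel=%s --next-hop-vpn-tunnel-region=%s\n' \
      "$n" "$PROJECT" "$NETWORK" "$cidr" "$TUNNEL" "$REGION"
    n=$((n + 1))
  done
}

# Full plan: 1 tunnel command followed by 30 route commands.
all_cmds() { tunnel_cmd; route_cmds; }

# Review the output, then apply it with:  all_cmds | sh
all_cmds
```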