Google Professional Cloud Network Engineer


You are troubleshooting an intermittently failing application in your Google Cloud network, where low-volume packets sent from a Compute Engine VM to an on-premises destination via Cloud Interconnect VLAN attachments may be getting lost. You've confirmed that Cloud NGFW rules contain no egress deny statements and no explicit allow rules. To diagnose whether packets are correctly leaving the VM per Google's best practices, what action should you take?

Explanation:

To determine if packets are leaving the VM, packet mirroring (A) is the most reliable method. VPC Flow Logs (B) only log traffic that is both allowed by firewall rules and successfully routed by the VPC. If there's a routing issue (e.g., no valid route to on-prem), flow logs might not capture the packets, even if the VM sends them. Packet mirroring directly captures all packets sent from the VM's interface, regardless of routing outcomes, providing definitive insight into whether the VM is transmitting packets. While VPC Flow Logs with SAMPLE_RATE=1.0 (B) could show allowed traffic, they depend on proper routing and are connection-oriented, not packet-level. Options C and D focus on later stages (interconnect drops or firewall logging) and do not address the core task of verifying VM egress.