
Answer-first summary for fast verification
Answer: Create a packet mirroring policy that is configured with your VM as the source and destined to a collector. Analyze the packet captures.
To determine if packets are leaving the VM, packet mirroring (A) is the most reliable method. VPC Flow Logs (B) only log traffic that is both allowed by firewall rules and successfully routed by the VPC. If there's a routing issue (e.g., no valid route to on-prem), flow logs might not capture the packets, even if the VM sends them. Packet mirroring directly captures all packets sent from the VM's interface, regardless of routing outcomes, providing definitive insight into whether the VM is transmitting packets. While VPC Flow Logs with SAMPLE_RATE=1.0 (B) could show allowed traffic, they depend on proper routing and are connection-oriented, not packet-level. Options C and D focus on later stages (interconnect drops or firewall logging) and do not address the core task of verifying VM egress.
Author: LeetQuiz Editorial Team
You are troubleshooting an intermittently failing application in your Google Cloud network, where low-volume packets sent from a Compute Engine VM to an on-premises destination via Cloud Interconnect VLAN attachments may be getting lost. You've confirmed that Cloud NGFW rules contain no egress deny statements and no explicit allow rules. To diagnose whether packets are correctly leaving the VM per Google's best practices, what action should you take?
A. Create a packet mirroring policy that is configured with your VM as the source and destined to a collector. Analyze the packet captures.
B. Enable VPC Flow Logs on the subnet that the VM is deployed in with SAMPLE_RATE = 1.0, and run a query in Logs Explorer to analyze the packet flow.
C. Verify the network/attachment/egress_dropped_packets_count Cloud Interconnect VLAN attachment metric.
D. Enable Firewall Rules Logging on your firewall rules and review the logs.