
Google Professional Cloud Network Engineer
As a network administrator managing hybrid connectivity, your team needs to access a Cloud SQL instance in the us-west1 region within a Shared VPC. You've set up a Dedicated Interconnect connection and a Cloud Router in us-west1, confirming successful connectivity between the Shared VPC and on-premises data center. After establishing a private services access connection for Cloud SQL using the reserved IP range with default settings, on-premises users still cannot reach the instance. How do you troubleshoot and resolve this issue?
Explanation:
The issue arises because the private services access connection (VPC peering) does not automatically export routes to on-premises. By default, VPC Network Peering does not enable route import/export for service peerings. To resolve this:
- Modify the VPC Network Peering connection to enable route import/export, ensuring the Cloud SQL IP range is imported into the Shared VPC.
- Create a custom route advertisement on the Cloud Router to explicitly advertise the Cloud SQL IP range over BGP via the Dedicated Interconnect. This ensures the on-premises network knows how to route traffic to the Cloud SQL instance.
Options B, C, and D are incorrect because:
- Changing the VPC routing mode to global (B, D) is not applicable here, as Shared VPC routing modes cannot be modified after creation.
- Creating additional Cloud Routers or BGP peerings (C) is unnecessary since the existing Cloud Router in us-west1 is sufficient once properly configured.