
Answer-first summary for fast verification
Answer: C. Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority (a lower priority value) than the default route to the VPN tunnel.
The problem is route selection, not the NAT gateway. Cloud NAT only translates packets whose chosen route has the default internet gateway as its next hop; here the VPC's 0.0.0.0/0 route points at the VPN tunnel, so every internet-bound packet is handed to the on-premises network untouched. In Google Cloud a lower priority value means a **higher-priority route**, and among routes with the same destination prefix the lowest value wins, so the fix is a second 0.0.0.0/0 static route with next hop `default-internet-gateway`, a lower priority value than the VPN default route, and a network tag carried only by the instances that should egress through Cloud NAT. Option C is exactly that route: tagged instances (which must have no external IP for Cloud NAT to apply) now leave through the internet gateway and are translated, untagged instances keep using the tunnel, and more specific routes for on-premises ranges still win by longest-prefix match. The other options never touch route selection: firewall rule priorities are a separate number space from route priorities and a firewall rule does not choose a next hop (B), while the established-connection idle timeout (A) and min-ports-per-vm (D) only change how NAT port mappings are sized and aged once traffic already reaches the gateway.
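To make the priority and tag reasoning concrete, the following Python model of VPC route selection is an added example (not from the original page or from Google). It builds a small route table inline and shows which next hop a packet takes before and after the option C route is added, plus the failure case where the new route's priority value is higher than the VPN route's. The route names, tag name `nat-egress`, priority values, the VPN tunnel next hop and the on-premises range 10.0.0.0/8 are all assumptions.

```python
"""Model of Google Cloud VPC route selection for an egress packet.

Added example, not the original page's or Google's code. Route names,
tag names, priority values and the on-premises CIDR are assumptions.

Rules modelled (the documented VPC behaviour):
  1. a static route with network tags applies only to instances that
     carry at least one of those tags;
  2. the longest matching destination prefix wins;
  3. among equal prefixes, the lowest priority VALUE wins.
Equal-cost ties are not modelled (the VPC spreads traffic across them).
"""
from dataclasses import dataclass
import ipaddress
from typing import FrozenSet, Iterable, Optional, Tuple

INTERNET_GATEWAY = "default-internet-gateway"


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                           # destination CIDR
    next_hop: str                       # VPN tunnel or INTERNET_GATEWAY
    priority: int = 1000                # 0..65535, lower value wins
    tags: FrozenSet[str] = frozenset()  # empty = applies to every VM


def route_applies(route: Route, instance_tags: FrozenSet[str]) -> bool:
    """Rule 1: untagged routes apply to all VMs, tagged ones only to VMs with a matching tag."""
    return not route.tags or bool(route.tags & instance_tags)


def select_route(routes: Iterable[Route], instance_tags: FrozenSet[str],
                 dst_ip: str) -> Optional[Route]:
    """Return the route the VPC uses for a packet from a VM carrying
    `instance_tags` to `dst_ip`, or None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [
        r for r in routes
        if route_applies(r, instance_tags) and dst in ipaddress.ip_network(r.dest)
    ]
    if not candidates:
        return None
    # Rule 2, then rule 3: longest prefix first, then lowest priority value.
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


def cloud_nat_translates(route: Optional[Route]) -> bool:
    """Cloud NAT only processes packets whose selected next hop is the
    default internet gateway; packets sent into a VPN tunnel bypass it."""
    return route is not None and route.next_hop == INTERNET_GATEWAY


def egress(routes: Iterable[Route], instance_tags: FrozenSet[str],
           dst_ip: str) -> Tuple[Optional[str], bool]:
    """(next hop used, whether Cloud NAT translates the packet)."""
    r = select_route(routes, instance_tags, dst_ip)
    return (r.next_hop if r else None, cloud_nat_translates(r))


# Constructed route table (assumed names and values).
VPN_DEFAULT = Route("default-to-onprem", "0.0.0.0/0", "vpn-tunnel/onprem", priority=100)
ONPREM_NET = Route("onprem-ranges", "10.0.0.0/8", "vpn-tunnel/onprem", priority=1000)

# The option C route: same destination, internet gateway next hop,
# LOWER priority value than VPN_DEFAULT, restricted to tagged VMs.
NAT_FIX = Route("nat-egress-via-igw", "0.0.0.0/0", INTERNET_GATEWAY,
                priority=50, tags=frozenset({"nat-egress"}))
# Same route with a HIGHER priority value than the VPN route: it never
# wins, so tagged VMs still egress through on-premises untranslated.
NAT_WRONG_PRIO = Route("nat-egress-too-weak", "0.0.0.0/0", INTERNET_GATEWAY,
                       priority=200, tags=frozenset({"nat-egress"}))

BEFORE = (VPN_DEFAULT, ONPREM_NET)
AFTER = (VPN_DEFAULT, ONPREM_NET, NAT_FIX)
WRONG = (VPN_DEFAULT, ONPREM_NET, NAT_WRONG_PRIO)


if __name__ == "__main__":
    tagged, untagged = frozenset({"nat-egress"}), frozenset()
    for label, table in (("before", BEFORE), ("option C", AFTER), ("wrong priority", WRONG)):
        for tags in (tagged, untagged):
            for dst in ("8.8.8.8", "10.1.2.3"):
                shown = ",".join(sorted(tags)) or "-"
                print(f"{label:15} tags={shown:11} dst={dst:9} -> {egress(table, tags, dst)}")
```

Run it and the "option C" rows show tagged VMs reaching 8.8.8.8 via the internet gateway with translation, untagged VMs and all 10.0.0.0/8 traffic still via the tunnel, while the "wrong priority" rows look identical to "before". The real-world equivalent of `NAT_FIX` is `gcloud compute routes create nat-egress-via-igw --network=NETWORK --destination-range=0.0.0.0/0 --next-hop-gateway=default-internet-gateway --priority=50 --tags=nat-egress`, with the name, priority and tag again being assumed values; pick a priority value strictly below whatever the VPN default route uses.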
Author: LeetQuiz Editorial Team
Your company's on-premises network is connected to a VPC via a Cloud VPN tunnel. The VPC has a static route (0.0.0.0/0) with the VPN tunnel as its next hop, causing all internet-bound traffic to route through the on-premises network. You set up Cloud NAT in one region to translate primary IP addresses of Compute Engine instances, expecting their internet traffic to exit directly from the VPC instead of the on-premises network. However, VM traffic is not being translated as intended. What should you do?
A
Lower the TCP Established Connection Idle Timeout for the NAT gateway.
B
Add firewall rules that allow ingress and egress of the external NAT IP address, have a target tag that is on the Compute Engine instances, and have a priority value higher than the priority value of the default route to the VPN gateway.
C
Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel.
D
Increase the default min-ports-per-vm setting for the Cloud NAT gateway.