Topic 1 Question 111
Your organization's security policy requires that all internet-bound traffic return to your on-premises data center through HA VPN tunnels before egressing to the internet, while allowing virtual machines (VMs) to leverage private Google APIs using private virtual IP addresses 199.36.153.4/30. You need to configure the routes to enable these traffic flows. What should you do?
A. Configure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.
B. Configure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next hop is the VPN tunnel back to the on-premises data center.
C. Announce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default internet gateway.
D. Announce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.
Comments (5)
- Selected answer: C
100% for C.
Following this link (https://cloud.google.com/vmware-engine/docs/networking/workload-internet-access#use_an_on-premises_connection_for_workload_internet_access) we eliminate A and B.
The requirement is that the on-premises router sends 0.0.0.0/0, but this setup creates a black hole for Google API services. Traffic to the APIs (199.36.153.4/30) needs to stay inside GCP, so it is required to adjust it: create a custom route to the GCP default gateway (https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config-routing-custom)
"If you've replaced or changed your default route, ensure that you have custom static routes configured for the destination IP ranges used by private.googleapis.com or restricted.googleapis.com"
100% sure for C.
👍 6 ccieman2016 2022/12/02
- Selected answer: C
100% for C.
👍 2 pfilourenco 2022/12/03
- Selected answer: C
Agree on C. If your VPC network contains a default route whose next hop is the default internet gateway, you can use that route to access Google APIs and services, without needing to create custom routes. If you have replaced an IPv4 default route (destination 0.0.0.0/0) with a custom route whose next hop is not the default internet gateway, you can meet the routing requirements for Google APIs and services using custom routing instead. Custom routing: As an alternative to a default route for IPv4 traffic, you can use custom static routes, each having a more specific destination, and each using the default internet gateway next hop. https://cloud.google.com/vmware-engine/docs/networking/workload-internet-access#use_an_on-premises_connection_for_workload_internet_access
👍 2 al_zo 2022/12/07
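
Added example, not part of the original page or its comments: a simplified model of route selection (longest prefix first, then lowest priority value) that checks each of the four answer options against the two requirements in the question. Assumptions: the BGP-announced 0.0.0.0/0 is modelled as a route whose priority equals its MED, the next-hop labels are hypothetical names, and 203.0.113.10 is a constructed internet destination.

```python
import ipaddress

# Hypothetical next-hop labels used only in this model.
VPN = "vpn-tunnel-to-on-prem"
IGW = "default-internet-gateway"

API_RANGE = ipaddress.ip_network("199.36.153.4/30")  # range given in the question
INTERNET_DST = "203.0.113.10"                        # constructed sample destination

# Each answer option as (destination, priority or MED, next hop).
OPTIONS = {
    "A": [("0.0.0.0/0", 500, IGW), ("199.36.153.4/30", 1000, VPN)],
    "B": [("0.0.0.0/0", 1000, IGW), ("199.36.153.4/30", 500, VPN)],
    "C": [("0.0.0.0/0", 1000, VPN), ("199.36.153.4/30", 1000, IGW)],
    "D": [("0.0.0.0/0", 500, VPN), ("199.36.153.4/30", 1000, VPN)],
}

def next_hop(routes, dst):
    """Pick the route for dst: most specific prefix, then lowest priority value."""
    addr = ipaddress.ip_address(dst)
    matches = []
    for net, prio, hop in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            matches.append((network.prefixlen, prio, hop))
    if not matches:
        return None  # no matching route: the packet is dropped
    # Longest prefix wins regardless of priority; priority only breaks ties.
    return min(matches, key=lambda m: (-m[0], m[1]))[2]

def meets_policy(routes):
    """Internet traffic must leave via the VPN; API traffic must not."""
    internet_ok = next_hop(routes, INTERNET_DST) == VPN
    apis_ok = all(next_hop(routes, str(ip)) == IGW for ip in API_RANGE)
    return internet_ok and apis_ok

def compliant_options():
    return [name for name, routes in OPTIONS.items() if meets_policy(routes)]

if __name__ == "__main__":
    for name, routes in OPTIONS.items():
        print(name, "internet ->", next_hop(routes, INTERNET_DST),
              "| APIs ->", next_hop(routes, "199.36.153.5"),
              "| compliant:", meets_policy(routes))
```

The priority and MED values never decide the outcome here, because the /30 always beats 0.0.0.0/0 on prefix length; only the next hops differ between the options.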