GCP Professional Cloud Security Engineer Practice Question
Your company must establish encrypted connectivity between its on-premises data center, which has two border routers operating in active/active mode, and a single Google Cloud VPC. The networking team requires Google's 99.99 % Cloud VPN SLA and automatic failover if either an on-prem router or a Google zone becomes unavailable. Which design satisfies these requirements while following Google best practices?
Create one HA VPN gateway in your VPC with two interfaces located in separate zones; configure a Cloud Router and build one BGP tunnel on each interface, terminating on different on-prem routers.
Deploy two Classic VPN gateways in different Google Cloud regions, each with a single static route-based tunnel to the same on-prem router, and rely on your internal IGP for failover.
Configure an HA VPN gateway with two interfaces but place both dynamic BGP tunnels on interface 0, terminating on the same on-prem router for simplicity.
Provision a single HA VPN gateway with only one interface and establish two policy-based IPsec tunnels (static routes) to each on-prem router.
To qualify for Google's 99.99 % Cloud VPN SLA, you must use HA VPN and build two concurrently active tunnels, each on a different external interface (0 and 1) of the same HA VPN gateway, with each tunnel terminating on a distinct peer router or peer interface. HA VPN requires Cloud Router and dynamic routing (BGP) to exchange routes and enable sub-second failover when a tunnel or zone fails. The design with one HA VPN gateway whose two interfaces sit in separate zones, a Cloud Router, and one BGP-based tunnel per interface terminating on different on-prem routers meets all of these conditions.
The other options do not meet the SLA or best-practice criteria:
Two Classic VPN gateways provide only a 99.9 % SLA and lack the fast, automatic failover of HA VPN.
A single HA VPN interface with two policy-based, static tunnels lacks the diversity across interfaces and does not use BGP, so it does not achieve the 99.99 % SLA.
Placing both tunnels on the same interface or terminating them on the same on-prem router creates a single point of failure and therefore fails to meet the SLA.
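The rules in the explanation can be turned into an audit check. The following is an added example, not part of the original question: it assumes tunnel records shaped like the Compute Engine vpnTunnels resource, models both on-prem routers as interfaces 0 and 1 of one external peer gateway, and labels the four answer choices A to D in the order they appear; all resource names and records are constructed.

```python
# Added example: audit vpnTunnels-style records against the HA VPN rules above.
# Field names follow the Compute Engine vpnTunnels resource; all records are constructed.

def check_ha_vpn(tunnels):
    """Return findings; an empty list means the topology matches the 99.99% design."""
    findings = []
    ha = [t for t in tunnels if t.get("vpnGateway")]
    if len(ha) < len(tunnels):
        findings.append("classic-vpn-tunnel")  # no vpnGateway => Classic VPN tunnel
    if len({t["vpnGateway"] for t in ha}) != 1:
        findings.append("not-one-ha-gateway")
    if not {0, 1} <= {t.get("vpnGatewayInterface") for t in ha}:
        findings.append("interfaces-0-and-1-not-both-used")
    # Distinct (peer gateway, peer interface) pairs = distinct on-prem terminations.
    peers = {(t.get("peerExternalGateway"), t.get("peerExternalGatewayInterface"))
             for t in ha}
    if len(peers) < 2:
        findings.append("single-peer-termination")
    # A tunnel with no Cloud Router attached is using static routing, not BGP.
    if any(not t.get("router") for t in tunnels):
        findings.append("no-cloud-router-bgp")
    return findings

def tunnel(gw_iface, peer_iface, router="cr-onprem", classic=False):
    """Build one constructed tunnel record (hypothetical resource names)."""
    if classic:
        return {"targetVpnGateway": "classic-gw", "router": None}
    return {"vpnGateway": "ha-gw", "vpnGatewayInterface": gw_iface,
            "peerExternalGateway": "onprem-routers",
            "peerExternalGatewayInterface": peer_iface, "router": router}

# The four answer choices, in page order, expressed as tunnel records.
OPTIONS = {
    "A": [tunnel(0, 0), tunnel(1, 1)],
    "B": [tunnel(None, None, classic=True), tunnel(None, None, classic=True)],
    "C": [tunnel(0, 0), tunnel(0, 0)],
    "D": [tunnel(0, 0, router=None), tunnel(0, 1, router=None)],
}

if __name__ == "__main__":
    for name, records in OPTIONS.items():
        print(name, check_ha_vpn(records) or "meets the design")
```

Only the first choice returns no findings; each of the others trips at least one of the conditions the explanation lists.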
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection