GCP Professional Cloud Security Engineer Practice Question
Your company operates two on-premises routers, each connected to Google Cloud through its own 10-Gbps Dedicated Interconnect circuit that terminates in different Google edge PoPs. A regulatory audit now mandates encryption for all traffic between the data center and your VPC in us-central1. Business continuity requirements state that the encrypted transport must offer a 99.99 % SLA and fail over automatically if any single circuit, tunnel, or router becomes unavailable. All traffic must remain on the private Interconnect paths; using the public internet is prohibited. Which design meets these requirements while provisioning the least number of Google Cloud resources?
Deploy two Classic VPN gateways (one per circuit) and configure a pair of redundant IPsec tunnels on each gateway that use static routes distributed to the VPC.
Enable MACsec on both Interconnect circuits for encryption and rely solely on the underlying Interconnect HA configuration with Cloud Router for routing; do not deploy any VPN gateways.
Provision one HA VPN gateway that establishes two tunnels over public IP addresses, front it with Cloud NAT to keep instances private, and advertise routes through a Cloud Router.
Create one HA VPN gateway. Attach each of its two interfaces to a separate VLAN attachment on the two Dedicated Interconnect circuits, and build one BGP-based tunnel per interface through a single Cloud Router.
The most efficient design is to deploy a single HA VPN gateway and build two VPN tunnels, one on each Interconnect circuit, by placing each HA VPN interface in its own VLAN attachment that maps to a different Interconnect connection. An HA VPN gateway provides two active-active tunnels that each negotiate their own BGP session with a Cloud Router. With both tunnels up, the service delivers a 99.99 % availability SLA and offers sub-second fail-over if any path or device fails. Because the VPN endpoints use the private IPs of the VLAN attachments, all encrypted traffic follows the Dedicated Interconnect rather than the public internet.
The other options fail for these reasons:
Two Classic VPN gateways with static routes do not meet the 99.99 % SLA and cannot perform rapid, dynamic fail-over.
Relying only on MACsec encrypts the Layer 2 Interconnect but omits an IP-layer VPN, which the requirement explicitly calls for. It also offers no dynamic fail-over if a circuit or router goes down.
Building an HA VPN over public IP addresses would violate the mandate that traffic stays on the private Interconnect paths.
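The two properties the explanation relies on (no single circuit, tunnel, or on-premises router takes down every tunnel, and every tunnel endpoint is a private address) can be checked against a tunnel inventory. This is an added example, not part of the original question or any Google tooling; all tunnel names, component names and addresses are constructed, and treating "private path" as "RFC 1918 endpoint" is an assumption of the example.

```python
import ipaddress

# Assumption: an endpoint counts as "on the private path" if it is RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory for the chosen design: one tunnel per HA VPN interface,
# each riding a VLAN attachment on a different circuit and on-premises router.
CHOSEN_DESIGN = {
    "tunnel-0": {"deps": {"onprem-router-1", "circuit-1", "vlan-attachment-1"},
                 "endpoints": ("10.10.0.2", "10.10.0.1")},
    "tunnel-1": {"deps": {"onprem-router-2", "circuit-2", "vlan-attachment-2"},
                 "endpoints": ("10.10.1.2", "10.10.1.1")},
}

# Hypothetical weak variant: both tunnels share one circuit and router, and
# one peer endpoint is a public (documentation-range) address.
WEAK_DESIGN = {
    "tunnel-0": {"deps": {"onprem-router-1", "circuit-1", "vlan-attachment-1"},
                 "endpoints": ("10.10.0.2", "10.10.0.1")},
    "tunnel-1": {"deps": {"onprem-router-1", "circuit-1", "vlan-attachment-1b"},
                 "endpoints": ("10.10.1.2", "203.0.113.10")},
}

def single_points_of_failure(design):
    """Components or tunnels whose loss alone leaves no tunnel up."""
    candidates = set(design)
    for tunnel in design.values():
        candidates |= tunnel["deps"]
    return sorted(
        failed for failed in candidates
        # A tunnel survives if it is not the failed item and does not ride on it.
        if not any(name != failed and failed not in tunnel["deps"]
                   for name, tunnel in design.items())
    )

def non_private_endpoints(design):
    """(tunnel, ip) pairs whose address falls outside RFC 1918."""
    return sorted(
        (name, ip) for name, tunnel in design.items() for ip in tunnel["endpoints"]
        if not any(ipaddress.ip_address(ip) in net for net in RFC1918)
    )

if __name__ == "__main__":
    for label, design in (("chosen", CHOSEN_DESIGN), ("weak", WEAK_DESIGN)):
        print(label, single_points_of_failure(design), non_private_endpoints(design))
```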
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection