Google Cloud Professional Cloud Network Engineer — Question 114

Your company’s on-premises network is connected to a VPC using a Cloud VPN tunnel. You have a static route of 0.0.0.0/0 with the VPN tunnel as its next hop defined in the VPC. All internet bound traffic currently passes through the on-premises network. You configured Cloud NAT to translate the primary IP addresses of Compute Engine instances in one region. Traffic from those instances will now reach the internet directly from their VPC and not from the on-premises network. Traffic from the virtual machines (VMs) is not translating addresses as expected. What should you do?

Answer options

• A. Lower the TCP Established Connection Idle Timeout for the NAT gateway.
• B. Add firewall rules that allow ingress and egress of the external NAT IP address, have a target tag that is on the Compute Engine instances, and have a priority value higher than the priority value of the default route to the VPN gateway.
• C. Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel.
• D. Increase the default min-ports-per-vm setting for the Cloud NAT gateway.

Correct answer: C

Explanation

The correct answer is C because adding a default static route to the VPC with the internet gateway as the next hop allows traffic from the Compute Engine instances to be routed directly to the internet, bypassing the on-premises network. Options A and D do not address the routing issue, while option B may allow traffic but does not establish a direct path to the internet for the VMs.