Google Cloud Professional Cloud Network Engineer — Question 163
You are configuring your organization's Google Cloud environment to connect to your on-premises network, which does not support Border Gateway Protocol (BGP). Your on-premises network has 30 CIDR ranges that must be reachable from Google Cloud. Your VPN gateway creates a unique child security association (SA) per CIDR. You must ensure that the 30 CIDR ranges in your on-premises network are reachable from Google Cloud.
Following Google-recommended practices, which two methods can you use to accomplish this? (Choose two.)
Answer options
- A. Create a single Cloud VPN tunnel that uses route-based VPN.
- B. Create a single Cloud VPN tunnel that uses policy-based routing with 30 CIDRs as the remote traffic selectors.
- C. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to unique peer IP addresses.
- D. Create multiple Cloud VPN tunnels that use policy-based routing with 10 CIDR per tunnel as the remote traffic selectors.
- E. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to the same peer IP address.
Correct answer: A, C
Explanation
The correct answers are A and C. Option A uses a single route-based VPN tunnel: because the peer does not support BGP, routes are configured statically, and a route-based tunnel does not tie a child SA to each CIDR, so all 30 on-premises ranges can be reached over one tunnel. Option C also works: each policy-based tunnel carries exactly one local and one remote CIDR, so each tunnel negotiates a single child SA, and connecting each tunnel to a unique peer IP address keeps the tunnels distinct on both gateways. Options B, D, and E are incorrect: B and D place several CIDRs in one tunnel's remote traffic selector, which forces the peer gateway to create multiple child SAs on a single tunnel, and E terminates multiple tunnels on the same peer IP address, which is not the configuration Google recommends for this peer.