Google Cloud Professional Cloud Network Engineer — Question 220

You are troubleshooting an application in your organization's Google Cloud network that is not functioning as expected. You suspect that packets are getting lost somewhere. The application sends packets intermittently at a low volume from a Compute Engine VM to a destination on your on-premises network through a pair of Cloud Interconnect VLAN attachments. You validated that the Cloud Next Generation Firewall (Cloud NGFW) rules do not have any deny statements blocking egress traffic, and you do not have any explicit allow rules. Following Google-recommended practices, you need to analyze the flow to see if packets are being sent correctly out of the VM to isolate the issue. What should you do?

Answer options

• A. Create a packet mirroring policy that is configured with your VM as the source and destined to a collector. Analyze the packet captures.
• B. Enable VPC Flow Logs on the subnet that the VM is deployed in with SAMPLE_RATE = 1.0, and run a query in Logs Explorer to analyze the packet flow.
• C. Verify the network/attachment/egress_dropped_packets_count Cloud Interconnect VLAN attachment metric.
• D. Enable Firewall Rules Logging on your firewall rules and review the logs.

Correct answer: A

Explanation

The correct answer is A because creating a packet mirroring policy allows you to capture and analyze the actual packets being sent from the VM, which is essential for diagnosing where packet loss might be occurring. Option B, while useful for analyzing flow, may not provide the granularity needed to identify specific packet loss issues. Option C focuses on a specific metric that may not give a complete picture of the packet flow, and Option D will only show logs for denied traffic, which doesn't help in this case since there are no deny rules.