Google Cloud Professional Cloud Network Engineer — Question 59
You want to implement an IPsec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?
Answer options
- A. Dynamic routing using Cloud Router
- B. Route-based routing using default traffic selectors
- C. Policy-based routing using a custom local traffic selector
- D. Policy-based routing using the default local traffic selector
Correct answer: C
Explanation
The correct answer is C: policy-based routing with a custom local traffic selector lets you define the specific subnets that are reachable over the tunnel. Option A is not suitable because dynamic routing with Cloud Router requires BGP, and option B is not suitable because default traffic selectors do not provide the granularity needed to restrict reachability to specific subnets. Option D keeps the default local traffic selector, so it also does not allow custom selections, limiting your control over the traffic flow.