
Google Cloud Router

  • Cloud Router is a fully distributed, managed Google Cloud service that lets you define custom dynamic routes and scales automatically with your network traffic; there is no router appliance for you to size, patch, or fail over.

Features

  • It works with both legacy networks and Virtual Private Cloud (VPC) networks.
  • Cloud Router utilizes Border Gateway Protocol (BGP) to exchange routes between your Virtual Private Cloud (VPC) network and your on-premises network.
  • Cloud Router is required or recommended in the following cases:
    • Required for Cloud NAT
    • Required for Cloud Interconnect and HA VPN
    • A recommended configuration option for Classic VPN
  • When you extend your on-premises network to Google Cloud, use Cloud Router to dynamically exchange routes between your Google Cloud networks and your on-premises network.
  • Cloud Router peers with your on-premises VPN gateway or router. The routers exchange topology information through BGP.

Route advertisements

  • Through BGP, Cloud Router advertises the IP ranges of Google Cloud resources that clients in your on-premises network can reach. Your on-premises network then forwards packets whose destination IP address matches an advertised range to your VPC network. Once the packets arrive in Google Cloud, your VPC network's firewall rules and routes determine how Google Cloud routes them.
  • Default route advertisement – Cloud Router advertises the subnets in its own region when the VPC network uses regional dynamic routing, or all subnets in the VPC network when it uses global dynamic routing.
  • Custom route advertisement – You explicitly specify the IP ranges that the Cloud Router advertises to your on-premises network (optionally in addition to the subnet ranges), which lets you announce only what on-premises clients actually need.
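As an added illustration (not code from this page or from Google), the following Python models which prefixes a Cloud Router announces to its BGP peer under the two advertisement modes above, and adds the check a reviewer wants: which announced prefixes fall outside an allowlist of ranges that on-premises is supposed to learn. The Subnet and RouterConfig types, their field names, and the sample subnets are this example's own assumptions, not the Cloud Router API; 199.36.153.4/30 is the restricted.googleapis.com VIP range discussed in the practice question further down this page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Subnet:
    name: str
    region: str
    cidr: str


@dataclass(frozen=True)
class RouterConfig:
    """Model of the settings that decide what a Cloud Router announces over BGP.

    Illustrative only: these are this example's own names, not the Cloud Router API.
    """
    region: str                          # region the Cloud Router lives in
    dynamic_routing_mode: str            # VPC network setting: "REGIONAL" or "GLOBAL"
    advertise_mode: str = "DEFAULT"      # "DEFAULT" or "CUSTOM"
    advertise_all_subnets: bool = False  # CUSTOM only: also announce the subnet group
    custom_ranges: tuple = ()            # CUSTOM only: explicit prefixes, e.g. the restricted VIP


def _subnet_prefixes(cfg, subnets):
    """Regional dynamic routing announces only the router's region; global announces every subnet."""
    if cfg.dynamic_routing_mode == "GLOBAL":
        chosen = list(subnets)
    elif cfg.dynamic_routing_mode == "REGIONAL":
        chosen = [s for s in subnets if s.region == cfg.region]
    else:
        raise ValueError(f"unknown dynamic routing mode: {cfg.dynamic_routing_mode}")
    return [ipaddress.ip_network(s.cidr) for s in chosen]


def advertised_prefixes(cfg, subnets):
    """Sorted, de-duplicated list of prefixes this router would announce to its BGP peer."""
    if cfg.advertise_mode == "DEFAULT":
        prefixes = _subnet_prefixes(cfg, subnets)
    elif cfg.advertise_mode == "CUSTOM":
        prefixes = _subnet_prefixes(cfg, subnets) if cfg.advertise_all_subnets else []
        # strict=True rejects a range with host bits set (e.g. 199.36.153.5/30) instead of silently masking it
        prefixes += [ipaddress.ip_network(r, strict=True) for r in cfg.custom_ranges]
    else:
        raise ValueError(f"unknown advertise mode: {cfg.advertise_mode}")
    ordered = sorted(set(prefixes), key=lambda n: (n.version, n.network_address.packed, n.prefixlen))
    return [str(n) for n in ordered]


def not_allowlisted(advertised, allowlist):
    """Announced prefixes not contained in any allowlisted range: what on-prem learns that it should not."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    leaks = []
    for p in advertised:
        net = ipaddress.ip_network(p)
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            leaks.append(p)
    return leaks


# Constructed sample VPC: two subnets in different regions, router in us-central1.
SAMPLE_SUBNETS = (
    Subnet("app-usc1", "us-central1", "10.10.0.0/20"),
    Subnet("app-euw1", "europe-west1", "10.20.0.0/20"),
)
RESTRICTED_VIP = "199.36.153.4/30"  # restricted.googleapis.com VIP range

DEFAULT_REGIONAL = RouterConfig("us-central1", "REGIONAL")
DEFAULT_GLOBAL = RouterConfig("us-central1", "GLOBAL")
VIP_ONLY = RouterConfig("us-central1", "GLOBAL", "CUSTOM", False, (RESTRICTED_VIP,))
VIP_PLUS_SUBNETS = RouterConfig("us-central1", "GLOBAL", "CUSTOM", True, (RESTRICTED_VIP,))

if __name__ == "__main__":
    cases = [("default/regional", DEFAULT_REGIONAL), ("default/global", DEFAULT_GLOBAL),
             ("custom: VIP only", VIP_ONLY), ("custom: VIP + all subnets", VIP_PLUS_SUBNETS)]
    for label, cfg in cases:
        announced = advertised_prefixes(cfg, SAMPLE_SUBNETS)
        print(f"{label:28} {announced}  extra vs allowlist: {not_allowlisted(announced, [RESTRICTED_VIP])}")
```

The last case is the one to watch: switching a router to custom advertisement while keeping the all-subnets group still leaks every VPC subnet to the on-premises peer, so an allowlist check like `not_allowlisted` belongs in any change review of router configuration.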

Validate Your Knowledge

Question 1

You are hosting a web application in your on-premises data center that needs to fetch files from a Cloud Storage bucket. However, your company strictly implements security policies that prohibit your bare-metal servers from having a public IP address or having any access to the Internet. You want to follow Google-recommended practices to provide your web application the necessary access to Cloud Storage.

What should you do?

  1. a. Issue nslookup command on your command-line to get the IP address for storage.googleapis.com.
    b. Discuss with the security team why you need to have a public IP address for the servers.
    c. Explicitly allow egress traffic from your servers to the IP address of storage.googleapis.com.

  2. a. Create a VPN tunnel connecting to a custom-mode VPC in the Google Cloud Platform using Cloud VPN.
    b. Create a Compute Engine instance and install the Squid Proxy Server. Use the custom-mode VPC as the location.
    c. Configure your on-premises servers to use the new instance as a proxy to access the Cloud Storage bucket.

  3. a. Migrate your on-premises server using Migrate for Compute Engine (formerly known as Velostrata).
    b. Provision an internal load balancer (ILB) that uses storage.googleapis.com as a backend.
    c. Set up the new instances to use the ILB as a proxy to connect to the Cloud Storage.

  4. a. Create a VPN tunnel to GCP using Cloud VPN or Cloud Interconnect.
    b. Use Cloud Router to create a custom route advertisement for 199.36.153.4/30. Announce that network to your on-premises network via VPN tunnel.
    c. Configure the DNS server in your on-premises network to resolve *.googleapis.com as a CNAME to restricted.googleapis.com.

Correct Answer: 4

Private Google Access for on-premises hosts requires that you send requests for Google APIs to one of the following special domains. The special domain you choose determines which services you can access:

private.googleapis.com (199.36.153.8/30) provides access to most Google APIs and services, including Cloud and Developer APIs that support VPC Service Controls and those that do not support VPC Service Controls. VPC Service Controls are enforced when you configure a service perimeter.

restricted.googleapis.com (199.36.153.4/30) only provides access to Cloud and Developer APIs that support VPC Service Controls. VPC Service Controls are enforced for these services if you’ve configured a service perimeter. Access to any Google API or service that does not support VPC Service Controls is prohibited.

For on-premises hosts to reach restricted Google API services, requests to Google APIs must be sent through a VPC network, either through a Cloud VPN tunnel or Cloud Interconnect connection.

In either case (Cloud VPN or Cloud Interconnect), all requests to Google APIs and services must be sent to the virtual IP address (VIP) range 199.36.153.4/30 (restricted.googleapis.com). This range is not announced to the Internet, so traffic sent to the VIP stays within Google's network.

Routes in your on-premises network must be configured to direct traffic for the IP address ranges used by the private.googleapis.com or restricted.googleapis.com domains to the next hop Cloud VPN tunnels or Cloud Interconnect attachments (VLANs) that connect to your VPC network.

You can use Cloud Router Custom Route Advertisements to announce routes for the following destinations:

199.36.153.8/30 – if you chose private.googleapis.com

199.36.153.4/30 – if you chose restricted.googleapis.com

Your on-premises network must have DNS zones and records configured so that Google domain names resolve to the set of IP addresses for either private.googleapis.com or restricted.googleapis.com. You can create Cloud DNS-managed private zones and use a Cloud DNS inbound server policy, or you can configure on-premises name servers. For example, you can use BIND or Microsoft Active Directory DNS.

Hence, the correct answer is:

1. Create a VPN tunnel to GCP using Cloud VPN or Cloud Interconnect.

2. Use Cloud Router to create a custom route advertisement for 199.36.153.4/30. Announce that network to your on-premises network via VPN tunnel.

3. Configure a CNAME record on your on-premises DNS server to resolve all *.googleapis.com traffic to restricted.googleapis.com.
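The three steps above can be checked from the on-premises side before anyone relies on them. The Python below is an added example (not code from this page or from Google): it renders the BIND records that pin *.googleapis.com to the chosen special domain, flags resolver answers that fall outside the chosen VIP /30 (a leak to public addresses, which the security policy forbids), and confirms by longest-prefix match that the /30 is routed to the VPN tunnel or VLAN attachment rather than following the default Internet route. The function names, the resolver answers and the route table are constructed for the example; 203.0.113.10 is an RFC 5737 documentation address standing in for a public IP.

```python
import ipaddress

# The two special domains and their VIP ranges, as given in the explanation above.
SPECIAL_DOMAINS = {
    "private.googleapis.com": ipaddress.ip_network("199.36.153.8/30"),
    "restricted.googleapis.com": ipaddress.ip_network("199.36.153.4/30"),
}


def vip_range(domain):
    """The /30 that on-premises hosts must reach for the chosen special domain."""
    try:
        return SPECIAL_DOMAINS[domain]
    except KeyError:
        raise ValueError(f"not a Private Google Access special domain: {domain}") from None


def render_bind_zone(domain):
    """Records for an on-prem googleapis.com zone: A records pinning the special domain to all four
    addresses of its /30, then a wildcard CNAME so every *.googleapis.com name resolves to it.
    The record layout is this example's own; adapt it to your DNS server."""
    net = vip_range(domain)
    # Iterate the whole /30 rather than net.hosts(): Google uses all four addresses, not just the middle two.
    lines = [f"{domain}.  IN A  {ip}" for ip in net]
    lines.append(f"*.googleapis.com.  IN CNAME  {domain}.")
    return "\n".join(lines)


def check_dns_answers(domain, answers):
    """Map hostname -> answers that fall outside the chosen VIP range (empty dict means no leak).
    `answers` is hostname -> list of IP strings as returned by the on-prem resolver."""
    net = vip_range(domain)
    leaks = {}
    for host, ips in answers.items():
        outside = [ip for ip in ips if ipaddress.ip_address(ip) not in net]
        if outside:
            leaks[host] = outside
    return leaks


def check_route(domain, routes, private_next_hops):
    """True only if the longest-prefix match for the VIP /30 points at a tunnel or VLAN attachment.
    `routes` is prefix -> next-hop name. A default route to the ISP does not count: Google does not
    announce the VIP range on the Internet, so that traffic would simply be dropped."""
    net = vip_range(domain)
    matching = []
    for prefix, next_hop in routes.items():
        route = ipaddress.ip_network(prefix)
        if route.version == net.version and net.subnet_of(route):
            matching.append((route.prefixlen, next_hop))
    if not matching:
        return False
    _, best_next_hop = max(matching, key=lambda m: m[0])  # longest prefix wins
    return best_next_hop in private_next_hops


# Constructed sample data standing in for `dig` output and the on-prem router's table.
ANSWERS_OK = {
    "storage.googleapis.com": ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"],
    "pubsub.googleapis.com": ["199.36.153.6"],
}
ANSWERS_LEAK = {
    "storage.googleapis.com": ["199.36.153.4"],
    "www.googleapis.com": ["203.0.113.10"],  # wildcard CNAME missing for this name; documentation address
}
ROUTES_OK = {"0.0.0.0/0": "isp-gateway", "199.36.153.4/30": "vpn-tunnel-1"}
ROUTES_BAD = {"0.0.0.0/0": "isp-gateway"}  # the VIP would follow the default route and never arrive
PRIVATE_NEXT_HOPS = {"vpn-tunnel-1", "vlan-attachment-1"}

if __name__ == "__main__":
    print(render_bind_zone("restricted.googleapis.com"))
    print("dns leaks (clean resolver): ", check_dns_answers("restricted.googleapis.com", ANSWERS_OK))
    print("dns leaks (leaking resolver):", check_dns_answers("restricted.googleapis.com", ANSWERS_LEAK))
    print("route ok: ", check_route("restricted.googleapis.com", ROUTES_OK, PRIVATE_NEXT_HOPS))
    print("route bad:", check_route("restricted.googleapis.com", ROUTES_BAD, PRIVATE_NEXT_HOPS))
```

Run the DNS check against the resolver your bare-metal servers actually use, not against a laptop; a split-horizon setup where only some resolvers carry the googleapis.com zone is exactly the case in which a single name falls back to public addresses and the request is blocked (or, worse, allowed) at the perimeter.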

The following option is incorrect because your company does not allow your on-premises servers to have a public IP address or any Internet access, so allowing egress to storage.googleapis.com's public address violates the policy outright. Moreover, you would still need to establish a VPN tunnel or Interconnect connection to reach Google Cloud privately, which this option never mentions:

1. Issue nslookup command on your command-line to get the IP address for storage.googleapis.com.

2. Discuss with the security team why you need to have a public IP address for the servers.

3. Explicitly allow egress traffic from your servers to the IP address of storage.googleapis.com.

The following option is incorrect because it routes all traffic through a self-managed Squid proxy on a Compute Engine instance, an extra hop that you must secure and patch and that exposes your network through that instance. You need to connect to Cloud Storage privately using Google's recommended path (Private Google Access for on-premises hosts), so this option does not satisfy the requirement:

1. Create a VPN tunnel connecting to a custom-mode VPC in the Google Cloud Platform using Cloud VPN.

2. Create a Compute Engine instance and install the Squid Proxy Server. Use the custom-mode VPC as the location.

3. Configure your on-premises servers to use the new instance as a proxy to access the Cloud Storage bucket.

The following option is incorrect because you don't need to migrate your existing on-premises server to Google Cloud. The scenario states that the application stays on-premises and needs to connect to Cloud Storage privately, so using Migrate for Compute Engine is inappropriate here:

1. Migrate your on-premises server using Migrate for Compute Engine

2. Provision an internal load balancer (ILB) that uses storage.googleapis.com as a backend.

3. Set up the new instances to use the ILB as a proxy to connect to the Cloud Storage.

References:
https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid
https://cloud.google.com/vpc-service-controls/docs/private-connectivity
https://cloud.google.com/network-connectivity/docs/router/how-to/advertising-custom-ip

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.

Reference:
https://cloud.google.com/network-connectivity/docs/router/concepts/overview
