Configure an HA VPN gateway between the Finance VPC and the Sales VPC.

Configure the instances that require communication between each other with an external IP address.

Create a VPC Network Peering connection between the Finance VPC and the Sales VPC.

Configure Cloud NAT and a Cloud Router in the Sales and Finance VPCs.

Direct Peering

Dedicated Interconnect

Partner Interconnect with a layer 2 partner

Partner Interconnect with a layer 3 partner

Create a GKE private cluster with a private endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers. Configure authorized networks to specify the desired on-premises subnets.

Create a GKE private cluster with a public endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers.

Create a GKE private cluster with a private endpoint for the control plane. Configure authorized networks to specify the desired on-premises subnets.

Create a GKE public cluster. Configure authorized networks to specify the desired on-premises subnets.

Assign each user the editor role.

Assign each user the compute.networkAdmin role.

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.

Peer the two VPCs, and use the default configuration for the Cloud Routers.

Peer the two VPCs, and use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.

Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router’s custom route advertisements to announce a default route to the on-premises locations.

Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.

Use regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

Use global routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

Use regional routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

Use global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

Enable Private Google Access on all the subnets.

Enable Private Google Access on the VPC.

Enable Private Services Access on the VPC.

Create network peering between your VPC and BigQuery.

Create a Cloud NAT, and route the application traffic via NAT gateway.

Configure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.

Create a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.

Use the default Cloud NAT gateway's NAT proxy to dynamically scale using a single NAT IP address.

Use the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.

Configure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.

Create a subnet of size/25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.

Create a subnet of size/28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.

Use gcloud container clusters create [CLUSTER NAME]--enable-ip-alias to create a VPC-native cluster.

Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.

Configure the route advertisement to the default setting.

On the on-premises router, configure a static route for the storage API virtual IP address which points to the Cloud Router's link-local IP address.

Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Leave all other options as their default settings.

Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.

Assign members of the networking team the compute.networkUser role.

Assign members of the networking team the compute.networkAdmin role.

Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.

Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

Use Network Intelligence Center's Connectivity Tests.

Enable Packet Mirroring on your application and send test traffic.

Use Network Intelligence Center's Network Topology visualizations.

Enable VPC Flow Logs and send test traffic.

HTTP(S) load balancer

SSL proxy load balancer

TCP proxy load balancer

Network load balancer

gcloud compute instances add-access-config instance-1

gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

gcloud compute health-checks update http health-check --unhealthy-threshold 10

Create a VPC and request static external IP addresses from Google Cloud Assagn the IP addresses to the Compute Engine instances. Notify your customers of the new IP addresses so they can update their DNS

Verify ownership of your IP addresses. After the verification, Google Cloud advertises and provisions the IP prefix for you_ Assign the IP addresses to the Compute Engine Instances

Create a VPC With the same IP address range as your on-premises network Asson the IP addresses to the Compute Engine Instances.

Verify ownership of your IP addresses. Use live migration to import the prefix Assign the IP addresses to Compute Engine instances.

Configure global load balancing to point 172.16.45.0/24 to the correct instance.

Create unique DNS records for each service that sends traffic to the desired IP address.

Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.

Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.

Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.

Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.

Use multiple VPC networks with a transit network using VPC Network Peering.

Use overlapping RFC 1918 ranges with multiple isolated VPC networks.

Use overlapping RFC 1918 ranges with multiple isolated VPC networks and Cloud NAT.

Use non-RFC 1918 ranges with a single global VPC.

/24

/25

/26

/28

Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.

Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.

Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and

\/[a-z]{2}\/audio.

Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/ audio.

Configure VPC peering in a full mesh.

Alter the routing table to resolve the asymmetric route.

Create network tags to allow connectivity between all three VPCs.

Delete the legacy network and recreate it to allow transitive peering.

Lower the TCP Established Connection Idle Timeout for the NAT gateway.

Add firewall rules that allow ingress and egress of the external NAT IP address, have a target tag that is on the Compute Engine instances, and have a priority value higher than the priority value of the default route to the VPN gateway.

Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel.

Increase the default min-ports-per-vm setting for the Cloud NAT gateway.

Configure Firewall Rules Logging. Use Firewall Insights to display the number of hits.

Configure Firewall Rules Logging. View the logs in Cloud Logging, and create a custom dashboard in Cloud Monitoring to display the number of hits.

Configure a firewall appliance from the Google Cloud Marketplace. Route all traffic through this appliance, and apply the firewall rules at this layer. Use the firewall appliance to display the number of hits.

Configure Packet Mirroring on the VPC. Apply a filter with an IP address list of the Denied Firewall rules. Configure an intrusion detection system (IDS) appliance as the receiver to display the number of hits.

Keep the existing Dedicated interconnect. Deploy a VLAN attachment to a Cloud Router in us-west2, and use VPC global routing to access workloads in us-east4 and us-central1.

Keep the existing Dedicated Interconnect. Deploy a VLAN attachment to a Cloud Router in us-east4, and deploy another VLAN attachment to a Cloud Router in us-central1.

Order a new Dedicated Interconnect for a colocation facility closest to us-east4, and use VPC global routing to access workloads in us-central1.

Order a new Dedicated Interconnect for a colocation facility closest to us-central1, and use VPC global routing to access workloads in us-east4.

Configure a Cloud Storage bucket permission that gives the Storage Legacy Object Reader role

Change the cache mode to cache all content.

Increase the default time-to-live (TTL) for the backend service.

Enable negative caching for the backend bucket

Configure an additional VLAN attachment of 10 Gbps in another region. Configure the on-premises router to advertise routes with the same multi-exit discriminator (MED).

Configure an additional VLAN attachment of 10 Gbps in the same region. Configure the on-premises router to advertise routes with the same multi-exit discriminator (MED).

From the Google Cloud Console, modify the bandwidth of the VLAN attachment to 20 Gbps.

From the Google Cloud Console, request a new Dedicated Interconnect connection of 20 Gbps, and configure a VLAN attachment of 10 Gbps.

Configure Link Aggregation Control Protocol (LACP) on the on-premises router to use the 20-Gbps Dedicated Interconnect connection.

Order a Dedicated Interconnect connection in the same metropolitan area. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router.

Order a Direct Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

Configure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center.

Order a Carrier Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

Configure a policy-based route rule to prioritize the traffic.

Configure an HTTP load balancer, and direct the traffic to it.

Configure Dynamic Routing for the subnet hosting the application.

Configure the TTL for the DNS zone to decrease the time between updates.

Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.

Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.

Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.

Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.

Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.

Create a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.

Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.

Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.

Use one Dedicated Interconnect connection in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC.

Use a Direct Peering connection between your on-premises data center and Google Cloud. Configure Classic VPN with two tunnels and one Cloud Router.

Use two Dedicated Interconnect connections in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC.

Use HA VPN. Configure one tunnel from each Interface of the VPN gateway to connect to the corresponding interfaces on the peer gateway on-premises. Configure one Cloud Router and enable global routing in the VPC.

Configure VPC Service Controls and create a secure perimeter. Define fine-grained perimeter controls and enforce that security posture across your Google Cloud services and projects.

Configure a Google Cloud Armor security policy in your project, and attach it to the backend service to secure the application.

Configure VPC firewall rules to protect the Compute Engine instances against distributed denial-of-service attacks.

Configure hierarchical firewall rules for the global HTTP(S) load balancer public IP address at the organization level.

Configure the remote autonomous system number (ASN) to 4096.

Configure a second Cloud Router to scale bandwidth in and out of the VPC.

Configure the maximum transmission unit (MTU) to its highest supported value.

Configure a second set of active/passive VPN tunnels.

GetIamPolicy() via REST API

setIamPolicy() via REST API

gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

Dynamic routing using Cloud Router

Route-based routing using default traffic selectors

Policy-based routing using a custom local traffic selector

Policy-based routing using the default local traffic selector

Configure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.

Configure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next hop is the VPN tunnel back to the on-premises data center.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default internet gateway.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN tunnel back to the on-

premises data center.

Use a 4-byte private ASN 4200000000-4294967294.

Use a 2-byte private ASN 64512-65535.

Use a public Google ASN 15169.

Use a public Google ASN 16550.

VPC peering

Shared VPC

Cloud VPN

Dedicated Interconnect

Cloud NAT

Create a network load balancer that used backend services containing one instance group with two instances.

Create a network load balancer that uses a target pool backend with two instances.

Create a TCP proxy that uses a zonal network endpoint group containing one instance.

Create a TCP proxy that uses backend services containing an instance group with two instances.

Create and associate a firewall policy with the Dev folder with a rule to open port 8080. Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.

Create a Shared VPC for the Dev projects and a Shared VPC for the Prod projects. Create a VPC firewall rule to open port 8080 in the Shared VPC for Dev. Create a firewall rule to deny traffic to port 8080 in the Shared VPC for Prod. Deploy VMs to those Shared VPCs.

In all VPCs for the Dev projects, create a VPC firewall rule to open port 8080. In all VPCs for the Prod projects, create a VPC firewall rule to deny traffic to port 8080.

Use Anthos Config Connector to enforce a security policy to open port 8080 on the Dev VMs and deny traffic to port 8080 on the Prod VMs.

Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.

Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.

Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.

Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.

Check the VPC flow logs for the instance.

Try connecting to the instance via SSH, and check the logs.

Create a new firewall rule to allow traffic from port 22, and enable logs.

Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.

The default internet gateway

The IP address of the Cloud VPN gateway

The name and region of the Cloud VPN tunnel

The IP address of the instance on the remote side of the VPN tunnel

Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.

Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.

Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.

Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.

/21

/22

/23

/25

The on-premises routers are configured with the same routes.

A firewall is blocking the traffic across the second VPN connection.

You do not have a load balancer to load-balance the network traffic.

The ASNs being used on the on-premises routers are different.