
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Question #113: Real Exam Question with Answer & Explanation

The correct answer is C: Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel. Cloud NAT only translates traffic whose route points at the default internet gateway, so the existing 0.0.0.0/0 route via the VPN tunnel has to be overridden for the affected instances.

Submitted by certguy · Apr 18, 2026

Exam section: Implementing a Google Cloud network

Question

Your company's on-premises network is connected to a VPC using a Cloud VPN tunnel. You have a static route of 0.0.0.0/0 with the VPN tunnel as its next hop defined in the VPC. All internet bound traffic currently passes through the on-premises network. You configured Cloud NAT to translate the primary IP addresses of Compute Engine instances in one region. Traffic from those instances will now reach the internet directly from their VPC and not from the on-premises network. Traffic from the virtual machines (VMs) is not translating addresses as expected. What should you do?

Options

  • A. Lower the TCP Established Connection Idle Timeout for the NAT gateway.
  • B. Add firewall rules that allow ingress and egress of the external NAT IP address, have a target tag
  • C. Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel.
  • D. Increase the default min-ports-per-vm setting for the Cloud NAT gateway.

Explanation

Cloud NAT allows VM instances without external IP addresses and private GKE clusters to send outbound packets to the internet and receive the corresponding established inbound response packets. However, Cloud NAT only translates packets whose applicable route has the default internet gateway as its next hop, so it does not work for a VM whose outbound traffic is routed through a VPN tunnel. Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel (in VPC routing a higher priority means a numerically smaller priority value). Because both routes have the same 0.0.0.0/0 destination, the priority decides which one wins, and the network tag limits the override to only those instances that carry it. This way, those instances use Cloud NAT for their outbound traffic while every other VM keeps egressing through the on-premises network.
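The following is an added worked example (not part of the original question page) that models the VPC route selection the explanation relies on: longest prefix match first, then the numerically lowest priority, with tagged routes applying only to instances that carry the tag. The route table, route names, the network name in the CLI comment and the `nat-egress` tag are constructed for illustration; the priority semantics (lower number wins) and the rule that Cloud NAT only acts on traffic routed to the default internet gateway are standard VPC behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


# Route model. Priority semantics follow VPC routes: 0..65535, and the LOWER
# number is the higher priority.
@dataclass(frozen=True)
class Route:
    name: str
    dest: str                      # destination range in CIDR form
    next_hop: str                  # "subnet", "vpn-tunnel" or "default-internet-gateway"
    priority: int
    tags: frozenset = frozenset()  # empty = applies to every instance in the network


# Constructed route table for the scenario in the question (names are placeholders).
ROUTES = [
    Route("subnet-route", "10.0.0.0/24", "subnet", 0),
    Route("default-to-vpn", "0.0.0.0/0", "vpn-tunnel", 1000),
    # The fix: same 0.0.0.0/0 destination, next hop = default internet gateway,
    # a smaller priority number than the VPN route, scoped by a network tag.
    # Equivalent CLI (network and route names are assumed):
    #   gcloud compute routes create nat-egress-default --network=my-vpc \
    #       --destination-range=0.0.0.0/0 --next-hop-gateway=default-internet-gateway \
    #       --priority=900 --tags=nat-egress
    Route("nat-egress-default", "0.0.0.0/0", "default-internet-gateway", 900,
          frozenset({"nat-egress"})),
]


def select_route(routes, dst_ip, instance_tags=frozenset()):
    """Pick the route a VM carrying `instance_tags` uses to reach `dst_ip`:
    longest prefix match first, then the lowest priority value.
    Returns None when no route applies. (A real VPC spreads traffic across
    exact ties; min() simply picks one deterministically.)"""
    ip = ip_address(dst_ip)
    candidates = [
        r for r in routes
        if (not r.tags or r.tags & instance_tags) and ip in ip_network(r.dest)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.dest).prefixlen, r.priority))


def cloud_nat_applies(route):
    """Cloud NAT only translates packets whose selected route points at the
    default internet gateway; anything sent into a VPN tunnel is never NATed."""
    return route is not None and route.next_hop == "default-internet-gateway"


def nat_path(routes, dst_ip, instance_tags=frozenset()):
    """Return (selected route name, whether Cloud NAT can translate the packet)."""
    r = select_route(routes, dst_ip, instance_tags)
    return (r.name if r else None, cloud_nat_applies(r))


if __name__ == "__main__":
    print("untagged VM  ->", nat_path(ROUTES, "8.8.8.8"))
    print("tagged VM    ->", nat_path(ROUTES, "8.8.8.8", frozenset({"nat-egress"})))
    print("internal dst ->", nat_path(ROUTES, "10.0.0.5", frozenset({"nat-egress"})))
    # Common mistake: a larger number is a LOWER priority, so 1100 does not
    # override the VPN route and the tagged VM still bypasses Cloud NAT.
    wrong = ROUTES[:2] + [Route("nat-egress-wrong", "0.0.0.0/0",
                                "default-internet-gateway", 1100,
                                frozenset({"nat-egress"}))]
    print("priority 1100 ->", nat_path(wrong, "8.8.8.8", frozenset({"nat-egress"})))
```

Running the script shows the untagged VM still selecting `default-to-vpn` (no translation), the tagged VM selecting `nat-egress-default` (Cloud NAT applies), internal traffic still taking the subnet route, and the mis-prioritised variant falling back to the VPN tunnel; the last case is the check to run first when "traffic is not translating as expected" after adding such a route.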

Topics

#Cloud NAT, #VPC Routing, #Default Route, #Cloud VPN

Community Discussion

No community discussion yet for this question.
