Network Topologies
Reaching on-premises: VPN or Interconnect
A scenario says "connect our data center to Google Cloud at 50 Gbps, and the traffic must never cross the public internet." That single sentence picks the product: Cloud Interconnect[1], not Cloud VPN[2]. The whole hybrid-to-on-premises decision turns on two questions, throughput and whether the path may be the public internet, and the products line up cleanly against them.
Cloud VPN: IPsec over the public internet
Cloud VPN builds encrypted IPsec tunnels between your on-premises gateway and Google Cloud over the public internet. It is fast to stand up and needs no physical provisioning, which makes it the right first answer for modest bandwidth, for a migration experiment, or for an encrypted link you need this week. The recommended product is HA VPN: when you configure it with two interfaces connected to two peer devices, it carries a 99.99% availability SLA[2] for most topologies; other configurations drop to 99.9%. Classic VPN is the legacy option and only reaches 99.9%, so HA VPN is the right answer for any new high-availability design. The limitation that sends architects to Interconnect is bandwidth: HA VPN throughput is per-tunnel, roughly 1 to 3 Gbps (up to 250,000 packets per second), so you add tunnels to scale, and every byte still rides the shared internet.
Cloud Interconnect: a private physical circuit
Cloud Interconnect gives you a private link whose traffic flows directly between networks, not through the public internet[1]. It comes in two forms that differ only in who owns the last mile:
- Dedicated Interconnect runs your own 10-Gbps, 100-Gbps, or 400-Gbps circuits[3] into a Google colocation facility, and you can bundle up to 8 circuits per Interconnect for higher aggregate capacity. You carve it into VLAN attachments sized from 50 Mbps to 50 Gbps. Choose it when you can reach a colocation facility and want the highest, most cost-effective private bandwidth.
- Partner Interconnect uses a supported service provider[4] to bridge the last mile when you cannot reach a Google facility directly, with VLAN attachments from 50 Mbps to 50 Gbps.
Both keep traffic off the internet and earn an availability SLA only when the topology meets the redundancy requirements: 99.9% needs two connections in the same metro but different edge availability domains, and 99.99% needs four connections, two in each of two different metros. The trade against VPN is setup time and physical dependency: Interconnect must be provisioned, VPN can be live in an afternoon.
Cross-cloud and Google-to-Google connectivity
When the far side is not your data center, the product changes. Reaching another public cloud is Cross-Cloud Interconnect[5]; connecting Google networks to each other is VPC Network Peering, Network Connectivity Center, or Shared VPC. Each solves a distinct problem, so name the problem first and the product follows.
Cross-Cloud Interconnect: Google Cloud to another cloud
Cross-Cloud Interconnect establishes a dedicated physical connection between Google Cloud and another cloud provider[5], with Google provisioning and managing the link up to the remote provider's network. Port sizes are 10 Gbps and 100 Gbps (and up to 400 Gbps for AWS and OCI), and the supported providers are AWS, Microsoft Azure, OCI, and Alibaba Cloud. This is the product for a multicloud architecture; do not substitute Dedicated Interconnect, which terminates at your own colocation equipment, or Cloud VPN, which is internet-bound and bandwidth-limited.
Connecting Google networks: three models, three jobs
The three GCP-to-GCP designs are easy to confuse because they all "connect networks," so anchor each to the job only it does.
VPC Network Peering links exactly two VPC networks and makes them exchange subnet routes[6] so resources reach each other over internal IPs with same-network latency and throughput. Three constraints decide exam questions:
- It is non-transitive. If
net-apeers withnet-bandnet-apeers withnet-c, that does not connectnet-bandnet-c. Each pair needs its own peering, which is why a full mesh of many networks becomes unmanageable. - It exchanges routes only. Peered networks stay administratively separate[6], and peering does not exchange firewall rules or policies; each network keeps its own IAM and firewalls.
- Ranges cannot overlap. No subnet range may match, contain, or fit within a subnet range in the peered network.
Network Connectivity Center (NCC) is the answer when more than two networks must all reach each other. NCC is an orchestration framework with a hub-and-spoke model[7]: spokes attached to a central hub communicate transitively through it, which is exactly the connectivity VPC Peering cannot provide. A spoke can be a VPC network or a hybrid link (an HA VPN tunnel, a Cloud Interconnect VLAN attachment, or a router appliance), so one hub becomes the backbone for VPC-to-VPC, on-premises, and multicloud traffic at once.
Shared VPC is a different kind of thing: it does not connect separate networks, it puts many projects onto one network. A host project owns the Shared VPC network[8] and its subnets, routes, and firewalls; service projects attach to it and deploy resources that use internal IPs from that one network. A service project attaches to exactly one host project, and both must sit in the same organization. The point is administrative: a central network team controls the network while application teams stay out of it, the least-privilege split the exam rewards.
The one-line test: two networks and a simple link, use Peering; many networks needing any-to-any reachability, use NCC; many projects sharing one centrally-run network, use Shared VPC.
Load balancing for cloud, internet, and cloud-adjacent access
Pick a load balancer by answering three questions in order: which OSI layer, what geographic reach, and who the clients are. Google Cloud's whole load-balancing taxonomy[9] follows that order, so once you can place a workload on those three axes the product is decided.
Axis 1: layer
The first split is the protocol layer. Application Load Balancers operate at Layer 7: they understand HTTP and HTTPS and can route by host, URL path, and headers, terminate TLS, and apply content-based rules. Network Load Balancers operate at Layer 4: they handle TCP, UDP, and other IP protocols without reading the application payload. So an HTTP API behind path-based routing wants an Application Load Balancer; a database protocol or a UDP game server wants a Network Load Balancer.
Network Load Balancers split once more on how they handle the connection. A proxy Network Load Balancer terminates the client connection and opens a new one to the backend (useful for TLS offload on non-HTTP traffic). A passthrough Network Load Balancer forwards packets without terminating, so the backend sees the original client source IP, which matters when the application needs the real client address.
Axis 2: reach (global or regional)
Each type is offered as global or regional. A global load balancer spreads backends across regions; the global external Application Load Balancer fronts worldwide backends behind a single anycast IP address[9] on the Premium network tier, so one address serves users on the closest healthy backend. A regional load balancer keeps backends in one region, the right choice when data residency or a single-region service constrains the design.
Axis 3: exposure (external or internal)
The last axis is who reaches it. An external load balancer takes traffic from the public internet. An internal load balancer serves clients inside the VPC, and also cloud-adjacent on-premises clients reaching it over Cloud Interconnect or HA VPN, exactly the access pattern this domain's blueprint calls out for cloud-adjacent services. So an internal Application Load Balancer is how an on-premises client, arriving over Interconnect, reaches an HTTP service in your VPC by an internal address.
Security protection and private service access
Network security in a VPC is layered, and the exam tests where each control lives. The base layer is the VPC firewall[10]; above it sit organization-wide policies; alongside it, Private Service Connect removes the need to open the internet at all.
Stateful firewall rules and the implied baseline
VPC firewall rules are stateful: when a connection is allowed in one direction, the return traffic for that connection is automatically allowed[10], so you do not write a separate rule for replies. Every network starts from two implied rules you cannot delete: an implied allow-egress that lets instances send outbound to any destination, and an implied deny-ingress that blocks all inbound until a rule permits it. Rules carry a priority in the range 0 to 65535 where a lower number wins, defaulting to 1000 when you do not set one. Firewall rules are scoped to a single VPC network and are not shared across networks, even peered ones, which is why VPC Peering exchanges routes but never firewalls.
Org-wide control: hierarchical firewall policies
When a control must apply across many networks (a company-wide block, a baseline allow for health checks), per-VPC rules do not scale. Hierarchical firewall policies[11] attach at the organization or folder level and apply to every VPC beneath that node, giving central security teams enforcement that a project owner cannot override. Use them for governance baselines; keep per-VPC rules for network-specific needs.
Private access to services with Private Service Connect
Intrusion and access control are not only about firewalls; the strongest control is to never expose a service publicly. Private Service Connect (PSC)[12] lets a consumer reach managed services and Google APIs (such as Cloud Storage and BigQuery) over internal IP addresses inside their own VPC, with traffic staying entirely within Google Cloud, no public internet path and no VPC peering required. It is how you give an application private access to a published service or a Google API without widening the attack surface, which is the access-control answer the blueprint pairs with firewalls.
Exam-pattern recognition
PCA network questions are usually scenario stems where the right product hides behind one decisive phrase. Map the phrase to the product and most distractors fall away.
Stem signals to the right answer
| The stem emphasizes... | Right answer | Why the obvious distractor is wrong |
|---|---|---|
| High bandwidth to on-prem, must not cross the internet | Dedicated Interconnect | VPN rides the public internet and is bandwidth-limited |
| Encrypted link to on-prem, needed fast, modest bandwidth | HA VPN | Interconnect needs physical provisioning, slower to deliver |
| Connect Google Cloud to AWS or Azure | Cross-Cloud Interconnect | Dedicated Interconnect terminates at your own colo, not another cloud |
| Many VPCs must all reach each other | Network Connectivity Center | VPC Peering is non-transitive, so a mesh does not scale |
| Central team runs one network, many app teams deploy into it | Shared VPC | Peering keeps networks administratively separate, not centrally run |
| Reach a managed service or Google API privately, no peering | Private Service Connect | A public endpoint or peering widens exposure unnecessarily |
| Route HTTP by URL path / host across regions | Global external Application Load Balancer | A Network Load Balancer is Layer 4 and cannot route by path |
| Preserve the client source IP for a TCP service | Passthrough Network Load Balancer | A proxy LB terminates the connection and hides the source IP |
| On-prem client over Interconnect reaches an HTTP app in the VPC | Internal Application Load Balancer | An external LB faces the internet, not cloud-adjacent clients |
Three traps to internalize
- VPC Peering is non-transitive. Peering A-B and A-C never connects B and C, and peering never exchanges firewall rules. When the scenario needs any-to-any across more than two networks, the answer is Network Connectivity Center, not more peerings.
- Match the far side to the product. On-premises means Cloud Interconnect or HA VPN; another public cloud means Cross-Cloud Interconnect. Choosing Dedicated Interconnect to reach AWS is the classic miss.
- Application LB is Layer 7 only. If the traffic is not HTTP or HTTPS, or the app must see the real client IP, it is a Network Load Balancer (passthrough for source-IP preservation), not an Application Load Balancer.
Hybrid and cross-cloud connectivity: which product when
| Dimension | Cloud VPN (HA VPN) | Dedicated Interconnect | Partner Interconnect | Cross-Cloud Interconnect |
|---|---|---|---|---|
| Far side | On-premises | On-premises | On-premises | Another cloud (AWS/Azure/OCI/Alibaba) |
| Path | IPsec over public internet | Private physical circuit | Private, via service provider | Private physical link to other cloud |
| Bandwidth | Modest, per-tunnel | 10 or 100 Gbps circuits | 50 Mbps to 50 Gbps per VLAN | 10/100 Gbps (up to 400 on AWS/OCI) |
| Availability SLA | 99.99% (two interfaces) | End-to-end, up to 99.99% with redundancy | Up to 99.99% with redundancy; partial provider-dependent | Up to 99.99% with redundant pairs |
| Best for | Quick, encrypted, low bandwidth | Highest private bandwidth, colo access | No colo facility access | Connecting to another cloud provider |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Cloud VPN runs over the public internet; Cloud Interconnect is a private link
The on-premises connectivity choice splits first on the path. Cloud VPN builds encrypted IPsec tunnels across the public internet, so it is quick to deploy and needs no physical gear, but bandwidth is per-tunnel and limited. Cloud Interconnect carries traffic over a private physical circuit that never touches the internet, giving far higher throughput at the cost of physical provisioning. When a scenario forbids internet transit or demands tens of gigabits, the answer is Interconnect; when speed-to-deploy and encryption matter more than raw bandwidth, it is VPN.
Trap Reaching for Cloud VPN when the requirement says traffic must not cross the public internet; VPN tunnels are internet-bound, only Interconnect keeps the path private.
- Use HA VPN and build two interfaces for the 99.99% SLA
HA VPN is the recommended Cloud VPN product for new designs; Classic VPN is the legacy option and only reaches a 99.9% SLA. HA VPN earns a 99.99% availability SLA for most topologies when configured with two interfaces connected to two peer devices; other configurations drop to 99.9%. Throughput is per-tunnel, roughly 1 to 3 Gbps (up to 250,000 packets per second), so you add tunnels to scale, which is why VPN suits modest bandwidth and Interconnect wins for tens of gigabits.
Trap Choosing Classic VPN for a new high-availability connection; it tops out at a 99.9% SLA, while a two-interface HA VPN reaches 99.99%.
- Dedicated Interconnect needs a colocation facility; Partner Interconnect uses a service provider
Both forms of Cloud Interconnect give a private path, and they differ only in who owns the last mile. Dedicated Interconnect runs your own 10-Gbps or 100-Gbps circuits into a Google colocation facility and is the most cost-effective choice for high bandwidth when you can reach one. Partner Interconnect uses a supported service provider to bridge the gap when you cannot reach a Google facility, with VLAN attachments from 50 Mbps to 50 Gbps. The deciding question is physical reach to a colocation facility.
Trap Recommending Dedicated Interconnect for an organization with no access to a Google colocation facility; that gap is exactly what Partner Interconnect exists to cover.
- Dedicated Interconnect circuits are 10, 100, or 400 Gbps; VLAN attachments scale 50 Mbps to 50 Gbps
Dedicated Interconnect provisions physical circuits at 10 Gbps, 100 Gbps, or 400 Gbps, and you can bundle up to 8 circuits per Interconnect for higher aggregate capacity. You then carve each circuit into VLAN attachments sized anywhere from 50 Mbps to 50 Gbps, which is how you map the physical capacity to individual VPC networks. Knowing the circuit sizes separates Interconnect (tens to hundreds of gigabits) from VPN (a few gigabits per tunnel) in a bandwidth question.
- Cross-Cloud Interconnect connects Google Cloud to another cloud, not to on-premises
When the far side is AWS, Microsoft Azure, OCI, or Alibaba Cloud rather than your data center, the product is Cross-Cloud Interconnect: a dedicated physical link that Google provisions to the other provider's network, at 10 Gbps or 100 Gbps (up to 400 Gbps on AWS and OCI). It is the multicloud answer. Dedicated Interconnect terminates at your own colocation equipment for on-premises reach, and VPN is internet-bound and bandwidth-limited, so neither fits a cloud-to-cloud requirement.
Trap Choosing Dedicated Interconnect to link Google Cloud to AWS; Dedicated Interconnect reaches your own colo, while Cross-Cloud Interconnect is the product built to land in another cloud provider.
- Direct and Carrier Peering reach Google APIs and Workspace, not VPC internal IPs
Direct Peering and Carrier Peering connect your network to Google's edge to reach Google APIs and Google Workspace, but they give no access to VPC resources over internal IPs and carry no SLA. So if a scenario only needs Workspace or public Google API access, peering can suffice without standing up Interconnect or VPN. If it needs to reach resources inside a VPC, peering is the wrong tool; use Cloud Interconnect or HA VPN instead.
Trap Using Direct or Carrier Peering to reach VM instances inside a VPC by internal IP; peering only reaches Google APIs and Workspace, with no VPC access and no SLA.
- VPC Network Peering is non-transitive
VPC Network Peering links exactly two VPC networks and exchanges their subnet routes so resources communicate over internal IPs at same-network latency. The defining limitation is that peering is not transitive: if net-a peers with net-b and net-a peers with net-c, net-b and net-c still cannot reach each other. Every pair needs its own peering, so a many-network mesh becomes unmanageable, which is precisely when you move to Network Connectivity Center.
Trap Assuming that peering net-a to net-b and net-a to net-c connects net-b and net-c; peering is non-transitive, so that path does not exist.
4 questions test this
- Your company has three development teams using separate Google Cloud projects with their own VPC networks: project-a with vpc-a, project-b…
- Your organization uses vpc-central to provide shared services to multiple project VPCs through VPC Network Peering. The vpc-central network…
- Your organization has three VPC networks: network-a, network-b, and network-c. Network-a is connected to network-b via VPC Network Peering,…
- Cymbal Retail has implemented a hub-and-spoke network architecture using VPC Network Peering. The hub VPC (network-a) in project-central…
- VPC Peering exchanges routes only, never firewall rules, and forbids overlapping ranges
Peered VPC networks stay administratively separate: peering exchanges subnet routes but does not share firewall rules, policies, or IAM, so each network keeps its own controls. Subnet ranges also cannot overlap, no range may match, contain, or fit within a range in the peered network. These constraints explain why peering is a routing link, not a merged network, and why security must be configured per network on both sides.
Trap Expecting firewall rules to carry across a peering so a rule on one side protects the other; peering exchanges routes only, each network enforces its own firewalls.
3 questions test this
- You are configuring VPC Network Peering between two VPC networks in different Google Cloud projects to enable private communication between…
- You have established VPC Network Peering between vpc-frontend in project-a and vpc-backend in project-b. Security team members in project-a…
- You are architecting a multi-project solution where project-a has vpc-a using the 10.10.0.0/16 subnet range, and project-b has vpc-b using…
- Network Connectivity Center gives transitive any-to-any connectivity via hub-and-spoke
When more than two networks must all reach each other, Network Connectivity Center (NCC) is the answer. NCC is a hub-and-spoke orchestration framework: spokes attach to a central hub and communicate transitively through it, supplying the any-to-any reachability that VPC Peering cannot. A spoke can be a VPC network or a hybrid link such as an HA VPN tunnel, a Cloud Interconnect VLAN attachment, or a router appliance, so one hub becomes the backbone for VPC-to-VPC, on-premises, and multicloud traffic together.
Trap Adding more VPC peerings to give many networks full any-to-any reachability; peering is non-transitive, so the mesh grows quadratically. NCC's hub provides transitivity instead.
Shared VPC does not connect separate networks; it places resources from many projects onto one VPC owned by a host project. The host project owns the subnets, routes, and firewalls, and service projects attach to it and deploy resources that use internal IPs from that shared network. The purpose is administrative separation of duties: a central network team controls the network while application teams deploy into it without managing it, the least-privilege split for enterprise networking.
Trap Reaching for VPC Peering when the requirement is one centrally-administered network for many project teams; peering keeps networks separately administered, while Shared VPC centralizes control under a host project.
Shared VPC has firm structural limits worth memorizing. A service project can attach to only one host project at a time, a project cannot be both a host and a service project, and all projects must belong to the same organization. Establishing the configuration requires the Shared VPC Admin role at the organization level. These constraints often decide whether a proposed Shared VPC layout is even valid.
- Application Load Balancers are Layer 7; Network Load Balancers are Layer 4
Cloud Load Balancing splits first on protocol layer. Application Load Balancers operate at Layer 7 and route HTTP and HTTPS by host, path, and headers, and can terminate TLS. Network Load Balancers operate at Layer 4 for TCP, UDP, and other IP protocols without reading the payload. So path-based or host-based HTTP routing requires an Application Load Balancer, while a raw TCP or UDP service requires a Network Load Balancer.
Trap Putting an Application Load Balancer in front of non-HTTP TCP or UDP traffic; Application LBs only handle HTTP and HTTPS, so Layer 4 traffic needs a Network Load Balancer.
- Use a passthrough Network Load Balancer to preserve the client source IP
Network Load Balancers come in two flavors. A passthrough Network Load Balancer forwards packets without terminating the connection, so the backend sees the original client source IP, which matters when the application logs or authorizes by client address. A proxy Network Load Balancer terminates the client connection and opens a new one to the backend, which is what you want for TLS offload on non-HTTP traffic but which hides the real source IP behind the load balancer.
Trap Choosing a proxy Network Load Balancer when the backend must see the real client IP; the proxy terminates the connection, so only a passthrough load balancer preserves the source IP.
- The global external Application Load Balancer fronts worldwide backends behind one anycast IP
Load balancers are offered as global or regional. The global external Application Load Balancer serves backends in regions around the world behind a single anycast IP address on the Premium network tier, so one address routes each user to the nearest healthy backend. A regional load balancer keeps backends in one region, which is the right call when data residency or a single-region service constrains the design. Choose global for worldwide reach, regional when geography is pinned.
- Use an internal load balancer for VPC and cloud-adjacent on-premises clients
The last load-balancer axis is exposure. An external load balancer accepts traffic from the public internet; an internal load balancer serves clients inside the VPC and cloud-adjacent on-premises clients reaching it over Cloud Interconnect or HA VPN. So an on-premises client arriving over Interconnect that needs to reach an HTTP service in your VPC by an internal address wants an internal Application Load Balancer, not an external one.
Trap Exposing a service that only serves VPC and on-premises clients through an external load balancer; an internal load balancer keeps it off the internet and still serves cloud-adjacent clients over Interconnect or VPN.
- VPC firewall rules are stateful, so return traffic is allowed automatically
VPC firewall rules are stateful: when a connection is allowed in one direction, the return traffic for that connection is permitted automatically, so you never write a separate rule for replies. The network also ships with two implied rules you cannot delete, an implied allow-egress that lets instances reach any destination and an implied deny-ingress that blocks all inbound until a rule allows it. Rules carry a priority from 0 to 65535 where lower wins, defaulting to 1000.
Trap Writing a separate inbound rule to permit the replies to an allowed outbound connection; the firewall is stateful, so return traffic on an established connection is already allowed.
- Apply org-wide controls with hierarchical firewall policies, not per-VPC rules
VPC firewall rules are scoped to a single network and are not shared across networks, even peered ones. When a control must apply across many networks at once, such as a company-wide block or a baseline health-check allow, hierarchical firewall policies attach at the organization or folder level and apply to every VPC beneath that node, which a project owner cannot override. Use hierarchical policies for centralized governance; keep per-VPC rules for network-specific needs.
Trap Trying to enforce an organization-wide firewall baseline by editing each VPC's own rules; that does not scale or prevent override. Hierarchical firewall policies at the org or folder level apply to every network below.
- Private Service Connect reaches managed services and Google APIs over internal IPs, no peering
The strongest access control is to never expose a service publicly. Private Service Connect (PSC) lets a consumer reach managed services and Google APIs such as Cloud Storage and BigQuery over internal IP addresses inside their own VPC, with traffic staying entirely within Google Cloud, no public internet path and no VPC peering required. It is how you give an application private access to a published service or a Google API without widening the attack surface.
Trap Setting up VPC Peering or a public endpoint to let a VPC consume a managed service privately; Private Service Connect gives that private internal-IP access without peering and without exposing the service to the internet.
- Set the VPC to Global dynamic routing mode to reach regions other than the Cloud Router's
A Cloud Router in Regional dynamic routing mode (the default) only advertises and learns routes for subnets in its own region. When VLAN attachments or VPN tunnels must carry traffic to or from resources in a different region than the Cloud Router, switch the VPC network to Global dynamic routing mode so routes propagate across all regions.
Trap Regional mode is the default, so cross-region Interconnect/VPN silently fails until you flip the whole VPC to Global — it is a VPC-wide setting, not a per-attachment one.
5 questions test this
- A multinational company has provisioned a Dedicated Interconnect connection in us-central1 and needs to create VLAN attachments to reach…
- Your company has established a Dedicated Interconnect connection in the us-west1 region. You need to create VLAN attachments that allow…
- Your organization has a VPC network with subnets deployed in us-east1 and us-west1 regions. You have configured an HA VPN gateway in…
- Cymbal Retail is deploying Dedicated Interconnect connections to achieve 99.99% availability for their mission-critical workloads. Their…
- Cymbal Retail has a Dedicated Interconnect connection and wants to create VLAN attachments that can reach subnets in a different Google…
- Cloud Router load-balances across attachments only with equal MED in the same region; lower MED wins
Advertised route priority is the BGP MED value, and a lower MED is preferred. To spread egress across multiple Interconnect VLAN attachments or VPN tunnels, place them in the same region and advertise the same prefix with identical MED so Cloud Router uses ECMP (a five-tuple hash). For active-passive failover instead, give the primary a lower MED and the standby a higher MED.
Trap ECMP hashes per flow, so a single TCP stream always pins to one tunnel — lopsided traffic is not a misconfiguration; test with multiple concurrent flows.
4 questions test this
- EHR Healthcare has provisioned a Dedicated Interconnect connection with a single 100-Gbps link. They need to create VLAN attachments to…
- You are troubleshooting connectivity issues for KnightMotives Automotive's HA VPN deployment. Two VPN tunnels are configured with BGP…
- You want to configure ECMP load balancing for egress traffic across multiple VLAN attachments on your Dedicated Interconnect connections.…
- Your organization wants to configure an active-passive HA VPN deployment where traffic prefers the primary tunnel but fails over to a…
- Cloud Router needs a private ASN different from the peer; Partner Interconnect forces ASN 16550
For HA VPN and Dedicated Interconnect, the Cloud Router must use a private ASN (16-bit 64512-65534 or 32-bit 4200000000-4294967294) that differs from the peer ASN, since Google Cloud only runs eBGP. Partner Interconnect is the exception: its Cloud Router must use the Google-owned ASN 16550.
Trap Partner Interconnect rejects a private ASN — 16550 is mandatory there, unlike Dedicated Interconnect which takes your private ASN.
4 questions test this
- Your organization is setting up Partner Interconnect to connect your on-premises data center to Google Cloud. You need to create a Cloud…
- Altostrat Media is creating a Cloud Router to establish BGP sessions with their on-premises data center through HA VPN. Their on-premises…
- Your organization is configuring an HA VPN gateway to connect your on-premises data center to Google Cloud. You need to create a Cloud…
- Your organization is configuring Partner Interconnect VLAN attachments to connect your on-premises data center to Google Cloud. The network…
- Network tags are VPC-local; use service accounts or secure tags for cross-network and hierarchical targeting
Network tags in a VPC firewall rule resolve only to instances in that same VPC, so they never match VMs reached through VPC Peering, and hierarchical firewall policies reject network tags entirely. To target VMs in those cases, use target service accounts or IAM-governed secure tags instead.
Trap A peered VM carrying the same network-tag string is not matched by the other network's rules, and a 'forgot the target tag' allow rule silently lets a lower-priority deny-all win.
4 questions test this
- Your company uses hierarchical firewall policies at the folder level to enforce security standards for development and production…
- You are configuring firewall rules for a multi-tier application in Google Cloud. The application has web servers, application servers, and…
- A security administrator has created VPC firewall rules in network-a using network tags to control traffic between VMs. Network-a is now…
- You have established VPC Network Peering between vpc-frontend in project-a and vpc-backend in project-b. Security team members in project-a…
Also tested in
References
- Choosing a Network Connectivity product
- Cloud VPN overview
- Dedicated Interconnect overview
- Partner Interconnect overview
- Cross-Cloud Interconnect overview
- VPC Network Peering
- Network Connectivity Center overview
- Shared VPC
- Cloud Load Balancing overview
- VPC firewall rules
- Hierarchical firewall policies overview
- Private Service Connect