Q: 14
You are designing a hybrid cloud environment. Your Google Cloud environment is interconnected with your on-premises network using HA VPN and Cloud Router in a central transit hub VPC. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88. You need to ensure that your Compute Engine resources in multiple spoke VPCs can resolve on-premises private hostnames using the domain corp.altostrat.com while also resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
Options
Discussion
A. Only A keeps the VPN architecture simple by using central DNS forwarding and peering zones, no extra tunnels in the spokes. Having direct VPNs from each spoke like in C or D isn't needed unless you want more resiliency, which the scenario doesn't mention. Anyone disagree?
It's A.
Is "best practice" in the question about minimizing VPN tunnels or more about DNS configuration specifics?
Choosing A lets you centralize DNS resolution using the hub’s forwarding and peering zones, so spokes don’t need their own VPNs. That lines up with Google’s best practices for keeping things simple and scalable. The others add extra complexity that isn't called for here, I think. Anyone see a reason it couldn’t just be A?
I think A, but second-guessing myself since the VPN setup details get tricky. I think Google wants you to centralize DNS via the hub and not build more VPNs in the spokes unless you absolutely need to. Anyone see a gotcha here?
Seen similar on practice exams. Pretty sure A fits Google best practices since it centralizes DNS forwarding in the hub and avoids building more VPNs than needed. The private peering zone lets the spokes use the hub for resolution. Could be missing a detail but I think A covers both DNS and network simplicity.
If you set up the forwarding zone and private peering as in A, wouldn't that cover DNS resolution from the spokes to on-prem via the hub anyway? I think extra direct VPNs from each spoke (like in C or D) aren't really needed.
Nah, not D. Pretty sure it's A because it doesn't require extra VPN tunnels from each spoke. Google recommends centralizing DNS and minimizing direct on-prem connections. Anyone see a reason to prefer D over A?
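The hub-forwarding plus spoke-peering design the posters describe, written out as an added Terraform example (not part of the original thread or any poster's answer). It assumes the hub and spoke VPCs already exist and are passed in as variables, and it also adds the Cloud Router route advertisement that Cloud DNS outbound forwarding over a VPN needs, which the router's default settings in the question do not include.

```hcl
variable "hub_network_id"    { type = string }      # assumed input: hub VPC self-link
variable "spoke_network_ids" { type = map(string) } # assumed input: spoke name -> VPC self-link
variable "region"            { type = string }

# Hub: a forwarding zone sends corp.altostrat.com to the on-prem resolver over the HA VPN.
resource "google_dns_managed_zone" "corp_forwarding" {
  name       = "corp-altostrat-forwarding"
  dns_name   = "corp.altostrat.com."
  visibility = "private"
  private_visibility_config {
    networks { network_url = var.hub_network_id }
  }
  forwarding_config {
    target_name_servers {
      ipv4_address    = "192.168.20.88"
      forwarding_path = "private" # send via the VPC's routes (the VPN), never the internet
    }
  }
}

# Spokes: a peering zone answers corp.altostrat.com from the hub VPC's DNS configuration,
# so spokes need no VPN tunnels; other names (Google Cloud internal DNS) resolve as usual.
resource "google_dns_managed_zone" "corp_peering" {
  for_each   = var.spoke_network_ids
  name       = "corp-altostrat-peering-${each.key}"
  dns_name   = "corp.altostrat.com."
  visibility = "private"
  private_visibility_config {
    networks { network_url = each.value }
  }
  peering_config {
    target_network { network_url = var.hub_network_id }
  }
}

# A Cloud Router with default settings advertises subnet routes only. Forwarded queries are
# sourced from 35.199.192.0/19, so advertise that range too or 192.168.20.88 cannot reply.
resource "google_compute_router" "hub" {
  name    = "hub-router"
  region  = var.region
  network = var.hub_network_id
  bgp {
    asn               = 64514 # placeholder private ASN
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]
    advertised_ip_ranges {
      range = "35.199.192.0/19"
    }
  }
}
```

If the forwarding zone resolves from a VM in the hub but times out from the spokes, check the peering zone's target network first; if it times out everywhere, check the on-prem side has a route back to 35.199.192.0/19.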