CCA — BGP and External Networking

6% of the CCA exam. Sample questions below; the full library has 7 questions tagged to this domain.

Sample questions on BGP and External Networking

BGP and External Networking

Q1. A CiliumBGPPeeringPolicy defines a virtual router peering with an external ToR (top-of-rack) switch. The policy specifies:

```yaml
asn: 65000
```

What does this ASN represent?

  1. A The ToR switch's Autonomous System Number

    Incorrect. The ToR switch's ASN is specified separately in the peering configuration.

  2. B The Kubernetes cluster's private Autonomous System Number

    Correct. The ASN in CiliumBGPPeeringPolicy represents the cluster's (Cilium's) local ASN for BGP peering.

  3. C A globally unique BGP ASN assigned by IANA for the cluster

    Incorrect. Private ASNs (64512-65534) are used for internal routing; they don't require IANA assignment.

  4. D The virtual router's local ASN within the cluster for peer identification

    Incorrect. ASNs are globally meaningful in BGP; there's no cluster-local scope.

Q2. A CiliumBGPPeeringPolicy advertises the cluster's pod CIDR (10.0.0.0/8) to external routers via BGP. External hosts can ping pod IPs directly. What type of IP forwarding must be enabled on the cluster nodes?

  1. A Only the Cilium agent requires forwarding; regular kubelet doesn't need it

    Incorrect. IP forwarding is a system-wide kernel setting; it affects all traffic, not just agent traffic.

  2. B BGP advertisement requires Linux policy routing (ip rule) instead of IP forwarding

    Incorrect. Policy routing supplements but doesn't replace the need for IP forwarding.

  3. C IP forwarding (net.ipv4.ip_forward=1) must be enabled to forward external traffic to pod destinations

    Correct. External hosts route to the pod CIDR based on BGP advertisements; the cluster nodes must have IP forwarding enabled to accept and forward this traffic to pods.

  4. D IP forwarding is not required; BGP advertisement enables external routing without kernel forwarding

    Incorrect. BGP only advertises routes; the kernel must forward traffic to reach pods.

Q3. A Service is configured with:

```yaml
type: LoadBalancer
```

It also uses a Cilium egress gateway. External clients access the Service via the LoadBalancer IP. What is the primary purpose of the egress gateway in this scenario?

  1. A The egress gateway provides TLS termination for LoadBalancer services

    Incorrect. TLS termination is a gateway/ingress responsibility, not an egress gateway function.

  2. B The egress gateway ensures traffic from pod backends to external systems originates from a consistent source IP

    Correct. Cilium's egress gateway SNATs outbound traffic from pod backends, ensuring a consistent source IP for external systems, which is critical for egress traffic filtering and logging.

  3. C The egress gateway terminates the LoadBalancer IP and routes traffic to service backends

    Incorrect. The LoadBalancer IP is routed by the cloud provider or BGP; the egress gateway doesn't terminate it.

  4. D The egress gateway advertises the LoadBalancer IP to external routers via BGP

    Incorrect. LoadBalancer IP advertisement is handled by the service controller, not the egress gateway.

Q4. A CiliumBGPPeeringPolicy fails to establish a peering session with an external BGP neighbor. The error log shows 'hold timer expired'. What does this indicate?

  1. A BGP authentication (MD5) failed during the three-way handshake

    Incorrect. MD5 auth failures would cause a separate TCP connection reset, not hold timer expiration.

  2. B No BGP packets (Keepalive/Update) were received from the neighbor within the hold time interval

    Correct. Hold timer expiration means no BGP packets were received from the neighbor within the negotiated hold time, indicating network connectivity or neighbor issues.

  3. C The external neighbor rejected the BGP Open message due to ASN mismatch

    Incorrect. ASN mismatch would cause an explicit notification message, not hold timer expiration.

  4. D The neighbor's hold timer (proposed in BGP Open) is longer than Cilium's configured hold time

    Incorrect. Hold timers are negotiated; the smaller of the two proposed values is used.

Q5. You enable source IP preservation for egress traffic from a pod using Cilium's egress gateway. A pod sends a request to an external API, which logs the source IP. Which IP will be logged?

  1. A The pod's cluster IP

    Incorrect. ClusterIP is for ingress services, not egress source IPs.

  2. B The egress gateway's fixed external IP configured in the policy

    Correct. Egress traffic is SNAT'd to the egress gateway's configured fixed external IP, so the external API logs this consistent IP.

  3. C The pod's identity virtual IP (reserved:unknown)

    Incorrect. Identity VIPs are for ingress traffic policy, not egress source IP.

  4. D The node's host IP where the pod is running

    Incorrect. Egress gateway specifically overrides the node IP for egress SNAT.

How this domain is tested

BGP and External Networking accounts for 6% of the CCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 7-question domain bank will close those gaps.