Practice PCNE Designing, planning, and prototyping a GCP network questions with full explanations on every answer.
1. Your company is deploying a multi-tier web application on Google Kubernetes Engine (GKE) with a regional cluster. You need to design network policies to allow traffic only from the frontend pods to the backend pods on port 8080. Which of the following is the most secure and recommended approach?
2. A company is designing a hybrid connectivity solution between an on-premises data center and Google Cloud. They have a high bandwidth requirement of 20 Gbps and need a service level agreement (SLA) of 99.99% availability. Which connectivity option should they choose?
3. A network engineer needs to design a VPC network for a global application that will have Compute Engine instances in multiple regions. The instances need to communicate with each other using internal IP addresses. What is the simplest way to enable this communication?
4. Which TWO of the following are valid methods to reduce latency between users in Europe and a GCP-hosted application?
5. Which THREE of the following are requirements for implementing a Global External HTTP(S) Load Balancer with an external backend?
6. A network engineer is troubleshooting connectivity from a Compute Engine instance in subnet-a to a Google Cloud Storage bucket. The instance has no external IP address. Based on the exhibit, what is the most likely cause of the connectivity issue?
7. Based on the exhibit, what is the purpose of Cloud Router's BGP configuration?
8. A company has a VPC with subnets in us-east1 and europe-west1. They have a Compute Engine instance in us-east1 with an internal IP 10.0.1.2. They need to allow SSH (port 22) from a specific on-premises IP 203.0.113.5 via Cloud VPN. The Cloud VPN tunnel uses a Cloud Router with BGP. The on-premises network advertises the route for 203.0.113.5/32 to the Cloud Router. Which firewall rule must be created?
9. A company is deploying an internal load balancer (ILB) in a VPC to distribute traffic among backend instances in a managed instance group. The ILB should only be accessible from within the VPC. Which of the following is a required step when configuring the ILB?
10. A company is designing a hybrid network architecture to connect their on-premises data center to Google Cloud. They need high availability and bandwidth up to 10 Gbps. Which connectivity option should they choose?
11. A network engineer is designing a VPC in Google Cloud with multiple subnets across different regions. The application requires low-latency communication between instances in the same region but not across regions. Which VPC network configuration should be used?
12. An organization wants to implement a hub-and-spoke network topology in Google Cloud using VPC Network Peering. The hub VPC hosts shared services and the spoke VPCs host application workloads. They need to ensure that spokes can communicate with each other through the hub. Which additional configuration is required?
13. A company is planning to migrate their on-premises application to Google Cloud. The application requires consistent high bandwidth and low latency to on-premises databases. They have a Dedicated Interconnect connection with a 10 Gbps link. To improve availability, they decide to add a second Interconnect connection. Which of the following is a best practice for configuring BGP sessions?
14. A network engineer is designing a Google Cloud network for a financial services company that requires strict compliance with PCI DSS. They need to isolate development, staging, and production environments. Which approach should they use to meet these requirements?
15. Which TWO factors should be considered when selecting a Google Cloud region for deploying a globally distributed application to minimize latency for users?
16. Which THREE components are required to set up a Cloud VPN with dynamic routing (BGP) between an on-premises network and Google Cloud?
17. A company is designing a hybrid network between their on-premises data center and Google Cloud. They need high availability for traffic between the two environments and want to use Cloud VPN with dynamic routing. Which configuration ensures that if one VPN tunnel fails, traffic automatically fails over to the other tunnel without manual intervention?
18. A company has deployed a Global External HTTP(S) Load Balancer with a backend service that points to an instance group in us-central1. The load balancer's frontend uses a reserved static external IP address. Users in Europe report high latency, while users in Asia cannot reach the application at all. The application works fine when accessed directly via the instance group's internal IPs from within us-central1. Which action should be taken to resolve the issue?
19. A company wants to connect two VPC networks (vpc-a and vpc-b) that both reside in the same Google Cloud project. They need to ensure that all IP ranges in both VPCs can communicate using internal private IP addresses. Which solution should they implement?
20. You run the command shown in the exhibit. Your on-premises network is connected to your VPC via a Cloud Router with two BGP sessions. You notice that your on-premises network receives routes for only the two custom IP ranges (10.0.1.0/24 and 10.0.2.0/24) but not for other subnets in the VPC. What is the most likely cause?
21. A company is deploying a multi-tier application on Google Cloud. The frontend tier runs in a managed instance group behind a global external HTTP(S) load balancer. The backend tier runs on Compute Engine instances in a different VPC subnet. The frontend instances must communicate with the backend instances using internal IP addresses only. Which configuration should the network engineer use?
22. Drag and drop the steps to create a VPC with custom subnet mode in Google Cloud into the correct order.
23. Drag and drop the steps to set up a Private Service Connect for accessing Google APIs privately into the correct order.
24. Match each Google Cloud networking service to its primary function.
25. Match each network troubleshooting command/tool to its function.
26. A company needs to connect their on-premises data center to Google Cloud using a VPN with high availability. They have two VPN appliances on-premises in different locations. What is the best design on the GCP side?
27. A company has a VPC with subnets in us-east1 and europe-west1. They need low-latency communication between instances in these regions using private IPs only. Which solution should they use?
28. An organization wants to use Shared VPC but restrict access to certain subnets for specific service projects. Which GCP feature should they use?
29. A company has Compute Engine instances without external IPs that need to access the internet for updates. They do not want any inbound traffic. What is the best design?
30. A company wants to migrate an on-premises application that uses IPsec VPN tunnels to Google Cloud. They need to ensure encrypted connectivity between the on-premises network and a VPC. Which GCP service should they use?
31. An organization has two VPC networks in different Google Cloud organizations. They need to allow private IP communication between instances in these VPCs without using public IPs or VPNs. Which solution should they use?
32. Which GCP service provides a dedicated, low-latency connection from an on-premises data center to Google Cloud?
33. A company has a VPC with a firewall rule that allows SSH (tcp:22) from 0.0.0.0/0. They want to restrict SSH access to only the public IP address of their Cloud VPN gateway. How should they modify the firewall rule?
34. A global application uses a global external HTTPS load balancer with backend NEGs in multiple regions. The content is static and must be cached at edge locations to reduce latency. Which GCP service should be enabled?
35. Which TWO of the following are benefits of using Shared VPC?
36. A company needs to connect three VPC networks in separate projects (two in the same organization, one in a different organization) to each other for private IP communication. Which TWO GCP solutions should they consider? (Choose 2.)
37. Which THREE factors should be considered when designing a Cloud VPN for high availability? (Choose 3.)
38. Refer to the exhibit. A network engineer reviews the firewall rules in a VPC. What is the most significant security concern?
39. Refer to the exhibit. What is the purpose of the --enable-private-ip-google-access flag?
40. Refer to the exhibit. What is the purpose of the IP address 169.254.0.1 assigned to the Cloud Router interface?
41. A company is designing a VPC network to support multiple projects that require isolation but also need to communicate with a shared services project. Which approach should the company use to minimize administrative overhead while ensuring isolation?
42. A company has Compute Engine instances without external IP addresses that need to access external APIs. The instances are in multiple zones within a region, and each zone has a subnet. The company wants a cost-effective and highly available solution that does not require manual failover. What should they do?
43. An organization is connecting their on-premises data center to GCP using Dedicated Interconnect with multiple VLAN attachments. They have configured Cloud Router with BGP sessions for each VLAN attachment. They notice that traffic from GCP to on-premises is not load-balanced across the attachments; instead, all traffic uses a single link. What is the most likely cause?
44. A company has multiple projects that each need their own administrative control but must share a common VPC network. Which networking solution should they use?
45. An organization has Compute Engine instances in a VPC without external IP addresses. They need to allow these instances to access Google Cloud Storage buckets but not the internet. What should they configure?
46. A company runs a Kubernetes cluster on GKE with a VPC-native cluster (alias IP ranges). They have pods that need to communicate with on-premises services via a Cloud VPN tunnel. Which networking configuration is required to enable pod-to-on-premises communication?
47. A company has a VPC with three subnets and multiple firewall rules. They want to ensure that the most specific firewall rule takes precedence when there is a conflict. What is the default evaluation order of firewall rules?
48. A company needs a dedicated, low-latency connection from their on-premises data center to GCP with a 10 Gbps capacity. They require the highest availability and service level agreement (SLA). Which connectivity option should they choose?
49. A company is experiencing asymmetric routing between their VPC and on-premises network over two Cloud VPN tunnels with different BGP sessions. Some traffic from GCP to on-premises is dropped by firewall stateful inspection on-premises. What is the most likely cause?
50. Which TWO of the following are true regarding VPC Network Peering? (Choose TWO.)
51. Which THREE of the following are required to set up a highly available Cloud VPN with dynamic routing? (Choose THREE.)
52. Which TWO of the following are advantages of using the Premium Tier of Google Cloud's Network Service Tiers? (Choose TWO.)
53. A network engineer runs the gcloud command above for a Cloud NAT configured in us-central1. The VPC has 20 instances without external IPs in us-central1. They notice that only three instances have NAT mappings displayed. What could explain this?
54. A team is deploying a new service in a Compute Engine instance without an external IP in subnet-b. The service needs to access Google Cloud Storage using internal IPs. What must the team do to enable this?
55. A request comes from IP 192.0.2.5, with origin region code 'US', and path '/admin/dashboard'. What will be the final action?
56. A company wants to connect on-premises to GCP via Cloud VPN with dynamic routing. They have two on-premises routers for redundancy. Which configuration ensures automatic failover?
57. A company uses Shared VPC with multiple service projects. They need to allow certain service projects to create internal load balancers (ILBs) that are accessible from all projects in the organization. What is the best practice?
58. A financial company requires encrypted traffic between on-premises and GCP. They have strict compliance requiring that encryption keys are managed on-premises and rotated every 30 days. Which connectivity solution should they use?
59. A company is designing a VPC for a multi-tier application. The web tier must be accessible from the internet, the app tier only from the web tier, and the db tier only from the app tier. Which combination of firewall rules is appropriate?
60. An organization is deploying a global application and wants to use an Internal Load Balancer (ILB) across multiple regions. What is the correct configuration?
61. A company has a complex on-premises network with multiple BGP AS numbers. They are connecting to GCP using Cloud VPN and wish to advertise specific prefixes. They want to ensure that only selected on-premises prefixes are advertised to GCP and no other prefixes leak. What is the best approach?
62. A startup wants to minimize costs for their development VPC. They have a few VMs that need occasional internet access for updates. What is the most cost-effective approach?
63. A company needs to ensure that all traffic between GCP VMs in different regions is encrypted in transit. What is the recommended approach?
64. An organization is using Shared VPC with 100 service projects. They want to allow each service project to manage its own Cloud NAT, but the network administration team wants to control the outbound IP addresses used. What is the best design?
65. Which TWO services can be used to provide outbound connectivity to the internet for private VMs in a VPC? (Assume VMs have no external IPs.)
66. Which TWO statements about VPC Network Peering are correct?
67. Which THREE components are part of a typical Cloud Hybrid Networking architecture?
68. Refer to the exhibit. A network engineer checks the BGP status of a Cloud Router. The on-premises router has two BGP peers configured. What is the most likely cause of the IDLE session for the second peer?
69. Refer to the exhibit. A VM in the default VPC with IP 10.0.0.5 is unable to receive traffic from another VM in the same VPC with IP 10.0.1.5. The firewall rule shown is in place. What is the most likely reason?
70. Refer to the exhibit. A company has enabled Private Google Access on the subnet. What effect does this have on VMs in the subnet?
71. A company is designing a hybrid network architecture to connect their on-premises data center to Google Cloud. They need high availability and bandwidth of at least 10 Gbps. Which connectivity option meets these requirements?
72. A startup is migrating a two-tier application to GCP. The web tier must be accessible from the internet, and the database tier must only be accessible from the web tier. Which network design should be used?
73. An enterprise uses Shared VPC with a host project and multiple service projects. A service project team wants to create a Cloud VPN tunnel to their on-premises network. What must the network team configure in the host project to allow this?
74. A company is designing a global application that requires low-latency access to GCP services like Cloud Storage and BigQuery. They also need to minimize egress costs for traffic to the internet. Which network service tier should they choose for their GCP resources?
75. An organization needs to allow on-premises servers to resolve DNS names of GCP VM instances using RFC 1918 addresses. They have a Cloud VPN connection. Which DNS resolution approach should they implement?
76. A company is deploying a global HTTP load balancer with a backend service that spans multiple regions. The backend instances are in a managed instance group. They want to use Cloud CDN to cache content. What is the minimal set of configurations required on the backend bucket or instance group to enable Cloud CDN?
77. A network engineer is designing a VPC with custom subnet mode. They need to allocate IP addresses for three tiers: web (100 instances), app (200 instances), and db (50 instances). The VPC will be in the us-central1 region. Which subnet plan is most cost-effective and scalable?
78. A company has a VPC with a subnet in us-central1 (10.0.0.0/16) and a Cloud VPN tunnel to an on-premises network (192.168.0.0/16). They also have a static route for 0.0.0.0/0 to the internet gateway. On-premises traffic to 10.0.0.0/16 is working. However, traffic from a GCE instance in the VPC to an on-premises IP 192.168.1.10 is timing out. What is the most likely cause?
79. A developer wants to deploy a single Compute Engine instance that needs to initiate outbound connections to the internet, but should not have a public IP address. Which GCP networking feature must be configured?
80. Which TWO statements are true about VPC Network Peering?
81. Which THREE actions are required to configure a High-Availability Cloud VPN (HA VPN) with dynamic routing to an on-premises peer?
82. Which TWO of the following are valid reasons to use a Shared VPC architecture?
83. A company wants to connect their on-premises data center to Google Cloud using a site-to-site VPN with dynamic routing. Which protocol should they use for route exchange?
84. A company wants to deploy an HTTP application on Compute Engine instances in us-east1 and europe-west1, and use a global external HTTP(S) load balancer. How should they configure the backend?
85. A company uses Shared VPC with multiple service projects. They want to ensure that only specific service projects can use the Cloud NAT configured in the host project. What should they do?
86. A company needs to connect on-premises to GCP using Dedicated Interconnect with a 10 Gbps link, and they require high availability. They plan to use a single VLAN attachment. What is the best design?
87. A company wants to allow on-premises servers to access Google APIs and services through a Dedicated Interconnect without using public IPs. What should they configure?
88. A company has a VPC with several subnets and wants to force traffic between two specific subnets (A and B) to be inspected by a third-party firewall appliance in a separate subnet (C). The firewall has source/destination check disabled. What is the best way to route traffic from A to B through C?
89. A company is designing a hybrid network with Cloud VPN. Which TWO best practices should they follow? (Choose TWO.)
90. A company uses Shared VPC. They want to restrict which service project's VMs can use a specific subnet. Which TWO methods can achieve this? (Choose TWO.)
91. A company is planning to migrate to Google Cloud and needs to design a VPC network for a multi-tier application (web, app, database). Which THREE best practices should they follow? (Choose THREE.)
92. Your company has a VPC with two subnets: 10.0.1.0/24 in us-central1 and 10.0.2.0/24 in us-east1. They have a Cloud VPN tunnel to the on-premises data center using dynamic routing (BGP). The Cloud Router was created in the us-central1 region with default settings. On-premises hosts can successfully communicate with instances in the 10.0.1.0/24 subnet, but cannot reach instances in the 10.0.2.0/24 subnet. All instances have appropriate firewall rules allowing traffic from on-premises. The BGP session is established and routes from on-premises are received in Cloud Router. What is the most likely reason for the issue?
93. A company uses a Shared VPC with a host project and multiple service projects. They have deployed Cloud NAT in the host project's network to provide internet access for service project instances. The Cloud NAT is configured to use a network tag 'nat'. Instances in service projects that have the tag 'nat' can reach the internet. A new service project is added and its instances are created with the same tag 'nat' in a subnet in europe-west1. However, these instances cannot reach the internet. Other service project instances with the tag 'nat' in us-central1 work fine. The Cloud NAT is deployed in us-central1. What is the most likely cause?
94. A company has an external HTTP(S) load balancer with a backend service pointing to an instance group in us-east1. They enable Cloud CDN to improve performance for global users. After enabling, they observe that users in Asia still experience high latency. They verify that the backend instances respond with Cache-Control headers that allow caching. What is the most likely reason for the high latency?
95. A company uses Dedicated Interconnect to connect their on-premises data center to Google Cloud. They have enabled Private Google Access on the VPC subnet to allow on-premises hosts to access Google APIs via private IPs over the interconnect. Performance tests show that throughput to Google APIs is lower than expected, and the interconnect link utilization is below 30%. What should they do to improve throughput?
96. A company has two VPCs in the same project, VPC-A and VPC-B. They have set up VPC peering between them. In VPC-A, there is a subnet 10.0.1.0/24. In VPC-B, there are subnets 10.0.2.0/24 and 10.0.3.0/24. A compute instance in VPC-A can ping an instance in VPC-B with IP 10.0.2.10, but fails to ping an instance in VPC-B with IP 10.0.3.10. All subnets are in the same region. Firewall rules allow all traffic between VPC-A and VPC-B. What is the most likely cause?
97. A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They have deployed Compute Engine instances that need to communicate with an on-premises database via a Cloud VPN tunnel using BGP. The on-premises network advertises the database subnet 192.168.0.0/16. The instances can reach the database for a few minutes after reboot, but then connectivity drops. The Cloud VPN logs show no errors. The BGP session remains established. What is the most likely issue?
98. A company is migrating its on-premises data center to Google Cloud. They currently have a Cloud VPN tunnel with dynamic routing (BGP) connecting their on-premises router (ASN 65001) to a Cloud Router in us-central1 (ASN 64512). The on-premises network uses IP range 10.0.0.0/8, and the Google Cloud VPC uses 172.16.0.0/12. After migration, they notice intermittent connectivity issues: traffic from on-premises to a new VM (172.16.1.2) is sometimes dropped, while other VMs in the same subnet work fine. The VM 172.16.1.2 is fine when accessed from other Google Cloud VMs. The team suspects asymmetric routing. Investigation shows that the on-premises router receives two routes for 172.16.1.2/32: one with next-hop as the Cloud VPN tunnel and another with next-hop as the internet (default route). No custom route advertisements are configured on the Cloud Router. The VPC has a default route (0.0.0.0/0) pointing to the internet gateway. What should the network engineer do to resolve the issue without breaking other connectivity?
99. A large multinational corporation uses a Shared VPC in Google Cloud with multiple service projects. They have a central Cloud NAT configured in the host project in the us-central1 region to provide internet egress for all VMs. Recently, the IT team added a new subnet (10.0.10.0/24) in a service project and deployed VMs there. All other VMs in the same project but in different subnets (e.g., 10.0.1.0/24) can reach the internet, but the new VMs in 10.0.10.0/24 cannot. The Cloud NAT gateway is configured in us-central1 with all IP ranges allowed. The VPC firewall rules allow egress traffic to the internet. The team verified that the VMs have a default route (0.0.0.0/0) with next-hop 'default-internet-gateway' and that the Cloud NAT router's NAT IPs are properly assigned. However, the new subnet's VMs are unable to connect to any external IP. The network engineer suspects that the Cloud NAT's NAT reservations might be the issue, but all NAT IPs are ephemeral. Further investigation shows that the Cloud Router used by Cloud NAT is advertising custom IP ranges via BGP to an on-premises router for a different use case. What is the most likely cause and solution?
100. A company plans to connect an on-premises network to Google Cloud using HA VPN with dynamic routing (BGP). The on-premises side supports BGP and has two independent routers for redundancy. The company wants to ensure failover within seconds if one tunnel goes down. Which configuration meets this requirement?
101. A company uses a Shared VPC host project with three service projects: Prod, Staging, and Dev. All service projects have similar network requirements except that Prod requires Private Google Access to access Google APIs from VM instances without external IP addresses. The network team creates a single subnet in the Shared VPC with Private Google Access enabled. However, Staging and Dev teams report that their VMs cannot reach external IP addresses on the internet because the subnet's route has a next hop of default internet gateway. What is the most cost-effective solution that meets all requirements?
102. Which TWO statements about VPC Network Peering are correct? (Choose TWO.)
103. Your company has a hybrid network architecture with two Cloud VPN tunnels (tunnel-a and tunnel-b) from an on-premises router to a Cloud VPN gateway in us-central1, and one Dedicated Interconnect connection from the same on-premises router to a VLAN attachment in us-east1. All connections use BGP to exchange routes. The on-premises router advertises the same CIDR block 10.0.0.0/8 to both VPN and Interconnect. Google Cloud routes for on-premises prefixes are learned via both paths with the same priority. You notice that traffic from Google Cloud VMs in us-central1 to on-premises destinations sometimes fails during periods of high load. Additionally, you observe ICMP redirects from the VMs. What is the most likely cause and recommended action?
The Designing, planning, and prototyping a GCP network domain covers the key concepts tested in this area of the PCNE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNE domains — no account required.
The Courseiva PCNE question bank contains 103 questions in the Designing, planning, and prototyping a GCP network domain.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Designing, planning, and prototyping a GCP network domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.