
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Designing, planning, and prototyping a GCP network

Practice PCNE Designing, planning, and prototyping a GCP network questions with full explanations on every answer.

103 questions


PCNE Domains

Designing, planning, and prototyping a GCP network
Implementing hybrid interconnectivity
Configuring network services
Implementing network security
Implementing a Virtual Private Cloud


All PCNE Designing, planning, and prototyping a GCP network questions (103)


1

Your company is deploying a multi-tier web application on Google Kubernetes Engine (GKE) with a regional cluster. You need to design network policies to allow traffic only from the frontend pods to the backend pods on port 8080. Which of the following is the most secure and recommended approach?

2

A company is designing a hybrid connectivity solution between an on-premises data center and Google Cloud. They have a high bandwidth requirement of 20 Gbps and need a service level agreement (SLA) of 99.99% availability. Which connectivity option should they choose?

3

A network engineer needs to design a VPC network for a global application that will have Compute Engine instances in multiple regions. The instances need to communicate with each other using internal IP addresses. What is the simplest way to enable this communication?

4

Which TWO of the following are valid methods to reduce latency between users in Europe and a GCP-hosted application?

5

Which THREE of the following are requirements for implementing a Global External HTTP(S) Load Balancer with an external backend?

6

A network engineer is troubleshooting connectivity from a Compute Engine instance in subnet-a to a Google Cloud Storage bucket. The instance has no external IP address. Based on the exhibit, what is the most likely cause of the connectivity issue?

7

Based on the exhibit, what is the purpose of Cloud Router's BGP configuration?

8

A company has a VPC with subnets in us-east1 and europe-west1. They have a Compute Engine instance in us-east1 with an internal IP 10.0.1.2. They need to allow SSH (port 22) from a specific on-premises IP 203.0.113.5 via Cloud VPN. The Cloud VPN tunnel uses a Cloud Router with BGP. The on-premises network advertises the route for 203.0.113.5/32 to the Cloud Router. Which firewall rule must be created?

9

A company is deploying an internal load balancer (ILB) in a VPC to distribute traffic among backend instances in a managed instance group. The ILB should only be accessible from within the VPC. Which of the following is a required step when configuring the ILB?

10

A company is designing a hybrid network architecture to connect their on-premises data center to Google Cloud. They need high availability and bandwidth up to 10 Gbps. Which connectivity option should they choose?

11

A network engineer is designing a VPC in Google Cloud with multiple subnets across different regions. The application requires low-latency communication between instances in the same region but not across regions. Which VPC network configuration should be used?

12

An organization wants to implement a hub-and-spoke network topology in Google Cloud using VPC Network Peering. The hub VPC hosts shared services and the spoke VPCs host application workloads. They need to ensure that spokes can communicate with each other through the hub. Which additional configuration is required?

13

A company is planning to migrate their on-premises application to Google Cloud. The application requires consistent high bandwidth and low latency to on-premises databases. They have a Dedicated Interconnect connection with a 10 Gbps link. To improve availability, they decide to add a second Interconnect connection. Which of the following is a best practice for configuring BGP sessions?

14

A network engineer is designing a Google Cloud network for a financial services company that requires strict compliance with PCI DSS. They need to isolate development, staging, and production environments. Which approach should they use to meet these requirements?

15

Which TWO factors should be considered when selecting a Google Cloud region for deploying a globally distributed application to minimize latency for users?

16

Which THREE components are required to set up a Cloud VPN with dynamic routing (BGP) between an on-premises network and Google Cloud?

17

A company is designing a hybrid network between their on-premises data center and Google Cloud. They need high availability for traffic between the two environments and want to use Cloud VPN with dynamic routing. Which configuration ensures that if one VPN tunnel fails, traffic automatically fails over to the other tunnel without manual intervention?

18

A company has deployed a Global External HTTP(S) Load Balancer with a backend service that points to an instance group in us-central1. The load balancer's frontend uses a reserved static external IP address. Users in Europe report high latency, while users in Asia cannot reach the application at all. The application works fine when accessed directly via the instance group's internal IPs from within us-central1. Which action should be taken to resolve the issue?

19

A company wants to connect two VPC networks (vpc-a and vpc-b) that both reside in the same Google Cloud project. They need to ensure that all IP ranges in both VPCs can communicate using internal private IP addresses. Which solution should they implement?

20

You run the command shown in the exhibit. Your on-premises network is connected to your VPC via a Cloud Router with two BGP sessions. You notice that your on-premises network receives routes for only the two custom IP ranges (10.0.1.0/24 and 10.0.2.0/24) but not for other subnets in the VPC. What is the most likely cause?

21

A company is deploying a multi-tier application on Google Cloud. The frontend tier runs in a managed instance group behind a global external HTTP(S) load balancer. The backend tier runs on Compute Engine instances in a different VPC subnet. The frontend instances must communicate with the backend instances using internal IP addresses only. Which configuration should the network engineer use?

22

Drag and drop the steps to create a VPC with custom subnet mode in Google Cloud into the correct order.

23

Drag and drop the steps to set up a Private Service Connect for accessing Google APIs privately into the correct order.

24

Match each Google Cloud networking service to its primary function.

25

Match each network troubleshooting command/tool to its function.

26

A company needs to connect their on-premises data center to Google Cloud using a VPN with high availability. They have two VPN appliances on-premises in different locations. What is the best design on the GCP side?

27

A company has a VPC with subnets in us-east1 and europe-west1. They need low-latency communication between instances in these regions using private IPs only. Which solution should they use?

28

An organization wants to use Shared VPC but restrict access to certain subnets for specific service projects. Which GCP feature should they use?

29

A company has Compute Engine instances without external IPs that need to access the internet for updates. They do not want any inbound traffic. What is the best design?

30

A company wants to migrate an on-premises application that uses IPsec VPN tunnels to Google Cloud. They need to ensure encrypted connectivity between the on-premises network and a VPC. Which GCP service should they use?

31

An organization has two VPC networks in different Google Cloud organizations. They need to allow private IP communication between instances in these VPCs without using public IPs or VPNs. Which solution should they use?

32

Which GCP service provides a dedicated, low-latency connection from an on-premises data center to Google Cloud?

33

A company has a VPC with a firewall rule that allows SSH (tcp:22) from 0.0.0.0/0. They want to restrict SSH access to only the public IP address of their Cloud VPN gateway. How should they modify the firewall rule?

34

A global application uses a global external HTTPS load balancer with backend NEGs in multiple regions. The content is static and must be cached at edge locations to reduce latency. Which GCP service should be enabled?

35

Which TWO of the following are benefits of using Shared VPC?

36

A company needs to connect three VPC networks in separate projects (two in the same organization, one in a different organization) to each other for private IP communication. Which TWO GCP solutions should they consider? (Choose 2.)

37

Which THREE factors should be considered when designing a Cloud VPN for high availability? (Choose 3.)

38

Refer to the exhibit. A network engineer reviews the firewall rules in a VPC. What is the most significant security concern?

39

Refer to the exhibit. What is the purpose of the --enable-private-ip-google-access flag?

40

Refer to the exhibit. What is the purpose of the IP address 169.254.0.1 assigned to the Cloud Router interface?

41

A company is designing a VPC network to support multiple projects that require isolation but also need to communicate with a shared services project. Which approach should the company use to minimize administrative overhead while ensuring isolation?

42

A company has Compute Engine instances without external IP addresses that need to access external APIs. The instances are in multiple zones within a region, and each zone has a subnet. The company wants a cost-effective and highly available solution that does not require manual failover. What should they do?

43

An organization is connecting their on-premises data center to GCP using Dedicated Interconnect with multiple VLAN attachments. They have configured Cloud Router with BGP sessions for each VLAN attachment. They notice that traffic from GCP to on-premises is not load-balanced across the attachments; instead, all traffic uses a single link. What is the most likely cause?

44

A company has multiple projects that each need their own administrative control but must share a common VPC network. Which networking solution should they use?

45

An organization has Compute Engine instances in a VPC without external IP addresses. They need to allow these instances to access Google Cloud Storage buckets but not the internet. What should they configure?

46

A company runs a Kubernetes cluster on GKE with a VPC-native cluster (alias IP ranges). They have pods that need to communicate with on-premises services via a Cloud VPN tunnel. Which networking configuration is required to enable pod-to-on-premises communication?

47

A company has a VPC with three subnets and multiple firewall rules. They want to ensure that the most specific firewall rule takes precedence when there is a conflict. What is the default evaluation order of firewall rules?

48

A company needs a dedicated, low-latency connection from their on-premises data center to GCP with a 10 Gbps capacity. They require the highest availability and service level agreement (SLA). Which connectivity option should they choose?

49

A company is experiencing asymmetric routing between their VPC and on-premises network over two Cloud VPN tunnels with different BGP sessions. Some traffic from GCP to on-premises is dropped by firewall stateful inspection on-premises. What is the most likely cause?

50

Which TWO of the following are true regarding VPC Network Peering? (Choose TWO.)

51

Which THREE of the following are required to set up a highly available Cloud VPN with dynamic routing? (Choose THREE.)

52

Which TWO of the following are advantages of using the Premium Tier of Google Cloud's Network Service Tiers? (Choose TWO.)

53

A network engineer runs the gcloud command above for a Cloud NAT configured in us-central1. The VPC has 20 instances without external IPs in us-central1. They notice that only three instances have NAT mappings displayed. What could explain this?

54

A team is deploying a new service in a Compute Engine instance without an external IP in subnet-b. The service needs to access Google Cloud Storage using internal IPs. What must the team do to enable this?

55

A request comes from IP 192.0.2.5, with origin region code 'US', and path '/admin/dashboard'. What will be the final action?

56

A company wants to connect its on-premises network to GCP via Cloud VPN with dynamic routing. They have two on-premises routers for redundancy. Which configuration ensures automatic failover?

57

A company uses Shared VPC with multiple service projects. They need to allow certain service projects to create internal load balancers (ILBs) that are accessible from all projects in the organization. What is the best practice?

58

A financial company requires encrypted traffic between its on-premises network and GCP. They have strict compliance requirements that encryption keys be managed on-premises and rotated every 30 days. Which connectivity solution should they use?

59

A company is designing a VPC for a multi-tier application. The web tier must be accessible from the internet, the app tier only from the web tier, and the db tier only from the app tier. Which combination of firewall rules is appropriate?

60

An organization is deploying a global application and wants to use an Internal Load Balancer (ILB) across multiple regions. What is the correct configuration?

61

A company has a complex on-premises network with multiple BGP AS numbers. They are connecting to GCP using Cloud VPN and wish to advertise specific prefixes. They want to ensure that only selected on-prem prefixes are advertised to GCP and no other prefixes leak. What is the best approach?

62

A startup wants to minimize costs for their development VPC. They have a few VMs that need occasional internet access for updates. What is the most cost-effective approach?

63

A company needs to ensure that all traffic between GCP VMs in different regions is encrypted in transit. What is the recommended approach?

64

An organization is using Shared VPC with 100 service projects. They want to allow each service project to manage its own Cloud NAT, but the network administration team wants to control the outbound IP addresses used. What is the best design?

65

Which TWO services can be used to provide outbound connectivity to the internet for private VMs in a VPC? (Assume VMs have no external IPs.)

66

Which TWO statements about VPC Network Peering are correct?

67

Which THREE components are part of a typical Cloud Hybrid Networking architecture?

68

Refer to the exhibit. A network engineer checks the BGP status of a Cloud Router. The on-prem router has two BGP peers configured. What is the most likely cause of the IDLE session for the second peer?

69

Refer to the exhibit. A VM in the default VPC with IP 10.0.0.5 is unable to receive traffic from another VM in the same VPC with IP 10.0.1.5. The firewall rule shown is in place. What is the most likely reason?

70

Refer to the exhibit. A company has enabled Private Google Access on the subnet. What effect does this have on VMs in the subnet?

71

A company is designing a hybrid network architecture to connect their on-premises data center to Google Cloud. They need high availability and bandwidth of at least 10 Gbps. Which connectivity option meets these requirements?

72

A startup is migrating a two-tier application to GCP. The web tier must be accessible from the internet, and the database tier must only be accessible from the web tier. Which network design should be used?

73

An enterprise uses Shared VPC with a host project and multiple service projects. A service project team wants to create a Cloud VPN tunnel to their on-premises network. What must the network team configure in the host project to allow this?

74

A company is designing a global application that requires low-latency access to GCP services like Cloud Storage and BigQuery. They also need to minimize egress costs for traffic to the internet. Which network service tier should they choose for their GCP resources?

75

An organization needs to allow on-premises servers to resolve DNS names of GCP VM instances using RFC 1918 addresses. They have a Cloud VPN connection. Which DNS resolution approach should they implement?

76

A company is deploying a global HTTP load balancer with a backend service that spans multiple regions. The backend instances are in a managed instance group. They want to use Cloud CDN to cache content. What is the minimal set of configurations required on the backend bucket or instance group to enable Cloud CDN?

77

A network engineer is designing a VPC with custom subnet mode. They need to allocate IP addresses for three tiers: web (100 instances), app (200 instances), and db (50 instances). The VPC will be in the us-central1 region. Which subnet plan is most cost-effective and scalable?

78

A company has a VPC with a subnet in us-central1 (10.0.0.0/16) and a Cloud VPN tunnel to an on-premises network (192.168.0.0/16). They also have a static route for 0.0.0.0/0 to the internet gateway. On-premises traffic to 10.0.0.0/16 is working. However, traffic from a GCE instance in the VPC to an on-premises IP 192.168.1.10 is timing out. What is the most likely cause?

79

A developer wants to deploy a single Compute Engine instance that needs to initiate outbound connections to the internet, but should not have a public IP address. Which GCP networking feature must be configured?

80

Which TWO statements are true about VPC Network Peering?

81

Which THREE actions are required to configure a High-Availability Cloud VPN (HA VPN) with dynamic routing to an on-premises peer?

82

Which TWO of the following are valid reasons to use a Shared VPC architecture?

83

A company wants to connect their on-premises data center to Google Cloud using a site-to-site VPN with dynamic routing. Which protocol should they use for route exchange?

84

A company wants to deploy an HTTP application on Compute Engine instances in us-east1 and europe-west1, and use a global external HTTP(S) load balancer. How should they configure the backend?

85

A company uses Shared VPC with multiple service projects. They want to ensure that only specific service projects can use the Cloud NAT configured in the host project. What should they do?

86

A company needs to connect on-premises to GCP using Dedicated Interconnect with a 10 Gbps link, and they require high availability. They plan to use a single VLAN attachment. What is the best design?

87

A company wants to allow on-premises servers to access Google APIs and services through a Dedicated Interconnect without using public IPs. What should they configure?

88

A company has a VPC with several subnets and wants to force traffic between two specific subnets (A and B) to be inspected by a third-party firewall appliance in a separate subnet (C). The firewall has source/destination check disabled. What is the best way to route traffic from A to B through C?

89

A company is designing a hybrid network with Cloud VPN. Which TWO best practices should they follow? (Choose TWO.)

90

A company uses Shared VPC. They want to restrict which service project's VMs can use a specific subnet. Which TWO methods can achieve this? (Choose TWO.)

91

A company is planning to migrate to Google Cloud and needs to design a VPC network for a multi-tier application (web, app, database). Which THREE best practices should they follow? (Choose THREE.)

92

Your company has a VPC with two subnets: 10.0.1.0/24 in us-central1 and 10.0.2.0/24 in us-east1. They have a Cloud VPN tunnel to the on-premises data center using dynamic routing (BGP). The Cloud Router was created in the us-central1 region with default settings. On-premises hosts can successfully communicate with instances in the 10.0.1.0/24 subnet, but cannot reach instances in the 10.0.2.0/24 subnet. All instances have appropriate firewall rules allowing traffic from on-premises. The BGP session is established and routes from on-premises are received in Cloud Router. What is the most likely reason for the issue?

93

A company uses a Shared VPC with a host project and multiple service projects. They have deployed Cloud NAT in the host project's network to provide internet access for service project instances. The Cloud NAT is configured to use a network tag 'nat'. Instances in service projects that have the tag 'nat' can reach the internet. A new service project is added and its instances are created with the same tag 'nat' in a subnet in europe-west1. However, these instances cannot reach the internet. Other service project instances with the tag 'nat' in us-central1 work fine. The Cloud NAT is deployed in us-central1. What is the most likely cause?

94

A company has an external HTTP(S) load balancer with a backend service pointing to an instance group in us-east1. They enable Cloud CDN to improve performance for global users. After enabling, they observe that users in Asia still experience high latency. They verify that the backend instances respond with Cache-Control headers that allow caching. What is the most likely reason for the high latency?

95

A company uses Dedicated Interconnect to connect their on-premises data center to Google Cloud. They have enabled Private Google Access on the VPC subnet to allow on-premises hosts to access Google APIs via private IPs over the interconnect. Performance tests show that throughput to Google APIs is lower than expected, and the interconnect link utilization is below 30%. What should they do to improve throughput?

96

A company has two VPCs in the same project, VPC-A and VPC-B. They have set up VPC peering between them. In VPC-A, there is a subnet 10.0.1.0/24. In VPC-B, there are subnets 10.0.2.0/24 and 10.0.3.0/24. A compute instance in VPC-A can ping an instance in VPC-B with IP 10.0.2.10, but fails to ping an instance in VPC-B with IP 10.0.3.10. All subnets are in the same region. Firewall rules allow all traffic between VPC-A and VPC-B. What is the most likely cause?

97

A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They have deployed Compute Engine instances that need to communicate with an on-premises database via a Cloud VPN tunnel using BGP. The on-premises network advertises the database subnet 192.168.0.0/16. The instances can reach the database for a few minutes after reboot, but then connectivity drops. The Cloud VPN logs show no errors. The BGP session remains established. What is the most likely issue?

98

A company is migrating its on-premises data center to Google Cloud. They currently have a Cloud VPN tunnel with dynamic routing (BGP) connecting their on-premises router (ASN 65001) to a Cloud Router in us-central1 (ASN 64512). The on-premises network uses IP range 10.0.0.0/8, and the Google Cloud VPC uses 172.16.0.0/12. After migration, they notice intermittent connectivity issues: traffic from on-premises to a new VM (172.16.1.2) is sometimes dropped, while other VMs in the same subnet work fine. The VM 172.16.1.2 is fine when accessed from other Google Cloud VMs. The team suspects asymmetric routing. Investigation shows that the on-premises router receives two routes for 172.16.1.2/32: one with next-hop as the Cloud VPN tunnel and another with next-hop as the internet (default route). No custom route advertisements are configured on the Cloud Router. The VPC has a default route (0.0.0.0/0) pointing to the internet gateway. What should the network engineer do to resolve the issue without breaking other connectivity?

99

A large multinational corporation uses a Shared VPC in Google Cloud with multiple service projects. They have a central Cloud NAT configured in the host project in the us-central1 region to provide internet egress for all VMs. Recently, the IT team added a new subnet (10.0.10.0/24) in a service project and deployed VMs there. All other VMs in the same project but in different subnets (e.g., 10.0.1.0/24) can reach the internet, but the new VMs in 10.0.10.0/24 cannot. The Cloud NAT gateway is configured in us-central1 with all IP ranges allowed. The VPC firewall rules allow egress traffic to the internet. The team verified that the VMs have a default route (0.0.0.0/0) with next-hop 'default-internet-gateway' and that the Cloud NAT router's NAT IPs are properly assigned. However, the new subnet's VMs are unable to connect to any external IP. The network engineer suspects that the Cloud NAT's NAT reservations might be the issue, but all NAT IPs are ephemeral. Further investigation shows that the Cloud Router used by Cloud NAT is advertising custom IP ranges via BGP to an on-premises router for a different use case. What is the most likely cause and solution?

100

A company plans to connect an on-premises network to Google Cloud using HA VPN with dynamic routing (BGP). The on-premises side supports BGP and has two independent routers for redundancy. The company wants to ensure failover within seconds if one tunnel goes down. Which configuration meets this requirement?

101

A company uses a Shared VPC host project with three service projects: Prod, Staging, and Dev. All service projects have similar network requirements except that Prod requires Private Google Access to access Google APIs from VM instances without external IP addresses. The network team creates a single subnet in the Shared VPC with Private Google Access enabled. However, Staging and Dev teams report that their VMs cannot reach external IP addresses on the internet because the subnet's route has a next hop of default internet gateway. What is the most cost-effective solution that meets all requirements?

102

Which TWO statements about VPC Network Peering are correct? (Choose TWO.)

103

Your company has a hybrid network architecture with two Cloud VPN tunnels (tunnel-a and tunnel-b) from an on-premises router to a Cloud VPN gateway in us-central1, and one Dedicated Interconnect connection from the same on-premises router to a VLAN attachment in us-east1. All connections use BGP to exchange routes. The on-premises router advertises the same CIDR block 10.0.0.0/8 to both VPN and Interconnect. Google Cloud routes for on-premises prefixes are learned via both paths with the same priority. You notice that traffic from Google Cloud VMs in us-central1 to on-premises destinations sometimes fails during periods of high load. Additionally, you observe ICMP redirects from the VMs. What is the most likely cause and recommended action?


Frequently asked questions

What does the Designing, planning, and prototyping a GCP network domain cover on the PCNE exam?

The Designing, planning, and prototyping a GCP network domain covers the key concepts tested in this area of the PCNE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNE domains — no account required.

How many Designing, planning, and prototyping a GCP network questions are in the PCNE question bank?

The Courseiva PCNE question bank contains 103 questions in the Designing, planning, and prototyping a GCP network domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Designing, planning, and prototyping a GCP network for PCNE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Designing, planning, and prototyping a GCP network questions for PCNE?

Yes — the session launcher on this page draws questions exclusively from the Designing, planning, and prototyping a GCP network domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
