Courseiva
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Implementing network security

Practice PCNE Implementing network security questions with full explanations on every answer.

76 questions


PCNE Domains

- Designing, planning, and prototyping a GCP network
- Implementing hybrid interconnectivity
- Configuring network services
- Implementing network security
- Implementing a Virtual Private Cloud

Practice Implementing network security questions


All PCNE Implementing network security questions (76)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1. A company is using Cloud NAT for internet access from private subnets. The security team notices that traffic from a specific VM is being blocked by external firewalls because the source IP is not the Cloud NAT IP. What is the most likely cause?

2. An organization wants to restrict access to a Cloud Storage bucket so that only VMs within a specific VPC network can download objects. They are using VPC Service Controls and Private Google Access. Which configuration is required?

3. A network engineer is troubleshooting connectivity from an on-premises network to a GCE VM through a VPN tunnel. The tunnel is established, but traffic is not reaching the VM. What should the engineer check first?

4. A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?

5. A company uses Cloud Armor to protect an HTTPS Load Balancer. They notice that legitimate traffic from a specific geographic region is being blocked. The security policy has a deny rule for that region. What is the correct way to allow traffic from that region while still protecting against attacks?

6. A company is implementing VPC Service Controls to protect a managed project containing BigQuery datasets. They want to allow access from a specific service account in a different project. Which two configurations are required? (Choose TWO.)

7. A company is using Cloud NAT for outbound internet access. They want to ensure that traffic from certain VMs always uses a specific set of NAT IPs for auditing purposes. Which three steps are necessary to achieve this? (Choose THREE.)

8. Refer to the exhibit. A user cannot SSH into test-vm from their workstation (public IP 203.0.113.5) using the VM's external IP 34.67.89.10. The firewall rule allow-ssh exists. What is the most likely cause?

9. Refer to the exhibit. A project has the IAM policy shown. Alice is trying to delete a VPC firewall rule but receives a permission error. What is the most likely reason?

10. A company is designing a hub-and-spoke VPC architecture in Google Cloud. The hub VPC hosts a set of shared services, including a third-party firewall appliance (NGFW) in a managed instance group behind a TCP load balancer. Spoke VPCs need to send traffic to the hub's internal TCP load balancer IP (10.0.0.10) for inspection. The firewall appliance inspects traffic and forwards it to the final destination. The network team notices that traffic from one spoke to the load balancer is being dropped. They have verified that VPC peering is established, routes are propagated, and firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

11. A company uses Identity-Aware Proxy (IAP) to secure access to a group of Compute Engine instances running a web application. The instances have no external IP addresses and are accessed via IAP TCP forwarding. Recently, the security team discovered that some users can access the instances directly via SSH from other instances within the same VPC, bypassing IAP. What is the most effective way to ensure all SSH access goes through IAP?

12. A company is designing a secure multi-VPC architecture in Google Cloud. They have three VPCs: Production, Staging, and Shared Services. The Shared Services VPC hosts a Cloud NAT for outbound internet access and a set of managed instance groups. The Production and Staging VPCs are peered to the Shared Services VPC. The company wants to ensure that: (1) instances in Staging cannot initiate connections to instances in Production, (2) instances in Production cannot initiate connections to instances in Staging, (3) all VPCs can communicate with Shared Services, and (4) traffic between VPCs must be inspected by a firewall appliance in Shared Services. Which TWO actions should the company take?

13. A financial services company is deploying a new payment processing application in Google Cloud. The architecture consists of: a VPC named 'payment-vpc' with subnet 'payment-subnet' (10.1.0.0/16), a managed instance group (MIG) of backend servers in payment-subnet, an internal TCP load balancer (ILB) with IP 10.1.0.10 distributing traffic to the MIG, and a Cloud NAT for outbound internet access. The application must communicate with an external payment gateway over TLS. The security policy requires that all outbound traffic from the backend servers to the internet must egress through a single, centralized Cloud NAT instance to allow traffic inspection. To meet this requirement, the network team has configured: a Cloud Router, a Cloud NAT gateway named 'payment-nat' in payment-vpc, and a default route (0.0.0.0/0, next hop: default internet gateway) in payment-vpc. They have also configured VPC firewall rules to allow outbound HTTPS traffic. During testing, the backend servers cannot connect to the external payment gateway. The team has verified that the Cloud NAT is properly configured and that the VPC firewall rules allow egress traffic. What is the most likely cause of the connectivity failure?

14. A company has deployed a globally distributed application on Google Cloud using Cloud Load Balancing and managed instance groups across multiple regions. They need to restrict access to the application's backend instances so that only traffic from the load balancer's health check ranges and the load balancer's source IP addresses is allowed. Which firewall rule configuration should be used?

15. A financial services company is migrating sensitive workloads to Google Cloud. They need to implement a defense-in-depth strategy to protect their VPC networks. Which TWO actions should they take to meet their security requirements? (Choose two.)

16. Drag and drop the steps to set up a shared VPC in Google Cloud into the correct order.

17. Drag and drop the steps to migrate an on-premises network to Google Cloud using a VPN and VPC peering into the correct order.

18. Match each Google Cloud interconnect or peering type to its description.

19. Match each Cloud DNS record type to its use.

20. A team has deployed Compute Engine instances with internal IPs only. They need to allow these instances to download updates from specific external IP ranges. Which action should they take?

21. An organization has a Shared VPC with several service projects. They want to restrict which service projects can create firewall rules in the host project. What should they do?

22. A company uses Cloud Armor with WAF rules to protect an HTTPS load balancer. They notice that legitimate traffic from certain IPs is being blocked. How should they troubleshoot?

23. A developer wants to SSH into a Compute Engine instance that has no public IP. Which service should they use?

24. An organization has multiple VPC networks and wants to allow traffic between them with fine-grained control over which VMs can communicate. Which solution should they implement?

25. A company is deploying a GKE cluster with Dataplane V2 and wants to enforce micro-segmentation using network policies. They also need to monitor policy violations. What should they do?

26. A company wants to ensure that only traffic from specific source IP ranges can reach a Cloud Load Balancer. How should they enforce this?

27. A network engineer notices that VPC Flow Logs show connections from a Compute Engine instance to an IP address that should have been blocked by firewall rules. What is the most likely cause?

28. An organization uses VPC Service Controls to protect Google Cloud APIs. They need to allow a specific service account in a peripheral project to access a managed service in a protected service perimeter. What should they configure?

29. Which TWO of the following are benefits of using Cloud NAT?

30. Which TWO of the following methods can be used to encrypt traffic between VPC networks?

31. Which THREE of the following are valid use cases for VPC Service Controls?

32. Refer to the exhibit. Users report that HTTP (port 80) traffic is still reaching instances in my-vpc despite the deny-all rule. What is the most likely reason?

33. Refer to the exhibit. A Cloud Armor security policy with the shown rules is applied to an HTTPS load balancer. Users from IP 10.0.1.1 are reporting they cannot access the website. What is the issue?

34. Refer to the exhibit. A network engineer is unable to SSH to instance-1 using IAP TCP forwarding. What is the most likely reason?

35. A company wants to restrict SSH access to a VM instance to only a specific subnet (10.0.1.0/24) and allow all traffic from the health check ranges (130.211.0.0/22 and 35.191.0.0/16) for load balancing. Which firewall rule configuration should be used for the SSH rule?

36. A company uses VPC Service Controls to protect a managed service (e.g., BigQuery) within a service perimeter. Developers need to access the service from an on-premises network via a Cloud VPN tunnel with a specific IP address. However, access is being denied. What is the most likely cause?

37. A company has a hybrid network with an on-premises data center connected to Google Cloud via Dedicated Interconnect. They use Private Google Access for on-premises (on-premises hosts use the external IP addresses of Google APIs via the interconnect). However, they notice that traffic to certain Google APIs is being routed via the internet instead of the interconnect. What is a likely cause?

38. A company deploys a web application behind a global external HTTP(S) load balancer and wants to protect against SQL injection attacks. Which Google Cloud security product should they use?

39. A company uses Identity-Aware Proxy (IAP) to secure access to Compute Engine VMs. Users report that they can SSH into some VMs but not others, even though they have the IAP-secured Tunnel User role. Both VMs are in the same project and have the same network tags. What is the most likely reason?

40. A company has multiple VPC networks in the same project, each with its own Cloud NAT configuration. They notice that traffic from a VM in VPC-A that has an external IP address is being NATed through the Cloud NAT gateway, but they only want Cloud NAT to be used for VMs without external IPs. What configuration ensures this?

41. A company wants to enforce that all HTTPS load balancer traffic uses TLS 1.2 or higher. Which Google Cloud resource should they configure?

42. A company uses Shared VPC with multiple service projects. The security team wants to ensure that only specific service projects can create firewall rules that allow ingress traffic to the Shared VPC network. What is the best practice?

43. A company uses Packet Mirroring to monitor traffic from a set of VMs. They want to ensure that mirrored traffic does not interfere with the production traffic. Which statement is correct?

44. Which TWO of the following are valid use cases for Cloud IDS? (Choose TWO.)

45. A network engineer is troubleshooting connectivity issues with VPC Flow Logs. Which TWO statements about VPC Flow Logs are correct? (Choose TWO.)

46. Which THREE of the following are required to use Private Google Access for on-premises hosts through a Cloud VPN or Interconnect? (Choose THREE.)

47. Refer to the exhibit. A VM in the default VPC with an internal IP 10.0.1.2 tries to SSH (tcp:22) from a host at 10.0.2.5. What is the result?

48. Refer to the exhibit. A request arrives with User-Agent 'GoodBot' and path '/admin'. What action does Cloud Armor take?

49. Refer to the exhibit. A user within the perimeter project '111111111111' tries to access BigQuery from a VM that has an external IP address. The request is denied. What is the most likely reason?

50. A company has two VPCs in the same project: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). They want to allow SSH from VPC-A to instances in VPC-B. The network admin creates a firewall rule with source range 10.0.0.0/16 and protocol tcp:22, but connectivity fails. What is the most likely cause?

51. A company uses Cloud Armor to protect its HTTP(S) load balancer. They need to block requests from a specific geographic region and also apply a rate limiting rule. What is the correct order of evaluation for Cloud Armor security policies?

52. A GCP environment has a VPC with a subnet that enables Private Google Access. Instances in that subnet can access Google APIs without external IPs. However, an instance cannot reach storage.googleapis.com from a private IP. Cloud NAT is configured for the subnet. What is the most likely reason for the failure?

53. A security engineer wants to allow SSH access to a VM that has no external IP. The VM is in a VPC with IAP configured. What is the simplest way to enable secure SSH without a bastion host?

54. An organization wants to restrict data exfiltration from a GCP project. They need to prevent users from copying data to external cloud storage services like AWS S3, but allow access to Google Cloud Storage. Which VPC Service Controls (VPC-SC) configuration should they use?

55. A large enterprise uses hierarchical firewall policies across multiple VPCs. They have an organization policy that requires all VPCs to block SSH from the internet. However, a development team needs SSH from a specific external IP range for a building. How can they create a firewall rule that allows that range without violating the organization policy?

56. A company uses an HTTPS load balancer with SSL certificates. They want to ensure only strong cipher suites are accepted. Which Google Cloud service should they use to enforce this?

57. A network engineer notices unexpected traffic being allowed through a VPC firewall rule. They want to analyze the logs to identify the source and destination. What is the best way to enable detailed logging for firewall rules?

58. A company has multiple on-premises networks connected to a Cloud VPN hub in GCP. Each on-premises site uses BGP to advertise its prefixes. The security team wants to ensure that only specific prefixes from each site are accepted into the VPC routes. What should they configure?

59. Which TWO of the following are valid methods to restrict access to a Compute Engine VM that has no external IP?

60. Which THREE components are required to set up Identity-Aware Proxy (IAP) for TCP forwarding to a VM?

61. A network engineer is troubleshooting connectivity between two VPCs that are peered. The VPC flow logs show traffic being dropped. Firewall rules are correctly configured. Which TWO actions should the engineer take to identify the cause?

62. A company wants to allow HTTP traffic from the internet to a web server running on a Compute Engine VM in a VPC. The web server should only be accessible on port 80. Which firewall rule should be created?

63. A company uses Shared VPC with multiple service projects. The network admin wants to restrict access to certain Compute Engine instances so that only specific service accounts can SSH into them. What is the best practice to achieve this?

64. An organization has a Cloud NAT configured for a VPC network to allow outbound internet access for private instances. They notice that some instances are failing to connect to a specific external API that requires a static source IP. What should they do to resolve this?

65. A company deploys a web application on Google Kubernetes Engine (GKE) with an Ingress resource handled by an external HTTPS load balancer. They want to enforce mutual TLS (mTLS) authentication where the load balancer verifies the client certificate and then passes the client's identity to the backend using a header. Which configuration should be used?

66. A company wants to prevent data exfiltration from a Google Cloud Storage bucket that contains sensitive data. They plan to use VPC Service Controls. Which two steps are necessary to implement this? (Choose two.)

67. A network engineer needs to configure firewall rules to allow health checks from Google Cloud's health check systems to a backend service. Which two source IP ranges should they allow? (Choose two.)

68. A company is designing a network architecture with multiple VPCs and on-premises connectivity via Cloud VPN. They want to avoid IP address conflicts and ensure secure communication. Which three best practices should they follow? (Choose three.)

69. A company has a single VPC with subnets in us-central1 and europe-west1. They have Compute Engine instances in both subnets that need to communicate with each other. The security team wants to ensure that only specific instances in us-central1 can connect to a database instance in europe-west1 on port 3306. Currently, the default firewall rules allow all internal traffic (priority 65535). The network engineer first creates a new ingress firewall rule to allow TCP traffic on port 3306 from instances with the network tag 'app' to instances with the tag 'db', with priority 1000. Then, to enforce the restriction, they delete the default allow internal rule (priority 65535). However, after applying the changes, the app instances (tagged 'app') in us-central1 cannot connect to the database instance (tagged 'db') in europe-west1. The engineer verifies that the tags are correctly applied to the instances. What is the most likely cause of the connectivity failure?

70. A company has deployed a web application behind an External HTTP(S) Load Balancer with Cloud Armor. They want to restrict access to a specific URL path /admin to only users from a specific IP range (198.51.100.0/24). The engineer creates a Cloud Armor security policy with two rules: Rule 1 (priority 1000) with match expression "request.path == '/admin' && inIpRange(source.ip, '198.51.100.0/24')" and action "allow". Rule 2 (priority 2147483647) with match "request.path == '/admin'" and action "deny". After testing, users from the allowed IP range receive a 403 error when accessing /admin. The Cloud Armor logs show that the request was denied. The engineer confirms that the policy is attached to the backend service and that the source IP in the logs matches the allowed range. What is the most likely cause of the denial?

71. A large organization uses Shared VPC with hundreds of projects. They want to implement fine-grained access control for SSH access to Compute Engine instances using IAP TCP forwarding. They have created a custom IAM role with the necessary permissions (iap.tunnel.dest, iap.tunnel.getIamPolicy, compute.instances.use) and granted it to a group of developers. The developers have also been granted the iap.tunnelUser role on the project. However, when they try to use `gcloud compute ssh --tunnel-through-iap instance-name`, they get a permission error: "Permission 'iap.tunnel.dest' denied on resource 'projects/project/zones/zone/instances/instance'". The network admin has verified that the custom role includes the required permissions and that the developers are members of the group with the role. What is the most likely missing configuration?

72. A company has a VPC with a subnet in us-central1. They have several private Compute Engine instances (no external IP) that need to download updates from a public repository on the internet. The network engineer has created a Cloud NAT gateway in the same region and attached it to the subnet. However, the instances still cannot reach the internet. The engineer has confirmed that the Cloud NAT gateway is correctly configured and that the subnet's Private Google Access is not relevant for this traffic. What should the engineer check first to resolve the issue?

73. A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect using VLAN attachments. They have set up a Cloud Router with BGP to exchange routes. The on-premises network advertises a prefix 10.0.0.0/8, and Google Cloud advertises the VPC's subnet ranges (10.0.0.0/24 and 10.0.1.0/24). After configuration, on-premises hosts cannot reach the Google Cloud instances in those subnets. The engineer checks the BGP session status and it is established. The Cloud Router shows that the on-premises prefix is learned, and the on-premises router shows that the specific /24 prefixes are received. However, traffic from on-premises to the Google Cloud subnets is not working. What is the most likely cause?

74. A company uses Cloud VPN tunnels to connect multiple sites to Google Cloud. They have a primary and a backup tunnel for redundancy, each with a different Cloud Router (both in the same region). BGP sessions are established on both routers. The network team notices that during a failover test, traffic fails over to the backup tunnel but then after 30 seconds, the backup tunnel traffic stops and does not recover until the primary tunnel comes back. The engineer finds that the backup Cloud Router is advertising the same routes as the primary, but the backup tunnel's BGP session shows that the routes are being withdrawn after 30 seconds. Additionally, the BGP session remains established. What is the most likely cause?

75. A company is deploying a new application across three VPCs in the same project, using Shared VPC. The security team wants to restrict traffic such that only the frontend subnet (10.0.1.0/24) can send traffic to the backend subnet (10.0.2.0/24) on TCP port 8080. The backend instances have the service account 'backend-sa@project.iam.gserviceaccount.com'. Which TWO firewall rule configurations achieve this goal?

76. You are a cloud network engineer for a company that runs a web application on Compute Engine instances in a managed instance group (MIG) behind an external HTTP(S) load balancer. The backend instances are in a subnet with CIDR 10.0.2.0/24 and are tagged 'web-backend'. The health checks are configured to use TCP port 80. Recently, the security team added new firewall rules to restrict traffic, and now the health checks are failing. The current firewall rules (in order of priority) are: 1. Priority 100: Deny ingress from 0.0.0.0/0 to all instances (deny-all). 2. Priority 200: Allow ingress from 130.211.0.0/22 and 35.191.0.0/16 to instances with tag 'health-checked' on TCP port 80. 3. Priority 300: Allow ingress from 0.0.0.0/0 to instances with tag 'web-backend' on TCP port 80. The MIG instances are tagged 'web-backend' but not 'health-checked'. The health checks are failing. What is the most efficient course of action to fix the health checks while maintaining security?


Frequently asked questions

What does the Implementing network security domain cover on the PCNE exam?

The Implementing network security domain covers the key concepts tested in this area of the PCNE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNE domains — no account required.

How many Implementing network security questions are in the PCNE question bank?

The Courseiva PCNE question bank contains 76 questions in the Implementing network security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Implementing network security for PCNE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Implementing network security questions for PCNE?

Yes — the session launcher on this page draws questions exclusively from the Implementing network security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
