Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsPCNEDomainsConfiguring network services
PCNEFree — No Signup

Configuring network services

Practice PCNE Configuring network services questions with full explanations on every answer.

97questions

Start practicing

Configuring network services — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

PCNE Domains

Designing, planning, and prototyping a GCP networkImplementing hybrid interconnectivityConfiguring network servicesImplementing network securityImplementing a Virtual Private Cloud

Practice Configuring network services questions

10Q20Q30Q50Q

All PCNE Configuring network services questions (97)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company has deployed a Global External Application Load Balancer with Premium Tier and enables Cloud CDN. Users in Europe report high latency, while users in the US have good performance. The backend is a regional NEG in us-west1. What is the most likely cause?

2

A company is migrating on-premises DNS to Google Cloud. They have a hybrid network using Cloud VPN and want to resolve on-premises hostnames from Compute Engine instances without custom scripts. Which service should they use?

3

A network engineer is configuring a Cloud Router for BGP peering with an on-premises router over a VPN tunnel. The on-premises router uses 169.254.x.x link-local addresses. Which BGP peer IP should the engineer use in the Cloud Router configuration?

4

A company uses an internal TCP/UDP load balancer to distribute traffic to a backend service. The backend instances are in an unmanaged instance group. Some instances fail health checks and are removed. What happens to existing connections to failed instances?

5

A company has a VPC with subnets in us-central1 and europe-west1. They create a Private Service Connect endpoint for a managed service in us-central1. Can Compute Engine instances in europe-west1 access the endpoint?

6

A company is designing a hybrid network using Dedicated Interconnect. They want to configure BGP for load balancing across multiple VLAN attachments. Which TWO statements are correct?

7

A company is using Cloud NAT to allow private instances to access the internet. They notice that some instances are not able to reach certain external services. Which THREE steps should they take to troubleshoot?

8

A company uses Cloud NAT to allow private instances to reach the internet. They notice that egress traffic from Compute Engine VMs is intermittently failing. The VMs are in us-central1-a and use the default VPC network. Cloud NAT is configured with a single NAT IP address. What is the most likely cause?

9

A large enterprise is migrating to Google Cloud and needs to establish connectivity between on-premises and VPCs in two different regions (us-east1 and europe-west1). They have a single Partner Interconnect connection at a co-location facility in New York. They want to use the same interconnect for both regions. Which configuration should they use?

10

A company is using Cloud DNS for private zone resolution within their VPC. They have a private zone for 'example.internal' and have attached it to the VPC. When they create a new Compute Engine VM and try to resolve 'myapp.example.internal', it fails. What is the most likely cause?

11

You have a Cloud Router with the configuration shown. The on-premises network (ASN 65002) is not receiving any routes from Google Cloud. What is the most likely cause?

12

A company has a VPC with subnets in us-east1 and europe-west1. They have deployed a global external HTTP(S) load balancer with backend services in both regions. Users in Europe report high latency. What is the most likely cause?

13

Which TWO considerations are important when designing a VPC peering strategy between multiple projects in Google Cloud?

14

Which THREE actions should you take to secure a VPC that hosts public-facing web applications?

15

A company has a VPC with multiple subnets. They want to restrict traffic between two specific subnets (10.0.1.0/24 and 10.0.2.0/24) while allowing all other traffic. They create a firewall rule with priority 1000 denying ingress from 10.0.1.0/24 to 10.0.2.0/24. However, traffic is still allowed. What is the most likely reason?

16

Your company runs a multi-tier web application on Google Cloud. The frontend is in us-central1 (3 instances behind an external HTTP(S) Load Balancer), the backend is in us-west1 (3 instances behind an internal TCP/UDP Load Balancer). The frontend instances are in a managed instance group (MIG) with autoscaling based on CPU utilization. Recently, you noticed that during traffic spikes, the frontend instances' CPU utilization remains low, but the backend instances' CPU utilization spikes to 90% and causes timeouts. The application uses a synchronous REST API; the frontend instances make requests to the internal load balancer's IP. What should you do to resolve the backend scaling issue?

17

Your company has deployed a hybrid cloud environment with a Cloud VPN tunnel between Google Cloud VPC and an on-premises data center. The VPC has a custom mode with subnet 10.0.1.0/24 in us-east1. On-premises uses subnet 192.168.1.0/24. The VPN tunnel is established using dynamic routing (BGP). Both sides advertise the correct prefixes. A Compute Engine VM in the VPC (10.0.1.10) can ping the on-premises gateway (192.168.1.1), but cannot ping a server on-premises (192.168.1.100). The on-premises network team confirms that 192.168.1.100 is reachable from the on-premises gateway. Firewall rules in GCP allow ingress from 192.168.1.0/24 to all VMs. What is the most likely cause?

18

A company is deploying a global application on Google Cloud using Cloud Load Balancing. They want to serve traffic from multiple regions and require the lowest possible latency for users worldwide. The application serves HTTP traffic and uses a static IP address. Which load balancing solution should they use?

19

A company uses Cloud NAT to enable outbound internet access for private instances in a VPC. They notice that some instances are unable to connect to external services, while others can. The network team has verified that all instances have the same tags and are in the same subnet. Which TWO actions should the team take to troubleshoot the issue?

20

An engineer creates a Cloud NAT configuration as shown in the exhibit. The test-instance is created without an external IP address. However, the instance cannot reach the internet. What is the most likely cause?

21

Drag and drop the steps to set up a Google Cloud Armor security policy for a backend service into the correct order.

22

Drag and drop the steps to set up a Cloud Interconnect connection for dedicated on-premises connectivity into the correct order.

23

Match each Cloud Load Balancing type to its description.

24

Match each network pricing model to its description.

25

A company wants to securely connect an on-premises data center to a VPC in us-central1. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) that overlap with the VPC subnet (10.0.1.0/24). They need connectivity to specific workloads in the VPC without changing IP addresses on premises. What should they do?

26

A global e-commerce company has deployed a web application across multiple GCP regions using an external HTTPS load balancer. Traffic is expected to originate from users worldwide. They want to minimize latency and improve user experience, while also ensuring that traffic is served from the nearest healthy backend. Which load balancing configuration should they use?

27

An organization is migrating a legacy application to GCP. The application requires a static internal IP address for a Compute Engine VM that must persist even if the VM is stopped or deleted. Which IP address type should they assign?

28

A financial services company needs to audit all VPC firewall rule changes in real time. They want to receive notifications whenever a rule is created, modified, or deleted. What is the most efficient way to achieve this?

29

A company uses Cloud NAT to allow private VMs to access the internet. They notice that some VMs are unable to reach a specific set of external IP addresses, but other VMs can. The firewall rules are correctly configured. What is the most likely cause?

30

A company wants to connect two VPCs in the same project using VPC Network Peering. Each VPC has non-overlapping subnets. What is the minimum number of peering connections required to enable full bidirectional communication?

31

A DevOps team is configuring a VPC with a subnet in us-east1. They need to allow a specific VM (source IP 10.0.1.2) to access a database VM (destination IP 10.0.2.3) on port 3306, but only from that specific source. All other traffic should be denied. Which firewall rule configuration should they use?

32

A company has a VPC with multiple subnets and uses Cloud VPN tunnels to connect to on-premises. They want to ensure that only traffic destined for on-premises is sent through the VPN tunnels; all other traffic should use the internet. Which route configuration should they implement?

33

A startup is deploying a microservices application on Google Kubernetes Engine (GKE). They want to expose a service to the internet using a load balancer that provides SSL termination and supports WebSocket. Which type of Service should they use?

34

Which TWO network services are required to enable private Google access for on-premises hosts using a Dedicated Interconnect connection? (Choose two.)

35

Which THREE components are necessary to configure a global external HTTP(S) load balancer with Cloud CDN and an origin backend that requires authentication? (Choose three.)

36

Which TWO network services can be used to provide secure connectivity between a VPC and an on-premises data center without traversing the public internet? (Choose two.)

37

Refer to the exhibit. A VM with the 'ssh-allowed' tag is unreachable via SSH from the internet, while other VMs with the same tag work. What is the most likely cause?

38

Refer to the exhibit. The Cloud Router is configured with custom BGP advertisements. The on-premises router receives only the two advertised ranges (10.1.0.0/24 and 10.2.0.0/24) but not the VPC subnets (e.g., 10.3.0.0/24). What is the most likely reason?

39

Refer to the exhibit. A VM in 'subnet-a' can access Google APIs via private IP, but a VM in 'subnet-b' cannot. What change should be made to fix this?

40

A company runs a private GKE cluster in us-central1. Pods need to access the internet for updates. Which configuration is required?

41

A company has an on-premises data center connected to GCP via Cloud VPN with dynamic routing (BGP). Recently, connectivity to a specific subnet (10.1.0.0/16) in GCP became intermittent. The VPN tunnel is up, and BGP sessions are established. What is the most likely cause?

42

An organization is deploying a Shared VPC with one host project and three service projects. Each service project has multiple VPC networks. They want to ensure that only the host project's network admin can create firewall rules affecting the shared VPC network. Which architecture satisfies this requirement?

43

A company wants to serve global static content from a Cloud Storage bucket. They need low latency worldwide and SSL termination at the edge. Which solution should they choose?

44

A company uses Private Service Connect (PSC) to access a managed SaaS application published by another company. The SaaS provider publishes a service attachment in their VPC. Which resource must the consumer create to connect to the service?

45

A company has a Dedicated Interconnect connection from their on-premises data center to GCP. They have set up BGP sessions over VLAN attachments to peer with their VPC. Traffic from on-premises to GCP works, but return traffic from GCP to on-premises is dropped at the on-premises firewall. What is the most likely cause?

46

A company is migrating an on-premises DNS service to Cloud DNS. They want to resolve on-premises hostnames from GCP VMs and resolve Google Cloud private zone names from on-premises. They have a Cloud VPN with BGP. Which architecture should they implement?

47

A network engineer notices unusual traffic patterns from a VM. They want to capture detailed information about each packet sent and received by the VM, including source and destination IPs, protocols, and ports. Which feature should they enable?

48

A company uses Cloud CDN with an external HTTP(S) load balancer. They have two origin server groups: a primary in us-central1 and a backup in europe-west1. They want traffic directed to the primary unless it is unhealthy, in which case traffic should fail over to the backup. Which configuration is required?

49

Which TWO are best practices for securing a VPC network? (Choose 2.)

50

Which THREE factors should be considered when choosing between a global external HTTP(S) load balancer and a regional external HTTP(S) load balancer? (Choose 3.)

51

Which TWO steps are required to set up a Cloud VPN with dynamic routing (BGP)? (Choose 2.)

52

A company is running workloads on Compute Engine instances without public IP addresses. They need to allow these instances to securely access the internet for software updates. Which Google Cloud service should be configured?

53

A company is deploying an internal HTTP application on Compute Engine instances. The application must be load-balanced across multiple instances in different regions, but only accessible from within the same VPC. Which load balancer type meets these requirements?

54

An organization has a Dedicated Interconnect with Cloud Router configured for BGP. The on-premises network advertises a prefix that overlaps with an existing VPC subnet. How does Google Cloud handle the overlapping prefix?

55

A company wants to forward DNS queries from their on-premises network to Google Cloud for resolution of private zone names. Which configuration is required?

56

A security team wants to allow traffic from a specific set of VMs with service account 'web-sa@project.iam.gserviceaccount.com' to access a database VM with tag 'db'. The VMs are in the same VPC. Which firewall rule configuration achieves this?

57

A large organization uses Shared VPC with multiple service projects. They have an on-premises network connected via Cloud Interconnect. They want the on-premises network to be able to reach instances in all service projects. What is the recommended configuration?

58

An e-commerce website uses Cloud CDN to cache static content. The origin is an external HTTP load balancer. What is the benefit of enabling Cloud CDN in this scenario?

59

A company wants to protect their application behind an external HTTP(S) load balancer from SQL injection attacks. Which Cloud Armor feature should be used?

60

A company has Compute Engine instances in a VPC that only have internal IP addresses. They need to access Google Cloud services like Cloud Storage and BigQuery. They also have on-premises servers that need to access the same instances via a Cloud VPN tunnel. What must be enabled for the instances to access Google APIs without public IPs?

61

Which TWO of the following are benefits of using Cloud NAT?

62

Which THREE of the following are requirements for VPC Network Peering?

63

Which TWO of the following load balancer types can distribute traffic to backends in multiple regions?

64

Refer to the exhibit. A Compute Engine instance has the network tags 'http-server' and 'ssh-server'. It also has a public IP address. Which of the following statements about traffic to this instance is true?

65

Refer to the exhibit. A Cloud Router has two BGP sessions. The first session is UP, the second is DOWN. What is the most likely cause for the second session being down?

66

Refer to the exhibit. A DNS managed zone is configured with private visibility and associated with a VPC network. A Compute Engine instance in a different VPC network tries to resolve 'test.example.com' but fails. What is the most likely reason?

67

A company uses Cloud NAT to enable outbound connectivity for private VMs. They notice that some VMs are not able to reach a specific external IP range. The VMs have no tags or service accounts. What is the most likely cause?

68

Your organization has an internal HTTP load balancer (ILB) in us-central1. The backend service is a managed instance group with a health check on port 8080. Recently, some instances are reported as unhealthy despite the application running fine. What is the most likely cause?

69

A media streaming company uses Cloud CDN with signed URLs to protect content. They want to invalidate cached content for a specific file after a security incident. The file is stored in a Cloud Storage bucket and the CDN cache key includes the URL. They run: gcloud compute url-maps invalidate-cdn-cache URL_MAP --path "/videos/incident.mp4". The invalidation succeeds but the old content is still served. What is the most likely reason?

70

You need to allow on-premises servers to access a Google Cloud VM's internal IP without using a public IP. The on-premises network is connected via Cloud VPN. What configuration is required on the Google Cloud side?

71

Your security team wants to block specific SQL injection attacks using Cloud Armor. You have configured a security policy with a preconfigured WAF rule for SQL injection (evaluatePreconfiguredExpr('sqli-stable')). The rule is set to DENY. However, legitimate traffic is being blocked intermittently. What should you adjust?

72

You are using Serverless VPC Access to connect Cloud Run services to a VPC network. The connector is in us-central1 with a /28 subnet. You have a Cloud SQL instance (private IP) in the same region but in a different VPC network (peered). The Cloud Run service cannot reach the Cloud SQL instance. What is the most likely cause?

73

You want to manage DNS records for a domain that you own in Google Cloud DNS. You create a public managed zone and add A records. After waiting several hours, the domain does not resolve. What is the most likely missing step?

74

You are configuring an SSL Proxy load balancer for HTTPS traffic. The backend service points to an instance group with a self-managed certificate. The load balancer's frontend uses a Google-managed certificate. Clients receive SSL errors indicating certificate mismatch. What is the most likely cause?

75

Your company uses Network Connectivity Center (NCC) to manage multiple on-premises sites connected via Cloud VPN and Partner Interconnect. You create a NCC hub and attach spokes (VPN tunnels and VLAN attachments). Traffic between two on-premises sites (Site A and Site B) should flow through Google Cloud. However, traffic is not passing between the sites. What is the most likely cause?

76

Which TWO actions should you take to configure Private Google Access for on-premises hosts connected via Cloud Interconnect?

77

Which TWO of the following are required when setting up an internal TCP/UDP load balancer (ILB) in a shared VPC environment?

78

Which THREE considerations are important when designing a Cloud CDN configuration for a global web application that serves both static and dynamic content?

79

Your company has a hybrid cloud architecture with two on-premises data centers: DC1 and DC2. Each DC is connected to Google Cloud via separate Cloud VPN tunnels (tunnel1 from DC1, tunnel2 from DC2) to a VPC in us-west1. The VPC has two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). DC1 has a subnet 192.168.1.0/24 and DC2 has 192.168.2.0/24. You configure BGP on both tunnels with the VPC dynamic routing, and each on-premises router advertises its local subnet. The VPC automatically imports the learned routes. You notice that traffic from DC1 to an instance in subnet-a (10.0.1.5) works, but traffic from DC2 to the same instance fails intermittently. Additionally, traffic from DC2 to DC1 (192.168.1.0/24) fails completely. You check the route tables and see that both tunnels have learned the routes for the remote subnets. What is the most likely cause and solution?

80

A company has deployed an HTTP load balancer with a backend service configured to use an unmanaged instance group. Users report that traffic is not reaching the backend instances. The backend instances are healthy and have proper firewall rules allowing traffic from the load balancer. What step should the network engineer take to resolve the issue?

81

A company uses Cloud NAT for outbound internet access. Engineering notices that some VM instances fail to connect to external services during peak hours. The network engineer suspects port exhaustion. Which action would best mitigate this issue?

82

A multinational company has a Shared VPC environment with multiple service projects. They need to allow a specific service project to use its own Cloud DNS private zone that resolves to internal IPs in the Shared VPC. Which configuration ensures this without exposing the zone to other projects?

83

A company has a Cloud VPN tunnel to on-premises. They want on-premises clients to resolve private DNS names in the VPC. Which service should they configure?

84

A gaming company uses Cloud Armor with an external HTTP(S) load balancer to protect against DDoS attacks. They need to restrict access to the load balancer based on geographic region. What should they configure?

85

Which TWO configurations can enable VM instances without external IPs to access the internet? (Choose TWO.)

86

Which THREE components are required when configuring an internal TCP/UDP load balancer? (Choose THREE.)

87

A company uses Cloud VPN with dynamic routing (BGP). The on-premises network advertises a prefix that overlaps with a subnet in the VPC. Which TWO actions can resolve this conflict? (Choose TWO.)

88

A company has a VPC with subnet 10.1.0.0/24 in us-central1. They created a Cloud NAT gateway named 'nat-us-central1' attached to that subnet. During peak hours, many VM instances in the subnet cannot connect to the internet. The NAT configuration shows only one NAT IP. Firewall rules allow egress traffic, and health checks confirm the NAT gateway is functioning. What is the most likely cause of the failure?

89

A company has two VPC networks in the same project: Network A (hosting a private zone for 'example.internal.') and Network B. They are connected via VPC peering. The network engineer created a DNS peering zone in Network B for 'example.internal.' pointing to Network A. However, instances in Network B cannot resolve 'host.example.internal.' which is defined in Network A's private zone. The engineer verified that the peering zone is active and the networks are properly peered. What is the most likely reason for the resolution failure?

90

A company uses Cloud Armor with an external HTTPS load balancer to protect their web application. They have a security policy 'my-policy' attached to the backend service. The policy includes an allow rule (priority 1000) for their corporate IP range (203.0.113.0/24) and a deny rule (priority 2000) for all other IPs. The company has an office at a remote location that uses a different IP range (198.51.100.0/24). Employees from the remote office report they cannot access the application. Meanwhile, employees from the corporate office (203.0.113.0/24) can access. The engineer checks the Cloud Armor policy and sees the rule configuration as shown. What is the most likely cause?

91

A service provider uses a Shared VPC with multiple service projects. The host project has a Cloud NAT configured for subnet 10.1.0.0/24 to provide outbound internet access to all service projects using that subnet. A new service project needs to use its own Cloud NAT for its VM instances in subnet 10.1.0.0/24 to meet compliance requirements. The network engineer attempts to create a Cloud NAT in the service project for that subnet but receives an error that the subnet already has a NAT gateway. What action should the engineer take to meet the compliance requirement?

92

A company has two VPC networks (VPC-A and VPC-B) in the same project. They are connected via VPC peering. VPC-A contains an internal TCP load balancer with IP 10.1.2.3 serving on port 80. VPC-B needs to access this load balancer. The network engineer has verified that the firewall rules allow traffic from VPC-B to the load balancer's IP and port. However, instances in VPC-B cannot connect to 10.1.2.3:80. What is the most likely reason for this failure?

93

A company has deployed an external HTTPS load balancer with a Cloud CDN backend. The load balancer uses a managed SSL certificate. Recently, the company updated their DNS record to point to a different IP address of a new load balancer. After the change, some users are still being served from the old load balancer's cache. The network engineer has confirmed that the DNS TTL has expired. What is the most likely cause of this issue?

94

A company has deployed a web application on Compute Engine instances in a VPC with subnet 10.1.0.0/20. The instances need to access an external API that whitelists IP addresses. The company uses Cloud NAT to provide outbound connectivity. The API integration tests are failing, and the operations team suspects that the source IP addresses seen by the API are not consistent. What is the most likely cause and solution?

95

A network engineer is designing a hybrid cloud architecture connecting an on-premises data center to Google Cloud via Dedicated Interconnect. The on-premises network uses BGP for dynamic routing. The engineer needs to configure Cloud Router to exchange routes with the on-premises router. Which two configuration steps are required? (Choose two.)

96

Refer to the exhibit. A network team has created this load balancer. Clients inside the VPC are unable to connect to the load balancer's IP address from a Compute Engine instance in the same VPC. What is the most likely cause?

97

A multinational corporation has deployed a multi-region application on Google Kubernetes Engine (GKE) clusters in us-central1 and europe-west1. The application serves global users and requires low-latency access to a shared database hosted on Cloud SQL in us-central1. The network team has configured Cloud VPN tunnels between each region and the on-premises data center for administrative access. The application instances in europe-west1 are experiencing high latency when connecting to the Cloud SQL instance in us-central1. The team wants to reduce latency without migrating the database. The team has already verified that the Cloud SQL instance has private IP enabled and is peered to a shared VPC that spans both regions. The GKE clusters are in the same shared VPC. What should the team do?

Practice all 97 Configuring network services questions

Other PCNE exam domains

Designing, planning, and prototyping a GCP networkImplementing hybrid interconnectivityImplementing network securityImplementing a Virtual Private Cloud

Frequently asked questions

What does the Configuring network services domain cover on the PCNE exam?

The Configuring network services domain covers the key concepts tested in this area of the PCNE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNE domains — no account required.

How many Configuring network services questions are in the PCNE question bank?

The Courseiva PCNE question bank contains 97 questions in the Configuring network services domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Configuring network services for PCNE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Configuring network services questions for PCNE?

Yes — the session launcher on this page draws questions exclusively from the Configuring network services domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your PCNE domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide