Practice PCNE Configuring network services questions with full explanations on every answer.
1. A company has deployed a Global External Application Load Balancer with Premium Tier and enables Cloud CDN. Users in Europe report high latency, while users in the US have good performance. The backend is a regional NEG in us-west1. What is the most likely cause?
2. A company is migrating on-premises DNS to Google Cloud. They have a hybrid network using Cloud VPN and want to resolve on-premises hostnames from Compute Engine instances without custom scripts. Which service should they use?
3. A network engineer is configuring a Cloud Router for BGP peering with an on-premises router over a VPN tunnel. The on-premises router uses 169.254.x.x link-local addresses. Which BGP peer IP should the engineer use in the Cloud Router configuration?
4. A company uses an internal TCP/UDP load balancer to distribute traffic to a backend service. The backend instances are in an unmanaged instance group. Some instances fail health checks and are removed. What happens to existing connections to failed instances?
5. A company has a VPC with subnets in us-central1 and europe-west1. They create a Private Service Connect endpoint for a managed service in us-central1. Can Compute Engine instances in europe-west1 access the endpoint?
6. A company is designing a hybrid network using Dedicated Interconnect. They want to configure BGP for load balancing across multiple VLAN attachments. Which TWO statements are correct?
7. A company is using Cloud NAT to allow private instances to access the internet. They notice that some instances are not able to reach certain external services. Which THREE steps should they take to troubleshoot?
8. A company uses Cloud NAT to allow private instances to reach the internet. They notice that egress traffic from Compute Engine VMs is intermittently failing. The VMs are in us-central1-a and use the default VPC network. Cloud NAT is configured with a single NAT IP address. What is the most likely cause?
9. A large enterprise is migrating to Google Cloud and needs to establish connectivity between on-premises and VPCs in two different regions (us-east1 and europe-west1). They have a single Partner Interconnect connection at a co-location facility in New York. They want to use the same interconnect for both regions. Which configuration should they use?
10. A company is using Cloud DNS for private zone resolution within their VPC. They have a private zone for 'example.internal' and have attached it to the VPC. When they create a new Compute Engine VM and try to resolve 'myapp.example.internal', it fails. What is the most likely cause?
11. You have a Cloud Router with the configuration shown. The on-premises network (ASN 65002) is not receiving any routes from Google Cloud. What is the most likely cause?
12. A company has a VPC with subnets in us-east1 and europe-west1. They have deployed a global external HTTP(S) load balancer with backend services in both regions. Users in Europe report high latency. What is the most likely cause?
13. Which TWO considerations are important when designing a VPC peering strategy between multiple projects in Google Cloud?
14. Which THREE actions should you take to secure a VPC that hosts public-facing web applications?
15. A company has a VPC with multiple subnets. They want to restrict traffic between two specific subnets (10.0.1.0/24 and 10.0.2.0/24) while allowing all other traffic. They create a firewall rule with priority 1000 denying ingress from 10.0.1.0/24 to 10.0.2.0/24. However, traffic is still allowed. What is the most likely reason?
16. Your company runs a multi-tier web application on Google Cloud. The frontend is in us-central1 (3 instances behind an external HTTP(S) Load Balancer), the backend is in us-west1 (3 instances behind an internal TCP/UDP Load Balancer). The frontend instances are in a managed instance group (MIG) with autoscaling based on CPU utilization. Recently, you noticed that during traffic spikes, the frontend instances' CPU utilization remains low, but the backend instances' CPU utilization spikes to 90% and causes timeouts. The application uses a synchronous REST API; the frontend instances make requests to the internal load balancer's IP. What should you do to resolve the backend scaling issue?
17. Your company has deployed a hybrid cloud environment with a Cloud VPN tunnel between Google Cloud VPC and an on-premises data center. The VPC has a custom mode with subnet 10.0.1.0/24 in us-east1. On-premises uses subnet 192.168.1.0/24. The VPN tunnel is established using dynamic routing (BGP). Both sides advertise the correct prefixes. A Compute Engine VM in the VPC (10.0.1.10) can ping the on-premises gateway (192.168.1.1), but cannot ping a server on-premises (192.168.1.100). The on-premises network team confirms that 192.168.1.100 is reachable from the on-premises gateway. Firewall rules in GCP allow ingress from 192.168.1.0/24 to all VMs. What is the most likely cause?
18. A company is deploying a global application on Google Cloud using Cloud Load Balancing. They want to serve traffic from multiple regions and require the lowest possible latency for users worldwide. The application serves HTTP traffic and uses a static IP address. Which load balancing solution should they use?
19. A company uses Cloud NAT to enable outbound internet access for private instances in a VPC. They notice that some instances are unable to connect to external services, while others can. The network team has verified that all instances have the same tags and are in the same subnet. Which TWO actions should the team take to troubleshoot the issue?
20. An engineer creates a Cloud NAT configuration as shown in the exhibit. The test-instance is created without an external IP address. However, the instance cannot reach the internet. What is the most likely cause?
21. Drag and drop the steps to set up a Google Cloud Armor security policy for a backend service into the correct order.
22. Drag and drop the steps to set up a Cloud Interconnect connection for dedicated on-premises connectivity into the correct order.
23. Match each Cloud Load Balancing type to its description.
24. Match each network pricing model to its description.
25. A company wants to securely connect an on-premises data center to a VPC in us-central1. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) that overlap with the VPC subnet (10.0.1.0/24). They need connectivity to specific workloads in the VPC without changing IP addresses on premises. What should they do?
26. A global e-commerce company has deployed a web application across multiple GCP regions using an external HTTPS load balancer. Traffic is expected to originate from users worldwide. They want to minimize latency and improve user experience, while also ensuring that traffic is served from the nearest healthy backend. Which load balancing configuration should they use?
27. An organization is migrating a legacy application to GCP. The application requires a static internal IP address for a Compute Engine VM that must persist even if the VM is stopped or deleted. Which IP address type should they assign?
28. A financial services company needs to audit all VPC firewall rule changes in real time. They want to receive notifications whenever a rule is created, modified, or deleted. What is the most efficient way to achieve this?
29. A company uses Cloud NAT to allow private VMs to access the internet. They notice that some VMs are unable to reach a specific set of external IP addresses, but other VMs can. The firewall rules are correctly configured. What is the most likely cause?
30. A company wants to connect two VPCs in the same project using VPC Network Peering. Each VPC has non-overlapping subnets. What is the minimum number of peering connections required to enable full bidirectional communication?
31. A DevOps team is configuring a VPC with a subnet in us-east1. They need to allow a specific VM (source IP 10.0.1.2) to access a database VM (destination IP 10.0.2.3) on port 3306, but only from that specific source. All other traffic should be denied. Which firewall rule configuration should they use?
32. A company has a VPC with multiple subnets and uses Cloud VPN tunnels to connect to on-premises. They want to ensure that only traffic destined for on-premises is sent through the VPN tunnels; all other traffic should use the internet. Which route configuration should they implement?
33. A startup is deploying a microservices application on Google Kubernetes Engine (GKE). They want to expose a service to the internet using a load balancer that provides SSL termination and supports WebSocket. Which type of Service should they use?
34. Which TWO network services are required to enable private Google access for on-premises hosts using a Dedicated Interconnect connection? (Choose two.)
35. Which THREE components are necessary to configure a global external HTTP(S) load balancer with Cloud CDN and an origin backend that requires authentication? (Choose three.)
36. Which TWO network services can be used to provide secure connectivity between a VPC and an on-premises data center without traversing the public internet? (Choose two.)
37. Refer to the exhibit. A VM with the 'ssh-allowed' tag is unreachable via SSH from the internet, while other VMs with the same tag work. What is the most likely cause?
38. Refer to the exhibit. The Cloud Router is configured with custom BGP advertisements. The on-premises router receives only the two advertised ranges (10.1.0.0/24 and 10.2.0.0/24) but not the VPC subnets (e.g., 10.3.0.0/24). What is the most likely reason?
39. Refer to the exhibit. A VM in 'subnet-a' can access Google APIs via private IP, but a VM in 'subnet-b' cannot. What change should be made to fix this?
40. A company runs a private GKE cluster in us-central1. Pods need to access the internet for updates. Which configuration is required?
41. A company has an on-premises data center connected to GCP via Cloud VPN with dynamic routing (BGP). Recently, connectivity to a specific subnet (10.1.0.0/16) in GCP became intermittent. The VPN tunnel is up, and BGP sessions are established. What is the most likely cause?
42. An organization is deploying a Shared VPC with one host project and three service projects. Each service project has multiple VPC networks. They want to ensure that only the host project's network admin can create firewall rules affecting the shared VPC network. Which architecture satisfies this requirement?
43. A company wants to serve global static content from a Cloud Storage bucket. They need low latency worldwide and SSL termination at the edge. Which solution should they choose?
44. A company uses Private Service Connect (PSC) to access a managed SaaS application published by another company. The SaaS provider publishes a service attachment in their VPC. Which resource must the consumer create to connect to the service?
45. A company has a Dedicated Interconnect connection from their on-premises data center to GCP. They have set up BGP sessions over VLAN attachments to peer with their VPC. Traffic from on-premises to GCP works, but return traffic from GCP to on-premises is dropped at the on-premises firewall. What is the most likely cause?
46. A company is migrating an on-premises DNS service to Cloud DNS. They want to resolve on-premises hostnames from GCP VMs and resolve Google Cloud private zone names from on-premises. They have a Cloud VPN with BGP. Which architecture should they implement?
47. A network engineer notices unusual traffic patterns from a VM. They want to capture detailed information about each packet sent and received by the VM, including source and destination IPs, protocols, and ports. Which feature should they enable?
48. A company uses Cloud CDN with an external HTTP(S) load balancer. They have two origin server groups: a primary in us-central1 and a backup in europe-west1. They want traffic directed to the primary unless it is unhealthy, in which case traffic should fail over to the backup. Which configuration is required?
49. Which TWO are best practices for securing a VPC network? (Choose 2.)
50. Which THREE factors should be considered when choosing between a global external HTTP(S) load balancer and a regional external HTTP(S) load balancer? (Choose 3.)
51. Which TWO steps are required to set up a Cloud VPN with dynamic routing (BGP)? (Choose 2.)
52. A company is running workloads on Compute Engine instances without public IP addresses. They need to allow these instances to securely access the internet for software updates. Which Google Cloud service should be configured?
53. A company is deploying an internal HTTP application on Compute Engine instances. The application must be load-balanced across multiple instances in different regions, but only accessible from within the same VPC. Which load balancer type meets these requirements?
54. An organization has a Dedicated Interconnect with Cloud Router configured for BGP. The on-premises network advertises a prefix that overlaps with an existing VPC subnet. How does Google Cloud handle the overlapping prefix?
55. A company wants to forward DNS queries from their on-premises network to Google Cloud for resolution of private zone names. Which configuration is required?
56. A security team wants to allow traffic from a specific set of VMs with service account 'web-sa@project.iam.gserviceaccount.com' to access a database VM with tag 'db'. The VMs are in the same VPC. Which firewall rule configuration achieves this?
57. A large organization uses Shared VPC with multiple service projects. They have an on-premises network connected via Cloud Interconnect. They want the on-premises network to be able to reach instances in all service projects. What is the recommended configuration?
58. An e-commerce website uses Cloud CDN to cache static content. The origin is an external HTTP load balancer. What is the benefit of enabling Cloud CDN in this scenario?
59. A company wants to protect their application behind an external HTTP(S) load balancer from SQL injection attacks. Which Cloud Armor feature should be used?
60. A company has Compute Engine instances in a VPC that only have internal IP addresses. They need to access Google Cloud services like Cloud Storage and BigQuery. They also have on-premises servers that need to access the same instances via a Cloud VPN tunnel. What must be enabled for the instances to access Google APIs without public IPs?
61. Which TWO of the following are benefits of using Cloud NAT?
62. Which THREE of the following are requirements for VPC Network Peering?
63. Which TWO of the following load balancer types can distribute traffic to backends in multiple regions?
64. Refer to the exhibit. A Compute Engine instance has the network tags 'http-server' and 'ssh-server'. It also has a public IP address. Which of the following statements about traffic to this instance is true?
65. Refer to the exhibit. A Cloud Router has two BGP sessions. The first session is UP, the second is DOWN. What is the most likely cause for the second session being down?
66. Refer to the exhibit. A DNS managed zone is configured with private visibility and associated with a VPC network. A Compute Engine instance in a different VPC network tries to resolve 'test.example.com' but fails. What is the most likely reason?
67. A company uses Cloud NAT to enable outbound connectivity for private VMs. They notice that some VMs are not able to reach a specific external IP range. The VMs have no tags or service accounts. What is the most likely cause?
68. Your organization has an internal HTTP load balancer (ILB) in us-central1. The backend service is a managed instance group with a health check on port 8080. Recently, some instances are reported as unhealthy despite the application running fine. What is the most likely cause?
69. A media streaming company uses Cloud CDN with signed URLs to protect content. They want to invalidate cached content for a specific file after a security incident. The file is stored in a Cloud Storage bucket and the CDN cache key includes the URL. They run: gcloud compute url-maps invalidate-cdn-cache URL_MAP --path "/videos/incident.mp4". The invalidation succeeds but the old content is still served. What is the most likely reason?
70. You need to allow on-premises servers to access a Google Cloud VM's internal IP without using a public IP. The on-premises network is connected via Cloud VPN. What configuration is required on the Google Cloud side?
71. Your security team wants to block specific SQL injection attacks using Cloud Armor. You have configured a security policy with a preconfigured WAF rule for SQL injection (evaluatePreconfiguredExpr('sqli-stable')). The rule is set to DENY. However, legitimate traffic is being blocked intermittently. What should you adjust?
72. You are using Serverless VPC Access to connect Cloud Run services to a VPC network. The connector is in us-central1 with a /28 subnet. You have a Cloud SQL instance (private IP) in the same region but in a different VPC network (peered). The Cloud Run service cannot reach the Cloud SQL instance. What is the most likely cause?
73. You want to manage DNS records for a domain that you own in Google Cloud DNS. You create a public managed zone and add A records. After waiting several hours, the domain does not resolve. What is the most likely missing step?
74. You are configuring an SSL Proxy load balancer for HTTPS traffic. The backend service points to an instance group with a self-managed certificate. The load balancer's frontend uses a Google-managed certificate. Clients receive SSL errors indicating certificate mismatch. What is the most likely cause?
75. Your company uses Network Connectivity Center (NCC) to manage multiple on-premises sites connected via Cloud VPN and Partner Interconnect. You create an NCC hub and attach spokes (VPN tunnels and VLAN attachments). Traffic between two on-premises sites (Site A and Site B) should flow through Google Cloud. However, traffic is not passing between the sites. What is the most likely cause?
76. Which TWO actions should you take to configure Private Google Access for on-premises hosts connected via Cloud Interconnect?
77. Which TWO of the following are required when setting up an internal TCP/UDP load balancer (ILB) in a shared VPC environment?
78. Which THREE considerations are important when designing a Cloud CDN configuration for a global web application that serves both static and dynamic content?
79. Your company has a hybrid cloud architecture with two on-premises data centers: DC1 and DC2. Each DC is connected to Google Cloud via separate Cloud VPN tunnels (tunnel1 from DC1, tunnel2 from DC2) to a VPC in us-west1. The VPC has two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). DC1 has a subnet 192.168.1.0/24 and DC2 has 192.168.2.0/24. You configure BGP on both tunnels with the VPC dynamic routing, and each on-premises router advertises its local subnet. The VPC automatically imports the learned routes. You notice that traffic from DC1 to an instance in subnet-a (10.0.1.5) works, but traffic from DC2 to the same instance fails intermittently. Additionally, traffic from DC2 to DC1 (192.168.1.0/24) fails completely. You check the route tables and see that both tunnels have learned the routes for the remote subnets. What is the most likely cause and solution?
80. A company has deployed an HTTP load balancer with a backend service configured to use an unmanaged instance group. Users report that traffic is not reaching the backend instances. The backend instances are healthy and have proper firewall rules allowing traffic from the load balancer. What step should the network engineer take to resolve the issue?
81. A company uses Cloud NAT for outbound internet access. Engineering notices that some VM instances fail to connect to external services during peak hours. The network engineer suspects port exhaustion. Which action would best mitigate this issue?
82. A multinational company has a Shared VPC environment with multiple service projects. They need to allow a specific service project to use its own Cloud DNS private zone that resolves to internal IPs in the Shared VPC. Which configuration ensures this without exposing the zone to other projects?
83. A company has a Cloud VPN tunnel to on-premises. They want on-premises clients to resolve private DNS names in the VPC. Which service should they configure?
84. A gaming company uses Cloud Armor with an external HTTP(S) load balancer to protect against DDoS attacks. They need to restrict access to the load balancer based on geographic region. What should they configure?
85. Which TWO configurations can enable VM instances without external IPs to access the internet? (Choose TWO.)
86. Which THREE components are required when configuring an internal TCP/UDP load balancer? (Choose THREE.)
87. A company uses Cloud VPN with dynamic routing (BGP). The on-premises network advertises a prefix that overlaps with a subnet in the VPC. Which TWO actions can resolve this conflict? (Choose TWO.)
88. A company has a VPC with subnet 10.1.0.0/24 in us-central1. They created a Cloud NAT gateway named 'nat-us-central1' attached to that subnet. During peak hours, many VM instances in the subnet cannot connect to the internet. The NAT configuration shows only one NAT IP. Firewall rules allow egress traffic, and health checks confirm the NAT gateway is functioning. What is the most likely cause of the failure?
89. A company has two VPC networks in the same project: Network A (hosting a private zone for 'example.internal.') and Network B. They are connected via VPC peering. The network engineer created a DNS peering zone in Network B for 'example.internal.' pointing to Network A. However, instances in Network B cannot resolve 'host.example.internal.' which is defined in Network A's private zone. The engineer verified that the peering zone is active and the networks are properly peered. What is the most likely reason for the resolution failure?
90. A company uses Cloud Armor with an external HTTPS load balancer to protect their web application. They have a security policy 'my-policy' attached to the backend service. The policy includes an allow rule (priority 1000) for their corporate IP range (203.0.113.0/24) and a deny rule (priority 2000) for all other IPs. The company has an office at a remote location that uses a different IP range (198.51.100.0/24). Employees from the remote office report they cannot access the application. Meanwhile, employees from the corporate office (203.0.113.0/24) can access. The engineer checks the Cloud Armor policy and sees the rule configuration as shown. What is the most likely cause?
91. A service provider uses a Shared VPC with multiple service projects. The host project has a Cloud NAT configured for subnet 10.1.0.0/24 to provide outbound internet access to all service projects using that subnet. A new service project needs to use its own Cloud NAT for its VM instances in subnet 10.1.0.0/24 to meet compliance requirements. The network engineer attempts to create a Cloud NAT in the service project for that subnet but receives an error that the subnet already has a NAT gateway. What action should the engineer take to meet the compliance requirement?
92. A company has two VPC networks (VPC-A and VPC-B) in the same project. They are connected via VPC peering. VPC-A contains an internal TCP load balancer with IP 10.1.2.3 serving on port 80. VPC-B needs to access this load balancer. The network engineer has verified that the firewall rules allow traffic from VPC-B to the load balancer's IP and port. However, instances in VPC-B cannot connect to 10.1.2.3:80. What is the most likely reason for this failure?
93. A company has deployed an external HTTPS load balancer with a Cloud CDN backend. The load balancer uses a managed SSL certificate. Recently, the company updated their DNS record to point to a different IP address of a new load balancer. After the change, some users are still being served from the old load balancer's cache. The network engineer has confirmed that the DNS TTL has expired. What is the most likely cause of this issue?
94. A company has deployed a web application on Compute Engine instances in a VPC with subnet 10.1.0.0/20. The instances need to access an external API that whitelists IP addresses. The company uses Cloud NAT to provide outbound connectivity. The API integration tests are failing, and the operations team suspects that the source IP addresses seen by the API are not consistent. What is the most likely cause and solution?
95. A network engineer is designing a hybrid cloud architecture connecting an on-premises data center to Google Cloud via Dedicated Interconnect. The on-premises network uses BGP for dynamic routing. The engineer needs to configure Cloud Router to exchange routes with the on-premises router. Which two configuration steps are required? (Choose two.)
96. Refer to the exhibit. A network team has created this load balancer. Clients inside the VPC are unable to connect to the load balancer's IP address from a Compute Engine instance in the same VPC. What is the most likely cause?
97. A multinational corporation has deployed a multi-region application on Google Kubernetes Engine (GKE) clusters in us-central1 and europe-west1. The application serves global users and requires low-latency access to a shared database hosted on Cloud SQL in us-central1. The network team has configured Cloud VPN tunnels between each region and the on-premises data center for administrative access. The application instances in europe-west1 are experiencing high latency when connecting to the Cloud SQL instance in us-central1. The team wants to reduce latency without migrating the database. The team has already verified that the Cloud SQL instance has private IP enabled and is peered to a shared VPC that spans both regions. The GKE clusters are in the same shared VPC. What should the team do?
The Configuring network services domain covers the key concepts tested in this area of the PCNE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNE domains — no account required.
The Courseiva PCNE question bank contains 97 questions in the Configuring network services domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Configuring network services domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.