Practice PCNE Configuring Network Services questions with full explanations on every answer.
Start practicing
Configuring Network Services — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A company wants to expose a globally distributed application using Cloud Run via a single anycast IP address, with SSL termination and content-based routing to different backend services. Which load balancer should they use?
2An organization uses Traffic Director with Envoy sidecars in GKE. They want to implement fault injection to test service resilience by injecting a 5-second delay into 10% of requests to a specific backend service. Which Traffic Director configuration resource should they use?
3You need to configure Cloud CDN to cache all content from a backend bucket, ignoring any Cache-Control headers sent by the origin. Which cache mode should you use?
4A company has an on-premises data center connected to GCP via Cloud Interconnect. They want to expose an on-premises service to internet clients through Google Cloud's global load balancer. Which type of network endpoint group should they use?
5You are configuring a health check for a backend service that expects gRPC health probing. Which protocol should the health check use to verify gRPC service health?
6A company uses Cloud DNS. They want to override DNS resolution for a specific domain (e.g., mycompany.com) to point to an internal IP for all queries originating from their VPC, while leaving all other domains unaffected. Which Cloud DNS feature should they use?
7Which load balancer type preserves the client source IP address and can be used for TCP/UDP traffic on a specific port, passing traffic through to backend instances without proxy overhead?
8You want to distribute traffic across multiple GKE clusters in different regions with automatic failover if a region becomes unhealthy. Which Cloud DNS routing policy should you use?
9A company uses Cloud CDN to serve content. They need to generate signed URLs to allow temporary access to premium content. They have set up a signing key. Which command correctly generates a signed URL for the object /video.mp4 in a bucket served by a load balancer?
10You are designing a multi-tier application where an internal HTTP(S) load balancer should route requests to a backend service based on the URL path (e.g., /api/* to one service, /web/* to another). Which component is essential for this routing?
11You need to configure SSL certificates for a Global HTTPS Load Balancer. The certificate should be automatically provisioned and managed by Google. Which type of certificate should you use?
12A company wants to enable mTLS between microservices in a service mesh managed by Traffic Director. They have deployed Envoy sidecars. What must be configured to enforce mTLS?
13You are configuring a Global External HTTPS Load Balancer. Which TWO components are required to route traffic to a Cloud Run service via a serverless NEG? (Select two.)
14A company uses Traffic Director with Envoy sidecars. They want to implement traffic splitting to gradually migrate traffic from version v1 to v2 of a service. Which TWO resources must be configured? (Select two.)
15You need to configure a health check for a backend service that uses HTTP2. Which THREE settings must be configured correctly for the health check to work? (Select three.)
16A company wants to expose a web application running on Cloud Run globally with the lowest latency and automatic SSL termination. Which load balancer should they use?
17An organization needs to distribute incoming traffic across multiple GCE instances in the same region while preserving the client IP address. Which load balancer should they use?
18A company wants to serve static content from a Cloud Storage bucket and dynamic content from Compute Engine VMs behind a single external URL. Which GCP feature allows this configuration?
19A company wants to cache static content globally to reduce latency for their users. They are using a Global HTTPS Load Balancer with a backend bucket. Which Cloud CDN cache mode should they use?
20An engineer is configuring a Global HTTPS Load Balancer with a serverless NEG pointing to Cloud Run. The deployment fails with a health check error. What is the most likely cause?
21A company wants to use Cloud CDN to serve private content to authenticated users only. Which feature should they use?
22A company has a Global SSL Proxy Load Balancer handling HTTPS traffic. They want to offload SSL decryption to the load balancer and forward encrypted traffic to backends. Which backend protocol should they use?
23A company wants to route traffic to different backend services based on the geographic location of the client. Which Cloud DNS routing policy should they use?
24An organization needs to serve a TCP-based application globally with low latency but without SSL termination. Which load balancer should they use?
25A company is using Traffic Director with Envoy sidecars to manage traffic between microservices. They want to inject faults to test service resilience. Which Traffic Director feature should they use?
26An engineer wants to use Cloud DNS to override DNS responses for a specific domain within their VPC. Which feature should they use?
27A company uses a Global HTTPS Load Balancer with Cloud CDN. They need to purge specific cached objects for all users immediately after a content update. Which method should they use?
28A company wants to set up a Regional Internal HTTP(S) Load Balancer to serve an internal web application. Which two components are required? (Choose two.)
29A company is using Traffic Director with Envoy sidecars. They want to enable mutual TLS (mTLS) between services. Which two steps are required? (Choose two.)
30A company needs to cache API responses that are dynamic but cacheable for short periods. They want to use Cloud CDN with a Global HTTPS Load Balancer. Which two settings should they configure? (Choose three.)
31A company wants to expose a global web application with HTTP/HTTPS load balancing, SSL termination, and Cloud CDN. They need to route requests to different backend services based on the URL path (e.g., /api/* to a Cloud Run service, /static/* to a Cloud Storage bucket, and /* to a managed instance group). Which GCP load balancing product should they use?
32An organization runs a stateful TCP application on a group of Compute Engine instances in us-central1. Clients must connect to the service using a single anycast IP address, and the load balancer must preserve the client source IP address. Which load balancing option meets these requirements?
33A company is migrating on-premises services to Google Cloud. They have a hybrid connectivity NEG that points to an on-premises endpoint via a Cloud VPN tunnel. The Traffic Director service mesh is configured to route traffic to that NEG. However, traffic to the on-premises service is failing with connection timeouts. What is the most likely cause?
34A developer wants to use Cloud CDN to cache content from a backend bucket. They want to cache all objects regardless of cache-control headers, but need to exclude certain URL patterns (e.g., /private/*) from caching. Which cache mode should they choose?
35A media company uses Cloud CDN with signed URLs to distribute premium video content. They need to revoke access for a specific user immediately. Which approach should they take?
36You need to configure health checks for a backend service that uses gRPC for health checking. Which health check type should you use?
37An engineer manages a global application using Global external HTTP(S) Load Balancer with URL map routing to multiple backend services. They want to enable Cloud CDN for the /images/* path. What is the correct way to enable CDN for that specific path?
38A company uses Traffic Director with Envoy sidecars for service mesh. They want to gradually shift traffic from version 1 to version 2 of a service, starting with 10% traffic to version 2. Which Traffic Director feature should they use?
39A network engineer configures a Global external HTTP(S) Load Balancer with a serverless NEG backend pointing to Cloud Run. The load balancer returns 502 Bad Gateway errors. What is the most likely cause?
40Which Cloud DNS routing policy should you use to direct users to the nearest healthy backend based on their geographic location?
41You need to create a load balancer that distributes traffic across Compute Engine instances in multiple regions for a TCP application without SSL offload. The clients should connect to a single anycast IP. Which load balancer should you use?
42An organization configures a Global external HTTP(S) Load Balancer with Cloud CDN. They notice that some users are getting stale content even after they have invalidated the cache for specific objects. What is the most likely reason?
43A company wants to expose an internal HTTP service running on Compute Engine instances to other VPCs in the same project using a load balancer. The load balancer must support HTTP path-based routing and preserve the client source IP. Which two load balancer types meet these requirements? (Choose two.)
44You are deploying a microservices architecture on Google Kubernetes Engine (GKE) with Traffic Director for traffic management. You want to implement fault injection to test the resilience of your services. Which two types of fault injection does Traffic Director support? (Choose two.)
45A company wants to use Cloud DNS response policy zones (RPZ) to override DNS responses for a set of internal domains. They need to ensure that only specific VPC networks can use these overrides. Which three steps are required? (Choose three.)
46An organization wants to distribute incoming HTTPS traffic across a set of Compute Engine instances in multiple regions, with SSL termination at the Google Cloud edge. They also need to protect against DDoS attacks at the edge. Which load balancing solution should they choose?
47A company hosts a web application on Cloud Run and wants to serve content from a Cloud Storage bucket for static assets. They plan to use a global HTTPS load balancer with a URL map to route requests. Which backend type should they configure for the static content?
48A network engineer is configuring a global HTTPS load balancer with Cloud CDN. They want to cache responses based on the request origin, query parameters, and user agent. Which cache key configuration should they use?
49A company wants to expose a set of internal services running on Compute Engine instances in a private VPC to other internal services using HTTP load balancing. They require L7 features like URL-based routing and SSL termination. Which load balancer should they use?
50A developer needs to store a TLS certificate for use with a load balancer. Which Google Cloud service is used to create and manage SSL certificates?
51An engineer wants to use Traffic Director to split traffic between two versions of a microservice running on Compute Engine with Envoy sidecars. They want to send 10% of traffic to the new version. Which configuration should they apply?
52A company uses Cloud DNS with a managed zone for example.com. They want to override DNS responses for a specific subdomain, mail.example.com, to point to an internal IP address when queried from within the VPC, but external queries should resolve normally. Which feature should they use?
53An organization wants to serve private content via Cloud CDN, ensuring that only authorized users can access cached objects. They need to generate time-limited access for specific URLs. Which method should they use?
54A company wants to load balance TCP traffic (non-HTTP) across a group of Compute Engine instances in a single region, while preserving the client IP address. They also need to support session affinity based on client IP. Which load balancer should they choose?
55A team is using Traffic Director with Envoy sidecars. They want to enforce mutual TLS (mTLS) between services. Which configuration must be enabled?
56While configuring a health check for a backend service, an engineer notices that the health check is failing even though the instances are healthy. The health check is HTTP on port 80 with a request path of /health. The instances respond to curl http://localhost:80/health with 200 OK. What is a likely cause?
57A company wants to use Cloud DNS to distribute traffic across multiple regional endpoints with failover: primary in us-central1, secondary in us-west1. If the primary health check fails, traffic should go to secondary. Which routing policy should they use?
58A company runs a microservices application on Google Kubernetes Engine (GKE) and wants to expose an HTTP service to the internet using a global HTTPS load balancer. They need to enable Cloud CDN for static content and use a custom domain with a Google-managed SSL certificate. Which three resources must be created? (Choose three.)
59A network engineer is troubleshooting a global HTTPS load balancer that is not serving traffic to some users. The load balancer has a backend service with a zonal NEG in us-central1-a. Users report intermittent 502 errors. Which two checks should the engineer perform? (Choose two.)
60A company wants to use Traffic Director to implement fault injection for testing service resilience. They want to inject delays and errors into a percentage of requests. Which two configurations are required? (Choose two.)
61A company wants to expose a web application running on Cloud Run to the internet with a single global IP address, SSL termination, and Cloud CDN. Which load balancer should they use?
62An engineer is configuring a Global HTTPS Load Balancer with a backend service that points to a serverless NEG for Cloud Functions. The health checks are failing. What is the most likely cause?
63A company has a TCP-based application running on a group of Compute Engine VMs in us-central1. They need to provide a static internal IP address to clients within the VPC, while preserving the client source IP for logging. Which load balancer should they use?
64An organization uses Cloud CDN to serve static content from a backend bucket. They want to ensure that content is always served from the edge regardless of cache-control headers from the origin. Which cache mode should they set?
65A company is using Traffic Director with Envoy sidecar proxies to manage traffic between microservices. They want to gradually shift 5% of traffic from version v1 to v2 of a service for testing. Which Traffic Director resource should they configure?
66A security team wants to serve private content through Cloud CDN but restrict access to only authorized users. They need to generate time-limited URLs that do not require users to log in. Which approach should they use?
67A company needs to map multiple domain names to different backend services on a single Global HTTPS Load Balancer. Which resource should they configure to direct traffic based on the requested hostname?
68An engineer is deploying a Regional External HTTP(S) Load Balancer to serve a web application on Compute Engine. They want to maintain the highest availability by automatically rerouting traffic away from unhealthy instances. Which additional configuration is required?
69An organization uses Cloud DNS with a managed zone for example.com. They want to block or override DNS queries for a specific malicious domain (malware.com) to return a sinkhole IP address. Which Cloud DNS feature should they use?
70A company wants to expose an on-premises HTTP server to internet clients through a Global HTTPS Load Balancer using a hybrid connectivity NEG. The on-prem server is reachable via a Cloud VPN tunnel. What must the engineer configure to ensure the load balancer can reach the on-prem endpoint?
71An engineer is configuring a Global SSL Proxy Load Balancer to terminate SSL for a non-HTTP TCP application. They want to minimize latency by allowing the load balancer to reuse connections to backends. Which setting should they adjust?
72A team is using Traffic Director with Envoy sidecars. They want to enforce mutual TLS (mTLS) between all services. Which component is responsible for issuing and distributing certificates to the Envoy proxies?
73A company is designing a global web application that must serve users worldwide with low latency. They plan to use a Global HTTPS Load Balancer with Cloud CDN. Which TWO features should they enable to further reduce latency for users connecting from various regions? (Choose two.)
74An organization uses Cloud DNS with a managed zone for internal resolution. They want to implement a failover routing policy so that if the primary health-checked endpoint is unhealthy, traffic is directed to a secondary endpoint. Which THREE steps are required? (Choose three.)
75A company is migrating from an on-premises data center to Google Cloud. They have a legacy TCP application that must preserve client IP addresses when load balanced. They also need SSL termination for a different web application. Which TWO load balancers should they consider? (Choose two.)
76A company is deploying a global web application on Google Cloud. They need to serve traffic from the closest region to users, support both HTTP and HTTPS, and offload SSL/TLS termination at the load balancer. Which load balancing solution should they use?
77You need to create a serverless Network Endpoint Group (NEG) to attach to a Global HTTPS Load Balancer backend for a Cloud Run service. Which command should you use?
78A company has a global e-commerce platform using a Global HTTPS Load Balancer with Cloud CDN. They want to serve private content, such as user-specific PDFs, with CDN caching while ensuring only authorized users can access it. Which method should they use?
79An engineer configures a Global HTTPS Load Balancer with a backend service pointing to an instance group. The health check is set to HTTP on port 80, check interval 5s, timeout 5s, healthy threshold 1, unhealthy threshold 1. After deployment, instances are marked unhealthy despite the application responding correctly on port 80. What is the most likely cause?
80You need to route traffic to different backend services based on the URL path: /api/* goes to a Cloud Run service, /static/* goes to a Cloud Storage bucket, and /* goes to a Compute Engine instance group. Which component of the Global HTTPS Load Balancer should you configure?
81Which Google Cloud service provides a managed Envoy proxy control plane for traffic management, including traffic splitting and fault injection, in a service mesh?
82A company wants to use Cloud DNS with a failover routing policy. They have two IP addresses serving the same application: primary in us-east1 and secondary in us-west1. They want traffic to go to primary unless health check fails, then fail over to secondary. Which configuration is required?
83You are configuring a Regional Internal HTTP(S) Load Balancer for a service that must only be accessible from within a VPC. The backend is a zonal NEG of Compute Engine instances. The load balancer is not receiving traffic. What is a likely cause?
84You need to distribute incoming TCP traffic to a set of Compute Engine instances in the same region while preserving the client IP address. The load balancer must be used for non-HTTP(S) workloads. Which load balancer should you choose?
85A company uses Cloud CDN to cache content from a backend bucket. They want to ensure that only objects with a Cache-Control header indicating public cacheability are cached. Which cache mode should they select?
86You are using Traffic Director with Envoy sidecars for a microservices application. You want to inject artificial delays into requests from service A to service B for testing purposes. Which Traffic Director feature should you use?
87To enable DNSSEC for a Cloud DNS managed zone, what must be configured?
88A company wants to use Cloud CDN to accelerate content delivery globally. Which TWO of the following are valid cache key components that can be configured in Cloud CDN? (Choose 2)
89You are migrating an on-premises application to Google Cloud and need to connect it to Cloud Run services via a load balancer. The on-premises network uses a VPN to GCP. Which TWO components are required to route traffic from on-premises to a serverless NEG? (Choose 2)
90You need to create a DNS routing policy that routes users in Europe to one IP and users in Asia to a different IP, with a fallback to a default IP if no match. Which THREE elements are required? (Choose 3)
91A company wants to expose a web application running on Compute Engine behind a global HTTPS load balancer with Cloud CDN enabled. They need to ensure that only authenticated users can access certain content. Which approach should they use?
92An organization wants to direct traffic from a global load balancer to an on-premises data center using a hybrid connectivity NEG. Which connectivity option must be in place for this to work?
93A company runs a microservices application on Google Kubernetes Engine (GKE) with an Envoy sidecar proxy for each service. They want to use Traffic Director to apply traffic policies such as traffic splitting between versions and fault injection. Which API does Traffic Director use to configure Envoy proxies?
94A global HTTPS load balancer is configured with a backend service that points to a serverless NEG for Cloud Run services. Some requests are failing with 502 errors. What is a likely cause?
95A company wants to use Cloud CDN to cache content from a backend bucket. They need to cache all objects, including those with cookies, to maximize performance. Which cache mode should they select?
96An organization needs to set up a Regional Internal HTTPS Load Balancer for internal microservices. They want to use Envoy-based load balancing. Which backend type must the backend service use?
97Your company uses Cloud DNS with a managed zone for example.com. You need to override DNS responses for a specific domain (e.g., internal.example.com) to point to an internal IP address. Which Cloud DNS feature should you use?
98A company wants to distribute traffic across multiple backend services based on the geographic location of the user. They are using an external HTTPS load balancer. Which routing configuration should they use?
99A company is using a Global SSL Proxy Load Balancer to terminate SSL and forward traffic to a backend service on Compute Engine. They need to preserve the client IP address in the backend logs. What should they do?
100An organization has deployed an internal TCP/UDP load balancer in their VPC. They need to ensure that the load balancer preserves the client IP address when forwarding traffic to backend instances. Which configuration is required?
101A company wants to use Cloud CDN to serve content from a custom origin that is not hosted on Google Cloud. They have enabled Cloud CDN with a backend bucket pointing to an external origin URL. However, content is not being cached. What is a likely reason?
102A team needs to perform a health check for a gRPC backend service. Which health check type should they use?
103A company wants to use Traffic Director to implement circuit breaking for their microservices. Which two resources must be configured to enable circuit breaking? (Choose TWO.)
104An organization is deploying a Global HTTPS Load Balancer with Cloud Armor and Cloud CDN. They want to ensure that only requests with a valid signed cookie can access private content. Which three steps are required? (Choose THREE.)
105A company needs to load balance TCP traffic without SSL termination for a gaming application where client IP preservation is critical. The backend is a group of Compute Engine instances. Which load balancer types meet these requirements? (Choose TWO.)
106A company wants to expose a web application running on Cloud Run globally with a single anycast IP address, using HTTP(S) load balancing and Cloud CDN for static content. The application should be accessible at https://app.example.com. What is the correct configuration?
107An organization needs to route traffic to a group of Compute Engine VM instances in the same zone for a high-throughput TCP application. The solution must preserve the client source IP address and support connection draining. Which load balancer type meets these requirements?
108A company's application requires TLS termination at the load balancer, with backend instances in multiple regions running on Compute Engine. The backend instances must see the original client IP address. Which load balancer should be used?
109A developer wants to use Cloud CDN to cache static assets from an external origin (not a GCP bucket). Which backend type supports this?
110You need to configure a health check for a gRPC-based backend service. Which protocol should you use for the health check?
111A company wants to serve private content from Cloud CDN using signed URLs that expire after 1 hour. Which steps are required to enable this?
112You are using Cloud CDN with a backend bucket and want to cache all responses regardless of Cache-Control headers. Which cache mode should you set?
113You need to invalidate Cloud CDN cached content for specific URLs after updating files in Cloud Storage. Which command should you use?
114What is the purpose of a Response Policy Zone (RPZ) in Cloud DNS?
115An application running on Google Kubernetes Engine (GKE) uses Traffic Director for traffic management with Envoy sidecars. You want to implement fault injection to test resilience by injecting a 50% failure rate on a subset of traffic. Which Traffic Director configuration should you use?
116You need to migrate traffic gradually from an old version of a microservice to a new version using Traffic Director. You want to send 10% of traffic to the new version and 90% to the old version. Which configuration should you use?
117Which Traffic Director feature ensures that a service does not receive more requests than it can handle by setting a maximum number of concurrent requests or connections?
118A company wants to use Cloud DNS to route traffic to multiple IP addresses for a domain, with the ability to direct users based on their geographic location and also failover to a backup region if the primary is unhealthy. Which DNS routing policies should be combined? (Choose two.)
119You are designing a global web application that uses Cloud Run for the backend and Cloud Storage for static assets. You need to serve content securely over HTTPS with a custom domain, using Cloud CDN for caching. Which resources must be created or configured? (Choose three.)
120You are deploying a new internal HTTP(S) load balancer for a microservice that runs on Compute Engine instances within the same region. The load balancer must be accessible only from within the VPC network. Which components are required? (Choose two.)
121A company runs a global e-commerce platform with a monolithic application deployed on Compute Engine. They want to modernize by splitting the monolith into microservices running on Cloud Run and Cloud Functions, and expose them externally via a single anycast IP with Google-managed SSL certificates. Which load balancer should they use?
122An organization uses Cloud DNS private zones for internal service discovery. They want to override DNS responses for a specific domain (e.g., 'internal.example.com') to block access to malicious domains and redirect certain queries to a different IP for compliance. Which Cloud DNS feature should they use?
123A company runs a stateful TCP application on a zonal Managed Instance Group (MIG). They need to expose it to the internet using a load balancer that preserves the client IP address. Which TWO load balancer types meet this requirement? (Choose two.)
124A developer wants to use Cloud CDN to cache content from an external origin backend. Which TWO configurations are required to set this up? (Choose two.)
125A company uses Traffic Director with Envoy sidecars to manage traffic in their service mesh. They want to perform canary deployments where 10% of traffic goes to the new version and 90% to the stable version. Which TWO Traffic Director resources should they configure? (Choose two.)
126A company wants to serve private content over Cloud CDN with access control. They need to generate time-limited URLs that allow users to download files from Cloud Storage. Which TWO methods can they use? (Choose two.)
127An organization has an internal application that runs on Compute Engine and needs to be load balanced within the same region using a Layer 7 load balancer. They want the load balancer to be accessible only from within their VPC. Which THREE components are needed? (Choose three.)
128A company wants to migrate part of their on-premises workloads to Google Cloud but maintain connectivity using a hybrid NEG. Which TWO types of NEGs can be used for hybrid connectivity backends? (Choose two.)
129A cloud engineer is configuring a Global External HTTPS Load Balancer with a backend service that targets a Cloud Run service via a serverless NEG. They want to enable Cloud CDN and set cache behavior to cache all responses regardless of origin headers. Which THREE steps are required? (Choose three.)
130A company uses Traffic Director with Envoy proxies to manage east-west traffic. They want to implement fault injection to test the resilience of their service mesh. Which THREE types of faults can they inject? (Choose three.)
131A company uses Cloud DNS with a managed zone for 'example.com'. They want to implement a failover routing policy so that if the primary health check fails, traffic is sent to a secondary IP. Which THREE resources need to be configured? (Choose three.)
The Configuring Network Services domain covers the key concepts tested in this area of the PCNE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNE domains — no account required.
The Courseiva PCNE question bank contains 131 questions in the Configuring Network Services domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Configuring Network Services domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included