Practice PCNE Implementing VPC Instances questions with full explanations on every answer.
1. An engineer needs to provide outbound internet access to a set of Compute Engine instances that have only internal IP addresses. The instances must use a static IP address for outbound traffic. Which solution should they implement?
2. A security team wants to enforce a policy that blocks all egress traffic to the internet from a specific set of VMs across multiple projects in an organization. The policy should be centrally managed and override VPC-level firewall rules. Which approach should they use?
3. An organization needs to restrict access to Google Cloud APIs such that only traffic from a specific set of VMs inside a VPC can reach the APIs, and all other traffic (including from other VPCs) must be denied. The VMs do not have external IPs. Which combination of services should they use?
4. A developer wants to allow HTTP (port 80) traffic from the internet to a set of Compute Engine instances that have a tag "web-server". Which firewall rule should they create?
5. A company has a VPC with a subnet in us-central1. They launched a Compute Engine instance named "app-server" in that subnet without an external IP. They need the instance to be able to download updates from the internet. Which two steps must be taken?
6. An organization uses a hierarchical firewall policy at the organization level with a deny-all egress rule (priority 100). They also have a VPC-level firewall rule allowing egress to a specific external IP (priority 1000). Will traffic to that external IP be allowed?
7. An engineer wants to allow traffic from a specific service account to a Compute Engine instance. Which firewall rule option should they use for the source?
8. What is the default MTU for Compute Engine instances on Google Cloud?
9. A company wants to publish a service running on Compute Engine instances in their VPC so that consumers in other VPCs can access it via private IPs without needing VPC peering. Which service should they use?
10. An organization needs to protect a web application behind an HTTPS Load Balancer from SQL injection attacks. They want to use a managed WAF solution. Which Google Cloud service should they configure?
11. An engineer needs to configure DNS resolution for a Compute Engine instance named "web-1" in zone us-central1-a of project my-project. What is the internal DNS name for this instance?
12. A Compute Engine instance has multiple network interfaces. Which interface is considered the primary (NIC0)?
13. A company wants to restrict access to Google Cloud Storage so that only traffic originating from a specific VPC network is allowed. They also need to prevent data exfiltration to other VPCs. Which two services should they use? (Choose two.)
14. An organization has a VPC with multiple subnets. They want to log all outbound connections from instances to the internet for compliance. They also want to use a cost-effective solution that doesn't require a proxy. Which three components are needed? (Choose three.)
15. An engineer needs to allow HTTP health checks from the Google Cloud health checker IP ranges to a set of instances. Which two methods can be used to target the firewall rule correctly? (Choose two.)
16. A company has Compute Engine instances without external IPs in a VPC. They need to reach Google APIs such as Cloud Storage and BigQuery. Which configuration will meet this requirement with minimal cost and operational overhead?
17. A network engineer wants to restrict access to a Cloud Storage bucket from only a specific set of Compute Engine instances in a VPC. The instances have no external IPs. What is the most effective way to enforce this restriction?
18. A company wants to protect its HTTP(S) Load Balancer against DDoS attacks and common web exploits like SQL injection and cross-site scripting. Which Google Cloud service should they use?
19. An organization has multiple VPCs in different projects that need to consume a common internal service hosted in a central project. The service runs on a set of Compute Engine instances with internal IPs. Which architecture allows the consumers to access the service using private IPs without VPC peering?
20. A company has a VPC with a subnet in us-central1. Compute Engine instances in that subnet have no external IPs but need to reach the internet for software updates. The engineer configured Cloud NAT with the default settings. However, instances fail to reach the internet. What is the most likely cause?
21. A network engineer needs to create a firewall rule that blocks all ingress traffic from the internet to Compute Engine instances tagged 'web-server', except for traffic from the organization's VPN gateway at IP 203.0.113.1. The engineer creates a rule with priority 1000, deny ingress, source IP ranges 0.0.0.0/0, and targets 'web-server'. To allow the VPN IP, what should the engineer do?
22. A company wants to ensure that Compute Engine instances in a VPC can resolve internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. What is required for this to work?
23. A company has deployed a network appliance (e.g., firewall) as a Compute Engine instance with two NICs: NIC0 for management and NIC1 for data traffic. The appliance must forward traffic from instances in subnet A to subnet B. The engineer has enabled IP forwarding on the appliance. What additional configuration is required on the VPC for the appliance to route traffic between subnets?
24. A company wants to apply consistent firewall rules across all projects in an organization. They need to block all traffic to ports 22 and 3389 from the internet to any VMs in any project. Which approach is most scalable and maintainable?
25. A developer is configuring a Compute Engine VM to host a web server. They want to ensure that only HTTP (port 80) and HTTPS (port 443) traffic from the internet is allowed. Which firewall rule should they create?
26. A company is using Cloud NAT to provide outbound internet access for instances without external IPs. They notice that the NAT gateway is running out of ports for connections to a single external IP address. To minimize port exhaustion, what should the engineer configure?
27. An organization needs to prevent exfiltration of data from a Cloud Storage bucket to external IPs. The bucket is accessed by Compute Engine instances in a VPC. The instances need to read and write data to the bucket but should not be able to copy data to external networks. Which combination of controls meets this requirement?
28. A company wants to allow access to a Cloud Storage bucket only from Compute Engine instances that have a specific service account and are within a specific VPC. They also want to prevent access from other networks. Which TWO services or features should they use together?
29. A company has an HTTP Load Balancer that distributes traffic to a backend service consisting of Compute Engine instance groups. They need to block traffic from specific geographic regions and also rate-limit requests from any IP. Which THREE Cloud Armor features should they configure?
30. An organization wants to publish an internal web service running on Compute Engine to consumers in different VPCs. The service must be accessible via private IPs without VPC peering. Which THREE components are required to set this up using Private Service Connect?
31. An engineer needs to provide outbound internet access to Compute Engine instances that do not have external IP addresses. The solution must allow instances to access a specific set of external IPs only. What should the engineer configure?
32. You need to configure firewall rules to allow HTTP (TCP 80) traffic from the internet to instances in a VPC. The instances are in different subnets and have a network tag 'web-server'. You want to minimize the number of rules. Which rule configuration is correct?
33. An organization has two VPCs in the same project: VPC-A and VPC-B. They want instances in VPC-A to reach Cloud Storage buckets without external IPs. What is the simplest solution?
34. A company uses hierarchical firewall policies at the organization level. They need to allow SSH (TCP 22) access from a specific range 10.0.0.0/8 to all VMs, but a child folder has a policy that denies all ingress traffic. Which rule priority ordering ensures SSH access is allowed?
35. Your VPC has instances with internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. You need to ensure that DNS resolution works for instances in the same zone using short names (e.g., 'instance1'). Which condition must be met?
36. You are deploying a third-party network appliance (e.g., firewall) in a GCP VPC. The appliance requires multiple network interfaces for traffic isolation. You create a VM with three NICs in different subnets. What is a key consideration for routing traffic through the appliance?
37. You need to protect an HTTPS load-balanced application from SQL injection and cross-site scripting attacks. Which Google Cloud service should you use?
38. An organization wants to prevent data exfiltration from a project that uses Google Cloud Storage and BigQuery. They need to restrict access to these services from only the authorized VPC networks. Which service should they use?
39. You have a Cloud NAT gateway configured in a region with 256 available ports. You allocate static NAT ports to a specific VM for outbound connections. What is the minimum number of ports you should allocate to ensure the VM can handle 500 concurrent connections?
40. An engineer is troubleshooting connectivity from a Compute Engine instance (internal IP: 10.0.0.2) to an on-premises server (IP: 203.0.113.5) over a Cloud VPN tunnel. The traffic reaches the on-premises network, but the return traffic is dropped. What is the most likely cause?
41. A company wants to publish an internal service (e.g., a database) in their VPC so that consumers in other VPCs can connect to it privately via Private Service Connect (PSC). What must be created on the producer side?
42. Which statement about Cloud Armor security policies is true?
43. You need to allow instances with network tag 'db' in subnet-a to only accept connections on TCP port 3306 from instances with network tag 'app' in subnet-b. Which TWO firewall rules should you create? (Choose 2)
44. You are configuring a VPC Service Controls perimeter to protect a project containing BigQuery datasets. Access should be allowed only from a specific VPC network and only for users with a specific access level. Which THREE components must you define? (Choose 3)
45. An engineer needs to deploy a VM that acts as an internet gateway for other instances in the same VPC. The VM must have IP forwarding enabled and must be able to accept traffic on multiple NICs. Which TWO actions are required? (Choose 2)
46. An engineer is configuring a Google Compute Engine instance that needs to send traffic to the internet. The instance has no external IP address. Which service must be configured to allow this outbound connectivity?
47. A company wants to restrict access to Google Cloud APIs from a specific set of VMs based on the VM's service account. Which type of firewall rule target should be used?
48. A network engineer needs to create a firewall rule that denies all inbound traffic to instances with the tag 'web-server' from source IP range 10.0.0.0/8. They also have an existing allow rule with priority 1000 that permits traffic from 10.0.0.0/8 to those instances. To ensure the deny rule takes precedence, what priority should the new rule have?
49. An organization has multiple projects and wants to apply a consistent set of firewall rules across all VPC networks in the organization. Which approach should they use?
50. What is the default Maximum Transmission Unit (MTU) for Compute Engine virtual machines?
51. A company wants to protect its external HTTPS load balancer from SQL injection and cross-site scripting attacks. Which Google Cloud service should they use?
52. A Compute Engine instance is running a network appliance that requires multiple network interfaces. What is the primary purpose of attaching additional NICs (e.g., NIC1, NIC2) to the instance?
53. An organization wants to allow on-premises hosts to connect to a Cloud SQL instance privately without traversing the public internet. They have a Cloud VPN tunnel set up. What additional step is required?
54. A company wants to restrict which Google Cloud APIs can be accessed by its VMs in a specific project. They also want to prevent data exfiltration. Which service should they use?
55. A company uses Cloud NAT with a static NAT IP address. They notice that connections from their instances are failing after a few minutes. What is the most likely cause?
56. What is the internal DNS name format for a Compute Engine instance named 'web-server' in zone 'us-central1-a' within project 'my-project'?
57. An organization wants to allow only certain users to access a service published via Private Service Connect. They need to restrict access based on the source VPC network. What should they use?
58. Which TWO of the following are valid ways to target firewall rules in Google Cloud? (Select 2)
59. Which THREE of the following are benefits of using hierarchical firewall policies? (Select 3)
60. A company wants to use Cloud Armor to block traffic from a specific IP range (198.51.100.0/24) and also apply rate limiting. Which TWO components are needed? (Select 2)
61. A network engineer needs to ensure that Compute Engine instances without external IP addresses can access Google APIs such as BigQuery and Cloud Storage. Which feature should be enabled on the subnet where the instances reside?
62. An engineer is configuring a Compute Engine instance with multiple network interfaces for use as a network appliance. Which interface is considered the primary interface for default routes and instance metadata?
63. A company wants to protect its HTTPS Load Balancer from DDoS attacks and common web application attacks like SQL injection and cross-site scripting (XSS). Which Google Cloud service should be used?
64. An organization has multiple VPCs in the same project. They want to apply consistent firewall rules to all VPCs at the project level. What is the most efficient way to achieve this?
65. An engineer is troubleshooting outbound connectivity from a Compute Engine instance that has no external IP. The instance needs to reach an external service on the internet. Cloud NAT is configured on the VPC network. However, the instance cannot connect. What is the most likely cause?
66. A company wants to publish a custom internal service running in their VPC so that consumers in other VPCs can access it using private IP addresses. Which service should they use?
67. An organization wants to restrict which Google APIs can be accessed by resources in a specific VPC. They also want to prevent data exfiltration to unauthorized projects. Which Google Cloud service should they use?
68. An engineer has configured a firewall rule with priority 1000 that allows ingress traffic on TCP port 443 from source IP range 10.0.0.0/8. Another rule with priority 500 denies ingress on TCP port 443 from source IP 10.0.1.0/24. What will happen to traffic from 10.0.1.5 destined to the instance on port 443?
69. A company wants to provide outbound internet access to Compute Engine instances without external IPs, while minimizing IP address consumption. Which Cloud NAT feature should be used to achieve minimal static IP usage?
70. An engineer needs to create a firewall rule that applies only to instances with the tag 'web-server' in a specific VPC network. The rule should allow ingress from any source on TCP port 80. Which combination of fields must be set in the gcloud command?
71. A company uses VPC Service Controls with a service perimeter that includes Project A. They want to allow an external identity from Project B (outside the perimeter) to access a Cloud Storage bucket in Project A, but only during business hours. Which VPC Service Controls feature should they use?
72. An engineer needs to configure Cloud Armor to block requests from a specific IP address (10.1.2.3) while allowing all other traffic. They create a security policy with a deny rule for that IP and an allow rule for all traffic. What priority should the deny rule have relative to the allow rule?
73. A company runs a web application on Compute Engine instances without external IPs. They need to ensure the instances can access Google APIs (e.g., Cloud Storage) and also provide outbound internet access for software updates. Which two features should be configured? (Choose two.)
74. An organization wants to enforce that only instances with specific service accounts can be accessed via SSH (TCP 22) from the internet. Which two attributes should be used in the firewall rule to achieve this? (Choose two.)
75. A company wants to deploy a network appliance (e.g., firewall) on a Compute Engine instance that requires inspecting traffic between two VPCs. The instance must have interfaces in both VPCs. Which three configurations are required? (Choose three.)
76. A company wants to allow instances in a VPC without external IPs to access Google APIs like BigQuery and Cloud Storage. Which configuration is required?
77. An engineer needs to set up a firewall rule that allows health check probes from Google Cloud's health check ranges (130.211.0.0/22 and 35.191.0.0/16) to a backend instance group. The rule should apply only to instances with the 'backend' network tag. What is the correct configuration?
78. An organization has multiple projects under an organization node. They need to enforce a security policy that denies all inbound SSH traffic (tcp:22) to all VMs across all projects, but must allow certain projects to override this. Which approach should be used?
79. An engineer is deploying a network appliance (e.g., a firewall) in a VPC. The appliance needs to handle traffic between different subnets. How many network interfaces should the appliance VM have, and why?
80. A company has an application running on Compute Engine that needs to send traffic to a third-party SaaS service on the internet. The VMs have no external IPs. Which solution provides outbound connectivity with minimal configuration and allows source IP preservation?
81. An engineer is troubleshooting a firewall rule issue. A VM with network tag 'web' is unable to receive HTTP traffic from the internet. The VPC has an ingress firewall rule allowing tcp:80 from 0.0.0.0/0 to targets with tag 'web' at priority 1000. Another ingress rule denies all ingress traffic at priority 65535. What is the likely cause?
82. What is the default MTU for Compute Engine virtual machines?
83. An organization wants to consume a third-party SaaS service via a private endpoint in their VPC, using Private Service Connect. Which type of Private Service Connect endpoint should they create?
84. A security team wants to block traffic from specific geographic regions (e.g., Country A) to their HTTP(S) load balancer. Which Google Cloud service should they use?
85. An engineer has multiple projects with overlapping IP ranges. They want to create a single Cloud NAT gateway to provide outbound internet access for instances in two different VPCs that are connected via VPC Network Peering. Is this possible?
86. What is the internal DNS name format for a Compute Engine instance named 'web-server' in the 'us-central1-a' zone within the project 'my-project'?
87. A company has deployed a Cloud Armor security policy with the following rules: Rule 1: allow from IP range 10.0.0.0/8 (priority 1000); Rule 2: deny from all (priority 2000). What will be the action for traffic from IP 10.1.1.1?
88. A company wants to restrict access to Google Cloud Storage from a specific VPC only, using VPC Service Controls. Which TWO components are required to create a service perimeter? (Choose two.)
89. An organization needs to deploy a multi-tier web application on Compute Engine. The web tier must be accessible from the internet, while the database tier must only be accessible from the web tier. The security team requires a defense-in-depth approach. Which THREE measures should be implemented? (Choose three.)
90. A company uses Cloud NAT for outbound internet access. They want to ensure that all connections from their VMs use a predictable public IP address for whitelisting with third-party services. Which TWO configurations should be applied? (Choose two.)
91. An engineer needs to provide outbound internet access to a set of Compute Engine instances that do not have external IP addresses. The instances are in a VPC subnet with a Cloud NAT configured. However, the instances still cannot reach the internet. The engineer verified that Cloud NAT is configured on the same region and VPC as the instances. What is the most likely cause?
92. A company wants to restrict access to Google Cloud APIs from a specific VPC network so that only the Google APIs listed in the VPC Service Controls perimeter can be accessed. Which configuration should be used?
93. A network engineer configured a hierarchical firewall policy at the organization level with a priority 100 rule that denies all ingress traffic. At the folder level, a policy with priority 110 allows ingress from a specific IP range. At the VPC level, a network firewall policy with priority 90 allows ingress from a different IP range. Which traffic will be allowed?
94. An engineer needs to configure a Compute Engine instance as a network appliance that routes traffic between two subnets within the same VPC. The instance must handle traffic for both subnets. Which TWO actions are required? (Choose TWO.)
95. A company wants to protect its HTTP(S) Load Balancer from layer 7 attacks, including SQL injection and cross-site scripting (XSS). Which TWO Google Cloud services or features should be used together? (Choose TWO.)
96. An organization wants to publish a private service using Private Service Connect (PSC) so that consumers in other VPCs can access it via private IPs. Which TWO resources are required on the producer side? (Choose TWO.)
97. A security team needs to block traffic from a specific geographic region (country) from reaching their HTTP Load Balancer. Additionally, they need to allow traffic from specific IP ranges that are known to be legitimate, even if they originate from that blocked region. Which THREE steps should they take? (Choose THREE.)
98. A company has a VPC with subnets in us-central1 and europe-west1. They need to allow Compute Engine instances in us-central1 (without external IPs) to access Google Cloud Storage buckets in the US multi-region. They also need to ensure the traffic does not traverse the public internet. Which TWO configurations are required? (Choose TWO.)
99. An engineer needs to configure Cloud NAT with logging enabled to monitor traffic from a specific subnet. The NAT gateway uses automatic NAT IP allocation. The engineer wants to ensure that if a single VM uses many connections, it does not exhaust the available ports for other VMs. Which THREE settings should be configured? (Choose THREE.)
100. A company wants to allow traffic to a specific set of Compute Engine instances only from a single management instance that uses a service account. The management instance has the service account 'sa-mgmt@project.iam.gserviceaccount.com'. Which TWO firewall rule configurations can achieve this? (Choose TWO.)
The Implementing VPC Instances domain covers the key concepts tested in this area of the PCNE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNE domains — no account required.
The Courseiva PCNE question bank contains 100 questions in the Implementing VPC Instances domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Implementing VPC Instances domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.