Practice PCNE Implementing a Virtual Private Cloud questions with full explanations on every answer.
1. A company is deploying a multi-tier web application on Google Cloud. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier must not have any public IP addresses. Which VPC design should be used?
2. An organization has a VPC with custom mode subnets in us-central1 and europe-west1. They create a VM instance in us-central1 with an internal IP 10.0.1.2 and a VM in europe-west1 with internal IP 10.0.2.2. They want to enable communication between these instances using internal IPs. What must be configured?
3. A startup wants to create a VPC with a subnet that can grow automatically as they add more VM instances. Which subnet type should they use?
4. A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They need to add a new subnet for a Kubernetes cluster that requires a secondary IP range for pods. The primary IP range of the new subnet must be 10.0.2.0/24. What is the correct way to create this subnet?
5. An organization is migrating to Google Cloud and requires connectivity between their on-premises network and VPC. They plan to use Cloud VPN with dynamic routing (BGP). Which VPC feature is required for this setup?
6. A company has a VPC with a subnet in us-central1 and needs to allow HTTP traffic (port 80) from the internet to a VM instance. Which TWO configurations are required?
7. A company is designing a VPC for a production environment that must meet the following requirements: support multiple projects, centralized network administration, and allow each project to have its own firewall rules. Which THREE components should be used?
8. A company is migrating its on-premises infrastructure to Google Cloud. They need to connect their VPC to a third-party SaaS provider that only supports IPsec VPN. The company requires high availability and automatic failover. Which solution should they implement?
9. A company has deployed a global application on Compute Engine instances in multiple regions. Users are experiencing high latency connecting to the application. The network team wants to use Google Cloud's global network to improve performance. Which approach should they take?
10. A developer created a Compute Engine instance in the default VPC network. The instance needs to communicate with an on-premises server over a Cloud VPN tunnel. The developer configured the VPN tunnel but the instances cannot ping the on-premises server. What is the most likely cause?
11. A company is designing a network for a critical application that requires sub-millisecond latency between two Compute Engine instances. The instances are located in different zones within the same region. Which VPC configuration will provide the lowest latency?
12. A company is setting up a VPC with Private Google Access enabled for on-premises connectivity via Cloud VPN. Which TWO of the following are required for on-premises hosts to access Google APIs (e.g., Cloud Storage) using private IP addresses?
13. A company has a VPC with multiple subnets. They want to restrict traffic between two subnets (Subnet-A and Subnet-B) using VPC firewall rules. Which THREE conditions must be met for a firewall rule to block traffic from Subnet-A to Subnet-B?
14. A financial services company is deploying a multi-tier application in a custom VPC with three subnets: web (10.0.1.0/24), app (10.0.2.0/24), and db (10.0.3.0/24). They use a Cloud VPN with dynamic routing (BGP) to connect to their on-premises data center (10.1.0.0/16). The on-premises network administrator reports that traffic from the web tier (10.0.1.0/24) to on-premises is working, but traffic from the app tier (10.0.2.0/24) to on-premises is failing. The company uses an Identity-Aware Proxy (IAP) for SSH access. The following configurations are in place:
- Cloud Router advertises all VPC subnets via BGP.
- On-premises router advertises 10.1.0.0/16.
- Firewall rules allow all traffic from 10.0.0.0/16 to 10.1.0.0/16.
- The app tier instances have a network tag 'app-tier' and a service account 'app-sa@project.iam.gserviceaccount.com'.
- There is a firewall rule with priority 1000 that denies egress from tags 'app-tier' to 10.1.0.0/16.
What is the most likely cause of the failure?
15. Your company runs a multi-tier web application on Google Cloud. The application consists of frontend instances in a managed instance group (MIG) in us-central1, backend instances in a MIG in us-west1, and a Cloud SQL database in us-central1. The frontend and backend communicate over a VPC network with custom subnet mode (10.0.0.0/16) and use internal IP addresses. Recently, the application experienced intermittent timeouts. You notice that the backend instances in us-west1 have high latency when querying the Cloud SQL database in us-central1. You suspect network congestion or suboptimal routing. You want to minimize latency between the regions for database queries while ensuring the most cost-effective solution. What should you do?
16. A company is designing a VPC with multiple subnets across two regions for high availability. They want to ensure that instances in different regions can communicate using internal IP addresses without traversing the public internet. Which TWO actions should they take? (Choose two.)
17. Your company has a VPC with a single subnet in us-central1 (10.0.1.0/24). You have a managed instance group (MIG) of web servers (10.0.1.2-10.0.1.10) and a standalone database instance (10.0.1.100). The web servers need to communicate with the database on TCP port 3306. You have configured a firewall rule allowing ingress from 10.0.1.0/24 to 10.0.1.100 on tcp:3306. However, the web servers cannot connect to the database. You verified that the database is running and listening on port 3306, and that the web servers can ping the database. What should you do to resolve the issue?
18. Drag and drop the steps to configure a Cloud NAT for private instances to access the internet into the correct order.
19. Match each Cloud Router BGP attribute to its function.
20. An engineer has set up VPC Network Peering between VPC-A and VPC-B. Both VPCs have non-overlapping CIDR ranges. The peering state is ACTIVE. However, instances in VPC-A cannot reach instances in VPC-B. The engineer verified that firewall rules allow the traffic. What should the engineer check next?
21. A company wants to enable Private Google Access for an on-premises network connected via Cloud VPN. Which configuration step is required?
22. An organization uses a custom mode VPC with several subnets. They need to add a new subnet 192.168.1.0/24 for a new workload. After creating the subnet, they find that existing firewall rules with target tags don't apply to instances in the new subnet, even though the tags are applied. What is the most likely reason?
23. A company wants to deploy a web application with a public-facing load balancer and a private backend. The backend instances must not have external IPs. Which statement about the VPC configuration is correct?
24. An engineer is troubleshooting connectivity between an on-premises network and a GCP VPC over a Cloud VPN tunnel with dynamic routing (BGP). The tunnel is established and the BGP session is up, but on-premises hosts cannot reach instances in the VPC. What should the engineer check first?
25. A company uses Shared VPC with a host project and multiple service projects. A service project administrator wants to create a VM with an internal IP from a specific subnet in the host project. The operation fails with a permission error. What is the most likely missing permission?
26. An engineer is troubleshooting high latency in a VPC and suspects packet drops. Which VPC feature should they enable to get detailed information about network traffic?
27. A company wants to allow their VPC instances to access Google APIs using internal IPs without using a NAT. They have set up Private Google Access on the subnet. What else is required?
28. Two organizations have their own GCP projects with VPCs that are peered. They want to allow a service in VPC-A to be consumed by VPC-B using Private Service Connect. What configuration is required in VPC-A?
29. A company has a VPC with firewall rules. They want to ensure that only traffic from known IP ranges can access their web server instances. Which two firewall rule configurations are appropriate? (Choose two.)
30. An organization is configuring Cloud NAT to allow private instances to access the internet. Which three statements about Cloud NAT are correct? (Choose three.)
31. A company is designing a VPC routing strategy. Which three are valid route types in Google Cloud VPC? (Choose three.)
32. A company has an HA VPN tunnel between on-premises and Google Cloud. They want traffic destined to 10.1.0.0/16 (a subnet in their VPC) to go through a specific next-hop VPN tunnel interface, but currently traffic is being dropped. What should they verify?
33. A developer needs to allow a VM in subnet A to reach a VM in subnet B in the same VPC. What is the default behavior?
34. An organization uses Shared VPC with multiple service projects. They want to ensure that only certain service projects can use a specific subnet. How can this be achieved?
35. Which TWO of the following are required to enable Private Google Access for a subnet?
36. Which THREE of the following are benefits of using VPC Flow Logs?
37. A company has VPC peering between two VPC networks. They want to ensure that traffic from VPC A to VPC B can use a custom route in VPC A that points to a next-hop appliance in VPC A. Which TWO conditions must be met?
38. Refer to the exhibit. A VM in the default VPC with tag 'internal' and IP 10.128.1.2 is unable to communicate with another VM with IP 10.132.0.3 and tag 'internal'. What is the most likely cause?
39. Refer to the exhibit. A VM in my-subnet without an external IP address cannot access Google APIs. What is the likely missing configuration?
40. Refer to the exhibit. A company uses a Cloud Router with two BGP sessions for an HA VPN to on-premises. Traffic is not flowing correctly to the on-premises network. What is the most likely issue?
41. A company wants to connect two VPC networks using VPC Network Peering. What is required for this setup?
42. A network engineer is troubleshooting connectivity from a VM to an on-premises server over a Cloud VPN. The VM can reach the on-premises server, but the return traffic is dropped. What is the most likely cause?
43. A company is designing a multi-region architecture with Active/Active failover across two regions using Cloud VPN. They want to ensure that traffic from on-premises to a global external HTTPS load balancer is routed to the nearest region based on latency. What should they configure on the on-premises side?
44. A developer wants to create a VM that can communicate with all Google APIs without requiring an external IP address. Which configuration is necessary?
45. A company has a VPC with subnets in us-central1 and europe-west1. They want to deploy a Cloud NAT to allow VMs in both regions to access the internet. How many Cloud NAT gateways are needed?
46. An organization uses Shared VPC with multiple service projects. They want to allow a service project to create a VM in a subnet that belongs to the host project. The subnet has an IAM policy that grants the compute.instanceAdmin role to the service project's service account. However, the service project is unable to create VMs in that subnet. What is the most likely reason?
47. A company wants to provide internet access to their Compute Engine instances without assigning external IP addresses. Which Google Cloud service should they use?
48. A network engineer is configuring VPC peering between two VPCs in the same project. The peering status is ACTIVE, but instances in one VPC cannot reach instances in the other VPC using internal IPs. The firewall rules are default (ingress deny all). What is the most likely cause?
49. A company uses VPC Flow Logs for traffic analysis. They notice that logs are missing for a specific Compute Engine instance that handles high traffic. The subnet has Flow Logs enabled. What is the most likely reason?
50. An organization needs to connect two VPCs in different regions using Google's backbone. What is the recommended solution?
51. A network engineer wants to allow specific instances to use Cloud NAT while others should not. Which configuration step should be taken?
52. An engineer runs 'gcloud compute networks peerings list' and sees state 'INACTIVE' for a peering connection. Which is the most likely cause?
53. Which of the following is a benefit of using Shared VPC?
54. A company needs to connect on-premises to Google Cloud with overlapping IP ranges. The on-premises network uses 10.0.0.0/16 and the VPC uses 10.0.0.0/16. What is the best approach?
55. A security team wants to restrict which Google services can be accessed from their VPC without external IPs. They use Private Google Access. What should they use to block access to specific services?
56. Which TWO statements about VPC peering are correct?
57. Which THREE statements about Shared VPC are correct?
58. Which THREE statements about VPC Flow Logs are correct?
59. Refer to the exhibit. You have two VPCs, vpc-a and vpc-b, with VPC peering configured and custom route import/export enabled. An instance in subnet-a (10.0.1.2) cannot ping an instance in subnet-b (10.0.2.2) using internal IP. Firewall rules are default (deny all ingress). What is the required action?
60. Refer to the exhibit. You are troubleshooting an on-premises to Cloud VPN connection with dynamic routing. The BGP session is CONNECTED, but no routes are received from the on-premises router. What is the most likely cause?
61. Refer to the exhibit. Instances in subnet-b cannot access the internet through Cloud NAT. What is the most likely reason?
62. A company has two VPC networks in the same project: 'vpc-a' (us-central1) and 'vpc-b' (us-east1). They are connected via VPC Network Peering. An instance in vpc-a can ping the internal IP of an instance in vpc-b, but cannot reach it on TCP port 8080. The firewall rule in vpc-b allows ingress from the peered network's subnets. What is the most likely cause?
63. A company is designing a Shared VPC architecture for multiple projects. The host project hosts three VPC networks: 'prod', 'staging', 'dev'. Each service project needs access to a specific network. Some service projects require access to multiple networks. The security team wants to minimize the number of firewall rules and use IAM for centralized control. Which approach meets these requirements?
64. A company has an on-premises data center connected to Google Cloud via Dedicated Interconnect. They have a VPC with subnets in us-central1 and us-west1. They want compute instances in us-central1 to access Google APIs (e.g., Cloud Storage) without traversing the internet, but the on-premises network must also be able to access those APIs via the interconnect. They have configured Private Google Access (PGA) on all subnets. However, on-premises users report that they cannot access Cloud Storage buckets using the private IP of a forward proxy in us-central1 (the proxy is configured to use the default internet gateway for egress). What is the most likely reason?
65. A company wants to enable VPC Flow Logs for a subnet to troubleshoot connectivity issues. They have enabled flow logs with a sample rate of 1.0 and metadata annotation enabled. After a few hours, they notice that logs are being generated but they are missing flows from a specific application server to a database server in the same subnet. Both servers are Compute Engine instances with internal IPs only. What could be the cause?
66. A company has a VPC with three tiers: web, app, and db. They want to enforce that only the web tier can communicate with the app tier on TCP port 8080, and only the app tier can communicate with the db tier on TCP port 3306. All instances are in the same region but different subnets. Which TWO firewall rules should be created? (Choose 2.)
67. A company is planning to migrate its on-premises workloads to Google Cloud. They have a few dedicated servers that need to be reachable from the internet via specific public IPs. Which TWO options should they consider to assign static public IP addresses to their Compute Engine instances? (Choose 2.)
68. A company has a VPC that is connected to an on-premises network via a Cloud VPN tunnel using dynamic routing (BGP). They have set up a Cloud Router with an advertised IP range of 10.0.0.0/8. The on-premises network advertises 172.16.0.0/12. They also have a custom static route in the VPC for 10.0.0.0/8 that points to a next-hop VPN tunnel (the same tunnel) with priority 100. Recently, they added a new subnet 10.1.0.0/24 in the VPC. Traffic from on-premises to 10.1.0.0/24 is not working. Which THREE steps should they take to troubleshoot and resolve the issue? (Choose 3.)
69. A large enterprise has a Google Cloud environment with multiple projects under an organization. They have a Shared VPC host project with a VPC named 'shared-vpc' that has subnets in us-central1 and europe-west1. Several service projects are attached to this host project. One service project, 'proj-analytics', has a Compute Engine instance 'vm-analytics' in us-central1 that needs to connect to a Cloud SQL PostgreSQL instance (private IP) also in us-central1, but within a different service project 'proj-db'. The Cloud SQL instance is configured with a private IP address 10.0.1.5 from a subnet in 'shared-vpc' (the same VPC). The vm-analytics instance has an internal IP 10.0.0.5 from a different subnet in 'shared-vpc'. The two subnets are in the same region, and there is a firewall rule allowing all traffic from 10.0.0.0/16 (the entire VPC range) to the Cloud SQL subnet. However, vm-analytics cannot connect to the Cloud SQL instance. The error on vm-analytics is 'Connection timed out'. There are no firewall rules blocking egress from vm-analytics. What is the most likely cause and solution?
70. A company is migrating from an on-premises data center to Google Cloud. They have set up a High-Availability VPN (with two tunnels) between their on-premises router and a Cloud VPN gateway in a VPC. They use static routing. The on-premises network uses RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the VPC uses 10.1.0.0/16. They have configured static routes in the VPC for the on-premises ranges pointing to the VPN gateway. However, they notice that traffic from on-premises to the VPC is intermittent: sometimes packets go through tunnel 1, sometimes through tunnel 2, and sometimes they drop. The on-premises router is configured to use both tunnels in an active-active mode with equal-cost multipath (ECMP). What is the most likely cause of the intermittent drops?
71. A company uses Cloud NAT to allow instances without external IPs to access the internet. They have a managed instance group (MIG) in us-central1 with 10 instances, all using the same Cloud NAT configured with a single NAT IP address. They notice that some instances are unable to connect to a specific external API endpoint, while others can. The error on the failing instances is 'Cannot connect to host'. The NAT IP is not blacklisted by the API. The Cloud NAT gateway has default settings with a minimum port per VM of 64 and a maximum of 65536. What is the most likely cause?
72. A small company has a single VPC with one subnet in us-central1 (10.0.1.0/24). They have a Compute Engine instance that needs to be reachable from the internet via HTTP (port 80) and HTTPS (port 443). The instance has an external IP address (ephemeral). They have created firewall rules allowing ingress on TCP 80 and 443 from 0.0.0.0/0, with target tags 'web-server'. The instance has been assigned the tag 'web-server'. However, external users report that they cannot access the instance's public IP on either port. The instance's OS firewall (iptables) is default allow. What is the most likely cause?
73. A company has a multi-region VPC with subnets in us-central1 (10.0.0.0/24) and europe-west1 (10.0.1.0/24). They have deployed a global Application Load Balancer (ALB) with backend services in both regions. The backends are instance groups with instances in each subnet. The ALB uses internal IP addresses from a subnet in each region for the backend services. The company wants to restrict access to the ALB so that only traffic from a specific list of external IP addresses (e.g., corporate VPN) can reach the load balancer. They have created a firewall rule allowing ingress from those IP addresses to the ALB's forwarding rule IP (which is a global IP). However, external traffic from allowed IPs is still being blocked. What is the most likely reason?
74. A company has a VPC with a single subnet in us-central1 (10.0.0.0/24). They have a Compute Engine instance running a database that uses an internal IP address 10.0.0.10. They need to ensure that this database instance can be accessed by a legacy on-premises application via a Cloud VPN tunnel. The on-premises network uses 192.168.0.0/16. They have set up an HA VPN gateway with two tunnels and BGP routing. The Cloud Router is configured to advertise the subnet 10.0.0.0/24. On the on-premises side, the router receives the route for 10.0.0.0/24 and has a static route for 10.0.0.0/24 pointing to the VPN tunnel. However, the on-premises application cannot reach the database. The application's server can ping the on-premises gateway, but not the database IP. The database instance's OS firewall allows all traffic from 0.0.0.0/0. What is the most likely cause?
75. A company wants to establish a VPC peering connection between two VPCs in different projects. Which two steps are mandatory to create the peering connection?
76. Refer to the exhibit. A VM in the my-vpc network is unable to reach an external HTTPS server. What is the most likely cause?
77. A company uses a VPC with two subnets: subnet-a (10.0.1.0/24) with VMs tagged 'web', and subnet-b (10.0.2.0/24) with VMs tagged 'db'. They have a Cloud VPN tunnel to an on-premises network (172.16.0.0/16). The VPN tunnel is up and BGP is exchanging routes. A custom route for 172.16.0.0/16 with next hop VPN gateway exists, but it has a tag 'web', meaning it applies only to VMs with the 'web' tag. VMs in subnet-a can reach on-premises, but VMs in subnet-b cannot. Which step should be taken to allow subnet-b VMs to reach on-premises?
The Implementing a Virtual Private Cloud domain covers the key concepts tested in this area of the PCNE exam blueprint published by Google Cloud. The Courseiva PCNE question bank contains 77 questions in this domain, each with a full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The practice sessions for this page draw questions exclusively from the Implementing a Virtual Private Cloud domain. Choose 10, 20, 30, or 50 questions for a focused session, or review individual questions one by one.