Google Cloud · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.
Your company is deploying a multi-tier web application on Google Kubernetes Engine (GKE) with a regional cluster. You need to design network policies to allow traffic only from the frontend pods to the backend pods on port 8080. Which of the following is the most secure and recommended approach?
Define a Kubernetes NetworkPolicy that allows ingress to backend pods from frontend pods on port 8080.
NetworkPolicy is the native Kubernetes mechanism for pod-level traffic control.
Configure Private Service Connect to restrict access to backend pods.
Create VPC firewall rules to allow ingress from frontend pods to backend pods on port 8080.
Use Cloud Armor security policies to restrict traffic to backend pods.
A company is designing a hybrid connectivity solution between an on-premises data center and Google Cloud. They have a high bandwidth requirement of 20 Gbps and need a service level agreement (SLA) of 99.99% availability. Which connectivity option should they choose?
Cloud VPN with two tunnels each using 1 Gbps
Dedicated Interconnect with two 10 Gbps connections
Dedicated Interconnect provides 99.99% SLA with redundant connections.
Direct Peering
Partner Interconnect with two 10 Gbps connections
A network engineer needs to design a VPC network for a global application that will have Compute Engine instances in multiple regions. The instances need to communicate with each other using internal IP addresses. What is the simplest way to enable this communication?
Use Dedicated Interconnect to connect regions.
Use Cloud VPN to connect the instances.
Create a single VPC network with subnets in each region.
A global VPC network inherently provides internal connectivity across regions.
Create separate VPC networks per region and peer them.
Which TWO of the following are valid methods to reduce latency between users in Europe and a GCP-hosted application?
Establish a Cloud VPN tunnel to the user's ISP.
Use Cloud CDN to cache content at edge locations.
Brings content closer to users.
Use Premium Tier networking instead of Standard Tier.
Use Cloud NAT for outbound traffic.
Deploy Compute Engine instances in a European region.
Reduces network distance.
Which THREE of the following are requirements for implementing a Global External HTTP(S) Load Balancer with an external backend?
The backend must be configured with Private Google Access.
The backend must support health checks from the load balancer's health check IP ranges.
Health checks are required for proper traffic routing.
The backend must have an SSL certificate installed.
Firewall rules must allow traffic from the load balancer's IP ranges.
Firewall must permit health checks and traffic from load balancer.
The backend must have a public IP address or be accessible via internet.
Global external load balancer requires internet connectivity to backends.
A network engineer is troubleshooting connectivity from a Compute Engine instance in subnet-a to a Google Cloud Storage bucket. The instance has no external IP address. Based on the exhibit, what is the most likely cause of the connectivity issue?
The subnet purpose is PRIVATE, which blocks Google APIs.
Private Google Access is disabled on the subnet.
Private Google Access must be enabled for instances without external IPs to access Google APIs.
The subnet CIDR range is too small.
Flow logs are disabled, so traffic is not logged.
Want more Designing, planning, and prototyping a GCP network practice?
A company is deploying a Dedicated Interconnect with a 10 Gbps circuit to Google Cloud. They need to ensure high availability. Which configuration is required by Google Cloud to meet the high availability SLA?
Combine Dedicated Interconnect with a Cloud VPN tunnel for failover
Use Partner Interconnect instead of Dedicated Interconnect
Provision two VLAN attachments on two separate Cloud Routers in different zones
Two VLAN attachments in different zones provide redundancy and meet the HA SLA.
Provision a single VLAN attachment on one Cloud Router
A company has a Hybrid Connectivity setup using Cloud VPN with dynamic routing (BGP). They notice that traffic from their on-premises network to Google Cloud is intermittently dropping. The on-premises BGP speaker is sending routes with a higher local preference (200) than the Google Cloud router (default 100). What is the most likely cause of the intermittent drops?
AS path prepending is causing route flapping
Asymmetric routing is causing traffic to be dropped by stateful firewalls
Higher local preference can cause asymmetric routing, leading to stateful firewall drops.
Cloud Router is not configured for ECMP
The BGP MED attribute is misconfigured
A multinational corporation is connecting five on-premises data centers to Google Cloud using Cloud Interconnect. Each data center has a dedicated 10 Gbps connection. They want to ensure that if one Interconnect fails, traffic is automatically redistributed across the remaining connections without manual intervention. Which solution meets this requirement?
Configure multiple VLAN attachments on a single Cloud Router and rely on link aggregation
Deploy Cloud VPN tunnels as backup and configure static routes with lower priority
Configure VPC Network Peering between all data centers and Google Cloud
Use a Cloud Router with BGP and establish multiple BGP sessions over each Interconnect
BGP with ECMP allows automatic failover across multiple Interconnects.
An organization wants to migrate legacy on-premises applications to Google Cloud but must maintain low-latency connectivity for real-time data synchronization. The on-premises data center is in a colocation facility that is not directly served by Google Cloud. Which hybrid connectivity option is most cost-effective while meeting the latency requirement?
Direct Peering
Cloud VPN with dynamic routing
Partner Interconnect
Uses a service provider to connect to Google Cloud, cost-effective and low latency.
Dedicated Interconnect
A company is using Cloud VPN with BGP to connect their on-premises network to Google Cloud. They have two VPN tunnels from two different on-premises VPN gateways to a single Cloud VPN gateway. They notice that during maintenance on one on-premises gateway, traffic fails over to the other tunnel, but after the maintenance, traffic does not fail back. What is the most likely cause?
Only one VPN tunnel can be active at a time
The BGP local preference on the primary tunnel is not higher than the backup tunnel
Without a higher local preference, the backup tunnel remains preferred after failover.
Cloud VPN gateway does not support BGP
The backup tunnel does not have a valid BGP session
A financial services company is required to encrypt all data in transit between their on-premises data center and Google Cloud. They have a Dedicated Interconnect connection. They want to meet the encryption requirement while minimizing overhead and complexity. Which solution should they implement?
Enable MACsec on the Dedicated Interconnect
Provides link-layer encryption with minimal overhead.
Enable TLS encryption on all applications
Use Cloud VPN over the internet instead of Dedicated Interconnect
Establish an IPsec VPN tunnel over the Dedicated Interconnect
Want more Implementing hybrid interconnectivity practice?
A company has deployed a Global External Application Load Balancer with Premium Tier and enables Cloud CDN. Users in Europe report high latency, while users in the US have good performance. The backend is a regional NEG in us-west1. What is the most likely cause?
The load balancer is using Premium Tier, which routes to the nearest backend; the backend is only in us-west1.
Cloud CDN is not enabled on the load balancer.
The load balancer is using Standard Tier, which does not support global anycast.
The origin server is sending 'Cache-Control: private' headers, preventing Cloud CDN from caching.
Cloud CDN respects origin cache headers; private or no-store headers prevent caching, so all requests hit the backend.
A company is migrating on-premises DNS to Google Cloud. They have a hybrid network using Cloud VPN and want to resolve on-premises hostnames from Compute Engine instances without custom scripts. Which service should they use?
Use Cloud DNS inbound server policy to forward queries to on-premises DNS.
Cloud DNS inbound server policy enables DNS queries from GCP to be forwarded to on-premises DNS servers via VPN or Interconnect.
Create a forwarding zone in Cloud DNS and associate it with the VPC.
Enable Private Google Access on the VPC subnet.
Configure Cloud NAT to forward DNS queries to on-premises DNS servers.
A network engineer is configuring a Cloud Router for BGP peering with an on-premises router over a VPN tunnel. The on-premises router uses 169.254.x.x link-local addresses. Which BGP peer IP should the engineer use in the Cloud Router configuration?
169.254.0.1
Google requires BGP peer IPs to be in the 169.254.0.0/16 range for Cloud VPN tunnels.
10.0.0.1
The tunnel's external IP address
The on-premises router's external IP address
A company uses an internal TCP/UDP load balancer to distribute traffic to a backend service. The backend instances are in an unmanaged instance group. Some instances fail health checks and are removed. What happens to existing connections to failed instances?
The load balancer drains existing connections before removing the instance.
Existing connections are seamlessly redirected to healthy instances.
Existing connections are terminated immediately.
Internal TCP/UDP load balancers do not provide connection draining; connections are dropped.
The load balancer waits for all existing connections to close before removing the instance.
A company has a VPC with subnets in us-central1 and europe-west1. They create a Private Service Connect endpoint for a managed service in us-central1. Can Compute Engine instances in europe-west1 access the endpoint?
Yes, if they use a global load balancer in front of the endpoint.
No, unless the VPC is peered with another VPC that contains the endpoint.
Yes, because the endpoint is accessible from any region in the VPC.
No, because the endpoint is only accessible from the same region.
Private Service Connect endpoints are regional; instances must be in the same region to access the endpoint.
A company is designing a hybrid network using Dedicated Interconnect. They want to configure BGP for load balancing across multiple VLAN attachments. Which TWO statements are correct?
You must create a separate Cloud Router for each VLAN attachment.
You can configure the Cloud Router to advertise the same IP prefixes over both VLAN attachments.
Advertising the same prefixes over multiple VLANs enables load balancing.
You should use BGP MED to load balance outbound traffic from Google Cloud.
You can use the same BGP ASN for both VLAN attachments.
It is common to use the same ASN for multiple BGP sessions on the same Cloud Router.
Load balancing across VLAN attachments requires a single BGP session.
Want more Configuring network services practice?
A company is using Cloud NAT for internet access from private subnets. The security team notices that traffic from a specific VM is being blocked by external firewalls because the source IP is not the Cloud NAT IP. What is the most likely cause?
The VM is in a different zone than the Cloud NAT gateway
The VPC firewall rules are blocking outbound traffic from the VM to the Cloud NAT IP
Cloud Router is misconfigured and not advertising the Cloud NAT IP
The VM has a custom route that does not use the default route through Cloud NAT
Traffic must match the default route to be source NATed by Cloud NAT.
An organization wants to restrict access to a Cloud Storage bucket so that only VMs within a specific VPC network can download objects. They are using VPC Service Controls and Private Google Access. Which configuration is required?
Enable Cloud NAT and configure a firewall rule to allow egress to 0.0.0.0/0
Configure a Service Directory endpoint and attach an IAM policy to the bucket allowing access only from that endpoint
Create a firewall rule allowing egress to the storage.googleapis.com service IP range and enable VPC flow logs
Enable Private Google Access on the subnet and create a VPC Service Controls perimeter that includes the bucket project
Private Google Access enables internal IP access to Google APIs, and VPC Service Controls restricts access to the perimeter.
A network engineer is troubleshooting connectivity from an on-premises network to a GCE VM through a VPN tunnel. The tunnel is established, but traffic is not reaching the VM. What should the engineer check first?
Check VPC firewall rules to ensure ingress traffic from the on-premises subnet is allowed to the VM
Firewall rules must allow traffic from the on-premises IP range to the VM's target tags or service account.
Check the VM's OS firewall to see if it is blocking incoming traffic
Verify that the VPN tunnel is using the correct pre-shared key
Review Cloud Armor security policies that may be blocking the traffic
A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?
Deploy the Cloud SQL Auth Proxy on each VM and configure IAM permissions for each VM's service account
Use Shared VPC and assign the specific VMs to a subnet with a dedicated secondary IP range, then restrict database access to that range
Use Private Service Connect to publish the database as a managed service and create a Private Service Connect endpoint in the spoke VPC with IAM permissions for the specific VM service accounts
Private Service Connect provides per-service account authorization and network isolation.
Configure firewall rules in the hub project to allow traffic only from the specific VM internal IPs
A company uses Cloud Armor to protect an HTTPS Load Balancer. They notice that legitimate traffic from a specific geographic region is being blocked. The security policy has a deny rule for that region. What is the correct way to allow traffic from that region while still protecting against attacks?
Remove the deny rule for that region and rely on other security measures
Add a new allow rule for that region with a lower priority number than the deny rule
Lower priority number means higher precedence, so the allow rule will be evaluated first.
Remove all rules and add a single allow rule for the legitimate region
Reorder the rules so that the deny rule is at the bottom of the list
A company is implementing VPC Service Controls to protect a managed project containing BigQuery datasets. They want to allow access from a specific service account in a different project. Which two configurations are required? (Choose TWO.)
Add the project containing the service account to the VPC Service Controls perimeter
Accessible resources are limited to perimeters that include the client project.
Create a firewall rule in the client VPC allowing egress to the BigQuery API
Configure an IAM condition on the service account's roles to restrict access to the perimeter
Grant the appropriate IAM roles (e.g., BigQuery Data Viewer) to the service account on the BigQuery dataset
Even with the perimeter in place, the service account still needs IAM permissions to access the dataset.
Enable Private Google Access on the subnet where the service account's VMs are located
Want more Implementing network security practice?
A company is deploying a multi-tier web application on Google Cloud. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier must not have any public IP addresses. Which VPC design should be used?
Use a Shared VPC with separate subnets in different projects for each tier.
Use three separate VPCs for each tier and connect them using VPC peering.
Separate VPCs provide full isolation; peering allows controlled communication.
Use a single VPC and connect the database tier via Cloud VPN to on-premises.
Use a single VPC with separate subnets for each tier and configure firewall rules to restrict traffic.
An organization has a VPC with custom mode subnets in us-central1 and europe-west1. They create a VM instance in us-central1 with an internal IP 10.0.1.2 and a VM in europe-west1 with internal IP 10.0.2.2. They want to enable communication between these instances using internal IPs. What must be configured?
Ensure the VPC firewall rules allow ingress from the source subnet or instance.
Firewall rules control traffic within a VPC; by default, all internal traffic is allowed, but custom rules could block it.
Set up VPC peering between the two regions.
No additional configuration is needed because internal IPs are routable within the VPC.
Enable Cloud NAT for the VPC.
A startup wants to create a VPC with a subnet that can grow automatically as they add more VM instances. Which subnet type should they use?
Custom mode subnet
Dynamic subnet
Legacy network
Auto mode subnet
Auto mode subnets automatically allocate IP ranges and expand as needed.
A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They need to add a new subnet for a Kubernetes cluster that requires a secondary IP range for pods. The primary IP range of the new subnet must be 10.0.2.0/24. What is the correct way to create this subnet?
Create the subnet with primary range 10.0.2.0/24 and specify the secondary range at creation time.
Secondary ranges must be specified at subnet creation.
Create the subnet with primary range 10.0.2.0/24 and then update it to add the secondary range.
Create two subnets: one with 10.0.2.0/24 for primary and another for the secondary range.
Create an auto mode subnet and let Google Cloud assign the secondary range automatically.
An organization is migrating to Google Cloud and requires connectivity between their on-premises network and VPC. They plan to use Cloud VPN with dynamic routing (BGP). Which VPC feature is required for this setup?
Cloud NAT
VPC peering
Cloud Router
Cloud Router manages BGP sessions for dynamic routing with VPN or Interconnect.
VPC Flow Logs
A company has a VPC with a subnet in us-central1 and needs to allow HTTP traffic (port 80) from the internet to a VM instance. Which TWO configurations are required?
Configure Cloud NAT for the VPC.
Assign an external IP address to the VM.
An external IP allows the VM to be reachable from the internet.
Enable Private Google Access on the subnet.
Assign a static internal IP address to the VM.
Create a firewall rule to allow ingress on TCP port 80 from 0.0.0.0/0.
Firewall rule must permit incoming HTTP traffic.
Want more Implementing a Virtual Private Cloud practice?
The PCNE exam has 60 questions and must be completed in 120 minutes. The passing score is 720/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 5 domains: Designing, planning, and prototyping a GCP network, Implementing hybrid interconnectivity, Configuring network services, Implementing network security, Implementing a Virtual Private Cloud. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Google Cloud PCNE exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.