© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Google Cloud · Free Practice Questions · Last reviewed May 2026

PCNE Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.

60 exam questions
120 min time limit
Pass: 720/1000
5 exam domains
Exam domains:
1. Designing, planning, and prototyping a GCP network
2. Implementing hybrid interconnectivity
3. Configuring network services
4. Implementing network security
5. Implementing a Virtual Private Cloud

Domain 1: Designing, planning, and prototyping a GCP network

Q1 (medium)

Your company is deploying a multi-tier web application on Google Kubernetes Engine (GKE) with a regional cluster. You need to design network policies to allow traffic only from the frontend pods to the backend pods on port 8080. Which of the following is the most secure and recommended approach?

A. Define a Kubernetes NetworkPolicy that allows ingress to backend pods from frontend pods on port 8080. (Correct: NetworkPolicy is the native Kubernetes mechanism for pod-level traffic control.)
B. Configure Private Service Connect to restrict access to backend pods.
C. Create VPC firewall rules to allow ingress from frontend pods to backend pods on port 8080.
D. Use Cloud Armor security policies to restrict traffic to backend pods.

Why: A Kubernetes NetworkPolicy is the native and most secure way to control pod-to-pod traffic within a GKE cluster. By defining an ingress rule that allows traffic only from frontend pods (selected via pod labels) to backend pods on TCP port 8080, you enforce micro-segmentation at the pod level, which is the recommended practice for multi-tier applications. This approach works regardless of the underlying node or VPC configuration and is fully integrated with GKE's network policies engine (Calico or Cilium).
Q2 (hard)

A company is designing a hybrid connectivity solution between an on-premises data center and Google Cloud. They have a high bandwidth requirement of 20 Gbps and need a service level agreement (SLA) of 99.99% availability. Which connectivity option should they choose?

A. Cloud VPN with two tunnels each using 1 Gbps
B. Dedicated Interconnect with two 10 Gbps connections (Correct: Dedicated Interconnect provides 99.99% SLA with redundant connections.)
C. Direct Peering
D. Partner Interconnect with two 10 Gbps connections

Why: Dedicated Interconnect provides direct, private connections between your on-premises network and Google Cloud, supporting up to 10 Gbps per circuit. By using two 10 Gbps connections in an active-active or active-passive configuration, you can achieve the required 20 Gbps aggregate bandwidth and meet the 99.99% SLA, as Google guarantees this SLA when you have at least two redundant connections.
Q3 (easy)

A network engineer needs to design a VPC network for a global application that will have Compute Engine instances in multiple regions. The instances need to communicate with each other using internal IP addresses. What is the simplest way to enable this communication?

A. Use Dedicated Interconnect to connect regions.
B. Use Cloud VPN to connect the instances.
C. Create a single VPC network with subnets in each region. (Correct: A global VPC network inherently provides internal connectivity across regions.)
D. Create separate VPC networks per region and peer them.

Why: A single VPC network is global and can contain subnets in any region. By placing subnets in each required region within the same VPC, instances can communicate using internal IP addresses (RFC 1918) without any additional connectivity services. This is the simplest and most scalable approach because VPCs inherently provide global routing between subnets.
Q4 (medium)

Which TWO of the following are valid methods to reduce latency between users in Europe and a GCP-hosted application?

A. Establish a Cloud VPN tunnel to the user's ISP.
B. Use Cloud CDN to cache content at edge locations. (Correct: Brings content closer to users.)
C. Use Premium Tier networking instead of Standard Tier.
D. Use Cloud NAT for outbound traffic.
E. Deploy Compute Engine instances in a European region. (Correct: Reduces network distance.)

Why: Cloud CDN uses Google's globally distributed edge caches to serve content from locations closer to users, reducing round-trip time and latency. For users in Europe, cached static or dynamic content is delivered from a nearby edge PoP, bypassing the need to fetch from the origin server in a potentially distant region.
Q5 (hard)

Which THREE of the following are requirements for implementing a Global External HTTP(S) Load Balancer with an external backend?

A. The backend must be configured with Private Google Access.
B. The backend must support health checks from the load balancer's health check IP ranges. (Correct: Health checks are required for proper traffic routing.)
C. The backend must have an SSL certificate installed.
D. Firewall rules must allow traffic from the load balancer's IP ranges. (Correct: Firewall must permit health checks and traffic from the load balancer.)
E. The backend must have a public IP address or be accessible via the internet. (Correct: A global external load balancer requires internet connectivity to backends.)

Why: Option B is correct because Global External HTTP(S) Load Balancers use Google's frontend (proxying) IP ranges to send health checks to backends. The backend must allow inbound traffic from these specific health check IP ranges (e.g., 35.191.0.0/16 and 130.211.0.0/22) to receive health probes; otherwise, the load balancer will mark the backend as unhealthy and stop forwarding traffic.
Q6 (hard)

A network engineer is troubleshooting connectivity from a Compute Engine instance in subnet-a to a Google Cloud Storage bucket. The instance has no external IP address. Based on the exhibit, what is the most likely cause of the connectivity issue?

A. The subnet purpose is PRIVATE, which blocks Google APIs.
B. Private Google Access is disabled on the subnet. (Correct: Private Google Access must be enabled for instances without external IPs to access Google APIs.)
C. The subnet CIDR range is too small.
D. Flow logs are disabled, so traffic is not logged.

Why: The instance has no external IP address, so it must use Private Google Access to reach Google APIs and services like Cloud Storage. Private Google Access is enabled at the subnet level; if it is disabled, the instance cannot route traffic to the Google API VIPs through the default route (0.0.0.0/0) without a NAT gateway or external IP. Option B correctly identifies this as the most likely cause.

Domain 2: Implementing hybrid interconnectivity

Q1 (easy)

A company is deploying a Dedicated Interconnect with a 10 Gbps circuit to Google Cloud. They need to ensure high availability. Which configuration is required by Google Cloud to meet the high availability SLA?

A. Combine Dedicated Interconnect with a Cloud VPN tunnel for failover
B. Use Partner Interconnect instead of Dedicated Interconnect
C. Provision two VLAN attachments on two separate Cloud Routers in different zones (Correct: Two VLAN attachments in different zones provide redundancy and meet the HA SLA.)
D. Provision a single VLAN attachment on one Cloud Router

Why: To meet the high availability SLA for Dedicated Interconnect, Google Cloud requires at least two VLAN attachments, each on a separate Cloud Router in different zones. This ensures that if one zone or Cloud Router fails, traffic can still flow through the other attachment, providing redundancy. A single VLAN attachment or a single Cloud Router does not meet the 99.99% availability SLA because it creates a single point of failure.
Q2 (medium)

A company has a Hybrid Connectivity setup using Cloud VPN with dynamic routing (BGP). They notice that traffic from their on-premises network to Google Cloud is intermittently dropping. The on-premises BGP speaker is sending routes with a higher local preference (200) than the Google Cloud router (default 100). What is the most likely cause of the intermittent drops?

A. AS path prepending is causing route flapping
B. Asymmetric routing is causing traffic to be dropped by stateful firewalls (Correct: Higher local preference can cause asymmetric routing, leading to stateful firewall drops.)
C. Cloud Router is not configured for ECMP
D. The BGP MED attribute is misconfigured

Why: The on-premises BGP speaker is sending routes with a higher local preference (200) than the default on Cloud Router (100). This makes the on-premises route preferred for return traffic from Google Cloud, but the forward traffic from on-premises may still use the Cloud VPN tunnel. This asymmetry causes stateful firewalls (e.g., on-premises firewall or Google Cloud firewall) to drop packets that do not match an existing session, leading to intermittent drops.
Q3 (hard)

A multinational corporation is connecting five on-premises data centers to Google Cloud using Cloud Interconnect. Each data center has a dedicated 10 Gbps connection. They want to ensure that if one Interconnect fails, traffic is automatically redistributed across the remaining connections without manual intervention. Which solution meets this requirement?

A. Configure multiple VLAN attachments on a single Cloud Router and rely on link aggregation
B. Deploy Cloud VPN tunnels as backup and configure static routes with lower priority
C. Configure VPC Network Peering between all data centers and Google Cloud
D. Use a Cloud Router with BGP and establish multiple BGP sessions over each Interconnect (Correct: BGP with ECMP allows automatic failover across multiple Interconnects.)

Why: Option D is correct because Cloud Router with BGP enables dynamic routing, allowing multiple BGP sessions over each Cloud Interconnect. When one interconnect fails, BGP withdraws the affected routes, and traffic is automatically redistributed across the remaining BGP sessions without manual intervention. This meets the requirement for automatic failover and load balancing across the five 10 Gbps connections.
Q4 (easy)

An organization wants to migrate legacy on-premises applications to Google Cloud but must maintain low-latency connectivity for real-time data synchronization. The on-premises data center is in a colocation facility that is not directly served by Google Cloud. Which hybrid connectivity option is most cost-effective while meeting the latency requirement?

A. Direct Peering
B. Cloud VPN with dynamic routing
C. Partner Interconnect (Correct: Uses a service provider to connect to Google Cloud; cost-effective and low latency.)
D. Dedicated Interconnect

Why: Partner Interconnect is the most cost-effective option because it provides a dedicated, low-latency connection through a supported service provider that can extend connectivity from the colocation facility to a Google Cloud region. Unlike Dedicated Interconnect, it does not require physical cross-connects in a Google Cloud colocation facility, making it ideal when the on-premises site is not directly served by Google Cloud. It meets the real-time synchronization latency requirement by offering a reliable, high-bandwidth connection with SLA-backed uptime.
Q5 (medium)

A company is using Cloud VPN with BGP to connect their on-premises network to Google Cloud. They have two VPN tunnels from two different on-premises VPN gateways to a single Cloud VPN gateway. They notice that during maintenance on one on-premises gateway, traffic fails over to the other tunnel, but after the maintenance, traffic does not fail back. What is the most likely cause?

A. Only one VPN tunnel can be active at a time
B. The BGP local preference on the primary tunnel is not higher than on the backup tunnel (Correct: Without a higher local preference, the backup tunnel remains preferred after failover.)
C. Cloud VPN gateway does not support BGP
D. The backup tunnel does not have a valid BGP session

Why: B is correct because BGP local preference is used to influence outbound traffic path selection. If the primary tunnel's local preference is not higher than the backup tunnel's, BGP will not prefer the primary route after the primary session recovers, causing traffic to remain on the backup tunnel. This is classic BGP route selection behavior, where the highest local preference wins.
Q6 (hard)

A financial services company is required to encrypt all data in transit between their on-premises data center and Google Cloud. They have a Dedicated Interconnect connection. They want to meet the encryption requirement while minimizing overhead and complexity. Which solution should they implement?

A. Enable MACsec on the Dedicated Interconnect (Correct: Provides link-layer encryption with minimal overhead.)
B. Enable TLS encryption on all applications
C. Use Cloud VPN over the internet instead of Dedicated Interconnect
D. Establish an IPsec VPN tunnel over the Dedicated Interconnect

Why: MACsec (IEEE 802.1AE) provides Layer 2 encryption on the Dedicated Interconnect link itself, encrypting all traffic between the on-premises router and the Google Cloud edge router without requiring any changes to applications or additional VPN gateways. This meets the encryption requirement with minimal overhead and complexity because MACsec operates transparently at the data link layer, adding negligible latency and no per-packet processing overhead compared to IPsec or TLS.

Domain 3: Configuring network services

Q1 (medium)

A company has deployed a Global External Application Load Balancer with Premium Tier and enables Cloud CDN. Users in Europe report high latency, while users in the US have good performance. The backend is a regional NEG in us-west1. What is the most likely cause?

A. The load balancer is using Premium Tier, which routes to the nearest backend; the backend is only in us-west1.
B. Cloud CDN is not enabled on the load balancer.
C. The load balancer is using Standard Tier, which does not support global anycast.
D. The origin server is sending 'Cache-Control: private' headers, preventing Cloud CDN from caching. (Correct: Cloud CDN respects origin cache headers; private or no-store headers prevent caching, so all requests hit the backend.)

Why: Option D is correct because Cloud CDN cannot cache responses that include a 'Cache-Control: private' header. This header instructs intermediate caches (including CDN nodes) not to store the response, forcing all requests to go to the origin server in us-west1. Users in Europe experience high latency because their requests must traverse the long distance to the US origin, while US users benefit from shorter paths. Enabling Cloud CDN alone does not guarantee caching; the origin must also allow caching by omitting 'private' or setting appropriate 'Cache-Control: public' and 'max-age' directives.
Q2 (hard)

A company is migrating on-premises DNS to Google Cloud. They have a hybrid network using Cloud VPN and want to resolve on-premises hostnames from Compute Engine instances without custom scripts. Which service should they use?

A. Use Cloud DNS inbound server policy to forward queries to on-premises DNS. (Correct: Cloud DNS inbound server policy enables DNS queries from GCP to be forwarded to on-premises DNS servers via VPN or Interconnect.)
B. Create a forwarding zone in Cloud DNS and associate it with the VPC.
C. Enable Private Google Access on the VPC subnet.
D. Configure Cloud NAT to forward DNS queries to on-premises DNS servers.

Why: Cloud DNS inbound server policy allows on-premises DNS servers to receive DNS queries from Compute Engine instances by creating a VPC-scoped policy that forwards queries to the IP addresses of on-premises DNS resolvers over Cloud VPN. This enables hybrid name resolution without custom scripts, as the policy automatically handles the forwarding of DNS requests from Google Cloud resources to the on-premises DNS infrastructure.
Q3 (easy)

A network engineer is configuring a Cloud Router for BGP peering with an on-premises router over a VPN tunnel. The on-premises router uses 169.254.x.x link-local addresses. Which BGP peer IP should the engineer use in the Cloud Router configuration?

A. 169.254.0.1 (Correct: Google requires BGP peer IPs to be in the 169.254.0.0/16 range for Cloud VPN tunnels.)
B. 10.0.0.1
C. The tunnel's external IP address
D. The on-premises router's external IP address

Why: The correct BGP peer IP is 169.254.0.1 because Cloud Router uses the first IP in the 169.254.0.0/16 link-local range for BGP peering over a VPN tunnel. This is required by Google Cloud's implementation, where the on-premises router must use a link-local address from the 169.254.0.0/16 range, and Cloud Router automatically assigns 169.254.0.1 as its own BGP peer IP. The on-premises router typically uses 169.254.0.2 as its BGP peer IP, ensuring a point-to-point link-local BGP session.
Q4 (medium)

A company uses an internal TCP/UDP load balancer to distribute traffic to a backend service. The backend instances are in an unmanaged instance group. Some instances fail health checks and are removed. What happens to existing connections to failed instances?

A. The load balancer drains existing connections before removing the instance.
B. Existing connections are seamlessly redirected to healthy instances.
C. Existing connections are terminated immediately. (Correct: Internal TCP/UDP load balancers do not provide connection draining; connections are dropped.)
D. The load balancer waits for all existing connections to close before removing the instance.

Why: When an instance in an unmanaged instance group fails a health check, the internal TCP/UDP load balancer immediately terminates all existing connections to that instance. This is because the load balancer does not support connection draining for unmanaged instance groups; it simply stops forwarding new traffic and drops existing flows to the failed instance. The abrupt termination occurs because the load balancer operates at Layer 4 and has no mechanism to gracefully close TCP connections or wait for application-level cleanup.
Q5 (hard)

A company has a VPC with subnets in us-central1 and europe-west1. They create a Private Service Connect endpoint for a managed service in us-central1. Can Compute Engine instances in europe-west1 access the endpoint?

A. Yes, if they use a global load balancer in front of the endpoint.
B. No, unless the VPC is peered with another VPC that contains the endpoint.
C. Yes, because the endpoint is accessible from any region in the VPC.
D. No, because the endpoint is only accessible from the same region. (Correct: Private Service Connect endpoints are regional; instances must be in the same region to access the endpoint.)

Why: Private Service Connect (PSC) endpoints are regional resources. An endpoint created in us-central1 is only accessible from Compute Engine instances within the same region (us-central1) of the VPC. Instances in europe-west1 cannot directly reach the endpoint because traffic would need to cross regional boundaries, which PSC does not support for producer endpoints. Option D correctly identifies this regional restriction.
Q6 (medium)

A company is designing a hybrid network using Dedicated Interconnect. They want to configure BGP for load balancing across multiple VLAN attachments. Which TWO statements are correct?

A. You must create a separate Cloud Router for each VLAN attachment.
B. You can configure the Cloud Router to advertise the same IP prefixes over both VLAN attachments. (Correct: Advertising the same prefixes over multiple VLANs enables load balancing.)
C. You should use BGP MED to load balance outbound traffic from Google Cloud.
D. You can use the same BGP ASN for both VLAN attachments. (Correct: It is common to use the same ASN for multiple BGP sessions on the same Cloud Router.)
E. Load balancing across VLAN attachments requires a single BGP session.

Why: Option B is correct because a Cloud Router can advertise the same IP prefixes over multiple VLAN attachments to enable load balancing. This allows Google Cloud to use ECMP (Equal-Cost Multi-Path) routing to distribute outbound traffic across the two VLAN attachments, as long as the BGP attributes (e.g., AS path length, MED) are equal.

Domain 4: Implementing network security

Q1 (medium)

A company is using Cloud NAT for internet access from private subnets. The security team notices that traffic from a specific VM is being blocked by external firewalls because the source IP is not the Cloud NAT IP. What is the most likely cause?

A. The VM is in a different zone than the Cloud NAT gateway
B. The VPC firewall rules are blocking outbound traffic from the VM to the Cloud NAT IP
C. Cloud Router is misconfigured and not advertising the Cloud NAT IP
D. The VM has a custom route that does not use the default route through Cloud NAT (Correct: Traffic must match the default route to be source NATed by Cloud NAT.)

Why: Option D is correct because Cloud NAT relies on the default route (0.0.0.0/0) pointing to the Cloud Router to direct traffic through the NAT gateway. If a VM has a custom route that overrides the default route (e.g., a more specific route to an external IP or a route to a different next hop), the VM's outbound traffic will bypass Cloud NAT entirely, resulting in the source IP being the VM's private IP instead of the Cloud NAT IP. This causes external firewalls to block the traffic, as the source IP is not the expected NAT IP.
Q2 (hard)

An organization wants to restrict access to a Cloud Storage bucket so that only VMs within a specific VPC network can download objects. They are using VPC Service Controls and Private Google Access. Which configuration is required?

A. Enable Cloud NAT and configure a firewall rule to allow egress to 0.0.0.0/0
B. Configure a Service Directory endpoint and attach an IAM policy to the bucket allowing access only from that endpoint
C. Create a firewall rule allowing egress to the storage.googleapis.com service IP range and enable VPC flow logs
D. Enable Private Google Access on the subnet and create a VPC Service Controls perimeter that includes the bucket project (Correct: Private Google Access enables internal IP access to Google APIs, and VPC Service Controls restricts access to the perimeter.)

Why: D is correct because VPC Service Controls creates a security perimeter around the Cloud Storage bucket's project, preventing data exfiltration even if the bucket is publicly accessible. Private Google Access on the subnet allows VMs to reach Google APIs (including storage.googleapis.com) via internal IPs, avoiding the public internet. Together, they ensure only VMs within the specified VPC network can download objects, as the perimeter restricts access to authorized networks and Private Google Access provides the private connectivity path.
Q3 (easy)

A network engineer is troubleshooting connectivity from an on-premises network to a GCE VM through a VPN tunnel. The tunnel is established, but traffic is not reaching the VM. What should the engineer check first?

A. Check VPC firewall rules to ensure ingress traffic from the on-premises subnet is allowed to the VM (Correct: Firewall rules must allow traffic from the on-premises IP range to the VM's target tags or service account.)
B. Check the VM's OS firewall to see if it is blocking incoming traffic
C. Verify that the VPN tunnel is using the correct pre-shared key
D. Review Cloud Armor security policies that may be blocking the traffic

Why: Option A is correct because VPC firewall rules are the first line of defense for controlling traffic to GCE VMs. Even though the VPN tunnel is established, the default-deny ingress posture of GCP means that traffic from the on-premises subnet must be explicitly allowed by a VPC firewall rule. Without this rule, packets arriving via the tunnel are dropped before they ever reach the VM's network interface.
Q4 (hard)

A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?

A. Deploy the Cloud SQL Auth Proxy on each VM and configure IAM permissions for each VM's service account
B. Use Shared VPC and assign the specific VMs to a subnet with a dedicated secondary IP range, then restrict database access to that range
C. Use Private Service Connect to publish the database as a managed service and create a Private Service Connect endpoint in the spoke VPC with IAM permissions for the specific VM service accounts (Correct: Private Service Connect provides per-service-account authorization and network isolation.)
D. Configure firewall rules in the hub project to allow traffic only from the specific VM internal IPs

Why: Option C is correct because Private Service Connect (PSC) allows you to publish a managed service (like Cloud SQL) and create a PSC endpoint in the spoke VPC. By combining the PSC endpoint with IAM permissions on the VM service accounts, you ensure that only specific VMs can connect to the database, providing fine-grained, identity-aware access control without exposing the database to the entire network.
Q5 (medium)

A company uses Cloud Armor to protect an HTTPS Load Balancer. They notice that legitimate traffic from a specific geographic region is being blocked. The security policy has a deny rule for that region. What is the correct way to allow traffic from that region while still protecting against attacks?

A. Remove the deny rule for that region and rely on other security measures
B. Add a new allow rule for that region with a lower priority number than the deny rule (Correct: A lower priority number means higher precedence, so the allow rule will be evaluated first.)
C. Remove all rules and add a single allow rule for the legitimate region
D. Reorder the rules so that the deny rule is at the bottom of the list

Why: Cloud Armor security rules are evaluated in order of priority, where a lower priority number means higher precedence. To allow traffic from a specific region that is currently blocked by a deny rule, you must add an allow rule with a lower priority number (e.g., 100) than the deny rule (e.g., 1000). This ensures the allow rule is evaluated first, permitting the legitimate traffic before the deny rule can block it, while the deny rule still protects against attacks from other regions.
Q6 (medium)

A company is implementing VPC Service Controls to protect a managed project containing BigQuery datasets. They want to allow access from a specific service account in a different project. Which two configurations are required? (Choose TWO.)

A. Add the project containing the service account to the VPC Service Controls perimeter (Correct: Accessible resources are limited to perimeters that include the client project.)
B. Create a firewall rule in the client VPC allowing egress to the BigQuery API
C. Configure an IAM condition on the service account's roles to restrict access to the perimeter
D. Grant the appropriate IAM roles (e.g., BigQuery Data Viewer) to the service account on the BigQuery dataset (Correct: Even with the perimeter in place, the service account still needs IAM permissions to access the dataset.)
E. Enable Private Google Access on the subnet where the service account's VMs are located

Why: Option A is correct because VPC Service Controls use a perimeter to restrict access to managed services like BigQuery. Adding the project containing the service account to the perimeter allows that service account to access the protected BigQuery datasets, as the perimeter explicitly includes the project as an allowed member.

Domain 5: Implementing a Virtual Private Cloud

Q1 (medium)

A company is deploying a multi-tier web application on Google Cloud. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier must not have any public IP addresses. Which VPC design should be used?

A. Use a Shared VPC with separate subnets in different projects for each tier.
B. Use three separate VPCs for each tier and connect them using VPC peering. (Correct: Separate VPCs provide full isolation; peering allows controlled communication.)
C. Use a single VPC and connect the database tier via Cloud VPN to on-premises.
D. Use a single VPC with separate subnets for each tier and configure firewall rules to restrict traffic.

Why: Option B is correct because using three separate VPCs with VPC peering enforces strict network segmentation: the web tier VPC has a public subnet with an internet gateway, the application tier VPC is peered only to the web tier VPC (no internet gateway), and the database tier VPC is peered only to the application tier VPC (no public IPs). This design ensures that the database tier has no public IP addresses and is only reachable through the application tier, meeting all security requirements.
Q2 (hard)

An organization has a VPC with custom mode subnets in us-central1 and europe-west1. They create a VM instance in us-central1 with an internal IP 10.0.1.2 and a VM in europe-west1 with internal IP 10.0.2.2. They want to enable communication between these instances using internal IPs. What must be configured?

A. Ensure the VPC firewall rules allow ingress from the source subnet or instance. (Correct: Firewall rules control traffic within a VPC; by default, all internal traffic is allowed, but custom rules could block it.)
B. Set up VPC peering between the two regions.
C. No additional configuration is needed because internal IPs are routable within the VPC.
D. Enable Cloud NAT for the VPC.

Why: Option A is correct because VPC firewall rules are stateful and must allow ingress traffic from the source subnet (10.0.1.0/24) or the specific source instance (10.0.1.2) to the destination VM in europe-west1. By default, VPCs have an implied deny-all ingress rule, so explicit firewall rules are required to permit traffic between subnets in different regions within the same VPC. The rule should specify the source IP range or tag and the destination protocol/port (e.g., ICMP, TCP/22) to enable communication.
Q3 (easy)

A startup wants to create a VPC with a subnet that can grow automatically as they add more VM instances. Which subnet type should they use?

A

Custom mode subnet

B

Dynamic subnet

C

Legacy network

D

Auto mode subnet

Auto mode subnets automatically allocate IP ranges and expand as needed.

Why: An auto mode subnet automatically creates subnets in each region and assigns IP address ranges from a predefined pool that can expand as you add more VM instances. This allows the subnet to grow without manual intervention, making it ideal for startups that need dynamic scaling.
Q4 (medium)

A company has a VPC with a subnet 10.0.1.0/24 in us-central1. They need to add a new subnet for a Kubernetes cluster that requires a secondary IP range for pods. The primary IP range of the new subnet must be 10.0.2.0/24. What is the correct way to create this subnet?

A

Create the subnet with primary range 10.0.2.0/24 and specify the secondary range at creation time.

Secondary ranges must be specified at subnet creation.

B

Create the subnet with primary range 10.0.2.0/24 and then update it to add the secondary range.

C

Create two subnets: one with 10.0.2.0/24 for primary and another for the secondary range.

D

Create an auto mode subnet and let Google Cloud assign the secondary range automatically.

Why: Option A is correct because in Google Cloud VPC, a subnet can have both a primary IP range and one or more secondary IP ranges, and these secondary ranges must be specified at subnet creation time. For a Kubernetes cluster, the secondary range for pods is required, and it cannot be added after the subnet is created; it must be defined during the initial subnet creation.
Q5 (hard)

An organization is migrating to Google Cloud and requires connectivity between their on-premises network and VPC. They plan to use Cloud VPN with dynamic routing (BGP). Which VPC feature is required for this setup?

A

Cloud NAT

B

VPC peering

C

Cloud Router

Cloud Router manages BGP sessions for dynamic routing with VPN or Interconnect.

D

VPC Flow Logs

Why: Cloud Router is required when using Cloud VPN with dynamic routing (BGP) because it manages the BGP sessions between the on-premises router and the Google Cloud VPN gateway. It exchanges routes dynamically, enabling automatic route propagation and failover without manual static route configuration.
Q6 (medium)

A company has a VPC with a subnet in us-central1 and needs to allow HTTP traffic (port 80) from the internet to a VM instance. Which TWO configurations are required?

A

Configure Cloud NAT for the VPC.

B

Assign an external IP address to the VM.

An external IP allows the VM to be reachable from the internet.

C

Enable Private Google Access on the subnet.

D

Assign a static internal IP address to the VM.

E

Create a firewall rule to allow ingress on TCP port 80 from 0.0.0.0/0.

Firewall rule must permit incoming HTTP traffic.

Why: Option B is correct because a VM must have an external (public) IP address assigned to be directly reachable from the internet. Without an external IP, the VM cannot receive inbound traffic initiated from outside the VPC, even with proper firewall rules. This is a fundamental requirement for internet-facing workloads in Google Cloud.

Frequently asked questions

How many questions are on the PCNE exam?

The PCNE exam has 60 questions and must be completed in 120 minutes. The passing score is 720/1000.

What types of questions appear on the PCNE exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are PCNE questions organised by domain?

The exam covers 5 domains: Designing, planning, and prototyping a GCP network, Implementing hybrid interconnectivity, Configuring network services, Implementing network security, Implementing a Virtual Private Cloud. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual PCNE exam questions?

No. These are original exam-style practice questions written against the official Google Cloud PCNE exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.