Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PCNE Implementing network security • Complete Question Bank

PCNE Implementing network security — All Questions With Answers

Complete PCNE Implementing network security question bank — all 0 questions with answers and detailed explanations.

76 questions · Free · No signup
Question 1 · medium · multiple choice · NAT/PAT

A company is using Cloud NAT for internet access from private subnets. Security team notices that traffic from a specific VM is being blocked by external firewalls because the source IP is not the Cloud NAT IP. What is the most likely cause?

Question 2 · hard · multiple choice

An organization wants to restrict access to a Cloud Storage bucket so that only VMs within a specific VPC network can download objects. They are using VPC Service Controls and Private Google Access. Which configuration is required?

Question 3 · easy · multiple choice · VPN

A network engineer is troubleshooting connectivity from an on-premises network to a GCE VM through a VPN tunnel. The tunnel is established, but traffic is not reaching the VM. What should the engineer check first?

Question 4 · hard · multiple choice

A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?

Question 5 · medium · multiple choice

A company uses Cloud Armor to protect an HTTPS Load Balancer. They notice that legitimate traffic from a specific geographic region is being blocked. The security policy has a deny rule for that region. What is the correct way to allow traffic from that region while still protecting against attacks?

Question 6 · medium · multi select

A company is implementing VPC Service Controls to protect a managed project containing BigQuery datasets. They want to allow access from a specific service account in a different project. Which two configurations are required? (Choose TWO.)

Question 7 · hard · multi select · NAT/PAT

A company is using Cloud NAT for outbound internet access. They want to ensure that traffic from certain VMs always uses a specific set of NAT IPs for auditing purposes. Which three steps are necessary to achieve this? (Choose THREE.)

Question 8 · hard · multiple choice

Refer to the exhibit. A user cannot SSH into test-vm from their workstation (public IP 203.0.113.5) using the VM's external IP 34.67.89.10. The firewall rule allow-ssh exists. What is the most likely cause?

Network Topology

gcloud compute firewall-rules list --filter="name=allow-ssh"
gcloud compute firewall-rules list --filter="name=allow-icmp"
gcloud compute instances describe test-vm --zone=us-central1-a --format="table(networkInterfaces)"
networkInterfaces[0].networkIP: 10.128.0.2
networkInterfaces[0].accessConfigs[0].natIP: 34.67.89.10
Question 9 · easy · multiple choice

Refer to the exhibit. A project has the IAM policy shown. Alice is trying to delete a VPC firewall rule but receives a permission error. What is the most likely reason?

Exhibit

{
  "bindings": [
    {
      "role": "roles/compute.securityAdmin",
      "members": [
        "user:alice@example.com"
      ]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": [
        "user:bob@example.com"
      ]
    }
  ]
}
Question 10 · hard · multiple choice · NAT/PAT

A company is designing a hub-and-spoke VPC architecture in Google Cloud. The hub VPC hosts a set of shared services, including a third-party firewall appliance (NGFW) in a managed instance group behind a TCP load balancer. Spoke VPCs need to send traffic to the hub's internal TCP load balancer IP (10.0.0.10) for inspection. The firewall appliance inspects traffic and forwards it to the final destination. The network team notices that traffic from one spoke to the load balancer is being dropped. They have verified that VPC peering is established, routes are propagated, and firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

Question 11 · medium · multiple choice

A company uses Identity-Aware Proxy (IAP) to secure access to a group of Compute Engine instances running a web application. The instances have no external IP addresses and are accessed via IAP TCP forwarding. Recently, the security team discovered that some users can access the instances directly via SSH from other instances within the same VPC, bypassing IAP. What is the most effective way to ensure all SSH access goes through IAP?

Question 12 · medium · multi select · NAT/PAT

A company is designing a secure multi-VPC architecture in Google Cloud. They have three VPCs: Production, Staging, and Shared Services. The Shared Services VPC hosts a Cloud NAT for outbound internet access and a set of managed instance groups. The Production and Staging VPCs are peered to the Shared Services VPC. The company wants to ensure that: (1) instances in Staging cannot initiate connections to instances in Production, (2) instances in Production cannot initiate connections to instances in Staging, (3) all VPCs can communicate with Shared Services, and (4) traffic between VPCs must be inspected by a firewall appliance in Shared Services. Which TWO actions should the company take?

Question 13 · hard · multiple choice · NAT/PAT

A financial services company is deploying a new payment processing application in Google Cloud. The architecture consists of: a VPC named 'payment-vpc' with subnet 'payment-subnet' (10.1.0.0/16), a managed instance group (MIG) of backend servers in payment-subnet, an internal TCP load balancer (ILB) with IP 10.1.0.10 distributing traffic to the MIG, and a Cloud NAT for outbound internet access. The application must communicate with an external payment gateway over TLS. The security policy requires that all outbound traffic from the backend servers to the internet must egress through a single, centralized Cloud NAT instance to allow traffic inspection. To meet this requirement, the network team has configured: a Cloud Router, a Cloud NAT gateway named 'payment-nat' in payment-vpc, and a default route (0.0.0.0/0, next hop: default internet gateway) in payment-vpc. They have also configured VPC firewall rules to allow outbound HTTPS traffic. During testing, the backend servers cannot connect to the external payment gateway. The team has verified that the Cloud NAT is properly configured and that the VPC firewall rules allow egress traffic. What is the most likely cause of the connectivity failure?

Question 14 · medium · multiple choice

A company has deployed a globally distributed application on Google Cloud using Cloud Load Balancing and managed instance groups across multiple regions. They need to restrict access to the application's backend instances so that only traffic from the load balancer's health check ranges and the load balancer's source IP addresses is allowed. Which firewall rule configuration should be used?

Question 15 · hard · multi select

A financial services company is migrating sensitive workloads to Google Cloud. They need to implement a defense-in-depth strategy to protect their VPC networks. Which TWO actions should they take to meet their security requirements? (Choose two.)

Question 16 · medium · drag order

Drag and drop the steps to set up a shared VPC in Google Cloud into the correct order.

Question 17 · medium · drag order · VPN

Drag and drop the steps to migrate an on-premises network to Google Cloud using a VPN and VPC peering into the correct order.

Question 18 · medium · matching

Match each Google Cloud interconnect or peering type to its description.

Descriptions to match:

Direct physical connection between on-premises and Google
Connection via a supported service provider
Direct BGP peering between on-premises and Google edge
Peering via a carrier's network
Encrypted tunnel over the internet to your VPC

Question 19 · medium · matching · DNS

Match each Cloud DNS record type to its use.

Descriptions to match:

Maps a hostname to an IPv4 address
Maps a hostname to an IPv6 address
Alias of one hostname to another
Specifies mail servers for a domain
Holds arbitrary text, often for verification

Question 20 · easy · multiple choice

A team has deployed Compute Engine instances with internal IPs only. They need to allow these instances to download updates from specific external IP ranges. Which action should they take?

Question 21 · medium · multiple choice

An organization has a Shared VPC with several service projects. They want to restrict which service projects can create firewall rules in the host project. What should they do?

Question 22 · hard · multiple choice

A company uses Cloud Armor with WAF rules to protect an HTTPS load balancer. They notice that legitimate traffic from certain IPs is being blocked. How should they troubleshoot?

Question 23 · easy · multiple choice

A developer wants to SSH into a Compute Engine instance that has no public IP. Which service should they use?

Question 24 · medium · multiple choice

An organization has multiple VPC networks and wants to allow traffic between them with fine-grained control over which VMs can communicate. Which solution should they implement?

Question 25 · hard · multiple choice

A company is deploying a GKE cluster with Dataplane V2 and wants to enforce micro-segmentation using network policies. They also need to monitor policy violations. What should they do?

Question 26 · easy · multiple choice

A company wants to ensure that only traffic from specific source IP ranges can reach a Cloud Load Balancer. How should they enforce this?

Question 27 · medium · multiple choice

A network engineer notices that VPC Flow Logs show connections from a Compute Engine instance to an IP address that should have been blocked by firewall rules. What is the most likely cause?

Question 28 · hard · multiple choice

An organization uses VPC Service Controls to protect Google Cloud APIs. They need to allow a specific service account in a peripheral project to access a managed service in a protected service perimeter. What should they configure?

Question 29 · medium · multi select · NAT/PAT

Which TWO of the following are benefits of using Cloud NAT?

Question 30 · easy · multi select

Which TWO of the following methods can be used to encrypt traffic between VPC networks?

Question 31 · hard · multi select

Which THREE of the following are valid use cases for VPC Service Controls?

Question 32 · medium · multiple choice

Refer to the exhibit. Users report that HTTP (port 80) traffic is still reaching instances in my-vpc despite the deny-all rule. What is the most likely reason?

Network Topology

gcloud compute firewall-rules list --filter="name:allow-ssh OR name:deny-all" --format="table(NAME,NETWORK,DIRECTION,PRIORITY,ALLOW,DENY)"
NAME       NETWORK  DIRECTION  PRIORITY  ALLOW   DENY
allow-ssh  my-vpc   INGRESS    1000      tcp:22
deny-all   my-vpc   INGRESS    2000              tcp:80,icmp
Question 33 · hard · multiple choice

Refer to the exhibit. A Cloud Armor security policy with the shown rules is applied to an HTTPS load balancer. Users from IP 10.0.1.1 are reporting they cannot access the website. What is the issue?

Exhibit

{
  "rules": [
    {
      "action": "deny(403)",
      "priority": 1000,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": ["10.0.0.0/8"]
        }
      }
    },
    {
      "action": "allow",
      "priority": 2000,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": ["0.0.0.0/0"]
        }
      }
    }
  ]
}
Question 34 · easy · multiple choice

Refer to the exhibit. A network engineer is unable to SSH to instance-1 using IAP TCP forwarding. What is the most likely reason?

Exhibit

gcloud compute instances describe instance-1 --format="yaml(tags, serviceAccounts)"
tags:
  items:
  - web
serviceAccounts:
- email: test@project.iam.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/cloud-platform

---

Firewall rule:
gcloud compute firewall-rules describe allow-ssh-iap
allowed:
- IPProtocol: tcp
  ports:
  - '22'
direction: INGRESS
priority: 1000
sourceRanges:
- 35.235.240.0/20
targetTags:
- ssh-iap
Question 35 · easy · multiple choice · subnetting

A company wants to restrict SSH access to a VM instance to only a specific subnet (10.0.1.0/24) and allow all traffic from the health check ranges (130.211.0.0/22 and 35.191.0.0/16) for load balancing. Which firewall rule configuration should be used for the SSH rule?

Question 36 · medium · multiple choice · VPN

A company uses VPC Service Controls to protect a managed service (e.g., BigQuery) within a service perimeter. Developers need to access the service from an on-premises network via a Cloud VPN tunnel with a specific IP address. However, access is being denied. What is the most likely cause?

Question 37 · hard · multiple choice · routing

A company has a hybrid network with an on-premises data center connected to Google Cloud via Dedicated Interconnect. They use Private Google Access for on-premises hosts (the on-premises hosts reach the external IP addresses of Google APIs via the interconnect). However, they notice that traffic to certain Google APIs is being routed via the internet instead of the interconnect. What is a likely cause?

Question 38 · easy · multiple choice

A company deploys a web application behind a global external HTTP(S) load balancer and wants to protect against SQL injection attacks. Which Google Cloud security product should they use?

Question 39 · medium · multiple choice

A company uses Identity-Aware Proxy (IAP) to secure access to Compute Engine VMs. Users report that they can SSH into some VMs but not others, even though they have the IAP-secured Tunnel User role. Both VMs are in the same project and have the same network tags. What is the most likely reason?

Question 40 · hard · multiple choice · NAT/PAT

A company has multiple VPC networks in the same project, each with its own Cloud NAT configuration. They notice that traffic from a VM in VPC-A that has an external IP address is being NATed through the Cloud NAT gateway, but they only want Cloud NAT to be used for VMs without external IPs. What configuration ensures this?

Question 41 · easy · multiple choice

A company wants to enforce that all HTTPS load balancer traffic uses TLS 1.2 or higher. Which Google Cloud resource should they configure?

Question 42 · medium · multiple choice

A company uses Shared VPC with multiple service projects. The security team wants to ensure that only specific service projects can create firewall rules that allow ingress traffic to the Shared VPC network. What is the best practice?

Question 43 · hard · multiple choice

A company uses Packet Mirroring to monitor traffic from a set of VMs. They want to ensure that mirrored traffic does not interfere with the production traffic. Which statement is correct?

Question 44 · medium · multi select

Which TWO of the following are valid use cases for Cloud IDS? (Choose TWO)

Question 45 · hard · multi select

A network engineer is troubleshooting connectivity issues with VPC Flow Logs. Which TWO statements about VPC Flow Logs are correct? (Choose TWO)

Question 46 · easy · multi select · VPN

Which THREE of the following are required to use Private Google Access for on-premises hosts through a Cloud VPN or Interconnect? (Choose THREE)

Question 47 · medium · multiple choice

Refer to the exhibit. A VM in the default VPC with an internal IP 10.0.1.2 tries to SSH (tcp:22) from a host at 10.0.2.5. What is the result?

Exhibit

gcloud compute firewall-rules list --format="table(name, network, direction, priority, sourceRanges, allowed, denied)"
NAME               NETWORK  DIRECTION  PRIORITY  SOURCE_RANGES  ALLOWED  DENIED
allow-http         default  INGRESS    1000      0.0.0.0/0      tcp:80
deny-ssh           default  INGRESS    100       10.0.1.0/24             tcp:22
default-allow-ssh  default  INGRESS    65535     0.0.0.0/0      tcp:22
allow-internal     default  INGRESS    65535     10.0.0.0/8     all
Question 48 · hard · multiple choice · NAT/PAT

Refer to the exhibit. A request arrives with User-Agent 'GoodBot' and path '/admin'. What action does Cloud Armor take?

Exhibit

Cloud Armor security policy 'my-policy' with rules:
- priority: 100, match: request headers: User-Agent: *BadBot*, action: deny(403)
- priority: 200, match: request headers: User-Agent: *GoodBot*, action: allow
- priority: 300, match: request path: /admin, action: deny(403)
- priority: 1000, default rule: allow
Question 49 · easy · multiple choice

Refer to the exhibit. A user within the perimeter project '111111111111' tries to access BigQuery from a VM that has an external IP address. The request is denied. What is the most likely reason?

Exhibit

{
  "name": "my-perimeter",
  "status": {
    "accessLevels": [
      "accessPolicies/12345/accessLevels/trusted_ips"
    ],
    "resources": ["projects/111111111111"],
    "restrictedServices": ["bigquery.googleapis.com"],
    "vpcAccessibleServices": {
      "allowedServices": ["bigquery.googleapis.com"],
      "enableRestriction": true
    }
  }
}
Question 50 · easy · multiple choice

A company has two VPCs in the same project: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). They want to allow SSH from VPC-A to instances in VPC-B. The network admin creates a firewall rule with source range 10.0.0.0/16 and protocol tcp:22, but connectivity fails. What is the most likely cause?

Question 51 · medium · multiple choice

A company uses Cloud Armor to protect its HTTP(S) load balancer. They need to block requests from a specific geographic region and also apply a rate limiting rule. What is the correct order of evaluation for Cloud Armor security policies?

Question 52 · hard · multiple choice · NAT/PAT

A GCP environment has a VPC with a subnet that enables Private Google Access. Instances in that subnet can access Google APIs without external IPs. However, an instance cannot reach storage.googleapis.com from a private IP. Cloud NAT is configured for the subnet. What is the most likely reason for the failure?

Question 53 · easy · multiple choice

A security engineer wants to allow SSH access to a VM that has no external IP. The VM is in a VPC with IAP configured. What is the simplest way to enable secure SSH without a bastion host?

Question 54 · medium · multiple choice

An organization wants to restrict data exfiltration from a GCP project. They need to prevent users from copying data to external cloud storage services like AWS S3, but allow access to Google Cloud Storage. Which VPC Service Controls (VPC-SC) configuration should they use?

Question 55 · hard · multiple choice

A large enterprise uses hierarchical firewall policies across multiple VPCs. They have an organization policy that requires all VPCs to block SSH from the internet. However, a development team needs SSH from a specific external IP range for a building. How can they create a firewall rule that allows that range without violating the organization policy?

Question 56 · easy · multiple choice

A company uses an HTTPS load balancer with SSL certificates. They want to ensure only strong cipher suites are accepted. Which Google Cloud service should they use to enforce this?

Question 57 · medium · multiple choice · NAT/PAT

A network engineer notices unexpected traffic being allowed through a VPC firewall rule. They want to analyze the logs to identify the source and destination. What is the best way to enable detailed logging for firewall rules?

Question 58 · hard · multiple choice · BGP

A company has multiple on-premises networks connected to a Cloud VPN hub in GCP. Each on-premises site uses BGP to advertise its prefixes. The security team wants to ensure that only specific prefixes from each site are accepted into the VPC routes. What should they configure?

Question 59 · easy · multi select

Which TWO of the following are valid methods to restrict access to a Compute Engine VM that has no external IP?

Question 60 · medium · multi select

Which THREE components are required to set up Identity-Aware Proxy (IAP) for TCP forwarding to a VM?

Question 61 · hard · multi select

A network engineer is troubleshooting connectivity between two VPCs that are peered. The VPC flow logs show traffic being dropped. Firewall rules are correctly configured. Which TWO actions should the engineer take to identify the cause?

Question 62 · easy · multiple choice

A company wants to allow HTTP traffic from the internet to a web server running on a Compute Engine VM in a VPC. The web server should only be accessible on port 80. Which firewall rule should be created?

Question 63 · medium · multiple choice

A company uses Shared VPC with multiple service projects. The network admin wants to restrict access to certain Compute Engine instances so that only specific service accounts can SSH into them. What is the best practice to achieve this?

Question 64 · medium · multiple choice · NAT/PAT

An organization has a Cloud NAT configured for a VPC network to allow outbound internet access for private instances. They notice that some instances are failing to connect to a specific external API that requires a static source IP. What should they do to resolve this?

Question 65 · hard · multiple choice

A company deploys a web application on Google Kubernetes Engine (GKE) with an Ingress resource handled by an external HTTPS load balancer. They want to enforce mutual TLS (mTLS) authentication where the load balancer verifies the client certificate and then passes the client's identity to the backend using a header. Which configuration should be used?

Question 66 · hard · multi select

A company wants to prevent data exfiltration from a Google Cloud Storage bucket that contains sensitive data. They plan to use VPC Service Controls. Which two steps are necessary to implement this? (Choose two.)

Question 67 · easy · multi select

A network engineer needs to configure firewall rules to allow health checks from Google Cloud's health check systems to a backend service. Which two source IP ranges should they allow? (Choose two.)

Question 68 · medium · multi select · VPN

A company is designing a network architecture with multiple VPCs and on-premises connectivity via Cloud VPN. They want to avoid IP address conflicts and ensure secure communication. Which three best practices should they follow? (Choose three.)

Question 69 · easy · multiple choice · subnetting

A company has a single VPC with subnets in us-central1 and europe-west1. They have Compute Engine instances in both subnets that need to communicate with each other. The security team wants to ensure that only specific instances in us-central1 can connect to a database instance in europe-west1 on port 3306. Currently, the default firewall rules allow all internal traffic (priority 65535). The network engineer first creates a new ingress firewall rule to allow TCP traffic on port 3306 from instances with the network tag 'app' to instances with the tag 'db', with priority 1000. Then, to enforce the restriction, they delete the default allow internal rule (priority 65535). However, after applying the changes, the app instances (tagged 'app') in us-central1 cannot connect to the database instance (tagged 'db') in europe-west1. The engineer verifies that the tags are correctly applied to the instances. What is the most likely cause of the connectivity failure?

Question 70 · medium · multiple choice · NAT/PAT

A company has deployed a web application behind an External HTTP(S) Load Balancer with Cloud Armor. They want to restrict access to a specific URL path /admin to only users from a specific IP range (198.51.100.0/24). The engineer creates a Cloud Armor security policy with two rules: Rule 1 (priority 1000) with match expression "request.path == '/admin' && inIpRange(source.ip, '198.51.100.0/24')" and action "allow". Rule 2 (priority 2147483647) with match "request.path == '/admin'" and action "deny". After testing, users from the allowed IP range receive a 403 error when accessing /admin. The Cloud Armor logs show that the request was denied. The engineer confirms that the policy is attached to the backend service and that the source IP in the logs matches the allowed range. What is the most likely cause of the denial?

Question 71 · hard · multiple choice

A large organization uses Shared VPC with hundreds of projects. They want to implement fine-grained access control for SSH access to Compute Engine instances using IAP TCP forwarding. They have created a custom IAM role with the necessary permissions (iap.tunnel.dest, iap.tunnel.getIamPolicy, compute.instances.use) and granted it to a group of developers. The developers have also been granted the iap.tunnelUser role on the project. However, when they try to use `gcloud compute ssh --tunnel-through-iap instance-name`, they get a permission error: "Permission 'iap.tunnel.dest' denied on resource 'projects/project/zones/zone/instances/instance'". The network admin has verified that the custom role includes the required permissions and that the developers are members of the group with the role. What is the most likely missing configuration?

Question 72 · easy · multiple choice · NAT/PAT

A company has a VPC with a subnet in us-central1. They have several private Compute Engine instances (no external IP) that need to download updates from a public repository on the internet. The network engineer has created a Cloud NAT gateway in the same region and attached it to the subnet. However, the instances still cannot reach the internet. The engineer has confirmed that the Cloud NAT gateway is correctly configured and that the subnet's Private Google Access is not relevant for this traffic. What should the engineer check first to resolve the issue?

Question 73 · medium · multiple choice · BGP

A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect using VLAN attachments. They have set up a Cloud Router with BGP to exchange routes. The on-premises network advertises a prefix 10.0.0.0/8, and Google Cloud advertises the VPC's subnet ranges (10.0.0.0/24 and 10.0.1.0/24). After configuration, on-premises hosts cannot reach the Google Cloud instances in those subnets. The engineer checks the BGP session status and it is established. The Cloud Router shows that the on-premises prefix is learned, and the on-premises router shows that the specific /24 prefixes are received. However, traffic from on-premises to the Google Cloud subnets is not working. What is the most likely cause?

Question 74 · hard · multiple choice · BGP

A company uses Cloud VPN tunnels to connect multiple sites to Google Cloud. They have a primary and a backup tunnel for redundancy, each with a different Cloud Router (both in the same region). BGP sessions are established on both routers. The network team notices that during a failover test, traffic fails over to the backup tunnel but then after 30 seconds, the backup tunnel traffic stops and does not recover until the primary tunnel comes back. The engineer finds that the backup Cloud Router is advertising the same routes as the primary, but the backup tunnel's BGP session shows that the routes are being withdrawn after 30 seconds. Additionally, the BGP session remains established. What is the most likely cause?

Question 75 · medium · multi select · subnetting

A company is deploying a new application across three VPCs in the same project, using Shared VPC. The security team wants to restrict traffic such that only the frontend subnet (10.0.1.0/24) can send traffic to the backend subnet (10.0.2.0/24) on TCP port 8080. The backend instances have the service account 'backend-sa@project.iam.gserviceaccount.com'. Which TWO firewall rule configurations achieve this goal?

Question 76 · easy · multiple choice · subnetting

You are a cloud network engineer for a company that runs a web application on Compute Engine instances in a managed instance group (MIG) behind an external HTTP(S) load balancer. The backend instances are in a subnet with CIDR 10.0.2.0/24 and are tagged 'web-backend'. The health checks are configured to use TCP port 80. Recently, the security team added new firewall rules to restrict traffic, and now the health checks are failing. The current firewall rules (in order of priority) are:

1. Priority 100: Deny ingress from 0.0.0.0/0 to all instances (deny-all).
2. Priority 200: Allow ingress from 130.211.0.0/22 and 35.191.0.0/16 to instances with tag 'health-checked' on TCP port 80.
3. Priority 300: Allow ingress from 0.0.0.0/0 to instances with tag 'web-backend' on TCP port 80.

The MIG instances are tagged 'web-backend' but not 'health-checked'. The health checks are failing. What is the most efficient course of action to fix the health checks while maintaining security?
