Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PCNE Configuring network services • Complete Question Bank

PCNE Configuring network services — All Questions With Answers

Complete PCNE Configuring network services question bank — all 0 questions with answers and detailed explanations.

97 Questions • Free • No signup

Question 1 (medium, multiple choice)

A company has deployed a Global External Application Load Balancer with Premium Tier and enables Cloud CDN. Users in Europe report high latency, while users in the US have good performance. The backend is a regional NEG in us-west1. What is the most likely cause?

Question 2 (hard, multiple choice)

A company is migrating on-premises DNS to Google Cloud. They have a hybrid network using Cloud VPN and want to resolve on-premises hostnames from Compute Engine instances without custom scripts. Which service should they use?

Question 3 (easy, multiple choice)

A network engineer is configuring a Cloud Router for BGP peering with an on-premises router over a VPN tunnel. The on-premises router uses 169.254.x.x link-local addresses. Which BGP peer IP should the engineer use in the Cloud Router configuration?

Question 4 (medium, multiple choice)

A company uses an internal TCP/UDP load balancer to distribute traffic to a backend service. The backend instances are in an unmanaged instance group. Some instances fail health checks and are removed. What happens to existing connections to failed instances?

Question 5 (hard, multiple choice)

A company has a VPC with subnets in us-central1 and europe-west1. They create a Private Service Connect endpoint for a managed service in us-central1. Can Compute Engine instances in europe-west1 access the endpoint?

Question 6 (medium, multi select)

A company is designing a hybrid network using Dedicated Interconnect. They want to configure BGP for load balancing across multiple VLAN attachments. Which TWO statements are correct?

Question 7 (hard, multi select)

A company is using Cloud NAT to allow private instances to access the internet. They notice that some instances are not able to reach certain external services. Which THREE steps should they take to troubleshoot?

Question 8 (medium, multiple choice)

A company uses Cloud NAT to allow private instances to reach the internet. They notice that egress traffic from Compute Engine VMs is intermittently failing. The VMs are in us-central1-a and use the default VPC network. Cloud NAT is configured with a single NAT IP address. What is the most likely cause?

Question 9 (hard, multiple choice)

A large enterprise is migrating to Google Cloud and needs to establish connectivity between on-premises and VPCs in two different regions (us-east1 and europe-west1). They have a single Partner Interconnect connection at a co-location facility in New York. They want to use the same interconnect for both regions. Which configuration should they use?

Question 10 (easy, multiple choice)

A company is using Cloud DNS for private zone resolution within their VPC. They have a private zone for 'example.internal' and have attached it to the VPC. When they create a new Compute Engine VM and try to resolve 'myapp.example.internal', it fails. What is the most likely cause?

Question 11 (hard, multiple choice)

You have a Cloud Router with the configuration shown. The on-premises network (ASN 65002) is not receiving any routes from Google Cloud. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ gcloud compute routers describe my-router --region us-central1
creationTimestamp: '2023-01-15T10:00:00.000-08:00'
description: Router for on-prem connectivity
id: '1234567890123456789'
kind: compute#router
name: my-router
network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default
region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1
bgp:
  asn: 65001
  advertiseMode: CUSTOM
  advertisedGroups:
  - ALL_SUBNETS
  advertisedIpRanges:
  - range: 10.0.1.0/24
    description: On-prem subnet
  keepaliveInterval: 20
```

Question 12 (medium, multiple choice)

A company has a VPC with subnets in us-east1 and europe-west1. They have deployed a global external HTTP(S) load balancer with backend services in both regions. Users in Europe report high latency. What is the most likely cause?

Question 13 (medium, multi select)

Which TWO considerations are important when designing a VPC peering strategy between multiple projects in Google Cloud?

Question 14 (hard, multi select)

Which THREE actions should you take to secure a VPC that hosts public-facing web applications?

Question 15 (hard, multiple choice)

A company has a VPC with multiple subnets. They want to restrict traffic between two specific subnets (10.0.1.0/24 and 10.0.2.0/24) while allowing all other traffic. They create a firewall rule with priority 1000 denying ingress from 10.0.1.0/24 to 10.0.2.0/24. However, traffic is still allowed. What is the most likely reason?

Question 16 (hard, multiple choice)

Your company runs a multi-tier web application on Google Cloud. The frontend is in us-central1 (3 instances behind an external HTTP(S) Load Balancer), the backend is in us-west1 (3 instances behind an internal TCP/UDP Load Balancer). The frontend instances are in a managed instance group (MIG) with autoscaling based on CPU utilization. Recently, you noticed that during traffic spikes, the frontend instances' CPU utilization remains low, but the backend instances' CPU utilization spikes to 90% and causes timeouts. The application uses a synchronous REST API; the frontend instances make requests to the internal load balancer's IP. What should you do to resolve the backend scaling issue?

Question 17 (medium, multiple choice)

Your company has deployed a hybrid cloud environment with a Cloud VPN tunnel between Google Cloud VPC and an on-premises data center. The VPC has a custom mode with subnet 10.0.1.0/24 in us-east1. On-premises uses subnet 192.168.1.0/24. The VPN tunnel is established using dynamic routing (BGP). Both sides advertise the correct prefixes. A Compute Engine VM in the VPC (10.0.1.10) can ping the on-premises gateway (192.168.1.1), but cannot ping a server on-premises (192.168.1.100). The on-premises network team confirms that 192.168.1.100 is reachable from the on-premises gateway. Firewall rules in GCP allow ingress from 192.168.1.0/24 to all VMs. What is the most likely cause?

Question 18 (medium, multiple choice)

A company is deploying a global application on Google Cloud using Cloud Load Balancing. They want to serve traffic from multiple regions and require the lowest possible latency for users worldwide. The application serves HTTP traffic and uses a static IP address. Which load balancing solution should they use?

Question 19 (hard, multi select)

A company uses Cloud NAT to enable outbound internet access for private instances in a VPC. They notice that some instances are unable to connect to external services, while others can. The network team has verified that all instances have the same tags and are in the same subnet. Which TWO actions should the team take to troubleshoot the issue?

Question 20 (easy, multiple choice)

An engineer creates a Cloud NAT configuration as shown in the exhibit. The test-instance is created without an external IP address. However, the instance cannot reach the internet. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
gcloud compute routers create nat-router \
    --network=my-vpc \
    --region=us-central1

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --region=us-central1 \
    --nat-external-ip-pool=ip-address-1 \
    --nat-all-subnet-ip-ranges \
    --enable-logging

gcloud compute instances create test-instance \
    --zone=us-central1-a \
    --network=my-vpc \
    --subnet=subnet-a \
    --no-address
```

Question 21 (medium, drag order)

Drag and drop the steps to set up a Google Cloud Armor security policy for a backend service into the correct order.

Question 22 (medium, drag order)

Drag and drop the steps to set up a Cloud Interconnect connection for dedicated on-premises connectivity into the correct order.

Question 23 (medium, matching)

Match each Cloud Load Balancing type to its description.


Concepts
Matches

Global, proxy-based, for HTTP/S traffic from internet

Regional, pass-through, for traffic within VPC

Regional, proxy-based, for non-HTTP/S internet traffic

Regional, proxy-based, for internal HTTP/S traffic

Global, terminates SSL, for non-HTTPS SSL traffic

Question 24 (medium, matching)

Match each network pricing model to its description.


Concepts
Matches

Data leaving Google Cloud to the internet

Data entering Google Cloud (typically free)

Data transferred between regions within Google Cloud

Global network with consistent performance, higher cost

Lower cost, uses ISP networks for some hops

Question 25 (medium, multiple choice)

A company wants to securely connect an on-premises data center to a VPC in us-central1. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) that overlap with the VPC subnet (10.0.1.0/24). They need connectivity to specific workloads in the VPC without changing IP addresses on premises. What should they do?

Question 26 (hard, multiple choice)

A global e-commerce company has deployed a web application across multiple GCP regions using an external HTTPS load balancer. Traffic is expected to originate from users worldwide. They want to minimize latency and improve user experience, while also ensuring that traffic is served from the nearest healthy backend. Which load balancing configuration should they use?

Question 27 (easy, multiple choice)

An organization is migrating a legacy application to GCP. The application requires a static internal IP address for a Compute Engine VM that must persist even if the VM is stopped or deleted. Which IP address type should they assign?

Question 28 (medium, multiple choice)

A financial services company needs to audit all VPC firewall rule changes in real time. They want to receive notifications whenever a rule is created, modified, or deleted. What is the most efficient way to achieve this?

Question 29 (hard, multiple choice)

A company uses Cloud NAT to allow private VMs to access the internet. They notice that some VMs are unable to reach a specific set of external IP addresses, but other VMs can. The firewall rules are correctly configured. What is the most likely cause?

Question 30 (easy, multiple choice)

A company wants to connect two VPCs in the same project using VPC Network Peering. Each VPC has non-overlapping subnets. What is the minimum number of peering connections required to enable full bidirectional communication?

Question 31 (medium, multiple choice)

A DevOps team is configuring a VPC with a subnet in us-east1. They need to allow a specific VM (source IP 10.0.1.2) to access a database VM (destination IP 10.0.2.3) on port 3306, but only from that specific source. All other traffic should be denied. Which firewall rule configuration should they use?

Question 32 (hard, multiple choice)

A company has a VPC with multiple subnets and uses Cloud VPN tunnels to connect to on-premises. They want to ensure that only traffic destined for on-premises is sent through the VPN tunnels; all other traffic should use the internet. Which route configuration should they implement?

Question 33 (easy, multiple choice)

A startup is deploying a microservices application on Google Kubernetes Engine (GKE). They want to expose a service to the internet using a load balancer that provides SSL termination and supports WebSocket. Which type of Service should they use?

Question 34 (medium, multi select)

Which TWO network services are required to enable private Google access for on-premises hosts using a Dedicated Interconnect connection? (Choose two.)

Question 35 (hard, multi select)

Which THREE components are necessary to configure a global external HTTP(S) load balancer with Cloud CDN and an origin backend that requires authentication? (Choose three.)

Question 36 (easy, multi select)

Which TWO network services can be used to provide secure connectivity between a VPC and an on-premises data center without traversing the public internet? (Choose two.)

Question 37 (medium, multiple choice)

Refer to the exhibit. A VM with the 'ssh-allowed' tag is unreachable via SSH from the internet, while other VMs with the same tag work. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
gcloud compute firewall-rules describe allow-ssh

Allowed:
  IPProtocol: tcp
  ports: ['22']
Direction: INGRESS
Source ranges: ['0.0.0.0/0']
Target tags: ['ssh-allowed']
Priority: 1000
```

A VM with network tag 'ssh-allowed' cannot be reached via SSH from the internet. Other VMs with the same tag work fine.

Question 38 (hard, multiple choice)

Refer to the exhibit. The Cloud Router is configured with custom BGP advertisements. The on-premises router receives only the two advertised ranges (10.1.0.0/24 and 10.2.0.0/24) but not the VPC subnets (e.g., 10.3.0.0/24). What is the most likely reason?

Exhibit

Refer to the exhibit.

```
$ gcloud compute routers describe router-us

bgp:
  advertiseMode: CUSTOM
  advertisedGroups:
  - ALL_SUBNETS
  advertisedIpRanges:
  - range: 10.1.0.0/24
  - range: 10.2.0.0/24
  asn: 65000
  keepaliveInterval: 20
bgpPeers:
- interfaceName: if-bgp
  ipAddress: 169.254.1.1
  peerIpAddress: 169.254.1.2
  peerAsn: 65001
  advertisedRoutePriority: 100
```

Question 39 (easy, multiple choice)

Refer to the exhibit. A VM in 'subnet-a' can access Google APIs via private IP, but a VM in 'subnet-b' cannot. What change should be made to fix this?

Exhibit

Refer to the exhibit.

```
$ gcloud compute networks subnets list

NAME          REGION       NETWORK  RANGE          PRIVATE_GOOGLE_ACCESS  STACK_TYPE
subnet-a      us-central1  vpc1     10.0.1.0/24    Enabled                IPV4_ONLY
subnet-b      us-east1     vpc1     10.0.2.0/24    Disabled               IPV4_ONLY
```

A VM in 'subnet-a' can access Google APIs via private IP, but a VM in 'subnet-b' cannot.

Question 40 (easy, multiple choice)

A company runs a private GKE cluster in us-central1. Pods need to access the internet for updates. Which configuration is required?

Question 41 (medium, multiple choice)

A company has an on-premises data center connected to GCP via Cloud VPN with dynamic routing (BGP). Recently, connectivity to a specific subnet (10.1.0.0/16) in GCP became intermittent. The VPN tunnel is up, and BGP sessions are established. What is the most likely cause?

Question 42 (hard, multiple choice)

An organization is deploying a Shared VPC with one host project and three service projects. Each service project has multiple VPC networks. They want to ensure that only the host project's network admin can create firewall rules affecting the shared VPC network. Which architecture satisfies this requirement?

Question 43 (medium, multiple choice)

A company wants to serve global static content from a Cloud Storage bucket. They need low latency worldwide and SSL termination at the edge. Which solution should they choose?

Question 44 (easy, multiple choice)

A company uses Private Service Connect (PSC) to access a managed SaaS application published by another company. The SaaS provider publishes a service attachment in their VPC. Which resource must the consumer create to connect to the service?

Question 45 (hard, multiple choice)

A company has a Dedicated Interconnect connection from their on-premises data center to GCP. They have set up BGP sessions over VLAN attachments to peer with their VPC. Traffic from on-premises to GCP works, but return traffic from GCP to on-premises is dropped at the on-premises firewall. What is the most likely cause?

Question 46 (medium, multiple choice)

A company is migrating an on-premises DNS service to Cloud DNS. They want to resolve on-premises hostnames from GCP VMs and resolve Google Cloud private zone names from on-premises. They have a Cloud VPN with BGP. Which architecture should they implement?

Question 47 (easy, multiple choice)

A network engineer notices unusual traffic patterns from a VM. They want to capture detailed information about each packet sent and received by the VM, including source and destination IPs, protocols, and ports. Which feature should they enable?

Question 48 (hard, multiple choice)

A company uses Cloud CDN with an external HTTP(S) load balancer. They have two origin server groups: a primary in us-central1 and a backup in europe-west1. They want traffic directed to the primary unless it is unhealthy, in which case traffic should fail over to the backup. Which configuration is required?

Question 49 (medium, multi select)

Which TWO are best practices for securing a VPC network? (Choose 2.)

Question 50 (medium, multi select)

Which THREE factors should be considered when choosing between a global external HTTP(S) load balancer and a regional external HTTP(S) load balancer? (Choose 3.)

Question 51 (easy, multi select)

Which TWO steps are required to set up a Cloud VPN with dynamic routing (BGP)? (Choose 2.)

Question 52 (easy, multiple choice)

A company is running workloads on Compute Engine instances without public IP addresses. They need to allow these instances to securely access the internet for software updates. Which Google Cloud service should be configured?

Question 53 (medium, multiple choice)

A company is deploying an internal HTTP application on Compute Engine instances. The application must be load-balanced across multiple instances in different regions, but only accessible from within the same VPC. Which load balancer type meets these requirements?

Question 54 (hard, multiple choice)

An organization has a Dedicated Interconnect with Cloud Router configured for BGP. The on-premises network advertises a prefix that overlaps with an existing VPC subnet. How does Google Cloud handle the overlapping prefix?

Question 55 (easy, multiple choice)

A company wants to forward DNS queries from their on-premises network to Google Cloud for resolution of private zone names. Which configuration is required?

Question 56 (medium, multiple choice)

A security team wants to allow traffic from a specific set of VMs with service account 'web-sa@project.iam.gserviceaccount.com' to access a database VM with tag 'db'. The VMs are in the same VPC. Which firewall rule configuration achieves this?

Question 57 (hard, multiple choice)

A large organization uses Shared VPC with multiple service projects. They have an on-premises network connected via Cloud Interconnect. They want the on-premises network to be able to reach instances in all service projects. What is the recommended configuration?

Question 58 (easy, multiple choice)

An e-commerce website uses Cloud CDN to cache static content. The origin is an external HTTP load balancer. What is the benefit of enabling Cloud CDN in this scenario?

Question 59 (medium, multiple choice)

A company wants to protect their application behind an external HTTP(S) load balancer from SQL injection attacks. Which Cloud Armor feature should be used?

Question 60 (hard, multiple choice)

A company has Compute Engine instances in a VPC that only have internal IP addresses. They need to access Google Cloud services like Cloud Storage and BigQuery. They also have on-premises servers that need to access the same instances via a Cloud VPN tunnel. What must be enabled for the instances to access Google APIs without public IPs?

Question 61 (medium, multi select)

Which TWO of the following are benefits of using Cloud NAT?

Question 62 (hard, multi select)

Which THREE of the following are requirements for VPC Network Peering?

Question 63 (easy, multi select)

Which TWO of the following load balancer types can distribute traffic to backends in multiple regions?

Question 64 (easy, multiple choice)

Refer to the exhibit. A Compute Engine instance has the network tags 'http-server' and 'ssh-server'. It also has a public IP address. Which of the following statements about traffic to this instance is true?

Exhibit

```
NAME              DIRECTION  PRIORITY  ALLOW            SOURCE_RANGES    TARGET_TAGS
allow-http        INGRESS    1000      tcp:80          0.0.0.0/0        http-server
allow-https       INGRESS    1000      tcp:443         0.0.0.0/0        https-server
allow-ssh         INGRESS    1000      tcp:22          10.0.0.0/8       ssh-server
deny-all          INGRESS    65535     icmp,udp,tcp    0.0.0.0/0        *
```

Question 65 (hard, multiple choice)

Refer to the exhibit. A Cloud Router has two BGP sessions. The first session is UP, the second is DOWN. What is the most likely cause for the second session being down?

Network Topology
```
cloud_routers describe my-router
region us-central1
bgpPeers:
- ipAddress: 169.254.0.1
  peerIpAddress: 169.254.0.2
  advertisedRoutePriority: 100
  bfd:
    sessionInitializationMode: ACTIVE
    minTransmitInterval: 500
    minReceiveInterval: 500
    multiplier: 5
  status: UP
  sessionDuration: 7d
- ipAddress: 169.254.1.1
  peerIpAddress: 169.254.1.2
  sessionInitializationMode: PASSIVE
  minTransmitInterval: 1000
  minReceiveInterval: 1000
  multiplier: 3
  status: DOWN
  sessionDuration: 0s
```

Question 66 (medium, multiple choice)

Refer to the exhibit. A DNS managed zone is configured with private visibility and associated with a VPC network. A Compute Engine instance in a different VPC network tries to resolve 'test.example.com' but fails. What is the most likely reason?

Exhibit

```
gcloud dns managed-zones describe example-zone
creationTime: '2023-01-01T12:00:00.000Z'
description: Example private zone
dnsName: example.com.
id: '1234567890'
kind: dns#managedZone
name: example-zone
nameServers:
- ns-cloud-c1.googledomains.com
- ns-cloud-c2.googledomains.com
- ns-cloud-c3.googledomains.com
- ns-cloud-c4.googledomains.com
privateVisibilityConfig:
  networks:
  - networkUrl: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/vpc1
visibility: private
```

Question 67 (easy, multiple choice)

A company uses Cloud NAT to enable outbound connectivity for private VMs. They notice that some VMs are not able to reach a specific external IP range. The VMs have no tags or service accounts. What is the most likely cause?

Question 68 (medium, multiple choice)

Your organization has an internal HTTP load balancer (ILB) in us-central1. The backend service is a managed instance group with a health check on port 8080. Recently, some instances are reported as unhealthy despite the application running fine. What is the most likely cause?

Question 69 (hard, multiple choice)

A media streaming company uses Cloud CDN with signed URLs to protect content. They want to invalidate cached content for a specific file after a security incident. The file is stored in a Cloud Storage bucket and the CDN cache key includes the URL. They run: gcloud compute url-maps invalidate-cdn-cache URL_MAP --path "/videos/incident.mp4". The invalidation succeeds but the old content is still served. What is the most likely reason?

Question 70 (easy, multiple choice)

You need to allow on-premises servers to access a Google Cloud VM's internal IP without using a public IP. The on-premises network is connected via Cloud VPN. What configuration is required on the Google Cloud side?

Question 71 (medium, multiple choice)

Your security team wants to block specific SQL injection attacks using Cloud Armor. You have configured a security policy with a preconfigured WAF rule for SQL injection (evaluatePreconfiguredExpr('sqli-stable')). The rule is set to DENY. However, legitimate traffic is being blocked intermittently. What should you adjust?

Question 72 (hard, multiple choice)

You are using Serverless VPC Access to connect Cloud Run services to a VPC network. The connector is in us-central1 with a /28 subnet. You have a Cloud SQL instance (private IP) in the same region but in a different VPC network (peered). The Cloud Run service cannot reach the Cloud SQL instance. What is the most likely cause?

Question 73 (easy, multiple choice)

You want to manage DNS records for a domain that you own in Google Cloud DNS. You create a public managed zone and add A records. After waiting several hours, the domain does not resolve. What is the most likely missing step?

Question 74 (medium, multiple choice)

You are configuring an SSL Proxy load balancer for HTTPS traffic. The backend service points to an instance group with a self-managed certificate. The load balancer's frontend uses a Google-managed certificate. Clients receive SSL errors indicating certificate mismatch. What is the most likely cause?

Question 75 (hard, multiple choice)

Your company uses Network Connectivity Center (NCC) to manage multiple on-premises sites connected via Cloud VPN and Partner Interconnect. You create a NCC hub and attach spokes (VPN tunnels and VLAN attachments). Traffic between two on-premises sites (Site A and Site B) should flow through Google Cloud. However, traffic is not passing between the sites. What is the most likely cause?

Question 76 (easy, multi select)

Which TWO actions should you take to configure Private Google Access for on-premises hosts connected via Cloud Interconnect?

Question 77 (medium, multi select)

Which TWO of the following are required when setting up an internal TCP/UDP load balancer (ILB) in a shared VPC environment?

Question 78 (hard, multi select)

Which THREE considerations are important when designing a Cloud CDN configuration for a global web application that serves both static and dynamic content?

Question 79 (hard, multiple choice)

Your company has a hybrid cloud architecture with two on-premises data centers: DC1 and DC2. Each DC is connected to Google Cloud via separate Cloud VPN tunnels (tunnel1 from DC1, tunnel2 from DC2) to a VPC in us-west1. The VPC has two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). DC1 has a subnet 192.168.1.0/24 and DC2 has 192.168.2.0/24. You configure BGP on both tunnels with the VPC dynamic routing, and each on-premises router advertises its local subnet. The VPC automatically imports the learned routes. You notice that traffic from DC1 to an instance in subnet-a (10.0.1.5) works, but traffic from DC2 to the same instance fails intermittently. Additionally, traffic from DC2 to DC1 (192.168.1.0/24) fails completely. You check the route tables and see that both tunnels have learned the routes for the remote subnets. What is the most likely cause and solution?

Question 80 (easy, multiple choice)

A company has deployed an HTTP load balancer with a backend service configured to use an unmanaged instance group. Users report that traffic is not reaching the backend instances. The backend instances are healthy and have proper firewall rules allowing traffic from the load balancer. What step should the network engineer take to resolve the issue?

Question 81 (medium, multiple choice)

A company uses Cloud NAT for outbound internet access. Engineering notices that some VM instances fail to connect to external services during peak hours. The network engineer suspects port exhaustion. Which action would best mitigate this issue?

Question 82 (hard, multiple choice)

A multinational company has a Shared VPC environment with multiple service projects. They need to allow a specific service project to use its own Cloud DNS private zone that resolves to internal IPs in the Shared VPC. Which configuration ensures this without exposing the zone to other projects?

Question 83 (easy, multiple choice)

A company has a Cloud VPN tunnel to on-premises. They want on-premises clients to resolve private DNS names in the VPC. Which service should they configure?

Question 84 (medium, multiple choice)

A gaming company uses Cloud Armor with an external HTTP(S) load balancer to protect against DDoS attacks. They need to restrict access to the load balancer based on geographic region. What should they configure?

Question 85 (easy, multi select)

Which TWO configurations can enable VM instances without external IPs to access the internet? (Choose TWO.)

Question 86 (medium, multi select)

Which THREE components are required when configuring an internal TCP/UDP load balancer? (Choose THREE.)

Question 87 (hard, multi select)

A company uses Cloud VPN with dynamic routing (BGP). The on-premises network advertises a prefix that overlaps with a subnet in the VPC. Which TWO actions can resolve this conflict? (Choose TWO.)

Question 88 (easy, multiple choice)

A company has a VPC with subnet 10.1.0.0/24 in us-central1. They created a Cloud NAT gateway named 'nat-us-central1' attached to that subnet. During peak hours, many VM instances in the subnet cannot connect to the internet. The NAT configuration shows only one NAT IP. Firewall rules allow egress traffic, and health checks confirm the NAT gateway is functioning. What is the most likely cause of the failure?

Network Topology

router=router-1
region=us-central1
output:
ipNatIpRange: ['35.193.128.1/32']
udpIdleTimeoutSec: 30
tcpEstablishedIdleTimeoutSec: 1200
tcpTransitoryIdleTimeoutSec: 30

Question 89 (medium, multiple choice)

A company has two VPC networks in the same project: Network A (hosting a private zone for 'example.internal.') and Network B. They are connected via VPC peering. The network engineer created a DNS peering zone in Network B for 'example.internal.' pointing to Network A. However, instances in Network B cannot resolve 'host.example.internal.' which is defined in Network A's private zone. The engineer verified that the peering zone is active and the networks are properly peered. What is the most likely reason for the resolution failure?

Question 90 (hard, multiple choice)

A company uses Cloud Armor with an external HTTPS load balancer to protect their web application. They have a security policy 'my-policy' attached to the backend service. The policy includes an allow rule (priority 1000) for their corporate IP range (203.0.113.0/24) and a deny rule (priority 2000) for all other IPs. The company has an office at a remote location that uses a different IP range (198.51.100.0/24). Employees from the remote office report they cannot access the application. Meanwhile, employees from the corporate office (203.0.113.0/24) can access. The engineer checks the Cloud Armor policy and sees the rule configuration as shown. What is the most likely cause?

Exhibit

gcloud compute security-policies describe my-policy --format=json | jq '.rules[] | {priority: .priority, match: .match.config.srcIpRanges, action: .action}'

output:
{"priority":1000,"match":{"config":{"srcIpRanges":["203.0.113.0/24"]}},"action":"allow"}
{"priority":2000,"match":{"config":{"srcIpRanges":["*"],"versionedExpr":"SRC_IPS_V2"}},"action":"deny(403)"}

Question 91 (easy, multiple choice)

A service provider uses a Shared VPC with multiple service projects. The host project has a Cloud NAT configured for subnet 10.1.0.0/24 to provide outbound internet access to all service projects using that subnet. A new service project needs to use its own Cloud NAT for its VM instances in subnet 10.1.0.0/24 to meet compliance requirements. The network engineer attempts to create a Cloud NAT in the service project for that subnet but receives an error that the subnet already has a NAT gateway. What action should the engineer take to meet the compliance requirement?

Question 92 (medium, multiple choice)

A company has two VPC networks (VPC-A and VPC-B) in the same project. They are connected via VPC peering. VPC-A contains an internal TCP load balancer with IP 10.1.2.3 serving on port 80. VPC-B needs to access this load balancer. The network engineer has verified that the firewall rules allow traffic from VPC-B to the load balancer's IP and port. However, instances in VPC-B cannot connect to 10.1.2.3:80. What is the most likely reason for this failure?

Question 93 (hard, multiple choice)

A company has deployed an external HTTPS load balancer with a Cloud CDN backend. The load balancer uses a managed SSL certificate. Recently, the company updated their DNS record to point to a different IP address of a new load balancer. After the change, some users are still being served from the old load balancer's cache. The network engineer has confirmed that the DNS TTL has expired. What is the most likely cause of this issue?

Question 94 (medium, multiple choice)

A company has deployed a web application on Compute Engine instances in a VPC with subnet 10.1.0.0/20. The instances need to access an external API that whitelists IP addresses. The company uses Cloud NAT to provide outbound connectivity. The API integration tests are failing, and the operations team suspects that the source IP addresses seen by the API are not consistent. What is the most likely cause and solution?

Question 95 (easy, multi select)

A network engineer is designing a hybrid cloud architecture connecting an on-premises data center to Google Cloud via Dedicated Interconnect. The on-premises network uses BGP for dynamic routing. The engineer needs to configure Cloud Router to exchange routes with the on-premises router. Which two configuration steps are required? (Choose two.)

Question 96 (hard, multiple choice)

Refer to the exhibit. A network team has created this load balancer. Clients inside the VPC are unable to connect to the load balancer's IP address from a Compute Engine instance in the same VPC. What is the most likely cause?

Exhibit

$ gcloud compute forwarding-rules describe my-https-lb --region=us-central1
---
creationTimestamp: '2024-01-15T10:30:00.000-08:00'
description: ''
IPAddress: 34.123.45.67
IPProtocol: TCP
loadBalancingScheme: INTERNAL_MANAGED
name: my-https-lb
networkTier: STANDARD
portRange: 443-443
region: us-central1
target: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/targetHttpsProxies/my-https-proxy

Question 97 (medium, multiple choice)

A multinational corporation has deployed a multi-region application on Google Kubernetes Engine (GKE) clusters in us-central1 and europe-west1. The application serves global users and requires low-latency access to a shared database hosted on Cloud SQL in us-central1. The network team has configured Cloud VPN tunnels between each region and the on-premises data center for administrative access. The application instances in europe-west1 are experiencing high latency when connecting to the Cloud SQL instance in us-central1. The team wants to reduce latency without migrating the database. The team has already verified that the Cloud SQL instance has private IP enabled and is peered to a shared VPC that spans both regions. The GKE clusters are in the same shared VPC. What should the team do?
