
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PCNE Implementing VPC Instances • Complete Question Bank

PCNE Implementing VPC Instances — All Questions With Answers

Complete PCNE Implementing VPC Instances question bank — all 0 questions with answers and detailed explanations.

100 questions
Question 1 (easy, multiple choice)

An engineer needs to provide outbound internet access to a set of Compute Engine instances that have only internal IP addresses. The instances must use a static IP address for outbound traffic. Which solution should they implement?

Question 2 (medium, multiple choice)

A security team wants to enforce a policy that blocks all egress traffic to the internet from a specific set of VMs across multiple projects in an organization. The policy should be centrally managed and override VPC-level firewall rules. Which approach should they use?

Question 3 (hard, multiple choice)

An organization needs to restrict access to Google Cloud APIs such that only traffic from a specific set of VMs inside a VPC can reach the APIs, and all other traffic (including from other VPCs) must be denied. The VMs do not have external IPs. Which combination of services should they use?

Question 4 (easy, multiple choice)

A developer wants to allow HTTP (port 80) traffic from the internet to a set of Compute Engine instances that have a tag "web-server". Which firewall rule should they create?

Question 5 (medium, multiple choice)

A company has a VPC with a subnet in us-central1. They launched a Compute Engine instance named "app-server" in that subnet without an external IP. They need the instance to be able to download updates from the internet. Which two steps must be taken?

Question 6 (hard, multiple choice)

An organization uses a hierarchical firewall policy at the organization level with a deny-all egress rule (priority 100). They also have a VPC-level firewall rule allowing egress to a specific external IP (priority 1000). Will traffic to that external IP be allowed?

Question 7 (medium, multiple choice)

An engineer wants to allow traffic from a specific service account to a Compute Engine instance. Which firewall rule option should they use for the source?

Question 8 (easy, multiple choice)

What is the default MTU for Compute Engine instances on Google Cloud?

Question 9 (medium, multiple choice)

A company wants to publish a service running on Compute Engine instances in their VPC so that consumers in other VPCs can access it via private IPs without needing VPC peering. Which service should they use?

Question 10 (hard, multiple choice)

An organization needs to protect a web application behind an HTTPS Load Balancer from SQL injection attacks. They want to use a managed WAF solution. Which Google Cloud service should they configure?

Question 11 (medium, multiple choice)

An engineer needs to configure DNS resolution for a Compute Engine instance named "web-1" in zone us-central1-a of project my-project. What is the internal DNS name for this instance?

Question 12 (easy, multiple choice)

A Compute Engine instance has multiple network interfaces. Which interface is considered the primary (NIC0)?

Question 13 (medium, multi select)

A company wants to restrict access to Google Cloud Storage so that only traffic originating from a specific VPC network is allowed. They also need to prevent data exfiltration to other VPCs. Which two services should they use? (Choose two.)

Question 14 (hard, multi select)

An organization has a VPC with multiple subnets. They want to log all outbound connections from instances to the internet for compliance. They also want to use a cost-effective solution that doesn't require a proxy. Which three components are needed? (Choose three.)

Question 15 (medium, multi select)

An engineer needs to allow HTTP health checks from the Google Cloud health checker IP ranges to a set of instances. Which two methods can be used to target the firewall rule correctly? (Choose two.)

Question 16 (medium, multiple choice)

A company has Compute Engine instances without external IPs in a VPC. They need to reach Google APIs such as Cloud Storage and BigQuery. Which configuration will meet this requirement with minimal cost and operational overhead?

Question 17 (medium, multiple choice)

A network engineer wants to restrict access to a Cloud Storage bucket from only a specific set of Compute Engine instances in a VPC. The instances have no external IPs. What is the most effective way to enforce this restriction?

Question 18 (easy, multiple choice)

A company wants to protect its HTTP(S) Load Balancer against DDoS attacks and common web exploits like SQL injection and cross-site scripting. Which Google Cloud service should they use?

Question 19 (medium, multiple choice)

An organization has multiple VPCs in different projects that need to consume a common internal service hosted in a central project. The service runs on a set of Compute Engine instances with internal IPs. Which architecture allows the consumers to access the service using private IPs without VPC peering?

Question 20 (hard, multiple choice)

A company has a VPC with a subnet in us-central1. Compute Engine instances in that subnet have no external IPs but need to reach the internet for software updates. The engineer configured Cloud NAT with the default settings. However, instances fail to reach the internet. What is the most likely cause?

Question 21 (medium, multiple choice)

A network engineer needs to create a firewall rule that blocks all ingress traffic from the internet to Compute Engine instances tagged 'web-server', except for traffic from the organization's VPN gateway at IP 203.0.113.1. The engineer creates a rule with priority 1000, deny ingress, source IP ranges 0.0.0.0/0, and targets 'web-server'. To allow the VPN IP, what should the engineer do?

Question 22 (easy, multiple choice)

A company wants to ensure that Compute Engine instances in a VPC can resolve internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. What is required for this to work?

Question 23 (hard, multiple choice)

A company has deployed a network appliance (e.g., firewall) as a Compute Engine instance with two NICs: NIC0 for management and NIC1 for data traffic. The appliance must forward traffic from instances in subnet A to subnet B. The engineer has enabled IP forwarding on the appliance. What additional configuration is required on the VPC for the appliance to route traffic between subnets?

Question 24 (medium, multiple choice)

A company wants to apply consistent firewall rules across all projects in an organization. They need to block all traffic to ports 22 and 3389 from the internet to any VMs in any project. Which approach is most scalable and maintainable?

Question 25 (easy, multiple choice)

A developer is configuring a Compute Engine VM to host a web server. They want to ensure that only HTTP (port 80) and HTTPS (port 443) traffic from the internet is allowed. Which firewall rule should they create?

Question 26 (medium, multiple choice)

A company is using Cloud NAT to provide outbound internet access for instances without external IPs. They notice that the NAT gateway is running out of ports for connections to a single external IP address. To minimize port exhaustion, what should the engineer configure?

Question 27 (hard, multiple choice)

An organization needs to prevent exfiltration of data from a Cloud Storage bucket to external IPs. The bucket is accessed by Compute Engine instances in a VPC. The instances need to read and write data to the bucket but should not be able to copy data to external networks. Which combination of controls meets this requirement?

Question 28 (medium, multi select)

A company wants to allow access to a Cloud Storage bucket only from Compute Engine instances that have a specific service account and are within a specific VPC. They also want to prevent access from other networks. Which TWO services or features should they use together?

Question 29 (hard, multi select)

A company has an HTTP Load Balancer that distributes traffic to a backend service consisting of Compute Engine instance groups. They need to block traffic from specific geographic regions and also rate-limit requests from any IP. Which THREE Cloud Armor features should they configure?

Question 30 (medium, multi select)

An organization wants to publish an internal web service running on Compute Engine to consumers in different VPCs. The service must be accessible via private IPs without VPC peering. Which THREE components are required to set this up using Private Service Connect?

Question 31 (easy, multiple choice)

An engineer needs to provide outbound internet access to Compute Engine instances that do not have external IP addresses. The solution must allow instances to access a specific set of external IPs only. What should the engineer configure?

Question 32 (medium, multiple choice)

You need to configure firewall rules to allow HTTP (TCP 80) traffic from the internet to instances in a VPC. The instances are in different subnets and have a network tag 'web-server'. You want to minimize the number of rules. Which rule configuration is correct?

Question 33 (medium, multiple choice)

An organization has two VPCs in the same project: VPC-A and VPC-B. They want instances in VPC-A to reach Cloud Storage buckets without external IPs. What is the simplest solution?

Question 34 (hard, multiple choice)

A company uses hierarchical firewall policies at the organization level. They need to allow SSH (TCP 22) access from a specific range 10.0.0.0/8 to all VMs, but a child folder has a policy that denies all ingress traffic. Which rule priority ordering ensures SSH access is allowed?

Question 35 (medium, multiple choice)

Your VPC has instances with internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. You need to ensure that DNS resolution works for instances in the same zone using short names (e.g., 'instance1'). Which condition must be met?

Question 36 (hard, multiple choice)

You are deploying a third-party network appliance (e.g., firewall) in a GCP VPC. The appliance requires multiple network interfaces for traffic isolation. You create a VM with three NICs in different subnets. What is a key consideration for routing traffic through the appliance?

Question 37 (medium, multiple choice)

You need to protect an HTTPS load-balanced application from SQL injection and cross-site scripting attacks. Which Google Cloud service should you use?

Question 38 (easy, multiple choice)

An organization wants to prevent data exfiltration from a project that uses Google Cloud Storage and BigQuery. They need to restrict access to these services from only the authorized VPC networks. Which service should they use?

Question 39 (medium, multiple choice)

You have a Cloud NAT gateway configured in a region with 256 available ports. You allocate static NAT ports to a specific VM for outbound connections. What is the minimum number of ports you should allocate to ensure the VM can handle 500 concurrent connections?

Question 40 (hard, multiple choice)

An engineer is troubleshooting connectivity from a Compute Engine instance (internal IP: 10.0.0.2) to an on-premises server (IP: 203.0.113.5) over a Cloud VPN tunnel. The traffic reaches the on-premises network, but the return traffic is dropped. What is the most likely cause?

Question 41 (medium, multiple choice)

A company wants to publish an internal service (e.g., a database) in their VPC so that consumers in other VPCs can connect to it privately via Private Service Connect (PSC). What must be created on the producer side?

Question 42 (easy, multiple choice)

Which statement about Cloud Armor security policies is true?

Question 43 (medium, multi select)

You need to allow instances with network tag 'db' in subnet-a to only accept connections on TCP port 3306 from instances with network tag 'app' in subnet-b. Which TWO firewall rules should you create? (Choose 2)

Question 44 (hard, multi select)

You are configuring a VPC Service Controls perimeter to protect a project containing BigQuery datasets. Access should be allowed only from a specific VPC network and only for users with a specific access level. Which THREE components must you define? (Choose 3)

Question 45 (easy, multi select)

An engineer needs to deploy a VM that acts as an internet gateway for other instances in the same VPC. The VM must have IP forwarding enabled and must be able to accept traffic on multiple NICs. Which TWO actions are required? (Choose 2)

Question 46 (easy, multiple choice)

An engineer is configuring a Google Compute Engine instance that needs to send traffic to the internet. The instance has no external IP address. Which service must be configured to allow this outbound connectivity?

Question 47 (easy, multiple choice)

A company wants to restrict access to Google Cloud APIs from a specific set of VMs based on the VM's service account. Which type of firewall rule target should be used?

Question 48 (medium, multiple choice)

A network engineer needs to create a firewall rule that denies all inbound traffic to instances with the tag 'web-server' from source IP range 10.0.0.0/8. They also have an existing allow rule with priority 1000 that permits traffic from 10.0.0.0/8 to those instances. To ensure the deny rule takes precedence, what priority should the new rule have?

Question 49 (medium, multiple choice)

An organization has multiple projects and wants to apply a consistent set of firewall rules across all VPC networks in the organization. Which approach should they use?

Question 50 (easy, multiple choice)

What is the default Maximum Transmission Unit (MTU) for Compute Engine virtual machines?

Question 51 (medium, multiple choice)

A company wants to protect its external HTTPS load balancer from SQL injection and cross-site scripting attacks. Which Google Cloud service should they use?

Question 52 (hard, multiple choice)

A Compute Engine instance is running a network appliance that requires multiple network interfaces. What is the primary purpose of attaching additional NICs (e.g., NIC1, NIC2) to the instance?

Question 53 (medium, multiple choice)

An organization wants to allow on-premises hosts to connect to a Cloud SQL instance privately without traversing the public internet. They have a Cloud VPN tunnel set up. What additional step is required?

Question 54 (medium, multiple choice)

A company wants to restrict which Google Cloud APIs can be accessed by its VMs in a specific project. They also want to prevent data exfiltration. Which service should they use?

Question 55 (hard, multiple choice)

A company uses Cloud NAT with a static NAT IP address. They notice that connections from their instances are failing after a few minutes. What is the most likely cause?

Question 56 (easy, multiple choice)

What is the internal DNS name format for a Compute Engine instance named 'web-server' in zone 'us-central1-a' within project 'my-project'?

Question 57 (hard, multiple choice)

An organization wants to allow only certain users to access a service published via Private Service Connect. They need to restrict access based on the source VPC network. What should they use?

Question 58 (medium, multi select)

Which TWO of the following are valid ways to target firewall rules in Google Cloud? (Select 2)

Question 59 (medium, multi select)

Which THREE of the following are benefits of using hierarchical firewall policies? (Select 3)

Question 60 (hard, multi select)

A company wants to use Cloud Armor to block traffic from a specific IP range (198.51.100.0/24) and also apply rate limiting. Which TWO components are needed? (Select 2)

Question 61 (easy, multiple choice)

A network engineer needs to ensure that Compute Engine instances without external IP addresses can access Google APIs such as BigQuery and Cloud Storage. Which feature should be enabled on the subnet where the instances reside?

Question 62 (easy, multiple choice)

An engineer is configuring a Compute Engine instance with multiple network interfaces for use as a network appliance. Which interface is considered the primary interface for default routes and instance metadata?

Question 63 (easy, multiple choice)

A company wants to protect its HTTPS Load Balancer from DDoS attacks and common web application attacks like SQL injection and cross-site scripting (XSS). Which Google Cloud service should be used?

Question 64 (medium, multiple choice)

An organization has multiple VPCs in the same project. They want to apply consistent firewall rules to all VPCs at the project level. What is the most efficient way to achieve this?

Question 65 (medium, multiple choice)

An engineer is troubleshooting outbound connectivity from a Compute Engine instance that has no external IP. The instance needs to reach an external service on the internet. Cloud NAT is configured on the VPC network. However, the instance cannot connect. What is the most likely cause?

Question 66 (medium, multiple choice)

A company wants to publish a custom internal service running in their VPC so that consumers in other VPCs can access it using private IP addresses. Which service should they use?

Question 67 (medium, multiple choice)

An organization wants to restrict which Google APIs can be accessed by resources in a specific VPC. They also want to prevent data exfiltration to unauthorized projects. Which Google Cloud service should they use?

Question 68 (medium, multiple choice)

An engineer has configured a firewall rule with priority 1000 that allows ingress traffic on TCP port 443 from source IP range 10.0.0.0/8. Another rule with priority 500 denies ingress on TCP port 443 from source IP 10.0.1.0/24. What will happen to traffic from 10.0.1.5 destined to the instance on port 443?

Question 69 (medium, multiple choice)

A company wants to provide outbound internet access to Compute Engine instances without external IPs, while minimizing IP address consumption. Which Cloud NAT feature should be used to achieve minimal static IP usage?

Question 70 (hard, multiple choice)

An engineer needs to create a firewall rule that applies only to instances with the tag 'web-server' in a specific VPC network. The rule should allow ingress from any source on TCP port 80. Which combination of fields must be set in the gcloud command?

Question 71 (hard, multiple choice)

A company uses VPC Service Controls with a service perimeter that includes Project A. They want to allow an external identity from Project B (outside the perimeter) to access a Cloud Storage bucket in Project A, but only during business hours. Which VPC Service Controls feature should they use?

Question 72 (hard, multiple choice)

An engineer needs to configure Cloud Armor to block requests from a specific IP address (10.1.2.3) while allowing all other traffic. They create a security policy with a deny rule for that IP and an allow rule for all traffic. What priority should the deny rule have relative to the allow rule?

Question 73 (medium, multi select)

A company runs a web application on Compute Engine instances without external IPs. They need to ensure the instances can access Google APIs (e.g., Cloud Storage) and also provide outbound internet access for software updates. Which two features should be configured? (Choose two.)

Question 74 (medium, multi select)

An organization wants to enforce that only instances with specific service accounts can be accessed via SSH (TCP 22) from the internet. Which two attributes should be used in the firewall rule to achieve this? (Choose two.)

Question 75 (hard, multi select)

A company wants to deploy a network appliance (e.g., firewall) on a Compute Engine instance that requires inspecting traffic between two VPCs. The instance must have interfaces in both VPCs. Which three configurations are required? (Choose three.)

Question 76 (easy, multiple choice)

A company wants to allow instances in a VPC without external IPs to access Google APIs like BigQuery and Cloud Storage. Which configuration is required?

Question 77 (medium, multiple choice)

An engineer needs to set up a firewall rule that allows health check probes from Google Cloud's health check ranges (130.211.0.0/22 and 35.191.0.0/16) to a backend instance group. The rule should apply only to instances with the 'backend' network tag. What is the correct configuration?

Question 78 (hard, multiple choice)

An organization has multiple projects under an organization node. They need to enforce a security policy that denies all inbound SSH traffic (tcp:22) to all VMs across all projects, but must allow certain projects to override this. Which approach should be used?

Question 79 (medium, multiple choice)

An engineer is deploying a network appliance (e.g., a firewall) in a VPC. The appliance needs to handle traffic between different subnets. How many network interfaces should the appliance VM have, and why?

Question 80 (medium, multiple choice)

A company has an application running on Compute Engine that needs to send traffic to a third-party SaaS service on the internet. The VMs have no external IPs. Which solution provides outbound connectivity with minimal configuration and allows source IP preservation?

Question 81 (hard, multiple choice)

An engineer is troubleshooting a firewall rule issue. A VM with network tag 'web' is unable to receive HTTP traffic from the internet. The VPC has an ingress firewall rule allowing tcp:80 from 0.0.0.0/0 to targets with tag 'web' at priority 1000. Another ingress rule denies all ingress traffic at priority 65535. What is the likely cause?

Question 82 (easy, multiple choice)

What is the default MTU for Compute Engine virtual machines?

Question 83 (medium, multiple choice)

An organization wants to consume a third-party SaaS service via a private endpoint in their VPC, using Private Service Connect. Which type of Private Service Connect endpoint should they create?

Question 84 (medium, multiple choice)

A security team wants to block traffic from specific geographic regions (e.g., Country A) to their HTTP(S) load balancer. Which Google Cloud service should they use?

Question 85 (hard, multiple choice)

An engineer has multiple projects with overlapping IP ranges. They want to create a single Cloud NAT gateway to provide outbound internet access for instances in two different VPCs that are connected via VPC Network Peering. Is this possible?

Question 86 (easy, multiple choice)

What is the internal DNS name format for a Compute Engine instance named 'web-server' in the 'us-central1-a' zone within the project 'my-project'?

Question 87 (medium, multiple choice)

A company has deployed a Cloud Armor security policy with the following rules: Rule 1: allow from IP range 10.0.0.0/8 (priority 1000); Rule 2: deny from all (priority 2000). What will be the action for traffic from IP 10.1.1.1?

Question 88 (medium, multi select)

A company wants to restrict access to Google Cloud Storage from a specific VPC only, using VPC Service Controls. Which TWO components are required to create a service perimeter? (Choose two.)

Question 89 (hard, multi select)

An organization needs to deploy a multi-tier web application on Compute Engine. The web tier must be accessible from the internet, while the database tier must only be accessible from the web tier. The security team requires a defense-in-depth approach. Which THREE measures should be implemented? (Choose three.)

Question 90 (medium, multi select)

A company uses Cloud NAT for outbound internet access. They want to ensure that all connections from their VMs use a predictable public IP address for whitelisting with third-party services. Which TWO configurations should be applied? (Choose two.)

Question 91 (medium, multiple choice)

An engineer needs to provide outbound internet access to a set of Compute Engine instances that do not have external IP addresses. The instances are in a VPC subnet with a Cloud NAT configured. However, the instances still cannot reach the internet. The engineer verified that Cloud NAT is configured on the same region and VPC as the instances. What is the most likely cause?

Question 92 (easy, multiple choice)

A company wants to restrict access to Google Cloud APIs from a specific VPC network so that only the Google APIs listed in the VPC Service Controls perimeter can be accessed. Which configuration should be used?

Question 93 (hard, multiple choice)

A network engineer configured a hierarchical firewall policy at the organization level with a priority 100 rule that denies all ingress traffic. At the folder level, a policy with priority 110 allows ingress from a specific IP range. At the VPC level, a network firewall policy with priority 90 allows ingress from a different IP range. Which traffic will be allowed?

Question 94 (medium, multi select)

An engineer needs to configure a Compute Engine instance as a network appliance that routes traffic between two subnets within the same VPC. The instance must handle traffic for both subnets. Which TWO actions are required? (Choose TWO.)

Question 95 (easy, multi select)

A company wants to protect its HTTP(S) Load Balancer from layer 7 attacks, including SQL injection and cross-site scripting (XSS). Which TWO Google Cloud services or features should be used together? (Choose TWO.)

Question 96 (medium, multi select)

An organization wants to publish a private service using Private Service Connect (PSC) so that consumers in other VPCs can access it via private IPs. Which TWO resources are required on the producer side? (Choose TWO.)

Question 97 (hard, multi select)

A security team needs to block traffic from a specific geographic region (country) from reaching their HTTP Load Balancer. Additionally, they need to allow traffic from specific IP ranges that are known to be legitimate, even if they originate from that blocked region. Which THREE steps should they take? (Choose THREE.)

Question 98 (medium, multi select)

A company has a VPC with subnets in us-central1 and europe-west1. They need to allow Compute Engine instances in us-central1 (without external IPs) to access Google Cloud Storage buckets in the US multi-region. They also need to ensure the traffic does not traverse the public internet. Which TWO configurations are required? (Choose TWO.)

Question 99 (hard, multi select)

An engineer needs to configure Cloud NAT with logging enabled to monitor traffic from a specific subnet. The NAT gateway uses automatic NAT IP allocation. The engineer wants to ensure that if a single VM uses many connections, it does not exhaust the available ports for other VMs. Which THREE settings should be configured? (Choose THREE.)

Question 100 (easy, multi select)

A company wants to allow traffic to a specific set of Compute Engine instances only from a single management instance that uses a service account. The management instance has the service account 'sa-mgmt@project.iam.gserviceaccount.com'. Which TWO firewall rule configurations can achieve this? (Choose TWO.)
