
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Configuring network security

Practice PCSE Configuring network security questions with full explanations on every answer.


PCSE Domains

Configuring network security
Configuring access within a cloud solution environment
Ensuring data protection
Managing operations in a cloud solution environment
Supporting compliance requirements


All PCSE Configuring network security questions (86)


1

Your organization has a VPC with several subnets hosting Compute Engine instances. You need to allow SSH access (port 22) to instances in the 'management' subnet from the internet, but only from the office's static IP range (203.0.113.0/24). All other ingress traffic to that subnet should be blocked. Which firewall rule configuration should you create?

2

Your company is deploying a web application on Google Kubernetes Engine (GKE) with an Internal Load Balancer (ILB) as the ingress. The application must only be accessible from within the same VPC and from an on-premises network connected via Cloud VPN. The on-premises network uses IP range 10.0.0.0/8. You have already created the ILB with a backend service. What is the most secure way to restrict access to the ILB?

3

You have a Compute Engine VM that hosts a custom application. The VM has a tag 'app-server' and is in a VPC network with the following firewall rules (priority order from lowest to highest):
Rule 1: Priority 1000, direction INGRESS, source 0.0.0.0/0, target tag 'app-server', protocol tcp:80, action allow
Rule 2: Priority 500, direction INGRESS, source 10.0.0.0/8, target tag 'app-server', protocol tcp:80, action deny
Rule 3: Priority 2000, direction INGRESS, source 192.168.0.0/16, target tag 'app-server', protocol tcp:80, action allow
A user from IP 10.0.0.5 tries to access the application on port 80. Will the request be allowed or denied?

4

Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?

5

You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?

6

You are a security engineer for a company that runs a critical application on Google Cloud. You need to implement defense in depth for network security. Which TWO of the following are effective network security controls that you should implement?

7

Your company has a VPC with multiple subnets. You have deployed a set of Compute Engine instances that must communicate with each other over TCP port 4444. The instances are tagged with 'app-tier'. You need to ensure that only these instances can communicate on this port. Which THREE of the following steps are necessary to achieve this?

8

You are designing network security for a multi-region GKE cluster with Pods that need to communicate across regions over a private network. The cluster uses VPC-native mode. Which Google Cloud networking feature should you use to ensure low-latency and secure inter-region Pod-to-Pod communication without traversing the public internet?

9

Your organization requires that all egress traffic from a VPC network be inspected by a third-party security appliance before leaving the network. The appliance is deployed in a separate VPC. What is the most scalable and maintainable way to route traffic through the appliance?

10

A security engineer is troubleshooting connectivity issues between two Compute Engine instances in the same VPC but in different subnets. Both instances have internal IPs and are in the same region. The firewall rules allow ingress from 10.0.0.0/8. However, traffic is failing. What is the most likely cause?

11

Which TWO options are valid methods to secure data in transit between an on-premises data center and a Google Cloud VPC?

12

Which THREE components are required to configure VPC Flow Logs for a Compute Engine instance?

13

Your organization wants to ensure that no Compute Engine instance can have a public IP address. What is the best way to enforce this policy?

14

A company is using a Shared VPC in Google Cloud with multiple service projects. The security team wants to restrict egress traffic from a specific service project to only allowed external IP addresses. The network project hosts the VPC. What is the best approach?

15

Your organization has a hybrid network with an on-premises data center connected to Google Cloud via a Dedicated Interconnect. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) and Google Cloud VPC has a subnet in 10.1.0.0/16. You've configured a Cloud Router with BGP to exchange routes. Recently, you set up a new VPC with a subnet in 10.2.0.0/16 and peered it with the first VPC using VPC Network Peering. You notice that on-premises traffic destined to 10.2.0.0/16 is being dropped. You verify that the firewall rules allow the traffic and that BGP routes for 10.2.0.0/16 are not advertised on-premises. What should you do to enable connectivity from on-premises to the new VPC?

16

You are a security engineer for a financial services company that processes sensitive customer data. Your architecture includes two VPCs: 'data-vpc' (10.1.0.0/16) containing BigQuery datasets and Cloud Storage buckets, and 'app-vpc' (10.2.0.0/16) containing Compute Engine instances running a customer-facing application. The application needs to read from BigQuery and write to Cloud Storage. You have configured VPC Network Peering between the VPCs. Additionally, you have set up Private Google Access on all subnets in 'data-vpc' and 'app-vpc'. The application instances cannot connect to BigQuery or Cloud Storage. You have verified that firewall rules allow egress traffic to the Google APIs IP range (199.36.153.4/30) and that DNS resolution works correctly. What is the most likely cause of the connectivity failure?

17

A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?

18

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project contains Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. The perimeter is defined with the project as a protected project. Which TWO actions are valid to restrict data exfiltration while maintaining necessary access?

19

Drag and drop the steps to configure a VPC Service Controls perimeter in the correct order.

20

Drag and drop the steps to respond to a data breach involving a Cloud Storage bucket in the correct order.

21

Match each Google Cloud security tool to its primary purpose.

22

Match each encryption scope to its description.

23

A company has configured a VPC firewall rule to allow HTTP traffic from a specific source IP range 203.0.113.0/24. However, HTTP requests from that range are being denied. Which initial verification should the security engineer perform?

24

A company is using Cloud NAT to allow instances in a private subnet to access the internet. They notice that some instances are unable to reach external services. The NAT gateway is configured with a single IP address. Which action would most likely resolve the issue?

25

A company has a hybrid cloud setup with a Cloud VPN tunnel to an on-premises network. They want to ensure that traffic from on-premises to a specific VPC subnet is routed through a specific next hop appliance for inspection. How can they achieve this?

26

An organization uses Shared VPC to centrally manage network resources. They want to allow a service project to use its own firewall rules for certain instances. How should they configure the firewall rules?

27

A security engineer wants to block all SSH access from the internet to a VPC network, except for a specific bastion host. What is the most efficient way to configure this?

28

A company is using VPC Service Controls to protect their Google Cloud Storage buckets. They want to allow a specific instance to access a bucket from within a VPC. What networking configuration is required?

29

A company has multiple VPC networks that need to communicate privately. They are evaluating VPC peering and Shared VPC. Which statement correctly describes a limitation of VPC peering compared to Shared VPC?

30

A developer needs to allow a specific Compute Engine instance to communicate with a Cloud SQL database instance. Both are in the same project but different VPC networks. What is the simplest secure method?

31

A company is deploying a firewall appliance in a VPC to inspect traffic. They create custom routes to direct traffic to the appliance. Which step is necessary to ensure the appliance can forward traffic back?

32

A company is designing a network architecture for a multi-region application. They want to minimize latency and maximize availability. Which two features should they consider? (Choose two.)

33

A security engineer needs to restrict outbound traffic from a VPC to only allow specific external IP ranges. Which three components must be configured? (Choose three.)

34

A company is migrating workloads to Google Cloud and wants to ensure that their VPC network is secure by default. Which two best practices should they follow? (Choose two.)

35

A user is unable to SSH into an instance that has the tag 'ssh-access' and an internal IP 10.0.0.2. The user's IP is 198.51.100.1. What is the most likely reason?

36

An engineer has enabled Private Google Access on the subnet. However, instances in the subnet cannot access Google APIs (e.g., storage.googleapis.com) using their internal IPs. What is the most likely issue?

37

A company has a VPC network with a default route to the internet gateway. They want all egress traffic to go through a firewall appliance instead. They create a new route with a next hop to the appliance and a priority of 500. However, traffic is still going through the internet gateway. What is the most likely reason?

38

A company runs a GKE cluster with multiple node pools, including one pool of confidential VMs. The security team wants to ensure that only traffic from the internal VPC (10.0.0.0/8) can reach the nodes' metadata server. Which configuration should be applied?

39

A company has two VPC networks in the same project: VPC-A (10.0.0.0/16) and VPC-B (172.16.0.0/16). They have established VPC peering between them. An instance in VPC-A needs to communicate with an instance in VPC-B on TCP port 443. What is the minimal firewall configuration needed?

40

A company has a VPC with a subnet (10.1.0.0/24) in us-central1. They have a Cloud NAT configured for outbound traffic to the internet. They want instances in this subnet to access a third-party API that is only accessible over the internet and requires a specific static source IP for whitelisting. What is the recommended approach?

41

An organization uses Shared VPC with a host project and several service projects. A network administrator in a service project wants to create a firewall rule that allows traffic from a specific source CIDR to a Compute Engine instance in the service project. What is the correct way to achieve this?

42

A company wants to protect its HTTP(S) Load Balancer from common web attacks like SQL injection and cross-site scripting. Which Google Cloud service should they use?

43

A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect. They want to allow instances in a VPC (10.0.0.0/8) to access Google APIs (e.g., Cloud Storage) without traversing the public internet. They also want to ensure that traffic from on-premises to Google APIs uses the same private path. Which configuration is required?

44

A company notices that some Compute Engine instances are making unexpected outbound connections to suspicious IP addresses. They want to investigate the traffic patterns and identify the source of these connections. Which tool should they use?

45

A security engineer needs to provide secure SSH access to a Compute Engine instance that has no external IP address. What is the recommended method?

46

A company uses hierarchical firewall policies to enforce security across all VPC networks in an organization. They have an organization policy that denies egress traffic to the internet. However, a team needs to allow outbound HTTPS traffic to a specific external API (api.example.com) for a project. What is the best way to achieve this?

47

You are designing VPC firewall rules for a multi-tier application. Which TWO considerations are important when creating firewall rules in terms of security and manageability? (Choose TWO.)

48

A company is setting up Cloud NAT for a subnet that hosts compute instances. They want to ensure high availability and efficient use of IPs. Which TWO configurations should they apply? (Choose TWO.)

49

A company wants to restrict access to a Cloud SQL instance so that only Compute Engine instances in a specific VPC subnet can connect. Which THREE methods can be used to achieve this? (Choose THREE.)

50

A company has deployed a web application on Compute Engine instances in a managed instance group behind an internal HTTP(S) load balancer. The application needs to be accessible only from the corporate office, which has a static public IP range of 203.0.113.0/24. The load balancer is in us-central1. What is the most secure way to restrict access?

51

You are configuring a new VPC network with a private subnet for Compute Engine instances that need to access the internet for updates. Which configuration is the simplest and most secure?

52

A company uses Shared VPC in a host project with multiple service projects. The security team wants to ensure that all traffic between service projects is inspected by a third-party firewall appliance deployed in the host project. Which configuration should be implemented?

53

Your organization has a VPC with several subnets and wants to enable Private Google Access for Compute Engine instances in a specific subnet to access Google APIs and services without external IP addresses. What must be configured?

54

A company uses Cloud Armor to protect an external HTTPS load balancer. They want to block requests from a specific IP address range 198.51.100.0/24, but allow all other traffic. After creating a deny rule with the source IP condition, they notice that requests from that range are still reaching the backend. What is the most likely cause?

55

A company has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They have a firewall appliance (internal IP 10.0.1.100) that inspects all traffic between subnets. They configure a policy-based route to redirect traffic from subnet-a to subnet-b to the appliance. However, traffic from subnet-a to subnet-b still goes directly. What is missing?

56

You are designing a network for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier should only be accessible from the application tier. All tiers are in the same VPC. Which combination of firewall rules meets these requirements?

57

A company needs to securely connect two VPC networks from different projects in the same organization. Each VPC has overlapping IP ranges (10.0.0.0/16). They require high throughput and low latency. What is the recommended approach?

58

Your organization has a security requirement that all traffic to and from Compute Engine instances must be logged and analyzed. You have enabled VPC Flow Logs for all subnets. However, you notice that flow logs are not capturing all traffic between instances in the same subnet. What is the most likely reason?

59

Which TWO of the following are valid Google Cloud firewall rule components? (Choose TWO.)

60

Which THREE of the following are required to enable VPC Flow Logs for a subnet? (Choose THREE.)

61

Which TWO of the following are benefits of using Cloud NAT? (Choose TWO.)

62

A company has a VPC with several subnets. They want to allow HTTP traffic from the internet to a web server in subnet-a, but block all other inbound traffic. What is the simplest firewall rule configuration?

63

A company uses a hub-and-spoke VPC topology with Network Connectivity Center. The spoke VPCs need to reach the internet. Cloud NAT is configured in the hub VPC. Spoke VPCs have routes to the hub via a VPN tunnel. However, instances in spoke VPCs cannot reach the internet. Which configuration is most likely missing?

64

A company is implementing VPC Service Controls to protect sensitive data in Google Cloud Storage. They want to allow a private on-premises subnet (10.1.0.0/16) to access the storage buckets via a Cloud VPN tunnel, but deny all other on-premises traffic. Which configuration approach meets this requirement with least privilege?

65

A company uses Cloud Armor to protect their HTTP Load Balancer from DDoS attacks. They want to block requests from a specific malicious IP address range, 203.0.113.0/24. Which Cloud Armor policy configuration should they use?

66

A company uses Shared VPC with a host project and service projects. They want to ensure that only specific service projects can create firewall rules in the host project's network. What is the correct IAM configuration?

67

A security team wants to mirror all traffic from a critical VM to a network intrusion detection system (NIDS) appliance running in the same VPC. They need to ensure that the NIDS receives both ingress and egress traffic, and that the original traffic is not impacted. Which solution should they implement?

68

A company wants to use Cloud CDN to cache content from an HTTP Load Balancer. They have a custom domain and want to serve traffic over HTTPS. What must they configure on the load balancer?

69

A company has a VPC with subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They enabled Private Google Access on subnet-a. Instances in subnet-a can access Google APIs and services using private IPs. However, instances in subnet-b cannot reach Google APIs even though subnet-b has a default route to the internet through a NAT gateway. What is the likely cause?

70

A company connects their on-premises data center to Google Cloud via Dedicated Interconnect. They have two VLAN attachments (VLAN-A and VLAN-B) to a single VPC. They use BGP over the VLAN attachments with Cloud Router. Both VLAN attachments are in the same region. They want to use both links for active-active traffic and have redundancy. Which BGP configuration is correct?

71

Which TWO of the following are valid methods for sending traffic between VPC networks in Google Cloud? (Choose two.)

72

Which TWO of the following are valid reasons to enable VPC Flow Logs? (Choose two.)

73

Which THREE of the following are valid requirements for using VPC Network Peering? (Choose three.)

74

Refer to the exhibit. An engineer wants to allow inbound SSH (tcp:22) to a VM with network tag 'ssh-access' in the 'default' VPC. Which firewall rule should they create?

75

A company has a VPC network named 'production' with subnets in us-central1 and europe-west1. They have on-premises data centers in New York and London connected via two HA VPN gateways to the respective regions. The on-premises networks use BGP with Cloud Routers in each region. The company also has a Shared VPC with service projects. Recently, they migrated a critical application to Google Cloud, which runs on Compute Engine instances in the europe-west1 subnet. The application needs to communicate with an on-premises database in London reachable via the London VPN. After the migration, the application fails to connect to the database. The Cloud Router in europe-west1 shows that it is receiving the on-premises routes. The instance has a default route to the internet via Cloud NAT. The firewall rules allow all traffic from the instance to the on-premises IP range. What is the most likely cause of the connectivity issue?

76

A company runs a GKE cluster in private cluster mode (no public endpoint) in a custom VPC. The cluster nodes are in a subnet that uses a secondary IP range for pods. The company needs the pods to access an on-premises service over a Cloud VPN connection that terminates in a different region. The on-premises service IP range is 10.100.0.0/16. The VPC has a route for 10.100.0.0/16 pointing to the VPN gateway. However, pods cannot reach the on-premises service. The GKE cluster is configured with a Cloud NAT for outbound internet access. The pod IP range is 10.200.0.0/16. Which step is required to allow pod traffic to reach the on-premises network?

77

A company is using Cloud SQL with a private IP address in the same VPC as their Compute Engine web application server. The server can reach the Cloud SQL instance's IP address via ping, but the application is failing to connect with a permission error. The VPC firewall rules include the default allow internal rule. What is the most likely cause?

78

A company uses Shared VPC with a host project and multiple service projects. The security team wants to enforce that only specific VMs in service project A (using IP range 10.0.1.0/24) can communicate with specific VMs in service project B (tagged as 'app-b') on TCP port 443, and all other inter-service-project traffic should be blocked. Additionally, VMs should still be accessible via IAP TCP forwarding (SSH) on TCP port 22. Which three firewall rules should be created in the host project? (Choose three.)

79

A small company has a single VPC with subnets in us-central1 (10.0.1.0/24) and us-west1 (10.0.2.0/24). They have a Compute Engine VM (web-server) in us-central1 that needs to connect to a Cloud SQL MySQL instance also in us-central1 using its private IP address 10.0.1.3. The Cloud SQL instance is configured with private IP only and is deployed in the same VPC. The web-server can successfully ping the Cloud SQL private IP (10.0.1.3). However, the application on the web-server fails to connect to the MySQL database with an authentication error. There are no custom firewall rules; only the default VPC firewall rules are in place. What is the most likely cause of the connection failure?

80

A company has deployed an internal HTTP Load Balancer (ILB) in us-west1 within a Shared VPC. The host project contains the ILB's forwarding rule and the backend service. The backend instances are Compute Engine VMs running in a service project in us-east1. The health checks for the ILB are consistently failing with 'unhealthy' status. The firewall rules in the host project allow ingress from the Google Cloud health checker ranges (130.211.0.0/22 and 35.191.0.0/16) on TCP port 80 to all VMs in the VPC. The backend VMs are running a web server listening on port 80. What is the most likely cause of the health check failures?

81

A financial services company needs to inspect all inbound and outbound packets from a subnet containing highly sensitive data for compliance. They have enabled VPC Flow Logs on that subnet, which record metadata such as source and destination IP, ports, and protocol. However, the security team requires the actual packet payload to perform deep packet inspection (DPI) for malicious patterns. They want to capture the packets without disrupting network traffic. Which additional configuration should be implemented to meet this requirement?

82

A company has configured a HA VPN between Google Cloud and an on-premises data center using two tunnels with separate Cloud Routers and BGP sessions in active/active mode. Each Cloud Router is configured to learn routes from the on-premises side and advertise VPC subnets. Recently, one of the tunnels experienced a physical link failure and went down. The security team notices that the remaining tunnel is still up and passing traffic, but some routes that were learned via the failed tunnel are no longer present in the routing table of that Cloud Router. The on-premises administrator confirms that the routes are still being advertised from the local router. What is the impact on traffic to the on-premises network?

83

A company has a Shared VPC environment with multiple service projects. The security team wants to ensure that all Compute Engine VMs in service projects are only accessible via IAP TCP forwarding for SSH management, and direct external access is completely blocked. They have already applied an organization policy constraint that denies the attachment of external IP addresses to new VMs. However, there are several existing VMs that still have public IP addresses assigned. The team wants to remove the public IPs from these existing VMs without causing downtime for any ongoing SSH sessions or disrupting the applications running on them, but they must ensure the VMs can still reach the internet if needed (for example, to download updates). What should the team do?

84

Your VPC has a default firewall rule that allows SSH (TCP port 22) from all sources. You need to allow HTTP traffic (TCP port 80) only from instances tagged 'web-servers' to the target instances, and block all other inbound traffic including SSH. Which TWO steps should you take?

85

Refer to the exhibit. A developer created the firewall rule to allow HTTPS traffic from the API service account to instances tagged 'api-instances'. However, HTTPS requests from the API server (which runs on an instance with tag 'api-instances' and uses the default Compute Engine service account) are failing. What is the most likely cause?

86

Your company is deploying a multi-tier application in a single VPC with two subnets: web (10.0.1.0/24) and db (10.0.2.0/24). The web instances need to connect to a private Cloud SQL instance (MySQL) that is provisioned in a service project. The Cloud SQL instance has a private IP address 10.0.3.5 assigned using private services access. You have established VPC peering between your VPC and the service producer VPC (the Google-managed VPC hosting Cloud SQL). You verified that the peering connection is in 'ACTIVE' state. The web instances can reach internet sites, but connections to the Cloud SQL instance (using the MySQL client) are timing out. The db instances do not need to connect to Cloud SQL. What is the most likely cause and recommended solution?


Frequently asked questions

What does the Configuring network security domain cover on the PCSE exam?

The Configuring network security domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.

How many Configuring network security questions are in the PCSE question bank?

The Courseiva PCSE question bank contains 86 questions in the Configuring network security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Configuring network security for PCSE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Configuring network security questions for PCSE?

Yes — the session launcher on this page draws questions exclusively from the Configuring network security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
