Practice PCSE Configuring network security questions with full explanations on every answer.
1. Your organization has a VPC with several subnets hosting Compute Engine instances. You need to allow SSH access (port 22) to instances in the 'management' subnet from the internet, but only from the office's static IP range (203.0.113.0/24). All other ingress traffic to that subnet should be blocked. Which firewall rule configuration should you create?
2. Your company is deploying a web application on Google Kubernetes Engine (GKE) with an Internal Load Balancer (ILB) as the ingress. The application must only be accessible from within the same VPC and from an on-premises network connected via Cloud VPN. The on-premises network uses IP range 10.0.0.0/8. You have already created the ILB with a backend service. What is the most secure way to restrict access to the ILB?
3. You have a Compute Engine VM that hosts a custom application. The VM has a tag 'app-server' and is in a VPC network with the following firewall rules (priority order from lowest to highest):
   Rule 1: Priority 1000, direction INGRESS, source 0.0.0.0/0, target tag 'app-server', protocol tcp:80, action allow
   Rule 2: Priority 500, direction INGRESS, source 10.0.0.0/8, target tag 'app-server', protocol tcp:80, action deny
   Rule 3: Priority 2000, direction INGRESS, source 192.168.0.0/16, target tag 'app-server', protocol tcp:80, action allow
   A user from IP 10.0.0.5 tries to access the application on port 80. Will the request be allowed or denied?
4. Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?
5. You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?
6. You are a security engineer for a company that runs a critical application on Google Cloud. You need to implement defense in depth for network security. Which TWO of the following are effective network security controls that you should implement?
7. Your company has a VPC with multiple subnets. You have deployed a set of Compute Engine instances that must communicate with each other over TCP port 4444. The instances are tagged with 'app-tier'. You need to ensure that only these instances can communicate on this port. Which THREE of the following steps are necessary to achieve this?
8. You are designing network security for a multi-region GKE cluster with Pods that need to communicate across regions over a private network. The cluster uses VPC-native mode. Which Google Cloud networking feature should you use to ensure low-latency and secure inter-region Pod-to-Pod communication without traversing the public internet?
9. Your organization requires that all egress traffic from a VPC network be inspected by a third-party security appliance before leaving the network. The appliance is deployed in a separate VPC. What is the most scalable and maintainable way to route traffic through the appliance?
10. A security engineer is troubleshooting connectivity issues between two Compute Engine instances in the same VPC but in different subnets. Both instances have internal IPs and are in the same region. The firewall rules allow ingress from 10.0.0.0/8. However, traffic is failing. What is the most likely cause?
11. Which TWO options are valid methods to secure data in transit between an on-premises data center and a Google Cloud VPC?
12. Which THREE components are required to configure VPC Flow Logs for a Compute Engine instance?
13. Your organization wants to ensure that no Compute Engine instance can have a public IP address. What is the best way to enforce this policy?
14. A company is using a Shared VPC in Google Cloud with multiple service projects. The security team wants to restrict egress traffic from a specific service project to only allowed external IP addresses. The network project hosts the VPC. What is the best approach?
15. Your organization has a hybrid network with an on-premises data center connected to Google Cloud via a Dedicated Interconnect. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) and Google Cloud VPC has a subnet in 10.1.0.0/16. You've configured a Cloud Router with BGP to exchange routes. Recently, you set up a new VPC with a subnet in 10.2.0.0/16 and peered it with the first VPC using VPC Network Peering. You notice that on-premises traffic destined to 10.2.0.0/16 is being dropped. You verify that the firewall rules allow the traffic and that BGP routes for 10.2.0.0/16 are not advertised on-premises. What should you do to enable connectivity from on-premises to the new VPC?
16. You are a security engineer for a financial services company that processes sensitive customer data. Your architecture includes two VPCs: 'data-vpc' (10.1.0.0/16) containing BigQuery datasets and Cloud Storage buckets, and 'app-vpc' (10.2.0.0/16) containing Compute Engine instances running a customer-facing application. The application needs to read from BigQuery and write to Cloud Storage. You have configured VPC Network Peering between the VPCs. Additionally, you have set up Private Google Access on all subnets in 'data-vpc' and 'app-vpc'. The application instances cannot connect to BigQuery or Cloud Storage. You have verified that firewall rules allow egress traffic to the Google APIs IP range (199.36.153.4/30) and that DNS resolution works correctly. What is the most likely cause of the connectivity failure?
17. A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?
18. A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project contains Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. The perimeter is defined with the project as a protected project. Which TWO actions are valid to restrict data exfiltration while maintaining necessary access?
19. Drag and drop the steps to configure a VPC Service Controls perimeter in the correct order.
20. Drag and drop the steps to respond to a data breach involving a Cloud Storage bucket in the correct order.
21. Match each Google Cloud security tool to its primary purpose.
22. Match each encryption scope to its description.
23. A company has configured a VPC firewall rule to allow HTTP traffic from a specific source IP range 203.0.113.0/24. However, HTTP requests from that range are being denied. Which initial verification should the security engineer perform?
24. A company is using Cloud NAT to allow instances in a private subnet to access the internet. They notice that some instances are unable to reach external services. The NAT gateway is configured with a single IP address. Which action would most likely resolve the issue?
25. A company has a hybrid cloud setup with a Cloud VPN tunnel to an on-premises network. They want to ensure that traffic from on-premises to a specific VPC subnet is routed through a specific next hop appliance for inspection. How can they achieve this?
26. An organization uses Shared VPC to centrally manage network resources. They want to allow a service project to use its own firewall rules for certain instances. How should they configure the firewall rules?
27. A security engineer wants to block all SSH access from the internet to a VPC network, except for a specific bastion host. What is the most efficient way to configure this?
28. A company is using VPC Service Controls to protect their Google Cloud Storage buckets. They want to allow a specific instance to access a bucket from within a VPC. What networking configuration is required?
29. A company has multiple VPC networks that need to communicate privately. They are evaluating VPC peering and Shared VPC. Which statement correctly describes a limitation of VPC peering compared to Shared VPC?
30. A developer needs to allow a specific Compute Engine instance to communicate with a Cloud SQL database instance. Both are in the same project but different VPC networks. What is the simplest secure method?
31. A company is deploying a firewall appliance in a VPC to inspect traffic. They create custom routes to direct traffic to the appliance. Which step is necessary to ensure the appliance can forward traffic back?
32. A company is designing a network architecture for a multi-region application. They want to minimize latency and maximize availability. Which two features should they consider? (Choose two.)
33. A security engineer needs to restrict outbound traffic from a VPC to only allow specific external IP ranges. Which three components must be configured? (Choose three.)
34. A company is migrating workloads to Google Cloud and wants to ensure that their VPC network is secure by default. Which two best practices should they follow? (Choose two.)
35. A user is unable to SSH into an instance that has the tag 'ssh-access' and an internal IP 10.0.0.2. The user's IP is 198.51.100.1. What is the most likely reason?
36. An engineer has enabled Private Google Access on the subnet. However, instances in the subnet cannot access Google APIs (e.g., storage.googleapis.com) using their internal IPs. What is the most likely issue?
37. A company has a VPC network with a default route to the internet gateway. They want all egress traffic to go through a firewall appliance instead. They create a new route with a next hop to the appliance and a priority of 500. However, traffic is still going through the internet gateway. What is the most likely reason?
38. A company runs a GKE cluster with multiple node pools, including one pool of confidential VMs. The security team wants to ensure that only traffic from the internal VPC (10.0.0.0/8) can reach the nodes' metadata server. Which configuration should be applied?
39. A company has two VPC networks in the same project: VPC-A (10.0.0.0/16) and VPC-B (172.16.0.0/16). They have established VPC peering between them. An instance in VPC-A needs to communicate with an instance in VPC-B on TCP port 443. What is the minimal firewall configuration needed?
40. A company has a VPC with a subnet (10.1.0.0/24) in us-central1. They have a Cloud NAT configured for outbound traffic to the internet. They want instances in this subnet to access a third-party API that is only accessible over the internet and requires a specific static source IP for whitelisting. What is the recommended approach?
41. An organization uses Shared VPC with a host project and several service projects. A network administrator in a service project wants to create a firewall rule that allows traffic from a specific source CIDR to a Compute Engine instance in the service project. What is the correct way to achieve this?
42. A company wants to protect its HTTP(S) Load Balancer from common web attacks like SQL injection and cross-site scripting. Which Google Cloud service should they use?
43. A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect. They want to allow instances in a VPC (10.0.0.0/8) to access Google APIs (e.g., Cloud Storage) without traversing the public internet. They also want to ensure that traffic from on-premises to Google APIs uses the same private path. Which configuration is required?
44. A company notices that some Compute Engine instances are making unexpected outbound connections to suspicious IP addresses. They want to investigate the traffic patterns and identify the source of these connections. Which tool should they use?
45. A security engineer needs to provide secure SSH access to a Compute Engine instance that has no external IP address. What is the recommended method?
46. A company uses hierarchical firewall policies to enforce security across all VPC networks in an organization. They have an organization policy that denies egress traffic to the internet. However, a team needs to allow outbound HTTPS traffic to a specific external API (api.example.com) for a project. What is the best way to achieve this?
47. You are designing VPC firewall rules for a multi-tier application. Which TWO considerations are important when creating firewall rules in terms of security and manageability? (Choose TWO.)
48. A company is setting up Cloud NAT for a subnet that hosts compute instances. They want to ensure high availability and efficient use of IPs. Which TWO configurations should they apply? (Choose TWO.)
49. A company wants to restrict access to a Cloud SQL instance so that only Compute Engine instances in a specific VPC subnet can connect. Which THREE methods can be used to achieve this? (Choose THREE.)
50. A company has deployed a web application on Compute Engine instances in a managed instance group behind an internal HTTP(S) load balancer. The application needs to be accessible only from the corporate office, which has a static public IP range of 203.0.113.0/24. The load balancer is in us-central1. What is the most secure way to restrict access?
51. You are configuring a new VPC network with a private subnet for Compute Engine instances that need to access the internet for updates. Which configuration is the simplest and most secure?
52. A company uses Shared VPC in a host project with multiple service projects. The security team wants to ensure that all traffic between service projects is inspected by a third-party firewall appliance deployed in the host project. Which configuration should be implemented?
53. Your organization has a VPC with several subnets and wants to enable Private Google Access for Compute Engine instances in a specific subnet to access Google APIs and services without external IP addresses. What must be configured?
54. A company uses Cloud Armor to protect an external HTTPS load balancer. They want to block requests from a specific IP address range 198.51.100.0/24, but allow all other traffic. After creating a deny rule with the source IP condition, they notice that requests from that range are still reaching the backend. What is the most likely cause?
55. A company has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They have a firewall appliance (internal IP 10.0.1.100) that inspects all traffic between subnets. They configure a policy-based route to redirect traffic from subnet-a to subnet-b to the appliance. However, traffic from subnet-a to subnet-b still goes directly. What is missing?
56. You are designing a network for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier should only be accessible from the application tier. All tiers are in the same VPC. Which combination of firewall rules meets these requirements?
57. A company needs to securely connect two VPC networks from different projects in the same organization. Each VPC has overlapping IP ranges (10.0.0.0/16). They require high throughput and low latency. What is the recommended approach?
58. Your organization has a security requirement that all traffic to and from Compute Engine instances must be logged and analyzed. You have enabled VPC Flow Logs for all subnets. However, you notice that flow logs are not capturing all traffic between instances in the same subnet. What is the most likely reason?
59. Which TWO of the following are valid Google Cloud firewall rule components? (Choose TWO.)
60. Which THREE of the following are required to enable VPC Flow Logs for a subnet? (Choose THREE.)
61. Which TWO of the following are benefits of using Cloud NAT? (Choose TWO.)
62. A company has a VPC with several subnets. They want to allow HTTP traffic from the internet to a web server in subnet-a, but block all other inbound traffic. What is the simplest firewall rule configuration?
63. A company uses a hub-and-spoke VPC topology with Network Connectivity Center. The spoke VPCs need to reach the internet. Cloud NAT is configured in the hub VPC. Spoke VPCs have routes to the hub via a VPN tunnel. However, instances in spoke VPCs cannot reach the internet. Which configuration is most likely missing?
64. A company is implementing VPC Service Controls to protect sensitive data in Google Cloud Storage. They want to allow a private on-premises subnet (10.1.0.0/16) to access the storage buckets via a Cloud VPN tunnel, but deny all other on-premises traffic. Which configuration approach meets this requirement with least privilege?
65. A company uses Cloud Armor to protect their HTTP Load Balancer from DDoS attacks. They want to block requests from a specific malicious IP address range, 203.0.113.0/24. Which Cloud Armor policy configuration should they use?
66. A company uses Shared VPC with host project and service projects. They want to ensure that only specific service projects can create firewall rules in the host project's network. What is the correct IAM configuration?
67. A security team wants to mirror all traffic from a critical VM to a network intrusion detection system (NIDS) appliance running in the same VPC. They need to ensure that the NIDS receives both ingress and egress traffic, and that the original traffic is not impacted. Which solution should they implement?
68. A company wants to use Cloud CDN to cache content from an HTTP Load Balancer. They have a custom domain and want to serve traffic over HTTPS. What must they configure on the load balancer?
69. A company has a VPC with subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They enabled Private Google Access on subnet-a. Instances in subnet-a can access Google APIs and services using private IPs. However, instances in subnet-b cannot reach Google APIs even though subnet-b has a default route to the internet through a NAT gateway. What is the likely cause?
70. A company connects their on-premises data center to Google Cloud via Dedicated Interconnect. They have two VLAN attachments (VLAN-A and VLAN-B) to a single VPC. They use BGP over the VLAN attachments with Cloud Router. Both VLAN attachments are in the same region. They want to use both links for active-active traffic and have redundancy. Which BGP configuration is correct?
71. Which TWO of the following are valid methods for sending traffic between VPC networks in Google Cloud? (Choose two.)
72. Which TWO of the following are valid reasons to enable VPC Flow Logs? (Choose two.)
73. Which THREE of the following are valid requirements for using VPC Network Peering? (Choose three.)
74. Refer to the exhibit. An engineer wants to allow inbound SSH (tcp:22) to a VM with network tag 'ssh-access' in the 'default' VPC. Which firewall rule should they create?
75. A company has a VPC network named 'production' with subnets in us-central1 and europe-west1. They have on-premises data centers in New York and London connected via two HA VPN gateways to the respective regions. The on-premises networks use BGP with Cloud Routers in each region. The company also has a Shared VPC with service projects. Recently, they migrated a critical application to Google Cloud, which runs on Compute Engine instances in the europe-west1 subnet. The application needs to communicate with an on-premises database in London reachable via the London VPN. After the migration, the application fails to connect to the database. The Cloud Router in europe-west1 shows that it is receiving the on-premises routes. The instance has a default route to the internet via Cloud NAT. The firewall rules allow all traffic from the instance to the on-premises IP range. What is the most likely cause of the connectivity issue?
76. A company runs a GKE cluster in a private cluster mode (no public endpoint) in a custom VPC. The cluster nodes are in a subnet that uses a secondary IP range for pods. The company needs the pods to access an on-premises service over a Cloud VPN connection that terminates in a different region. The on-premises service IP range is 10.100.0.0/16. The VPC has a route for 10.100.0.0/16 pointing to the VPN gateway. However, pods cannot reach the on-premises service. The GKE cluster is configured with a Cloud NAT for outbound internet access. The pod IP range is 10.200.0.0/16. Which step is required to allow pod traffic to reach the on-premises network?
77. A company is using Cloud SQL with a private IP address in the same VPC as their Compute Engine web application server. The server can reach the Cloud SQL instance's IP address via ping, but the application is failing to connect with a permission error. The VPC firewall rules include the default allow internal rule. What is the most likely cause?
78. A company uses Shared VPC with a host project and multiple service projects. The security team wants to enforce that only specific VMs in service project A (using IP range 10.0.1.0/24) can communicate with specific VMs in service project B (tagged as 'app-b') on TCP port 443, and all other inter-service-project traffic should be blocked. Additionally, VMs should still be accessible via IAP TCP forwarding (SSH) on TCP port 22. Which three firewall rules should be created in the host project? (Choose three.)
79. A small company has a single VPC with subnets in us-central1 (10.0.1.0/24) and us-west1 (10.0.2.0/24). They have a Compute Engine VM (web-server) in us-central1 that needs to connect to a Cloud SQL MySQL instance also in us-central1 using its private IP address 10.0.1.3. The Cloud SQL instance is configured with private IP only and is deployed in the same VPC. The web-server can successfully ping the Cloud SQL private IP (10.0.1.3). However, the application on the web-server fails to connect to the MySQL database with an authentication error. There are no custom firewall rules; only the default VPC firewall rules are in place. What is the most likely cause of the connection failure?
80. A company has deployed an internal HTTP Load Balancer (ILB) in us-west1 within a Shared VPC. The host project contains the ILB's forwarding rule and the backend service. The backend instances are Compute Engine VMs running in a service project in us-east1. The health checks for the ILB are consistently failing with 'unhealthy' status. The firewall rules in the host project allow ingress from the Google Cloud health checker ranges (130.211.0.0/22 and 35.191.0.0/16) on TCP port 80 to all VMs in the VPC. The backend VMs are running a web server listening on port 80. What is the most likely cause of the health check failures?
81. A financial services company needs to inspect all inbound and outbound packets from a subnet containing highly sensitive data for compliance. They have enabled VPC Flow Logs on that subnet, which record metadata such as source and destination IP, ports, and protocol. However, the security team requires the actual packet payload to perform deep packet inspection (DPI) for malicious patterns. They want to capture the packets without disrupting network traffic. Which additional configuration should be implemented to meet this requirement?
82. A company has configured a HA VPN between Google Cloud and an on-premises data center using two tunnels with separate Cloud Routers and BGP sessions in active/active mode. Each Cloud Router is configured to learn routes from the on-premises side and advertise VPC subnets. Recently, one of the tunnels experienced a physical link failure and went down. The security team notices that the remaining tunnel is still up and passing traffic, but some routes that were learned via the failed tunnel are no longer present in the routing table of that Cloud Router. The on-premises administrator confirms that the routes are still being advertised from the local router. What is the impact on traffic to the on-premises network?
83. A company has a Shared VPC environment with multiple service projects. The security team wants to ensure that all Compute Engine VMs in service projects are only accessible via IAP TCP forwarding for SSH management, and direct external access is completely blocked. They have already applied an organization policy constraint that denies the attachment of external IP addresses to new VMs. However, there are several existing VMs that still have public IP addresses assigned. The team wants to remove the public IPs from these existing VMs without causing downtime for any ongoing SSH sessions or disrupting the applications running on them, but they must ensure the VMs can still reach the internet if needed (for example, to download updates). What should the team do?
84. Your VPC has a default firewall rule that allows SSH (TCP port 22) from all sources. You need to allow HTTP traffic (TCP port 80) only from instances tagged 'web-servers' to the target instances, and block all other inbound traffic including SSH. Which TWO steps should you take?
85. Refer to the exhibit. A developer created the firewall rule to allow HTTPS traffic from the API service account to instances tagged 'api-instances'. However, HTTPS requests from the API server (which runs on an instance with tag 'api-instances' and uses the default compute engine service account) are failing. What is the most likely cause?
86. Your company is deploying a multi-tier application in a single VPC with two subnets: web (10.0.1.0/24) and db (10.0.2.0/24). The web instances need to connect to a private Cloud SQL instance (MySQL) that is provisioned in a service project. The Cloud SQL instance has a private IP address 10.0.3.5 assigned using private services access. You have established VPC peering between your VPC and the service producer VPC (the Google-managed VPC hosting Cloud SQL). You verified that the peering connection is in 'ACTIVE' state. The web instances can reach internet sites, but connections to the Cloud SQL instance (using the MySQL client) are timing out. The db instances do not need to connect to Cloud SQL. What is the most likely cause and recommended solution?
The Configuring network security domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.
The Courseiva PCSE question bank contains 86 questions in the Configuring network security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Configuring network security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.