
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Configuring Network Security

Practice PCSE Configuring Network Security questions with full explanations on every answer.

110 questions


All PCSE Configuring Network Security questions (110)


1

A security engineer needs to restrict access to Cloud Storage buckets so that only resources in a specific VPC can reach the Google APIs. Which Google Cloud service should be used?

2

An organization wants to enforce a security policy that denies all egress traffic to the internet from all projects in the organization, except for traffic from a specific set of VMs tagged with 'allow-egress'. Which approach should be used?

3

A company uses VPC Service Controls to protect a BigQuery dataset. They need to allow an external on-premises application to query the dataset without being inside the service perimeter. The external application has a static IP address. Which configuration is required?

4

A DevOps team wants to automatically provision and renew SSL certificates for a global HTTPS load balancer. Which certificate management option should be used?

5

An engineer needs to block a specific IP address from accessing an HTTPS load balancer. Which Cloud Armor rule should be used?

6

A company wants internal VMs to access Google APIs (e.g., Cloud Storage, BigQuery) without traversing the internet. What is the simplest configuration?

7

An organization uses VPC Service Controls in dry-run mode for a project containing Google Cloud Storage. They notice that BigQuery jobs are being logged as violations. How should they interpret this?

8

A security engineer wants to apply a baseline set of firewall rules that apply to all new and existing VMs in an organization, and these rules must not be overridden by project-level rules. Which approach should be used?

9

Which Cloud Armor feature uses machine learning to detect and mitigate DDoS attacks?

10

A service provider wants to expose an internal service to external consumers in a controlled manner, without giving them direct access to the VPC. Which Google Cloud service should be used?

11

An organization uses SSL policies for their HTTPS load balancer. They need to allow TLS 1.2 and 1.3 only, and use the most secure cipher profile available. Which SSL policy configuration should they choose?

12

Which VPC firewall rule target type is recommended for security because it can be dynamically applied to instances based on their service account?

13

A company wants to detect and block SQL injection attacks targeting their web application hosted on Compute Engine behind a Cloud Load Balancer. Which TWO steps should they take? (Choose TWO.)

14

A financial services company must ensure that all data in Cloud Storage remains within a specific region and that no data can be accessed from outside the corporate network. They also need to allow a partner organization to access a specific bucket. Which THREE Google Cloud services or features should be combined to meet these requirements? (Choose THREE.)

15

An organization wants to implement a zero-trust network security model for their Google Cloud environment. Which TWO practices should they adopt? (Choose TWO.)

16

An organization wants to restrict access to a Cloud Storage bucket so that only resources in a specific VPC network can reach it, without using public IP addresses. Which solution should they implement?

17

A security engineer needs to allow HTTP (port 80) traffic from all VMs in the production environment to a specific set of VMs running a web server. The web server VMs are identified by a service account 'web-sa@...'. Which firewall rule configuration should the engineer create?

18

A company wants to enforce that all VPC firewall rules in an organization must be centrally managed and cannot be overridden by lower-level projects. Which approach should they use?

19

An organization uses VPC Service Controls to protect BigQuery datasets. They need to allow a specific on-premises application, which uses a static IP address, to query a BigQuery dataset inside the service perimeter. Which configuration is required?

20

A company wants to provide private connectivity from its VPC to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs or NAT. The solution must also support on-premises connectivity via Cloud VPN. Which service should they use?

21

A web application behind an HTTPS load balancer is experiencing a high volume of malicious requests with SQL injection patterns. The security team wants to block these requests with minimal latency impact. Which Cloud Armor feature should they use?

22

An organization uses a global HTTPS load balancer with a Google-managed SSL certificate. The certificate was automatically provisioned and renewed. Recently, the certificate renewal failed and the site shows a warning. The load balancer's frontend uses the certificate. What is the most likely cause?

23

A security engineer needs to monitor network traffic for potential threats in a VPC. They want to inspect all traffic for malware signatures and alert on high-severity threats. The solution should be natively integrated with GCP. Which service should they use?

24

A company wants to enforce that traffic between two projects in the same organization must go through a central inspection VPC. They need a firewall rule that denies all traffic between the projects except through the inspection VPC. Which type of firewall rule should they use?

25

An organization needs to restrict access to Cloud Storage buckets so that only requests from a specific range of IP addresses (e.g., corporate VPN) are allowed. They also want to block all other IPs. Which combination of services should they use?

26

A company has a global HTTPS load balancer and wants to use a self-managed SSL certificate. They have uploaded the PEM-encoded certificate and private key to the load balancer. However, the certificate is about to expire. What is the correct way to renew it without downtime?

27

A security team wants to block all incoming traffic from a specific country to their web application behind a global HTTPS load balancer. They also need to allow traffic from all other countries. Which Cloud Armor feature should be used?

28

A company wants to enable private connectivity from its on-premises network to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs. They have a Cloud VPN connection to a VPC. Which TWO services or configurations are required? (Choose two.)

29

A security engineer is designing a VPC Service Controls perimeter to protect sensitive BigQuery data. They need to allow a specific on-premises application (source IP range 203.0.113.0/24) to query BigQuery, and also allow a managed instance group in another project (project 'analytics') to export data from BigQuery to Cloud Storage. Which THREE configurations are required? (Choose three.)

30

A security team wants to enforce SSL/TLS best practices for their HTTPS load balancer. They need to require TLS 1.2 or higher and restrict ciphers to strong ones only. Which TWO actions should they take? (Choose two.)

31

An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only requests originating from a specific VPC network are allowed. Which Google Cloud service should they use?

32

A security team needs to apply a set of firewall rules that enforce baseline security for all VPC networks across multiple projects in an organization. These rules must be inherited and cannot be overridden by project-level rules. What should they use?

33

An engineer wants to allow egress traffic from a group of VM instances with a specific service account to a set of IP addresses. They need to choose between using tags or service accounts as targets in a VPC firewall rule. Which approach is recommended for better security and why?

34

A company uses VPC Service Controls to protect a project containing BigQuery datasets. They have an ingress rule that allows traffic from an on-premises network via a Cloud VPN tunnel. The on-premises IP range is 10.0.0.0/8. However, users on-premises are still getting access denied errors when querying BigQuery. The VPC Service Controls perimeter is in dry-run mode. What is the most likely cause?

35

An organization wants to provide private, on-premises access to Google Cloud APIs (e.g., Cloud Storage, BigQuery) without traversing the public internet. They have a Direct Connect link to Google Cloud. Which solution should they implement?

36

A company uses Cloud Armor security policies to protect their HTTP load balancer. They need to block requests from a specific geographic region (country X) and also limit requests from any IP to 1000 requests per second. They also want to use preconfigured rules for SQL injection prevention. What is the correct way to combine these requirements in a single security policy?

37

A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They want Google to manage the certificate lifecycle. Which certificate type should they use?

38

A security engineer needs to detect and alert on network-based threats such as malware and command-and-control traffic within their Google Cloud VPC. They want a managed service that provides deep packet inspection and integrates with their existing security operations. Which service should they use?

39

An organization uses VPC Service Controls with a service perimeter that includes Cloud Storage and BigQuery. They need to allow a specific on-premises service account to write data to a Cloud Storage bucket inside the perimeter. The on-premises network connects via Cloud VPN. What must be configured in the perimeter?

40

A company needs to enforce that all incoming traffic to their HTTPS load balancer must use TLS 1.2 or higher. Which SSL policy setting should they configure on the target HTTPS proxy?

41

A company is using Cloud Armor with adaptive protection enabled. They notice that adaptive protection has generated a rule that is blocking some legitimate traffic. What should they do to minimize false positives while still benefiting from adaptive protection?

42

An organization has multiple VPC networks in different projects. They need to centrally manage firewall rules that apply to all VPCs in the organization and ensure that project owners cannot override them. Which solution should they use?

43

A company is implementing VPC Service Controls to protect a project that contains Cloud Storage and BigQuery. They want to allow a specific on-premises service account to read data from Cloud Storage and write to BigQuery. The on-premises network connects via Cloud VPN. Which TWO components must be configured in the service perimeter? (Choose two.)

44

A security team is configuring Cloud Armor to protect a web application. They need to block requests that contain SQL injection patterns, block requests from a known malicious IP list, and limit requests from any single IP to 2000 requests per minute. Which THREE actions must they take? (Choose three.)

45

A company is deploying a new internal application on Google Cloud. They want to ensure that VM instances in a specific subnet can only communicate with each other and with a load balancer that fronts the application. They also want to allow SSH access from a bastion host. Which TWO firewall rules should they create? (Choose two.)

46

A security engineer wants to restrict access to a Cloud Storage bucket so that only requests originating from within a specific VPC network can access the bucket. Which Google Cloud service should they use?

47

An organization needs to block all inbound SSH traffic (port 22) to a set of VM instances that have a common tag 'ssh-restricted'. They want to deny this traffic at the VPC firewall level. Which firewall rule configuration should they use?

48

A company wants to use Cloud Armor Managed Protection Plus to protect their HTTP(S) load balancer from DDoS attacks. They need to automatically block traffic from IP addresses that exhibit anomalous behavior based on machine learning. Which Cloud Armor feature should they enable?

49

An engineer needs to ensure that only VMs with a specific service account (sa-prod@project.iam.gserviceaccount.com) can access a Cloud Spanner instance. They want to control this at the network level, not using IAM. Which VPC firewall rule configuration should they use?

50

A company uses hierarchical firewall policies at the organization level to enforce a baseline deny-all rule. A project administrator wants to create a firewall rule that allows HTTP traffic to a specific VM. Which statement is correct?

51

A financial services company must ensure that all data egress from a VPC to BigQuery goes through a Private Service Connect endpoint for private access. They have set up the PSC endpoint and configured DNS. However, connections from VMs are still using the public internet. What is the most likely cause?

52

An organization wants to use Cloud IDS to detect network threats within their VPC. They have enabled the Cloud IDS endpoint and configured packet mirroring. Which of the following is required for the packet mirroring policy to work?

53

A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They do not want to manually manage certificate files. Which approach should they use?

54

A security team needs to apply a security policy that blocks requests to their HTTP load balancer from a specific geographic region (e.g., Country A). Which Cloud Armor feature should they use?

55

An organization uses VPC Service Controls to protect BigQuery. They want to test a new access level that allows access only from a specific IP range before enforcing it. Which mode should they use?

56

A company has multiple VPCs in different projects that need to privately connect to a common internal service (e.g., a managed database) running in a central project. They want to expose this service via Private Service Connect. Which type of PSC endpoint should the consumer VPCs create?

57

A DevOps engineer wants to use Cloud Armor to block common web application attacks like SQL injection and cross-site scripting. Which feature should they enable?

58

A security engineer is configuring a VPC Service Controls perimeter to protect a Cloud Storage bucket. They want to allow a specific on-premises network (IP range 203.0.113.0/24) to access the bucket, while still blocking other external networks. Which TWO components must they configure? (Choose TWO.)

59

An organization wants to enforce that all egress traffic from a VPC to the internet must go through a Cloud NAT gateway for logging and IP management. They also need to block all other direct outbound traffic. Which THREE steps should they take? (Choose THREE.)

60

A company wants to use Cloud IDS to detect threats in their VPC. They have created a Cloud IDS endpoint and need to configure packet mirroring. Which TWO resources must be in place for packet mirroring to work? (Choose TWO.)

61

A security engineer wants to restrict access to Cloud Storage buckets such that only workloads running on Compute Engine VMs in a specific VPC can read data. The VMs are managed by multiple GKE clusters and autoscaling instance groups. Which approach BEST enforces this restriction?

62

An organization wants to enforce that all Compute Engine instances in a project have a specific tag (e.g., 'env=prod') before they can be created. Which approach should be used?

63

An organization wants to allow only specific trusted IP ranges to access a web application behind a Cloud Load Balancer. Which Cloud Armor feature should be used?

64

A company is deploying an internal service on GKE that needs to be accessible privately from on-premises data centers over a VPN connection. The service should not be exposed to the internet. Which connectivity solution is MOST appropriate?

65

An organization has a security policy that requires TLS 1.2 or higher for all HTTPS traffic to their external HTTP(S) load balancer. They also need to disable weak cipher suites. Which configuration should be applied?

66

An engineer needs to allow a specific service account from another project to access a Cloud Storage bucket in the current project. The engineer wants to use the principle of least privilege. Which IAM role should be granted directly on the bucket to the service account?

67

Which GCP service provides managed intrusion detection by analyzing mirrored network traffic and using threat signatures from Palo Alto Networks?

68

A company wants to enforce that no Compute Engine firewall rule in any project under an organization can have a source range of 0.0.0.0/0 for RDP (port 3389). Which approach should be used?

69

An engineer needs to allow HTTP traffic from instances tagged 'web-server' to instances tagged 'app-server' on port 8080 within the same VPC. Which firewall rule should be created?

70

A company uses VPC Service Controls to protect a service perimeter around BigQuery. They need to allow a specific on-premises application (with static IP 203.0.113.10) to query BigQuery tables within the perimeter, while still blocking other internet traffic. Which configuration should be used?

71

Which feature of Cloud Armor uses machine learning to detect and block distributed denial-of-service (DDoS) attacks?

72

An organization uses Certificate Manager to provision SSL certificates for multiple domains across several load balancers. They want to automate certificate renewal. Which type of certificate should be used?

73

A company wants to prevent data exfiltration by restricting access to Google APIs from only authorized VPC networks. They also need to allow a specific on-premises IP range to access BigQuery. Which TWO services should be used together? (Choose 2)

74

A security team needs to inspect all egress traffic from Compute Engine instances for malware using a third-party security appliance. They want to deploy the appliance in a separate VPC and route all egress traffic through it. Which THREE components are required? (Choose 3)

75

An organization wants to enforce that all Compute Engine instances have Confidential Computing enabled for sensitive workloads. Which TWO steps should be taken? (Choose 2)

76

A security engineer wants to allow egress traffic from Compute Engine instances to the internet only for updates to a specific set of packages. All other egress must be denied. Which VPC firewall rule configuration should the engineer use?

77

A company wants to restrict access to Cloud Storage buckets so that only resources in a specific VPC network can reach them, and data cannot be exfiltrated to other networks. Which Google Cloud service should they use?

78

A company uses VPC Service Controls in dry-run mode to test a new service perimeter that includes BigQuery. They want to monitor any violations without actually blocking access. Where can they view the logs of these dry-run violations?

79

An organization has a hub-and-spoke VPC setup with Shared VPC. The security team wants to enforce a rule that all egress traffic from any project in the organization must pass through a central inspection appliance in the hub VPC. Which firewall configuration approach meets this requirement?

80

A company wants to expose an internal web service running on a private GKE cluster to other services within the same VPC network using a private IP address. They do not want to use a public load balancer. Which Google Cloud service should they use?

81

A security engineer needs to block traffic from all IP addresses in a specific geographic region from reaching an HTTPS load-balanced application. The application uses Cloud Load Balancing with an external HTTPS load balancer. Which approach should the engineer use?

82

A company wants to use a Google-managed SSL certificate for their external HTTPS load balancer. Which step is required to provision the certificate?

83

A company uses Cloud Armor Managed Protection Plus to protect their applications. They want to automatically block IP addresses that are identified as malicious by adaptive protection. How should they configure this?

84

An organization needs to enforce a TLS minimum version of 1.2 for all traffic to their HTTPS load balancers. They have multiple load balancers serving different domains. Which Google Cloud feature should they use?

85

A security team wants to detect and block network-based threats such as malware and command-and-control traffic within their VPC. They need a managed service that provides deep packet inspection. Which Google Cloud service should they use?

86

A company has a VPC Service Controls perimeter that includes BigQuery and Cloud Storage. They need to allow a specific on-premises application (with a static IP) to access a BigQuery dataset within the perimeter. Which configuration should they use?

87

A company uses Cloud Armor to protect a web application. They want to block requests that contain SQL injection patterns based on the OWASP ModSecurity Core Rule Set. Which preconfigured rule set should they enable?

88

A security engineer needs to restrict access to a Cloud Storage bucket so that only a specific set of Compute Engine instances can read objects. The instances are in the same project and VPC network. The engineer wants to use VPC firewall rules for this purpose. Which two configurations are REQUIRED? (Choose two.)

89

A company is designing a secure multi-tenant environment in Google Cloud. Each tenant has its own VPC network and resources. The security team wants to centrally enforce a rule that denies all egress traffic to the internet from tenant VPCs, except for traffic to specific trusted IP ranges for software updates. They also want to ensure that tenant admins cannot override this rule. Which two actions should they take? (Choose two.)

90

A company is deploying a web application behind an external HTTPS load balancer. They want to protect against common web attacks such as XSS, SQLi, and LFI using preconfigured rules. They also need to allowlist specific IP addresses that belong to partners. Which three Cloud Armor features should they use? (Choose three.)

91

An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only resources within a specific VPC network can call these APIs, and no traffic from other VPCs or on-premises networks is allowed. Which Google Cloud service should they use?

92

A security engineer needs to configure firewall rules to allow traffic from a set of compute instances to a set of backend instances. The engineer wants to use a method that is more secure and scalable than using network tags. Which approach should they use?

93

A company wants to allow users from a specific on-premises IP range to access a service deployed on Google Cloud, but only if the user's device is compliant with corporate security policies (e.g., has antivirus enabled). Which combination of services can achieve this?

94

A company has set up a VPC Service Controls perimeter that includes Cloud Storage. They want to allow a specific on-premises server to copy data to a Cloud Storage bucket inside the perimeter. The on-premises server uses an external IP address. Which configuration is required?

95

A company wants to use a Google Cloud load balancer with an SSL certificate that is automatically provisioned and renewed. Which type of certificate should they use?

96

A security engineer needs to block traffic to a set of VMs from specific IP addresses and also apply rate limiting for HTTP traffic. The VMs are behind a global external HTTPS load balancer. Which service should they use?

97

A company wants to provide private connectivity from its on-premises network to Google Cloud APIs (e.g., BigQuery, Cloud Storage) without traversing the public internet. They have an existing Dedicated Interconnect connection. Which solution should they use?

98

An organization has a hierarchical firewall policy at the organization level that denies all ingress traffic from the internet. A project team needs to allow HTTP traffic from the internet to a specific VM. How should they achieve this?

99

A company wants to detect and alert on potential network threats, such as malware and command-and-control traffic, within their VPC. They need a managed service that integrates with packet mirroring. Which Google Cloud service should they use?

100

A company's security policy requires that all traffic to a Google Cloud load balancer use TLS 1.2 or higher and only accept strong ciphers. They want to enforce this using a Google Cloud resource. Which resource should they configure?

101

A company wants to protect a web application hosted on Google Cloud from common web attacks like SQL injection and cross-site scripting (XSS). They have deployed a global external HTTPS load balancer. Which TWO services or configurations should they use?

102

An organization wants to use VPC Service Controls to protect BigQuery data. They need to allow a group of data analysts to access BigQuery from outside the perimeter (e.g., from their laptops) while maintaining the perimeter for all other users. Which TWO configurations are necessary?

103

A company wants to deploy a web application with a global load balancer and needs to configure SSL/TLS termination. They want to use a certificate from their own CA and have the ability to manage multiple certificates for different domains. Which THREE steps should they take?

104

A security engineer is designing a network security architecture for a multi-project environment. They need to enforce a baseline set of firewall rules across all projects in the organization, but allow individual project teams to add their own specific rules. Which TWO components should they use?

105

A company wants to use Private Service Connect to publish a managed service (e.g., a custom application) so that consumers can access it privately within Google Cloud. Which THREE resources are involved in this setup?

106

Your organization wants to enforce that all VMs in a project can only communicate with a specific Cloud Storage bucket, and no other external IP addresses. You need to configure firewall rules to achieve this. Which approach should you take?

107

You are designing a VPC Service Controls perimeter to protect a project containing BigQuery datasets accessible from a data analytics VPC. You need to allow a specific set of on-premises users (identified by IP range 203.0.113.0/24) to query BigQuery from outside the perimeter, but block all other external access. What is the correct configuration?

108

Your organization uses Cloud Armor to protect HTTP Load Balancers. You need to block all incoming requests from a specific geographic region (country code 'XY') while allowing all other traffic. What is the correct configuration?

109

You manage a Google Cloud environment using shared VPC with multiple service projects. You need to enforce consistent firewall rules across all projects in the organization, ensuring that certain security rules cannot be overridden by project administrators. Which TWO steps should you take? (Choose 2)

110

You are designing a private connectivity solution for a Google Cloud project that needs to access Google APIs (e.g., Cloud Storage) without traversing the public internet. The VPC has on-premises connectivity via Cloud VPN. Which THREE steps are required to achieve private, on-premises to Google API access? (Choose 3)


Other PCSE exam domains

Configuring Access Within a Cloud Solution Environment
Ensuring Data Protection
Managing Operations in a Cloud Solution Environment
Supporting Compliance Requirements

Frequently asked questions

What does the Configuring Network Security domain cover on the PCSE exam?

The Configuring Network Security domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.

How many Configuring Network Security questions are in the PCSE question bank?

The Courseiva PCSE question bank contains 110 questions in the Configuring Network Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Configuring Network Security for PCSE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Configuring Network Security questions for PCSE?

Yes — the session launcher on this page draws questions exclusively from the Configuring Network Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
