Practice PCSE Configuring Network Security questions with full explanations on every answer.
1. A security engineer needs to restrict access to Cloud Storage buckets so that only resources in a specific VPC can reach the Google APIs. Which Google Cloud service should be used?
2. An organization wants to enforce a security policy that denies all egress traffic to the internet from all projects in the organization, except for traffic from a specific set of VMs tagged with 'allow-egress'. Which approach should be used?
3. A company uses VPC Service Controls to protect a BigQuery dataset. They need to allow an external on-premises application to query the dataset without being inside the service perimeter. The external application has a static IP address. Which configuration is required?
4. A DevOps team wants to automatically provision and renew SSL certificates for a global HTTPS load balancer. Which certificate management option should be used?
5. An engineer needs to block a specific IP address from accessing an HTTPS load balancer. Which Cloud Armor rule should be used?
6. A company wants internal VMs to access Google APIs (e.g., Cloud Storage, BigQuery) without traversing the internet. What is the simplest configuration?
7. An organization uses VPC Service Controls in dry-run mode for a project containing Google Cloud Storage. They notice that BigQuery jobs are being logged as violations. How should they interpret this?
8. A security engineer wants to apply a baseline set of firewall rules that apply to all new and existing VMs in an organization, and these rules must not be overridden by project-level rules. Which approach should be used?
9. Which Cloud Armor feature uses machine learning to detect and mitigate DDoS attacks?
10. A service provider wants to expose an internal service to external consumers in a controlled manner, without giving them direct access to the VPC. Which Google Cloud service should be used?
11. An organization uses SSL policies for their HTTPS load balancer. They need to allow TLS 1.2 and 1.3 only, and use the most secure cipher profile available. Which SSL policy configuration should they choose?
12. Which VPC firewall rule target type is recommended for security because it can be dynamically applied to instances based on their service account?
13. A company wants to detect and block SQL injection attacks targeting their web application hosted on Compute Engine behind a Cloud Load Balancer. Which TWO steps should they take? (Choose TWO.)
14. A financial services company must ensure that all data in Cloud Storage remains within a specific region and that no data can be accessed from outside the corporate network. They also need to allow a partner organization to access a specific bucket. Which THREE Google Cloud services or features should be combined to meet these requirements? (Choose THREE.)
15. An organization wants to implement a zero-trust network security model for their Google Cloud environment. Which TWO practices should they adopt? (Choose TWO.)
16. An organization wants to restrict access to a Cloud Storage bucket so that only resources in a specific VPC network can reach it, without using public IP addresses. Which solution should they implement?
17. A security engineer needs to allow HTTP (port 80) traffic from all VMs in the production environment to a specific set of VMs running a web server. The web server VMs are identified by a service account 'web-sa@...'. Which firewall rule configuration should the engineer create?
18. A company wants to enforce that all VPC firewall rules in an organization must be centrally managed and cannot be overridden by lower-level projects. Which approach should they use?
19. An organization uses VPC Service Controls to protect BigQuery datasets. They need to allow a specific on-premises application, which uses a static IP address, to query a BigQuery dataset inside the service perimeter. Which configuration is required?
20. A company wants to provide private connectivity from its VPC to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs or NAT. The solution must also support on-premises connectivity via Cloud VPN. Which service should they use?
21. A web application behind an HTTPS load balancer is experiencing a high volume of malicious requests with SQL injection patterns. The security team wants to block these requests with minimal latency impact. Which Cloud Armor feature should they use?
22. An organization uses a global HTTPS load balancer with a Google-managed SSL certificate. The certificate was automatically provisioned and renewed. Recently, the certificate renewal failed and the site shows a warning. The load balancer's frontend uses the certificate. What is the most likely cause?
23. A security engineer needs to monitor network traffic for potential threats in a VPC. They want to inspect all traffic for malware signatures and alert on high-severity threats. The solution should be natively integrated with GCP. Which service should they use?
24. A company wants to enforce that traffic between two projects in the same organization must go through a central inspection VPC. They need a firewall rule that denies all traffic between the projects except through the inspection VPC. Which type of firewall rule should they use?
25. An organization needs to restrict access to Cloud Storage buckets so that only requests from a specific range of IP addresses (e.g., corporate VPN) are allowed. They also want to block all other IPs. Which combination of services should they use?
26. A company has a global HTTPS load balancer and wants to use a self-managed SSL certificate. They have uploaded the PEM-encoded certificate and private key to the load balancer. However, the certificate is about to expire. What is the correct way to renew it without downtime?
27. A security team wants to block all incoming traffic from a specific country to their web application behind a global HTTPS load balancer. They also need to allow traffic from all other countries. Which Cloud Armor feature should be used?
28. A company wants to enable private connectivity from its on-premises network to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs. They have a Cloud VPN connection to a VPC. Which TWO services or configurations are required? (Choose two.)
29. A security engineer is designing a VPC Service Controls perimeter to protect sensitive BigQuery data. They need to allow a specific on-premises application (source IP range 203.0.113.0/24) to query BigQuery, and also allow a managed instance group in another project (project 'analytics') to export data from BigQuery to Cloud Storage. Which THREE configurations are required? (Choose three.)
30. A security team wants to enforce SSL/TLS best practices for their HTTPS load balancer. They need to require TLS 1.2 or higher and restrict ciphers to strong ones only. Which TWO actions should they take? (Choose two.)
31. An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only requests originating from a specific VPC network are allowed. Which Google Cloud service should they use?
32. A security team needs to apply a set of firewall rules that enforce baseline security for all VPC networks across multiple projects in an organization. These rules must be inherited and cannot be overridden by project-level rules. What should they use?
33. An engineer wants to allow egress traffic from a group of VM instances with a specific service account to a set of IP addresses. They need to choose between using tags or service accounts as targets in a VPC firewall rule. Which approach is recommended for better security and why?
34. A company uses VPC Service Controls to protect a project containing BigQuery datasets. They have an ingress rule that allows traffic from an on-premises network via a Cloud VPN tunnel. The on-premises IP range is 10.0.0.0/8. However, users on-premises are still getting access denied errors when querying BigQuery. The VPC Service Controls perimeter is in dry-run mode. What is the most likely cause?
35. An organization wants to provide private, on-premises access to Google Cloud APIs (e.g., Cloud Storage, BigQuery) without traversing the public internet. They have a Direct Connect link to Google Cloud. Which solution should they implement?
36. A company uses Cloud Armor security policies to protect their HTTP load balancer. They need to block requests from a specific geographic region (country X) and also limit requests from any IP to 1000 requests per second. They also want to use preconfigured rules for SQL injection prevention. What is the correct way to combine these requirements in a single security policy?
37. A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They want Google to manage the certificate lifecycle. Which certificate type should they use?
38. A security engineer needs to detect and alert on network-based threats such as malware and command-and-control traffic within their Google Cloud VPC. They want a managed service that provides deep packet inspection and integrates with their existing security operations. Which service should they use?
39. An organization uses VPC Service Controls with a service perimeter that includes Cloud Storage and BigQuery. They need to allow a specific on-premises service account to write data to a Cloud Storage bucket inside the perimeter. The on-premises network connects via Cloud VPN. What must be configured in the perimeter?
40. A company needs to enforce that all incoming traffic to their HTTPS load balancer must use TLS 1.2 or higher. Which SSL policy setting should they configure on the target HTTPS proxy?
41. A company is using Cloud Armor with adaptive protection enabled. They notice that adaptive protection has generated a rule that is blocking some legitimate traffic. What should they do to minimize false positives while still benefiting from adaptive protection?
42. An organization has multiple VPC networks in different projects. They need to centrally manage firewall rules that apply to all VPCs in the organization and ensure that project owners cannot override them. Which solution should they use?
43. A company is implementing VPC Service Controls to protect a project that contains Cloud Storage and BigQuery. They want to allow a specific on-premises service account to read data from Cloud Storage and write to BigQuery. The on-premises network connects via Cloud VPN. Which TWO components must be configured in the service perimeter? (Choose two.)
44. A security team is configuring Cloud Armor to protect a web application. They need to block requests that contain SQL injection patterns, block requests from a known malicious IP list, and limit requests from any single IP to 2000 requests per minute. Which THREE actions must they take? (Choose three.)
45. A company is deploying a new internal application on Google Cloud. They want to ensure that VM instances in a specific subnet can only communicate with each other and with a load balancer that fronts the application. They also want to allow SSH access from a bastion host. Which TWO firewall rules should they create? (Choose two.)
46. A security engineer wants to restrict access to a Cloud Storage bucket so that only requests originating from within a specific VPC network can access the bucket. Which Google Cloud service should they use?
47. An organization needs to block all inbound SSH traffic (port 22) to a set of VM instances that have a common tag 'ssh-restricted'. They want to deny this traffic at the VPC firewall level. Which firewall rule configuration should they use?
48. A company wants to use Cloud Armor Managed Protection Plus to protect their HTTP(S) load balancer from DDoS attacks. They need to automatically block traffic from IP addresses that exhibit anomalous behavior based on machine learning. Which Cloud Armor feature should they enable?
49. An engineer needs to ensure that only VMs with a specific service account (sa-prod@project.iam.gserviceaccount.com) can access a Cloud Spanner instance. They want to control this at the network level, not using IAM. Which VPC firewall rule configuration should they use?
50. A company uses hierarchical firewall policies at the organization level to enforce a baseline deny-all rule. A project administrator wants to create a firewall rule that allows HTTP traffic to a specific VM. Which statement is correct?
51. A financial services company must ensure that all data egress from a VPC to BigQuery goes through a Private Service Connect endpoint for private access. They have set up the PSC endpoint and configured DNS. However, connections from VMs are still using the public internet. What is the most likely cause?
52. An organization wants to use Cloud IDS to detect network threats within their VPC. They have enabled the Cloud IDS endpoint and configured packet mirroring. Which of the following is required for the packet mirroring policy to work?
53. A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They do not want to manually manage certificate files. Which approach should they use?
54. A security team needs to apply a security policy that blocks requests to their HTTP load balancer from a specific geographic region (e.g., Country A). Which Cloud Armor feature should they use?
55. An organization uses VPC Service Controls to protect BigQuery. They want to test a new access level that allows access only from a specific IP range before enforcing it. Which mode should they use?
56. A company has multiple VPCs in different projects that need to privately connect to a common internal service (e.g., a managed database) running in a central project. They want to expose this service via Private Service Connect. Which type of PSC endpoint should the consumer VPCs create?
57. A DevOps engineer wants to use Cloud Armor to block common web application attacks like SQL injection and cross-site scripting. Which feature should they enable?
58. A security engineer is configuring a VPC Service Controls perimeter to protect a Cloud Storage bucket. They want to allow a specific on-premises network (IP range 203.0.113.0/24) to access the bucket, while still blocking other external networks. Which TWO components must they configure? (Choose TWO.)
59. An organization wants to enforce that all egress traffic from a VPC to the internet must go through a Cloud NAT gateway for logging and IP management. They also need to block all other direct outbound traffic. Which THREE steps should they take? (Choose THREE.)
60. A company wants to use Cloud IDS to detect threats in their VPC. They have created a Cloud IDS endpoint and need to configure packet mirroring. Which TWO resources must be in place for packet mirroring to work? (Choose TWO.)
61. A security engineer wants to restrict access to Cloud Storage buckets such that only workloads running on Compute Engine VMs in a specific VPC can read data. The VMs are managed by multiple GKE clusters and autoscaling instance groups. Which approach BEST enforces this restriction?
62. An organization wants to enforce that all Compute Engine instances in a project have a specific tag (e.g., 'env=prod') before they can be created. Which approach should be used?
63. An organization wants to allow only specific trusted IP ranges to access a web application behind a Cloud Load Balancer. Which Cloud Armor feature should be used?
64. A company is deploying an internal service on GKE that needs to be accessible privately from on-premises data centers over a VPN connection. The service should not be exposed to the internet. Which connectivity solution is MOST appropriate?
65. An organization has a security policy that requires TLS 1.2 or higher for all HTTPS traffic to their external HTTP(S) load balancer. They also need to disable weak cipher suites. Which configuration should be applied?
66. An engineer needs to allow a specific service account from another project to access a Cloud Storage bucket in the current project. The engineer wants to use the principle of least privilege. Which IAM role should be granted directly on the bucket to the service account?
67. Which GCP service provides managed intrusion detection by analyzing mirrored network traffic and using threat signatures from Palo Alto Networks?
68. A company wants to enforce that no Compute Engine firewall rule in any project under an organization can have a source range of 0.0.0.0/0 for RDP (port 3389). Which approach should be used?
69. An engineer needs to allow HTTP traffic from instances tagged 'web-server' to instances tagged 'app-server' on port 8080 within the same VPC. Which firewall rule should be created?
70. A company uses VPC Service Controls to protect a service perimeter around BigQuery. They need to allow a specific on-premises application (with static IP 203.0.113.10) to query BigQuery tables within the perimeter, while still blocking other internet traffic. Which configuration should be used?
71. Which feature of Cloud Armor uses machine learning to detect and block distributed denial-of-service (DDoS) attacks?
72. An organization uses Certificate Manager to provision SSL certificates for multiple domains across several load balancers. They want to automate certificate renewal. Which type of certificate should be used?
73. A company wants to prevent data exfiltration by restricting access to Google APIs from only authorized VPC networks. They also need to allow a specific on-premises IP range to access BigQuery. Which TWO services should be used together? (Choose 2)
74. A security team needs to inspect all egress traffic from Compute Engine instances for malware using a third-party security appliance. They want to deploy the appliance in a separate VPC and route all egress traffic through it. Which THREE components are required? (Choose 3)
75. An organization wants to enforce that all Compute Engine instances have Confidential Computing enabled for sensitive workloads. Which TWO steps should be taken? (Choose 2)
76. A security engineer wants to allow egress traffic from Compute Engine instances to the internet only for updates to a specific set of packages. All other egress must be denied. Which VPC firewall rule configuration should the engineer use?
77. A company wants to restrict access to Cloud Storage buckets so that only resources in a specific VPC network can reach them, and data cannot be exfiltrated to other networks. Which Google Cloud service should they use?
78. A company uses VPC Service Controls in dry-run mode to test a new service perimeter that includes BigQuery. They want to monitor any violations without actually blocking access. Where can they view the logs of these dry-run violations?
79. An organization has a hub-and-spoke VPC setup with Shared VPC. The security team wants to enforce a rule that all egress traffic from any project in the organization must pass through a central inspection appliance in the hub VPC. Which firewall configuration approach meets this requirement?
80. A company wants to expose an internal web service running on a private GKE cluster to other services within the same VPC network using a private IP address. They do not want to use a public load balancer. Which Google Cloud service should they use?
81. A security engineer needs to block traffic from all IP addresses in a specific geographic region from reaching an HTTPS load-balanced application. The application uses Cloud Load Balancing with an external HTTPS load balancer. Which approach should the engineer use?
82. A company wants to use a Google-managed SSL certificate for their external HTTPS load balancer. Which step is required to provision the certificate?
83. A company uses Cloud Armor Managed Protection Plus to protect their applications. They want to automatically block IP addresses that are identified as malicious by adaptive protection. How should they configure this?
84. An organization needs to enforce a TLS minimum version of 1.2 for all traffic to their HTTPS load balancers. They have multiple load balancers serving different domains. Which Google Cloud feature should they use?
85. A security team wants to detect and block network-based threats such as malware and command-and-control traffic within their VPC. They need a managed service that provides deep packet inspection. Which Google Cloud service should they use?
86. A company has a VPC Service Controls perimeter that includes BigQuery and Cloud Storage. They need to allow a specific on-premises application (with a static IP) to access a BigQuery dataset within the perimeter. Which configuration should they use?
87. A company uses Cloud Armor to protect a web application. They want to block requests that contain SQL injection patterns based on the OWASP ModSecurity Core Rule Set. Which preconfigured rule set should they enable?
88. A security engineer needs to restrict access to a Cloud Storage bucket so that only a specific set of Compute Engine instances can read objects. The instances are in the same project and VPC network. The engineer wants to use VPC firewall rules for this purpose. Which two configurations are REQUIRED? (Choose two.)
89. A company is designing a secure multi-tenant environment in Google Cloud. Each tenant has its own VPC network and resources. The security team wants to centrally enforce a rule that denies all egress traffic to the internet from tenant VPCs, except for traffic to specific trusted IP ranges for software updates. They also want to ensure that tenant admins cannot override this rule. Which two actions should they take? (Choose two.)
90. A company is deploying a web application behind an external HTTPS load balancer. They want to protect against common web attacks such as XSS, SQLi, and LFI using preconfigured rules. They also need to allowlist specific IP addresses that belong to partners. Which three Cloud Armor features should they use? (Choose three.)
91. An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only resources within a specific VPC network can call these APIs, and no traffic from other VPCs or on-premises networks is allowed. Which Google Cloud service should they use?
92. A security engineer needs to configure firewall rules to allow traffic from a set of compute instances to a set of backend instances. The engineer wants to use a method that is more secure and scalable than using network tags. Which approach should they use?
93. A company wants to allow users from a specific on-premises IP range to access a service deployed on Google Cloud, but only if the user's device is compliant with corporate security policies (e.g., has antivirus enabled). Which combination of services can achieve this?
94. A company has set up a VPC Service Controls perimeter that includes Cloud Storage. They want to allow a specific on-premises server to copy data to a Cloud Storage bucket inside the perimeter. The on-premises server uses an external IP address. Which configuration is required?
95. A company wants to use a Google Cloud load balancer with an SSL certificate that is automatically provisioned and renewed. Which type of certificate should they use?
96. A security engineer needs to block traffic to a set of VMs from specific IP addresses and also apply rate limiting for HTTP traffic. The VMs are behind a global external HTTPS load balancer. Which service should they use?
97. A company wants to provide private connectivity from its on-premises network to Google Cloud APIs (e.g., BigQuery, Cloud Storage) without traversing the public internet. They have an existing Dedicated Interconnect connection. Which solution should they use?
98. An organization has a hierarchical firewall policy at the organization level that denies all ingress traffic from the internet. A project team needs to allow HTTP traffic from the internet to a specific VM. How should they achieve this?
99. A company wants to detect and alert on potential network threats, such as malware and command-and-control traffic, within their VPC. They need a managed service that integrates with packet mirroring. Which Google Cloud service should they use?
100. A company's security policy requires that all traffic to a Google Cloud load balancer use TLS 1.2 or higher and only accept strong ciphers. They want to enforce this using a Google Cloud resource. Which resource should they configure?
101. A company wants to protect a web application hosted on Google Cloud from common web attacks like SQL injection and cross-site scripting (XSS). They have deployed a global external HTTPS load balancer. Which TWO services or configurations should they use?
102. An organization wants to use VPC Service Controls to protect BigQuery data. They need to allow a group of data analysts to access BigQuery from outside the perimeter (e.g., from their laptops) while maintaining the perimeter for all other users. Which TWO configurations are necessary?
103. A company wants to deploy a web application with a global load balancer and needs to configure SSL/TLS termination. They want to use a certificate from their own CA and have the ability to manage multiple certificates for different domains. Which THREE steps should they take?
104. A security engineer is designing a network security architecture for a multi-project environment. They need to enforce a baseline set of firewall rules across all projects in the organization, but allow individual project teams to add their own specific rules. Which TWO components should they use?
105. A company wants to use Private Service Connect to publish a managed service (e.g., a custom application) so that consumers can access it privately within Google Cloud. Which THREE resources are involved in this setup?
106. Your organization wants to enforce that all VMs in a project can only communicate with a specific Cloud Storage bucket, and no other external IP addresses. You need to configure firewall rules to achieve this. Which approach should you take?
107. You are designing a VPC Service Controls perimeter to protect a project containing BigQuery datasets accessible from a data analytics VPC. You need to allow a specific set of on-premises users (identified by IP range 203.0.113.0/24) to query BigQuery from outside the perimeter, but block all other external access. What is the correct configuration?
108. Your organization uses Cloud Armor to protect HTTP Load Balancers. You need to block all incoming requests from a specific geographic region (country code 'XY') while allowing all other traffic. What is the correct configuration?
109. You manage a Google Cloud environment using shared VPC with multiple service projects. You need to enforce consistent firewall rules across all projects in the organization, ensuring that certain security rules cannot be overridden by project administrators. Which TWO steps should you take? (Choose 2)
110. You are designing a private connectivity solution for a Google Cloud project that needs to access Google APIs (e.g., Cloud Storage) without traversing the public internet. The VPC has on-premises connectivity via Cloud VPN. Which THREE steps are required to achieve private, on-premises to Google API access? (Choose 3)
The Configuring Network Security domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.
The Courseiva PCSE question bank contains 110 questions in the Configuring Network Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Configuring Network Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.