Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PCSE Configuring network security • Complete Question Bank

PCSE Configuring network security — All Questions With Answers

Complete PCSE Configuring network security question bank: all questions with answers and detailed explanations.

86 questions · Free · No signup
Question 1 (easy, multiple choice)

Your organization has a VPC with several subnets hosting Compute Engine instances. You need to allow SSH access (port 22) to instances in the 'management' subnet from the internet, but only from the office's static IP range (203.0.113.0/24). All other ingress traffic to that subnet should be blocked. Which firewall rule configuration should you create?

Question 2 (medium, multiple choice)

Your company is deploying a web application on Google Kubernetes Engine (GKE) with an Internal Load Balancer (ILB) as the ingress. The application must only be accessible from within the same VPC and from an on-premises network connected via Cloud VPN. The on-premises network uses IP range 10.0.0.0/8. You have already created the ILB with a backend service. What is the most secure way to restrict access to the ILB?

Question 3 (hard, multiple choice)

You have a Compute Engine VM that hosts a custom application. The VM has a tag 'app-server' and is in a VPC network with the following firewall rules (priority order from lowest to highest):

Rule 1: Priority 1000, direction INGRESS, source 0.0.0.0/0, target tag 'app-server', protocol tcp:80, action allow
Rule 2: Priority 500, direction INGRESS, source 10.0.0.0/8, target tag 'app-server', protocol tcp:80, action deny
Rule 3: Priority 2000, direction INGRESS, source 192.168.0.0/16, target tag 'app-server', protocol tcp:80, action allow

A user from IP 10.0.0.5 tries to access the application on port 80. Will the request be allowed or denied?

Question 4 (medium, multiple choice)

Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?

Question 5 (hard, multiple choice)

You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?

Question 6 (medium, multi-select)

You are a security engineer for a company that runs a critical application on Google Cloud. You need to implement defense in depth for network security. Which TWO of the following are effective network security controls that you should implement?

Question 7 (hard, multi-select)

Your company has a VPC with multiple subnets. You have deployed a set of Compute Engine instances that must communicate with each other over TCP port 4444. The instances are tagged with 'app-tier'. You need to ensure that only these instances can communicate on this port. Which THREE of the following steps are necessary to achieve this?

Question 8 (hard, multiple choice)

You are designing network security for a multi-region GKE cluster with Pods that need to communicate across regions over a private network. The cluster uses VPC-native mode. Which Google Cloud networking feature should you use to ensure low-latency and secure inter-region Pod-to-Pod communication without traversing the public internet?

Question 9 (easy, multiple choice)

Your organization requires that all egress traffic from a VPC network be inspected by a third-party security appliance before leaving the network. The appliance is deployed in a separate VPC. What is the most scalable and maintainable way to route traffic through the appliance?

Question 10 (medium, multiple choice)

A security engineer is troubleshooting connectivity issues between two Compute Engine instances in the same VPC but in different subnets. Both instances have internal IPs and are in the same region. The firewall rules allow ingress from 10.0.0.0/8. However, traffic is failing. What is the most likely cause?

Question 11 (medium, multi-select)

Which TWO options are valid methods to secure data in transit between an on-premises data center and a Google Cloud VPC?

Question 12 (hard, multi-select)

Which THREE components are required to configure VPC Flow Logs for a Compute Engine instance?

Question 13 (easy, multiple choice)

Your organization wants to ensure that no Compute Engine instance can have a public IP address. What is the best way to enforce this policy?

Question 14 (hard, multiple choice)

A company is using a Shared VPC in Google Cloud with multiple service projects. The security team wants to restrict egress traffic from a specific service project to only allowed external IP addresses. The network project hosts the VPC. What is the best approach?

Question 15 (hard, multiple choice)

Your organization has a hybrid network with an on-premises data center connected to Google Cloud via a Dedicated Interconnect. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) and Google Cloud VPC has a subnet in 10.1.0.0/16. You've configured a Cloud Router with BGP to exchange routes. Recently, you set up a new VPC with a subnet in 10.2.0.0/16 and peered it with the first VPC using VPC Network Peering. You notice that on-premises traffic destined to 10.2.0.0/16 is being dropped. You verify that the firewall rules allow the traffic and that BGP routes for 10.2.0.0/16 are not advertised on-premises. What should you do to enable connectivity from on-premises to the new VPC?

Question 16 (hard, multiple choice)

You are a security engineer for a financial services company that processes sensitive customer data. Your architecture includes two VPCs: 'data-vpc' (10.1.0.0/16) containing BigQuery datasets and Cloud Storage buckets, and 'app-vpc' (10.2.0.0/16) containing Compute Engine instances running a customer-facing application. The application needs to read from BigQuery and write to Cloud Storage. You have configured VPC Network Peering between the VPCs. Additionally, you have set up Private Google Access on all subnets in 'data-vpc' and 'app-vpc'. The application instances cannot connect to BigQuery or Cloud Storage. You have verified that firewall rules allow egress traffic to the Google APIs IP range (199.36.153.4/30) and that DNS resolution works correctly. What is the most likely cause of the connectivity failure?

Question 17 (hard, multiple choice)

A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?

Question 18 (medium, multi-select)

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project contains Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. The perimeter is defined with the project as a protected project. Which TWO actions are valid to restrict data exfiltration while maintaining necessary access?

Question 19 (medium, drag-and-order)

Drag and drop the steps to configure a VPC Service Controls perimeter in the correct order.

Question 20 (medium, drag-and-order)

Drag and drop the steps to respond to a data breach involving a Cloud Storage bucket in the correct order.

Question 21 (medium, matching)

Match each Google Cloud security tool to its primary purpose.

Descriptions to match:

- DDoS protection and WAF
- Centralized security and risk management
- Intrusion detection for network traffic
- Logs of Google staff access to customer data
- Data exfiltration prevention via service perimeters

Question 22 (medium, matching)

Match each encryption scope to its description.

Descriptions to match:

- Data protected while traveling over networks
- Data protected when stored on disk
- Customer-supplied encryption keys for Google Cloud resources
- Customer-managed encryption keys via Cloud KMS
- Google-managed encryption keys for all data at rest

Question 23 (easy, multiple choice)

A company has configured a VPC firewall rule to allow HTTP traffic from a specific source IP range 203.0.113.0/24. However, HTTP requests from that range are being denied. Which initial verification should the security engineer perform?

Question 24 (medium, multiple choice)

A company is using Cloud NAT to allow instances in a private subnet to access the internet. They notice that some instances are unable to reach external services. The NAT gateway is configured with a single IP address. Which action would most likely resolve the issue?

Question 25 (hard, multiple choice)

A company has a hybrid cloud setup with a Cloud VPN tunnel to an on-premises network. They want to ensure that traffic from on-premises to a specific VPC subnet is routed through a specific next hop appliance for inspection. How can they achieve this?

Question 26 (medium, multiple choice)

An organization uses Shared VPC to centrally manage network resources. They want to allow a service project to use its own firewall rules for certain instances. How should they configure the firewall rules?

Question 27 (easy, multiple choice)

A security engineer wants to block all SSH access from the internet to a VPC network, except for a specific bastion host. What is the most efficient way to configure this?

Question 28 (hard, multiple choice)

A company is using VPC Service Controls to protect their Google Cloud Storage buckets. They want to allow a specific instance to access a bucket from within a VPC. What networking configuration is required?

Question 29 (medium, multiple choice)

A company has multiple VPC networks that need to communicate privately. They are evaluating VPC peering and Shared VPC. Which statement correctly describes a limitation of VPC peering compared to Shared VPC?

Question 30 (easy, multiple choice)

A developer needs to allow a specific Compute Engine instance to communicate with a Cloud SQL database instance. Both are in the same project but different VPC networks. What is the simplest secure method?

Question 31 (hard, multiple choice)

A company is deploying a firewall appliance in a VPC to inspect traffic. They create custom routes to direct traffic to the appliance. Which step is necessary to ensure the appliance can forward traffic back?

Question 32 (medium, multi-select)

A company is designing a network architecture for a multi-region application. They want to minimize latency and maximize availability. Which two features should they consider? (Choose two.)

Question 33 (hard, multi-select)

A security engineer needs to restrict outbound traffic from a VPC to only allow specific external IP ranges. Which three components must be configured? (Choose three.)

Question 34 (easy, multi-select)

A company is migrating workloads to Google Cloud and wants to ensure that their VPC network is secure by default. Which two best practices should they follow? (Choose two.)

Question 35 (medium, multiple choice)

A user is unable to SSH into an instance that has the tag 'ssh-access' and an internal IP 10.0.0.2. The user's IP is 198.51.100.1. What is the most likely reason?

Exhibit:

```
$ gcloud compute firewall-rules describe allow-ssh
kind: compute#firewall
name: allow-ssh
network: default
direction: INGRESS
priority: 1000
sourceRanges:
- 203.0.113.0/24
allowed:
- IPProtocol: tcp
  ports:
  - '22'
targetTags:
- ssh-access
```

Question 36 (easy, multiple choice)

An engineer has enabled Private Google Access on the subnet. However, instances in the subnet cannot access Google APIs (e.g., storage.googleapis.com) using their internal IPs. What is the most likely issue?

Exhibit:

```
$ gcloud compute networks subnets describe my-subnet --region=us-central1
cidr: 10.0.0.0/24
privateIpGoogleAccess: true
enableFlowLogs: true
```

Question 37 (hard, multiple choice)

A company has a VPC network with a default route to the internet gateway. They want all egress traffic to go through a firewall appliance instead. They create a new route with a next hop to the appliance and a priority of 500. However, traffic is still going through the internet gateway. What is the most likely reason?

Exhibit:

```
$ gcloud compute routes describe default-route-0e1f
destRange: 0.0.0.0/0
network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default
nextHopGateway: https://www.googleapis.com/compute/v1/projects/my-project/global/gateways/default-internet-gateway
priority: 1000
tags: []
```

Question 38 (medium, multiple choice)

A company runs a GKE cluster with multiple node pools, including one pool of confidential VMs. The security team wants to ensure that only traffic from the internal VPC (10.0.0.0/8) can reach the nodes' metadata server. Which configuration should be applied?

Question 39 (easy, multiple choice)

A company has two VPC networks in the same project: VPC-A (10.0.0.0/16) and VPC-B (172.16.0.0/16). They have established VPC peering between them. An instance in VPC-A needs to communicate with an instance in VPC-B on TCP port 443. What is the minimal firewall configuration needed?

Question 40 (hard, multiple choice)

A company has a VPC with a subnet (10.1.0.0/24) in us-central1. They have a Cloud NAT configured for outbound traffic to the internet. They want instances in this subnet to access a third-party API that is only accessible over the internet and requires a specific static source IP for whitelisting. What is the recommended approach?

Question 41 (medium, multiple choice)

An organization uses Shared VPC with a host project and several service projects. A network administrator in a service project wants to create a firewall rule that allows traffic from a specific source CIDR to a Compute Engine instance in the service project. What is the correct way to achieve this?

Question 42 (easy, multiple choice)

A company wants to protect its HTTP(S) Load Balancer from common web attacks like SQL injection and cross-site scripting. Which Google Cloud service should they use?

Question 43 (hard, multiple choice)

A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect. They want to allow instances in a VPC (10.0.0.0/8) to access Google APIs (e.g., Cloud Storage) without traversing the public internet. They also want to ensure that traffic from on-premises to Google APIs uses the same private path. Which configuration is required?

Question 44 (medium, multiple choice)

A company notices that some Compute Engine instances are making unexpected outbound connections to suspicious IP addresses. They want to investigate the traffic patterns and identify the source of these connections. Which tool should they use?

Question 45 (easy, multiple choice)

A security engineer needs to provide secure SSH access to a Compute Engine instance that has no external IP address. What is the recommended method?

Question 46 (hard, multiple choice)

A company uses hierarchical firewall policies to enforce security across all VPC networks in an organization. They have an organization policy that denies egress traffic to the internet. However, a team needs to allow outbound HTTPS traffic to a specific external API (api.example.com) for a project. What is the best way to achieve this?

Question 47 (medium, multi-select)

You are designing VPC firewall rules for a multi-tier application. Which TWO considerations are important when creating firewall rules in terms of security and manageability? (Choose TWO.)

Question 48 (hard, multi-select)

A company is setting up Cloud NAT for a subnet that hosts compute instances. They want to ensure high availability and efficient use of IPs. Which TWO configurations should they apply? (Choose TWO.)

Question 49 (easy, multi-select)

A company wants to restrict access to a Cloud SQL instance so that only Compute Engine instances in a specific VPC subnet can connect. Which THREE methods can be used to achieve this? (Choose THREE.)

Question 50 (medium, multiple choice)

A company has deployed a web application on Compute Engine instances in a managed instance group behind an internal HTTP(S) load balancer. The application needs to be accessible only from the corporate office, which has a static public IP range of 203.0.113.0/24. The load balancer is in us-central1. What is the most secure way to restrict access?

Question 51 (easy, multiple choice)

You are configuring a new VPC network with a private subnet for Compute Engine instances that need to access the internet for updates. Which configuration is the simplest and most secure?

Question 52 (hard, multiple choice)

A company uses Shared VPC in a host project with multiple service projects. The security team wants to ensure that all traffic between service projects is inspected by a third-party firewall appliance deployed in the host project. Which configuration should be implemented?

Question 53 (easy, multiple choice)

Your organization has a VPC with several subnets and wants to enable Private Google Access for Compute Engine instances in a specific subnet to access Google APIs and services without external IP addresses. What must be configured?

Question 54 (medium, multiple choice)

A company uses Cloud Armor to protect an external HTTPS load balancer. They want to block requests from a specific IP address range 198.51.100.0/24, but allow all other traffic. After creating a deny rule with the source IP condition, they notice that requests from that range are still reaching the backend. What is the most likely cause?

Question 55 (hard, multiple choice)

A company has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They have a firewall appliance (internal IP 10.0.1.100) that inspects all traffic between subnets. They configure a policy-based route to redirect traffic from subnet-a to subnet-b to the appliance. However, traffic from subnet-a to subnet-b still goes directly. What is missing?

Question 56 (medium, multiple choice)

You are designing a network for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier should only be accessible from the application tier. All tiers are in the same VPC. Which combination of firewall rules meets these requirements?

Question 57 (medium, multiple choice)

A company needs to securely connect two VPC networks from different projects in the same organization. Each VPC has overlapping IP ranges (10.0.0.0/16). They require high throughput and low latency. What is the recommended approach?

Question 58 (hard, multiple choice)

Your organization has a security requirement that all traffic to and from Compute Engine instances must be logged and analyzed. You have enabled VPC Flow Logs for all subnets. However, you notice that flow logs are not capturing all traffic between instances in the same subnet. What is the most likely reason?

Question 59 (medium, multi-select)

Which TWO of the following are valid Google Cloud firewall rule components? (Choose TWO.)

Question 60 (hard, multi-select)

Which THREE of the following are required to enable VPC Flow Logs for a subnet? (Choose THREE.)

Question 61 (easy, multi-select)

Which TWO of the following are benefits of using Cloud NAT? (Choose TWO.)

Question 62 (easy, multiple choice)

A company has a VPC with several subnets. They want to allow HTTP traffic from the internet to a web server in subnet-a, but block all other inbound traffic. What is the simplest firewall rule configuration?

Question 63 (medium, multiple choice)

A company uses a hub-and-spoke VPC topology with Network Connectivity Center. The spoke VPCs need to reach the internet. Cloud NAT is configured in the hub VPC. Spoke VPCs have routes to the hub via a VPN tunnel. However, instances in spoke VPCs cannot reach the internet. Which configuration is most likely missing?

Question 64 (hard, multiple choice)

A company is implementing VPC Service Controls to protect sensitive data in Google Cloud Storage. They want to allow a private on-premises subnet (10.1.0.0/16) to access the storage buckets via a Cloud VPN tunnel, but deny all other on-premises traffic. Which configuration approach meets this requirement with least privilege?

Question 65 (easy, multiple choice)

A company uses Cloud Armor to protect their HTTP Load Balancer from DDoS attacks. They want to block requests from a specific malicious IP address range, 203.0.113.0/24. Which Cloud Armor policy configuration should they use?

Question 66 (medium, multiple choice)

A company uses Shared VPC with host project and service projects. They want to ensure that only specific service projects can create firewall rules in the host project's network. What is the correct IAM configuration?

Question 67 (hard, multiple choice)

A security team wants to mirror all traffic from a critical VM to a network intrusion detection system (NIDS) appliance running in the same VPC. They need to ensure that the NIDS receives both ingress and egress traffic, and that the original traffic is not impacted. Which solution should they implement?

Question 68 (easy, multiple choice)

A company wants to use Cloud CDN to cache content from an HTTP Load Balancer. They have a custom domain and want to serve traffic over HTTPS. What must they configure on the load balancer?

Question 69 (medium, multiple choice)

A company has a VPC with subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They enabled Private Google Access on subnet-a. Instances in subnet-a can access Google APIs and services using private IPs. However, instances in subnet-b cannot reach Google APIs even though subnet-b has a default route to the internet through a NAT gateway. What is the likely cause?

Question 70 (hard, multiple choice)

A company connects their on-premises data center to Google Cloud via Dedicated Interconnect. They have two VLAN attachments (VLAN-A and VLAN-B) to a single VPC. They use BGP over the VLAN attachments with Cloud Router. Both VLAN attachments are in the same region. They want to use both links for active-active traffic and have redundancy. Which BGP configuration is correct?

Question 71 (medium, multi-select)

Which TWO of the following are valid methods for sending traffic between VPC networks in Google Cloud? (Choose two.)

Question 72 (medium, multi-select)

Which TWO of the following are valid reasons to enable VPC Flow Logs? (Choose two.)

Question 73 (hard, multi-select)

Which THREE of the following are valid requirements for using VPC Network Peering? (Choose three.)

Question 74 (medium, multiple choice)

Refer to the exhibit. An engineer wants to allow inbound SSH (tcp:22) to a VM with network tag 'ssh-access' in the 'default' VPC. Which firewall rule should they create?

Exhibit:

```
$ gcloud compute firewall-rules list --format="table(name, network, sourceRanges, allowed, direction, priority)"
NAME                     NETWORK  SOURCE_RANGES    ALLOWED          DIRECTION  PRIORITY
default-allow-http       default  0.0.0.0/0        tcp:80           INGRESS    1000
default-allow-https      default  0.0.0.0/0        tcp:443          INGRESS    1000
default-allow-icmp       default  0.0.0.0/0        icmp             INGRESS    65534
default-allow-rdp        default  0.0.0.0/0        tcp:3389         INGRESS    65534
default-allow-ssh        default  0.0.0.0/0        tcp:22           INGRESS    65534
default-deny-all-ingress default  0.0.0.0/0        all              INGRESS    [IMPLIED]
```

Question 75 (hard, multiple choice)

A company has a VPC network named 'production' with subnets in us-central1 and europe-west1. They have on-premises data centers in New York and London connected via two HA VPN gateways to the respective regions. The on-premises networks use BGP with Cloud Routers in each region. The company also has a Shared VPC with service projects. Recently, they migrated a critical application to Google Cloud, which runs on Compute Engine instances in the europe-west1 subnet. The application needs to communicate with an on-premises database in London reachable via the London VPN. After the migration, the application fails to connect to the database. The Cloud Router in europe-west1 shows that it is receiving the on-premises routes. The instance has a default route to the internet via Cloud NAT. The firewall rules allow all traffic from the instance to the on-premises IP range. What is the most likely cause of the connectivity issue?

Question 76 (medium, multiple choice)

A company runs a GKE cluster in a private cluster mode (no public endpoint) in a custom VPC. The cluster nodes are in a subnet that uses a secondary IP range for pods. The company needs the pods to access an on-premises service over a Cloud VPN connection that terminates in a different region. The on-premises service IP range is 10.100.0.0/16. The VPC has a route for 10.100.0.0/16 pointing to the VPN gateway. However, pods cannot reach the on-premises service. The GKE cluster is configured with a Cloud NAT for outbound internet access. The pod IP range is 10.200.0.0/16. Which step is required to allow pod traffic to reach the on-premises network?

Question 77 (easy, multiple choice)

A company is using Cloud SQL with a private IP address in the same VPC as their Compute Engine web application server. The server can reach the Cloud SQL instance's IP address via ping, but the application is failing to connect with a permission error. The VPC firewall rules include the default allow internal rule. What is the most likely cause?

Question 78 (hard, multi-select)

A company uses Shared VPC with a host project and multiple service projects. The security team wants to enforce that only specific VMs in service project A (using IP range 10.0.1.0/24) can communicate with specific VMs in service project B (tagged as 'app-b') on TCP port 443, and all other inter-service-project traffic should be blocked. Additionally, VMs should still be accessible via IAP TCP forwarding (SSH) on TCP port 22. Which three firewall rules should be created in the host project? (Choose three.)

Question 79 (easy, multiple choice)

A small company has a single VPC with subnets in us-central1 (10.0.1.0/24) and us-west1 (10.0.2.0/24). They have a Compute Engine VM (web-server) in us-central1 that needs to connect to a Cloud SQL MySQL instance also in us-central1 using its private IP address 10.0.1.3. The Cloud SQL instance is configured with private IP only and is deployed in the same VPC. The web-server can successfully ping the Cloud SQL private IP (10.0.1.3). However, the application on the web-server fails to connect to the MySQL database with an authentication error. There are no custom firewall rules; only the default VPC firewall rules are in place. What is the most likely cause of the connection failure?

Question 80 (medium, multiple choice)

A company has deployed an internal HTTP Load Balancer (ILB) in us-west1 within a Shared VPC. The host project contains the ILB's forwarding rule and the backend service. The backend instances are Compute Engine VMs running in a service project in us-east1. The health checks for the ILB are consistently failing with 'unhealthy' status. The firewall rules in the host project allow ingress from the Google Cloud health checker ranges (130.211.0.0/22 and 35.191.0.0/16) on TCP port 80 to all VMs in the VPC. The backend VMs are running a web server listening on port 80. What is the most likely cause of the health check failures?

Question 81 (hard, multiple choice)

A financial services company must inspect all packets to and from a subnet containing highly sensitive data, for compliance. It has enabled VPC Flow Logs on that subnet, which record metadata such as source and destination IP, ports and protocol. However, the security team needs the actual packet payload to perform deep packet inspection (DPI) for malicious patterns, and it wants to capture the packets without disrupting network traffic. Which additional configuration should be implemented to meet this requirement?

Question 82 (medium, multiple choice)

A company has configured an HA VPN between Google Cloud and an on-premises data center using two tunnels, each with its own Cloud Router and BGP session, in active/active mode. Each Cloud Router learns routes from the on-premises side and advertises the VPC subnets. Recently, one of the tunnels went down after a physical link failure. The security team notices that the remaining tunnel is still up and passing traffic, but some routes that were learned via the failed tunnel are no longer present in that Cloud Router's routing table. The on-premises administrator confirms that the routes are still being advertised from the local router. What is the impact on traffic to the on-premises network?

Question 83 (hard, multiple choice)

A company has a Shared VPC environment with multiple service projects. The security team wants to ensure that all Compute Engine VMs in service projects are only accessible via IAP TCP forwarding for SSH management, and direct external access is completely blocked. They have already applied an organization policy constraint that denies the attachment of external IP addresses to new VMs. However, there are several existing VMs that still have public IP addresses assigned. The team wants to remove the public IPs from these existing VMs without causing downtime for any ongoing SSH sessions or disrupting the applications running on them, but they must ensure the VMs can still reach the internet if needed (for example, to download updates). What should the team do?

Question 84 (medium, multi-select)

Your VPC has a default firewall rule that allows SSH (TCP port 22) from all sources. You need to allow HTTP traffic (TCP port 80) only from instances tagged 'web-servers' to the target instances, and block all other inbound traffic including SSH. Which TWO steps should you take?

Question 85 (hard, multiple choice)

Refer to the exhibit. A developer created the firewall rule below to allow HTTPS traffic from the API service account to instances tagged 'api-instances'. However, HTTPS requests from the API server (which runs on an instance tagged 'api-instances' and uses the default Compute Engine service account) are failing. What is the most likely cause?

Exhibit

{
  "name": "allow-api-traffic",
  "priority": 1000,
  "direction": "INGRESS",
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
  "sourceServiceAccounts": ["api-sa@project.iam.gserviceaccount.com"],
  "targetTags": ["api-instances"]
}
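The exhibit above, and the tag-scoped rule designs in questions 78 and 84, all come down to how a VPC firewall rule's source and target filters are matched and in what order rules are evaluated. The evaluator below is an added example written for this page, not Google's code and not part of the original question. It encodes the documented matching rules (source IP range, source network tag or source service account of the sending instance; target tag or target service account of the receiving instance; lowest priority number first, deny before allow at equal priority, implied deny-all ingress at priority 65535) and runs the exhibit rule against an API server that uses the default Compute Engine service account. The project number in that service account name, the instance IPs and the 'app-servers' target tag used for question 84 are assumptions. One caveat the exhibit glosses over: the API refuses a rule that combines service accounts with network tags in either role, so `validate_rule` flags the exhibit rule before it is even evaluated.

```python
"""VPC firewall rule evaluator (added example, not Google's code).

An INGRESS rule matches when its source filter hits the sending instance
(source IP range, source network tag or source service account) and its
target filter hits the receiving instance (target tag or target service
account; a rule with neither applies to every instance). Rules are checked
from the lowest priority number; at equal priority deny wins; the implied
ingress rule (priority 65535) denies whatever no rule allowed.
"""
from ipaddress import ip_address, ip_network

IMPLIED_DENY = {"name": "implied-deny-ingress", "priority": 65535,
                "direction": "INGRESS", "denied": [{"IPProtocol": "all"}]}


def validate_rule(rule):
    """Reasons the API rejects the rule at creation (empty list = valid)."""
    uses_tags = bool(rule.get("sourceTags") or rule.get("targetTags"))
    problems = []
    if rule.get("sourceServiceAccounts") and uses_tags:
        problems.append("sourceServiceAccounts cannot be mixed with network tags")
    if rule.get("targetServiceAccounts") and uses_tags:
        problems.append("targetServiceAccounts cannot be mixed with network tags")
    return problems


def _spec_matches(spec, proto, port):
    # Does an "allowed"/"denied" list cover this protocol and port?
    for entry in spec:
        if entry["IPProtocol"] not in ("all", proto):
            continue
        if not entry.get("ports"):            # no port list: whole protocol
            return True
        for rng in entry["ports"]:
            lo, _, hi = rng.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def _source_matches(rule, src):
    ranges = rule.get("sourceRanges", [])
    if not (ranges or rule.get("sourceTags") or rule.get("sourceServiceAccounts")):
        ranges = ["0.0.0.0/0"]                # API default when no source filter is set
    if any(ip_address(src["ip"]) in ip_network(r) for r in ranges):
        return True
    if set(rule.get("sourceTags", [])) & set(src.get("tags", [])):
        return True
    return src.get("service_account") in rule.get("sourceServiceAccounts", [])


def _target_matches(rule, dst):
    if not (rule.get("targetTags") or rule.get("targetServiceAccounts")):
        return True                           # no target filter: all instances
    if set(rule.get("targetTags", [])) & set(dst.get("tags", [])):
        return True
    return dst.get("service_account") in rule.get("targetServiceAccounts", [])


def evaluate(rules, src, dst, proto, port):
    """Return (action, rule_name) for an ingress packet src -> dst on proto/port."""
    ordered = sorted(rules + [IMPLIED_DENY],
                     key=lambda r: (r["priority"], "denied" not in r))
    for rule in ordered:
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not (_source_matches(rule, src) and _target_matches(rule, dst)):
            continue
        if "allowed" in rule and _spec_matches(rule["allowed"], proto, port):
            return "ALLOW", rule["name"]
        if "denied" in rule and _spec_matches(rule["denied"], proto, port):
            return "DENY", rule["name"]
    return "DENY", IMPLIED_DENY["name"]       # unreachable: the implied rule matches all


# The exhibit rule from question 85, as the API JSON shows it.
EXHIBIT_RULE = {
    "name": "allow-api-traffic", "priority": 1000, "direction": "INGRESS",
    "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
    "sourceServiceAccounts": ["api-sa@project.iam.gserviceaccount.com"],
    "targetTags": ["api-instances"],
}
# Constructed instances; the project number in the default SA is made up.
DEFAULT_SA = "123456789012-compute@developer.gserviceaccount.com"
API_SERVER = {"ip": "10.0.1.10", "tags": ["api-instances"], "service_account": DEFAULT_SA}
API_BACKEND = {"ip": "10.0.1.20", "tags": ["api-instances"], "service_account": DEFAULT_SA}
# Tag-only variant of the exhibit rule (one way to make the source filter match).
TAG_RULE = dict(EXHIBIT_RULE, name="allow-api-traffic-tags", sourceTags=["api-instances"])
del TAG_RULE["sourceServiceAccounts"]

# Question 84: the default SSH rule plus a tag-scoped HTTP rule ('app-servers' assumed).
DEFAULT_ALLOW_SSH = {"name": "default-allow-ssh", "priority": 65534, "direction": "INGRESS",
                     "sourceRanges": ["0.0.0.0/0"],
                     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
ALLOW_WEB_TO_APP = {"name": "allow-web-to-app", "priority": 1000, "direction": "INGRESS",
                    "sourceTags": ["web-servers"], "targetTags": ["app-servers"],
                    "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}
WEB = {"ip": "10.0.2.5", "tags": ["web-servers"]}
APP = {"ip": "10.0.3.5", "tags": ["app-servers"]}
INTERNET = {"ip": "198.51.100.7", "tags": []}

if __name__ == "__main__":
    print(validate_rule(EXHIBIT_RULE))
    print(evaluate([EXHIBIT_RULE], API_SERVER, API_BACKEND, "tcp", 443))
    print(evaluate([TAG_RULE], API_SERVER, API_BACKEND, "tcp", 443))
    print(evaluate([DEFAULT_ALLOW_SSH, ALLOW_WEB_TO_APP], INTERNET, APP, "tcp", 22))
    print(evaluate([ALLOW_WEB_TO_APP], INTERNET, APP, "tcp", 22))
```

The exhibit rule never matches because its source filter checks the sending instance's service account, not its tags, so the request falls through to the implied deny; the tag-only variant, or attaching api-sa@project.iam.gserviceaccount.com to the API server and dropping the target tag in favour of a target service account, makes it match. For question 84 the run shows that the new tag-scoped allow rule on its own leaves SSH open: the default-allow-ssh rule still matches at priority 65534, so it has to be deleted or overridden by a higher-priority deny on port 22.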

Question 86 (easy, multiple choice)

Your company is deploying a multi-tier application in a single VPC with two subnets: web (10.0.1.0/24) and db (10.0.2.0/24). The web instances need to connect to a private Cloud SQL instance (MySQL) that is provisioned in a service project. The Cloud SQL instance has a private IP address 10.0.3.5 assigned using private services access. You have established VPC peering between your VPC and the service producer VPC (the Google-managed VPC hosting Cloud SQL). You verified that the peering connection is in 'ACTIVE' state. The web instances can reach internet sites, but connections to the Cloud SQL instance (using the MySQL client) are timing out. The db instances do not need to connect to Cloud SQL. What is the most likely cause and recommended solution?
