
PCSE Configuring Network Security • Complete Question Bank

PCSE Configuring Network Security — All Questions With Answers

Complete PCSE Configuring Network Security question bank — all 0 questions with answers and detailed explanations.

110 Questions
Question 1 (easy, multiple choice)

A security engineer needs to restrict access to Cloud Storage buckets so that only resources in a specific VPC can reach the Google APIs. Which Google Cloud service should be used?

Question 2 (medium, multiple choice)

An organization wants to enforce a security policy that denies all egress traffic to the internet from all projects in the organization, except for traffic from a specific set of VMs tagged with 'allow-egress'. Which approach should be used?

Question 3 (hard, multiple choice)

A company uses VPC Service Controls to protect a BigQuery dataset. They need to allow an external on-premises application to query the dataset without being inside the service perimeter. The external application has a static IP address. Which configuration is required?

Question 4 (medium, multiple choice)

A DevOps team wants to automatically provision and renew SSL certificates for a global HTTPS load balancer. Which certificate management option should be used?

Question 5 (easy, multiple choice)

An engineer needs to block a specific IP address from accessing an HTTPS load balancer. Which Cloud Armor rule should be used?

Question 6 (medium, multiple choice)

A company wants internal VMs to access Google APIs (e.g., Cloud Storage, BigQuery) without traversing the internet. What is the simplest configuration?

Question 7 (hard, multiple choice)

An organization uses VPC Service Controls in dry-run mode for a project containing Google Cloud Storage. They notice that BigQuery jobs are being logged as violations. How should they interpret this?

Question 8 (medium, multiple choice)

A security engineer wants to apply a baseline set of firewall rules that apply to all new and existing VMs in an organization, and these rules must not be overridden by project-level rules. Which approach should be used?

Question 9 (easy, multiple choice)

Which Cloud Armor feature uses machine learning to detect and mitigate DDoS attacks?

Question 10 (medium, multiple choice)

A service provider wants to expose an internal service to external consumers in a controlled manner, without giving them direct access to the VPC. Which Google Cloud service should be used?

Question 11 (hard, multiple choice)

An organization uses SSL policies for their HTTPS load balancer. They need to allow TLS 1.2 and 1.3 only, and use the most secure cipher profile available. Which SSL policy configuration should they choose?

Question 12 (easy, multiple choice)

Which VPC firewall rule target type is recommended for security because it can be dynamically applied to instances based on their service account?

Question 13 (medium, multi select)

A company wants to detect and block SQL injection attacks targeting their web application hosted on Compute Engine behind a Cloud Load Balancer. Which TWO steps should they take? (Choose TWO.)

Question 14 (hard, multi select)

A financial services company must ensure that all data in Cloud Storage remains within a specific region and that no data can be accessed from outside the corporate network. They also need to allow a partner organization to access a specific bucket. Which THREE Google Cloud services or features should be combined to meet these requirements? (Choose THREE.)

Question 15 (medium, multi select)

An organization wants to implement a zero-trust network security model for their Google Cloud environment. Which TWO practices should they adopt? (Choose TWO.)

Question 16 (easy, multiple choice)

An organization wants to restrict access to a Cloud Storage bucket so that only resources in a specific VPC network can reach it, without using public IP addresses. Which solution should they implement?

Question 17 (medium, multiple choice)

A security engineer needs to allow HTTP (port 80) traffic from all VMs in the production environment to a specific set of VMs running a web server. The web server VMs are identified by a service account 'web-sa@...'. Which firewall rule configuration should the engineer create?

Question 18 (medium, multiple choice)

A company wants to enforce that all VPC firewall rules in an organization must be centrally managed and cannot be overridden by lower-level projects. Which approach should they use?

Question 19 (hard, multiple choice)

An organization uses VPC Service Controls to protect BigQuery datasets. They need to allow a specific on-premises application, which uses a static IP address, to query a BigQuery dataset inside the service perimeter. Which configuration is required?

Question 20 (medium, multiple choice)

A company wants to provide private connectivity from its VPC to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs or NAT. The solution must also support on-premises connectivity via Cloud VPN. Which service should they use?

Question 21 (easy, multiple choice)

A web application behind an HTTPS load balancer is experiencing a high volume of malicious requests with SQL injection patterns. The security team wants to block these requests with minimal latency impact. Which Cloud Armor feature should they use?

Question 22 (hard, multiple choice)

An organization uses a global HTTPS load balancer with a Google-managed SSL certificate. The certificate was automatically provisioned and renewed. Recently, the certificate renewal failed and the site shows a warning. The load balancer's frontend uses the certificate. What is the most likely cause?

Question 23 (medium, multiple choice)

A security engineer needs to monitor network traffic for potential threats in a VPC. They want to inspect all traffic for malware signatures and alert on high-severity threats. The solution should be natively integrated with GCP. Which service should they use?

Question 24 (easy, multiple choice)

A company wants to enforce that traffic between two projects in the same organization must go through a central inspection VPC. They need a firewall rule that denies all traffic between the projects except through the inspection VPC. Which type of firewall rule should they use?

Question 25 (medium, multiple choice)

An organization needs to restrict access to Cloud Storage buckets so that only requests from a specific range of IP addresses (e.g., corporate VPN) are allowed. They also want to block all other IPs. Which combination of services should they use?

Question 26 (hard, multiple choice)

A company has a global HTTPS load balancer and wants to use a self-managed SSL certificate. They have uploaded the PEM-encoded certificate and private key to the load balancer. However, the certificate is about to expire. What is the correct way to renew it without downtime?

Question 27 (medium, multiple choice)

A security team wants to block all incoming traffic from a specific country to their web application behind a global HTTPS load balancer. They also need to allow traffic from all other countries. Which Cloud Armor feature should be used?

Question 28 (medium, multi select)

A company wants to enable private connectivity from its on-premises network to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs. They have a Cloud VPN connection to a VPC. Which TWO services or configurations are required? (Choose two.)

Question 29 (hard, multi select)

A security engineer is designing a VPC Service Controls perimeter to protect sensitive BigQuery data. They need to allow a specific on-premises application (source IP range 203.0.113.0/24) to query BigQuery, and also allow a managed instance group in another project (project 'analytics') to export data from BigQuery to Cloud Storage. Which THREE configurations are required? (Choose three.)

Question 30 (medium, multi select)

A security team wants to enforce SSL/TLS best practices for their HTTPS load balancer. They need to require TLS 1.2 or higher and restrict ciphers to strong ones only. Which TWO actions should they take? (Choose two.)

Question 31 (easy, multiple choice)

An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only requests originating from a specific VPC network are allowed. Which Google Cloud service should they use?

Question 32 (medium, multiple choice)

A security team needs to apply a set of firewall rules that enforce baseline security for all VPC networks across multiple projects in an organization. These rules must be inherited and cannot be overridden by project-level rules. What should they use?

Question 33 (medium, multiple choice)

An engineer wants to allow egress traffic from a group of VM instances with a specific service account to a set of IP addresses. They need to choose between using tags or service accounts as targets in a VPC firewall rule. Which approach is recommended for better security and why?

Question 34 (hard, multiple choice)

A company uses VPC Service Controls to protect a project containing BigQuery datasets. They have an ingress rule that allows traffic from an on-premises network via a Cloud VPN tunnel. The on-premises IP range is 10.0.0.0/8. However, users on-premises are still getting access denied errors when querying BigQuery. The VPC Service Controls perimeter is in dry-run mode. What is the most likely cause?

Question 35 (medium, multiple choice)

An organization wants to provide private, on-premises access to Google Cloud APIs (e.g., Cloud Storage, BigQuery) without traversing the public internet. They have a Direct Connect link to Google Cloud. Which solution should they implement?

Question 36 (hard, multiple choice)

A company uses Cloud Armor security policies to protect their HTTP load balancer. They need to block requests from a specific geographic region (country X) and also limit requests from any IP to 1000 requests per second. They also want to use preconfigured rules for SQL injection prevention. What is the correct way to combine these requirements in a single security policy?

Question 37 (easy, multiple choice)

A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They want Google to manage the certificate lifecycle. Which certificate type should they use?

Question 38 (medium, multiple choice)

A security engineer needs to detect and alert on network-based threats such as malware and command-and-control traffic within their Google Cloud VPC. They want a managed service that provides deep packet inspection and integrates with their existing security operations. Which service should they use?

Question 39 (hard, multiple choice)

An organization uses VPC Service Controls with a service perimeter that includes Cloud Storage and BigQuery. They need to allow a specific on-premises service account to write data to a Cloud Storage bucket inside the perimeter. The on-premises network connects via Cloud VPN. What must be configured in the perimeter?

Question 40 (easy, multiple choice)

A company needs to enforce that all incoming traffic to their HTTPS load balancer must use TLS 1.2 or higher. Which SSL policy setting should they configure on the target HTTPS proxy?

Question 41 (medium, multiple choice)

A company is using Cloud Armor with adaptive protection enabled. They notice that adaptive protection has generated a rule that is blocking some legitimate traffic. What should they do to minimize false positives while still benefiting from adaptive protection?

Question 42 (medium, multiple choice)

An organization has multiple VPC networks in different projects. They need to centrally manage firewall rules that apply to all VPCs in the organization and ensure that project owners cannot override them. Which solution should they use?

Question 43 (medium, multi select)

A company is implementing VPC Service Controls to protect a project that contains Cloud Storage and BigQuery. They want to allow a specific on-premises service account to read data from Cloud Storage and write to BigQuery. The on-premises network connects via Cloud VPN. Which TWO components must be configured in the service perimeter? (Choose two.)

Question 44 (hard, multi select)

A security team is configuring Cloud Armor to protect a web application. They need to block requests that contain SQL injection patterns, block requests from a known malicious IP list, and limit requests from any single IP to 2000 requests per minute. Which THREE actions must they take? (Choose three.)

Question 45 (medium, multi select)

A company is deploying a new internal application on Google Cloud. They want to ensure that VM instances in a specific subnet can only communicate with each other and with a load balancer that fronts the application. They also want to allow SSH access from a bastion host. Which TWO firewall rules should they create? (Choose two.)

Question 46 (easy, multiple choice)

A security engineer wants to restrict access to a Cloud Storage bucket so that only requests originating from within a specific VPC network can access the bucket. Which Google Cloud service should they use?

Question 47 (easy, multiple choice)

An organization needs to block all inbound SSH traffic (port 22) to a set of VM instances that have a common tag 'ssh-restricted'. They want to deny this traffic at the VPC firewall level. Which firewall rule configuration should they use?

Question 48 (medium, multiple choice)

A company wants to use Cloud Armor Managed Protection Plus to protect their HTTP(S) load balancer from DDoS attacks. They need to automatically block traffic from IP addresses that exhibit anomalous behavior based on machine learning. Which Cloud Armor feature should they enable?

Question 49 (medium, multiple choice)

An engineer needs to ensure that only VMs with a specific service account (sa-prod@project.iam.gserviceaccount.com) can access a Cloud Spanner instance. They want to control this at the network level, not using IAM. Which VPC firewall rule configuration should they use?

Question 50 (medium, multiple choice)

A company uses hierarchical firewall policies at the organization level to enforce a baseline deny-all rule. A project administrator wants to create a firewall rule that allows HTTP traffic to a specific VM. Which statement is correct?

Question 51 (hard, multiple choice)

A financial services company must ensure that all data egress from a VPC to BigQuery goes through a Private Service Connect endpoint for private access. They have set up the PSC endpoint and configured DNS. However, connections from VMs are still using the public internet. What is the most likely cause?

Question 52 (medium, multiple choice)

An organization wants to use Cloud IDS to detect network threats within their VPC. They have enabled the Cloud IDS endpoint and configured packet mirroring. Which of the following is required for the packet mirroring policy to work?

Question 53 (easy, multiple choice)

A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They do not want to manually manage certificate files. Which approach should they use?

Question 54 (hard, multiple choice)

A security team needs to apply a security policy that blocks requests to their HTTP load balancer from a specific geographic region (e.g., Country A). Which Cloud Armor feature should they use?

Question 55 (medium, multiple choice)

An organization uses VPC Service Controls to protect BigQuery. They want to test a new access level that allows access only from a specific IP range before enforcing it. Which mode should they use?

Question 56 (hard, multiple choice)

A company has multiple VPCs in different projects that need to privately connect to a common internal service (e.g., a managed database) running in a central project. They want to expose this service via Private Service Connect. Which type of PSC endpoint should the consumer VPCs create?

Question 57 (easy, multiple choice)

A DevOps engineer wants to use Cloud Armor to block common web application attacks like SQL injection and cross-site scripting. Which feature should they enable?

Question 58 (medium, multi select)

A security engineer is configuring a VPC Service Controls perimeter to protect a Cloud Storage bucket. They want to allow a specific on-premises network (IP range 203.0.113.0/24) to access the bucket, while still blocking other external networks. Which TWO components must they configure? (Choose TWO.)

Question 59 (hard, multi select)

An organization wants to enforce that all egress traffic from a VPC to the internet must go through a Cloud NAT gateway for logging and IP management. They also need to block all other direct outbound traffic. Which THREE steps should they take? (Choose THREE.)

Question 60 (medium, multi select)

A company wants to use Cloud IDS to detect threats in their VPC. They have created a Cloud IDS endpoint and need to configure packet mirroring. Which TWO resources must be in place for packet mirroring to work? (Choose TWO.)

Question 61 (medium, multiple choice)

A security engineer wants to restrict access to Cloud Storage buckets such that only workloads running on Compute Engine VMs in a specific VPC can read data. The VMs are managed by multiple GKE clusters and autoscaling instance groups. Which approach BEST enforces this restriction?

Question 62 (hard, multiple choice)

An organization wants to enforce that all Compute Engine instances in a project have a specific tag (e.g., 'env=prod') before they can be created. Which approach should be used?

Question 63 (easy, multiple choice)

An organization wants to allow only specific trusted IP ranges to access a web application behind a Cloud Load Balancer. Which Cloud Armor feature should be used?

Question 64 (medium, multiple choice)

A company is deploying an internal service on GKE that needs to be accessible privately from on-premises data centers over a VPN connection. The service should not be exposed to the internet. Which connectivity solution is MOST appropriate?

Question 65 (hard, multiple choice)

An organization has a security policy that requires TLS 1.2 or higher for all HTTPS traffic to their external HTTP(S) load balancer. They also need to disable weak cipher suites. Which configuration should be applied?

Question 66 (medium, multiple choice)

An engineer needs to allow a specific service account from another project to access a Cloud Storage bucket in the current project. The engineer wants to use the principle of least privilege. Which IAM role should be granted directly on the bucket to the service account?

Question 67 (easy, multiple choice)

Which GCP service provides managed intrusion detection by analyzing mirrored network traffic and using threat signatures from Palo Alto Networks?

Question 68 (medium, multiple choice)

A company wants to enforce that no Compute Engine firewall rule in any project under an organization can have a source range of 0.0.0.0/0 for RDP (port 3389). Which approach should be used?

Question 69 (medium, multiple choice)

An engineer needs to allow HTTP traffic from instances tagged 'web-server' to instances tagged 'app-server' on port 8080 within the same VPC. Which firewall rule should be created?

Question 70 (hard, multiple choice)

A company uses VPC Service Controls to protect a service perimeter around BigQuery. They need to allow a specific on-premises application (with static IP 203.0.113.10) to query BigQuery tables within the perimeter, while still blocking other internet traffic. Which configuration should be used?

Question 71 (easy, multiple choice)

Which feature of Cloud Armor uses machine learning to detect and block distributed denial-of-service (DDoS) attacks?

Question 72 (medium, multiple choice)

An organization uses Certificate Manager to provision SSL certificates for multiple domains across several load balancers. They want to automate certificate renewal. Which type of certificate should be used?

Question 73 (medium, multi select)

A company wants to prevent data exfiltration by restricting access to Google APIs from only authorized VPC networks. They also need to allow a specific on-premises IP range to access BigQuery. Which TWO services should be used together? (Choose 2)

Question 74 (hard, multi select)

A security team needs to inspect all egress traffic from Compute Engine instances for malware using a third-party security appliance. They want to deploy the appliance in a separate VPC and route all egress traffic through it. Which THREE components are required? (Choose 3)

Question 75 (medium, multi select)

An organization wants to enforce that all Compute Engine instances have Confidential Computing enabled for sensitive workloads. Which TWO steps should be taken? (Choose 2)

Question 76 (easy, multiple choice)

A security engineer wants to allow egress traffic from Compute Engine instances to the internet only for updates to a specific set of packages. All other egress must be denied. Which VPC firewall rule configuration should the engineer use?

Question 77 (medium, multiple choice)

A company wants to restrict access to Cloud Storage buckets so that only resources in a specific VPC network can reach them, and data cannot be exfiltrated to other networks. Which Google Cloud service should they use?

Question 78 (medium, multiple choice)

A company uses VPC Service Controls in dry-run mode to test a new service perimeter that includes BigQuery. They want to monitor any violations without actually blocking access. Where can they view the logs of these dry-run violations?

Question 79 (hard, multiple choice)

An organization has a hub-and-spoke VPC setup with Shared VPC. The security team wants to enforce a rule that all egress traffic from any project in the organization must pass through a central inspection appliance in the hub VPC. Which firewall configuration approach meets this requirement?

Question 80 (medium, multiple choice)

A company wants to expose an internal web service running on a private GKE cluster to other services within the same VPC network using a private IP address. They do not want to use a public load balancer. Which Google Cloud service should they use?

Question 81 (hard, multiple choice)

A security engineer needs to block traffic from all IP addresses in a specific geographic region from reaching an HTTPS load-balanced application. The application uses Cloud Load Balancing with an external HTTPS load balancer. Which approach should the engineer use?

Question 82 (easy, multiple choice)

A company wants to use a Google-managed SSL certificate for their external HTTPS load balancer. Which step is required to provision the certificate?

Question 83 (medium, multiple choice)

A company uses Cloud Armor Managed Protection Plus to protect their applications. They want to automatically block IP addresses that are identified as malicious by adaptive protection. How should they configure this?

Question 84 (medium, multiple choice)

An organization needs to enforce a TLS minimum version of 1.2 for all traffic to their HTTPS load balancers. They have multiple load balancers serving different domains. Which Google Cloud feature should they use?

Question 85 (easy, multiple choice)

A security team wants to detect and block network-based threats such as malware and command-and-control traffic within their VPC. They need a managed service that provides deep packet inspection. Which Google Cloud service should they use?

Question 86 (hard, multiple choice)

A company has a VPC Service Controls perimeter that includes BigQuery and Cloud Storage. They need to allow a specific on-premises application (with a static IP) to access a BigQuery dataset within the perimeter. Which configuration should they use?

Question 87 (medium, multiple choice)

A company uses Cloud Armor to protect a web application. They want to block requests that contain SQL injection patterns based on the OWASP ModSecurity Core Rule Set. Which preconfigured rule set should they enable?

Question 88 (medium, multi select)

A security engineer needs to restrict access to a Cloud Storage bucket so that only a specific set of Compute Engine instances can read objects. The instances are in the same project and VPC network. The engineer wants to use VPC firewall rules for this purpose. Which two configurations are REQUIRED? (Choose two.)

Question 89 (hard, multi select)

A company is designing a secure multi-tenant environment in Google Cloud. Each tenant has its own VPC network and resources. The security team wants to centrally enforce a rule that denies all egress traffic to the internet from tenant VPCs, except for traffic to specific trusted IP ranges for software updates. They also want to ensure that tenant admins cannot override this rule. Which two actions should they take? (Choose two.)

Question 90 (medium, multi select)

A company is deploying a web application behind an external HTTPS load balancer. They want to protect against common web attacks such as XSS, SQLi, and LFI using preconfigured rules. They also need to allowlist specific IP addresses that belong to partners. Which three Cloud Armor features should they use? (Choose three.)

Question 91 (easy, multiple choice)

An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only resources within a specific VPC network can call these APIs, and no traffic from other VPCs or on-premises networks is allowed. Which Google Cloud service should they use?

Question 92mediummultiple choice

A security engineer needs to configure firewall rules to allow traffic from a set of compute instances to a set of backend instances. The engineer wants to use a method that is more secure and scalable than using network tags. Which approach should they use?

Question 93 (medium, multiple choice)

A company wants to allow users from a specific on-premises IP range to access a service deployed on Google Cloud, but only if the user's device is compliant with corporate security policies (e.g., has antivirus enabled). Which combination of services can achieve this?

Question 94 (hard, multiple choice)

A company has set up a VPC Service Controls perimeter that includes Cloud Storage. They want to allow a specific on-premises server to copy data to a Cloud Storage bucket inside the perimeter. The on-premises server uses an external IP address. Which configuration is required?

Question 95 (easy, multiple choice)

A company wants to use a Google Cloud load balancer with an SSL certificate that is automatically provisioned and renewed. Which type of certificate should they use?

Question 96 (medium, multiple choice)

A security engineer needs to block traffic to a set of VMs from specific IP addresses and also apply rate limiting for HTTP traffic. The VMs are behind a global external HTTPS load balancer. Which service should they use?

Question 97 (medium, multiple choice)

A company wants to provide private connectivity from its on-premises network to Google Cloud APIs (e.g., BigQuery, Cloud Storage) without traversing the public internet. They have an existing Dedicated Interconnect connection. Which solution should they use?

Question 98 (hard, multiple choice)

An organization has a hierarchical firewall policy at the organization level that denies all ingress traffic from the internet. A project team needs to allow HTTP traffic from the internet to a specific VM. How should they achieve this?

Question 99 (easy, multiple choice)

A company wants to detect and alert on potential network threats, such as malware and command-and-control traffic, within their VPC. They need a managed service that integrates with packet mirroring. Which Google Cloud service should they use?

Question 100 (hard, multiple choice)

A company's security policy requires that all traffic to a Google Cloud load balancer use TLS 1.2 or higher and only accept strong ciphers. They want to enforce this using a Google Cloud resource. Which resource should they configure?

Question 101 (medium, multi select)

A company wants to protect a web application hosted on Google Cloud from common web attacks like SQL injection and cross-site scripting (XSS). They have deployed a global external HTTPS load balancer. Which TWO services or configurations should they use?

Question 102 (hard, multi select)

An organization wants to use VPC Service Controls to protect BigQuery data. They need to allow a group of data analysts to access BigQuery from outside the perimeter (e.g., from their laptops) while maintaining the perimeter for all other users. Which TWO configurations are necessary?

Question 103 (medium, multi select)

A company wants to deploy a web application with a global load balancer and needs to configure SSL/TLS termination. They want to use a certificate from their own CA and have the ability to manage multiple certificates for different domains. Which THREE steps should they take?

Question 104 (medium, multi select)

A security engineer is designing a network security architecture for a multi-project environment. They need to enforce a baseline set of firewall rules across all projects in the organization, but allow individual project teams to add their own specific rules. Which TWO components should they use?

Question 105 (easy, multi select)

A company wants to use Private Service Connect to publish a managed service (e.g., a custom application) so that consumers can access it privately within Google Cloud. Which THREE resources are involved in this setup?

Question 106 (medium, multiple choice)

Your organization wants to enforce that all VMs in a project can only communicate with a specific Cloud Storage bucket, and no other external IP addresses. You need to configure firewall rules to achieve this. Which approach should you take?

Question 107 (hard, multiple choice)

You are designing a VPC Service Controls perimeter to protect a project containing BigQuery datasets accessible from a data analytics VPC. You need to allow a specific set of on-premises users (identified by IP range 203.0.113.0/24) to query BigQuery from outside the perimeter, but block all other external access. What is the correct configuration?

Question 108 (easy, multiple choice)

Your organization uses Cloud Armor to protect HTTP Load Balancers. You need to block all incoming requests from a specific geographic region (country code 'XY') while allowing all other traffic. What is the correct configuration?

Question 109 (medium, multi select)

You manage a Google Cloud environment using shared VPC with multiple service projects. You need to enforce consistent firewall rules across all projects in the organization, ensuring that certain security rules cannot be overridden by project administrators. Which TWO steps should you take? (Choose 2)

Question 110 (hard, multi select)

You are designing a private connectivity solution for a Google Cloud project that needs to access Google APIs (e.g., Cloud Storage) without traversing the public internet. The VPC has on-premises connectivity via Cloud VPN. Which THREE steps are required to achieve private, on-premises to Google API access? (Choose 3)
