20+ practice questions focused on Configuring network security — one of the most tested topics on the Google Professional Cloud Security Engineer exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Your organization has a VPC with several subnets hosting Compute Engine instances. You need to allow SSH access (port 22) to instances in the 'management' subnet from the internet, but only from the office's static IP range (203.0.113.0/24). All other ingress traffic to that subnet should be blocked. Which firewall rule configuration should you create?
Explanation: Option C is correct because it creates an ingress firewall rule that allows TCP port 22 only from the office's static IP range (203.0.113.0/24) and targets the instances in the 'management' subnet, typically by network tag or service account. Every VPC network carries an implied deny-ingress rule at the lowest priority (65535), so no explicit deny rule is needed: with this single allow rule, SSH from the office range is permitted and all other ingress to those instances is dropped. A caveat that matters in practice, not just on the exam: the implied deny only protects you if no other allow rule matches first. The default network is created with rules such as default-allow-ssh (TCP 22 from 0.0.0.0/0), which would silently admit SSH from anywhere; delete or restrict such rules in any network that must meet this requirement.
Your company is deploying a web application on Google Kubernetes Engine (GKE) with an Internal Load Balancer (ILB) as the ingress. The application must only be accessible from within the same VPC and from an on-premises network connected via Cloud VPN. The on-premises network uses IP range 10.0.0.0/8. You have already created the ILB with a backend service. What is the most secure way to restrict access to the ILB?
Explanation: Option B is correct because the enforcement point for an internal load balancer is the set of backend instances themselves: VPC firewall rules apply to VM instances (selected by network tag or service account), not to the load balancer or to its backend service object. An internal passthrough load balancer preserves the client's source IP, so ingress rules on the backends can restrict traffic to exactly the allowed sources: the VPC's subnet ranges, the on-premises range 10.0.0.0/8 arriving over Cloud VPN, and Google's health check probe ranges 35.191.0.0/16 and 130.211.0.0/22, without which the backends are marked unhealthy and receive no traffic at all. Everything else is dropped by the implied deny-ingress rule, so nothing reaches the backends except the intended internal clients. Caveat: this source-IP model holds for passthrough (internal TCP/UDP) load balancers; a proxy-based internal HTTP(S) load balancer connects to backends from its proxy-only subnet, so the backend rule must allow that subnet's range and the client restriction cannot be expressed as a backend ingress rule.
You have a Compute Engine VM that hosts a custom application. The VM has the tag 'app-server' and is in a VPC network with the following ingress firewall rules (not listed in priority order):
Rule 1: priority 1000, direction INGRESS, source 0.0.0.0/0, target tag 'app-server', protocol tcp:80, action allow
Rule 2: priority 500, direction INGRESS, source 10.0.0.0/8, target tag 'app-server', protocol tcp:80, action deny
Rule 3: priority 2000, direction INGRESS, source 192.168.0.0/16, target tag 'app-server', protocol tcp:80, action allow
A user from IP 10.0.0.5 tries to access the application on port 80. Will the request be allowed or denied?
Explanation: The request is denied. Rule 2 has priority 500, a lower number and therefore a higher precedence than Rule 1 (1000) and Rule 3 (2000). The source 10.0.0.5 falls within 10.0.0.0/8, so Rule 2 matches and explicitly denies the traffic; once a rule matches, rules with higher priority numbers are not consulted. In VPC firewall rules the matching rule with the lowest priority number wins, and if an allow and a deny share the same priority the deny takes precedence. Note also that Rule 3 is dead: any source in 192.168.0.0/16 is already allowed by Rule 1's 0.0.0.0/0 at priority 1000, so Rule 3 never takes effect.
Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?
Explanation: Option C is correct because Cloud NAT is a property of the VPC network, and in a Shared VPC the network, its subnets and its Cloud Routers live in the host project. A NAT gateway on a Cloud Router in the host project, configured for the shared subnet (or for all of the network's subnets), serves every instance in that subnet regardless of which service project owns the instance, so all of them egress through the host project's NAT IP addresses; there is no per-service-project NAT to configure. Two conditions a practitioner has to check: Cloud NAT only translates traffic from instances that have no external IP address, so a service-project VM that has been given an external IP bypasses the NAT entirely; and the instances still need a route whose next hop is the default internet gateway (the default 0.0.0.0/0 route) for their traffic to reach the NAT at all.
You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?
Explanation: Option B is correct, and the reason is the combination of stateful rules and the implied rules. An ingress rule on the backend instances allowing TCP 8080 from subnet A (10.0.1.0/24) lets the frontend open connections to the backend; because VPC firewall rules are stateful, the backend's replies on those connections are allowed automatically and need no rule of their own. An egress rule on the backend permitting traffic to the internet covers patch downloads (the implied allow-egress rule would already permit this unless an egress deny has been added, which hardened networks often do). What stops the backend from initiating connections to the frontend is the frontend side: the frontend's ingress rules must contain no allow rule that matches sources in 10.0.2.0/24, so a backend-initiated connection is dropped by the implied deny-ingress rule on the frontend. Watch for the trap here: a broad egress allow on the backend (for example to 0.0.0.0/0) also matches the frontend subnet, and an ingress allow on the frontend from 0.0.0.0/0 (say, for HTTPS) would admit the backend as well; restrict the frontend's ingress sources to the load balancer or client ranges that actually need it.
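The SSH, priority-ordering, ILB and two-tier questions above all turn on the same evaluation semantics, so here is an added example (not code from this page, from Courseiva or from Google) that models those semantics in Python and replays each scenario: lowest priority number wins, deny beats allow at equal priority, the implied allow-egress and deny-ingress rules at 65535, and the fact that an intra-VPC connection must pass the sender's egress rules and the receiver's ingress rules. Rule names, the assumed frontend HTTPS rule, the assumed VPC subnet 192.168.10.0/24 in the ILB scenario and every IP address are constructed for illustration; only connection initiation is modelled because return traffic on a stateful firewall is never re-evaluated.

```python
"""Model of Google Cloud VPC firewall rule evaluation (added example, not GCP code).

Documented semantics reproduced here: a rule matches on direction, target tag,
source range (ingress) or destination range (egress), protocol and port; the
matching rule with the lowest priority number wins; a deny beats an allow at
equal priority; every network has an implied allow-egress and an implied
deny-ingress rule at priority 65535. All rules and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int               # 0..65535; lower number = higher precedence
    direction: str              # "INGRESS" or "EGRESS"
    action: str                 # "allow" or "deny"
    ranges: tuple               # source ranges (INGRESS) / destination ranges (EGRESS)
    protocol: str               # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()           # () means every port of that protocol
    target_tags: tuple = ()     # () means every instance in the network


# Implied rules present in every VPC network; they can be overridden, not deleted.
IMPLIED_RULES = (
    Rule("implied-allow-egress", 65535, "EGRESS", "allow", ("0.0.0.0/0",), "all"),
    Rule("implied-deny-ingress", 65535, "INGRESS", "deny", ("0.0.0.0/0",), "all"),
)


def _matches(rule, direction, peer_ip, proto, port, tags):
    if rule.direction != direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(tags):
        return False
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in ipaddress.ip_network(r, strict=False) for r in rule.ranges):
        return False
    if rule.protocol not in ("all", proto):
        return False
    return not rule.ports or port in rule.ports


def evaluate(rules, direction, peer_ip, proto, port, tags=()):
    """Return (action, rule_name) for the first packet of a new connection.

    peer_ip is the source for INGRESS and the destination for EGRESS.
    """
    # Lowest priority number first; at equal priority a deny sorts before an allow.
    ordered = sorted(tuple(rules) + IMPLIED_RULES,
                     key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for r in ordered:
        if _matches(r, direction, peer_ip, proto, port, tags):
            return r.action, r.name
    raise RuntimeError("unreachable: the implied rules match everything")


def connection_allowed(rules, src_ip, src_tags, dst_ip, dst_tags, proto, port):
    """Intra-VPC flow: the sender's EGRESS rules and the receiver's INGRESS rules
    must both allow the connection for it to be established."""
    egress, _ = evaluate(rules, "EGRESS", dst_ip, proto, port, src_tags)
    ingress, _ = evaluate(rules, "INGRESS", src_ip, proto, port, dst_tags)
    return egress == "allow" and ingress == "allow"


# Scenario 1: SSH to the management subnet only from the office range.
MGMT_RULES = (
    Rule("allow-office-ssh", 1000, "INGRESS", "allow", ("203.0.113.0/24",), "tcp", (22,), ("management",)),
)

# Scenario 2: the three overlapping rules from the priority question.
APP_RULES = (
    Rule("rule-1-allow-any-80", 1000, "INGRESS", "allow", ("0.0.0.0/0",), "tcp", (80,), ("app-server",)),
    Rule("rule-2-deny-rfc1918-80", 500, "INGRESS", "deny", ("10.0.0.0/8",), "tcp", (80,), ("app-server",)),
    Rule("rule-3-allow-192-80", 2000, "INGRESS", "allow", ("192.168.0.0/16",), "tcp", (80,), ("app-server",)),
)

# Scenario 3: internal passthrough LB backends (clients keep their real source IP).
# Assumed VPC subnet 192.168.10.0/24; on-premises 10.0.0.0/8; Google health check ranges.
ILB_RULES = (
    Rule("ilb-allow-healthcheck", 1000, "INGRESS", "allow", ("35.191.0.0/16", "130.211.0.0/22"), "tcp", (8080,), ("ilb-backend",)),
    Rule("ilb-allow-clients", 1000, "INGRESS", "allow", ("192.168.10.0/24", "10.0.0.0/8"), "tcp", (8080,), ("ilb-backend",)),
)

# Scenario 4: two-tier app; frontend in 10.0.1.0/24, backend in 10.0.2.0/24.
# The frontend HTTPS rule is an assumption added to show the 0.0.0.0/0 trap.
TIER_RULES = (
    Rule("fe-allow-https", 1000, "INGRESS", "allow", ("0.0.0.0/0",), "tcp", (443,), ("frontend",)),
    Rule("be-allow-fe-8080", 1000, "INGRESS", "allow", ("10.0.1.0/24",), "tcp", (8080,), ("backend",)),
)


if __name__ == "__main__":
    print(evaluate(MGMT_RULES, "INGRESS", "203.0.113.10", "tcp", 22, ("management",)))
    print(evaluate(MGMT_RULES, "INGRESS", "198.51.100.7", "tcp", 22, ("management",)))
    print(evaluate(APP_RULES, "INGRESS", "10.0.0.5", "tcp", 80, ("app-server",)))
    print(evaluate(APP_RULES, "INGRESS", "192.168.1.1", "tcp", 80, ("app-server",)))
    print(evaluate(ILB_RULES, "INGRESS", "172.16.0.9", "tcp", 8080, ("ilb-backend",)))
    print(connection_allowed(TIER_RULES, "10.0.1.5", ("frontend",), "10.0.2.5", ("backend",), "tcp", 8080))
    print(connection_allowed(TIER_RULES, "10.0.2.5", ("backend",), "10.0.1.5", ("frontend",), "tcp", 8080))
    print(connection_allowed(TIER_RULES, "10.0.2.5", ("backend",), "10.0.1.5", ("frontend",), "tcp", 443))
```

Two results are worth dwelling on. In scenario 2 a client from 192.168.1.1 is allowed by rule 1, not rule 3, because 0.0.0.0/0 at priority 1000 shadows the 192.168.0.0/16 rule at 2000. In scenario 4 the backend cannot reach the frontend on 8080, but it can on 443, because the assumed frontend HTTPS rule's 0.0.0.0/0 source includes the backend subnet; that is exactly the kind of answer-option wording the exam uses to separate "blocked by the implied deny" from "allowed by an over-broad rule".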
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Configuring network security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Configuring network security questions on the PCSE frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Configuring network security is tested as part of the Google Professional Cloud Security Engineer blueprint. Practicing with targeted Configuring network security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free PCSE practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Configuring network security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.