
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PCSE Configuring network security Practice Questions

20+ practice questions focused on Configuring network security — one of the most tested topics on the Google Professional Cloud Security Engineer exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Configuring network security Questions

1.

Your organization has a VPC with several subnets hosting Compute Engine instances. You need to allow SSH access (port 22) to instances in the 'management' subnet from the internet, but only from the office's static IP range (203.0.113.0/24). All other ingress traffic to that subnet should be blocked. Which firewall rule configuration should you create?

A. Create an ingress rule with target tag 'management', source IP range 0.0.0.0/0, protocol tcp:22, action allow
B. Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol tcp:22, action deny
C. Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol tcp:22, action allow
D. Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol all, action allow

Explanation: Option C is correct because it creates an ingress firewall rule that explicitly allows TCP port 22 traffic from the office's static IP range (203.0.113.0/24) to instances tagged 'management'. In Google Cloud VPC firewall rules, the default action is to deny all ingress traffic unless an allow rule matches, so this single allow rule satisfies the requirement: only SSH from the office IP range is permitted, and all other ingress is implicitly blocked.

2.

Your company is deploying a web application on Google Kubernetes Engine (GKE) with an Internal Load Balancer (ILB) as the ingress. The application must only be accessible from within the same VPC and from an on-premises network connected via Cloud VPN. The on-premises network uses IP range 10.0.0.0/8. You have already created the ILB with a backend service. What is the most secure way to restrict access to the ILB?

A. Configure a VPC firewall rule to deny all ingress traffic to the ILB's forwarding rule IP address, and then create a higher-priority allow rule for the VPC and on-premises ranges
B. Configure the backend service's firewall rules to only allow traffic from the ILB's health check ranges and from the VPC and on-premises source ranges
C. Use GKE Network Policy to restrict ingress traffic to the application pods from the VPC and on-premises ranges
D. Use Cloud Armor to create a security policy that allows traffic only from the VPC and on-premises ranges, and attach it to the ILB

Explanation: Option B is correct because the most secure way to restrict access to an Internal Load Balancer (ILB) is to apply firewall rules directly on the backend service (the instance group or NEG). This ensures that only traffic from the ILB's health check probe ranges (130.211.0.0/22 and 35.191.0.0/16 for GKE) and the allowed source ranges (VPC and on-premises) can reach the backend instances. This approach prevents any traffic from reaching the backend except through the ILB, which is the intended secure design for an internal-only application.

3.

You have a Compute Engine VM that hosts a custom application. The VM has a tag 'app-server' and is in a VPC network with the following firewall rules (priority order from lowest to highest):

Rule 1: Priority 1000, direction INGRESS, source 0.0.0.0/0, target tag 'app-server', protocol tcp:80, action allow
Rule 2: Priority 500, direction INGRESS, source 10.0.0.0/8, target tag 'app-server', protocol tcp:80, action deny
Rule 3: Priority 2000, direction INGRESS, source 192.168.0.0/16, target tag 'app-server', protocol tcp:80, action allow

A user from IP 10.0.0.5 tries to access the application on port 80. Will the request be allowed or denied?

A. Denied, because Rule 2 has a lower priority number and explicitly denies traffic from 10.0.0.0/8
B. Denied, because Rule 3 has a higher priority number and denies traffic from 192.168.0.0/16
C. Allowed, because Rule 1 has a lower priority number and allows all traffic
D. Allowed, because Rule 3 has a higher priority number and allows traffic from 192.168.0.0/16

Explanation: Rule 2 has a priority of 500, which is lower (higher priority) than Rule 1 (priority 1000) and Rule 3 (priority 2000). Since the source IP 10.0.0.5 falls within the 10.0.0.0/8 range, Rule 2 matches first and explicitly denies the traffic. In Google Cloud VPC firewall rules, lower priority numbers are evaluated first, and the first matching rule determines the action.
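The evaluation order behind questions 1 and 3, as an added example that is not part of the original page: a simplified Python model of VPC ingress rule matching (one source range, one tag and one protocol:port per rule). The rule name `allow-office-ssh` and its priority of 1000 are assumptions; the other rule values are taken from the question text.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 0-65535; a lower number is a higher priority
    source: str       # source CIDR range
    target_tag: str   # network tag the rule applies to ("*" = every instance)
    proto_port: str   # e.g. "tcp:80", or "all"
    action: str       # "allow" or "deny"

# Implied rule present in every VPC network: deny all ingress at priority 65535.
IMPLIED_DENY = Rule("implied-deny-ingress", 65535, "0.0.0.0/0", "*", "all", "deny")

def matches(rule, src_ip, tags, proto_port):
    in_range = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)
    on_target = rule.target_tag == "*" or rule.target_tag in tags
    on_port = rule.proto_port in ("all", proto_port)
    return in_range and on_target and on_port

def evaluate_ingress(rules, src_ip, tags, proto_port):
    """Return the rule that decides an inbound connection (simplified model)."""
    hits = [r for r in [*rules, IMPLIED_DENY] if matches(r, src_ip, tags, proto_port)]
    # Lowest priority number wins; at equal priority a deny beats an allow.
    return min(hits, key=lambda r: (r.priority, r.action != "deny"))

# Question 3's rules, copied from the question text.
Q3_RULES = [
    Rule("rule-1", 1000, "0.0.0.0/0", "app-server", "tcp:80", "allow"),
    Rule("rule-2", 500, "10.0.0.0/8", "app-server", "tcp:80", "deny"),
    Rule("rule-3", 2000, "192.168.0.0/16", "app-server", "tcp:80", "allow"),
]
# Question 1, option C. The rule name and priority 1000 are assumptions.
Q1_RULES = [Rule("allow-office-ssh", 1000, "203.0.113.0/24", "management", "tcp:22", "allow")]

if __name__ == "__main__":
    cases = [  # constructed test connections
        (Q3_RULES, "10.0.0.5", {"app-server"}, "tcp:80"),
        (Q3_RULES, "192.168.1.10", {"app-server"}, "tcp:80"),
        (Q1_RULES, "203.0.113.10", {"management"}, "tcp:22"),
        (Q1_RULES, "198.51.100.7", {"management"}, "tcp:22"),
    ]
    for rules, src, tags, pp in cases:
        rule = evaluate_ingress(rules, src, tags, pp)
        print(f"{src} -> {pp}: {rule.action} ({rule.name}, priority {rule.priority})")
```

In the question 3 rule set, a source in 192.168.0.0/16 is decided by Rule 1 rather than Rule 3, because Rule 1 also matches and has the lower priority number.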

4.

Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?

A. Create a firewall rule in the host project that denies all egress traffic except to the Cloud NAT IP
B. Set the instances to use a custom route with next-hop as the Cloud NAT IP address
C. Configure a Cloud NAT on the Cloud Router in the host project for the subnet that is shared with the service project
D. Configure a Cloud NAT in each service project and associate it with the subnet that the instances use

Explanation: Option C is correct because a Cloud NAT configured on the Cloud Router in the host project for the shared subnet allows all Compute Engine instances in service projects attached to that subnet to use the host project's NAT IP for outbound traffic. This is the only way to centralize egress traffic through the host project's Cloud NAT while respecting Shared VPC architecture, as the NAT is tied to the subnet and Cloud Router in the host project.

5.

You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?

A. Ingress rule on frontend: allow tcp:8080 from backend's service account; Egress rule on backend: allow all to internet
B. Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on backend: allow all to internet
C. Ingress rule on frontend: allow tcp:8080 from subnet B; Egress rule on backend: allow all to internet
D. Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on frontend: deny all to internet

Explanation: Option B is correct because the frontend in subnet A initiates connections to the backend on TCP port 8080, so an ingress rule on the backend allowing traffic from subnet A permits this. An egress rule on the backend allowing all traffic to the internet enables patch downloads. This setup prevents the backend from initiating connections to the frontend, as no egress rule on the backend targets the frontend, and no ingress rule on the frontend allows unsolicited traffic from the backend.


How to master Configuring network security for PCSE

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Configuring network security. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Configuring network security questions on the PCSE frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many PCSE Configuring network security questions are on the real exam?

The exact number varies per candidate. Configuring network security is tested as part of the Google Professional Cloud Security Engineer blueprint. Practicing with targeted Configuring network security questions ensures you can handle any format or difficulty that appears.

Are these PCSE Configuring network security practice questions free?

Yes. Courseiva provides free PCSE practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Configuring network security one of the harder PCSE topics?

Difficulty is subjective, but Configuring network security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Configuring network security
Exam: PCSE
Questions available: 20+