- A
Cloud DNS forwarding zone to forward requests to Google APIs' public DNS.
Why wrong: Private Google Access does not require DNS changes; it works with standard DNS resolution.
- B
Private Google Access enabled on the subnet where the VPN gateway resides.
This allows on-premises traffic to reach Google APIs via the VPN.
- C
Firewall rule allowing ingress from on-premises to 0.0.0.0/0.
Why wrong: Firewall rules need to allow only the specific Google API IP ranges, not all destinations.
- D
Cloud NAT configured in the VPC.
Why wrong: Cloud NAT is not required for private Google Access; it is for internet access.
- E
A custom route in the VPC that sends traffic to 199.36.153.4/30 and 199.36.153.8/30 to the VPN tunnel.
These are the IP ranges used for private Google Access; routes must be in place.
Quick Answer
The answer is a custom route in the VPC that sends traffic to 199.36.153.4/30 and 199.36.153.8/30 to the VPN tunnel. This is required because Private Google Access for on-premises via Cloud VPN relies on these specific IP ranges, which are Google’s private API endpoints, to route traffic from your on-premises hosts through the VPN tunnel and into the VPC without ever touching the public internet. On the Google Professional Cloud Network Engineer exam, this concept tests your understanding that enabling Private Google Access on the subnet is necessary but not sufficient—you must also create a custom static route directing the 199.36.153.4/30 and 199.36.153.8/30 prefixes to the Cloud VPN gateway. A common trap is assuming that enabling Private Google Access alone handles all routing, or confusing these ranges with the default internet gateway. Remember the mnemonic: “Four and eight, route to the gate”—the two /30 subnets must be explicitly pointed to the VPN tunnel for on-premises private access to work.
PCNE Implementing a Virtual Private Cloud Practice Question
This PCNE practice question tests your understanding of implementing a virtual private cloud. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company is setting up a VPC with private Google Access enabled for on-premises connectivity via Cloud VPN. Which TWO of the following are required for on-premises hosts to access Google APIs (e.g., Cloud Storage) using private IP addresses?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Private Google Access enabled on the subnet where the VPN gateway resides.
Private Google Access enables on-premises hosts to reach Google APIs using private IP addresses when connected via Cloud VPN. It must be enabled on the subnet where the VPN gateway resides so that the VPC routes traffic from the VPN tunnel to Google's private API endpoints. This allows the on-premises hosts to use their private IPs without needing public IPs or internet access.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Cloud DNS forwarding zone to forward requests to Google APIs' public DNS.
Why it's wrong here
Private Google Access does not require DNS changes; it works with standard DNS resolution.
- ✓
Private Google Access enabled on the subnet where the VPN gateway resides.
Why this is correct
This allows on-premises traffic to reach Google APIs via the VPN.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Firewall rule allowing ingress from on-premises to 0.0.0.0/0.
Why it's wrong here
Firewall rules need to allow only the specific Google API IP ranges, not all destinations.
- ✗
Cloud NAT configured in the VPC.
Why it's wrong here
Cloud NAT is not required for private Google Access; it is for internet access.
- ✓
A custom route in the VPC that sends traffic to 199.36.153.4/30 and 199.36.153.8/30 to the VPN tunnel.
Why this is correct
These are the IP ranges used for private Google Access; routes must be in place.
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Google Cloud often tests the misconception that Cloud NAT is required for private access, but Private Google Access and custom routes to the 199.36.153.4/30 and 199.36.153.8/30 ranges are the correct components for on-premises private API access via Cloud VPN.
Detailed technical explanation
How to think about this question
Private Google Access uses RFC 1918 addresses to route traffic to Google's private API endpoints, which are reachable via the 199.36.153.4/30 and 199.36.153.8/30 IP ranges. These ranges are advertised by Google Cloud and require custom static routes in the VPC pointing to the VPN tunnel to ensure traffic from on-premises is forwarded correctly. Without these routes, traffic destined for Google APIs would be sent to the default internet gateway instead of the VPN tunnel, breaking private connectivity.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Implementing a Virtual Private Cloud — study guide chapter
Learn the concepts, then practise the questions
- →
Implementing a Virtual Private Cloud practice questions
Targeted practice on this topic area only
- →
All PCNE questions
497 questions across all exam domains
- →
Google Professional Cloud Network Engineer study guide
Full concept coverage aligned to exam objectives
- →
PCNE practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related PCNE practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Designing, planning, and prototyping a GCP network practice questions
Practise PCNE questions linked to Designing, planning, and prototyping a GCP network.
Implementing hybrid interconnectivity practice questions
Practise PCNE questions linked to Implementing hybrid interconnectivity.
Configuring network services practice questions
Practise PCNE questions linked to Configuring network services.
Implementing network security practice questions
Practise PCNE questions linked to Implementing network security.
Implementing a Virtual Private Cloud practice questions
Practise PCNE questions linked to Implementing a Virtual Private Cloud.
PCNE fundamentals practice questions
Practise PCNE questions linked to PCNE fundamentals.
PCNE scenario practice questions
Practise PCNE questions linked to PCNE scenario.
PCNE troubleshooting practice questions
Practise PCNE questions linked to PCNE troubleshooting.
Practice this exam
Start a free PCNE practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this PCNE question test?
Implementing a Virtual Private Cloud — This question tests Implementing a Virtual Private Cloud — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: Private Google Access enabled on the subnet where the VPN gateway resides. — Private Google Access enables on-premises hosts to reach Google APIs using private IP addresses when connected via Cloud VPN. It must be enabled on the subnet where the VPN gateway resides so that the VPC routes traffic from the VPN tunnel to Google's private API endpoints. This allows the on-premises hosts to use their private IPs without needing public IPs or internet access.
What should I do if I get this PCNE question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
5 more ways this is tested on PCNE
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Refer to the exhibit. A VM in my-subnet without an external IP address cannot access Google APIs. What is the likely missing configuration?
medium- A.Create a Cloud NAT.
- B.Add a firewall rule to allow egress to 0.0.0.0/0.
- ✓ C.Enable Private Google Access on the subnet.
- D.Add a default route to the internet gateway.
Why C: The subnet has privateIpGoogleAccess set to false, which must be enabled for VMs without external IPs to access Google APIs via Private Google Access. Option A is correct. Option B is not needed because egress to 0.0.0.0/0 is allowed by default. Option C is not required for Private Google Access (Cloud NAT is for outbound internet to non-Google destinations). Option D is not missing; a default route exists as indicated by gatewayAddress.
Variation 2. A company wants to allow their VPC instances to access Google APIs using internal IPs without using a NAT. They have set up Private Google Access on the subnet. What else is required?
medium- A.A default route to the internet must be created.
- B.A Cloud NAT must be configured.
- ✓ C.No additional configuration is needed.
- D.The instances must have external IPs.
Why C: Option A is correct because enabling Private Google Access on the subnet allows instances without external IPs to access Google APIs via the automatically generated default route for the private Google access ranges. No additional configuration is needed. Option B is incorrect because an explicit default route to the internet would send traffic to the internet, not to Google APIs via private access. Option C is incorrect because Cloud NAT is not needed and would override private access. Option D is incorrect because instances should not have external IPs if using private access.
Variation 3. A company wants to enable Private Google Access for an on-premises network connected via Cloud VPN. Which configuration step is required?
easy- ✓ A.Enable Private Google Access on the VPC subnet that hosts the Cloud VPN gateway.
- B.Enable VPC Flow Logs for the VPN tunnel.
- C.Create a default route with next hop set to the internet gateway.
- D.Configure a Cloud NAT gateway for the on-premises network.
Why A: Option B is correct because Private Google Access must be enabled on the VPC subnet that hosts the Cloud VPN gateway. This allows on-premises hosts to use internal IPs to access Google APIs through the VPN tunnel. Option A is incorrect because a default route to the internet is not required; the traffic goes through the VPN. Option C is incorrect because Cloud NAT is for outbound internet from private instances, not for on-premises access. Option D is incorrect because VPC Flow Logs are for logging, not enabling access.
Variation 4. Which TWO of the following are required to enable Private Google Access for a subnet?
easy- A.Create a private services access connection.
- ✓ B.Enable Private Google Access on the subnet.
- C.Create a Cloud NAT.
- ✓ D.Configure a default route with next-hop internet gateway.
- E.Enable VPC flow logs.
Why B: To enable Private Google Access, you must enable the setting on the subnet (A) and have a default route with next-hop internet gateway (C) for traffic to Google APIs. Option B is incorrect because Cloud NAT is not required. Option D is incorrect because private services access is for Google managed services like Cloud SQL. Option E is incorrect because VPC flow logs are optional.
Variation 5. A security team wants to restrict which Google services can be accessed from their VPC without external IPs. They use Private Google Access. What should they use to block access to specific services?
hard- ✓ A.VPC Service Controls
- B.Firewall rules blocking destination IPs
- C.Cloud NAT with a specific IP range
- D.Private Google Access with restricted VIPs
Why A: VPC Service Controls allows creating security perimeters that restrict access to services.
Last reviewed: Jun 30, 2026
This PCNE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCNE exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.