Scenario-based practice

Hard Difficulty Questions

Practise Google Professional Cloud Network Engineer practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions. Exam code: PCNE. Vendor: Google Cloud.

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

An organization is migrating to Google Cloud and requires connectivity between their on-premises network and VPC. They plan to use Cloud VPN with dynamic routing (BGP). Which VPC feature is required for this setup?

Question 2 (hard, multiple choice)

A company is migrating on-premises DNS to Google Cloud. They have a hybrid network using Cloud VPN and want to resolve on-premises hostnames from Compute Engine instances without custom scripts. Which service should they use?

Question 3 (hard, multiple choice)

An organization has a VPC with custom mode subnets in us-central1 and europe-west1. They create a VM instance in us-central1 with an internal IP 10.0.1.2 and a VM in europe-west1 with internal IP 10.0.2.2. They want to enable communication between these instances using internal IPs. What must be configured?

Question 4 (hard, multiple choice)

A company has deployed a global application on Compute Engine instances in multiple regions. Users are experiencing high latency connecting to the application. The network team wants to use Google Cloud's global network to improve performance. Which approach should they take?

Question 5 (hard, multi select)

A company is designing a VPC for a production environment that must meet the following requirements: support multiple projects, centralized network administration, and allow each project to have its own firewall rules. Which THREE components should be used?

Question 6 (hard, multiple choice)

A company is designing a network for a critical application that requires sub-millisecond latency between two Compute Engine instances. The instances are located in different zones within the same region. Which VPC configuration will provide the lowest latency?

Question 7 (hard, multi select)

A company has a VPC with multiple subnets. They want to restrict traffic between two subnets (Subnet-A and Subnet-B) using VPC firewall rules. Which THREE conditions must be met for a firewall rule to block traffic from Subnet-A to Subnet-B?

Question 8 (hard, multiple choice)

A network engineer configured a Cloud Router with the BGP configuration shown. The on-premises router (AS 64512) is peering with the Cloud Router (AS 65001) over a Dedicated Interconnect VLAN attachment. The engineer notices that traffic from on-premises to Google Cloud is not being routed via this interconnect as expected. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
# Cloud Router BGP configuration
router bgp 65001
 neighbor 169.254.0.1 remote-as 64512
 neighbor 169.254.0.1 ebgp-multihop 2
 neighbor 169.254.0.1 update-source loopback0
 address-family ipv4 unicast
  neighbor 169.254.0.1 route-map SET-MED in
  neighbor 169.254.0.1 route-map SET-LOCAL-PREF out
!
route-map SET-MED permit 10
 set metric 100
!
route-map SET-LOCAL-PREF permit 10
 set local-preference 200
```

Question 9 (hard, multiple choice)

A company has a VPC with multiple subnets. They want to restrict traffic between two specific subnets (10.0.1.0/24 and 10.0.2.0/24) while allowing all other traffic. They create a firewall rule with priority 1000 denying ingress from 10.0.1.0/24 to 10.0.2.0/24. However, traffic is still allowed. What is the most likely reason?

Question 10 (hard, multiple choice)

You have a Cloud Router with the configuration shown. The on-premises network (ASN 65002) is not receiving any routes from Google Cloud. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ gcloud compute routers describe my-router --region us-central1
creationTimestamp: '2023-01-15T10:00:00.000-08:00'
description: Router for on-prem connectivity
id: '1234567890123456789'
kind: compute#router
name: my-router
network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default
region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1
bgp:
  asn: 65001
  advertiseMode: CUSTOM
  advertisedGroups:
  - ALL_SUBNETS
  advertisedIpRanges:
  - range: 10.0.1.0/24
    description: On-prem subnet
  keepaliveInterval: 20
```

Question 11 (hard, multiple choice)

A large enterprise is migrating to Google Cloud and needs to establish connectivity between on-premises and VPCs in two different regions (us-east1 and europe-west1). They have a single Partner Interconnect connection at a co-location facility in New York. They want to use the same interconnect for both regions. Which configuration should they use?

Question 12 (hard, multiple choice)

A company has a VPC with subnets in us-central1 and europe-west1. They create a Private Service Connect endpoint for a managed service in us-central1. Can Compute Engine instances in europe-west1 access the endpoint?

Question 13 (hard, multi select)

Which THREE actions should you take to secure a VPC that hosts public-facing web applications?

Question 14 (hard, multi select)

A company is using Cloud NAT to allow private instances to access the internet. They notice that some instances are not able to reach certain external services. Which THREE steps should they take to troubleshoot?

Question 15 (hard, multi select)

A company uses Cloud NAT to enable outbound internet access for private instances in a VPC. They notice that some instances are unable to connect to external services, while others can. The network team has verified that all instances have the same tags and are in the same subnet. Which TWO actions should the team take to troubleshoot the issue?

Question 16 (hard, multiple choice)

An organization wants to restrict access to a Cloud Storage bucket so that only VMs within a specific VPC network can download objects. They are using VPC Service Controls and Private Google Access. Which configuration is required?

Question 17 (hard, multiple choice)

A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?

Question 18 (hard, multi select)

A company is using Cloud NAT for outbound internet access. They want to ensure that traffic from certain VMs always uses a specific set of NAT IPs for auditing purposes. Which three steps are necessary to achieve this? (Choose THREE.)

Question 19 (hard, multiple choice)

Refer to the exhibit. A user cannot SSH into test-vm from their workstation (public IP 203.0.113.5) using the VM's external IP 34.67.89.10. The firewall rule allow-ssh exists. What is the most likely cause?

Network Topology

```
filter="name=allow-ssh"
gcloud compute firewall-rules list
filter="name=allow-icmp"
zone=us-central1-a
format="table(networkInterfaces)"
networkInterfaces[0].networkIP: 10.128.0.2
networkInterfaces[0].accessConfigs[0].natIP: 34.67.89.10
```

Question 20 (hard, multi select)

Which THREE of the following are requirements for implementing a Global External HTTP(S) Load Balancer with an external backend?

These PCNE practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCNE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.