
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Google Professional Cloud Network Engineer practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: PCNE | Vendor: Google Cloud

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?

Question 2 (hard, multiple choice)

Refer to the exhibit. A user cannot SSH into test-vm from their workstation (public IP 203.0.113.5) using the VM's external IP 34.67.89.10. The firewall rule allow-ssh exists. What is the most likely cause?

Network Topology

```
filter="name=allow-ssh"
gcloud compute firewall-rules list
filter="name=allow-icmp"
zone=us-central1-a
format="table(networkInterfaces)"
networkInterfaces[0].networkIP: 10.128.0.2
networkInterfaces[0].accessConfigs[0].natIP: 34.67.89.10
```

Question 3 (easy, multiple choice)

Based on the exhibit, what is the purpose of Cloud Router's BGP configuration?

Exhibit

Refer to the exhibit.

```
Resource: Cloud Router
Name: router-1
Region: us-central1
Network: vpc-1
BGP: Autonomous System Number (ASN): 65001
Advertised IP ranges: 10.0.0.0/16
BGP sessions:
  - peer: on-prem-router
    peer ASN: 65002
    peer IP: 192.168.1.1
    Cloud Router IP: 169.254.0.1
    Advertised route priority: 100
    Status: Established

On-premises router BGP table:
  Network          Next Hop        Metric
  10.0.0.0/16      169.254.0.1     0
  0.0.0.0/0        192.168.1.1     0
```

Question 4 (easy, multiple choice)

An engineer creates a Cloud NAT configuration as shown in the exhibit. The test-instance is created without an external IP address. However, the instance cannot reach the internet. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
gcloud compute routers create nat-router \
    --network=my-vpc \
    --region=us-central1

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --region=us-central1 \
    --nat-external-ip-pool=ip-address-1 \
    --nat-all-subnet-ip-ranges \
    --enable-logging

gcloud compute instances create test-instance \
    --zone=us-central1-a \
    --network=my-vpc \
    --subnet=subnet-a \
    --no-address
```

Question 5 (hard, multiple choice)

Refer to the exhibit. The Cloud Router shows one BGP peer as ESTABLISHED and one as IDLE. The best routes show two routes to the same destination with different priorities. What is the most likely reason the IDLE peer is not establishing?

Exhibit

Refer to the exhibit.

```
$ gcloud compute routers get-status router-1 --region=us-central1
kind: compute#routerStatus
result:
  bgpPeerStatus:
  - name: peer-1
    ipAddress: 169.254.1.1
    peerIpAddress: 169.254.1.2
    status: ESTABLISHED
    routesLearned: 120
  - name: peer-2
    ipAddress: 169.254.2.1
    peerIpAddress: 169.254.2.2
    status: IDLE
    routesLearned: 0
  bestRoutesForRouter:
  - dest: 10.0.0.0/8
    nextHop: 169.254.1.2
    priority: 100
  - dest: 10.0.0.0/8
    nextHop: 169.254.2.2
    priority: 200
```

Question 6 (easy, multiple choice)

Refer to the exhibit. A VM in 'subnet-a' can access Google APIs via private IP, but a VM in 'subnet-b' cannot. What change should be made to fix this?

Exhibit

Refer to the exhibit.

```
$ gcloud compute networks subnets list

NAME          REGION       NETWORK  RANGE          PRIVATE_GOOGLE_ACCESS  STACK_TYPE
subnet-a      us-central1  vpc1     10.0.1.0/24    Enabled                IPV4_ONLY
subnet-b      us-east1     vpc1     10.0.2.0/24    Disabled               IPV4_ONLY
```

A VM in 'subnet-a' can access Google APIs via private IP, but a VM in 'subnet-b' cannot.

Question 7 (easy, multiple choice)

Refer to the exhibit. A company has enabled Private Google Access on the subnet. What effect does this have on VMs in the subnet?

Exhibit

```
gcloud compute networks subnets describe my-subnet --region us-central1
- name: my-subnet
- network: my-vpc
- ipCidrRange: 10.0.1.0/24
- privateIpGoogleAccess: true
- purpose: PRIVATE
- logConfig: {enable: true}
```

Question 8 (hard, multiple choice)

Refer to the exhibit. A Cloud Armor security policy with the shown rules is applied to an HTTPS load balancer. Users from IP 10.0.1.1 are reporting they cannot access the website. What is the issue?

Exhibit

```
{
  "rules": [
    {
      "action": "deny(403)",
      "priority": 1000,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": ["10.0.0.0/8"]
        }
      }
    },
    {
      "action": "allow",
      "priority": 2000,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": ["0.0.0.0/0"]
        }
      }
    }
  ]
}
```

Question 9 (easy, multiple choice)

Refer to the exhibit. A network engineer is unable to SSH to instance-1 using IAP TCP forwarding. What is the most likely reason?

Exhibit

```
gcloud compute instances describe instance-1 --format="yaml(tags, serviceAccounts)"
tags:
  items:
  - web
serviceAccounts:
- email: test@project.iam.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/cloud-platform

---

Firewall rule:
gcloud compute firewall-rules describe allow-ssh-iap
allowed:
- IPProtocol: tcp
  ports:
  - '22'
direction: INGRESS
priority: 1000
sourceRanges:
- 35.235.240.0/20
targetTags:
- ssh-iap
```

Question 10 (easy, multiple choice)

Refer to the exhibit. A user within the perimeter project '111111111111' tries to access BigQuery from a VM that has an external IP address. The request is denied. What is the most likely reason?

Exhibit

```
{
  "name": "my-perimeter",
  "status": {
    "accessLevels": [
      "accessPolicies/12345/accessLevels/trusted_ips"
    ],
    "resources": ["projects/111111111111"],
    "restrictedServices": ["bigquery.googleapis.com"],
    "vpcAccessibleServices": {
      "allowedServices": ["bigquery.googleapis.com"],
      "enableRestriction": true
    }
  }
}
```

Question 11 (hard, multiple choice)

Refer to the exhibit. A request arrives with User-Agent 'GoodBot' and path '/admin'. What action does Cloud Armor take?

Exhibit

Cloud Armor security policy 'my-policy' with rules:
- priority: 100, match: request headers: User-Agent: *BadBot*, action: deny(403)
- priority: 200, match: request headers: User-Agent: *GoodBot*, action: allow
- priority: 300, match: request path: /admin, action: deny(403)
- priority: 1000, default rule: allow

Question 12 (hard, multiple choice)

Refer to the exhibit. A Cloud VPN tunnel is configured between an on-premises router and Google Cloud. The BGP session is not established. The on-premises router shows 'Connection refused'. What is the most likely cause?

Exhibit

Refer to the exhibit.

Output from an on-premises router:
```
show bgp vpnv4 unicast neighbors 169.254.1.1
BGP neighbor is 169.254.1.1, vrf default
 BGP version 4, remote router ID 10.0.0.1
 BGP state = Connect
 Last read never, last write never
 Hold time is 90, keepalive interval is 30 seconds
 No using MD5 authentication
 Error: Connection refused
```

Question 13 (medium, multiple choice)

Refer to the exhibit. A VM with the 'ssh-allowed' tag is unreachable via SSH from the internet, while other VMs with the same tag work. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
gcloud compute firewall-rules describe allow-ssh

Allowed:
  IPProtocol: tcp
  ports: ['22']
Direction: INGRESS
Source ranges: ['0.0.0.0/0']
Target tags: ['ssh-allowed']
Priority: 1000
```

A VM with network tag 'ssh-allowed' cannot be reached via SSH from the internet. Other VMs with the same tag work fine.

Question 14 (easy, multiple choice)

Refer to the exhibit. A project has the IAM policy shown. Alice is trying to delete a VPC firewall rule but receives a permission error. What is the most likely reason?

Exhibit

```
{
  "bindings": [
    {
      "role": "roles/compute.securityAdmin",
      "members": [
        "user:alice@example.com"
      ]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": [
        "user:bob@example.com"
      ]
    }
  ]
}
```

Question 15 (hard, multiple choice)

An organization wants to implement a hub-and-spoke network topology in Google Cloud using VPC Network Peering. The hub VPC hosts shared services and the spoke VPCs host application workloads. They need to ensure that spokes can communicate with each other through the hub. Which additional configuration is required?

These PCNE practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCNE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.