
Scenario-based practice

Troubleshooting Scenario Questions

Practise Google Professional Cloud Network Engineer practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions. Exam code: PCNE. Vendor: Google Cloud.

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (medium, drag order)

Drag and drop the steps to troubleshoot a VPN tunnel that is not passing traffic into the correct order.

Question 2 (easy, multiple choice)

A developer created a Compute Engine instance in the default VPC network. The instance needs to communicate with an on-premises server over a Cloud VPN tunnel. The developer configured the VPN tunnel, but the instance cannot ping the on-premises server. What is the most likely cause?

Question 3 (medium, multiple choice)

Your company has deployed a hybrid cloud environment with a Cloud VPN tunnel between a Google Cloud VPC and an on-premises data center. The VPC is a custom mode network with subnet 10.0.1.0/24 in us-east1. On-premises uses subnet 192.168.1.0/24. The VPN tunnel is established using dynamic routing (BGP). Both sides advertise the correct prefixes. A Compute Engine VM in the VPC (10.0.1.10) can ping the on-premises gateway (192.168.1.1), but cannot ping a server on-premises (192.168.1.100). The on-premises network team confirms that 192.168.1.100 is reachable from the on-premises gateway. Firewall rules in GCP allow ingress from 192.168.1.0/24 to all VMs. What is the most likely cause?

Question 4 (hard, multi select)

A company is using Cloud NAT to allow private instances to access the internet. They notice that some instances are not able to reach certain external services. Which THREE steps should they take to troubleshoot?

Question 5 (medium, multiple choice)

A network engineer is troubleshooting a Cloud VPN tunnel that is not passing traffic. The tunnel status shows as established, and BGP sessions are up. However, traffic from an on-premises subnet (10.0.1.0/24) to a GCP subnet (192.168.1.0/24) is not working. What should the engineer check first?

Question 6 (hard, multi select)

A company uses Cloud NAT to enable outbound internet access for private instances in a VPC. They notice that some instances are unable to connect to external services, while others can. The network team has verified that all instances have the same tags and are in the same subnet. Which TWO actions should the team take to troubleshoot the issue?

Question 7 (easy, multiple choice)

An engineer creates a Cloud NAT configuration as shown in the exhibit. The test-instance is created without an external IP address. However, the instance cannot reach the internet. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
gcloud compute routers create nat-router \
    --network=my-vpc \
    --region=us-central1

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --region=us-central1 \
    --nat-external-ip-pool=ip-address-1 \
    --nat-all-subnet-ip-ranges \
    --enable-logging

gcloud compute instances create test-instance \
    --zone=us-central1-a \
    --network=my-vpc \
    --subnet=subnet-a \
    --no-address
```

Question 8 (easy, multi select)

A company is troubleshooting connectivity issues between their on-premises network and Google Cloud over a Dedicated Interconnect. They can ping the VLAN attachment IP but cannot reach Compute Engine instances. Which TWO checks should they perform?

Question 9 (hard, multi select)

A Cloud Router BGP session is flapping. Which TWO actions are appropriate troubleshooting steps?

Question 10 (hard, multi select)

A network engineer is troubleshooting a BGP session between an on-premises router and a Cloud Router. The BGP session state is 'CONNECT' and never transitions to 'ESTABLISHED'. The engineer has verified that the Cloud Router and on-premises router have the same BGP ASN, and that the peer IP addresses are correctly configured. Which two additional steps should the engineer take to resolve this issue? (Choose TWO.)

Question 11 (easy, multiple choice)

Refer to the exhibit. A network engineer is unable to SSH to instance-1 using IAP TCP forwarding. What is the most likely reason?

Exhibit

```
gcloud compute instances describe instance-1 --format="yaml(tags, serviceAccounts)"
tags:
  items:
  - web
serviceAccounts:
- email: test@project.iam.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/cloud-platform

---

Firewall rule:
gcloud compute firewall-rules describe allow-ssh-iap
allowed:
- IPProtocol: tcp
  ports:
  - '22'
direction: INGRESS
priority: 1000
sourceRanges:
- 35.235.240.0/20
targetTags:
- ssh-iap
```

Question 12 (hard, multiple choice)

A network engineer is troubleshooting an HA VPN setup between Google Cloud and an on-premises data center. The two tunnels are established, and BGP sessions are up on both tunnels. However, traffic from Google Cloud to the on-premises network is only using one tunnel, even though both BGP sessions are advertising the same routes. What is the most likely cause?

Question 13 (easy, multiple choice)

A company has a VPC with a subnet in us-central1. They have several private Compute Engine instances (no external IP) that need to download updates from a public repository on the internet. The network engineer has created a Cloud NAT gateway in the same region and attached it to the subnet. However, the instances still cannot reach the internet. The engineer has confirmed that the Cloud NAT gateway is correctly configured and that the subnet's Private Google Access is not relevant for this traffic. What should the engineer check first to resolve the issue?

Question 14 (medium, multiple choice)

A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect using VLAN attachments. They have set up a Cloud Router with BGP to exchange routes. The on-premises network advertises a prefix 10.0.0.0/8, and Google Cloud advertises the VPC's subnet ranges (10.0.0.0/24 and 10.0.1.0/24). After configuration, on-premises hosts cannot reach the Google Cloud instances in those subnets. The engineer checks the BGP session status and it is established. The Cloud Router shows that the on-premises prefix is learned, and the on-premises router shows that the specific /24 prefixes are received. However, traffic from on-premises to the Google Cloud subnets is not working. What is the most likely cause?

Question 15 (easy, multiple choice)

Your organization has a site-to-site Cloud VPN connection between an on-premises network with CIDR 10.0.0.0/8 and a VPC in us-central1 with subnet 192.168.1.0/24. The VPN tunnel is established, but you cannot reach a Compute Engine instance with internal IP 192.168.1.10 from a server on-premises with IP 10.0.0.50. Cloud VPN logs show no errors. On-premises firewall rules allow all outbound traffic. What is the most likely cause of the problem?

These PCNE practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCNE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.