Implementing network security practice questions

Practise Google Professional Cloud Network Engineer Implementing network security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Implementing network security

What the exam tests

What to know about Implementing network security

Implementing network security questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Implementing network security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Implementing network security questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company is using Cloud NAT for internet access from private subnets. The security team notices that traffic from a specific VM is being blocked by external firewalls because the source IP is not the Cloud NAT IP. What is the most likely cause?

Question 2

An organization wants to restrict access to a Cloud Storage bucket so that only VMs within a specific VPC network can download objects. They are using VPC Service Controls and Private Google Access. Which configuration is required?

Question 3 · easy · multiple choice

A network engineer is troubleshooting connectivity from an on-premises network to a GCE VM through a VPN tunnel. The tunnel is established, but traffic is not reaching the VM. What should the engineer check first?

Question 4

A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?

Question 5

A company uses Cloud Armor to protect an HTTPS Load Balancer. They notice that legitimate traffic from a specific geographic region is being blocked. The security policy has a deny rule for that region. What is the correct way to allow traffic from that region while still protecting against attacks?

Question 6

A company is implementing VPC Service Controls to protect a managed project containing BigQuery datasets. They want to allow access from a specific service account in a different project. Which two configurations are required? (Choose TWO.)

Question 7 · hard · multi select

A company is using Cloud NAT for outbound internet access. They want to ensure that traffic from certain VMs always uses a specific set of NAT IPs for auditing purposes. Which three steps are necessary to achieve this? (Choose THREE.)

Question 8

Refer to the exhibit. A user cannot SSH into test-vm from their workstation (public IP 203.0.113.5) using the VM's external IP 34.67.89.10. The firewall rule allow-ssh exists. What is the most likely cause?

Exhibit: Network Topology (command fragments and output recovered from the exhibit)

  --filter="name=allow-ssh"
  gcloud compute firewall-rules list
  --filter="name=allow-icmp"
  --zone=us-central1-a
  --format="table(networkInterfaces)"
  networkInterfaces[0].networkIP: 10.128.0.2
  networkInterfaces[0].accessConfigs[0].natIP: 34.67.89.10

Question 9

Refer to the exhibit. A project has the IAM policy shown. Alice is trying to delete a VPC firewall rule but receives a permission error. What is the most likely reason?

Exhibit

{
  "bindings": [
    {
      "role": "roles/compute.securityAdmin",
      "members": [
        "user:alice@example.com"
      ]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": [
        "user:bob@example.com"
      ]
    }
  ]
}

Question 10 · hard · multiple choice

A company is designing a hub-and-spoke VPC architecture in Google Cloud. The hub VPC hosts a set of shared services, including a third-party firewall appliance (NGFW) in a managed instance group behind a TCP load balancer. Spoke VPCs need to send traffic to the hub's internal TCP load balancer IP (10.0.0.10) for inspection. The firewall appliance inspects traffic and forwards it to the final destination. The network team notices that traffic from one spoke to the load balancer is being dropped. They have verified that VPC peering is established, routes are propagated, and firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

Question 11

A company uses Identity-Aware Proxy (IAP) to secure access to a group of Compute Engine instances running a web application. The instances have no external IP addresses and are accessed via IAP TCP forwarding. Recently, the security team discovered that some users can access the instances directly via SSH from other instances within the same VPC, bypassing IAP. What is the most effective way to ensure all SSH access goes through IAP?

Question 12 · medium · multi select

A company is designing a secure multi-VPC architecture in Google Cloud. They have three VPCs: Production, Staging, and Shared Services. The Shared Services VPC hosts a Cloud NAT for outbound internet access and a set of managed instance groups. The Production and Staging VPCs are peered to the Shared Services VPC. The company wants to ensure that: (1) instances in Staging cannot initiate connections to instances in Production, (2) instances in Production cannot initiate connections to instances in Staging, (3) all VPCs can communicate with Shared Services, and (4) traffic between VPCs must be inspected by a firewall appliance in Shared Services. Which TWO actions should the company take?

Question 13 · hard · multiple choice

A financial services company is deploying a new payment processing application in Google Cloud. The architecture consists of: a VPC named 'payment-vpc' with subnet 'payment-subnet' (10.1.0.0/16), a managed instance group (MIG) of backend servers in payment-subnet, an internal TCP load balancer (ILB) with IP 10.1.0.10 distributing traffic to the MIG, and a Cloud NAT for outbound internet access. The application must communicate with an external payment gateway over TLS. The security policy requires that all outbound traffic from the backend servers to the internet must egress through a single, centralized Cloud NAT instance to allow traffic inspection. To meet this requirement, the network team has configured: a Cloud Router, a Cloud NAT gateway named 'payment-nat' in payment-vpc, and a default route (0.0.0.0/0, next hop: default internet gateway) in payment-vpc. They have also configured VPC firewall rules to allow outbound HTTPS traffic. During testing, the backend servers cannot connect to the external payment gateway. The team has verified that the Cloud NAT is properly configured and that the VPC firewall rules allow egress traffic. What is the most likely cause of the connectivity failure?

Question 14

A company has deployed a globally distributed application on Google Cloud using Cloud Load Balancing and managed instance groups across multiple regions. They need to restrict access to the application's backend instances so that only traffic from the load balancer's health check ranges and the load balancer's source IP addresses is allowed. Which firewall rule configuration should be used?

Question 15

A financial services company is migrating sensitive workloads to Google Cloud. They need to implement a defense-in-depth strategy to protect their VPC networks. Which TWO actions should they take to meet their security requirements? (Choose TWO.)

Question 16

Drag and drop the steps to set up a shared VPC in Google Cloud into the correct order.
Question 17 · medium · drag order

Drag and drop the steps to migrate an on-premises network to Google Cloud using a VPN and VPC peering into the correct order.

Question 18

Match each Google Cloud interconnect or peering type to its description.

Descriptions to match:
  • Direct physical connection between on-premises and Google
  • Connection via a supported service provider
  • Direct BGP peering between on-premises and Google edge
  • Peering via a carrier's network
  • Encrypted tunnel over the internet to your VPC

Question 19 · medium · matching

Match each Cloud DNS record type to its use.

Descriptions to match:
  • Maps a hostname to an IPv4 address
  • Maps a hostname to an IPv6 address
  • Alias of one hostname to another
  • Specifies mail servers for a domain
  • Holds arbitrary text, often for verification

Question 20

A team has deployed Compute Engine instances with internal IPs only. They need to allow these instances to download updates from specific external IP ranges. Which action should they take?


Frequently asked questions

What does the PCNE exam test about Implementing network security?
Implementing network security questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Implementing network security questions in a focused session?
Yes — the session launcher on this page draws every question from the Implementing network security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCNE topics?
Use the topic links above to move to related areas, or go back to the PCNE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNE exam covers. They are not copied from any real exam or dump site.