The correct answer is that HTTP traffic from the internet is allowed. This is because the instance’s network tag ‘http-server’ matches the default VPC firewall rule ‘default-allow-http’, which explicitly permits inbound TCP traffic on port 80 from any source (0.0.0.0/0). In Google Cloud, VPC firewall rules with network tags operate on a priority-based allow system, and a public IP address does not override an applicable allow rule—it simply provides a routable endpoint. On the Google Professional Cloud Network Engineer exam, this scenario tests your understanding of how network tags act as rule selectors, not as security boundaries; a common trap is assuming a public IP or additional tags like ‘ssh-server’ somehow restrict traffic. Remember the memory tip: tags invite rules, they don’t block them—if a tag matches an allow rule, that traffic flows regardless of other tags or IPs.
PCNE Configuring network services Practice Question
This PCNE practice question tests your understanding of configuring network services. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Refer to the exhibit. A Compute Engine instance has the network tags 'http-server' and 'ssh-server'. It also has a public IP address. Which of the following statements about traffic to this instance is true?
All traffic from the internet is denied because of the deny-all rule.
Why wrong: Deny-all has lower priority (65535) than allow rules (1000), so allow rules take precedence for matched traffic.
B
SSH traffic from the internet is allowed.
Why wrong: The allow-ssh rule only allows from 10.0.0.0/8 (internal IPs), so internet SSH is denied by default.
C
HTTP traffic from the internet is allowed.
The allow-http rule allows tcp:80 from 0.0.0.0/0 to tagged instances; the instance has http-server tag.
D
HTTPS traffic from the internet is allowed.
Why wrong: The allow-https rule targets https-server tag; the instance does not have this tag, so HTTPS is not allowed by that rule, and the deny-all would block it.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
HTTP traffic from the internet is allowed.
The instance has the network tag 'http-server', which is used by the default VPC firewall rule 'default-allow-http' to permit inbound TCP traffic on port 80 from any source (0.0.0.0/0). Since the instance also has a public IP address, HTTP traffic from the internet can reach it. The other tags and the public IP do not override this allow rule.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
All traffic from the internet is denied because of the deny-all rule.
Why it's wrong here
Deny-all has lower priority (65535) than allow rules (1000), so allow rules take precedence for matched traffic.
✗
SSH traffic from the internet is allowed.
Why it's wrong here
The allow-ssh rule only allows from 10.0.0.0/8 (internal IPs), so internet SSH is denied by default.
✓
HTTP traffic from the internet is allowed.
Why this is correct
The allow-http rule allows tcp:80 from 0.0.0.0/0 to tagged instances; the instance has http-server tag.
Related concept
Read the scenario before looking for a memorised answer.
✗
HTTPS traffic from the internet is allowed.
Why it's wrong here
The allow-https rule targets https-server tag; the instance does not have this tag, so HTTPS is not allowed by that rule, and the deny-all would block it.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Google Cloud often tests the misconception that having a public IP address automatically opens all ports, or that a network tag alone (without a corresponding firewall rule) permits traffic on that port.
Detailed technical explanation
How to think about this question
In Google Cloud VPC, firewall rules are stateful and evaluated in order of priority (lower number = higher priority), with an implied deny-all at the lowest priority (65535). The 'default-allow-http' rule has priority 1000 and applies to instances with the 'http-server' tag, allowing ingress TCP/80 from 0.0.0.0/0. Without a corresponding rule for SSH (TCP/22) or HTTPS (TCP/443), those protocols are blocked by the implied deny. This tag-based targeting is a common pattern for selectively applying rules to specific instances.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
An e-commerce site experiences heavy traffic on Black Friday and near-zero traffic during off-peak weeks. Rather than provisioning permanent large VMs, the team uses auto-scaling groups that add capacity automatically under load and reduce it overnight. Questions like this test whether you understand elasticity, availability zones, and cloud compute scaling patterns.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Configuring network services — This question tests Configuring network services — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: HTTP traffic from the internet is allowed. — The instance has the network tag 'http-server', which is used by the default VPC firewall rule 'default-allow-http' to permit inbound TCP traffic on port 80 from any source (0.0.0.0/0). Since the instance also has a public IP address, HTTP traffic from the internet can reach it. The other tags and the public IP do not override this allow rule.
What should I do if I get this PCNE question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This PCNE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCNE exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.