
Scenario-based practice

Troubleshooting Scenario Questions

Practise with original exam-style Google Professional Cloud Security Engineer scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions
Exam code: PCSE
Vendor: Google Cloud

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a symptom (a connection that fails, an unexpected 403, a credential that stops working, a log entry that never appears) and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure: confirm what is actually failing, rule out each layer (routing, firewall, IAM, the service's own access controls) in turn, and only then pick the option that explains every detail in the stem.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (easy, multiple choice)

A security engineer is troubleshooting an issue where a Compute Engine VM cannot connect to a Cloud SQL instance that has a private IP address. Both resources are in the same VPC network. The VM's firewall rules allow egress to any destination, and the Cloud SQL instance's authorized networks include the VPC network. What is the most likely cause of the connection failure?

Question 2 (hard, multiple choice)

A security engineer is troubleshooting a connectivity issue between two VPCs connected via VPC Network Peering. VPC-A (project A) has a Compute Engine instance with internal IP 10.1.0.2. VPC-B (project B) has an instance with internal IP 10.2.0.2. The engineer has verified that the peering connection is active and the firewall rules allow ingress from 10.1.0.0/16. However, the instance in VPC-B cannot ping the instance in VPC-A. What is the most likely cause?

Question 3 (hard, multiple choice)

A security team needs to enforce that only requests originating from a corporate IP range (203.0.113.0/24) can access a Cloud Storage bucket containing sensitive data. They have created a custom IAM role with storage.objects.get permission and attached a condition that requires the request to have a specific IP address. However, some legitimate users outside the IP range are unable to access the data. What is the most likely cause?

Question 4 (hard, multiple choice)

A security engineer is troubleshooting access to a Cloud Storage bucket. The bucket has uniform bucket-level access enabled. The engineer's user account has the roles/storage.objectViewer role at the project level, but they get a 403 error when trying to download an object. What is the most likely cause?

Question 5 (hard, multiple choice)

Refer to the exhibit. A security administrator is troubleshooting why a user cannot access a BigQuery dataset. The user analyst@example.com is not a member of data-team@example.com. The user is trying to query a table in the dataset. What is the most likely reason for the denial?

Exhibit

{
  "bindings": [
    {
      "role": "roles/bigquery.dataViewer",
      "members": [
        "user:analyst@example.com"
      ]
    },
    {
      "role": "roles/bigquery.dataOwner",
      "members": [
        "group:data-team@example.com"
      ]
    }
  ],
  "etag": "ABC"
}
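The exhibit above is a single IAM policy, but whether analyst@example.com can actually run a query depends on how IAM resolves bindings: grants at every level of the resource hierarchy are unioned, a binding on a group applies to each member of that group, and a query needs permissions on more than one resource. The following Python is an added illustration of that resolution for the Question 5 exhibit; it is not the page's answer key and not Google's own evaluator. The project-level policy, the group membership and the role-to-permission table are assumptions constructed for the example.

```python
"""Resolve a principal's effective roles and permissions under the additive
Google Cloud IAM model: bindings at every level of the resource hierarchy are
unioned, and a binding on a group applies to each member of that group.

Added illustration for the Question 5 exhibit, not the page's answer key and
not Google's own evaluator. The project-level policy, the group membership and
the role-to-permission table are assumptions constructed for this example.
"""
import json

# Exhibit policy from the page, as attached to the BigQuery dataset.
DATASET_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/bigquery.dataViewer", "members": ["user:analyst@example.com"]},
    {"role": "roles/bigquery.dataOwner", "members": ["group:data-team@example.com"]}
  ],
  "etag": "ABC"
}
""")

# Assumed project-level policy: only data-team@ may run jobs in the project.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/bigquery.jobUser", "members": ["group:data-team@example.com"]},
]}

# Assumed subset of the predefined roles' permissions, enough for this check.
ROLE_PERMISSIONS = {
    "roles/bigquery.dataViewer": {"bigquery.datasets.get", "bigquery.tables.get",
                                  "bigquery.tables.getData", "bigquery.tables.list"},
    "roles/bigquery.dataOwner": {"bigquery.datasets.get", "bigquery.datasets.update",
                                 "bigquery.tables.get", "bigquery.tables.getData",
                                 "bigquery.tables.delete"},
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
}

# Assumed group membership; the stem says analyst@ is not in data-team@.
GROUPS = {"group:data-team@example.com": {"user:lead@example.com"}}


def principals_for(member):
    """Binding members that match this principal: itself plus its groups."""
    return {member} | {g for g, users in GROUPS.items() if member in users}


def effective_roles(member, *policies):
    """Union of roles bound to the principal across all supplied policies."""
    ids = principals_for(member)
    return {b["role"] for p in policies for b in p["bindings"]
            if ids & set(b["members"])}


def effective_permissions(member, *policies):
    """Flatten the effective roles into the permissions they carry."""
    perms = set()
    for role in effective_roles(member, *policies):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def missing_for_query(member, *policies):
    """A query reads table data on the dataset and creates a job in the
    project it runs in; return whichever of those the principal lacks."""
    needed = {"bigquery.tables.getData", "bigquery.jobs.create"}
    return needed - effective_permissions(member, *policies)


if __name__ == "__main__":
    for who in ("user:analyst@example.com", "user:lead@example.com"):
        print(who, sorted(effective_roles(who, DATASET_POLICY, PROJECT_POLICY)),
              "missing:", sorted(missing_for_query(who, DATASET_POLICY, PROJECT_POLICY)))
```

The point of the walk-through is that a dataset-level binding alone never settles a "user is denied" question: the same principal must be checked against every policy that applies to every resource the operation touches, with group expansion done before comparing members.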
Question 6 (medium, multiple choice)

A company notices that some Compute Engine instances are making unexpected outbound connections to suspicious IP addresses. They want to investigate the traffic patterns and identify the source of these connections. Which tool should they use?

Question 7 (medium, multiple choice)

A development team uses Cloud Secret Manager to store database credentials for an application running on Compute Engine. The application reads the secret using the Secret Manager API. After the team rotates the secret by adding a new version and setting it as the latest, the application continues to use the old secret version and fails to authenticate. The application is configured to fetch the secret with version 'latest' at startup. The team checks that the Compute Engine service account has the roles/secretmanager.secretAccessor role on the secret. What is the most likely cause of the issue?

Question 8 (hard, multiple choice)

A company has a VPC network named 'production' with subnets in us-central1 and europe-west1. They have on-premises data centers in New York and London connected via two HA VPN gateways to the respective regions. The on-premises networks use BGP with Cloud Routers in each region. The company also has a Shared VPC with service projects. Recently, they migrated a critical application to Google Cloud, which runs on Compute Engine instances in the europe-west1 subnet. The application needs to communicate with an on-premises database in London reachable via the London VPN. After the migration, the application fails to connect to the database. The Cloud Router in europe-west1 shows that it is receiving the on-premises routes. The instance has a default route to the internet via Cloud NAT. The firewall rules allow all traffic from the instance to the on-premises IP range. What is the most likely cause of the connectivity issue?

Question 9 (medium, multiple choice)

A company runs a GKE cluster in a private cluster mode (no public endpoint) in a custom VPC. The cluster nodes are in a subnet that uses a secondary IP range for pods. The company needs the pods to access an on-premises service over a Cloud VPN connection that terminates in a different region. The on-premises service IP range is 10.100.0.0/16. The VPC has a route for 10.100.0.0/16 pointing to the VPN gateway. However, pods cannot reach the on-premises service. The GKE cluster is configured with a Cloud NAT for outbound internet access. The pod IP range is 10.200.0.0/16. Which step is required to allow pod traffic to reach the on-premises network?

Question 10 (easy, multiple choice)

A small company has a single VPC with subnets in us-central1 (10.0.1.0/24) and us-west1 (10.0.2.0/24). They have a Compute Engine VM (web-server) in us-central1 that needs to connect to a Cloud SQL MySQL instance also in us-central1 using its private IP address 10.0.1.3. The Cloud SQL instance is configured with private IP only and is deployed in the same VPC. The web-server can successfully ping the Cloud SQL private IP (10.0.1.3). However, the application on the web-server fails to connect to the MySQL database with an authentication error. There are no custom firewall rules; only the default VPC firewall rules are in place. What is the most likely cause of the connection failure?

Question 11 (medium, multiple choice)

A security engineer needs to investigate a potential data exfiltration incident in a Google Cloud environment. The engineer has access to Cloud Logging and wants to identify any unusual outbound network traffic from Compute Engine instances. Which log sink filter should the engineer create to capture VPC flow logs for traffic destined to an external IP address not in the internal network ranges?
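Whatever filter the exam expects, the selection logic behind it is the same: take only VPC Flow Log entries, keep the ones the VM itself reported as the sender, and drop destinations inside the internal ranges. The Python below is an added illustration of that logic for Question 11, run over constructed sample entries; it is not the page's answer key. The entries follow the shape Cloud Logging uses for the compute.googleapis.com/vpc_flows log (jsonPayload.connection.*, jsonPayload.reporter), and the project name, VM name and addresses are made up.

```python
"""Flag VPC Flow Log entries for connections that a VM initiated to an address
outside the internal ranges, and build the equivalent Cloud Logging query.

Added illustration for Question 11, not the page's answer key. The log entries
are constructed in the shape Cloud Logging uses for the
compute.googleapis.com/vpc_flows log; project, VM name and addresses are made up.
"""
import ipaddress
import json

# RFC 1918 plus link-local: without 169.254.0.0/16 the metadata server
# (169.254.169.254) would show up as "external" on every instance.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

FLOW_LOG = "projects/demo-project/logs/compute.googleapis.com%2Fvpc_flows"


def _flow(reporter, src, dst, port, vm, sent):
    """Build one constructed vpc_flows entry as the JSON line an export sees."""
    return json.dumps({"logName": FLOW_LOG, "jsonPayload": {
        "reporter": reporter,
        "connection": {"src_ip": src, "dest_ip": dst, "dest_port": port, "protocol": 6},
        "src_instance": {"vm_name": vm},
        "bytes_sent": str(sent)}})


# Constructed sample: an internal flow, a suspicious egress, an inbound flow
# reported by the receiving VM, and an entry from an unrelated log.
SAMPLE_ENTRIES = [
    _flow("SRC", "10.0.1.5", "10.0.2.9", 3306, "web-1", 4200),
    _flow("SRC", "10.0.1.5", "198.51.100.23", 4444, "web-1", 987654),
    _flow("DEST", "203.0.113.7", "10.0.1.5", 443, "web-1", 512),
    json.dumps({"logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
                "protoPayload": {"methodName": "v1.compute.instances.insert"}}),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def external_egress(lines):
    """Return one record per flow a VM opened to a non-internal destination.
    Only reporter=SRC entries count: a DEST entry is either inbound traffic or
    the receiving VM's copy of a flow the sender already reported."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        if not entry.get("logName", "").endswith("vpc_flows"):
            continue
        payload = entry["jsonPayload"]
        if payload.get("reporter") != "SRC":
            continue
        conn = payload["connection"]
        if is_internal(conn["dest_ip"]):
            continue
        hits.append({"vm": payload.get("src_instance", {}).get("vm_name"),
                     "dest_ip": conn["dest_ip"], "dest_port": conn["dest_port"],
                     "bytes": int(payload.get("bytes_sent", 0))})
    return hits


def logging_filter():
    """The same selection as a Cloud Logging query; ip_in_net() is a built-in
    function of the Logging query language."""
    nets = " OR ".join(f'ip_in_net(jsonPayload.connection.dest_ip, "{n}")'
                       for n in INTERNAL_RANGES)
    return ('logName:"compute.googleapis.com%2Fvpc_flows"\n'
            'jsonPayload.reporter="SRC"\n'
            f'NOT ({nets})')


if __name__ == "__main__":
    for hit in external_egress(SAMPLE_ENTRIES):
        print(hit)
    print(logging_filter())
```

Two caveats a practitioner would add: flow logs must be enabled on the subnet (with a sampling rate that keeps the connections of interest), and a sink's inclusion filter only captures entries written after the sink exists, so for an incident already in progress the query is run against Logs Explorer over the retention window rather than waiting on the sink.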

Question 12 (medium, multiple choice)

A security engineer is troubleshooting connectivity issues between two Compute Engine instances in the same VPC but in different subnets. Both instances have internal IPs and are in the same region. The firewall rules allow ingress from 10.0.0.0/8. However, traffic is failing. What is the most likely cause?

Question 13 (medium, multiple choice)

Refer to the exhibit. A security engineer runs the gcloud command to analyze IAM policy for a user in an organization. The output shows that the user has the 'compute.instances.create' permission via a role at the organization level. However, the user is unable to create Compute Engine instances in a specific project. What is the most likely cause?

Exhibit

gcloud asset analyze-iam-policy \
  --organization=123456789012 \
  --full-resource-name='//cloudresourcemanager.googleapis.com/projects/123456789012' \
  --identity='user:alice@example.com' \
  --permissions='compute.instances.create'
Question 14 (easy, multiple choice)

A company uses Cloud Storage buckets to store customer uploads. Recently, a customer reported that a file they uploaded yesterday is missing. The bucket has object versioning enabled. The security team wants to investigate how the file went missing and whether any other files have been affected. The company's compliance requirements mandate that all object deletions must be logged and reviewed. What should the admin do first to investigate the missing file?

Question 15 (easy, multiple choice)

A user is unable to create a Compute Engine instance using a custom image from a family. What is the missing permission?

Exhibit (flags passed to gcloud compute instances create)

  --image-family=my-image \
  --image-project=my-image-project

These PCSE practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCSE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.