PCSE · topic practice

Configuring network security practice questions

Practise Google Professional Cloud Security Engineer Configuring network security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Configuring network security

What the exam tests

What to know about Configuring network security

Configuring network security questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Configuring network security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Configuring network security questions

20 questions · select your answer, then reveal the explanation

Question 1easymultiple choice
Review the full subnetting walkthrough →

Your organization has a VPC with several subnets hosting Compute Engine instances. You need to allow SSH access (port 22) to instances in the 'management' subnet from the internet, but only from the office's static IP range (203.0.113.0/24). All other ingress traffic to that subnet should be blocked. Which firewall rule configuration should you create?

Question 2mediummultiple choice
Read the full VPN explanation →

Your company is deploying a web application on Google Kubernetes Engine (GKE) with an Internal Load Balancer (ILB) as the ingress. The application must only be accessible from within the same VPC and from an on-premises network connected via Cloud VPN. The on-premises network uses IP range 10.0.0.0/8. You have already created the ILB with a backend service. What is the most secure way to restrict access to the ILB?

You have a Compute Engine VM that hosts a custom application. The VM has a tag 'app-server' and is in a VPC network with the following firewall rules (priority order from lowest to highest):

Rule 1: Priority 1000, direction INGRESS, source 0.0.0.0/0, target tag 'app-server', protocol tcp:80, action allow Rule 2: Priority 500, direction INGRESS, source 10.0.0.0/8, target tag 'app-server', protocol tcp:80, action deny Rule 3: Priority 2000, direction INGRESS, source 192.168.0.0/16, target tag 'app-server', protocol tcp:80, action allow

A user from IP 10.0.0.5 tries to access the application on port 80. Will the request be allowed or denied?

Question 4mediummultiple choice
Read the full NAT/PAT explanation →

Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?

Question 5hardmultiple choice
Read the full NAT/PAT explanation →

You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?

You are a security engineer for a company that runs a critical application on Google Cloud. You need to implement defense in depth for network security. Which TWO of the following are effective network security controls that you should implement?

Your company has a VPC with multiple subnets. You have deployed a set of Compute Engine instances that must communicate with each other over TCP port 4444. The instances are tagged with 'app-tier'. You need to ensure that only these instances can communicate on this port. Which THREE of the following steps are necessary to achieve this?

Question 8hardmultiple choice
Read the full NAT/PAT explanation →

You are designing network security for a multi-region GKE cluster with Pods that need to communicate across regions over a private network. The cluster uses VPC-native mode. Which Google Cloud networking feature should you use to ensure low-latency and secure inter-region Pod-to-Pod communication without traversing the public internet?

Question 9easymultiple choice
Review the full routing breakdown →

Your organization requires that all egress traffic from a VPC network be inspected by a third-party security appliance before leaving the network. The appliance is deployed in a separate VPC. What is the most scalable and maintainable way to route traffic through the appliance?

Question 10mediummultiple choice
Review the full subnetting walkthrough →

A security engineer is troubleshooting connectivity issues between two Compute Engine instances in the same VPC but in different subnets. Both instances have internal IPs and are in the same region. The firewall rules allow ingress from 10.0.0.0/8. However, traffic is failing. What is the most likely cause?

Which TWO options are valid methods to secure data in transit between an on-premises data center and a Google Cloud VPC?

Which THREE components are required to configure VPC Flow Logs for a Compute Engine instance?

Your organization wants to ensure that no Compute Engine instance can have a public IP address. What is the best way to enforce this policy?

A company is using a Shared VPC in Google Cloud with multiple service projects. The security team wants to restrict egress traffic from a specific service project to only allowed external IP addresses. The network project hosts the VPC. What is the best approach?

Question 15hardmultiple choice
Open the full BGP breakdown →

Your organization has a hybrid network with an on-premises data center connected to Google Cloud via a Dedicated Interconnect. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) and Google Cloud VPC has a subnet in 10.1.0.0/16. You've configured a Cloud Router with BGP to exchange routes. Recently, you set up a new VPC with a subnet in 10.2.0.0/16 and peered it with the first VPC using VPC Network Peering. You notice that on-premises traffic destined to 10.2.0.0/16 is being dropped. You verify that the firewall rules allow the traffic and that BGP routes for 10.2.0.0/16 are not advertised on-premises. What should you do to enable connectivity from on-premises to the new VPC?

Question 16hardmultiple choice
Read the full DNS explanation →

You are a security engineer for a financial services company that processes sensitive customer data. Your architecture includes two VPCs: 'data-vpc' (10.1.0.0/16) containing BigQuery datasets and Cloud Storage buckets, and 'app-vpc' (10.2.0.0/16) containing Compute Engine instances running a customer-facing application. The application needs to read from BigQuery and write to Cloud Storage. You have configured VPC Network Peering between the VPCs. Additionally, you have set up Private Google Access on all subnets in 'data-vpc' and 'app-vpc'. The application instances cannot connect to BigQuery or Cloud Storage. You have verified that firewall rules allow egress traffic to the Google APIs IP range (199.36.153.4/30) and that DNS resolution works correctly. What is the most likely cause of the connectivity failure?

Question 17hardmultiple choice
Read the full NAT/PAT explanation →

A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project contains Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. The perimeter is defined with the project as a protected project. Which TWO actions are valid to restrict data exfiltration while maintaining necessary access?

Drag and drop the steps to configure a VPC Service Controls perimeter in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Drag and drop the steps to respond to a data breach involving a Cloud Storage bucket in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Configuring network security sessions

Start a Configuring network security only practice session

Every question in these sessions is drawn from the Configuring network security domain — nothing else.

Related practice questions

Related PCSE topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PCSE exam test about Configuring network security?
Configuring network security questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Configuring network security questions in a focused session?
Yes — the session launcher on this page draws every question from the Configuring network security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCSE topics?
Use the topic links above to move to related areas, or go back to the PCSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCSE exam covers. They are not copied from any real exam or dump site.