Google Cloud Network Engineer Sample Questions for Certification Success
- CertiMaan
- Oct 24, 2025
- 29 min read
Updated: Dec 17, 2025
Get exam-ready with expertly curated Google Cloud Network Engineer sample questions tailored to the certification exam blueprint. These practice questions cover key areas including Virtual Private Cloud (VPC) design, hybrid connectivity, network services, security, and automation. Whether you're a network professional or cloud architect aiming for the Professional Cloud Network Engineer certification, this resource provides hands-on experience through scenario-based questions that reflect the actual Google exam pattern. Perfect for validating your skills, assessing knowledge gaps, and boosting confidence before test day. Start preparing smarter and achieve success in your Google Cloud networking career.
Google Cloud Network Engineer Sample Questions List:
1. You have recently taken over responsibility for your organization's Google Cloud network security configurations. You want to review your Cloud Next Generation Firewall (Cloud NGFW) configurations and ensure there are no rules that are allowing ingress traffic to your VMs and services from the internet. You want to avoid manual work. What should you do?
Enable the Network Analyzer API and review the "VPC Network" category insights
Review the firewall policy rules associated with the VPC, and filter for rules that allow ingress from 0.0.0.0/0
Run Connectivity Tests from multiple external sources to double-check ingress traffic settings
Enable "Overly permissive rules insights" in Firewall Insights. Review results for rules that show allowed ingress traffic from internet sources
2. You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses. Which two methods can you use to accomplish this? (Choose two.)
Enable Private Google Access on the VPC
Enable Private Google Access on all the subnets
Create network peering between your VPC and BigQuery
Create a Cloud NAT, and route the application traffic via NAT gateway
Enable Private Services Access on the VPC
3. You have two Google Cloud projects in a perimeter to prevent data exfiltration. You need to move a third project inside the perimeter; however, the move could negatively impact the existing environment. You need to validate the impact of the change. What should you do?
Enable Firewall Rules Logging inside the third project
Modify the existing VPC Service Controls policy to include the new project in dry run mode
Enable VPC Flow Logs inside the third project, and monitor the logs for negative impact
Monitor the Resource Manager audit logs inside the perimeter
4. You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic. What should you do?
Create a new firewall rule with priority 65500 to deny all traffic, and enable logs
Try connecting to the instance via SSH, and check the logs
Check the VPC flow logs for the instance
Create a new firewall rule to allow traffic from port 22, and enable logs
5. You are implementing a VPC architecture for your organization by using a Network Connectivity Center hub and spoke topology:
• There is one Network Connectivity Center hybrid spoke to receive on-premises routes.
• There is one VPC spoke that needs to be added as a Network Connectivity Center spoke.
Your organization has limited routable IP space for their cloud environment (192.168.0.0/20). The Network Connectivity Center spoke VPC is connected to on-premises with a Cloud Interconnect connection in the us-east4 region. The on-premises IP range is 172.16.0.0/16. You need to reach on-premises resources from multiple Google Cloud regions (us-west1, europe-central1, and asia-southeast1) and minimize the IP addresses being used. What should you do?
1. Configure a Private NAT gateway and NAT subnet in us-west1 (192.168.1.0/24), europe-central1 (192.168.2.0/24), and asia-southeast1 (192.168.3.0/24). 2. Add the VPC as a spoke and configure an export include policy to advertise only 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub. 3. Enable global dynamic routing to allow resources in us-west1, us-central1, and asia-southeast1 to reach the on-premises location through us-east4
1. Configure a Private NAT gateway instance in us-west1 (192.168.1.0/24), europe-central1 (192.168.2.0/24), and asia-southeast1 (192.168.3.0/24). 2. Add the VPC as a spoke and configure an export exclude policy on the VPC spoke to advertise only the NAT subnets 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub. 3. Enable global dynamic routing to allow resources in us-west1, us-central1, and asia-southeast1 to reach the on-premises location through us-east4
1. Configure a Private NAT gateway instance in us-west1 (172.16.1.0/24), europe-central1 (172.16.2.0/24), and asia-southeast1 (172.16.3.0/24). 2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise only the NAT subnets 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24 to the hub. 3. Enable global dynamic routing to allow resources in us-west1, us-central1, and asia-southeast1 to reach the on-premises location through us-east4
1. Configure a Private NAT gateway instance in us-east4 (192.168.1.0/24). 2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise 192.168.1.0/24 to the hub. 3. Enable global dynamic routing to allow resources in us-west1, us-central1, and asia-southeast1 to reach the on-premises location through us-east4
6. You have deployed an HTTP(s) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem. Which commands should you run?
gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS
gcloud compute instances add-access-config instance-1
gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS
gcloud compute health-checks update http health-check --unhealthy-threshold 10
7. You recently reviewed the user behavior for your main application, which uses an external global Application Load Balancer, and found that the backend servers were overloaded due to erratic spikes in the rate of client requests. You need to limit the concurrent sessions and return an HTTP 429 Too Many Requests response back to the client while following Google-recommended practices. What should you do?
Create a Cloud Armor security policy, and associate the policy with the load balancer. Configure the security policy's settings as follows: action: throttle; conform action: allow; exceed action: deny-429
Configure the load balancer to accept only the defined amount of requests per client IP address, increase the backend servers to support more traffic, and redirect traffic to a different backend to burst traffic
Create a Cloud Armor security policy, and apply the predefined Open Worldwide Application Security Project (OWASP) rules to automatically implement the rate limit per client IP address
Configure a VM with Linux, implement the rate limit through iptables, and use a firewall rule to send an HTTP 429 response to the client application
8. Your organization's current architecture has one Shared VPC host project (SH_HOST_PRJ) that contains a single VPC (SH_VPC) and two Shared VPC service projects (SP_ONE_PRJ and SP_TWO_PRJ) that do not contain any VPCs. Each Shared VPC service project belongs to a different team: TEAM_ONE manages SP_ONE_PRJ and TEAM_TWO manages SP_TWO_PRJ. You must design a solution that allows each team to create their own DNS private zones and DNS records only in their respective Shared VPC service projects. Workloads in SP_ONE_PRJ must be able to resolve all the DNS private zones defined in SP_TWO_PRJ and conversely. Your design must have the least amount of set up effort. What should you do?
1. TEAM_ONE creates a new VPC (SP_ONE_VPC) in the Shared VPC service projects (SP_ONE_PRJ). TEAM_ONE creates Cloud DNS private zones and DNS records in SP_ONE_PRJ, and binds the zones to the new VPC (SP_ONE_VPC). TEAM_ONE creates a VPC Network Peering relationship between SP_ONE_VPC and the VPC (SH_VPC) in the Shared VPC host project (SH_HOST_PRJ). 2. TEAM_TWO completes the same actions for the SP_TWO_PRJ project
1. TEAM_ONE uses cross-project binding and creates Cloud DNS private zones and DNS records in SP_ONE_PRJ, and binds the zones to the Shared VPC host project (SH_HOST_PRJ). 2. TEAM_TWO creates Cloud DNS private zones and DNS records in SP_TWO_PRJ, and uses cross-project binding to connect the zones to the Shared VPC host project (SH_HOST_PRJ)
1. TEAM_ONE uses cross-project binding and creates Cloud DNS private zones and DNS records in SP_ONE_PRJ, and binds the zones to the VPC (SH_VPC) in the Shared VPC host project (SH_HOST_PRJ). 2. TEAM_TWO creates DNS private zones and DNS records in SP_TWO_PRJ and uses cross-project binding to connect the zones to the VPC (SH_VPC) in the Shared VPC host project (SH_HOST_PRJ)
1. TEAM_ONE creates a new VPC (SP_ONE_VPC) in the Shared VPC service projects (SP_ONE_PRJ). TEAM_ONE creates Cloud DNS private zones and DNS records in SP_ONE_PRJ, and binds the zones to the new VPC (SP_ONE_VPC). TEAM_ONE creates a Cloud DNS peering relationship between SP_ONE_VPC and the VPC (SH_VPC) in the Shared VPC host project (SH_HOST_PRJ). 2. TEAM_TWO completes the same actions for the SP_TWO_PRJ project
9. You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is configured on the web servers, but responses served by Cloud CDN are not compressed. What is the most likely cause of the problem?
The web servers behind the load balancer are configured with different compression types
You have to configure the web servers to compress responses even if the request has a Via header
You have configured the web servers and Cloud CDN with different compression types
You have not configured compression in Cloud CDN
10. Your company deployed a hub and spoke architecture in Google Cloud to host their workloads. They use VPC network peerings to connect the hub and the spokes. You need to replicate the design and use Network Connectivity Center. What should you do?
Choose a Network Connectivity Center mesh topology. Configure the spokes as Network Connectivity Center spokes
Choose a Network Connectivity Center star topology. Deploy the hub VPC in the center group. Deploy the spoke VPCs in the edge group
Choose a Network Connectivity Center mesh topology. Configure the hub and the spokes as Network Connectivity Center spokes
Choose a Network Connectivity Center star topology. Deploy the spoke VPCs in the center group. Deploy the hub VPC in the edge group
11. You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
gcloud compute routes create no-ip-internet-route \
  --network custom-network1 \
  --destination-range 0.0.0.0/0 \
  --next-hop-instance nat-gateway \
  --next-hop-instance-zone us-central1-a \
  --tags no-ip --priority 800
You want existing instances to use the new NAT gateway. Which command should you execute?
gcloud compute instances add-tags [existing-instance] --tags no-ip
sudo sysctl -w net.ipv4.ip_forward=1
gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=no-ip
gcloud compute instances create example-instance --network custom-network1 \ --subnet subnet-us-central \ --no-address \ --zone us-central1-a \ --image-family debian-9 \ --image-project debian-cloud \ --tags no-ip
12. Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption-in-transit over the Cloud Interconnect connections. You have created a Cloud Router and two VLAN attachments. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?
Create an HA VPN gateway and associate the gateway with your two VLAN attachments. Use the existing Cloud Router for HA VPN, the peer VPN gateway resources, and the HA VPN tunnels
Create an HA VPN gateway and associate the gateway with your two VLAN attachments. Create a new Cloud Router for HA VPN, the peer VPN gateway resources, and the HA VPN tunnels
Enable MACsec on Partner Cloud Interconnect
Enable MACsec on the VLAN attachments
13. Your organization has a hub and spoke architecture with VPC Network Peering, and hybrid connectivity is centralized at the hub. The Cloud Router in the hub VPC is advertising subnet routes, but the on-premises router does not appear to be receiving any subnet routes from the VPC spokes. You need to resolve this issue. What should you do?
Create custom routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes
Create a BGP route policy at the Cloud Router, and ensure the subnets of the VPC spokes are being announced towards the on-premises environment
Create custom learned routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes
Create custom routes at the Cloud Router in the spokes to advertise the subnets of the VPC spokes
14. You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services. Which session affinity should you choose?
Client IP
None
Client IP, port and protocol
Client IP and protocol
15. You are using the gcloud command line tool to create a new custom role in a project by copying a predefined role. You receive this error message: INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid. What should you do?
Add the resourcemanager.projects.setIamPolicy permission, and try again
Add the resourcemanager.projects.get permission, and try again
Try again with a different role with a new name but the same permissions
Remove the resourcemanager.projects.list permission, and try again
16. You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?
Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header
Use External HTTP(S) Load Balancing with URL Maps and custom headers
Use Network Load Balancing
Use TCP Proxy Load Balancing with PROXY protocol enabled
17. You are responsible for designing a new connectivity solution between your organization's on-premises data center and your Google Cloud Virtual Private Cloud (VPC) network. Currently, there is no end-to-end connectivity. You must ensure a service level agreement (SLA) of 99.99% availability. What should you do?
Use two Dedicated Interconnect connections in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC
Use a Direct Peering connection between your on-premises data center and Google Cloud. Configure Classic VPN with two tunnels and one Cloud Router
Use one Dedicated Interconnect connection in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC
Use HA VPN. Configure one tunnel from each interface of the VPN gateway to connect to the corresponding interfaces on the peer gateway on-premises. Configure one Cloud Router and enable global routing in the VPC
18. You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to restrict VPN tunnels created in the project to only connect to your on-premises VPN public IP address: 203.0.113.1/32. What should you do?
Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface
Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1
Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32
Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address
19. Your organization has over 250 autonomous business units that currently operate in a decentralized manner. Due to the organization's maturity, there is limited routable private IP address space, which is insufficient to accommodate all of the necessary workloads. You need to create a cloud-first network design that uses the same IP address space across business unit workloads where possible. These business units require communication between units, and access to their on-premises data center. What should you do?
Create a hub and spoke design that incorporates a centralized network virtual appliance (NVA) in the hub to perform routing and NAT between spokes
Create a hub and spoke model that incorporates VPC Network Peering with hybrid connectivity centralized within the hub
Create a Network Connectivity Center design that incorporates Private NAT to facilitate communication between VPC spokes, and a Routing VPC to exchange dynamic routes from the on-premises environment
Create a Network Connectivity Center design that incorporates Private Service Connect to provide bidirectional communication between VPC spokes, and a Routing VPC to exchange dynamic routes from the on-premises environment
20. Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired. During troubleshooting you find:
• Each on-premises router is configured with a unique ASN.
• Each on-premises router is configured with the same routes and priorities.
• Both on-premises routers are configured with a VPN connected to a single Cloud Router.
• BGP sessions are established between both on-premises routers and the Cloud Router.
• Only 1 of the on-premises router's routes are being added to the routing table.
What is the most likely cause of this problem?
The on-premises routers are configured with the same routes
You do not have a load balancer to load-balance the network traffic
The ASNs being used on the on-premises routers are different
A firewall is blocking the traffic across the second VPN connection
21. Your company uses VPC firewall rules and denies all egress traffic. You need to allow some VMs to contact external websites based on their fully qualified domain name (FQDN). You apply the new configuration, but the traffic is still denied. You need to adjust your setup so that the new configuration takes effect. What should you do?
Update the default policy and rule evaluation order to AFTER_CLASSIC_FIREWALL
Raise the priority of the network firewall policy rules
Lower the priority of the network firewall policy rules
Update the default policy and rule evaluation order to BEFORE_CLASSIC_FIREWALL
22. You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via TCP on port 700. You want to ensure high availability for this application. What should you do?
Create a TCP proxy that uses backend services containing an instance group with two instances
Create a network load balancer that uses a target pool backend with two instances
Create a network load balancer that uses backend services containing one instance group with two instances
Create a TCP proxy that uses a zonal network endpoint group containing one instance
23. You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on-premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team's requirements?
1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. 2. Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop
1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. 2. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop
1. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range. 2. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop
1. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range. 2. Create a custom route that points Google's private API address range to the default internet gateway as the next hop
24. Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption-in-transit over the Cloud Interconnect connections. You have created a Cloud Router and two encrypted VLAN attachments that have a 5 Gbps capacity and a BGP configuration. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?
Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same encrypted Cloud Router used for the Cloud Interconnect tier
Enable MACsec for Cloud Interconnect on the VLAN attachments
Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Create a new dedicated HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels
Enable MACsec on Partner Interconnect
25. You are developing an HTTP API hosted on a Compute Engine virtual machine instance that must be invoked only by multiple clients within the same Virtual Private Cloud (VPC). You want clients to be able to get the IP address of the service. What should you do?
Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Clients should use this IP address to connect to the service
Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal/
Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[API_NAME]/[API_VERSION]/
Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Then, define an A record in Cloud DNS. Clients should use the name of the A record to connect to the service
26. You are deploying your infrastructure in the us-central1 region. Your on-premises data center is located in New York City, and the Google Cloud region closest to New York City is us-east4. Your Cloud Interconnect is located in Ashburn, Virginia (VA), United States. You need to use Cloud Interconnect to connect your application infrastructure with backend systems in your data center location. You do not expect the application bandwidth to exceed 500 Mbps. You want to minimize latency and cost. What should you do?
Create a Cloud Router and VLAN attachments in the us-central1 region attached to your physical Interconnect in Ashburn, VA
Create a Cloud Router and VLAN attachments in the us-east4 region attached to your physical Interconnect in Ashburn, VA. Enable global routing in your VPC. Set the bandwidth on the VLAN attachments to 500 Mbps
Create a Cloud Router in the us-central1 region and VLAN attachments in the us-east4 region attached to your physical Interconnect in Ashburn, VA. Enable global routing in your VPC
Create a Cloud Router and VLAN attachments in the us-east4 region attached to your physical Interconnect in Ashburn, VA. Enable global routing in your VPC
27. You need to configure a Google Kubernetes Engine (GKE) cluster. The initial deployment should have 5 nodes with the potential to scale to 10 nodes. The maximum number of Pods per node is 8. The number of services could grow from 100 to up to 1024. How should you design the IP schema to optimally meet this requirement?
Configure a /28 primary IP address range for the node IP addresses. Configure a /24 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services
Configure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services
Configure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services
Configure a /28 primary IP address range for the node IP addresses. Configure a /28 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services
28. You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin. What should you do?
Create a new storage bucket, and move the object you don't want to be cached anymore inside it. Then edit the bucket setting and enable the private attribute
Add a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies
Ensure that the object you don't want to be cached anymore is not shared publicly
Add an appropriate lifecycle rule on the storage bucket containing the two objects
29. Your team deployed two applications in GKE that are exposed through an external Application Load Balancer. When queries are sent to www.mountkirkgames.com/sales and www.mountkirkgames.com/get-an-analysis, the correct pages are displayed. However, you have received complaints that www.mountkirkgames.com yields a 404 error. You need to resolve this error. What should you do?
Review the Service YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML
Review the Ingress YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML
Review the Service YAML file. Define a default backend. Reapply the YAML
Review the Ingress YAML file. Define the default backend. Reapply the YAML
30. Your organization's security policy requires that all internet-bound traffic return to your on-premises data center through HA VPN tunnels before egressing to the internet, while allowing virtual machines (VMs) to leverage private Google APIs using private virtual IP addresses 199.36.153.4/30. You need to configure the routes to enable these traffic flows. What should you do?
Announce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center
Configure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center
Announce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default internet gateway
Configure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next hop is the VPN tunnel back to the on-premises data center
31. You have two VPCs: VPC A in Project A and VPC B in Project B. The VPCs are peered, and each VPC has VM instances in four zones. You are using the Network Intelligence Center Performance Dashboard to investigate the packet loss for traffic flows that start in VPC A and terminate in VPC B. You need the reported packet loss metric to have at least a 90% confidence level. What should you do?
Ensure that each zone in each of the VPC networks has at least 9 compute instances. Look in Project B for the reported metric
Ensure that each zone in each of the VPC networks has at least 10 compute instances. Look in Project B for the reported metric
Ensure that each zone in each of the VPC networks has at least 10 compute instances. Look in Project A for the reported metric
Ensure that each zone in each of the VPC networks has at least 9 compute instances. Look in Project A for the reported metric
32. You are configuring a new application that will be exposed behind an external load balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest possible latency while ensuring high availability and autoscaling. Which configuration should you use?
Use global TCP Proxy Load Balancing with backends in both regions
Use Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region
Use global external HTTP(S) Load Balancing with backends in both regions
Use global SSL Proxy Load Balancing with backends in both regions
33. You want to create a service in GCP using IPv6. What should you do?
Configure an internal load balancer with the designated IPv6 address
Configure a TCP Proxy with the designated IPv6 address
Configure a global load balancer with the designated IPv6 address
Create the instance with the designated IPv6 address
34. You are troubleshooting an application in your organization's Google Cloud network that is not functioning as expected. You suspect that packets are getting lost somewhere. The application sends packets intermittently at a low volume from a Compute Engine VM to a destination on your on-premises network through a pair of Cloud Interconnect VLAN attachments. You validated that the Cloud Next Generation Firewall (Cloud NGFW) rules do not have any deny statements blocking egress traffic, and you do not have any explicit allow rules. Following Google-recommended practices, you need to analyze the flow to see if packets are being sent correctly out of the VM to isolate the issue. What should you do?
Verify the network/attachment/egress_dropped_packets_count Cloud Interconnect VLAN attachment metric
Create a packet mirroring policy that is configured with your VM as the source and destined to a collector. Analyze the packet captures
Enable VPC Flow Logs on the subnet that the VM is deployed in with SAMPLE_RATE = 1.0, and run a query in Logs Explorer to analyze the packet flow
Enable Firewall Rules Logging on your firewall rules and review the logs
35. You are troubleshooting connectivity issues between Google Cloud and a public SaaS provider. The connectivity between the two environments is through the public internet. Your users are reporting intermittent connection errors when using TCP to connect; however, ICMP tests show no failures. According to users, errors occur around the same time every day. You want to troubleshoot and gather information by using Google Cloud tools that are most likely to provide insights to what is occurring within Google Cloud. What should you do?
Enable and review Cloud Logging on your Cloud NAT Gateway. Look for logs with errors that match the destination IP address of the public SaaS provider
Create a Connectivity Test. Review the results for configuration issues in the VPC routing table
Enable the Firewall Insights API. Set the Deny rule insights observation period to one day. Review Insight results to ensure there are no firewall rules denying traffic
Enable and review Cloud Logging for Cloud Armor. Look for logs with errors that match the destination IP address of the public SaaS provider
36. Your company uses Compute Engine instances that are exposed to the public internet. Each compute instance has a single network interface with a single public IP address. You need to block any connection attempt that originates from internet clients with IP addresses that belong to the BGP_ASN_TOBLOCK BGP ASN. What should you do?
Create a new Cloud Armor edge security policy, and use the --network-src-asns parameter
Create a new Cloud Armor network edge security policy, and use the --network-src-asns parameter
Create a new Cloud Armor backend security policy, and use the --network-src-asns parameter
Create a new firewall policy ingress rule, and use the --network-src-asns parameter
37. Your team is developing an application that will be used by consumers all over the world. Currently, the application sits behind a global external application load balancer. You need to protect the application from potential application-level attacks. What should you do?
Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service
Create a VPC Service Controls perimeter with the global external application load balancer as the protected service, and apply it to the backend service
Create multiple firewall deny rules to block malicious users, and apply them to the global external application load balancer
Enable Cloud CDN on the backend service
38. You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?
Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --enable-ip-alias and --enable-private-nodes
Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters
Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes
Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the services across multiple private GKE clusters
39. You are creating a design that will connect your single on-premises data center to a VPC in Google Cloud by using an IPsec VPN connection. The connection must have a minimum SLA of 99.99%. There is a single VPN termination device located in your on-premises data center. The VPN termination device can be configured only with a single public IP address. Your design must also have the least amount of setup effort. What should you do?
1. Replace the existing on-premises VPN termination device with a new device that is configured with two different public IP addresses. 2. Create one HA VPN gateway. 3. Create one tunnel for each of the two HA VPN gateway interfaces. 4. Terminate each of the two tunnels on one of the two public IP addresses that is configured on the new VPN termination device located in your on-premises data center
1. Create one Classic VPN gateway and one HA VPN gateway. 2. Create one tunnel on the interface of the Classic VPN gateway and one tunnel on interface 1 of the HA VPN gateway. 3. Terminate each of the two tunnels on the single public IP address that is configured on the VPN termination device located in your on-premises data center
1. Create two HA VPN gateways. 2. Create one tunnel on interface 0 of one gateway and create one tunnel on interface 1 of the other gateway. 3. Terminate each of the two tunnels on the single public IP address that is configured on the VPN termination device located in your on-premises data center
1. Create one HA VPN gateway. 2. Create one tunnel for each of the two HA VPN gateway interfaces. 3. Terminate each of the two tunnels on the single public IP address that is configured on the VPN termination device located in your on-premises data center
40. Your organization is using a Shared VPC model. Service project owners want to independently manage their DNS zones in service projects. All service project workloads must be able to resolve all private zones that are defined in other service projects. You need to create a solution that meets these goals. What should you do?
Create a Cloud DNS private zone in each service project. Use Cloud DNS peering zones that target the Shared VPC in the host project
Create a Cloud DNS response policy zone in each service project. Use Cloud DNS peering zones that target the Shared VPC in the host project
Create a Cloud DNS private zone in each service project. Use cross-project binding to associate the zones to the Shared VPC in the host project
Create a Cloud DNS private zone in each service project. Use a Cloud DNS forwarding zone to forward queries to the Shared VPC in the host project
41. One instance in your VPC is configured to run with a private IP address only. You want to ensure that even if this instance is deleted, its current private IP address will not be automatically assigned to a different instance. In the GCP Console, what should you do?
Add custom metadata to the instance with key internal-address and value reserved
Assign a new reserved internal IP address to the instance
Change the instance's current internal IP address to static
Assign a public IP address to the instance
42. You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale. How should you provision your instances?
Create a single managed instance group, specify the desired region, and select Multiple zones for the location
Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group
Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region
Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones
43. You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24. 3. Set a custom route advertisement on the Cloud Router for 10.204.0.0/24
1. Create a private zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com. 2. Configure DNS Server Policies and create a policy with Alternate DNS servers to 192.168.20.88. 3. Configure your on-premises firewall to accept traffic from 35.199.192.0/19. 4. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24. 3. Modify the /etc/resolv.conf file on your Compute Engine instances to point to 192.168.20.88
1. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88. 2. Configure your on-premises firewall to accept traffic from 35.199.192.0/19. 3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
44. Your organization deployed a mission critical application that is expected to be a new revenue source. As part of the planning and deployment process, you have recently implemented a security profile with the default set of threat signatures provided by Cloud Next Generation Firewall (Cloud NGFW). This application is the only application running on this project. You need to increase the security posture of the application to log the threat and drop the related packets. What should you do?
Set up a Linux VM as the frontend gateway for the application. Create iptables rules to drop all packets, excluding the application port
Configure Cloud Scheduler to run a task that checks the Cloud NGFW logs to verify the threats. Configure the task to create a security profile with each signature ID set to override the default action
Configure a new default threat signature with Deny All to all severity options. Review the logs to understand the impact
For all severity options (critical, high, medium, low and informational) in the security profile, change the default override action to Deny
45. You are creating an instance group and need to create a new health check for HTTP(s) load balancing. Which two methods can you use to accomplish this? (Choose two.)
Create a new legacy health check using the gcloud command line tool
Create a new health check, or select an existing one, when you complete the load balancer's backend configuration in the GCP Console
Create a new health check using the gcloud command line tool
Create a new legacy health check using the Health checks section in the GCP Console
Create a new health check using the VPC Network section in the GCP Console
46. You have just deployed your infrastructure on Google Cloud. You now need to configure the DNS to meet the following requirements: • Your on-premises resources should resolve your Google Cloud zones. • Your Google Cloud resources should resolve your on-premises zones. • You need the ability to resolve “.internal” zones provisioned by Google Cloud. What should you do?
Configure both an inbound server policy and outbound DNS forwarding zones with the target as the on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver
Configure an outbound DNS server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver
Configure an outbound server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.
Configure Cloud DNS to DNS peer with your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.
47. Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates. Which Google Cloud load balancer should you use?
SSL proxy load balancer
Network load balancer
HTTPS load balancer
TCP proxy load balancer
48. You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements: ✑ IP ranges for pods and services must be as small as possible. ✑ The nodes and the master must not be reachable from the internet. ✑ You must be able to use kubectl commands from on-premises subnets to manage the cluster. How should you create the GKE cluster?
• Create a private cluster that uses VPC advanced routes. • Set the pod and service ranges as /24. • Set up a network proxy to access the master
• Create a VPC-native GKE cluster using user-managed IP ranges. • Enable a GKE cluster network policy, set the pod and service ranges as /24. • Set up a network proxy to access the master. • Enable master authorized networks
• Create a VPC-native GKE cluster using GKE-managed IP ranges. • Set the pod IP range as /21 and service IP range as /24. • Set up a network proxy to access the master
• Create a VPC-native GKE cluster using user-managed IP ranges. • Enable privateEndpoint on the cluster master. • Set the pod and service ranges as /24. • Set up a network proxy to access the master. • Enable master authorized networks
49. You have a storage bucket that contains the following objects: [1] [1] [1] [1] Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands. What should you do?
Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket
Add an appropriate lifecycle rule on the storage bucket
Issue a cache invalidation command with pattern /folder-a/*
Make sure that all the objects with prefix folder-a are not shared publicly
50. You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?
Configure the maximum transmission unit (MTU) to its highest supported value
Configure the remote autonomous system number (ASN) to 4096
Configure a second Cloud Router to scale bandwidth in and out of the VPC
Configure a second set of active/passive VPN tunnels
FAQs
1. What is the Google Professional Cloud Network Engineer certification exam?
The Google Professional Cloud Network Engineer exam validates your ability to design, implement, and manage network architectures on Google Cloud.
2. How do I become a Google Professional Cloud Network Engineer certified professional?
You must pass the Professional Cloud Network Engineer exam, which tests your skills in networking, hybrid connectivity, and optimizing Google Cloud networks.
3. What are the prerequisites for the Google Professional Cloud Network Engineer exam?
There are no formal prerequisites, but Google recommends 3+ years of industry experience including 1+ year of hands-on work with Google Cloud.
4. How much does the Google Professional Cloud Network Engineer certification cost?
The exam costs $200 USD, but pricing may vary by region or currency.
5. How many questions are in the Google Professional Cloud Network Engineer exam?
The exam consists of 50–60 multiple-choice and multiple-select questions, with a 2-hour time limit.
6. What topics are covered in the Google Professional Cloud Network Engineer exam?
It covers VPC design, hybrid connectivity, network services, security, load balancing, and automation.
7. How difficult is the Google Professional Cloud Network Engineer certification exam?
It’s an intermediate to advanced-level exam, requiring strong networking and Google Cloud experience.
8. How long does it take to prepare for the Google Professional Cloud Network Engineer exam?
Most candidates take 8–10 weeks to prepare thoroughly, depending on their background in networking.
9. What jobs can I get after earning the Google Professional Cloud Network Engineer certification?
You can work as a Cloud Network Engineer, Network Architect, or Infrastructure Engineer specializing in Google Cloud solutions.
10. How much salary can I earn with a Google Professional Cloud Network Engineer certification?
Certified professionals typically earn between $110,000–$150,000 per year, depending on role and experience.