📐 Designing and Prototyping a Google Cloud Network - PCNE Practice Questions

Design VPC networks, subnets, firewall rules, and network architecture for Google Cloud.

16 Questions Available
1 Exam Domain

PCNE Designing Networks Question Bank (16 Questions)

Browse all 16 practice questions covering Designing and Prototyping a Google Cloud Network for the PCNE certification exam. Each question includes the full answer and a detailed explanation to help you understand the concepts.

  1. Question 1: Implementing Virtual Private Cloud (VPC) Instances

    When should you use Shared VPC vs VPC Peering?

    A. They are interchangeable
    B. Shared VPC: centralized network admin across projects in one org (host project owns network). VPC Peering: connect VPCs across orgs or when teams need independent network control
    C. Always use Shared VPC
    D. Always use VPC Peering
    Correct Answer: B
    Explanation:

    Shared VPC: one host project manages network (subnets, firewall, routes). Service projects use subnets but don't manage them. Best for: centralized network team, consistent policies. VPC Peering: connect separate VPCs (same or different org). Each VPC independently managed. Non-transitive (A↔B, B↔C doesn't mean A↔C). Best for: inter-org, partner connectivity, team autonomy.

  2. Question 2: Designing, Planning, and Prototyping a Google Cloud Network

    What is the benefit of using a Shared VPC over VPC Peering for multi-project environments?

    A. Higher bandwidth
    B. Centralized network administration with IAM-based subnet delegation to service projects
    C. Lower cost
    D. Faster routing
    Correct Answer: B
    Explanation:

    Shared VPC centralizes network administration in a host project while allowing service projects to use shared subnets, providing unified management with delegated resource creation.

  3. Question 3: Designing, Planning, and Prototyping a Google Cloud Network

    What is Shared VPC vs VPC Peering?

    A. Same thing
    B. Shared VPC: host project shares subnets with service projects (centralized administration). VPC Peering: two independent VPCs exchange routes (decentralized).
    C. Shared VPC is peer-to-peer
    D. Peering requires shared project
    Correct Answer: B
    Explanation:

    Shared VPC: centralized networking — host project owns VPC, service projects use subnets. Central network team controls subnets/firewall. VPC Peering: two VPCs exchange routes, each managed independently. Shared VPC for central control, peering for autonomous teams.

  4. Question 4: Implementing Virtual Private Cloud (VPC) Instances

    How do you enforce organization-wide firewall policies across all VPCs?

    A. Create rules in each VPC
    B. Hierarchical firewall policies at the organization or folder level — rules are evaluated before VPC firewall rules, enforcing mandatory security policies across all projects
    C. Use Cloud Armor instead
    D. It's not possible
    Correct Answer: B
    Explanation:

    Hierarchical firewall policies: org-level or folder-level. Evaluation order: org policy → folder policy → VPC network firewall policy → VPC firewall rules. Actions: ALLOW, DENY, GOTO_NEXT (delegate to lower level). Use: enforce org-wide rules (block known-bad IPs, require specific ports), allow teams to manage their own VPC rules within guardrails. Global network firewall policies: cross-region rules.

  5. Question 5: Implementing Hybrid Interconnectivity

    When should you use Private Service Connect instead of VPC peering for accessing managed services?

    A. Always use VPC peering
    B. PSC: provides a private endpoint (IP) in your VPC for Google services — consumer controls the IP, no route exchange, no IP overlap concerns. VPC peering: full network connectivity with route sharing
    C. They are the same
    D. PSC is only for third-party services
    Correct Answer: B
    Explanation:

    PSC vs VPC peering: PSC advantages: consumer-side IP control (you choose the IP), no route exchange (no subnet visibility), no IP overlap issues, works across orgs. VPC peering: full subnet route exchange (mutual), requires non-overlapping CIDRs, managed service can see your routes. PSC use: access Google APIs, Cloud SQL, GKE control plane, third-party services. PSC Published Service: expose your own service to consumers.

  6. Question 6: Managing, Monitoring, and Optimizing Network Operations

    What is Cloud Next Generation Firewall and how does it differ from standard VPC firewall rules?

    A. They are the same
    B. Cloud NGFW adds FQDN-based rules, threat intelligence (block known malicious IPs), intrusion detection/prevention (IDS/IPS), and TLS inspection — beyond standard IP/port-based VPC firewall rules
    C. NGFW replaces Cloud Armor
    D. NGFW is third-party only
    Correct Answer: B
    Explanation:

    Cloud NGFW tiers: Standard: FQDN objects (allow traffic to *.googleapis.com), geo-location filtering, threat intelligence (Google-curated malicious IP feeds). Enterprise: IDS/IPS (inspect traffic for threats, powered by Palo Alto Networks signatures), TLS inspection (decrypt/inspect HTTPS traffic). vs VPC firewall: standard rules are IP/port/protocol only. NGFW: application-aware, threat-aware. Applied via: firewall policies.

  7. Question 7: Implementing Virtual Private Cloud (VPC) Instances

    Which VPC routing mode allows all subnets in all regions to communicate through the VPC's routing table?

    A. Regional routing
    B. Global routing mode
    C. Static routing
    D. Policy-based routing
    Correct Answer: B
    Explanation:

    Global routing mode advertises all subnet routes to all regions in the VPC, enabling VMs in different regions to communicate directly without additional route configuration.

  8. Question 8: Implementing Virtual Private Cloud (VPC) Instances

    Which firewall rule priority number is evaluated first in Google Cloud VPC?

    A. 65535 (default)
    B. 0 (highest priority)
    C. 1000
    D. 100
    Correct Answer: B
    Explanation:

    Firewall rules with lower priority numbers are evaluated first. Priority 0 is the highest priority. The default rules have priority 65535 (lowest).

  9. Question 9: Implementing Virtual Private Cloud (VPC) Instances

    What is the purpose of VPC Network Peering?

    A. Internet connectivity
    B. Connecting two VPC networks to allow private communication using internal IPs without using external IPs, VPNs, or gateways
    C. DNS resolution
    D. Load balancing
    Correct Answer: B
    Explanation:

    VPC Peering connects two VPC networks (same or different projects/orgs) enabling private RFC 1918 communication. Traffic stays on Google's network without external IPs, gateways, or bandwidth bottlenecks.

  10. Question 10: Designing, Planning, and Prototyping a Google Cloud Network

    What are the best practices for VPC network design?

    A. One VPC per VM
    B. Use Shared VPC for centralized management, plan IP ranges for growth, use firewall policies for scalable rules, enable Private Google Access, and consider network tiers
    C. Random IP assignment
    D. One global VPC is always best
    Correct Answer: B
    Explanation:

    Best practices: Shared VPC for central control, plan IP ranges (/20+ for growth, secondary for GKE), hierarchical firewall policies, Private Google Access for GCP API access, Premium tier for performance, and VPC Flow Logs for visibility.

  11. Question 11: Implementing Virtual Private Cloud (VPC) Instances

    What is VPC Network Peering?

    A. VPN connection
    B. A networking connection between two VPC networks allowing resources to communicate using internal IP addresses across projects or organizations
    C. Internet routing
    D. DNS forwarding
    Correct Answer: B
    Explanation:

    VPC Peering: connect two VPCs for private communication. Features: no single point of failure (Google's infrastructure), no bandwidth bottleneck. Limitations: non-transitive (A↔B, B↔C doesn't mean A↔C), no overlapping IP ranges, max 25 peerings per VPC.

  12. Question 12: Designing, Planning, and Prototyping a Google Cloud Network

    What is Shared VPC?

    A. VPC Peering
    B. A network model where a host project owns the VPC network and shares subnets with service projects, enabling centralized network management while allowing project autonomy
    C. A duplicated VPC
    D. A public VPC
    Correct Answer: B
    Explanation:

    Shared VPC: host project owns VPC (subnets, firewall rules, routes). Service projects use shared subnets for their resources. Benefits: centralized network admin, consistent policies, simplified IP management. IAM: host project admin manages network, service project users deploy resources.

  13. Question 13: Implementing Virtual Private Cloud (VPC) Instances

    What are firewall policy rules vs VPC firewall rules?

    A. Same thing
    B. VPC firewall rules apply to a single VPC. Firewall policies (hierarchical or network) allow defining rules at org/folder/VPC level with priority ordering and delegation.
    C. VPC rules are hierarchical
    D. Policy rules are per-VM
    Correct Answer: B
    Explanation:

    VPC firewall rules: per-VPC, target by tag/SA, allow/deny. Hierarchical firewall policies: org/folder level, apply to all VPCs in scope. Network firewall policies: per-VPC but with policy features (groups, delegation). Evaluation: hierarchical → network → VPC rules.

  14. Question 14: Implementing a GCP Network

    What are VPC firewall rules and their evaluation order?

    A. Random order
    B. Firewall rules evaluated by priority (0-65535, lowest number = highest priority), with specific rules overriding more general ones, and an implied deny-all ingress and allow-all egress default
    C. Alphabetical order
    D. Creation order
    Correct Answer: B
    Explanation:

    Firewall rules: priority (0=highest, 65535=lowest), direction (ingress/egress), action (allow/deny), target (all, tag, service account), source/destination (IP, tag, service account), protocol/port. Evaluation: highest priority match wins. Default: implied deny-all ingress, allow-all egress (can be overridden). Best practice: use service account-based targeting for GKE/managed services.

  15. Question 15: Designing, Planning, and Prototyping a GCP Network

    What is Shared VPC and when should you use it?

    A. A VPN
    B. A networking feature that allows an organization to share a VPC network across multiple projects, centralizing network administration while maintaining project-level resource isolation
    C. A load balancer
    D. A firewall
    Correct Answer: B
    Explanation:

    Shared VPC: host project (owns VPC, subnets, firewall rules) + service projects (deploy resources into shared subnets). Benefits: centralized network admin, consistent firewall rules, IP address management, and service project isolation. Use for: multi-team organizations with shared network requirements. IAM: network admin in host project, resource admin in service projects. Alternative: VPC peering for less tightly coupled projects.

  16. Question 16: Implementing a GCP Network

    What is a VPC network peering?

    A. A VPN connection
    B. A networking connection between two VPC networks that enables private IP communication across projects or organizations without routing traffic through the public internet
    C. A load balancer
    D. A firewall rule
    Correct Answer: B
    Explanation:

    VPC peering: direct private IP connectivity between two VPCs. Features: no bandwidth bottleneck (full bandwidth), no single point of failure, works cross-project and cross-org. Limitations: no transitive peering (A↔B and B↔C doesn't mean A↔C), CIDR ranges must not overlap, and max 25 peering connections per VPC. Use for: project isolation with private connectivity. Alternative: Shared VPC for tighter coupling within an org.

Key Designing Networks Concepts for PCNE

vpc, subnet, firewall, network design, shared vpc, peering

PCNE Designing Networks Exam Tips

Designing and Prototyping a Google Cloud Network questions in PCNE are typically scenario-based. Focus on service-level decision making aligned to official exam objectives. Priority concepts: vpc, subnet, firewall, network design, shared vpc, peering.

What PCNE Expects

  • Select the most practical, secure, and scalable answer for the stated scenario.
  • Designing Networks scenarios for PCNE are frequently mapped to Domain 1 (~21%), so read the objective carefully before picking controls or architecture.
  • Expect multi-service scenarios where Designing Networks interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated service question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and managed-service best practices.

High-Value Designing Networks Concepts

  • Know the core Designing Networks building blocks cold: vpc, subnet, firewall, network design.
  • Review the edge-case features and limits for shared vpc and peering; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Designing Networks pairs with VPC Implementation and Hybrid Connectivity in real deployment patterns.
  • For PCNE, explain why the chosen Designing Networks design meets reliability, security, and cost expectations better than the alternatives.

Common PCNE Traps

  • Watch for answers that partially solve the requirement but miss operational constraints.
  • Questions in Designing and Prototyping often include distractors that look correct for Designing Networks but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Designing Networks implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Designing and Prototyping (~21%) outcomes for PCNE?
  • Can you explain security and access boundaries for Designing Networks without relying on default-open assumptions?
  • Can you describe how Designing Networks integrates with VPC Implementation and Hybrid Connectivity during failure, scaling, and monitoring events?
