50 Cloud Network Engineer Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Cloud Network Engineer certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Cloud Network Engineer
You created a new VPC with a custom subnet in us-central1. A VM in that subnet cannot reach the internet, but it can reach other VMs in the VPC. No special routes were created. What is the MOST likely missing configuration?
Your security team wants to restrict egress so that only TCP 443 to specific public IP ranges is allowed from a subnet. Which GCP feature is the BEST fit?
A workload in a private subnet without external IPs must access Google APIs (such as Cloud Storage) without using the public internet. Which configuration satisfies this requirement with the least operational overhead?
You need name resolution for VM instances using internal DNS names (for example, vm-a.c.project-id.internal) within a VPC. What should you use?
A company has two VPCs (prod and shared-services) in different projects. They want prod to access an internal TCP service in shared-services via a stable internal IP while keeping access scoped to that specific service. What is the BEST solution?
You manage a global external HTTP(S) load balancer. A new backend service is healthy in one region but shows 502 errors for users in another region. Logs show requests reaching the load balancer but failing to connect to the backend in the failing region. Which is the MOST likely cause?
Your organization uses Shared VPC. A service project team can create VM instances but cannot attach a specific subnet from the host project. What is the MOST likely missing permission/configuration?
You are designing IP addressing for a new multi-environment deployment (dev, test, prod) that will later connect to on-prem via Cloud VPN or Interconnect. The on-prem network already uses 10.0.0.0/8 extensively. What is the BEST practice for GCP VPC subnet CIDRs?
You have an existing Dedicated Interconnect with VLAN attachments to a Cloud Router. You add a second Interconnect in a different edge availability domain for redundancy. After configuring the new VLAN attachment, on-prem does not learn some GCP prefixes over the new connection. The first connection works. What should you verify FIRST?
A security incident response requires you to determine which specific VM instance generated traffic to a suspicious external IP over the last hour. The environment uses Cloud NAT for internet egress. What is the BEST approach to identify the originating VM?
You need to allow a new Compute Engine VM to access the internet for software updates, but you do not want to assign it an external IP. The VPC subnet is already created. What should you do?
Your organization wants to restrict who can create and modify firewall rules across multiple projects, while still allowing application teams to manage their own VM instances. What is the recommended approach?
A VM in subnet-a (10.10.1.0/24) cannot reach a VM in subnet-b (10.10.2.0/24) within the same VPC. Both VMs are in the same region. Routes look correct. What is the most likely cause?
You must publish an internal application to multiple consumer VPCs across the company. Consumers should not be able to reach anything except the service, and the producer should not need to manage per-consumer firewall rules. What is the best solution?
A global external HTTP(S) Load Balancer must route requests to backends in multiple regions. If a regional backend becomes unhealthy, traffic should automatically fail over to another region. Which configuration achieves this?
You have on-premises routers connected to two Cloud Interconnect VLAN attachments (one in each of two edge availability domains) using HA VLAN attachments. You need dynamic routing with BGP, and you want traffic to automatically shift if one attachment fails. What should you configure?
Your security team wants consistent, centrally managed L3/L4 policy across multiple VPCs in an organization. Policies must support hierarchical evaluation and reduce the need to duplicate firewall rules in every project. What should you use?
A workload in Project A must privately resolve and access an internal hostname hosted in Project B. Both projects are in the same organization and use separate VPCs. You want to avoid custom DNS servers. What is the best approach?
You operate a hub-and-spoke architecture using Network Connectivity Center (NCC) with a hub VPC. Two spokes must exchange routes through the hub, but you must ensure that only specific prefixes are propagated between them to meet compliance requirements. What should you do?
After migrating to Cloud VPN with dynamic routing, you notice intermittent asymmetric routing between on-prem and GCP that breaks a stateful on-prem firewall. You have two redundant VPN tunnels and BGP sessions. What is the best way to reduce asymmetric paths while keeping redundancy?
You need to quickly validate connectivity between two subnets in the same VPC without deploying additional VMs or opening firewall rules broadly. What is the recommended approach?
A security team wants to allow SSH access to a specific group of instances across multiple projects, but only from a controlled set of corporate IP ranges. They want centralized administration and consistent enforcement. What should you do?
You are configuring DNS for workloads in a VPC. Some VMs must resolve a private hostname (for example, db.internal) to an internal IP that differs by environment (dev vs prod) while keeping the same name. What is the best solution?
A shared VPC has multiple subnets used by different teams. A new compliance requirement states that logs must show which VM instance and port are responsible for outbound connections to a third-party service. Which feature should you enable and where?
You have two VPCs that must communicate privately. Both VPCs use overlapping RFC1918 ranges due to legacy constraints, and renumbering is not possible. Which option provides private connectivity while addressing the overlap?
An internal TCP application is hosted on a regional managed instance group. Clients are in the same VPC and require a single stable IP with automatic failover and health-based load distribution. Which load balancing option should you choose?
You use Cloud Interconnect with Cloud Router for dynamic routing. Your on-premises router advertises a default route (0.0.0.0/0) to Google. You want only a limited set of on-prem routes to be learned by the VPC to avoid accidental egress via on-prem. What should you configure?
You deploy a global external HTTP(S) load balancer with Cloud CDN enabled. Users in Europe report that content is always served from the origin in the US, increasing latency. Cache hit ratios are near zero. What is the most likely cause?
Your organization uses a hub-and-spoke design with Network Connectivity Center (NCC) and a central VPC that connects to on-prem via Cloud Interconnect. A spoke VPC must reach on-prem, but traffic must not traverse the public internet and must be controllable with centralized policies. What is the best architecture?
A team uses a third-party virtual appliance (NVA) in a central security VPC for packet inspection. They want all egress traffic from multiple application VPCs to be forced through the NVA, while keeping VPCs separate (no shared subnets). The design must scale and be resilient. What is the recommended approach?
You deploy a new VM without an external IP address in a private subnet. The VM must access public package repositories on the internet, but no inbound connections from the internet should be allowed. Which solution should you implement?
An application team needs to resolve Private Service Connect (PSC) endpoints via DNS using the service producer’s published private DNS zone. What is the recommended approach?
You need to create a set of firewall rules that can be reused across multiple VPC networks in the same organization, using consistent source identities based on service accounts rather than IP ranges. What should you use?
A team is experiencing intermittent packet loss for traffic traversing a Cloud VPN tunnel. They want to monitor tunnel health and be alerted when the VPN tunnel goes down. Which Google Cloud feature should they use?
You need to ensure a GKE cluster’s nodes in a private VPC can access Google APIs (for example, Artifact Registry and Container Registry/Artifact) without using public IP addresses. What should you configure?
A company uses Cloud Interconnect with Cloud Router for hybrid connectivity. They want on-premises routes to dynamically fail over between two geographically separate Cloud Routers connected to two different on-prem routers. What is the recommended design?
You are designing an internal HTTP(S) load balancing solution for microservices that must be accessible only within a VPC and from on-premises over Cloud VPN. Which load balancer type should you choose?
Your security team needs to inspect and control egress traffic from multiple projects before it reaches the internet. They want centralized policy enforcement and logging, with minimal changes to application teams. What is the best GCP design pattern?
A workload in VPC-A must reach a managed database exposed through Private Service Connect in VPC-B. You configured a PSC endpoint in VPC-A, but connections fail. PSC endpoint creation succeeded. What is the most likely missing requirement?
You need to prevent overlapping RFC1918 ranges across multiple teams who independently create subnets in shared VPC networks. What should you do to reduce the risk of overlapping allocations?
You are designing a multi-project network where application teams each have their own service projects, but all egress to the internet must be inspected and NATed by a central security team. Which design best meets this requirement with minimal per-team changes?
A team created a new subnet with primary range 10.40.0.0/24. They need to add secondary IP ranges for GKE Pods and Services without recreating the subnet. What is the recommended approach?
You need to expose an internal HTTP service running on a Managed Instance Group to users on the internet. The service must be protected by Google Cloud Armor policies and use a global anycast IP. Which load balancer should you choose?
A company uses Cloud Interconnect with BGP. They want to ensure that if one on-prem router fails, traffic automatically uses the remaining router without manual intervention. Which configuration best supports this goal?
Your organization wants to restrict VM egress so that only traffic to specific external partner IP ranges is allowed, while all other internet destinations are blocked. The VMs should still be able to reach Google APIs privately. What is the best solution?
A VM in subnet-a cannot reach a Cloud SQL instance using a private IP. Both are in the same VPC but different subnets. The firewall allows TCP:3306 between the subnets. DNS resolves the Cloud SQL private hostname to an RFC1918 address. What is the most likely missing configuration?
You operate multiple internal DNS zones for different environments (dev, test, prod) in separate projects. Applications in a central shared services VPC must resolve records from all environment zones without copying records. What is the recommended approach?
You need to choose between Cloud VPN and Cloud Interconnect for connecting an on-prem data center to Google Cloud. The requirement is predictable performance and a private connection, but the data center is not in a facility with Interconnect availability. What should you recommend?
Your security team wants to reduce the blast radius of overly permissive firewall rules. They require that each application team can manage its own firewall policy but cannot affect other teams’ resources in the same VPC. Which approach best meets this requirement?
Users report intermittent latency to an internal service behind an Internal TCP Proxy Load Balancer. You need to determine whether the issue is backend capacity, unhealthy instances, or client-side retry storms. Which set of tools is most appropriate?
Cloud Network Engineer 50 Practice Questions FAQs
Cloud Network Engineer is a professional certification from Google Cloud that validates expertise in cloud network engineering technologies and concepts. The official exam code is GCP-12.
Our 50 Cloud Network Engineer practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Cloud Network Engineer preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Cloud Network Engineer questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.