Cloud Network Engineer Certification Exam
Guide
**Question 1.** Which VPC topology allows multiple projects to share a common network
while retaining centralized control of firewall rules?
A) Standalone VPC
B) Shared VPC
C) VPC Network Peering
D) Cloud VPN
**Answer:** B
**Explanation:** Shared VPC lets several projects use the same VPC network, enabling
centralized security and routing management while each project maintains its own resources.
**Question 2.** When planning a multi‑regional deployment, which design principle best
ensures low latency for users across continents?
A) Deploy a single regional VPC and use Cloud CDN
B) Use a single global load balancer with a single backend pool
C) Deploy separate VPCs per region and interconnect them via Cloud Interconnect
D) Deploy GKE clusters in each region and use global external HTTP(S) load balancing
**Answer:** D
**Explanation:** Deploying GKE clusters in each region and front‑ending them with a global
external HTTP(S) load balancer routes traffic to the nearest healthy backend, minimizing latency.
**Question 3.** Which CIDR block size is recommended for a subnet that will host up to 500
VM instances, assuming IPv4 only?
A) /24
B) /22
C) /20
D) /26
**Answer:** A
**Explanation:** A /24 provides 256 IP addresses; with GCP reserving a few, it comfortably
supports up to 500 instances when combined with alias IP ranges or secondary ranges.
**Question 4.** In a dual‑stack VPC, which setting enables IPv6 address assignment to VM
instances automatically?
A) Enable Private Google Access
B) Enable IPv6 access type “External” on the subnet
C) Set “IPv6 address range” on the subnet and enable “Automatic” allocation
D) Use BYOIP for IPv6 blocks only
**Answer:** C
**Explanation:** Defining an IPv6 address range on the subnet and selecting automatic
allocation allows GCP to assign IPv6 addresses to VMs without manual configuration.
**Question 5.** Which feature allows you to bring a publicly routable IPv4 block that you own
into a GCP VPC?
A) Cloud NAT
B) Private Service Connect
C) Bring Your Own IP (BYOIP)
D) VPC Peering
**Answer:** C
**Explanation:** BYOIP lets customers import IP ranges they already own and use them as
external or internal addresses within GCP.
**Question 6.** When designing DNS architecture for a hybrid environment, which
configuration provides split‑horizon DNS resolution?
A) Public Cloud DNS zone only
B) Private Cloud DNS zone only
C) Both public and private zones with identical names, using DNS peering for on‑prem
resolution
D) Using Cloud DNS forwarding zones pointing to on‑prem DNS servers
**Answer:** C
**Explanation:** Split‑horizon DNS uses separate public and private zones with the same name;
DNS peering or forwarding ensures on‑prem clients resolve internal names correctly while
external clients see the public zone.
**Question 7.** What is the primary benefit of using VPC‑native GKE clusters with Alias IP
ranges?
A) Enables direct internet access without NAT
B) Allows Pods to have IPs from a secondary range, avoiding subnet exhaustion
C) Provides automatic firewall rule creation for each Pod
D) Guarantees zero‑downtime upgrades
**Answer:** B
**Explanation:** Alias IP ranges allocate a secondary CIDR for Pods, preventing IP exhaustion of
the primary subnet and simplifying routing.
**Question 8.** Which GKE setting restricts control‑plane access to a specific set of CIDR
blocks?
A) Private cluster
B) Control plane authorized networks
C) Network policy enforcement
D) Node‑local DNS cache
**Answer:** B
**Explanation:** Control plane authorized networks limit which IP ranges can reach the GKE
master endpoint, enhancing security for private clusters.
**Question 9.** How can you dynamically expand a subnet’s IP range without recreating
resources?
A) Delete and recreate the subnet with a larger CIDR
B) Use the “Resize subnet” API to add a secondary IP range
C) Create a new subnet and migrate workloads manually
D) Use VPC Network Peering to combine multiple subnets
**Answer:** B
**Explanation:** GCP allows you to resize a subnet’s primary IP range via the API/Console,
automatically updating routes and preserving existing resources.
**Question 10.** Which GCP feature enables VMs without external IPs to reach Google APIs
and services?
A) Cloud NAT
B) Private Google Access
C) Cloud VPN
D) VPC Service Controls
**Answer:** B
**Explanation:** Private Google Access lets instances without external IPs send traffic to
Google APIs over the internal network.