Google Cloud Professional Network Engineer Study Guide

Google Cloud Professional Cloud Network Engineer Exam Study Guide

Professional Cloud Network Engineer Prep:

The Professional Cloud Network Engineer (PCNE) certification validates your ability to design, implement, and manage network architectures on Google Cloud, from VPC design to hybrid connectivity and network security. This guide maps every domain, task, and objective from the official PCNE exam guide to verified, current Google Cloud documentation.

You can also explore more GCP certification study guides in the GCP category to keep building your skills.

Google Cloud Network Engineer Materials:

Coursera: Google Cloud Network Engr Professional Certificate
Udemy: GCP – Google Cloud Professional Cloud Network Engineer
Whizlabs: Google Cloud Professional Cloud Network Engineer

Section 1: Designing and planning a Google Cloud VPC network (~21% of the exam)

1.1 Designing an overall network architecture. Considerations include:

Differentiating between network tiers (e.g., Premium and Standard).

Network Service Tiers overview

Using Network Service Tiers

Choose a load balancer

Designing for high availability, failover, disaster recovery, and scale.

Disaster recovery planning guide

Disaster recovery building blocks

Architecting disaster recovery for cloud infrastructure outages

General best practices

Designing the DNS topology (e.g., on-premises and Cloud DNS).

Best practices for Cloud DNS

DNS server policies

Design considerations

Choosing an appropriate load balancer for network implementation.

Choose a load balancer

Cloud Load Balancing overview

Load balancer feature comparison

Cloud Load Balancing resource model

Planning for Google Kubernetes Engine (GKE) networking (e.g., secondary ranges, scale potential based on IP address space, and access to GKE control plane).

Best practices for GKE networking

Understand IP addressing in GKE

VPC-native clusters

About network isolation in GKE

Learn GKE networking architecture

Identifying the most appropriate Identity and Access Management (IAM) roles suited to specific network architecture designs (e.g., load balancer provisioning and Shared VPC subnet permissions).

IAM roles for Networking-related Job Functions

Compute Engine IAM roles and permissions

Shared VPC

Provision Shared VPC

Planning for connectivity to managed services (e.g., private services access, Private Service Connect [PSC], and Serverless VPC Access).

Private access options for services

Private Service Connect

Private services access

Send serverless traffic to a VPC network

Planning for quotas and limits.

Quotas and limits

1.2 Designing VPC networks. Considerations include:

Choosing the VPC type and quantity (e.g., standalone or Shared VPC and the number of VPC environments).

Shared VPC

VPC networks

Provision Shared VPC

Determining how the networks interconnect based on requirements (e.g., VPC Network Peering, network connectivity [mesh and star topology] with Network Connectivity Center, and PSC).

VPC Network Peering

NCC overview

Preset connectivity topologies

Private Service Connect

Planning the IP address management (IPAM) strategy (e.g., subnets, IPv6, bring your own IP, privately used public IP [PUPI], Private NAT, non-RFC 1918 addresses, managed services, and IPAM automation techniques).

Subnets

Bring your own IP addresses

IP addresses

Private NAT

Planning for bring your own IP addresses

Planning a global or regional network environment (or variations of these).

VPC networks

Set routing and best path selection modes

Cloud Load Balancing overview

Determining the correct maximum transmission unit (MTU) sizing for VPC for workloads.

Maximum transmission unit

Change the MTU setting of a VPC network

Create and verify a jumbo frame MTU network

Planning third-party device insertion (e.g., network virtual appliance) with custom routes (static or policy-based) and load balancing.

Policy-based routes

Routes

Use routes

Router appliance overview

1.3 Designing a resilient and performant hybrid and multi-cloud network. Considerations include:

Designing for hybrid (e.g., on-premises and cloud, branch office) connectivity, including bandwidth and security constraints (e.g., Dedicated Interconnect, Partner Interconnect, Cloud VPN, and SD-WAN appliances).

Cloud Interconnect overview

Choosing a Network Connectivity product

Cloud VPN overview

General best practices

Designing for multicloud connectivity (e.g., Cloud VPN and Cross-Cloud Interconnect).

Cross-Cloud Interconnect overview

Choosing a Network Connectivity product

Cloud VPN overview

Choosing when to use Direct Peering or Verified Peering Provider.

Choosing a Network Connectivity product

Cloud Interconnect overview

Designing high-availability and disaster recovery connectivity strategies for multiple regions (e.g., regional or global dynamic routing mode).

Establish 99.99% availability for Dedicated Interconnect

HA VPN topologies

Set routing and best path selection modes

Accessing multiple VPCs from on-premises locations (e.g., Shared VPC, multi-VPC peering, and Network Connectivity Center topologies).

NCC overview

VPC spokes overview

Shared VPC

Best practices for Cloud DNS

Accessing Google services like Vertex AI and application programming interfaces (APIs) privately from on-premises locations.

Private access options for services

Private Service Connect

Private services access

Accessing managed services through PSC and VPC Network Peering connections (e.g., private services access).

Private services access

Private Service Connect

Enabling private services access

Designing the IP address space across on-premises locations and cloud environments (e.g., internal ranges, planning to avoid overlaps, and Private NAT).

Private NAT

Hybrid NAT

IP addresses

Architecting hybrid DNS topology: Define forwarding paths, inbound policies, cross-project binding, and DNS peering strategy.

Best practices for Cloud DNS

DNS server policies

DNS zones overview

Create a zone with cross-project binding

Determining the correct MTU sizing for hybrid connections (Cloud Interconnect and HA VPN) for workloads.

Maximum transmission unit

MTU considerations

Cloud Interconnect overview

Understanding interconnect encryption options, such as MACsec and HA VPN, over Cloud Interconnect.

HA VPN over Cloud Interconnect overview

Deploy HA VPN over Cloud Interconnect

Cloud Interconnect overview

1.4 Designing for Google Kubernetes Engine (GKE). Considerations include:

Choosing between public or private cluster nodes and node pools.

About network isolation in GKE

Creating a private cluster

Customize your network isolation in GKE

Choosing between public or private control plane endpoints.

About network isolation in GKE

About Private Service Connect

Customize your network isolation in GKE

Planning subnets: Primary and secondary ranges.

VPC-native clusters

Understand IP addressing in GKE

Best practices for GKE networking

Planning for GKE IP addresses (RFC 1918, non-RFC 1918, Google-managed services range, PSC, shared IP ranges, and PUPI).

Manage IP address migration in GKE

VPC-native clusters

Understand IP addressing in GKE

Planning for IPv6.

Subnets

Create and use IPv6 sub-prefixes

Understand IP addressing in GKE

Designing load balancing for GKE networking.

About load balancing in GKE

Container-native load balancing

About LoadBalancer Services

GKE Ingress for Application Load Balancers

Adding and managing node pool configuration.

Configure maximum Pods per node

VPC-native clusters

Best practices for GKE networking

Section 2: Implementing a VPC network (~20% of the exam)

2.1 Configuring VPCs. Considerations include:

Creating Google Cloud VPC resources (e.g., networks, subnets, firewall rules or policies, private services access subnet, and private pools).

VPC networks

Quickstart: Create and manage VPC networks

Subnets

VPC firewall rules

Configuring VPC Network Peering.

VPC Network Peering

Creating a Shared VPC network and sharing subnets with other projects.

Shared VPC

Provision Shared VPC

Assigning the correct IAM permissions to use Shared VPC subnets from service projects.

Shared VPC

Provision Shared VPC

IAM roles for Networking-related Job Functions

Configuring access to Google APIs and Google-managed services (e.g., Private Google Access and public interfaces).

Private access options for services

Private Service Connect

Expanding VPC subnet ranges after creation.

Subnets

Configuring restricted Google Cloud services with VPC Service Controls perimeters.

Supported products and limitations

Quotas and limits

2.2 Configuring VPC routing. Considerations include:

Setting up static and dynamic routing (e.g., Cloud Router).

Routes

Cloud Router overview

Use routes

Configuring global or regional dynamic routing.

Set routing and best path selection modes

Learned routes

Implementing routing using network tags and priority.

Routes

Use routes

Implementing route priorities with global dynamic routing, including policy-based routing and dynamic routing.

Advertised routes

Policy-based routes

Set routing and best path selection modes

Implementing an internal load balancer as a next hop.

Policy-based routes

Use policy-based routes

Use routes

Configuring custom route import/export over VPC Network Peering and Network Connectivity Center.

VPC Network Peering

VPC spokes overview

Configuring policy-based routing.

Policy-based routes

Use policy-based routes

2.3 Configuring Network Connectivity Center. Considerations include:

Differentiating between spoke types (VPC spoke, hybrid spoke, and producer spoke).

NCC overview

VPC spokes overview

Managing VPC topology (e.g., star topology, hub and spokes, and mesh topology).

Preset connectivity topologies

Configure a hub

Configuring Private NAT and PSC propagation.

Private NAT for Network Connectivity Center spokes

Set up and manage network address translation with Private NAT

Configuring IP/CIDR range filters for Network Connectivity Center spokes.

Work with hubs and spokes

Monitoring and troubleshooting Network Connectivity Center.

NCC overview

Router appliance overview

2.4 Configuring and maintaining GKE clusters. Considerations include:

Creating VPC-native clusters using alias IPs.

VPC-native clusters

Setting up clusters with Shared VPC.

Setting up clusters with Shared VPC

Shared VPC

Configuring private clusters and private control plane endpoints.

About network isolation in GKE

Creating a private cluster

Customize your network isolation in GKE

Adding authorized networks for cluster control plane endpoints.

Creating a private cluster

Customize your network isolation in GKE

Using DNS-based endpoint for control plane access.

About network isolation in GKE

Customize your network isolation in GKE

Enabling GKE Dataplane V2.

GKE Dataplane V2

Using GKE Dataplane V2

Configuring source NAT (SNAT) and IP Masquerade policies.

IP masquerade agent

Configuring an IP masquerade agent in Standard clusters

Use Egress NAT Policy to configure IP masquerade in Autopilot clusters

Creating GKE network policies.

Control communication between Pods and Services using network policies

GKE Dataplane V2

Configuring Pod ranges and service ranges.

VPC-native clusters

Understand IP addressing in GKE

Deploying additional Pod ranges for GKE clusters.

Manage IP address migration in GKE

Configure maximum Pods per node

Configuring DNS (local DNS cache, Cloud DNS, and kube-dns).

About kube-dns for GKE

Set up NodeLocal DNSCache

About Cloud DNS for GKE

Use Cloud DNS for GKE

Section 3: Configuring managed network services (~16% of the exam)

3.1 Configuring load balancing. Considerations include:

Determining the load balancing solution for your network (internal/external, regional/global, application/proxy/passthrough, etc.).

Choose a load balancer

Cloud Load Balancing overview

Configuring backend services, including autoscaling (e.g., network endpoint groups [NEGs] and managed instance groups).

Cloud Load Balancing resource model

Internet network endpoint groups overview

Configuring various load balancers and backend settings, such as the balancing method, session affinity, serving capacity, URL maps, health checks, and global access.

Load balancer feature comparison

Cloud Load Balancing resource model

Application Load Balancer overview

Understanding load balancers in GKE (e.g., GKE Gateway controller, GKE Ingress controller, and NEGs).

About load balancing in GKE

Container-native load balancing

GKE Ingress for Application Load Balancers

Setting up traffic management on Application Load Balancer (e.g., traffic splitting, traffic mirroring, and URL rewrites).

Application Load Balancer overview

Cloud Load Balancing resource model

3.2 Configuring Cloud CDN. Considerations include:

Setting up Cloud CDN for supported origins (e.g., managed instance groups, Cloud Storage buckets, and Cloud Run).

Cloud CDN overview

Setup overview

Setting up Cloud CDN for external backends (internet NEGs) and third-party object storage.

External backends specified by using internet NEGs

Set up an external backend with an internet NEG

Set up third-party object storage

Invalidating cached content.

Cache invalidation overview

Invalidate cached content

3.3 Configuring Cloud DNS. Considerations include:

Managing Cloud DNS zones and records.

DNS zones overview

Create, modify, and delete zones

Key terms

Migrating to Cloud DNS.

Cloud DNS overview

Best practices for Cloud DNS

Configuring Cloud DNS routing policies, such as geolocation and failover policies.

DNS routing policies and health checks

Configure DNS routing policies and health checks

DNS policies overview

Enabling DNS Security Extensions (DNSSEC).

DNS Security Extensions (DNSSEC) overview

Manage DNSSEC configuration

Activate DNSSEC

Setting up self-hosted DNS integration with Cloud DNS, including configuring DNS forwarding and DNS server policies.

DNS server policies

Best practices for Cloud DNS

DNS zones overview

Understanding DNS private and public zones and setting up split-horizon DNS.

DNS zones overview

Key terms

Create, modify, and delete zones

Setting up DNS cross-project binding and DNS peering.

Create a zone with cross-project binding

DNS zones overview

Best practices for Cloud DNS

Configuring Cloud DNS and external-DNS operator for GKE.

About Cloud DNS for GKE

Use Cloud DNS for GKE

Service discovery and DNS

Section 4: Configuring and implementing hybrid and multicloud network interconnectivity (~16% of the exam)

4.1 Configuring Cloud Interconnect. Considerations include:

Creating Dedicated Interconnect connections and configuring VLAN attachments.

Cloud Interconnect overview

Create VLAN attachments

Creating Partner Interconnect connections, configuring VLAN attachments, and differentiating between layer 2 and layer 3 type interconnects.

Partner Interconnect overview

Cloud Interconnect FAQ

Creating Cross-Cloud Interconnect connections and configuring VLAN attachments.

Cross-Cloud Interconnect overview

Partner Cross-Cloud Interconnect for OCI overview

Configuring HA VPN over Cloud Interconnect.

HA VPN over Cloud Interconnect overview

Deploy HA VPN over Cloud Interconnect

Implementing 99.9% and 99.99% service-level agreements (SLAs) for interconnect topologies.

Establish 99.99% availability for Dedicated Interconnect

Cloud Interconnect overview

HA VPN topologies

4.2 Configuring a site-to-site IPsec VPN. Considerations include:

Configuring HA VPN toward on-premises VPN gateways.

Create an HA VPN gateway to a peer VPN gateway

Configure the peer VPN gateway

HA VPN topologies

Configuring HA VPN toward other Google Cloud VPCs.

HA VPN topologies

Create an HA VPN gateway to a peer VPN gateway

Configuring Classic VPN (e.g., route-based and policy-based).

Cloud VPN overview

Classic VPN topologies

Networks and tunnel routing

4.3 Configuring Cloud Router. Considerations include:

Implementing Border Gateway Protocol (BGP) attributes (e.g., ASN, route priority/MED, link-local addresses, and authentication).

Cloud Router overview

Advertised routes

BGP route policies overview

Configuring Bidirectional Forwarding Detection (BFD).

Bidirectional Forwarding Detection (BFD) overview

Configure BFD for Cloud Router

Creating custom-advertised routes and custom-learned routes.

Advertised routes

Specify and manage custom learned routes

Learned routes

Selecting between legacy and standard best path selection at the VPC.

Set routing and best path selection modes

Learned routes

4.4 Configuring Network Connectivity Center. Considerations include:

Creating hybrid spokes (e.g., VPN and VLAN attachment).

NCC overview

Work with hubs and spokes

Establishing site-to-site data transfer.

NCC overview

Creating router appliances (RAs).

Router appliance overview

Site-to-cloud topologies that use a third-party appliance

Solving common transitivity networking issues.

VPC spokes overview

Preset connectivity topologies

Section 5: Managing, monitoring, and troubleshooting network operations (~14% of the exam)

5.1 Logging and monitoring with Google Cloud Observability. Considerations include:

Enabling and reviewing Cloud Logging for networking components (e.g., Cloud VPN, Cloud Router, VPC Service Controls, Cloud Next Generation Firewall [NGFW], Firewall Insights, VPC Flow Logs, Cloud DNS, Cloud NAT, and Network Connectivity Center).

VPC Flow Logs

VPC firewall rules logging overview

Firewall policy rules logging overview

Firewall Insights overview

Monitoring networking metrics (e.g., Cloud VPN, Cloud Interconnect and VLAN attachments, Cloud Router, load balancers, Google Cloud Armor, and Cloud NAT).

Performance Dashboard overview

Network Intelligence Center overview

View router details

5.2 Maintaining and troubleshooting connectivity issues. Considerations include:

Draining and redirecting traffic flows with Application Load Balancer.

Failover for external Application Load Balancers

Application Load Balancer overview

Managing and troubleshooting VPNs.

Cloud VPN overview

HA VPN topologies

Managing and troubleshooting Cloud Interconnect issues.

Cloud Interconnect FAQ

Cloud Interconnect overview

Troubleshooting Cloud Router BGP peering issues.

Troubleshoot BGP routes and route selection

BFD diagnostic messages and session states

View router details

Troubleshooting with VPC Flow Logs, firewall logs, and Packet Mirroring.

VPC Flow Logs

VPC firewall rules logging overview

Packet Mirroring

Use Packet Mirroring

5.3 Using Network Intelligence Center to monitor and troubleshoot common networking issues. Considerations include:

Using Network Topology to visualize throughput and traffic flows.

Network Topology overview

Network Topology metrics

Using Connectivity Tests to diagnose route and firewall misconfigurations.

Connectivity Tests overview

Test connectivity within VPC networks

Test connectivity to and from non-Google Cloud networks

Using Performance Dashboard to identify packet loss and latency (e.g., Google-wide and project scoped).

Performance Dashboard overview

Using Firewall Insights to monitor, identify, and improve rules.

Firewall Insights overview

Using Network Analyzer to identify network failures, suboptimal configurations, and utilization warnings.

Network Analyzer overview

GKE IP address utilization insights

Using Flow Analyzer and VPC Flow Logs to evaluate network traffic.

Flow Analyzer overview

VPC Flow Logs

Section 6: Configuring, implementing and managing a cloud network security solution (~13% of the exam)

6.1 Configuring Google Cloud Armor policies. Considerations include:

Configuring and attaching edge and backend security policies.

Security policy overview

Cloud Armor overview

Implementing web application firewall (WAF) rules (e.g., SQL injection, cross-site scripting, and remote file inclusion).

Preconfigured WAF rules overview

Cloud Armor overview

Configuring advanced network distributed denial of service (DDoS) and Adaptive Protection.

Cloud Armor overview

Best practices for Cloud Armor

Configuring rate limiting.

Best practices for Cloud Armor

Security policy overview

Configuring bot management.

Security policy overview

Best practices for Cloud Armor

Applying Google Threat Intelligence.

Cloud Armor overview

6.2 Configuring and managing NGFW policies and VPC Firewall rules. Considerations include:

Planning the firewall strategy (e.g., VPC firewall rules, Cloud NGFW, hierarchical firewall rules, and third-party integration).

Cloud NGFW overview

Firewall policies and rules

VPC firewall rules

Understanding the effective policy rules for hierarchical firewall situations.

Hierarchical firewall policies

Evaluation order for firewall policies and rules

Hierarchical firewall policy examples

Configuring Cloud NGFW to support GKE and Cloud Load Balancing.

Selectively enforce firewall policies in GKE

Cloud NGFW overview

Creating and troubleshooting VPC firewall rules and Cloud NGFW regional/global/hierarchical policies.

VPC firewall rules

Create global network firewall policies and rules

Create hierarchical firewall policies and rules

Manage hierarchical firewall policies and rules

Enabling layer 7 packet inspection with Cloud NGFW Enterprise.

Cloud NGFW tiers

Hierarchical firewall policies

Migrating from VPC firewall rules to Cloud NGFW policies.

VPC firewall rules migration overview

Migrate VPC firewall rules that use network tags and service accounts

Configuring VPC and NGFW rule criteria (e.g., rule priority, network protocols, direction [ingress and egress], source, and destination).

VPC firewall rules

Firewall policies and rules

Configuring VPC and Firewall Rules Logging.

VPC firewall rules logging overview

Firewall policy rules logging overview

Manage firewall policy rules logging

Incorporating micro-segmentation for security purposes (e.g., using metadata, [secure] tags, service accounts, and network tags).

Secure tags for firewalls

VPC firewall rules migration overview

Differentiating between the different tiers of Cloud NGFW: Essentials, Standard, and Enterprise.

Cloud NGFW tiers

Cloud NGFW overview

6.3 Configuring and securing internet egress traffic using Public Cloud NAT and Secure Web Proxy. Considerations include:

Configuring public Cloud NAT IP addressing and assigning automatic and manual Cloud NAT IP addresses.

Cloud NAT overview

IP addresses and ports

Configuring static and dynamic port allocation for Cloud NAT.

IP addresses and ports

Cloud NAT overview

Configuring Secure Web Proxy.

Secure Web Proxy overview

Secure Web Proxy policies overview

Publish Secure Web Proxy as a Private Service Connect service

6.4 Configuring self-managed network virtual appliance and Packet Mirroring. Considerations include:

Routing and inspecting inter-VPC traffic using multi-network interface card (NIC) virtual machines (VMs) (e.g., NGFW appliances).

Multiple network interfaces

Create VMs with multiple network interfaces

Policy-based routes

Configuring an internal load balancer as a next hop for HA multi-NIC VM routing.

Policy-based routes

Use policy-based routes

Configuring policy-based routes for HA multi-NIC VM routing.

Policy-based routes

Use policy-based routes

Developing a strategy for out-of-band Network Security Integration.

Out-of-band integration overview

Mirroring endpoint groups overview

Mirroring deployment groups overview

Configuring Packet Mirroring for VPC traffic toward self-managed collectors.

Packet Mirroring

Use Packet Mirroring

Monitor Packet Mirroring

Cloud Network Engineer – Final Thoughts

This guide covered all six domains of the PCNE exam guide — VPC design, implementation, managed network services, hybrid and multicloud connectivity, network operations, and network security — each linked to official Google Cloud documentation. Work through Cloud Router, Cloud Interconnect, Cloud DNS, and Cloud NGFW hands-on as you study, and revisit this guide as your practice deepens.
