Professional Cloud Network Engineer Prep:
The Professional Cloud Network Engineer (PCNE) certification validates your ability to design, implement, and manage network architectures on Google Cloud, from VPC design to hybrid connectivity and network security. This guide maps every domain, task, and objective from the official PCNE exam guide to verified, current Google Cloud documentation.
You can also explore more GCP certification study guides on the GCP category to keep building your skills.
Google Cloud Network Engineer Materials:
| Provider | Course |
| --- | --- |
| Coursera | Google Cloud Network Engineer Professional Certificate |
| Udemy | GCP – Google Cloud Professional Cloud Network Engineer |
| Whizlabs | Google Cloud Professional Cloud Network Engineer |
Section 1: Designing and planning a Google Cloud VPC network (~21% of the exam)
1.1 Designing an overall network architecture. Considerations include:
Differentiating between network tiers (e.g., Premium and Standard).
Network Service Tiers overview
Designing for high availability, failover, disaster recovery, and scale.
Disaster recovery planning guide
Disaster recovery building blocks
Architecting disaster recovery for cloud infrastructure outages
Designing the DNS topology (e.g., on-premises and Cloud DNS).
Choosing an appropriate load balancer for network implementation.
Load balancer feature comparison
Cloud Load Balancing resource model
Planning for Google Kubernetes Engine (GKE) networking (e.g., secondary ranges, scale potential based on IP address space, and access to GKE control plane).
Best practices for GKE networking
Understand IP addressing in GKE
About network isolation in GKE
Learn GKE networking architecture
Identifying the most appropriate Identity and Access Management (IAM) roles suited to specific network architecture designs (e.g., load balancer provisioning and Shared VPC subnet permissions).
IAM roles for Networking-related Job Functions
Compute Engine IAM roles and permissions
Planning for connectivity to managed services (e.g., private services access, Private Service Connect [PSC], and Serverless VPC Access).
Private access options for services
Send serverless traffic to a VPC network
Planning for quotas and limits.
1.2 Designing VPC networks. Considerations include:
Choosing the VPC type and quantity (e.g., standalone or Shared VPC and the number of VPC environments).
Determining how the networks interconnect based on requirements (e.g., VPC Network Peering, network connectivity [mesh and star topology] with Network Connectivity Center, and PSC).
Preset connectivity topologies
Planning the IP address management (IPAM) strategy (e.g., subnets, IPv6, bring your own IP, privately used public IP [PUPI], Private NAT, non-RFC 1918 addresses, managed services, and IPAM automation techniques).
Planning for bring your own IP addresses
Planning a global or regional network environment (or variations of these).
Set routing and best path selection modes
Determining the correct maximum transmission unit (MTU) sizing for VPC for workloads.
Change the MTU setting of a VPC network
Create and verify a jumbo frame MTU network
Planning third-party device insertion (e.g., network virtual appliance) with custom routes (static or policy-based) and load balancing.
1.3 Designing a resilient and performant hybrid and multi-cloud network. Considerations include:
Designing for hybrid (e.g., on-premises and cloud, branch office) connectivity, including bandwidth and security constraints (e.g., Dedicated Interconnect, Partner Interconnect, Cloud VPN, and SD-WAN appliances).
Choosing a Network Connectivity product
Designing for multicloud connectivity (e.g., Cloud VPN and Cross-Cloud Interconnect).
Cross-Cloud Interconnect overview
Choosing a Network Connectivity product
Choosing when to use Direct Peering or Verified Peering Provider.
Choosing a Network Connectivity product
Designing high-availability and disaster recovery connectivity strategies for multiple regions (e.g., regional or global dynamic routing mode).
Establish 99.99% availability for Dedicated Interconnect
Set routing and best path selection modes
Accessing multiple VPCs from on-premises locations (e.g., Shared VPC, multi-VPC peering, and Network Connectivity Center topologies).
Accessing Google services like Vertex AI and application programming interfaces (APIs) privately from on-premises locations.
Private access options for services
Accessing managed services through PSC and VPC Network Peering connections (e.g., private services access).
Enabling private services access
Designing the IP address space across on-premises locations and cloud environments (e.g., internal ranges, planning to avoid overlaps, and Private NAT).
Architecting hybrid DNS topology: Define forwarding paths, inbound policies, cross-project binding, and DNS peering strategy.
Create a zone with cross-project binding
Determining the correct MTU sizing for hybrid connections (Cloud Interconnect and HA VPN) for workloads.
Understanding interconnect encryption options, such as MACsec and HA VPN, over Cloud Interconnect.
HA VPN over Cloud Interconnect overview
Deploy HA VPN over Cloud Interconnect
1.4 Designing for Google Kubernetes Engine (GKE). Considerations include:
Choosing between public or private cluster nodes and node pools.
About network isolation in GKE
Customize your network isolation in GKE
Choosing between public or private control plane endpoints.
About network isolation in GKE
Customize your network isolation in GKE
Planning subnets: Primary and secondary ranges.
Understand IP addressing in GKE
Best practices for GKE networking
Planning for GKE IP addresses (RFC 1918, non-RFC 1918, Google-managed services range, PSC, shared IP ranges, and PUPI).
Manage IP address migration in GKE
Understand IP addressing in GKE
Planning for IPv6.
Create and use IPv6 sub-prefixes
Understand IP addressing in GKE
Designing load balancing for GKE networking.
Container-native load balancing
GKE Ingress for Application Load Balancers
Adding and managing node pool configuration.
Configure maximum Pods per node
Best practices for GKE networking
Section 2: Implementing a VPC network (~20% of the exam)
2.1 Configuring VPCs. Considerations include:
Creating Google Cloud VPC resources (e.g., networks, subnets, firewall rules or policies, private services access subnet, and private pools).
Quickstart: Create and manage VPC networks
Configuring VPC Network Peering.
Creating a Shared VPC network and sharing subnets with other projects.
Assigning the correct IAM permissions to use Shared VPC subnets from service projects.
IAM roles for Networking-related Job Functions
Configuring access to Google APIs and Google-managed services (e.g., Private Google Access and public interfaces).
Private access options for services
Expanding VPC subnet ranges after creation.
Configuring restricted Google Cloud services with VPC Service Controls perimeters.
Supported products and limitations
2.2 Configuring VPC routing. Considerations include:
Setting up static and dynamic routing (e.g., Cloud Router).
Configuring global or regional dynamic routing.
Set routing and best path selection modes
Implementing routing using network tags and priority.
Implementing route priorities with global dynamic routing, including policy-based routing and dynamic routing.
Set routing and best path selection modes
Implementing an internal load balancer as a next hop.
Configuring custom route import/export over VPC Network Peering and Network Connectivity Center.
Configuring policy-based routing.
2.3 Configuring Network Connectivity Center. Considerations include:
Differentiating between spoke types (VPC spoke, hybrid spoke, and producer spoke).
Managing VPC topology (e.g., star topology, hub and spokes, and mesh topology).
Preset connectivity topologies
Configuring Private NAT and PSC propagation.
Private NAT for Network Connectivity Center spokes
Set up and manage network address translation with Private NAT
Configuring IP/CIDR range filters for Network Connectivity Center spokes.
Monitoring and troubleshooting Network Connectivity Center.
2.4 Configuring and maintaining GKE clusters. Considerations include:
Creating VPC-native clusters using alias IPs.
Setting up clusters with Shared VPC.
Setting up clusters with Shared VPC
Configuring private clusters and private control plane endpoints.
About network isolation in GKE
Customize your network isolation in GKE
Adding authorized networks for cluster control plane endpoints.
Customize your network isolation in GKE
Using DNS-based endpoint for control plane access.
About network isolation in GKE
Customize your network isolation in GKE
Enabling GKE Dataplane V2.
Configuring source NAT (SNAT) and IP Masquerade policies.
Configuring an IP masquerade agent in Standard clusters
Use Egress NAT Policy to configure IP masquerade in Autopilot clusters
Creating GKE network policies.
Control communication between Pods and Services using network policies
Configuring Pod ranges and service ranges.
Understand IP addressing in GKE
Deploying additional Pod ranges for GKE clusters.
Manage IP address migration in GKE
Configure maximum Pods per node
Configuring DNS (local DNS cache, Cloud DNS, and kube-dns).
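The subnet planning items in 1.4 (primary and secondary ranges, maximum Pods per node) and 2.4 (Pod ranges and service ranges) come down to one arithmetic exercise: which of the three ranges runs out first. The following planner is an added example for this guide, not Google code; it encodes the sizing rules from the GKE IP addressing documentation (4 reserved addresses per subnet, a per-node Pod block holding twice the node's maximum Pods rounded up to a power of two, one address per Service). The ranges and node counts it is run with are constructed, not recommendations.

```python
"""GKE VPC-native IP planner (added example for this guide, not Google code).

Encoded from the GKE IP addressing docs: every node takes one address in the
subnet primary range (Google Cloud reserves 4 addresses per subnet); each node
is handed a block of the Pod secondary range that holds twice its maximum Pods,
rounded up to a power of two (110 Pods -> /24, 64 -> /25, 32 -> /26, 8 -> /28);
each Service takes one address in the Services secondary range. Ranges used
below are constructed, not recommendations.
"""
import math
from ipaddress import ip_network

RESERVED_PER_SUBNET = 4   # network, default gateway, second-to-last, broadcast


def per_node_pod_prefix(max_pods_per_node: int) -> int:
    """Prefix length of the per-node Pod block GKE carves out of the Pod range."""
    if not 8 <= max_pods_per_node <= 256:
        raise ValueError("GKE Standard accepts 8-256 Pods per node")
    return 32 - math.ceil(math.log2(2 * max_pods_per_node))


def plan(node_subnet: str, pod_range: str, services_range: str,
         max_pods_per_node: int = 110, other_hosts: int = 0) -> dict:
    """How many nodes, Pods and Services the three ranges can support and which
    range is the bottleneck. other_hosts counts non-GKE VMs, internal load
    balancer addresses and similar consumers already in the primary range."""
    node_net, pod_net, svc_net = (ip_network(r) for r in (node_subnet, pod_range, services_range))
    block = per_node_pod_prefix(max_pods_per_node)
    if pod_net.prefixlen > block:
        raise ValueError(f"Pod range {pod_range} is smaller than one node's /{block} block")
    nodes_by_subnet = node_net.num_addresses - RESERVED_PER_SUBNET - other_hosts
    nodes_by_pod_range = 2 ** (block - pod_net.prefixlen)
    max_nodes = min(nodes_by_subnet, nodes_by_pod_range)
    return {
        "per_node_pod_prefix": block,
        "nodes_by_subnet": nodes_by_subnet,
        "nodes_by_pod_range": nodes_by_pod_range,
        "max_nodes": max_nodes,
        "limited_by": "subnet" if nodes_by_subnet <= nodes_by_pod_range else "pod_range",
        "max_pods": max_nodes * max_pods_per_node,
        "max_services": svc_net.num_addresses,
    }


def pod_range_prefix_for(target_nodes: int, max_pods_per_node: int = 110) -> int:
    """Longest Pod-range prefix (smallest range) that still fits target_nodes."""
    return per_node_pod_prefix(max_pods_per_node) - math.ceil(math.log2(target_nodes))


if __name__ == "__main__":
    # A /24 primary range caps the cluster at 252 nodes long before a /14 Pod range does.
    print(plan("10.0.0.0/24", "10.4.0.0/14", "10.8.0.0/20"))
    # A /16 Pod range at 110 Pods/node stops at 256 nodes even with a /22 primary range.
    print(plan("10.0.0.0/22", "10.4.0.0/16", "10.8.0.0/20"))
    # Lowering max Pods per node shrinks each node's block and lifts that ceiling.
    print(plan("10.0.0.0/22", "10.4.0.0/16", "10.8.0.0/20", max_pods_per_node=32))
    print("Pod range for 1000 nodes at 110 Pods/node: /%d" % pod_range_prefix_for(1000))
```

The planner assumes a single Pod range; a cluster that has exhausted it can be extended with additional Pod ranges (the "Deploying additional Pod ranges" item above) rather than rebuilt, but the primary range can only be expanded, never shrunk, so size it with headroom for non-GKE consumers in the same subnet.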
Section 3: Configuring managed network services (~16% of the exam)
3.1 Configuring load balancing. Considerations include:
Determining the load balancing solution for your network (internal/external, regional/global, application/proxy/passthrough, etc.).
Configuring backend services, including autoscaling (e.g., network endpoint groups [NEGs] and managed instance groups).
Cloud Load Balancing resource model
Internet network endpoint groups overview
Configuring various load balancers and backend settings, such as the balancing method, session affinity, serving capacity, URL maps, health checks, and global access.
Load balancer feature comparison
Cloud Load Balancing resource model
Application Load Balancer overview
Understanding load balancers in GKE (e.g., GKE Gateway controller, GKE Ingress controller, and NEGs).
Container-native load balancing
GKE Ingress for Application Load Balancers
Setting up traffic management on Application Load Balancer (e.g., traffic splitting, traffic mirroring, and URL rewrites).
Application Load Balancer overview
Cloud Load Balancing resource model
3.2 Configuring Cloud CDN. Considerations include:
Setting up Cloud CDN for supported origins (e.g., managed instance groups, Cloud Storage buckets, and Cloud Run).
Setting up Cloud CDN for external backends (internet NEGs) and third-party object storage.
External backends specified by using internet NEGs
Set up an external backend with an internet NEG
Set up third-party object storage
Invalidating cached content.
3.3 Configuring Cloud DNS. Considerations include:
Managing Cloud DNS zones and records.
Create, modify, and delete zones
Migrating to Cloud DNS.
Configuring Cloud DNS routing policies, such as geolocation and failover policies.
DNS routing policies and health checks
Configure DNS routing policies and health checks
Enabling DNS Security Extensions (DNSSEC).
DNS Security Extensions (DNSSEC) overview
Setting up self-hosted DNS integration with Cloud DNS, including configuring DNS forwarding and DNS server policies.
Understanding DNS private and public zones and setting up split-horizon DNS.
Create, modify, and delete zones
Setting up DNS cross-project binding and DNS peering.
Create a zone with cross-project binding
Configuring Cloud DNS and external-DNS operator for GKE.
Section 4: Configuring and implementing hybrid and multicloud network interconnectivity (~16% of the exam)
4.1 Configuring Cloud Interconnect. Considerations include:
Creating Dedicated Interconnect connections and configuring VLAN attachments.
Creating Partner Interconnect connections, configuring VLAN attachments, and differentiating between layer 2 and layer 3 type interconnects.
Creating Cross-Cloud Interconnect connections and configuring VLAN attachments.
Cross-Cloud Interconnect overview
Partner Cross-Cloud Interconnect for OCI overview
Configuring HA VPN over Cloud Interconnect.
HA VPN over Cloud Interconnect overview
Deploy HA VPN over Cloud Interconnect
Implementing 99.9% and 99.99% service-level agreements (SLAs) for interconnect topologies.
Establish 99.99% availability for Dedicated Interconnect
4.2 Configuring a site-to-site IPSec VPN. Considerations include:
Configuring HA VPN toward on-premises VPN gateways.
Create an HA VPN gateway to a peer VPN gateway
Configure the peer VPN gateway
Configuring HA VPN toward other Google Cloud VPCs.
Create an HA VPN gateway to a peer VPN gateway
Configuring Classic VPN (e.g., route-based and policy-based).
4.3 Configuring Cloud Router. Considerations include:
Implementing Border Gateway Protocol (BGP) attributes (e.g., ASN, route priority/MED, link-local addresses, and authentication).
Configuring Bidirectional Forwarding Detection (BFD).
Bidirectional Forwarding Detection (BFD) overview
Configure BFD for Cloud Router
Creating custom-advertised routes and custom-learned routes.
Specify and manage custom learned routes
Selecting between legacy and standard best path selection at the VPC.
Set routing and best path selection modes
4.4 Configuring Network Connectivity Center. Considerations include:
Creating hybrid spokes (e.g., VPN and VLAN attachment).
Establishing site-to-site data transfer.
Creating router appliances (RAs).
Site-to-cloud topologies that use a third-party appliance
Solving common transitivity networking issues.
Preset connectivity topologies
Section 5: Managing, monitoring, and troubleshooting network operations (~14% of the exam)
5.1 Logging and monitoring with Google Cloud Observability. Considerations include:
Enabling and reviewing Cloud Logging for networking components (e.g., Cloud VPN, Cloud Router, VPC Service Controls, Cloud Next Generation Firewall [NGFW], Firewall Insights, VPC Flow Logs, Cloud DNS, Cloud NAT, and Network Connectivity Center).
VPC firewall rules logging overview
Firewall policy rules logging overview
Monitoring networking metrics (e.g., Cloud VPN, Cloud Interconnect and VLAN attachments, Cloud Router, load balancers, Google Cloud Armor, and Cloud NAT).
Performance Dashboard overview
Network Intelligence Center overview
5.2 Maintaining and troubleshooting connectivity issues. Considerations include:
Draining and redirecting traffic flows with Application Load Balancer.
Failover for external Application Load Balancers
Application Load Balancer overview
Managing and troubleshooting VPNs.
Managing and troubleshooting Cloud Interconnect issues.
Troubleshooting Cloud Router BGP peering issues.
Troubleshoot BGP routes and route selection
BFD diagnostic messages and session states
Troubleshooting with VPC Flow Logs, firewall logs, and Packet Mirroring.
VPC firewall rules logging overview
5.3 Using Network Intelligence Center to monitor and troubleshoot common networking issues. Considerations include:
Using Network Topology to visualize throughput and traffic flows.
Using Connectivity Tests to diagnose route and firewall misconfigurations.
Test connectivity within VPC networks
Test connectivity to and from non-Google Cloud networks
Using Performance Dashboard to identify packet loss and latency (e.g., Google-wide and project scoped).
Performance Dashboard overview
Using Firewall Insights to monitor, identify, and improve rules.
Using Network Analyzer to identify network failures, suboptimal configurations, and utilization warnings.
GKE IP address utilization insights
Using Flow Analyzer and VPC Flow Logs to evaluate network traffic.
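The two VPC Flow Logs items above (troubleshooting with flow logs in 5.2, evaluating traffic with Flow Analyzer in 5.3) are easier to reason about with records in hand. The script below is an added example for this guide, not Google code or Flow Analyzer itself: it builds a handful of constructed log lines shaped like the jsonPayload that VPC Flow Logs writes to Cloud Logging (connection.src_ip, dest_ip, src_port, dest_port, protocol, bytes_sent, packets_sent, reporter, start_time, end_time), deduplicates the double reporting you get when both ends of a flow live in subnets with logging enabled, ranks flows by bytes, and flags internal-to-external traffic on ports outside an allow list. The IP addresses, ports, byte counts and the allow list are all assumptions.

```python
"""Summarise VPC Flow Logs records from Cloud Logging (added example for this
guide, not Google code). The records mimic the jsonPayload fields VPC Flow
Logs write (connection.src_ip/dest_ip/src_port/dest_port/protocol, bytes_sent,
packets_sent, reporter, start_time/end_time); every value is constructed.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

PRIVATE = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rec(src, dst, sport, dport, proto, nbytes, reporter, start="2024-01-01T10:00:00Z"):
    """Build one constructed log line shaped like a VPC Flow Logs jsonPayload."""
    return json.dumps({
        "connection": {"src_ip": src, "dest_ip": dst, "src_port": sport,
                       "dest_port": dport, "protocol": proto},   # protocol is the IANA number
        "bytes_sent": nbytes, "packets_sent": max(1, nbytes // 1400),
        "reporter": reporter, "start_time": start, "end_time": "2024-01-01T10:05:00Z",
    })


SAMPLE_LINES = [
    rec("10.0.1.10", "10.0.2.20", 50231, 5432, 6, 4000, "SRC"),       # app -> db
    rec("10.0.1.10", "10.0.2.20", 50231, 5432, 6, 4000, "DEST"),      # same flow, db subnet's view
    rec("10.0.1.10", "203.0.113.9", 50800, 443, 6, 150000, "SRC"),    # HTTPS egress
    rec("10.0.1.11", "198.51.100.23", 41022, 4444, 6, 900000, "SRC"), # odd port, large upload
    rec("35.235.240.5", "10.0.1.10", 33000, 22, 6, 2000, "DEST"),     # SSH in from the IAP range
]


def flow_key(r):
    c = r["connection"]
    return (c["src_ip"], c["dest_ip"], c["src_port"], c["dest_port"], c["protocol"], r["start_time"])


def dedupe(lines):
    """A flow between two logging-enabled subnets is reported twice (once by
    the SRC VM, once by the DEST VM). Keep one record per flow and interval,
    preferring the SRC view so bytes are not counted twice."""
    best = {}
    for line in lines:
        r = json.loads(line)
        k = flow_key(r)
        if k not in best or (r["reporter"] == "SRC" and best[k]["reporter"] != "SRC"):
            best[k] = r
    return list(best.values())


def top_talkers(records, n=3):
    """Bytes per (src, dst, dest_port, protocol), largest first."""
    totals = defaultdict(int)
    for r in records:
        c = r["connection"]
        totals[(c["src_ip"], c["dest_ip"], c["dest_port"], c["protocol"])] += r["bytes_sent"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def unexpected_egress(records, allowed_ports=frozenset({80, 443})):
    """Private source talking to a non-private destination on a port outside
    the allow list: the flows to look at before tightening egress rules."""
    hits = []
    for r in records:
        c = r["connection"]
        src, dst = ip_address(c["src_ip"]), ip_address(c["dest_ip"])
        if (any(src in n for n in PRIVATE) and not any(dst in n for n in PRIVATE)
                and c["dest_port"] not in allowed_ports):
            hits.append((c["src_ip"], c["dest_ip"], c["dest_port"], r["bytes_sent"]))
    return hits


if __name__ == "__main__":
    flows = dedupe(SAMPLE_LINES)
    print(f"{len(SAMPLE_LINES)} records -> {len(flows)} flows after dedupe")
    for key, total in top_talkers(flows):
        print("top talker", key, total, "bytes")
    for hit in unexpected_egress(flows):
        print("review egress", hit)
```

Flow logs are sampled and aggregated per interval, so treat byte totals as estimates; for a definitive answer on whether a given path is blocked by a route or firewall rule, pair this with a Connectivity Test rather than inferring it from missing flows.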
Section 6: Configuring, implementing and managing a cloud network security solution (~13% of the exam)
6.1 Configuring Google Cloud Armor policies. Considerations include:
Configuring and attaching edge and backend security policies.
Implementing web application firewall (WAF) rules (e.g., SQL injection, cross-site scripting, and remote file inclusion).
Preconfigured WAF rules overview
Configuring advanced network distributed denial of service (DDoS) and Adaptive Protection.
Best practices for Cloud Armor
Configuring rate limiting.
Best practices for Cloud Armor
Configuring bot management.
Best practices for Cloud Armor
Applying Google Threat Intelligence.
6.2 Configuring and managing NGFW policies and VPC Firewall rules. Considerations include:
Planning the firewall strategy (e.g., VPC firewall rules, Cloud NGFW, hierarchical firewall rules, and third-party integration).
Understanding the effective policy rules for hierarchical firewall situations.
Hierarchical firewall policies
Evaluation order for firewall policies and rules
Hierarchical firewall policy examples
Configuring Cloud NGFW to support GKE and Cloud Load Balancing.
Selectively enforce firewall policies in GKE
Creating and troubleshooting VPC firewall rules and Cloud NGFW regional/global/hierarchical policies.
Create global network firewall policies and rules
Create hierarchical firewall policies and rules
Manage hierarchical firewall policies and rules
Enabling layer 7 packet inspection with Cloud NGFW Enterprise.
Hierarchical firewall policies
Migrating from VPC firewall rules to Cloud NGFW policies.
VPC firewall rules migration overview
Migrate VPC firewall rules that use network tags and service accounts
Configuring VPC and NGFW rule criteria (e.g., rule priority, network protocols, direction [ingress and egress], source, and destination).
Configuring VPC and Firewall Rules Logging.
VPC firewall rules logging overview
Firewall policy rules logging overview
Manage firewall policy rules logging
Incorporating micro-segmentation for security purposes (e.g., using metadata, [secure] tags, service accounts, and network tags).
VPC firewall rules migration overview
Differentiating between the different tiers of Cloud NGFW: Essentials, Standard, and Enterprise.
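The "effective policy" questions in 6.2 hinge on evaluation order: hierarchical policies (organization, then folder) come first, then the global network firewall policy, then VPC firewall rules, then regional network firewall policies, and finally the implied rules (deny ingress, allow egress). Within a policy, rules are tried in priority order (lowest number first) and a matching goto_next hands the packet to the next level. The simulator below is an added example for this guide, not Google code; the policies, tags, addresses and packets are constructed. It also reproduces what happens when a network is switched to AFTER_CLASSIC_FIREWALL (gcloud compute networks update with --network-firewall-policy-enforcement-order), which moves the global network policy behind the VPC firewall rules. Target matching is simplified: real hierarchical and network policies target secure tags and service accounts, not network tags.

```python
"""Firewall evaluation-order simulator (added example for this guide, not
Google code). Applies the documented order: hierarchical policies (org, then
folder), global network firewall policy, VPC firewall rules, regional network
firewall policy, then the implied rules. Policies and packets are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Default enforcement order. AFTER_CLASSIC_FIREWALL swaps the global network
# policy and the VPC firewall rules.
DEFAULT_ORDER = ["hierarchical:org", "hierarchical:folder",
                 "global-network-policy", "vpc-rules", "regional-network-policy"]
AFTER_CLASSIC_ORDER = ["hierarchical:org", "hierarchical:folder",
                       "vpc-rules", "global-network-policy", "regional-network-policy"]


@dataclass
class Rule:
    priority: int                                   # 0-65535, lower number evaluated first
    direction: str                                  # "INGRESS" or "EGRESS"
    action: str                                     # "allow", "deny", "goto_next" (policies only)
    peer: list = field(default_factory=list)        # source CIDRs for ingress, destination CIDRs for egress; empty = any
    protocols: set = field(default_factory=lambda: {"all"})
    ports: set = field(default_factory=set)         # empty = any port
    target_tags: set = field(default_factory=set)   # empty = every instance in scope


@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    protocol: str
    port: int
    instance_tags: set = field(default_factory=set)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags and not (rule.target_tags & pkt.instance_tags):
        return False
    peer_ip = ip_address(pkt.src if pkt.direction == "INGRESS" else pkt.dst)
    if rule.peer and not any(peer_ip in ip_network(c) for c in rule.peer):
        return False
    if "all" not in rule.protocols and pkt.protocol not in rule.protocols:
        return False
    return not rule.ports or pkt.port in rule.ports


def evaluate(policies: dict, pkt: Packet, order=DEFAULT_ORDER):
    """Return (verdict, where). The first matching allow/deny is final; a
    matching goto_next abandons the rest of that policy. VPC firewall rules
    may share a priority, in which case deny wins, hence the sort key."""
    for level in order:
        rules = sorted(policies.get(level, []), key=lambda r: (r.priority, r.action != "deny"))
        for rule in rules:
            if not rule_matches(rule, pkt):
                continue
            if rule.action == "goto_next":
                break                                # defer to the next level
            return rule.action, f"{level} priority {rule.priority}"
    return ("deny" if pkt.direction == "INGRESS" else "allow"), "implied rule"


# Constructed policy set: the org blocks telnet everywhere, the folder admits
# IAP TCP forwarding on 22 and hands everything else down, the global network
# policy blocks plain HTTP, and a VPC rule opens 80/443 to instances tagged "web".
POLICIES = {
    "hierarchical:org": [Rule(1000, "INGRESS", "deny", ["0.0.0.0/0"], {"tcp"}, {23})],
    "hierarchical:folder": [
        Rule(500, "INGRESS", "allow", ["35.235.240.0/20"], {"tcp"}, {22}),
        Rule(1000, "INGRESS", "goto_next", ["0.0.0.0/0"]),
    ],
    "global-network-policy": [Rule(100, "INGRESS", "deny", ["0.0.0.0/0"], {"tcp"}, {80})],
    "vpc-rules": [Rule(1000, "INGRESS", "allow", ["0.0.0.0/0"], {"tcp"}, {80, 443}, {"web"})],
}


def run_examples(order=DEFAULT_ORDER) -> dict:
    packets = {
        "telnet_from_internet": Packet("INGRESS", "198.51.100.7", "10.0.0.5", "tcp", 23, {"web"}),
        "ssh_from_iap": Packet("INGRESS", "35.235.240.10", "10.0.0.5", "tcp", 22),
        "https_to_web": Packet("INGRESS", "203.0.113.5", "10.0.0.5", "tcp", 443, {"web"}),
        "http_to_web": Packet("INGRESS", "203.0.113.5", "10.0.0.5", "tcp", 80, {"web"}),
        "https_to_untagged": Packet("INGRESS", "203.0.113.5", "10.0.0.9", "tcp", 443),
        "egress_dns": Packet("EGRESS", "10.0.0.5", "8.8.8.8", "udp", 53, {"web"}),
    }
    return {name: evaluate(POLICIES, p, order) for name, p in packets.items()}


if __name__ == "__main__":
    for label, order in (("default order", DEFAULT_ORDER), ("AFTER_CLASSIC_FIREWALL", AFTER_CLASSIC_ORDER)):
        print(label)
        for name, (verdict, where) in run_examples(order).items():
            print(f"  {name:22s} {verdict:5s} via {where}")
```

The http_to_web packet is the one to study: under the default order the global network policy's priority-100 deny wins even though a VPC rule allows port 80, and flipping the network to AFTER_CLASSIC_FIREWALL reverses the verdict without touching a single rule. The same packet fed to a Connectivity Test would show which rule fired in the real project.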
6.3 Configuring and securing internet egress traffic using Public Cloud NAT and Secure Web Proxy. Considerations include:
Configuring public Cloud NAT IP addressing and assigning automatic and manual Cloud NAT IP addresses.
Configuring static and dynamic port allocation for Cloud NAT.
Configuring Secure Web Proxy.
Secure Web Proxy policies overview
Publish Secure Web Proxy as a Private Service Connect service
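The port allocation items in 6.3 are a sizing question in disguise: every NAT IP address offers 64,512 source ports (1024 to 65535), a VM's port count is rounded up to a power of two, and once a VM's ports are exhausted its new connections to a destination are dropped rather than queued. The calculator below is an added example for this guide, not Google code; it applies those documented numbers to static allocation (minPortsPerVm, default 64, held for the life of the VM) and to dynamic allocation (starts at minPortsPerVm, default 32, doubles on demand up to maxPortsPerVm, default 65536). The VM counts and port settings it is run with are constructed.

```python
"""Cloud NAT port-allocation calculator (added example for this guide, not
Google code). Figures used: 64,512 source ports per NAT IP address; per-VM port
counts rounded up to a power of two; static allocation defaults to 64 ports per
VM; dynamic allocation defaults to 32 minimum and 65,536 maximum. Inputs below
are constructed.
"""
import math

PORTS_PER_NAT_IP = 64_512   # ports 1024-65535 on one NAT IP address


def round_up_pow2(n: int) -> int:
    """Cloud NAT only hands out power-of-two port counts."""
    return 1 if n <= 1 else 1 << (n - 1).bit_length()


def static_plan(vm_count: int, min_ports_per_vm: int = 64) -> dict:
    """Static port allocation: every VM gets min_ports_per_vm for as long as it
    exists, so the NAT IP count follows directly from the VM count."""
    ports = round_up_pow2(min_ports_per_vm)
    if ports > PORTS_PER_NAT_IP:
        raise ValueError("static allocation beyond one NAT IP per VM is out of scope here")
    vms_per_ip = PORTS_PER_NAT_IP // ports
    return {
        "ports_per_vm": ports,
        # each port serves one simultaneous connection to a given destination IP:port
        "max_connections_to_one_destination": ports,
        "vms_per_ip": vms_per_ip,
        "nat_ips_needed": math.ceil(vm_count / vms_per_ip),
    }


def dynamic_plan(vm_count: int, min_ports_per_vm: int = 32, max_ports_per_vm: int = 65536) -> dict:
    """Dynamic port allocation: bound the NAT IP count between the quiet case
    (every VM at its minimum) and the worst case (every VM at its maximum)."""
    lo, hi = round_up_pow2(min_ports_per_vm), round_up_pow2(max_ports_per_vm)
    if hi < lo:
        raise ValueError("maxPortsPerVm must be at least minPortsPerVm")
    return {
        "min_ports": lo,
        "max_ports": hi,
        "nat_ips_floor": math.ceil(vm_count * lo / PORTS_PER_NAT_IP),
        "nat_ips_if_all_burst": math.ceil(vm_count * hi / PORTS_PER_NAT_IP),
    }


if __name__ == "__main__":
    print("static, 2000 VMs, default 64 ports:", static_plan(2000))
    print("static, 2000 VMs, 100 ports (rounded to 128):", static_plan(2000, 100))
    print("dynamic, 1000 VMs, defaults:", dynamic_plan(1000))
```

With manual NAT IP assignment the gateway cannot grow past the addresses you reserved, so nat_ips_needed is the number to provision up front; with automatic assignment the gateway adds addresses itself, and the calculation tells you how many to expect in the quota and in downstream allow lists.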
6.4 Configuring self-managed network virtual appliance and Packet Mirroring. Considerations include:
Routing and inspecting inter-VPC traffic using multi-network interface card (NIC) virtual machines (VMs) (e.g., NGFW appliances).
Create VMs with multiple network interfaces
Configuring an internal load balancer as a next hop for HA multi-NIC VM routing.
Configuring policy-based routes for HA multi-NIC VM routing.
Developing a strategy for out-of-band Network Security Integration.
Out-of-band integration overview
Mirroring endpoint groups overview
Mirroring deployment groups overview
Configuring Packet Mirroring for VPC traffic toward self-managed collectors.
Cloud Network Engineer – Final Thoughts
This guide covered all six domains of the PCNE exam guide — VPC design, implementation, managed network services, hybrid and multicloud connectivity, network operations, and network security — each linked to official Google Cloud documentation. Work through Cloud Router, Cloud Interconnect, Cloud DNS, and Cloud NGFW hands-on as you study, and revisit this guide as your practice deepens.