A Professional Cloud Network Engineer implements and manages network architectures in Google Cloud. This individual may work on networking or cloud teams with architects who design cloud infrastructure. The Cloud Network Engineer uses the Google Cloud Console and/or command line interface, and leverages experience with network services, application and container networking, hybrid and multi-cloud connectivity, implementing VPCs, and security for established network architectures to ensure successful cloud implementations.
The exam is 2 hours long and costs $200.
Exam Content & Outline – What Will You Be Tested On?
There are FIVE main crucial capabilities that the exam will test you on:
- Designing, planning, and prototyping a Google Cloud network
- Implementing VPC (Virtual Private Cloud) instances
- Configuring network services
- Implementing hybrid interconnectivity
- Managing, monitoring, and optimizing network operations
Let’s look at each of these in more detail and find out what exactly to study in order to be certified as a Professional Cloud Network Engineer.
Designing, Planning, and Prototyping a Google Cloud Network
- Designing an overall network architecture
- High availability, failover, and disaster recovery strategies
- DNS strategy (e.g., on-premises, Cloud DNS)
- Security and data exfiltration requirements
- Load balancing
- Applying quotas per project and per VPC
- Hybrid connectivity (e.g., Google private access)
- Container networking
- IAM roles
- SaaS, PaaS, IaaS services
- Microsegmentation for security purposes (e.g., using metadata, tags, service accounts)
- Designing VPC instances
- IP address management and Bring-Your-Own-IP (BYOIP)
- Standalone vs. Shared VPC
- Multiple vs. single
- Regional vs. multi-regional
- VPC Network Peering
- Firewalls (e.g., service account-based, tag-based)
- Custom routes
- Using managed services (e.g., Cloud SQL, Memorystore)
- Third-party device insertion (NGFW) into VPC using multi-NIC and internal load balancer as a next hop or equal-cost multi-path (ECMP) routes
- Designing a hybrid and multi-cloud network
- Dedicated Interconnect vs. Partner Interconnect
- Multi-cloud connectivity
- Direct Peering
- IPsec VPN
- Failover and disaster recovery strategy
- Regional vs. global VPC routing mode
- Accessing multiple VPCs from on-premises locations (e.g., Shared VPC, multi-VPC peering)
- Bandwidth and constraints provided by hybrid connectivity solutions
- Accessing Google Services/APIs privately from on-premises locations
- IP address management across on-premises locations and cloud
- DNS peering and forwarding
- Designing an IP addressing plan for GKE (Google Kubernetes Engine)
- Public and private cluster nodes
- Control plane public vs. private endpoints
- Subnets and alias IPs
- RFC 1918, non-RFC 1918, and privately used public IP (PUPI) address options
Implementing VPC (Virtual Private Cloud) Instances
- Configuring VPCs
- Google Cloud VPC resources (e.g., networks, subnets, firewall rules)
- VPC Network Peering
- Creating a Shared VPC network and sharing subnets with other projects
- Configuring API access to Google services (e.g., Private Google Access, public interfaces)
- Expanding VPC subnet ranges after creation
- Configuring routing
- Static vs. dynamic routing
- Global vs. regional dynamic routing
- Routing policies using tags and priority
- Internal load balancer as a next hop
- Custom route import/export over VPC Network Peering
- Configuring and maintaining GKE clusters
- VPC-native clusters using alias IPs
- Clusters with Shared VPC
- Creating Kubernetes Network Policies
- Private clusters and private control plane endpoints
- Adding authorized networks for cluster control plane endpoints
- Configuring and managing firewall rules
- Target network tags and service accounts
- Rule priority
- Network protocols
- Ingress and egress rules
- Firewall rule logging
- Firewall Insights
- Hierarchical firewalls
- Implementing VPC Service Controls
- Creating and configuring access levels and service perimeters
- VPC accessible services
- Perimeter bridges
- Audit logging
- Dry run mode
Configuring Network Services
- Configuring load balancing
- Backend services and network endpoint groups (NEGs)
- Firewall rules to allow traffic and health checks to backend services
- Health checks for backend services and target instance groups
- Configuring backends and backend services with balancing method (e.g., RPS, CPU, Custom), session affinity, and capacity scaling/scaler
- TCP and SSL proxy load balancers
- Load balancers (e.g., External HTTP(S), TCP/UDP, etc.)
- Protocol forwarding
- Accommodating workload increases using autoscaling vs. manual scaling
- Configuring Google Cloud Armor policies
- Security policies
- Web application firewall (WAF) rules (e.g., SQL injection, XSS, remote file inclusion)
- Attaching security policies to load balancer backends
- Configuring Cloud CDN
- Enabling and disabling
- Cloud CDN
- Cache keys
- Invalidating cached objects
- Signed URLs
- Custom origins
- Configuring and maintaining Cloud DNS
- Managing zones and records
- Migrating to Cloud DNS
- DNS Security Extensions (DNSSEC)
- Forwarding and DNS server policies
- Integrating on-premises DNS with Google Cloud
- Split-horizon DNS
- DNS peering
- Private DNS logging
- Configuring Cloud NAT
- Addressing
- Port allocations
- Customizing timeouts
- Logging and monitoring
- Restrictions per organization policy constraints
- Configuring network packet inspection
- Packet Mirroring in single and multi-VPC topologies
- Capturing relevant traffic using Packet Mirroring source and traffic filters
- Routing and inspecting inter-VPC traffic using multi-NIC VMs (e.g., next-generation firewall appliances)
- Configuring an internal load balancer as a next hop for highly available multi-NIC VM routing
Implementing Hybrid Interconnectivity
- Configuring Cloud Interconnect
- Dedicated Interconnect connections and VLAN attachments
- Partner Interconnect connections and VLAN attachments
- Configuring a site-to-site IPsec VPN
- HA VPN (dynamic routing)
- Classic VPN (e.g., route-based routing, policy-based routing)
- Configuring Cloud Router
- Border Gateway Protocol (BGP) attributes (e.g., ASN, route priority/MED, link-local addresses)
- Custom route advertisements via BGP
- Deploying reliable and redundant Cloud Routers
Managing, Monitoring, and Optimizing Network Operations
- Logging and monitoring with Google Cloud’s operations suite
- Reviewing logs for networking components (e.g., VPN, Cloud Router, VPC Service Controls)
- Monitoring networking components (e.g., VPN, Cloud Interconnect connections and Interconnect attachments, Cloud Router, Load Balancer, Cloud Armor, Cloud NAT)
- Managing and maintaining security
- Firewalls (e.g., cloud-based, private)
- Diagnosing and resolving IAM issues (e.g., Shared VPC, security/network admin)
- Maintaining and troubleshooting connectivity issues
- Draining and redirecting traffic flows with HTTPS load balancing
- Monitoring ingress and egress traffic using VPC Flow Logs
- Monitoring firewall logs (Firewall Insights)
- Managing and troubleshooting VPNs
- Troubleshooting Cloud Router BGP peering issues
- Monitoring, maintaining, and troubleshooting latency and traffic flow
- Testing network throughput and latency
- Diagnosing routing issues
- Using Network Intelligence Center to visualize topology, test connectivity, and monitor performance
Recommended Study Materials
- Books
- Google Cloud Certified Professional Cloud Network Engineer Guide: Design, implement, manage, and secure a network architecture in Google Cloud
- Google Cloud Platform – Networking: Beginner to Skilled Practitioner in One Book
- Google Cloud Certified Professional Cloud Network Engineer 2022: 240+ Latest Exam practice Questions
