Professional Cloud Network Engineer
Certification exam guide
A Professional Cloud Network Engineer implements and manages network architectures in Google Cloud. This individual may work on networking or cloud teams with architects who design cloud infrastructure. The Cloud Network Engineer uses the Google Cloud console and/or command line interface, and leverages experience with network services, application and container networking, hybrid and multi-cloud connectivity, implementing VPCs, and security for established network architectures to ensure successful cloud implementations.
Section 1: Designing, planning, and prototyping a Google Cloud network
1.1 Designing an overall network architecture.
Considerations include: ● High availability, failover, and
disaster recovery strategies ● DNS strategy (e.g., on-premises,
Cloud DNS) ● Security and data exfiltration
requirements ● Load balancing ● Applying quotas per project and
per VPC ● Hybrid connectivity (e.g., Google
private access for hybrid connectivity) ● Container networking ● IAM roles ● SaaS, PaaS, and IaaS services ● Microsegmentation for security
purposes (e.g., using metadata, tags, service accounts)
1.2 Designing Virtual Private Cloud (VPC) instances.
Considerations include: ● IP address management and bring
your own IP (BYOIP) ● Standalone vs. Shared VPC ● Multiple vs. single ● Regional vs. multi-regional ● VPC Network Peering ● Firewalls (e.g., service
account-based, tag-based) ● Custom routes ● Using managed services (e.g.,
Cloud SQL, Memorystore) ● Third-party device insertion
(NGFW) into VPC using multi-NIC and internal load
balancer as a next hop or equal-cost multi-path (ECMP)
routes 1.3 Designing a hybrid and multi-cloud network.
Considerations include: ● Dedicated Interconnect vs.
Partner Interconnect ● Multi-cloud connectivity ● Direct Peering ● IPsec VPN ● Failover and disaster recovery
strategy ● Regional vs. global VPC routing
mode ● Accessing multiple VPCs from
on-premises locations (e.g., Shared VPC, multi-VPC
peering topologies) ● Bandwidth and constraints
provided by hybrid connectivity solutions ● Accessing Google Services/APIs
privately from on-premises locations ● IP address management across
on-premises locations and cloud ● DNS peering and forwarding 1.4 Designing an IP addressing plan for Google
Kubernetes Engine. Considerations include: ● Public and private cluster nodes
● Control plane public vs. private
endpoints ● Subnets and alias IPs ● RFC 1918, non-RFC 1918, and
privately used public IP (PUPI) address options
Section 2: Implementing Virtual Private Cloud (VPC) instances
2.1 Configuring VPCs. Considerations include: ● Google Cloud VPC resources (e.g.,
networks, subnets, firewall rules) ● VPC Network Peering ● Creating a Shared VPC network and
sharing subnets with other projects ● Configuring API access to Google
services (e.g., Private Google Access, public
interfaces) ● Expanding VPC subnet ranges after
creation 2.2 Configuring routing. Considerations include: ● Static vs. dynamic routing ● Global vs. regional dynamic
routing ● Routing policies using tags and
priority ● Internal load balancer as a next
hop ● Custom route import/export over
VPC Network Peering 2.3 Configuring and maintaining Google Kubernetes
Engine clusters. Considerations include: ● VPC-native clusters using alias
IPs ● Clusters with Shared VPC ● Creating Kubernetes Network
Policies ● Private clusters and private
control plane endpoints ● Adding authorized networks for
cluster control plane endpoints 2.4 Configuring and managing firewall rules.
Considerations include: ● Target network tags and service
accounts ● Rule priority ● Network protocols ● Ingress and egress rules ● Firewall rule logging ● Firewall Insights ● Hierarchical firewalls 2.5 Implementing VPC Service Controls. Considerations
include: ● Creating and configuring access
levels and service perimeters ● VPC accessible services ● Perimeter bridges ● Audit logging ● Dry run mode
Section 3: Configuring network services
3.1 Configuring load balancing. Considerations include:
● Backend services and network
endpoint groups (NEGs) ● Firewall rules to allow traffic
and health checks to backend services ● Health checks for backend
services and target instance groups ● Configuring backends and backend
services with balancing method (e.g., RPS, CPU, Custom),
session affinity, and capacity scaling/scaler ● TCP and SSL proxy load balancers
● Load balancers (e.g., External
TCP/UDP Network Load Balancing, Internal TCP/UDP Load
Balancing, External HTTP(S) Load Balancing, Internal
HTTP(S) Load Balancing) ● Protocol forwarding ● Accommodating workload increases
using autoscaling vs. manual scaling 3.2 Configuring Google Cloud Armor policies.
Considerations include: ● Security policies ● Web application firewall (WAF)
rules (e.g., SQL injection, cross-site scripting, remote
file inclusion) ● Attaching security policies to
load balancer backends 3.3 Configuring Cloud CDN. Considerations include: ● Enabling and disabling ● Cloud CDN ● Cache keysInvalidating cached
objects ● Signed URLs ● Custom origins 3.4 Configuring and maintaining Cloud DNS.
Considerations include: ● Managing zones and records ● Migrating to Cloud DNS ● DNS Security Extensions (DNSSEC)
● Forwarding and DNS server
policies ● Integrating on-premises DNS with
Google Cloud ● Split-horizon DNS ● DNS peering ● Private DNS logging 3.5 Configuring Cloud NAT. Considerations include: ● Addressing ● Port allocations ● Customizing timeouts ● Logging and monitoring ● Restrictions per organization
policy constraints 3.6 Configuring network packet inspection.
Considerations include: ● Packet Mirroring in single and
multi-VPC topologies ● Capturing relevant traffic using
Packet Mirroring source and traffic filters ● Routing and inspecting inter-VPC
traffic using multi-NIC VMs (e.g., next-generation
firewall appliances) ● Configuring an internal load
balancer as a next hop for highly available multi-NIC VM
routing
Section 4: Implementing hybrid interconnectivity
4.1 Configuring Cloud Interconnect. Considerations
include: ● Dedicated Interconnect
connections and VLAN attachments ● Partner Interconnect connections
and VLAN attachments 4.2 Configuring a site-to-site IPsec VPN.
Considerations include: ● High availability VPN (dynamic
routing) ● Classic VPN (e.g., route-based
routing, policy-based routing) 4.3 Configuring Cloud Router. Considerations include:
● Border Gateway Protocol (BGP)
attributes (e.g., ASN, route priority/MED, link-local
addresses) ● Custom route advertisements via
BGP ● Deploying reliable and redundant
Cloud Routers
Section 5: Managing, monitoring, and optimizing network operations
5.1 Logging and monitoring with Google Cloud’s
operations suite. Considerations include: ● Reviewing logs for networking
components (e.g., VPN, Cloud Router, VPC Service
Controls) ● Monitoring networking components
(e.g., VPN, Cloud Interconnect connections and
interconnect attachments, Cloud Router, load balancers,
Google Cloud Armor, Cloud NAT) 5.2 Managing and maintaining security. Considerations
include: ● Firewalls (e.g., cloud-based,
private) ● Diagnosing and resolving IAM
issues (e.g., Shared VPC, security/network admin) 5.3 Maintaining and troubleshooting connectivity
issues. Considerations include: ● Draining and redirecting traffic
flows with HTTP(S) Load Balancing ● Monitoring ingress and egress
traffic using VPC Flow Logs ● Monitoring firewall logs and
Firewall Insights ● Managing and troubleshooting VPNs
● Troubleshooting Cloud Router BGP
peering issues 5.4 Monitoring, maintaining, and troubleshooting
latency and traffic flow. Considerations include: ● Testing network throughput and
latency ● Diagnosing routing issues ● Using Network Intelligence Center
to visualize topology, test connectivity, and monitor
performance