Google Cloud Professional Cloud Network Engineer Study Guide
The Google Cloud Professional Cloud Network Engineer exam validates your ability to design, implement, manage, and troubleshoot Google Cloud network architectures, including VPCs, hybrid connectivity, load balancing, DNS, and network security. It is aimed at network professionals who deploy and operate Google Cloud networks at scale, often in hybrid and multi-VPC environments. The 2-hour exam is scored pass/fail (Google does not publish a numeric passing score) and emphasizes scenario-based design trade-offs across cost, security, performance, and resilience.
Domain 1: Designing and Planning a Network
- A VPC network is a global resource that spans all regions automatically, while subnets are regional resources whose IP range is bound to one region; VMs in any zone of a region can use that region's subnets.
- Custom-mode VPCs require you to manually create each subnet and choose its CIDR, whereas auto-mode VPCs auto-create one /20 subnet per region; production designs favor custom mode for explicit IP control.
- VPC Network Peering connects two VPCs so VMs communicate over internal IP addresses with no external hops, but it is non-transitive (peering A-B and B-C does not connect A to C) and requires completely non-overlapping subnet CIDR ranges (primary and secondary) across both networks.
- When CIDR ranges overlap, peering is rejected; remediate by re-IPing one VPC or by using Private Service Connect to expose only a specific service endpoint instead of the whole network.
- Shared VPC designates one host project whose subnets, firewall rules, and routes are centrally managed, while service projects deploy workloads into those shared subnets - centralizing network administration across an organization.
- Cloud Interconnect (Dedicated or Partner) and Cloud VPN are the two hybrid connectivity options; Interconnect provides a private physical link (10/100 Gbps for Dedicated) that never traverses the public internet.
- Network Connectivity Center (NCC) provides a managed hub-and-spoke model giving transitive connectivity between multiple VPCs and on-prem sites, avoiding full-mesh peering or transit-VPC complexity.
- Routes and firewall rules both use a numeric priority from 0 to 65535 where a lower number wins. Routes: the longest matching prefix is chosen first, and only among routes with the same prefix length does the lowest priority number win. Firewall rules: of all rules that match a packet, the one with the lowest priority number is applied; if an allow and a deny match at the same priority, deny wins. Rules are never evaluated in creation order.
- A custom static route with a VM (or internal load balancer) as the next hop steers traffic through a network virtual appliance (NVA); create with gcloud compute routes create --destination-range and --next-hop-ilb or --next-hop-instance.
- Co-locating instances that communicate heavily in the same zone avoids inter-zone egress charges; cross-region and internet egress cost more than same-zone traffic.
- Premium Network Service Tier routes traffic over Google's global backbone for lowest latency, while Standard Tier routes over the public internet from the source region to reduce egress cost for regional workloads.
- PRIVATE_SERVICE_CONNECT, REGIONAL_MANAGED_PROXY, and GLOBAL_MANAGED_PROXY are special subnet purposes. A proxy-only subnet must exist in a region before you deploy the regional Envoy-based load balancers there (regional internal and external Application Load Balancers, regional proxy Network Load Balancers, and the cross-region internal Application Load Balancer); the global external Application Load Balancer does not need one.
- A subnet's primary range can be expanded later in place (gcloud compute networks subnets expand-ip-range SUBNET --prefix-length=N) without recreating it, in both custom and auto mode, but you can only grow the range to a shorter prefix, never shrink it, and the expanded range must not overlap any other range in the VPC or in a peered VPC.
- For cost-optimized regional web workloads, a regional external Application Load Balancer on Standard Tier is typically more economical than a global Premium-Tier deployment.
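The two address-planning checks above (peering is refused on any primary or secondary overlap, and a subnet can only be expanded into space nothing else uses) are easy to script before touching gcloud. The following is an added example written for this guide, not code from Google or from the original page; the VPC names and CIDR ranges are constructed, and the expansion logic models the documented behaviour of expand-ip-range rather than calling it.

```python
import ipaddress
from itertools import product

# Constructed sample VPCs: subnet name -> [primary CIDR, *secondary CIDRs].
PROD_VPC = {
    "prod-us-central1": ["10.10.0.0/20", "10.100.0.0/16"],   # secondary range for GKE pods
    "prod-europe-west1": ["10.10.64.0/20"],
}
PARTNER_VPC = {
    "partner-us-east1": ["10.20.0.0/20"],
    "partner-us-west1": ["10.100.128.0/17"],                  # collides with the prod secondary
}

def all_ranges(vpc):
    """Flatten primary and secondary ranges into (subnet name, network) pairs."""
    return [(name, ipaddress.ip_network(cidr))
            for name, cidrs in vpc.items() for cidr in cidrs]

def peering_conflicts(vpc_a, vpc_b):
    """Every overlapping pair; VPC Network Peering is rejected if this is non-empty."""
    return [(na, str(neta), nb, str(netb))
            for (na, neta), (nb, netb) in product(all_ranges(vpc_a), all_ranges(vpc_b))
            if neta.overlaps(netb)]

def can_peer(vpc_a, vpc_b):
    return not peering_conflicts(vpc_a, vpc_b)

def can_expand(subnet_cidr, new_prefix_len, other_ranges):
    """Model `expand-ip-range --prefix-length`: the prefix may only get shorter (the
    range grows, never shrinks) and the grown range must not touch any other range
    in this VPC or a peered one. Returns (ok, expanded range or reason)."""
    net = ipaddress.ip_network(subnet_cidr)
    if new_prefix_len >= net.prefixlen:
        return False, "prefix length must be shorter: a range can only grow"
    grown = net.supernet(new_prefix=new_prefix_len)
    for cidr in other_ranges:
        if grown.overlaps(ipaddress.ip_network(cidr)):
            return False, f"expanded range {grown} overlaps {cidr}"
    return True, str(grown)

if __name__ == "__main__":
    for conflict in peering_conflicts(PROD_VPC, PARTNER_VPC):
        print("overlap:", conflict)
    print("can peer:", can_peer(PROD_VPC, PARTNER_VPC))
    print(can_expand("10.10.0.0/20", 18, ["10.10.64.0/20", "10.100.0.0/16"]))
    print(can_expand("10.10.0.0/20", 17, ["10.10.64.0/20"]))
```

Run it before requesting a peering or an expansion; the overlap report names both subnets so the re-IP or Private Service Connect decision can be made per range rather than per VPC.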
Domain 2: Implementing VPC Networks
- Private Google Access is a per-subnet flag that lets VMs without external IPs reach Google APIs and services (Cloud Storage, BigQuery, Pub/Sub) over internal IPs via Google's network.
- Cloud NAT is a managed, distributed (non-instance-based) service that gives VMs without external IPs outbound internet access by translating internal IPs to a pool of NAT IPs; it allows no unsolicited inbound connections.
- Every VPC network has two implied rules that cannot be deleted: implied deny-all ingress and implied allow-all egress, both at the lowest precedence (priority 65535); you add rules with lower priority numbers to override them.
- VPC firewall rules can target by network tag or service account in addition to IP range; service-account-based rules follow the VM's identity even when its IP changes, making them robust in dynamic fleets.
- GCP has three firewall constructs: hierarchical firewall policies (attached at the organization or folder level for centralized governance), network firewall policies (global or regional, attached to a VPC), and VPC firewall rules (per-network). By default they are evaluated in that order, and a policy rule whose action is goto_next hands the decision down to the next level.
- Cloud NAT port exhaustion is fixed by increasing minimum ports per VM and/or adding more NAT IP addresses; each NAT IP provides about 64,512 usable source ports per destination.
- Private Service Connect lets a consumer reach a producer's published service through a private endpoint (forwarding rule) in the consumer VPC, exposing only that service and avoiding full VPC peering.
- Organization Policy constraints such as constraints/compute.vmExternalIpAccess restrict external IP assignment across projects, enforcing a no-public-IP posture centrally.
- Create a custom VPC with gcloud compute networks create prod-vpc --subnet-mode=custom, then add subnets with gcloud compute networks subnets create --network --region --range.
- Create firewall rules with gcloud compute firewall-rules create using --source-ranges, --target-tags (or --target-service-accounts), --direction, --action, and --rules.
- Enable VPC Flow Logs at subnet creation or update with --enable-flow-logs, set --logging-flow-sampling (0.0-1.0), and tune --logging-aggregation-interval (from interval-5-sec up to interval-15-min) to balance detail against log volume and cost.
- To cut Flow Log cost while keeping value, lower --logging-flow-sampling, increase the aggregation interval, drop unneeded annotations with --logging-metadata, and keep only relevant traffic with a --logging-filter-expr filter expression.
- Consolidating many overlapping source ranges into summarized CIDR blocks in a single firewall rule reduces rule sprawl and stays within the per-network rule limits.
- Centralized egress patterns place a network virtual appliance or Secure Web Proxy behind an internal passthrough Network Load Balancer in a hub VPC, with a custom default route (next hop the internal load balancer) in each spoke, or exported to spokes over peering, so internet-bound traffic passes through the hub for uniform egress control. Cloud NAT in the hub then performs the address translation for the appliance; Cloud NAT only serves VMs in the VPC where it is configured, so it cannot be the spokes' egress on its own.
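Reviewing a rule set by hand is where most firewall mistakes slip through, so it helps to reproduce the evaluation order in code: the lowest priority number among matching rules wins, deny beats allow on a tie, targets may be tags or service accounts, and the implied rules only apply when nothing else matches. The block below is an added example for this guide, not Google code or code from the original page. The rule set, the service account name and the packets are constructed; the two source ranges quoted (35.235.240.0/20 for IAP TCP forwarding and 199.36.153.8/30 for private.googleapis.com) are Google's published ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    priority: int                # 0 = highest precedence, 65535 = lowest
    direction: str               # "INGRESS" or "EGRESS"
    action: str                  # "allow" or "deny"
    protocols: set               # {("tcp", 22), ("icmp", None), ("all", None)}; None port = any
    source_ranges: list = field(default_factory=list)       # ingress; empty = 0.0.0.0/0
    destination_ranges: list = field(default_factory=list)  # egress; empty = 0.0.0.0/0
    target_tags: set = field(default_factory=set)
    target_service_accounts: set = field(default_factory=set)  # no targets = every instance

@dataclass
class Packet:
    direction: str
    remote_ip: str               # source IP for ingress, destination IP for egress
    protocol: str
    port: Optional[int]
    vm_tags: set
    vm_service_account: str

def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def matches(rule, pkt):
    """Does this rule apply to this packet arriving at or leaving this VM?"""
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags or rule.target_service_accounts:
        if not (rule.target_tags & pkt.vm_tags
                or pkt.vm_service_account in rule.target_service_accounts):
            return False
    ranges = rule.source_ranges if pkt.direction == "INGRESS" else rule.destination_ranges
    if ranges and not _in_ranges(pkt.remote_ip, ranges):
        return False
    return any(proto == "all" or (proto == pkt.protocol and port in (None, pkt.port))
               for proto, port in rule.protocols)

def evaluate(rules, pkt):
    """Return (action, rule_name). Lowest priority number among matching rules wins;
    on a tie deny beats allow; with no match the implied rules decide."""
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        if pkt.direction == "INGRESS":
            return ("deny", "implied-deny-ingress")
        return ("allow", "implied-allow-egress")
    best = min(hits, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return (best.action, best.name)

WEB_SA = "web-sa@example-project.iam.gserviceaccount.com"   # assumed service account
SAMPLE_RULES = [                                             # constructed rule set
    Rule("allow-web", 1000, "INGRESS", "allow", {("tcp", 443)},
         source_ranges=["0.0.0.0/0"], target_service_accounts={WEB_SA}),
    Rule("deny-web-blocklist", 1000, "INGRESS", "deny", {("tcp", 443)},
         source_ranges=["203.0.113.0/24"], target_service_accounts={WEB_SA}),
    Rule("allow-ssh-iap", 1000, "INGRESS", "allow", {("tcp", 22)},
         source_ranges=["35.235.240.0/20"], target_tags={"ssh"}),   # IAP TCP forwarding
    Rule("allow-egress-google-apis", 1000, "EGRESS", "allow", {("tcp", 443)},
         destination_ranges=["199.36.153.8/30"]),                 # private.googleapis.com
    Rule("deny-egress-all", 65000, "EGRESS", "deny", {("all", None)},
         destination_ranges=["0.0.0.0/0"]),                       # overrides implied allow
]

def check(direction, remote_ip, protocol, port, tags=frozenset(), sa=WEB_SA):
    """Evaluate one packet against SAMPLE_RULES for a VM with the given tags and SA."""
    return evaluate(SAMPLE_RULES, Packet(direction, remote_ip, protocol, port, set(tags), sa))

if __name__ == "__main__":
    print(check("INGRESS", "203.0.113.5", "tcp", 443))          # deny wins the tie
    print(check("INGRESS", "198.51.100.7", "tcp", 22, {"ssh"}))  # implied deny
    print(check("EGRESS", "8.8.8.8", "udp", 53))                 # deny-egress-all
```

The tie case is the one worth remembering for both the exam and production: an allow and a deny at the same priority for the same traffic resolve to deny, so a blocklist can safely share a priority with the allow rule it carves out of.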
Domain 3: Configuring Network Services
- The global external Application Load Balancer (HTTP/S) operates at Layer 7, uses a single anycast IP advertised from Google's global edge PoPs, and routes by URL map (host/path) for globally distributed apps.
- The internal passthrough Network Load Balancer keeps TCP/UDP traffic private within a region at Layer 4, does not proxy, and preserves the client source IP.
- The external passthrough Network Load Balancer (Layer 4) preserves original client source IP and supports non-HTTP protocols, unlike the proxying Application Load Balancer.
- Cloud CDN integrates with the external Application Load Balancer and caches HTTP(S) responses at Google edge PoPs; subsequent hits are served from the nearest edge, reducing latency and origin egress.
- Cloud CDN cache modes: USE_ORIGIN_HEADERS respects Cache-Control, CACHE_ALL_STATIC caches static content by default, and FORCE_CACHE_ALL caches all responses regardless of origin headers (use carefully).
- Reduce CDN origin egress by enabling negative caching for error responses, setting longer TTLs for static content, using request coalescing, and excluding unnecessary cookies and query parameters from the cache key.
- Cloud DNS is Google's managed authoritative DNS (analogous to AWS Route 53); it supports public zones and private zones visible only to authorized VPCs for internal name resolution.
- Cloud DNS routing policies (geolocation, weighted round robin, failover) return different answers based on client origin or health, complementing the load balancer's anycast direction of clients to the nearest backend.
- Cloud Armor attaches security policies to backend services on the external Application Load Balancer, enforcing WAF rules, rate limiting, IP allow/deny lists, and adaptive DDoS protection at the Layer 7 edge.
- Private Service Connect publishes a producer service behind a service attachment that consumers reach via a PSC endpoint, enabling private one-way service exposure without exposing the full network.
- A backend service's balancing mode (RATE, UTILIZATION, or CONNECTION) plus the capacity scaler, combined with MIG autoscaling, control how traffic distributes and how backends absorb bursty load.
- Premium Tier global backbone routing plus Cloud CDN improves performance for users far from the origin region by entering Google's network at the nearest edge.
- Cross-region backend services let a global load balancer overflow traffic to backends in other regions when the closest region is at capacity, improving resilience.
- Proxy-based load balancers (Application LB, proxy Network LB) replace the client IP with a Google proxy IP; preserve original client IP via the X-Forwarded-For header or use a passthrough LB instead.
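Reading the client IP out of X-Forwarded-For is where applications behind the external Application Load Balancer usually get it wrong. The load balancer appends two values to whatever the client sent, so the header arrives as `<client-supplied values>, <client IP the LB saw>, <LB IP>`, and only the second-to-last entry is trustworthy; the first entry is whatever the client chose to put there. The block below is an added example for this guide, not Google code or code from the original page; the header values and the internal allowlist range are constructed.

```python
import ipaddress

# The global external ALB appends "<client IP>, <LB IP>" to any X-Forwarded-For the
# client sent. Count the trailing entries added by infrastructure you control and
# take the entry just before them. (Assumption: exactly one trusted hop, the ALB.)
TRUSTED_HOPS = 1

def client_ip_from_xff(xff, trusted_hops=TRUSTED_HOPS):
    """Return the client IP as seen by the load balancer, or raise on a bad header."""
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    idx = len(parts) - 1 - trusted_hops
    if idx < 0:
        raise ValueError("X-Forwarded-For is shorter than the trusted hop count")
    return str(ipaddress.ip_address(parts[idx]))   # rejects anything that is not an IP

def naive_client_ip(xff):
    """The common bug: trust the first entry, which the client fully controls."""
    return xff.split(",")[0].strip()

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # constructed "internal callers" allowlist

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

# Constructed header: an external client (203.0.113.7) sends a forged first entry,
# then the ALB appends the real client IP and its own forwarding-rule IP.
SPOOFED = "10.0.0.1, 203.0.113.7, 34.120.10.20"

if __name__ == "__main__":
    print("naive:  ", naive_client_ip(SPOOFED), is_internal(naive_client_ip(SPOOFED)))
    print("correct:", client_ip_from_xff(SPOOFED), is_internal(client_ip_from_xff(SPOOFED)))
```

If the application's allowlist, rate limiter or audit log uses the naive parser, the external client above is treated as an internal 10.0.0.1 caller. Enforcing IP allow and deny lists in Cloud Armor at the load balancer avoids the problem entirely, since the policy sees the real source address rather than the header.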
Domain 4: Implementing Hybrid Connectivity
- Cloud Router uses BGP as its only dynamic routing protocol to exchange routes with on-prem peers over HA VPN tunnels or Interconnect VLAN attachments, auto-advertising new VPC subnets and learning remote prefixes.
- HA VPN provides a 99.99% SLA using two gateway interfaces, each with its own external IP, establishing redundant IPsec tunnels; it requires a Cloud Router with a BGP session and does not support static routing.
- Dedicated Interconnect is a direct physical 10/100 Gbps connection at a Google peering facility with no public internet traversal; Partner Interconnect connects through a service provider for smaller (50 Mbps-50 Gbps) capacities.
- For resilience, deploy redundant connections across two separate metro edge availability domains with redundant Cloud Routers, and optionally use HA VPN as a backup path to Interconnect.
- Path preference between Interconnect and VPN is controlled with BGP MED via Cloud Router, and lower MED always wins. Outbound (cloud to on-prem): --advertised-route-priority on the BGP session sets the MED Cloud Router advertises, so give the Interconnect session a lower value than the VPN session. Inbound (on-prem to cloud): Cloud Router uses the MED it receives as the learned route's priority, so have the on-prem router advertise the same prefixes over VPN with a higher MED than over Interconnect.
- ECMP (equal-cost multipath) over BGP on Cloud Router across multiple Interconnect attachments with equal priorities load-balances traffic and increases aggregate throughput.
- Create a Cloud Router with gcloud compute routers create --network=prod-vpc --region=us-central1 --asn=65001, choosing a private ASN (64512-65534 or the 4-byte ranges).
- Add a BGP peer with gcloud compute routers add-bgp-peer using --interface, --peer-asn, and --peer-ip-address to establish the session over a tunnel or VLAN attachment.
- Control advertised routes with --advertisement-mode=CUSTOM plus --set-advertisement-groups=ALL_SUBNETS and --set-advertisement-ranges for specific custom prefixes; the default DEFAULT mode advertises subnets automatically.
- Create a Partner Interconnect VLAN attachment with gcloud compute interconnects attachments partner create using --router and --edge-availability-domain to select the redundancy zone.
- Cloud DNS hybrid resolution uses outbound forwarding zones (and outbound server policy) for cloud-to-on-prem queries and an inbound server policy (which creates a forwarder IP) for on-prem-to-cloud queries.
- Network Connectivity Center connects multiple on-prem sites (VPN/Interconnect spokes) and VPC spokes through a managed hub for transitive hybrid connectivity without a transit VPC.
- Interconnect generally offers lower egress pricing and higher, more predictable bandwidth than Cloud VPN; right-size Partner Interconnect VLAN attachment capacity to actual demand to control cost.
- HA VPN tunnels must connect to a peer gateway; for an on-prem device with two interfaces, use a two-interface peer gateway, and for cloud-to-cloud use HA VPN on both ends with BGP.
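The selection rule Cloud Router applies to routes learned over BGP is small enough to model directly: for each prefix, keep the routes with the lowest MED (the learned route priority), treat several survivors with the same MED as one ECMP set, and recompute when a session goes down. The block below is an added example written for this guide, not Google code or code from the original page; the attachment and tunnel names, prefixes and MED values are constructed, and the private-ASN check mirrors the ranges quoted for gcloud compute routers create above.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class LearnedRoute:
    prefix: str
    next_hop: str   # Interconnect VLAN attachment or HA VPN tunnel carrying the BGP session
    med: int        # MED received from the on-prem peer; Cloud Router uses it as the priority

def select_next_hops(routes):
    """Per prefix, keep the next hops with the lowest MED. More than one survivor
    means Cloud Router installs them as an ECMP set and balances across them."""
    by_prefix = defaultdict(list)
    for r in routes:
        by_prefix[r.prefix].append(r)
    chosen = {}
    for prefix, candidates in by_prefix.items():
        best = min(r.med for r in candidates)
        chosen[prefix] = sorted(r.next_hop for r in candidates if r.med == best)
    return chosen

def failover(routes, down_hops):
    """A lost attachment or tunnel drops its BGP session, so its routes are withdrawn
    and the next-best MED takes over."""
    return select_next_hops([r for r in routes if r.next_hop not in down_hops])

def is_private_asn(asn):
    """Private ASN ranges usable for Cloud Router: 16-bit 64512-65534 and 32-bit
    4200000000-4294967294."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294

# Constructed: two Interconnect attachments in different edge availability domains
# advertised with MED 100, and two HA VPN tunnels as backup advertised with MED 200.
SAMPLE = [
    LearnedRoute("192.168.0.0/16", "ic-attach-ead1", 100),
    LearnedRoute("192.168.0.0/16", "ic-attach-ead2", 100),
    LearnedRoute("192.168.0.0/16", "vpn-tunnel-0", 200),
    LearnedRoute("192.168.0.0/16", "vpn-tunnel-1", 200),
]

if __name__ == "__main__":
    print("steady state:", select_next_hops(SAMPLE))
    print("one EAD down:", failover(SAMPLE, {"ic-attach-ead1"}))
    print("both down:   ", failover(SAMPLE, {"ic-attach-ead1", "ic-attach-ead2"}))
```

The same ordering applies in the other direction: the values you set with --advertised-route-priority are the MEDs the on-prem router receives, so the preferred path is again the one with the lower number.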
Domain 5: Managing and Monitoring Network Operations
- VPC Flow Logs record sampled flow metadata (5-tuple source/destination IP and port, protocol, bytes, packets, plus source/destination instance, VPC, and location annotations) per VM network interface, GKE node, and Cloud VPN tunnel. They do not say whether a firewall allowed or denied a flow: ingress packets dropped by a firewall rule are not logged at all. That allowed/denied disposition, and the rule that matched, come from Firewall Rules Logging, which is enabled per rule.
- Flow Logs export to Cloud Logging and can be sinked to BigQuery for SQL analysis to identify which subnets and VMs generate the most egress, or detect traffic anomalies.
- Network Intelligence Center's Connectivity Tests run a configuration-based simulated trace (analyzing routes, firewall rules, peering, and LB config) without sending real packets, ideal for pinpointing why connectivity fails.
- Network Intelligence Center centralizes Topology, Connectivity Tests, Performance Dashboard, Firewall Insights, and Network Analyzer for diagnostics and optimization.
- The Performance Dashboard in Network Intelligence Center surfaces packet loss and latency between Google Cloud zones/regions and between your VMs, helping isolate performance issues.
- When traffic is blocked, enable logging on the candidate rules and read Firewall Rules Logging: each entry carries a DENIED or ALLOWED disposition and the reference of the VPC firewall rule or hierarchical/network firewall policy rule that matched. Cross-check the rules applied to the VM's tags or service account and confirm with a Connectivity Test.
- Fix blocked traffic by adding or adjusting a VPC firewall rule with the correct direction, protocol/ports, source/target, and a priority lower (higher precedence) than the blocking rule.
- Cloud Armor provides edge protection for ALB backends via rate limiting, preconfigured WAF rules (OWASP/ModSecurity CRS), named IP lists, and Adaptive Protection for volumetric Layer 7 attacks.
- Create a Connectivity Test with gcloud network-management connectivity-tests create specifying --source-instance, --destination-ip-address (or destination instance), --protocol, and ports.
- Update Flow Log sampling on an existing subnet with gcloud compute networks subnets update --logging-flow-sampling=0.5 (a value 0.0-1.0 controlling the fraction of flows captured).
- Combine Cloud Monitoring network-egress alerting policies with Cloud Billing budget alerts to catch unexpected egress spikes both technically and financially.
- Cloud Monitoring CDN metrics (cache hit ratio and origin request count) reveal CDN effectiveness; a low hit ratio signals cache-key or TTL tuning is needed.
- Firewall Insights and the Network Analyzer (in Network Intelligence Center) detect shadowed, overly permissive, or unused firewall rules and misconfigurations proactively.
- Proactive network operations pair the Performance Dashboard for live latency/packet-loss visibility with Cloud Monitoring alerting policies on key network metrics to detect degradation before users do.
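Once Flow Logs and firewall logs are exported, the two questions this domain keeps asking (which VMs send the most traffic to the internet, and which rule is denying a connection) reduce to a few lines over the log entries. The block below is an added example for this guide, not Google code or code from the original page. The entries are constructed to follow the jsonPayload field names of VPC Flow Logs and Firewall Rules Logging; the project, VM names, addresses, byte counts and rule names are made up.

```python
import ipaddress
from collections import Counter

FLOW_LOG = "projects/example-project/logs/compute.googleapis.com%2Fvpc_flows"
FW_LOG = "projects/example-project/logs/compute.googleapis.com%2Ffirewall"

# Constructed log entries (decoded JSON, as a Cloud Logging sink would deliver them).
ENTRIES = [
    {"logName": FLOW_LOG, "jsonPayload": {"reporter": "SRC", "bytes_sent": "52428800",
        "connection": {"src_ip": "10.10.0.5", "dest_ip": "203.0.113.9",
                       "src_port": 51000, "dest_port": 443, "protocol": 6},
        "src_instance": {"vm_name": "web-1"},
        "src_vpc": {"subnetwork_name": "prod-us-central1"}}},
    {"logName": FLOW_LOG, "jsonPayload": {"reporter": "SRC", "bytes_sent": "104857600",
        "connection": {"src_ip": "10.10.0.5", "dest_ip": "10.10.64.8",
                       "src_port": 51001, "dest_port": 5432, "protocol": 6},
        "src_instance": {"vm_name": "web-1"},
        "src_vpc": {"subnetwork_name": "prod-us-central1"}}},
    {"logName": FLOW_LOG, "jsonPayload": {"reporter": "DEST", "bytes_sent": "104857600",
        "connection": {"src_ip": "10.10.0.5", "dest_ip": "10.10.64.8",
                       "src_port": 51001, "dest_port": 5432, "protocol": 6},
        "src_instance": {"vm_name": "web-1"},
        "src_vpc": {"subnetwork_name": "prod-us-central1"}}},
    {"logName": FLOW_LOG, "jsonPayload": {"reporter": "SRC", "bytes_sent": "10485760",
        "connection": {"src_ip": "10.10.64.20", "dest_ip": "198.51.100.20",
                       "src_port": 40000, "dest_port": 443, "protocol": 6},
        "src_instance": {"vm_name": "batch-1"},
        "src_vpc": {"subnetwork_name": "prod-europe-west1"}}},
    {"logName": FW_LOG, "jsonPayload": {"disposition": "DENIED",
        "connection": {"src_ip": "198.51.100.7", "dest_ip": "10.10.0.5",
                       "src_port": 55555, "dest_port": 22, "protocol": 6},
        "rule_details": {"reference": "network:prod-vpc/firewall:deny-ssh-internet",
                         "priority": 900, "action": "DENY"},
        "instance": {"vm_name": "web-1"}}},
    {"logName": FW_LOG, "jsonPayload": {"disposition": "ALLOWED",
        "connection": {"src_ip": "198.51.100.7", "dest_ip": "10.10.0.5",
                       "src_port": 55556, "dest_port": 443, "protocol": 6},
        "rule_details": {"reference": "network:prod-vpc/firewall:allow-web",
                         "priority": 1000, "action": "ALLOW"},
        "instance": {"vm_name": "web-1"}}},
]

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE)

def external_egress_by_vm(entries):
    """Bytes sent to non-private destinations, keyed by (subnet, vm). Only reporter
    == "SRC" is counted so an internal flow reported by both endpoints is not doubled;
    flows to external destinations only ever have a SRC report anyway."""
    totals = Counter()
    for e in entries:
        if e["logName"] != FLOW_LOG:
            continue
        p = e["jsonPayload"]
        if p["reporter"] != "SRC" or not is_external(p["connection"]["dest_ip"]):
            continue
        totals[(p["src_vpc"]["subnetwork_name"], p["src_instance"]["vm_name"])] += int(p["bytes_sent"])
    return totals

def firewall_denials(entries):
    """(rule reference, src_ip, dest_ip, dest_port) for every DENIED firewall log entry."""
    denied = []
    for e in entries:
        if e["logName"] != FW_LOG:
            continue
        p = e["jsonPayload"]
        if p["disposition"] == "DENIED":
            c = p["connection"]
            denied.append((p["rule_details"]["reference"], c["src_ip"], c["dest_ip"], c["dest_port"]))
    return denied

if __name__ == "__main__":
    for key, total in external_egress_by_vm(ENTRIES).most_common():
        print(f"{key[0]}/{key[1]}: {total / 2**20:.0f} MiB to external destinations")
    for denial in firewall_denials(ENTRIES):
        print("denied:", denial)
```

The reporter filter matters when the same aggregation is done in BigQuery: without it, every internal flow between two logged VMs is counted twice, and the internal traffic dwarfs the external egress you are actually billed for.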
Google Cloud Professional Cloud Network Engineer exam tips
- Read each scenario for the deciding constraint - cost, security, latency/performance, or resilience - because most answer choices are technically valid and only one optimizes the stated priority.
- Memorize the load balancer decision tree: global vs regional, external vs internal, Layer 7 proxy (Application LB) vs Layer 4 passthrough (Network LB), and which preserve the client source IP.
- Know the hybrid connectivity matrix cold: HA VPN (99.99% SLA, IPsec, BGP required) vs Dedicated vs Partner Interconnect, and how Cloud Router BGP priority/MED chooses the active path.
- For routing and firewall questions, remember the rule: the lower priority number wins (after longest prefix match for routes, and with deny beating allow on a firewall priority tie), and every VPC starts with implied deny-all ingress and allow-all egress.
- When a question is about diagnosis, map the symptom to the right tool: Connectivity Tests for config/path failures, VPC Flow Logs for traffic volume and top talkers, Firewall Rules Logging for allowed/denied decisions and the matching rule, and the Performance Dashboard for latency and packet loss.
Study guide FAQ
How is this exam structured and what score do I need to pass?
It is a 2-hour (120-minute) exam of roughly 50-60 multiple-choice and multiple-select questions. Results are reported as pass or fail; Google does not publish a numeric passing score. The certification is valid for two years. Most questions are scenario-based design and troubleshooting problems rather than simple recall.
What is the difference between VPC Network Peering and Private Service Connect?
VPC Network Peering joins two entire VPCs so all their VMs can reach each other over internal IPs, but it is non-transitive and forbids overlapping CIDR ranges. Private Service Connect instead exposes only a single producer service through a private endpoint in the consumer VPC, which works even with overlapping address space and gives finer-grained, one-way access.
When should I choose Cloud Interconnect over Cloud VPN?
Choose Dedicated or Partner Interconnect when you need high, predictable bandwidth (10/100 Gbps), the lowest latency, traffic that stays off the public internet, and lower egress pricing. Choose HA VPN when you need quick setup, encryption over the public internet, lower bandwidth, or a cost-effective backup path to Interconnect. Both use Cloud Router with BGP for dynamic routing.
How do I troubleshoot why two resources cannot communicate?
Start with a Connectivity Test in Network Intelligence Center to simulate the path and reveal a blocking firewall rule, missing route, or peering/LB misconfiguration without sending packets. Then confirm with Firewall Rules Logging, which records whether real connections were allowed or denied and which rule matched, and with VPC Flow Logs, which show whether the traffic reached the VM at all. Fix it by adding or adjusting a VPC firewall rule (or hierarchical policy) with the correct direction, ports, and a higher-precedence (lower-number) priority.