Google Cloud Professional Cloud Network Engineer Quick Facts (2025)

Exam Domain Breakdown

Domain 1: Designing and planning a Google Cloud Virtual Private Cloud (VPC) network (24% of the exam)

Designing an overall network architecture

• Designing for high availability, failover, disaster recovery, and scale.
• Designing the DNS topology (e.g., on-premises, Cloud DNS).
• Choosing a load balancer for an application or solution.
• Designing for hybrid connectivity (e.g., Private Google Access for hybrid connectivity).
• Planning for Google Kubernetes Engine (GKE) networking (e.g., secondary ranges, scale potential based on IP address space, access to GKE control plane).
• Planning Identity and Access Management (IAM) roles, including managing IAM roles in a Shared VPC environment.
• Planning for connectivity to managed services (e.g., private services access, Private Service Connect, Serverless VPC Access).
• Differentiating between network tiers (e.g., Premium and Standard).

Summary: This section emphasizes how to design reliable and scalable architectures that support growth and availability across Google Cloud. You will explore how to incorporate redundancy, disaster recovery, and hybrid options for seamless operations, along with how to structure DNS and IAM within enterprise network requirements. Considerations for GKE networking and managed services connectivity are included so that your solutions align with real-world demands.

You will also learn how to leverage Google Cloud’s flexible load balancers, network tiers, and advanced access strategies to design secure, high-performance solutions. Whether it is tailoring your DNS structure, implementing shared roles, or preparing for managed services, this knowledge equips you to craft topologies that maximize performance, availability, and scalability.

Designing VPC networks

• Choosing the VPC type and quantity (e.g., standalone or Shared VPC, number of VPC environments).
• Determining how the networks interconnect based on requirements (e.g., VPC Network Peering, network connectivity with Network Connectivity Center).
• Planning the IP address management strategy (e.g., subnets, IPv6, bring your own IP (PAP/PDP)).
• Planning a global or regional network environment.
• Determining the correct MTU sizing for VPC workloads.
• Planning third-party device insertion with custom routes and load balancing.

Summary: Here you will learn how to strategically design VPC network environments that balance scalability with governance and interconnectivity. From choosing between Shared VPCs or standalone environments to handling peering and connectivity topologies, this section gives you insight into structuring networks to match business needs.

You will also explore IP address management, correct MTU sizing, and global or regional design considerations. With exposure to third-party insertion scenarios and route customization, you will be ready to design network environments that support flexibility and efficient workload performance.

Designing a resilient and performant hybrid and multi-cloud network

• Designing for hybrid connectivity including bandwidth and security constraints.
• Designing for multi-cloud connectivity (e.g., Cross-Cloud Interconnect).
• Choosing when to use Direct Peering or Verified Peering Provider.
• Designing high-availability and disaster recovery connectivity strategies.
• Accessing multiple VPCs from on-premises locations.
• Accessing Google services privately from on-premises via Private Service Connect.
• Designing DNS peering and forwarding strategies.
• Determine correct MTU sizing for hybrid connections.
• Understanding encryption options such as MACsec and HA VPN.

Summary: This section focuses on planning for hybrid and multi-cloud deployments seamlessly integrated with on-premises infrastructure. It covers approaches to designing reliable connections while meeting performance, bandwidth, and security needs. Expect to evaluate the correct interconnect, VPN, and peering strategies that ensure smooth data exchange across hybrid and multi-cloud ecosystems.

This portion also highlights how to manage IP address spaces to prevent overlap, ensure secure interconnectivity, and enable private access to managed services. With encryption, HA design, and DNS strategies woven in, you will be prepared to deliver optimal hybrid and multi-cloud connectivity solutions.

Designing for Google Kubernetes Engine (GKE)

• Choosing between public or private cluster nodes and node pools.
• Choosing between public or private control plane endpoints.
• Planning subnets: primary and secondary ranges.
• Selecting RFC 1918, non-RFC 1918, or privately used public IP (PUPI) addresses.
• Planning for IPv6.
• Designing load balancing for GKE networking.
• Adding and managing node pool configuration.

Summary: In this section you will focus on GKE networking and how to design it for efficient container orchestration within a secure and scalable environment. Choosing between public and private clusters, planning subnets, and ensuring resilient load balancing for Pods and services are key tasks here.

These lessons will prepare you to handle address planning, IPv6 adoption, and node pool expansions. By mastering these design concepts, you will be equipped to deliver Kubernetes solutions that remain reliable, flexible, and secure even in dynamic cloud ecosystems.

Domain 2: Implementing a VPC network (19% of the exam)

Configuring VPCs

• Creating Google Cloud VPC resources (networks, subnets, firewall rules).
• Configuring VPC Network Peering.
• Creating Shared VPC networks.
• Configuring access to Google APIs and managed services.
• Expanding VPC subnet ranges after creation.
• Configuring restricted services with VPC Service Controls.

Summary: This section ensures you can implement practical VPC configurations using tools provided by Google Cloud. You will learn everything from creating subnets and firewalls to setting up peering and service access, laying a strong foundation for effective cloud networking.

By mastering Shared VPC implementations and subnet expansion, you will be ready to manage both small and large environments flexibly. The section also introduces VPC Service Controls for restricted services, giving you strong governance control over network usage.

Configuring VPC routing

• Setting up static and dynamic routing with Cloud Router.
• Configuring global or regional dynamic routing.
• Applying route priorities and tags.
• Implementing internal load balancers as next hops.
• Configuring route import and export.
• Configuring policy-based routing.

Summary: Here you will dive into routing within VPCs and how to manage traffic flows intelligently. You will learn to distinguish between static and dynamic models, configure Cloud Router options, and use global vs regional routing for specific workloads.

This section also explores how to control paths with tags, route priorities, policy-based routing, and exporting or importing routes across peers. These skills ensure network traffic flows optimally across hybrid and cloud environments.

Configuring Network Connectivity Center

• Differentiating between spoke types.
• Managing star, hub-and-spoke, and mesh topology configurations.
• Configuring NAT and Private Service Connect propagation.
• Applying IP/CIDR filters.
• Monitoring and troubleshooting NCC setups.

Summary: This part emphasizes orchestrating and monitoring VPC topology with Network Connectivity Center. You will understand how to configure different spoke types and apply appropriate structures such as hub-and-spoke or mesh layouts.

Practical activities include NAT and propagation settings, CIDR-based filters, and efficient monitoring with troubleshooting approaches. This knowledge lets you maintain scalable, well-connected networks across complex enterprises.

Configuring and maintaining Google Kubernetes Engine clusters

• Creating VPC-native clusters using alias IPs.
• Configuring private clusters and private control planes.
• Adding authorized networks for endpoints.
• Enabling Dataplane V2.
• Implementing SNAT and IP masquerade policies.
• Creating GKE network policies.
• Configuring Pod and service ranges.

Summary: In this section you will learn how to integrate Kubernetes networking into real-world production environments. This includes VPC-native configurations, IP address ranges, private control plane endpoints, and Dataplane V2.

You will also master policies, IP masquerading, and range selections to align cluster deployments with workloads and security constraints. With these tools, your Kubernetes networks will be resilient and easy to maintain at scale.

Domain 3: Configuring managed network services (16% of the exam)

Configuring load balancing

• Choosing appropriate external and internal load balancers.
• Creating backend services.
• Configuring settings such as balancing methods, session affinity, and URL maps.
• Optimizing for traffic scalability.
• Configuring GKE load balancers via Gateway or Ingress controllers.

Summary: This section builds your expertise in distributing traffic reliably across workloads. You will learn all load balancer types and when to apply them, ensuring services perform efficiently.

By configuring settings ranging from health checks to URL maps, you will gain practical skills in building scalable backend services with reliable delivery. This knowledge extends into GKE environments for seamless container workloads.

Configuring Cloud CDN

• Setting up Cloud CDN origins.
• Enabling CDN for third-party external backends.
• Invalidating cached content.
• Configuring signed URLs.

Summary: This part highlights how Cloud CDN accelerates content delivery by caching assets closer to end users. You will learn to configure supported origins and third-party integrations for performant experiences.

Advanced features like signed URLs and cache invalidation are also covered. With these capabilities, you will optimize content delivery while maintaining tight security controls.

Configuring Cloud DNS

• Managing DNS zones and records.
• Migrating DNS to Cloud DNS.
• Configuring routing and failover policies.
• Enabling DNSSEC.
• Implementing split-horizon DNS.
• Cross-project binding and DNS peering.

Summary: In this section you will strengthen your skills in DNS management using Cloud DNS, covering zones, record management, policies, and security extensions. You will also learn about DNS migration for enterprises moving from legacy systems.

Capabilities such as split-horizon, DNS forwarding, and cross-project binding prepare you to support global, failover-friendly DNS designs. This allows you to deliver reliability with strong security through DNSSEC.

Domain 4: Configuring and implementing hybrid and multi-cloud network interconnectivity (15% of the exam)

Configuring Cloud Interconnect

• Creating Dedicated and Partner Interconnect connections.
• Differentiating between Layer2 and Layer3 Interconnects.
• Creating Cross-Cloud Interconnect connections.
• Configuring HA VPN over Interconnect.
• Implementing SLA-backed topologies.

Summary: This section highlights strategies for building reliable high-bandwidth links between on-premises and Google Cloud. You will compare Dedicated, Partner, and Cross-Cloud Interconnect approaches to suit your organization’s connectivity requirements.

Practical setups with VLAN attachments, HA VPN, and redundant pathways allow you to deliver enterprise-grade reliability. With SLA considerations, you will ensure business continuity under all conditions.

Configuring a site-to-site IPSec VPN

• Configuring HA VPN gateways.
• Setting up VPNs to other VPCs.
• Configuring Classic VPN.

Summary: You will explore secure communication between sites and Google Cloud, particularly through IPSec VPNs. High-availability models ensure enterprise-grade uptime while linking multiple sites to global VPCs.

Hands-on settings for both HA and Classic VPNs add to your toolkit. These implementations allow organizations to build secure hybrid networking without complexity.

Configuring Cloud Router

• Implementing BGP attributes.
• Configuring BFD.
• Creating route advertisements.
• Selecting best path evaluation.

Summary: Routing automation with Cloud Router is the focus here. You will gain knowledge in configuring BGP setups, attributes, and failover methods like BFD.

The section also includes controlling advertised and learned routes with customization. These tools let you build resilient, adaptive routing in multi-environment networks.

Configuring Network Connectivity Center

• Creating hybrid spokes such as VPNs and VLAN attachments.
• Enabling site-to-site transfers.
• Deploying router appliances.
• Solving network transitivity issues.

Summary: Here the emphasis is enterprise-scale hybrid network design and connectivity orchestration. Configuring spokes and router appliances helps enable global transitions between sites.

Solutions to transitivity issues ensure your topology scales smoothly, keeping performance and flexibility in balance as hybrid needs grow.

Domain 5: Managing, monitoring, and troubleshooting network operations (12% of the exam)

Logging and monitoring with Google Cloud Observability

• Enabling logging for VPN, Router, and VPC components.
• Monitoring metrics for load balancers, Cloud NAT, and Google Cloud Armor.

Summary: This section shows how to use Google Cloud Observability tools to log and monitor critical networking components. You will be able to spot activity like firewall insights, VPN health, and routing status using system logs.

By checking metrics from load balancers, NAT, and Armor, you will be able to proactively identify issues before they escalate. This gives confidence to operate secure, high-performing environments.

Maintaining and troubleshooting connectivity issues

• Redirecting traffic with load balancers.
• Managing VPN and Interconnect problems.
• Troubleshooting Router BGP peering.
• Using flow and firewall logs for debugging.

Summary: This section gives you practical skills for maintaining uptime with connectivity services. Tools include managing VPNs, troubleshooting routers, and redirecting traffic when congestion occurs.

Logs and packet analysis become actionable strategies for identifying and correcting issues quickly. This knowledge enables continuity and resilience in production networks.

Using Network Intelligence Center

• Visualizing throughput and traffic.
• Running connectivity and performance diagnostics.
• Detecting firewall misconfigurations.
• Using Analyzer and Network Topology tools.

Summary: Here you will explore advanced monitoring with the Network Intelligence Center. Visualization and real-time diagnostics help pinpoint issues across networks.

With Firewall Insights, connectivity tests, and traffic analyzers, you will be able to make reliable assessments. This ensures optimized network design as environments grow.

Domain 6: Configuring, implementing and managing a cloud network security solution (14% of the exam)

Configuring Google Cloud Armor policies

• Implementing WAF rules.
• Configuring advanced DDoS protections.
• Enabling traffic mirroring and splitting.
• Applying bot management and intelligence.

Summary: This section focuses on enabling Google Cloud Armor to safeguard applications. You will design protections against DDoS, SQL injections, cross-site scripting, and automated bots.

Through policies, traffic management, and advanced threat intelligence, you will gain the ability to support secure delivery at scale.

Configuring and managing Cloud NGFW and VPC Firewall rules

• Planning firewall strategies with NGFW and VPC rules.
• Configuring NGFW in support of load balancers and GKE.
• Creating hierarchical policies.
• Implementing Layer 7 packet inspection.
• Differentiating between NGFW tiers.

Summary: In this section you will configure complex firewall architectures using both NGFW and VPC controls. Strategies range from traffic segmentation to logging to hierarchical policy application.

Advanced features like enterprise packet inspection and tier-specific options ensure you can match security levels with organizational requirements.

Configuring Cloud NAT and Secure Web Proxy

• Managing NAT IP addressing policies.
• Applying static and dynamic port allocations.
• Enabling web proxy security.

Summary: This part equips you to manage secure and efficient egress to the internet using NAT and web proxy approaches. By fine-tuning NAT IP and ports, you can control costs and traffic patterns.

Proxies add security layers for safer outbound traffic, enabling enterprises to meet compliance requirements.

Configuring self-managed inspection, IDS, and Packet Mirroring

• Routing traffic through multi-NIC VMs.
• Setting up HA routing with internal load balancers.
• Configuring out-of-band inspection using NSI.
• Enabling intrusion detection and packet mirroring.

Summary: This closing section highlights deep traffic visibility and security analysis. Multi-NIC VMs and load balancers support high availability for inspection.

Combining IDS, NSI, and packet mirroring equips enterprises with the ability to internally monitor, analyze, and secure traffic flows from edge to core.