Overview
This training course builds on the networking concepts covered in the Networking Fundamentals in Google Cloud course. Through presentations, demonstrations, and labs, participants explore and deploy Google Cloud networking technologies.
These technologies include: Virtual Private Cloud (VPC) networks, subnets, and firewalls; interconnection among networks; load balancing; Cloud DNS; Cloud CDN; Cloud NAT.
The course will also cover common network design patterns.
Skills Covered
- Configure Google VPC networks, subnets, and routers
- Control administrative access to VPC objects
- Control network access to endpoints in VPCs
- Interconnect networks among GCP projects
- Interconnect networks among GCP VPC networks and on-premises or other-cloud networks
- Choose among GCP load balancer and proxy options and configure them
- Use Cloud CDN to reduce latency and save money
- Optimize network spend using Network Tiers
- Configure Cloud NAT or Private Google Access to provide instances without public IP addresses access to other services
- Deploy networks declaratively using Cloud Deployment Manager or Terraform
- Design networks to meet common customer requirements
- Configure monitoring and logging to troubleshoot network problems
Who Should Attend
- Network engineers and administrators who use the Google Cloud console or are planning to do so.
- Individuals who want to be exposed to software-defined networking solutions in the cloud.
Course Curriculum
Prerequisites
To get the most out of this course, participants should have:
- Completed Google Cloud Platform Fundamentals: Core Infrastructure or have equivalent experience
- Prior understanding of the OSI 7-layer model
- Prior understanding of IPv4 addressing
- Prior experience with managing IPv4 routes
Course Modules
- VPC networks
- Multiple Network Interfaces
- Network Service Tiers
- Create a Compute Engine VM with multiple network interfaces.
- Use the standard tier to lower cloud networking costs.
- Use the premium tier to provide lower latency and faster access to Google Cloud resources.
- Shared VPC
- VPC Network Peering
- Migrating a VM between networks
- Describe the different ways to share VPC networks that are available in Google Cloud.
- Recognize when to use Shared VPC and when to use VPC Network Peering.
- Configure peering between unrelated VPC networks.
- 1 lab
- 1 quiz
- Monitoring
- Logging
- Configure uptime checks, alerting policies, and charts for your network services.
- Monitor Google Cloud network resources.
- Use VPC Flow Logs to log and analyze network traffic behavior.
- 2 labs
- 1 quiz
- VPC Routing
- IPv6
- BYOIP
- Cloud DNS
- Define key routing and addressing concepts relevant to Google Cloud, including IP addresses, subnets, route tables, firewalls, BYOIP, and NATs.
- Describe the configuration and management options for Google Cloud DNS, including private and managed zones.
- Configure and manage route tables to control traffic flow, resolve domain names effectively, and utilize NAT rules for secure access.
- 1 lab
- 1 quiz
- Private Connection Options
- Private Google Access
- Private Services Access
- Private Service Connect
- Cloud NAT
- Define and differentiate various private connection options (e.g., Private Google Access, Private Services Access, Private Service Connect).
- Explore use cases of Private Service Connect, Private Services Access, and Private Google Access.
- Implement Private Google Access with Cloud NAT.
- 1 lab
- 1 quiz
- Cloud network architecture overview
- Key considerations
- Describe the components Google Cloud provides that create a good network architecture, such as Cloud Interconnect, VPC Network Peering, Shared VPC, and Network Tiers.
- Summarize key considerations for network design.
- 1 quiz
- Hub and spoke topology
- Other topologies
- Getting topology data
- Best practices
- Explain when to use each network topology based on specific requirements.
- Identify potential bottlenecks or security vulnerabilities in network topologies.
- Implement a meshed topology for a resilient and scalable network architecture.
- 1 lab
- 1 quiz
- How DDoS attacks work
- Google Cloud mitigations
- Types of complementary partner products
- Identify the four layers of DDoS Mitigation.
- Identify methods Google Cloud uses to mitigate the risk of DDoS for its customers.
- Use Google Cloud Armor to blocklist an IP address and restrict access to a global external Application Load Balancer.
- 1 lab
- 1 quiz
- IAM
- Cloud Firewall
- Cloud IDS
- Secure Web Proxy
- Describe how IAM policies affect VPC network access.
- Identify the benefits of using Cloud Firewall’s hierarchical policies at different levels of the cloud infrastructure hierarchy.
- Apply global and regional network firewall policies using Cloud Firewall.
- Explain the role of Cloud IDS in protecting VPC networks from malicious activity.
- Deploy Cloud IDS and configure its settings according to specific security needs.
- Describe the role of Secure Web Proxy in improving network resilience and availability.
- Describe best practices for cloud network security.
- 2 labs
- 1 quiz
- Packet Mirroring for network traffic inspection
- Network security best practices
- Define Packet Mirroring and explain its purpose in network monitoring and security.
- Learn network security best practices.
- 1 quiz
- 1 lab
- Hybrid load balancing
- Traffic management
- Describe the benefits of hybrid load balancing.
- Configure traffic management in a load balancer.
- 1 lab
- 1 quiz
- Internal network load balancers as next hops
- Cloud CDN
- Cloud Armor
- Load balancer optimization strategies
- Describe how to configure an internal network load balancer as a next hop.
- Use Cloud CDN configuration to optimize content delivery performance.
- Create a Google Cloud Armor edge security policy to protect content.
- 1 quiz
- 1 lab
- Google Cloud connectivity options
- Dedicated Interconnect
- Partner Interconnect
- Cross-Cloud Interconnect
- Describe the various connectivity options offered by Google Cloud for hybrid and multi-cloud environments, including Network Connectivity Center, Cloud VPN, Cloud Interconnect, and Cloud CDN.
- Define and differentiate between the various Cloud Interconnect options available in Google Cloud, including Dedicated Interconnect, Partner Interconnect, and Cross-Cloud Interconnect.
- 1 quiz
- Use case for Cloud VPN
- HA VPN topologies
- HA VPN over Cloud Interconnect
- Influence best path selection
- Implement high availability VPN (HA VPN) for redundancy and failover.
- Identify the benefits and use cases for Cloud HA VPN.
- 1 quiz
- 1 lab
Training Options
- ILT: Instructor-Led Training
- VILT: Virtual Instructor-Led Training
Exam & Certification
Google Cloud Professional Network Engineer.
For IT professionals seeking to further their career and take their experience to the next level, becoming a Google Cloud Professional Network Engineer is a great way to demonstrate your expertise.
The Google Cloud certification verifies that engineers have the technical skills necessary to design, develop, deploy, and maintain successful IT infrastructure solutions using Google Cloud technologies. With a proverbial stamp of approval from one of the world’s premier technology companies, you’ll be on your way towards becoming an in-demand engineer, opening new opportunities for growth and advancement.
Certifying as a Google Cloud Professional Network Engineer is more than just adding a certificate to your resume; it’s making sure all of your knowledge is certified by a trusted name in tech.
Training & Certification Guide
A Professional Cloud Network Engineer implements and manages network architectures in Google Cloud. This individual may work on networking or cloud teams with architects who design cloud infrastructure.
The Cloud Network Engineer uses the Google Cloud Console and/or command line interface, and leverages experience with network services, application and container networking, hybrid and multi-cloud connectivity, implementing VPCs, and security for established network architectures to ensure successful cloud implementations.
The Professional Cloud Network Engineer exam assesses your ability to:
- Design, plan, and prototype a Google Cloud network
- Implement Virtual Private Cloud (VPC) instances
- Configure network services
- Implement hybrid interconnectivity
- Manage, monitor, and optimize network operations
About the current GA exam
Length: 2 hours
Registration fee: $200 (plus tax where applicable)
Languages: English
Exam format: Multiple choice and multiple select
Exam delivery method:
a) Take the online-proctored exam from a remote location, review the online testing requirements.
b) Take the onsite-proctored exam at a testing center, locate a test center near you.
Prerequisites: None
Recommended experience: 3+ years of industry experience including 1+ years designing and managing solutions using Google Cloud.
Section 1: Designing, planning, and prototyping a Google Cloud network
1.1 Designing an overall network architecture. Considerations include:
- High availability, failover, and disaster recovery strategies
- DNS strategy (e.g., on-premises, Cloud DNS)
- Security and data exfiltration requirements
- Load balancing
- Applying quotas per project and per VPC
- Hybrid connectivity (e.g., Google private access for hybrid connectivity)
- Container networking
- IAM roles
- SaaS, PaaS, and IaaS services
- Microsegmentation for security purposes (e.g., using metadata, tags, service accounts)
1.2 Designing Virtual Private Cloud (VPC) instances. Considerations include:
- IP address management and bring your own IP (BYOIP)
- Standalone vs. Shared VPC
- Multiple vs. single
- Regional vs. multi-regional
- VPC Network Peering
- Firewalls (e.g., service account-based, tag-based)
- Custom routes
- Using managed services (e.g., Cloud SQL, Memorystore)
- Third-party device insertion (NGFW) into VPC using multi-NIC and internal load balancer as a next hop or equal-cost multi-path (ECMP) routes
1.3 Designing a hybrid and multi-cloud network. Considerations include:
- Dedicated Interconnect vs. Partner Interconnect
- Multi-cloud connectivity
- Direct Peering
- IPsec VPN
- Failover and disaster recovery strategy
- Regional vs. global VPC routing mode
- Accessing multiple VPCs from on-premises locations (e.g., Shared VPC, multi-VPC peering topologies)
- Bandwidth and constraints provided by hybrid connectivity solutions
- Accessing Google Services/APIs privately from on-premises locations
- IP address management across on-premises locations and cloud
- DNS peering and forwarding
1.4 Designing an IP addressing plan for Google Kubernetes Engine. Considerations include:
- Public and private cluster nodes
- Control plane public vs. private endpoints
- Subnets and alias IPs
- RFC 1918, non-RFC 1918, and privately used public IP (PUPI) address options
Section 2: Implementing Virtual Private Cloud (VPC) instances
2.1 Configuring VPCs. Considerations include:
- Google Cloud VPC resources (e.g., networks, subnets, firewall rules)
- VPC Network Peering
- Creating a Shared VPC network and sharing subnets with other projects
- Configuring API access to Google services (e.g., Private Google Access, public interfaces)
- Expanding VPC subnet ranges after creation
2.2 Configuring routing. Considerations include:
- Static vs. dynamic routing
- Global vs. regional dynamic routing
- Routing policies using tags and priority
- Internal load balancer as a next hop
- Custom route import/export over VPC Network Peering
2.3 Configuring and maintaining Google Kubernetes Engine clusters. Considerations include:
- VPC-native clusters using alias IPs
- Clusters with Shared VPC
- Creating Kubernetes Network Policies
- Private clusters and private control plane endpoints
- Adding authorized networks for cluster control plane endpoints
2.4 Configuring and managing firewall rules. Considerations include:
- Target network tags and service accounts
- Rule priority
- Network protocols
- Ingress and egress rules
- Firewall rule logging
- Firewall Insights
- Hierarchical firewalls
2.5 Implementing VPC Service Controls. Considerations include:
- Creating and configuring access levels and service perimeters
- VPC accessible services
- Perimeter bridges
- Audit logging
- Dry run mode
Section 3: Configuring network services
3.1 Configuring load balancing. Considerations include:
- Backend services and network endpoint groups (NEGs)
- Firewall rules to allow traffic and health checks to backend services
- Health checks for backend services and target instance groups
- Configuring backends and backend services with balancing method (e.g., RPS, CPU, Custom), session affinity, and capacity scaling/scaler
- TCP and SSL proxy load balancers
- Load balancers (e.g., External TCP/UDP Network Load Balancing, Internal TCP/UDP Load Balancing, External HTTP(S) Load Balancing, Internal HTTP(S) Load Balancing)
- Protocol forwarding
- Accommodating workload increases using autoscaling vs. manual scaling
3.2 Configuring Google Cloud Armor policies. Considerations include:
- Security policies
- Web application firewall (WAF) rules (e.g., SQL injection, cross-site scripting, remote file inclusion)
- Attaching security policies to load balancer backends
3.3 Configuring Cloud CDN. Considerations include:
- Enabling and disabling Cloud CDN
- Cache keys
- Invalidating cached objects
- Signed URLs
- Custom origins
3.4 Configuring and maintaining Cloud DNS. Considerations include:
- Managing zones and records
- Migrating to Cloud DNS
- DNS Security Extensions (DNSSEC)
- Forwarding and DNS server policies
- Integrating on-premises DNS with Google Cloud
- Split-horizon DNS
- DNS peering
- Private DNS logging
3.5 Configuring Cloud NAT. Considerations include:
- Addressing
- Port allocations
- Customizing timeouts
- Logging and monitoring
- Restrictions per organization policy constraints
3.6 Configuring network packet inspection. Considerations include:
- Packet Mirroring in single and multi-VPC topologies
- Capturing relevant traffic using Packet Mirroring source and traffic filters
- Routing and inspecting inter-VPC traffic using multi-NIC VMs (e.g., next-generation firewall appliances)
- Configuring an internal load balancer as a next hop for highly available multi-NIC VM routing
Section 4: Implementing hybrid interconnectivity
4.1 Configuring Cloud Interconnect. Considerations include:
- Dedicated Interconnect connections and VLAN attachments
- Partner Interconnect connections and VLAN attachments
4.2 Configuring a site-to-site IPsec VPN. Considerations include:
- High availability VPN (dynamic routing)
- Classic VPN (e.g., route-based routing, policy-based routing)
4.3 Configuring Cloud Router. Considerations include:
- Border Gateway Protocol (BGP) attributes (e.g., ASN, route priority/MED, link-local addresses)
- Custom route advertisements via BGP
- Deploying reliable and redundant Cloud Routers
Section 5: Managing, monitoring, and optimizing network operations
5.1 Logging and monitoring with Google Cloud’s operations suite. Considerations include:
- Reviewing logs for networking components (e.g., VPN, Cloud Router, VPC Service Controls)
- Monitoring networking components (e.g., VPN, Cloud Interconnect connections and interconnect attachments, Cloud Router, load balancers, Google Cloud Armor, Cloud NAT)
5.2 Managing and maintaining security. Considerations include:
- Firewalls (e.g., cloud-based, private)
- Diagnosing and resolving IAM issues (e.g., Shared VPC, security/network admin)
5.3 Maintaining and troubleshooting connectivity issues. Considerations include:
- Draining and redirecting traffic flows with HTTP(S) Load Balancing
- Monitoring ingress and egress traffic using VPC Flow Logs
- Monitoring firewall logs and Firewall Insights
- Managing and troubleshooting VPNs
- Troubleshooting Cloud Router BGP peering issues
5.4 Monitoring, maintaining, and troubleshooting latency and traffic flow. Considerations include:
- Testing network throughput and latency
- Diagnosing routing issues
- Using Network Intelligence Center to visualize topology, test connectivity, and monitor performance
Frequently Asked Questions
Google Cloud certifications help you advance your professional skills and demonstrate your value to hiring managers. Also, once you become Google Cloud certified, you unlock the following benefits:
- Distinguish yourself with a digital badge by sharing it on your social profile or resume.
- Showcase your achievement on a publicly-accessible Google Cloud Certified Directory.
- Get exclusive Google Cloud Certified swag for Professional certifications.
- Network and exchange ideas with others in the Google Cloud Certified community.
- Get access to global cloud virtual and in-person events hosted by Google Cloud.
A skill badge measures one’s knowledge of a specific product or service and tests their ability to apply that knowledge in an interactive hands-on environment.
A certification measures an individual’s proficiency at performing a specific job role using Google Cloud technology. A certification exam tests one’s knowledge of a wide range of products and services needed to perform a job role versus one product/service. In order to prepare for a Google Cloud certification, it is recommended that an individual has multiple years of experience in the role, in addition to completing the recommended online training and skill badges.