Passing the Google cloud professional networking engineer exam

Hil Liao
5 min read · May 10, 2021

When I passed my 1st professional networking engineer exam, it was at a testing center. There were many network VPC design related questions I struggled to answer. 2 years have gone by. I’ve designed and troubleshot many enterprise network architectures. I took the online exam and felt it was easier. Here are the topics covered in the exam:

  • Understand the classic VPN tunnel routing options: dynamic BGP routing, policy-based routing, and route-based VPN. Policy-based routing allows custom local traffic selectors to route selected subnets or internal IP addresses. Route-based VPN always selects 0.0.0.0/0 in both the local and remote traffic selectors.
  • Understand how to invalidate Cloud CDN cache with patterns.
  • Learn how to use URL maps in load balancing to create path matchers and host rules. Be aware that a path matcher pattern of the form /*/anything/ is invalid; it needs to follow /prefix/*. Practice in the cloud console to understand this better.
  • Learn the basics of configuring a Cloud Armor security policy. Use a rule’s preview feature to test the rule in Cloud Logging. A rule with a higher priority number has lower logical priority. Cloud Armor works with external HTTP(S) load balancing backends by adding them as targets, not with backends of other load balancing types.
  • When to use shared VPC vs VPC peering? Usually the organization with centralized networking administration would prefer shared VPC.
  • Learn the differences and consequences of binding roles/compute.networkUser on selected subnets or on the host project at the project level. If 2 different service projects don’t want to share a subnet, avoid binding roles/compute.networkUser to the infrastructure team’s Google group bound as Owner in the 2 projects.
  • Binding roles/compute.networkUser to the Google APIs service account (which has the format SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com) is required to create a managed instance group in a shared VPC service project.
  • Learn the IAM role bindings required for GKE clusters to use the VPC in the shared VPC host project.
  • Learn how to calculate how many nodes a GKE cluster can scale up to from the defaults: 110 pods per node means GKE needs 220 pod IPs on each node, so a minimum /24 range is required per node for pods. If the pod secondary IP range is /14, that gives 2¹⁰ as the maximum number of nodes. If the pod secondary IP range is /20, the maximum is only 2⁴ (24 - 20 = 4). The formula is 2^(per-node pod range prefix - pod secondary range prefix). The first row in the table at CIDR ranges for standard clusters shows that 8 maximum pods per node gives a /28 CIDR range per node, allowing a higher number of nodes to scale up to than the other rows.
  • Learn load balancing’s session affinity. Use cases include client IP session affinity to make on-premises clients connecting on different ports or protocols land on the same backend instances.
  • Learn to enable global dynamic routing so that interconnects in 2 regions give higher availability.
  • Get to know some uncommon protocols such as VoIP and TFTP, which both use UDP. Check which load balancing types support UDP.
  • Know that Cloud CDN does not compress or decompress web server responses. Learn how to troubleshoot why CDN responses are NOT compressed.
  • Learn how to create a custom role; test what error you’d see from the gcloud command when you try to add a misspelled, invalid permission taken from a predefined role.
  • Learn VPC Service Controls’ VPC accessible services, service perimeter bridges, and Access Context Manager’s access policies and access levels, and how to configure them. Can 2 projects be in the same service perimeter? No. Are service perimeters transitive? No. If the hub project with interconnect VLAN attachments has its own service perimeter, can you create 2 perimeter bridges where 1 bridges to perimeter-prod and the other bridges to perimeter-test? Yes.
  • Understand the following scenario: you configure private Google access for on-prem hosts. There are 2 projects with interconnect VLAN attachments to the same data center’s on-prem router: production-project and test-project. The 2 projects are in different VPC Service Controls perimeters. When you execute gsutil cp data-center-file.txt gs://production-bucket/ or gs://test-bucket/ from a host on premises, why do you get 403 Forbidden? The reason is ambiguity about which service perimeter the on-prem host belongs to, since both projects have VLAN attachments to the same on-prem router. The solution is to use 2 VPC Service Controls perimeter bridges.
  • Learn how to let Compute Engine instances with only private IP addresses access Cloud Storage or BigQuery, either with Private Google Access on the subnet or simply with Cloud NAT.
  • Learn how to create a Palo Alto firewall instance with 2 NICs across 2 different VPCs for HTTP traffic inspection in the traffic flow: client on the internet > VPC1’s external HTTPS load balancing > Palo Alto backend > VPC2’s managed instance group.
  • How to route traffic from Compute Engine instance A to instance B that has 2 NICs?
  • How to configure ingress and egress firewall rules with tags? A higher firewall rule priority integer means lower logical priority. What are the implied firewall rules? How to use VPC flow logs and firewall logs?
  • Learn the 3 types of GKE cluster: public, private IP on nodes, and private master. How to secure access to the master with control plane authorized networks? What does --enable-master-global-access do? It enables global access to the control plane’s private endpoint.
  • Learn the default VPC auto mode vs custom mode and the default IP ranges created in an auto mode VPC. I’m surprised there was a question about using Deployment Manager to create a VPC, so it is better to prefer Deployment Manager over Terraform.
  • Learn DNS peering between projects, DNS forwarding zones that forward to on-prem DNS, and DNS inbound policies.
  • Watch and learn from the Google Cloud OnAir networking series.
  • There was a question about the process of ordering an interconnect, including signing some kind of authorization paperwork downloaded from Google and sending it to the interconnect service provider. I believe such a question appeared in my 1st network engineer exam before.
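
As an added example (not from the post), a small Python calculator for the GKE node-count arithmetic in the list above and for sizing the pod secondary range the other way round. The per-node prefix rule ("about twice the max pods per node, rounded up to a power of two") is an assumption derived from the standard-cluster CIDR table the post cites; real clusters are also bounded by the node subnet size and quotas, which this ignores.

```python
import math


def per_node_pod_prefix(max_pods_per_node: int) -> int:
    """Prefix length of the pod range GKE carves out for one node.

    Assumption: GKE reserves roughly twice max_pods_per_node addresses per
    node and rounds up to the next power of two, so 110 pods -> 220
    addresses -> /24, and 8 pods -> 16 addresses -> /28.
    """
    if max_pods_per_node < 1:
        raise ValueError("max_pods_per_node must be positive")
    host_bits = math.ceil(math.log2(2 * max_pods_per_node))
    return 32 - host_bits


def max_nodes(pod_secondary_prefix: int, max_pods_per_node: int = 110) -> int:
    """Upper bound on nodes imposed by the pod secondary range alone.

    Formula from the post: 2 ** (per-node pod prefix - pod secondary prefix).
    """
    node_prefix = per_node_pod_prefix(max_pods_per_node)
    if not 0 < pod_secondary_prefix <= node_prefix:
        raise ValueError(
            f"pod secondary range /{pod_secondary_prefix} must be at least as "
            f"large as the per-node /{node_prefix} range"
        )
    return 2 ** (node_prefix - pod_secondary_prefix)


def pod_range_prefix_for(node_count: int, max_pods_per_node: int = 110) -> int:
    """Largest prefix (smallest range) whose pod secondary range still fits
    node_count nodes, i.e. the inverse of max_nodes()."""
    if node_count < 1:
        raise ValueError("node_count must be positive")
    node_prefix = per_node_pod_prefix(max_pods_per_node)
    return node_prefix - math.ceil(math.log2(node_count))


if __name__ == "__main__":
    for prefix in (14, 20):
        print(f"/{prefix} pod range, 110 pods/node -> max {max_nodes(prefix)} nodes")
    print(f"/14 pod range, 8 pods/node -> max {max_nodes(14, 8)} nodes")
    print(f"1000 nodes at 110 pods/node need at least a /{pod_range_prefix_for(1000)}")
```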

Overall, there were 50 questions, not as bad as 60 in the Machine learning engineer exam. I took my time answering questions and had 3 questions marked for review at the end with 7 minutes left. Be aware of the number of questions when the exam starts. If Google changes that to 60 questions, you may need to rush through some questions to be able to finish the exam in time.
