Google Cloud · 2026 Edition
A complete preparation guide written by Google Cloud-certified engineers. Covers the exam format, all 5 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 3–5 months
Difficulty: Advanced
Exam questions: 60
Pass mark: 720/1000
Exam code: PCNE
Full name: Google Professional Cloud Network Engineer
Vendor: Google Cloud
Duration: 120 minutes
Questions: 60 items
Passing score: 720/1000 (scaled)
Domains covered: 5 blueprint domains
Recommended experience: 3+ years of networking experience including 1+ year of GCP networking experience
Typical prep time: 3–5 months
The Professional Cloud Network Engineer certification validates the ability to design, implement, and manage Google Cloud network infrastructure. It is the credential for network architects and senior network engineers building enterprise-scale GCP environments.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–3
VPC Architecture: VPC design, subnet modes, firewall rules, Shared VPC, VPC peering
Tip: GCP VPCs are global — a single VPC can have subnets in every region without needing VPC peering. This is fundamentally different from AWS (regional VPCs). Shared VPC allows projects to share a single VPC network: the host project owns subnets, service projects use them. Know when to use Shared VPC vs VPC peering.
Weeks 4–6
Hybrid Connectivity: Cloud Interconnect, Cloud VPN (HA VPN), Cloud Router, BGP
Tip: HA VPN provides 99.99% SLA when two VPN tunnels connect to the same Cloud Router on the GCP side and to two different on-premises devices. Know the HA VPN configuration: two external VPN gateways, two tunnels, BGP sessions on each tunnel. Active/passive and active/active configurations are both testable.
Weeks 7–9
Load Balancing and Traffic Management: Global LB, Regional LB, NEGs, Cloud CDN
Tip: GCP load balancer types by scope and protocol: Global External HTTPS (layer 7, global, supports Cloud CDN, Serverless NEGs), Regional External HTTPS (layer 7, regional), External TCP/UDP (layer 4, regional), Internal HTTPS (layer 7, VPC-internal), Internal TCP/UDP (layer 4, VPC-internal). Know which type to use given a scenario's scope and protocol requirements.
Weeks 10–13
Network Operations: Network Intelligence Center, Packet Mirroring, Private Service Connect, firewall logging
Tip: Network Intelligence Center provides four tools: Connectivity Tests (validate reachability between endpoints), Performance Dashboard (GCP network performance baselines), Firewall Insights (identify unused/overly permissive firewall rules), and Network Topology (visualise VPC topology). Know which tool you would use for each type of network investigation.
Cloud Router enables dynamic route exchange using BGP. Know that Cloud Router is required for Cloud Interconnect and is optional but recommended for HA VPN. Cloud Router advertises VPC subnets to on-premises networks and learns on-premises routes automatically — there are no static routes to maintain.
Private Google Access allows VM instances without external IPs to reach Google APIs (like Cloud Storage, BigQuery) using private IP addresses. Know the difference between Private Google Access (within VPC), Private Service Connect (connect to Google APIs or producer VPCs using private endpoints), and VPC Service Controls (restrict which identities can access APIs from which perimeter).
GCP firewall rules are stateful and evaluated against all egress and ingress traffic. Know the rule priority (lower number = higher priority, 0–65535), that the implied rules are 65534 (allow egress to all) and 65535 (deny ingress from all), and that firewall rules apply to the entire VPC (not individual subnets).
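The priority logic described above, as an added example that is not part of the original guide: a simplified Python model that picks the deciding rule for a new connection and lists ingress allow rules open to 0.0.0.0/0. Assumptions: the `Rule` class, function names and sample rules are constructed for illustration, the model covers TCP ports only and ignores target tags and service accounts, and it applies the VPC firewall behaviour that a deny beats an allow at equal priority.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "allow" or "deny"
    priority: int                   # 0-65535, lower number = higher priority
    ranges: tuple                   # source ranges (ingress) / destination ranges (egress)
    ports: frozenset = frozenset()  # empty = all ports (model covers TCP only)

    def matches(self, direction, peer_ip, port):
        if direction != self.direction or (self.ports and port not in self.ports):
            return False
        ip = ipaddress.ip_address(peer_ip)
        return any(ip in ipaddress.ip_network(r) for r in self.ranges)

def evaluate(rules, direction, peer_ip, port):
    """Decide a NEW connection; replies are covered by the stateful entry."""
    hits = [r for r in rules if r.matches(direction, peer_ip, port)]
    if not hits:  # nothing explicit matched: fall through to the implied rules
        if direction == "EGRESS":
            return ("allow", "implied-allow-egress")
        return ("deny", "implied-deny-ingress")
    # Lowest priority number wins; at equal priority a deny beats an allow.
    best = min(hits, key=lambda r: (r.priority, r.action != "deny"))
    return (best.action, best.name)

def open_to_internet(rules):
    """Ingress allow rules with 0.0.0.0/0 as a source range: review candidates."""
    return sorted(r.name for r in rules
                  if r.direction == "INGRESS" and r.action == "allow"
                  and "0.0.0.0/0" in r.ranges)

# Constructed sample rule set (hypothetical names, documentation address ranges).
RULES = [
    Rule("allow-ssh-any", "INGRESS", "allow", 1000, ("0.0.0.0/0",), frozenset({22})),
    Rule("deny-ssh-bad-net", "INGRESS", "deny", 900, ("203.0.113.0/24",), frozenset({22})),
    Rule("allow-web-corp", "INGRESS", "allow", 1000, ("10.0.0.0/8",), frozenset({443})),
    Rule("deny-web-subnet", "INGRESS", "deny", 1000, ("10.9.0.0/16",), frozenset({443})),
    Rule("deny-egress-smtp", "EGRESS", "deny", 500, ("0.0.0.0/0",), frozenset({25})),
]

if __name__ == "__main__":
    for probe in [("INGRESS", "203.0.113.7", 22), ("INGRESS", "10.9.1.1", 443),
                  ("INGRESS", "198.51.100.5", 3389), ("EGRESS", "192.0.2.1", 443)]:
        print(probe, "->", evaluate(RULES, *probe))
```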
Cloud CDN caching modes: CACHE_ALL_STATIC (automatically cache static content based on content type), FORCE_CACHE_ALL (cache everything including dynamic content), USE_ORIGIN_HEADERS (respect Cache-Control headers from the origin — recommended for dynamic content with proper caching headers).
Packet Mirroring copies traffic from specified VM instances and sends it to a collector (for example, an IDS appliance behind the Packet Mirroring policy destination). Know that it mirrors entire packet payloads (unlike VPC Flow Logs, which capture only metadata), and that it requires a Packet Mirroring policy whose destination is an ILB that distributes to collector VMs.