Advanced VPC Design and Connectivity
PCNE-level VPC design covers the full connectivity model.
- Shared VPC: a host project owns the VPC network; service projects attach to it and create resources in the shared subnets. This centralises network governance and reduces the number of VPC networks to manage.
- VPC peering: connects two VPCs. Routes are exchanged automatically, and peering is non-transitive (A-B and B-C does not give A-C connectivity).
- Private Service Connect: creates private endpoints for Google APIs and third-party services inside your VPC. Traffic stays on Google's private network, and DNS resolves to a private IP.
- Cloud DNS: managed authoritative DNS. Public zones serve external DNS; private zones resolve within the VPC (visible only to VMs in the VPC or peered VPCs); forwarding zones forward queries to on-premises DNS servers via hybrid connectivity.
- DNS server policy: configures the VPC to use Cloud DNS as the DNS resolver for on-premises hosts connecting via VPN or Interconnect.
- Network Connectivity Center: hub-and-spoke topology for connecting VPCs, VPN tunnels, and Interconnect attachments; similar to AWS Transit Gateway but designed for Google's network model.
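The pieces above fit together in one Terraform configuration. The following is an added example, not code from the original notes: it declares a Shared VPC host and service project, a peering that (like every VPC peering) does not re-advertise routes, a Private Service Connect endpoint for Google APIs, and a Cloud DNS private zone beside a forwarding zone. Every project id, network name, CIDR and IP address is a hypothetical placeholder.

```hcl
# Added example (not from the original notes): Terraform for a Shared VPC host
# and service project, a non-transitive VPC peering, a Private Service Connect
# endpoint for Google APIs, and Cloud DNS private and forwarding zones.
# Project ids, names, CIDRs and IP addresses are hypothetical.

resource "google_compute_shared_vpc_host_project" "host" {
  project = "net-host-prj"   # hypothetical host project that owns the network
}

resource "google_compute_shared_vpc_service_project" "app" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = "app-prj-1"   # hypothetical service project
}

resource "google_compute_network" "shared" {
  project                 = "net-host-prj"
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

# Service-project workloads land in this subnet; subnet IAM decides who may use it.
resource "google_compute_subnetwork" "shared_eu" {
  project                  = "net-host-prj"
  name                     = "shared-eu-west1"
  region                   = "europe-west1"
  network                  = google_compute_network.shared.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true
}

# Peering is declared on both networks. Routes are exchanged but never
# re-advertised, so a VPC peered with partner-vpc gets no route to shared-vpc.
resource "google_compute_network_peering" "shared_to_partner" {
  name                 = "shared-to-partner"
  network              = google_compute_network.shared.id
  peer_network         = "projects/partner-prj/global/networks/partner-vpc"   # hypothetical
  export_custom_routes = false
  import_custom_routes = false
}

# Private Service Connect endpoint: one internal IP fronts all Google APIs,
# so API calls never leave Google's private network.
resource "google_compute_global_address" "psc_apis" {
  project      = "net-host-prj"
  name         = "psc-google-apis"
  address_type = "INTERNAL"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  network      = google_compute_network.shared.id
  address      = "10.255.0.5"
}

resource "google_compute_global_forwarding_rule" "psc_apis" {
  project               = "net-host-prj"
  name                  = "pscapis"
  target                = "all-apis"
  network               = google_compute_network.shared.id
  ip_address            = google_compute_global_address.psc_apis.id
  load_balancing_scheme = ""
}

# Private zone: answers only for the networks listed, never for the internet.
resource "google_dns_managed_zone" "corp_private" {
  project    = "net-host-prj"
  name       = "corp-internal"
  dns_name   = "corp.internal."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = google_compute_network.shared.id
    }
  }
}

# Forwarding zone: queries for onprem.example go over VPN/Interconnect to the
# on-premises resolver.
resource "google_dns_managed_zone" "onprem_forward" {
  project    = "net-host-prj"
  name       = "onprem-forward"
  dns_name   = "onprem.example."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = google_compute_network.shared.id
    }
  }
  forwarding_config {
    target_name_servers {
      ipv4_address    = "192.168.100.53"   # hypothetical on-prem DNS server
      forwarding_path = "private"
    }
  }
}
```

The peering resource has to be mirrored in partner-prj before routes flow, and `forwarding_path = "private"` keeps the forwarded DNS queries on the hybrid link rather than the public internet.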
Hybrid Connectivity and Load Balancing
Hybrid connectivity for PCNE.
- Cloud VPN: IPSec-based VPN. HA VPN uses two tunnels with BGP routing and carries a 99.99% SLA; Classic VPN is a single-tunnel legacy option. HA VPN requires Cloud Router for dynamic BGP routing.
- Cloud Interconnect: Dedicated (direct 10G or 100G private circuit to Google) and Partner (through a partner, 50 Mbps to 10 Gbps).
- Cloud Router: manages BGP sessions for VPN and Interconnect; announces VPC subnet routes to on-premises and learns on-premises routes dynamically.
- MED (Multi-Exit Discriminator): BGP attribute that influences inbound path selection; lower MED is preferred.
- Google Cloud load balancers:
  - Global External HTTP(S) Load Balancer: anycast IP, CDN integration, URL-based routing, backend services with health checks; used for web applications with global users.
  - Regional External HTTP(S) LB: single region, lower cost.
  - External TCP/UDP Network LB: pass-through, preserves client IP, no SSL termination; for non-HTTP protocols.
  - Internal HTTP(S) LB: for internal microservices; Envoy-based, supports traffic management policies.
  - Internal TCP/UDP LB: pass-through for internal L4 traffic.
- Cloud CDN: integrated with the Global HTTP(S) LB; caches responses at Google's edge PoPs worldwide.
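The HA VPN, Cloud Router and MED points above combine into the configuration below. It is an added example, not code from the original notes: two tunnels to an on-premises gateway, one BGP session per tunnel, and `advertised_route_priority` (the MED Cloud Router sends to the peer) set lower on tunnel 0 so the on-premises router prefers it for traffic into the VPC. Names, ASNs, addresses and the `psk` variable are hypothetical.

```hcl
# Added example (not from the original notes): HA VPN to an on-premises
# gateway with two tunnels, a Cloud Router running BGP on both, and MED set
# through advertised_route_priority so on-premises prefers tunnel 0 for
# traffic into the VPC. Names, ASNs, IP addresses and the psk variable are
# hypothetical; 203.0.113.0/24 is a documentation range.

variable "psk" {
  type      = string
  sensitive = true   # pre-shared key; inject from a secret store, never commit it
}

resource "google_compute_network" "vpc" {
  name                    = "hybrid-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_ha_vpn_gateway" "gw" {
  name    = "ha-vpn-gw"
  region  = "europe-west1"
  network = google_compute_network.vpc.id
}

# Two on-premises IPs give the redundancy HA VPN needs for the 99.99% SLA.
resource "google_compute_external_vpn_gateway" "onprem" {
  name            = "onprem-gw"
  redundancy_type = "TWO_IPS_REDUNDANCY"
  interface {
    id         = 0
    ip_address = "203.0.113.10"
  }
  interface {
    id         = 1
    ip_address = "203.0.113.11"
  }
}

resource "google_compute_router" "cr" {
  name    = "hybrid-cr"
  region  = "europe-west1"
  network = google_compute_network.vpc.id
  bgp {
    asn               = 64514   # private ASN for the Cloud Router side
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]   # announce every VPC subnet on-premises
  }
}

# One IPsec tunnel per gateway interface, both bound to the same Cloud Router.
resource "google_compute_vpn_tunnel" "t" {
  count                           = 2
  name                            = "tunnel-${count.index}"
  region                          = "europe-west1"
  vpn_gateway                     = google_compute_ha_vpn_gateway.gw.id
  vpn_gateway_interface           = count.index
  peer_external_gateway           = google_compute_external_vpn_gateway.onprem.id
  peer_external_gateway_interface = count.index
  shared_secret                   = var.psk
  router                          = google_compute_router.cr.id
  ike_version                     = 2
}

# Link-local /30 per tunnel for the BGP session.
resource "google_compute_router_interface" "if" {
  count      = 2
  name       = "if-${count.index}"
  region     = "europe-west1"
  router     = google_compute_router.cr.name
  ip_range   = "169.254.${count.index}.1/30"
  vpn_tunnel = google_compute_vpn_tunnel.t[count.index].name
}

resource "google_compute_router_peer" "peer" {
  count           = 2
  name            = "peer-${count.index}"
  region          = "europe-west1"
  router          = google_compute_router.cr.name
  interface       = google_compute_router_interface.if[count.index].name
  peer_ip_address = "169.254.${count.index}.2"
  peer_asn        = 65001   # hypothetical on-premises ASN
  # MED carried on the routes Cloud Router advertises. Lower wins, so on-prem
  # sends traffic toward the VPC through tunnel 0 and fails over to tunnel 1
  # only when that BGP session drops.
  advertised_route_priority = count.index == 0 ? 100 : 200
}
```

The on-premises side mirrors this: it must peer with 169.254.0.1 and 169.254.1.1 using ASN 64514, and its own MED values decide which tunnel Cloud Router prefers for traffic leaving the VPC.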
Network Security and Monitoring
Network security at PCNE level.
- Hierarchical firewall policies: apply firewall rules at organisation or folder level; enforced before VPC-level firewall rules and cannot be overridden by projects.
- VPC firewall rules: stateful rules applied per instance (via network tag or service account); implied deny-all inbound, implied allow-all outbound.
- Best practice: replace tag-based rules with service-account-based rules. They are more precise: a tag can be applied by anyone with Compute access, whereas service account assignment is IAM-controlled.
- Cloud Armor security policies: layer 7 rules for HTTPS traffic, covering rate limiting, geo-blocking, OWASP CRS, and custom IP/header/URI match rules.
- Threat Intelligence integration: automatically blocks known malicious IPs from Mandiant's threat intelligence database.
- Network Intelligence Center: suite of tools for network visibility and monitoring. Network Topology visualises VPC connectivity and traffic flow; Connectivity Tests diagnose packet paths and identify routing issues (similar to AWS Reachability Analyser); Flow Logs Analyser queries VPC Flow Logs with aggregation and filtering.
- Packet Mirroring: clones traffic from specific instances to an IDS for deep packet inspection.
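The hierarchical-policy, service-account and Cloud Armor points above can be expressed as Terraform. The following is an added example, not code from the original notes: a folder-level policy that is evaluated before any project's own rules, a VPC rule keyed on service accounts with the weaker tag-based form noted in a comment, and a Cloud Armor policy with an OWASP CRS rule and a per-IP rate limit. The folder id, project, network, service accounts and resource names are hypothetical; the one real value is 35.235.240.0/20, Google's published IAP TCP-forwarding source range.

```hcl
# Added example (not from the original notes). Folder id, project, network,
# service accounts and names are hypothetical; 35.235.240.0/20 is Google's
# published IAP TCP-forwarding range. Hierarchical rules run before any VPC
# rule, and within a policy the lower priority number wins.
resource "google_compute_firewall_policy" "baseline" {
  parent     = "folders/000000000000"   # hypothetical folder id
  short_name = "baseline"
}

# Admin ports are reachable only through IAP; priority 1000 beats the deny below.
resource "google_compute_firewall_policy_rule" "allow_iap_admin" {
  firewall_policy = google_compute_firewall_policy.baseline.id
  priority        = 1000
  direction       = "INGRESS"
  action          = "allow"
  match {
    src_ip_ranges = ["35.235.240.0/20"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22", "3389"]
    }
  }
}

# Projects under the folder cannot open 22/3389 to the internet with their own rules.
resource "google_compute_firewall_policy_rule" "deny_admin_ports" {
  firewall_policy = google_compute_firewall_policy.baseline.id
  priority        = 2000
  direction       = "INGRESS"
  action          = "deny"
  enable_logging  = true   # denied attempts show up in firewall logs
  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22", "3389"]
    }
  }
}

resource "google_compute_firewall_policy_association" "folder" {
  name              = "baseline-assoc"
  attachment_target = google_compute_firewall_policy.baseline.parent
  firewall_policy   = google_compute_firewall_policy.baseline.id
}

# VPC rule keyed on service accounts. The tag-based form would use
# source_tags = ["web"] / target_tags = ["db"], which anyone able to edit
# instance tags can satisfy; a service account is assigned only through IAM.
resource "google_compute_firewall" "web_to_db_by_sa" {
  project                 = "app-prj-1"
  name                    = "allow-web-to-db-sa"
  network                 = "shared-vpc"
  direction               = "INGRESS"
  source_service_accounts = ["web@app-prj-1.iam.gserviceaccount.com"]
  target_service_accounts = ["db@app-prj-1.iam.gserviceaccount.com"]
  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Cloud Armor: attach via security_policy on a Global HTTP(S) LB backend service.
resource "google_compute_security_policy" "edge" {
  name = "edge-policy"
  rule {   # OWASP CRS preconfigured rule sets for SQLi and XSS
    action   = "deny(403)"
    priority = 1000
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('sqli-stable') || evaluatePreconfiguredExpr('xss-stable')"
      }
    }
  }
  rule {   # per-client-IP rate limit: 100 requests per minute, then 429
    action   = "throttle"
    priority = 2000
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100
        interval_sec = 60
      }
    }
  }
}
```

Because the hierarchical deny is final for matching traffic, a project administrator who later adds a VPC rule allowing port 22 from 0.0.0.0/0 changes nothing; the logged denies in that case are also the signal a detection team would watch for.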