Edit: I’ve successfully passed this certification, landing certification #20 globally.
On Thursday 24th of January, I woke up to great news. Firstly, I became a GCP-certified “Professional Cloud Developer” by passing my 3rd certification and 2nd beta exam. Secondly, Google announced two new beta certifications. On the same day I registered for both the Google Cloud Certified - Professional Cloud Network Engineer and the Google Cloud Certified - Professional Cloud Security Engineer exams.
I had an opportunity to sit the Professional Cloud Network Engineer BETA on 29th of January, and here is an outline of my journey.
My GCP experience to date
I’ve been learning about GCP since around February 2018 and became fully committed to it from May onwards. I chose GCP over AWS as it was better suited to the current and future needs of Loveholidays.com. We’ve successfully migrated from physical servers running KVM VMs to GCP, where we run most of our workloads inside GKE. Since May I’ve worked with HTTP(S), TCP and internal load balancers, firewall rules, regular and Shared (host/service project) VPCs, GKE (including VPC-native alias IP clusters), VPNs, NAT instances, Cloud Routers, Cloud Armor, hybrid connectivity with Interconnect, GCE instances with private IPs, network tags, static routes, VPC peering, Stackdriver and a few more technologies.
While hands-on experience is invaluable, you sometimes miss the bigger picture of the available infrastructure when you only ever work with a subset of GCP’s network technologies. Here is what I used to fill that gap:
- Architecting with Google Cloud Platform (https://www.coursera.org/specializations/gcp-architecture). I did this Specialization while preparing for the Professional Cloud Architect exam; its course materials are fundamental to every GCP certification I’ve done so far. I did the labs selectively due to a lack of time, but I wouldn’t recommend skipping them: they let you make mistakes and learn from them, and they promote risk-free experimentation that you are less likely to do in your personal/dev GCP projects.
- Security in Google Cloud Platform, a brand-new Specialization that I started the day before the exam. It is filled with security content on networking and permissions that you will be questioned about.
I covered the material below in preparation for previous certifications, but found it very valuable for the networking exam too.
- Google Cloud Security Essentials
- Google Certified Professional Cloud Architect - Part 1
- Google Certified Professional Cloud Architect - Part 2
- Google Certified Professional Cloud Architect - Part 3
While I spend a considerable amount of time in the GCP documentation for my work, I didn’t do so in preparation for this exam - big mistake. Videos I found useful:
- Cloud OnAir: Google Cloud Networking 101
- VPC Deep Dive and Best Practices (Cloud Next ‘18)
- Google Cloud Networking Deep Dive
The actual exam
The beta exam is 4 hours long and consisted of 96 questions. After going through the first two questions, I doubted whether 4 hours would be enough. A lot of the questions are very long, consuming an entire screen (with occasional scrolling) and filled with details, and the answers to a large number of questions are also voluminous. Reading questions and answers quickly without losing focus was one of my challenges.
The exam was very tough but mostly fair. The majority of the questions were very difficult and had a number of relevant answers, but only one most correct one. There were ~3-5 questions where I had to make an educated guess. A few questions were ambiguous or misleading in both the question and the answers. One example of a misleading question was about firewall rule priority values, where both a “higher priority value” and a “lower priority value” answer option were given. Had the answers only contained “higher priority” and “lower priority” options, it would have been clear what they meant. However, once you add the word “value”, I am no longer certain, as lower values mean higher priority while higher values mean lower priority. From the question, it wasn’t clear whether “higher priority value” actually meant higher or lower priority.
At the end of the exam, I had about a third of the questions marked for review. While slow at the start, I noticed a number of patterns where a lot of questions shared descriptions (similar to how it was done with the case studies for the Professional Cloud Architect exam). Once you’ve familiarised yourself with these common descriptions, you skim straight through to the question. Overall, the exam took me 2 hours to complete.
I do not intend to share any of the actual questions, as this is against the certification’s mission; however, I am happy to fill the gap that the latest certification left by not providing a detailed exam guide, as GCP did with previous certifications.
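To pin down the semantics behind that question: in GCP a firewall rule’s priority is an integer from 0 to 65535, the lowest number is evaluated first, at equal priority a deny beats an allow, and every VPC carries an implied deny-ingress and allow-egress at 65535. The following is an added example, not code from the original post: a small Python model of that evaluation order run over a constructed rule set. The rule names, the office address range and the bastion tag are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Added example (not from the original post): a model of how GCP evaluates
# VPC firewall rules. A LOWER priority value means a HIGHER priority; 0 is
# evaluated first, 65535 last, and 65535 is where the implied rules live.


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str                      # "INGRESS" or "EGRESS"
    priority: int                       # 0..65535, lower number evaluated first
    action: str                         # "allow" or "deny"
    protocol: str                       # "tcp", "udp", "icmp" or "all"
    ports: Optional[frozenset] = None   # None = every port of that protocol
    ranges: Tuple[str, ...] = ("0.0.0.0/0",)  # source (ingress) / destination (egress) CIDRs
    target_tags: Tuple[str, ...] = ()   # () = applies to every instance in the network

    def __post_init__(self):
        if not 0 <= self.priority <= 65535:
            raise ValueError(f"{self.name}: priority must be 0..65535")


# Every VPC network carries these two implied rules at the lowest priority.
IMPLIED_RULES = [
    FirewallRule("implied-deny-ingress", "INGRESS", 65535, "deny", "all"),
    FirewallRule("implied-allow-egress", "EGRESS", 65535, "allow", "all"),
]


@dataclass(frozen=True)
class Packet:
    direction: str
    remote_ip: str                      # source for ingress, destination for egress
    protocol: str
    port: int
    instance_tags: Tuple[str, ...] = ()


def matches(rule: FirewallRule, pkt: Packet) -> bool:
    """True if the rule applies to this packet (direction, tags, protocol, port, range)."""
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(pkt.instance_tags):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports is not None and pkt.port not in rule.ports:
        return False
    addr = ip_address(pkt.remote_ip)
    return any(addr in ip_network(r) for r in rule.ranges)


def evaluate(rules, pkt: Packet):
    """Return (action, rule_name) of the rule that decides this packet."""
    candidates = [r for r in list(rules) + IMPLIED_RULES if matches(r, pkt)]
    # Lowest priority value wins; at equal priority a deny beats an allow.
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    winner = candidates[0]              # the implied rules guarantee a candidate
    return winner.action, winner.name


# Constructed rule set: the office range and the tag name are assumptions.
RULES = [
    FirewallRule("allow-ssh-from-office", "INGRESS", 900, "allow", "tcp",
                 frozenset({22}), ("203.0.113.0/24",), ("bastion",)),
    FirewallRule("deny-ssh-from-anywhere", "INGRESS", 1000, "deny", "tcp",
                 frozenset({22})),
    # A larger priority VALUE is a LOWER priority: this allow is shadowed by
    # the deny above and never decides anything.
    FirewallRule("allow-ssh-shadowed", "INGRESS", 1100, "allow", "tcp",
                 frozenset({22})),
]

if __name__ == "__main__":
    for pkt in (Packet("INGRESS", "203.0.113.10", "tcp", 22, ("bastion",)),
                Packet("INGRESS", "198.51.100.5", "tcp", 22, ("bastion",)),
                Packet("INGRESS", "203.0.113.10", "tcp", 443, ("bastion",)),
                Packet("EGRESS", "8.8.8.8", "udp", 53)):
        print(pkt.direction, pkt.remote_ip, pkt.port, "->", evaluate(RULES, pkt))
```

The shadowed rule is the practical point: raising a rule’s priority number does not promote it, it demotes it, so an allow added at 1100 behind a deny at 1000 silently does nothing. Run this with your own rule export and a few packets you care about before trusting a rule set you did not write.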
Key topics: Load-balancing, VPN, Interconnectivity, Firewall, Cloud Router
VPC
- Know the available network types.
- Know the default firewall rules, routes, subnet sizes and IP ranges that come with each type.
- Flow logs: get practical experience with VPC flow logs and analyse them with BigQuery / Stackdriver Logging.
- Shared VPC: learn all you can about host/service project networking in GCP.
- VPC peering, and the fact that peering is not transitive.
- Alias IP.
- Firewall rules: experiment with logging and know all there is to firewall rules, as they are essential for secure usage of GCP.
Load balancing
- Know the available types and their key differences.
- Know how to load-balance SSL traffic without offloading it at the edge.
- Know how to integrate with Cloud CDN.
- Know how to use load balancers with GKE.
- How to filter traffic by IP (Cloud Armor).
- How to achieve HA.
- Specifications: bandwidth, what is supported, SLA.
VPN
- Cloud VPN + Cloud Router: how to make routing work across multiple regions, cloud and on-prem.
- Load-balancing VPN connections across multiple tunnels and Cloud VPN gateways.
- How to use Cloud VPN without BGP (static routes).
- Cloud Router.
Interconnect
- Know the difference between Dedicated Interconnect, Partner Interconnect, Direct Peering and Carrier Peering.
- Know the difference between Layer 2 and Layer 3 interconnects.
- Know how to set it up, how to set it up with HA, and how to monitor it with Stackdriver.
- Know the specs and relative pricing of each solution to be able to find the most cost-effective option.
- Private Google Access: from GCP, from on-prem, from NATed instances.
- Interconnect + BGP.
- Interconnect + Cloud Router.
GKE
- VPC-native clusters and subnet sizing.
- Private clusters: how to use them, how to access them.
Cloud Router
- Regional vs global dynamic routing.
- Handling failure.
- Where to place routers for multi-regional usage.
- Impact on latency.
- Static routes.
Cloud CDN
- Path rules.
- Cache invalidation.
- How to use with static buckets.
- How to integrate with the load balancers.
Other
- Cloud DNS: troubleshooting DNSSEC.
- Migrating zones to Cloud DNS (theory, gcloud).
- IAM: least privilege, network and security admin roles, custom role manipulation.
- Cloud NAT: usage and troubleshooting.
- Setting up NAT instances from scratch using gcloud.
- Marketplace L7 security appliances.
- Analysing a GCP network from on-prem.
- Cloud Armor.
- Various ways of SSHing into instances, as well as ways of disabling SSH.
- Instances with multiple NICs.
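Flow logs appear in the list above as something to get hands-on with. As an added example, not code from the original post, here is a Python pass over a handful of constructed VPC flow log entries in the shape Stackdriver Logging emits them (jsonPayload.connection with src_ip/dest_ip/ports/protocol, reporter set to SRC or DEST, bytes_sent and packets_sent as strings). It aggregates bytes per source, destination, port and protocol, and pulls out ingress from non-RFC1918 sources to ports you did not intend to expose. The project name, addresses and byte counts are made up; the field layout is the one I know the vpc_flows log to use.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example, not from the original post. Entries are constructed; field
# names follow the VPC flow log entry layout (jsonPayload.connection.*,
# reporter, bytes_sent, packets_sent). Exported log entries carry int64
# counters as strings, so everything is cast with int() below.

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}   # IP protocol numbers used by the connection field


def _entry(src, dst, sport, dport, proto, reporter, nbytes, pkts):
    """Build one constructed log entry (real ones also carry timestamps and instance/VPC details)."""
    return {
        "logName": "projects/example-project/logs/compute.googleapis.com%2Fvpc_flows",  # assumed project
        "jsonPayload": {
            "connection": {"src_ip": src, "dest_ip": dst, "src_port": sport,
                           "dest_port": dport, "protocol": proto},
            "reporter": reporter,               # "SRC" or "DEST": which side's VM reported the flow
            "bytes_sent": str(nbytes),
            "packets_sent": str(pkts),
        },
    }


SAMPLE_ENTRIES = [
    _entry("10.128.0.5", "10.128.0.9", 41234, 5432, 6, "DEST", 1200, 9),     # app -> db, seen by db
    _entry("10.128.0.5", "10.128.0.9", 41234, 5432, 6, "SRC", 1200, 9),      # same flow, seen by app
    _entry("203.0.113.7", "10.128.0.3", 51000, 22, 6, "DEST", 5400, 40),     # Internet -> ssh
    _entry("203.0.113.7", "10.128.0.3", 51001, 22, 6, "DEST", 300, 4),       # Internet -> ssh, again
    _entry("198.51.100.4", "10.128.0.3", 60000, 443, 6, "DEST", 90000, 120), # Internet -> https
    _entry("10.128.0.3", "8.8.8.8", 33000, 53, 17, "SRC", 140, 2),           # egress DNS
]


def is_internal(ip: str) -> bool:
    """RFC1918 check; Python's is_private would also swallow the documentation ranges used here."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flows(entries):
    """Flatten log entries into plain dicts with typed fields."""
    flows = []
    for e in entries:
        p = e["jsonPayload"]
        c = p["connection"]
        flows.append({
            "src": c["src_ip"], "dest": c["dest_ip"],
            "sport": int(c["src_port"]), "dport": int(c["dest_port"]),
            "proto": PROTOCOLS.get(int(c["protocol"]), str(c["protocol"])),
            "reporter": p["reporter"],
            "bytes": int(p["bytes_sent"]), "packets": int(p["packets_sent"]),
        })
    return flows


def aggregate(flows, reporter):
    """Sum bytes per (src, dest, dport, proto) for one reporter side, largest first.

    Both VMs of an intra-VPC flow report it, so filtering on the reporter
    avoids double counting; DEST gives the ingress view, SRC the egress view.
    """
    agg = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for f in flows:
        if f["reporter"] != reporter:
            continue
        key = (f["src"], f["dest"], f["dport"], f["proto"])
        agg[key]["bytes"] += f["bytes"]
        agg[key]["flows"] += 1
    return sorted(((k, v["bytes"], v["flows"]) for k, v in agg.items()), key=lambda t: -t[1])


def external_ingress(flows, allowed_ports=frozenset({80, 443})):
    """Ingress from non-RFC1918 sources to ports outside the expected public set."""
    return [(k, b, n) for k, b, n in aggregate(flows, "DEST")
            if not is_internal(k[0]) and k[2] not in allowed_ports]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_ENTRIES)
    for key, nbytes, count in aggregate(flows, "DEST"):
        print("ingress", key, nbytes, "bytes over", count, "flows")
    for key, nbytes, count in external_ingress(flows):
        print("UNEXPECTED public ingress:", key, nbytes, "bytes")
```

The same grouping is what you would write as a GROUP BY over the BigQuery export of the vpc_flows log; doing it once in Python on a sample makes the reporter duplication and the string-typed counters obvious before you trust the numbers from a dashboard.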