GOOGLE CERTIFICATION
Professional Cloud Network Engineer Practice Exam
Exam Number: 1010 | Last updated April 21, 2026 | 1246+ questions across 5 vendor-aligned objectives
Professional Cloud Network Engineer is Google’s certification for practitioners who possess the practical knowledge Google expects on its platform. It is built for network engineers and architects who design hybrid, multi-cloud, and global VPC topologies on Google Cloud, and scoring rewards candidates who translate features into measurable results rather than simply recognize service names.
Heavy-weighted areas define where study time pays back fastest: 22% targets Designing, Planning, and Prototyping a Google Cloud Network (VPC design patterns, Shared VPC, IP address management, hybrid topologies); 20% targets Implementing Virtual Private Cloud Instances (subnets, routes, firewall rules, Private Service Connect); 20% targets Configuring Network Services (Cloud Load Balancing, Cloud CDN, Cloud DNS, Cloud NAT).
Supporting domains fill out the blueprint: 20% covers Implementing Hybrid Interconnectivity (Cloud VPN, Cloud Interconnect, Network Connectivity Center, BGP); 18% covers Managing, Monitoring, and Optimizing Network Operations (VPC Flow Logs, Network Intelligence Center, performance tuning). Each still appears on the exam, so none can be safely skipped. Google updates exam guides regularly, so verify domain weights on the official certification page before you finalize a study plan.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Google documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.
696 practice exam users · 89.8% satisfied users · 82% passed the exam · 4.6/5 quality rating
Test your Cloud Network Engineer knowledge
10 of 1246+ questions
Question #1 - Designing, Planning, and Prototyping a Google Cloud Network
A central networking team wants to own a common IP plan and firewall policy while letting ten product teams deploy workloads in their own Google Cloud projects.
Which design satisfies that separation of duties?
A) Standalone VPCs in each project with no relationship
B) Shared VPC with a host project and service projects
C) One legacy network for everyone
D) A single project for all product teams
Correct answers: B – Explanation:
Shared VPC centralizes networking in the host project while service projects retain workload ownership, matching the stated separation of duties. Standalone VPCs break the common plan. Legacy networks are deprecated. One project for all teams eliminates separation.
Question #2 - Configuring Network Services
A global HTTP(S) application needs a single anycast IP, TLS termination, and backends in multiple regions.
Which Google Cloud load balancer is the right choice?
A) Regional TCP/UDP network load balancer
B) Internal passthrough network load balancer only
C) Cloud NAT in place of a load balancer
D) Global external Application Load Balancer
Correct answers: D – Explanation:
The global external Application Load Balancer provides a single anycast IP, TLS, and cross-region HTTP(S) backends. Regional TCP/UDP load balancers are not global HTTP. Internal passthrough is intra-VPC. Cloud NAT is egress, not a load balancer.
Question #3 - Implementing Virtual Private Cloud Instances
A network engineer must allow SSH from a corporate bastion subnet to application VMs but block SSH from everywhere else.
Which Google Cloud construct expresses that rule most cleanly?
A) Allow VPC firewall rule scoped to the bastion subnet source
B) Public IP addresses on every VM
C) Cloud NAT rules on the bastion
D) Default allow-all route
Correct answers: A – Explanation:
A VPC firewall rule that allows tcp:22 only from the bastion subnet is the direct way to express this. Public IPs expand attack surface. Cloud NAT is outbound egress. An allow-all route is the opposite of the control.
Question #4 - Implementing Hybrid Interconnectivity
An enterprise needs a dedicated 10 Gbps connection between their data center and Google Cloud with an SLA, not an IPsec tunnel over the public internet.
Which option fits?
A) Classic Cloud VPN over the internet
B) Carrier Peering for general Google services
C) Dedicated Interconnect
D) Private Google Access for Cloud Storage
Correct answers: C – Explanation:
Dedicated Interconnect provides a private 10 or 100 Gbps link with SLA. Classic VPN runs over the public internet. Carrier Peering is for Google public services, not private VPC. Private Google Access is an access pattern, not hybrid.
Question #5 - Configuring Network Services
A media company wants to cache static video thumbnails at Google’s edge to reduce origin load and improve user latency globally.
Which Google Cloud feature fits?
A) Cloud NAT for inbound caching
B) Cloud DNS with TTL 0
C) VPC Flow Logs
D) Cloud CDN backed by the external Application Load Balancer
Correct answers: D – Explanation:
Cloud CDN caches content at Google’s edge and integrates with the external Application Load Balancer. Cloud NAT does not cache. TTL 0 on DNS defeats caching. VPC Flow Logs are observability.
Question #6 - Designing, Planning, and Prototyping a Google Cloud Network
A bank wants to consume a Google-managed service privately without traversing the public internet and without peering IP ranges to Google.
Which Google Cloud feature enables that?
A) Private Service Connect endpoints
B) External IPs on all resources
C) A Cloud NAT gateway only
D) Classic VPN to each Google service
Correct answers: A – Explanation:
Private Service Connect exposes managed services as private endpoints inside the customer’s VPC without IP range peering or public internet. External IPs defeat the goal. Cloud NAT handles egress, not private consumption. VPN to Google services is not the supported pattern.
Question #7 - Managing, Monitoring, and Optimizing Network Operations
A network engineer must investigate which source IPs talked to a specific Compute Engine VM over the last 24 hours.
Which Google Cloud feature provides that visibility?
A) Cloud Build history
B) VPC Flow Logs
C) BigQuery scheduled queries without any data
D) Cloud Source Repositories logs
Correct answers: B – Explanation:
VPC Flow Logs record network flows to and from VM interfaces and can be queried to list source IPs. Cloud Build, empty scheduled queries, and source repo logs do not capture network flows.
Question #8 - Implementing Hybrid Interconnectivity
A network engineer is configuring a VLAN attachment over Partner Interconnect and must advertise on-prem routes to Google Cloud.
Which Google Cloud component speaks BGP to the on-prem peer?
A) Cloud DNS
B) Cloud NAT
C) Cloud Router
D) Cloud Armor
Correct answers: C – Explanation:
Cloud Router is the managed BGP speaker for Cloud VPN, Dedicated Interconnect, and Partner Interconnect. Cloud DNS is resolution. Cloud NAT is egress. Cloud Armor is WAF.
Question #9 - Implementing Virtual Private Cloud Instances
A network engineer wants traffic from a subnet to leave through a self-managed firewall VM before reaching the internet.
Which Google Cloud construct achieves that?
A) A custom VPC route with next hop set to the firewall VM
B) Cloud DNS CNAME chain
C) Private Google Access only
D) A bucket policy
Correct answers: A – Explanation:
A custom VPC route with next hop set to the inspection VM steers subnet traffic through it before egress. DNS, Private Google Access, and bucket policies do not change L3 routing.
Question #10 - Managing, Monitoring, and Optimizing Network Operations
An architect wants to visualize topology, test connectivity between endpoints, and see firewall insights across their VPCs.
Which Google Cloud tool is purpose-built for that?
A) Cloud Build
B) Network Intelligence Center
C) Cloud Scheduler
D) Artifact Registry
Correct answers: B – Explanation:
Network Intelligence Center provides topology, connectivity tests, and firewall insights for Google Cloud networks. Cloud Build, Scheduler, and Artifact Registry are unrelated.
Get 1246+ more questions with source-linked explanations
Every answer traces to the exact Google documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated April 21, 2026
What the Cloud Network Engineer exam measures
- Designing, Planning, and Prototyping a Google Cloud Network (22%): Apply Google Cloud practices to VPC design patterns, Shared VPC, IP address management, hybrid topologies.
- Implementing Virtual Private Cloud Instances (20%): Apply Google Cloud practices to subnets, routes, firewall rules, Private Service Connect.
- Configuring Network Services (20%): Apply Google Cloud practices to Cloud Load Balancing, Cloud CDN, Cloud DNS, Cloud NAT.
- Implementing Hybrid Interconnectivity (20%): Apply Google Cloud practices to Cloud VPN, Cloud Interconnect, Network Connectivity Center, BGP.
- Managing, Monitoring, and Optimizing Network Operations (18%): Apply Google Cloud practices to VPC Flow Logs, Network Intelligence Center, performance tuning.
How to prepare for this exam
- Review the Professional Cloud Network Engineer official exam guide end to end before you commit to a study plan, so every later hour is spent against the published blueprint.
- Complete the relevant Google Cloud Skills Boost learning path and treat its labs as non-optional rather than extra credit.
- Get hands-on practice in a Qwiklabs sandbox, repeating the same tasks from memory until configuration feels routine.
- Apply what you learn in real-world project experience — your day job, a volunteer project, or an open-source contribution — so the concepts stick.
- Master one objective at a time, starting with the highest-weighted domain on the blueprint and moving down from there.
- Use PowerKram learn mode with feedback and sourced links to close gaps while the answer rationale is still fresh.
- Finish with PowerKram exam mode across all objectives under realistic time pressure before you book the real exam.
Career paths and salary outlook
Holding the Professional Cloud Network Engineer certification typically supports roles such as:
- Cloud Network Engineer: roughly $125,000 to $180,000 USD per year in the US market (range varies by region, years of experience, and specialization). See current data on Glassdoor.
- Network Architect (Cloud): roughly $150,000 to $210,000 USD per year in the US market (range varies by region, years of experience, and specialization). See current data on Levels.fyi.
- Hybrid Connectivity Specialist: roughly $130,000 to $185,000 USD per year in the US market (range varies by region, years of experience, and specialization). See current data on Payscale.
Official resources
Work directly from Google’s own preparation resources and treat third-party content as a supplement:
