An overview of Google Cloud certifications - Part 2
Posted on
December 19, 2019

NOTE: This is Part 2 of 2. To read Part 1, click here.

If you're thinking about getting a Google Cloud certification, then here's some relevant info to get you started.

Google Cloud Certified — Professional Cloud Security Engineer

This certification is designed to authenticate the skill set of any individual who designs, develops, and manages a secure infrastructure leveraging Google security technologies. The exam is multiple choice/multiple response, 2 hours in length, and priced at $200.

Here's a breakdown of what's covered in this certification:

SECTION 1 — Configuring Access Within a Cloud Solution Environment
1.1 Configuring Cloud Identity. Considerations include:

  • Managing Cloud Identity
  • Configuring Google Cloud Directory Sync
  • Management of super administrative account

1.2 Managing use accounts. Considerations include:

  • Designing identity roles at the project and organization level
  • Automation of user lifecycle management process
  • API usage

1.3 Managing service accounts. Considerations include:

  • Auditing service accounts and keys
  • Automating the rotation of user managed service account keys
  • Identification of scenarios requiring service accounts
  • Creating, authorizing and securing service accounts
  • Securely managed API access management

1.4 Managing authentication. Considerations include:

  • Creating a password policy for user accounts
  • Establishing Security Assertion Markup Language (SAML)
  • Configuring and enforcing two-factor authentication

1.5 Managing and implementing authorization controls. Considerations include:

  • Using Resource Hierarchy for Access Control
  • Privileged roles and separation of duties
  • Managing IAM permissions with primitive, predefined, and custom roles
  • Granting permissions to different types of identities
  • Understanding difference between Google Cloud Storage IAM and ACLs

1.6 Defining Resource Hierarchy. Considerations include:

  • Creating and managing organizations
  • Resource structures (orgs, folders, and projects)
  • Defining and managing Organization constraints
  • Using Resource Hierarchy for Access Control and permissions inheritance
  • Trust and security boundaries within GCP projects

SECTION 2 — Configuring Network Security
2.1 Designing network security. Considerations include:

  • Security properties of a VPC Network, VPC Peering, Shared VPC, and Firewall Rules
  • Network isolation and data encapsulation for N tier application design
  • Use of DNSSEC
  • Private vs. public addressing
  • App-to-app security policy

2.2 Configuring network segmentation. Considerations include:

  • Network perimeter controls (firewall rules; IAP)
  • Load balancing (global, network, HTTP(S), SSL Proxy, and TCP Proxy load balancers)

2.3 Establish private connectivity. Considerations include:

  • Private RFC1918 connectivity between VPC networks and GCP Projects (Shared VPC, VPC Peering)
  • Private RFC1918 connectivity between data centers and VPC network (IPSEC and Cloud Interconnect)
  • Enable private connectivity between VPC and Google APIs (Private Access)

SECTION 3 — Ensuring Data Protection
3.1 Preventing data loss with the DLP API. Considerations include:

  • Identification and redaction of PII
  • Configuring tokenization
  • Configure format preserving substitution
  • Restricting access to DLP Datasets

3.2 Managing encryption at rest. Considerations include:

  • Understanding use cases for Default Encryption, Customer-Managed Encryption Keys (CMEK), and Customer-Supplied Encryption Keys (CSEK)
  • Creating and managing encryption keys for CMEK and CSEK
  • Managing application secrets
  • Object lifecycle policies for Cloud Storage
  • Enclave computing
  • Envelope encryption

SECTION 4 — Managing Operations Within a Cloud Solution Environment
4.1 Building and deploying infrastructure. Considerations include:

  • Backup and data loss strategy
  • Creating and automating an incident response plan
  • Log sinks, audit logs, and data access logs for near-realtime monitoring
  • Standby models
  • Automate security scanning for Common Vulnerabilities and Exploits (CVEs) through a CI/CD pipeline
  • Virtual machine image creation, hardening, and maintenance
  • Container image creation, hardening, maintenance, and patch management

4.2 Building and deploying applications. Considerations include:

  • Application logs near-realtime monitoring
  • Static code analysis
  • Automate security scanning through a CI/CD pipeline

4.3 Monitoring for security events. Considerations include:

  • Logging, monitoring, testing and altering for security incidents
  • Exporting logs to external security systems
  • Automated and manual analysis of access logs
  • Understanding capabilities of Cloud Security Scanner and Forseti

SECTION 5 — Ensuring Compliance
5.1 Comprehension of regulatory concerns. Considerations include:

  • Evaluation of concerns relative to compute, data, and network
  • Security shared responsibility model
  • Security guarantees within cloud execution environments
  • Limiting compute and data for regulatory compliance

5.2 Comprehension of compute environment concerns. Considerations include:

  • Security guarantees and constraints for each compute environment (Compute Engine, Kubernetes Engine, App Engine)
  • Determining which compute environment is appropriate based on company compliance standards

Google Cloud Certified —  Professional Cloud Developer

The professional cloud developer certification is aimed at the individual who "has experience with next generation databases, runtime environments and developer tools. They also have proficiency with at least one general purpose programming language and are skilled with using Stackdriver..."

The exam is multiple choice/multiple response, 2 hours in length, and priced at $200. A number of the questions asked will refer to case studies involving the fictional company HipLocal and you can find that case study ahead of time on the Google certification site.

Here's a breakdown of what's covered in this certification:

SECTION 1 — Designing Highly Scalable, Available, and Reliable Cloud-Native Applications
1.1 Designing performant applications and APIs. Considerations include:

  • Infrastructure as a Service vs. Container as a Service vs. Platform as a Service
  • Portability vs. platform-specific design
  • Evaluating different services and technologies
  • Operating system versions and base runtimes of services
  • Geographic distribution of Google Cloud services
  • Microservices
  • Defining a key structure for high write applications using Cloud Storage, Cloud Bigtable, Cloud Spanner, or Cloud SQL
  • Session management
  • Deploying and securing an API with cloud endpoints
  • Loosely coupled applications using asynchronous Cloud Pub/Sub events
  • Health checks
  • Google-recommended practices and documentation

1.2 Designing secure applications. Considerations include:

  • Applicable regulatory requirements and legislation
  • Security mechanisms that protect services and resources
  • Storing and rotating secrets
  • IAM roles for users/groups/service accounts
  • HTTPs certificates
  • Google-recommended practices and documentation

1.3 Managing application data. Tasks include:

  • Defining database schemas for Google-managed databases
  • Choosing data storage options based on use case considerations, such as:
  • Cloud Storage signed URLs for user-uploaded content
  • Using Cloud Storage to run a static website
  • Structured vs. unstructured data
  • ACID transactions vs. analytics processing
  • Data volume
  • Frequency of data access in Cloud Storage
  • Working with data ingestion systems
  • Following Google-recommended practices and documentation

1.4 Re-architecting applications from local services to Google Cloud Platform. Tasks include:

  • Using managed services
  • Using the strangler pattern for migration
  • Google-recommended practices and documentation

SECTION 2 — Building and Testing Applications
2.1 Setting up your development environment. Considerations include:

  • Emulating GCP services for local application development
  • Creating GCP projects

2.2 Building a continuous integration pipeline. Considerations include:

  • Creating a Cloud Source Repository and committing code to it
  • Creating container images from code
  • Developing unit tests for all code written
  • Developing an integration pipeline using services to deploy the application to the target environment
  • Reviewing test results of continuous integration pipeline

2.3 Testing. Considerations include:

  • Performance testing
  • Integration testing
  • Load testing

2.4 Writing code. Considerations include:

  • Algorithm design
  • Modern application patterns
  • Efficiency
  • Agile methodology

SECTION 3 — Deploying Applications
3.1 Implementing appropriate deployment strategies based on the target compute environment (Compute Engine, Google Kubernetes Engine, App Engine). Strategies include:

  • Blue/green deployments
  • Traffic-splitting deployments
  • Rolling deployments
  • Canary deployments

3.2 Deploying applications and services on Compute Engine. Tasks include:

  • Launching a compute instance using GCP Console and Cloud SDK (gcloud)
  • Moving a persistent disk to different VM
  • Creating an autoscaled managed instance group using an instance template
  • Generating/uploading a custom SSH key for instances
  • Configuring a VM for Stackdriver monitoring and logging
  • Creating an instance with a startup script that installs software
  • Creating custom metadata tags
  • Creating a load balancer for Compute Engine instances

3.3 Deploying applications and services on Google Kubernetes Engine. Tasks include:

  • Deploying a GKE cluster
  • Deploying a containerized application to GKE
  • Configuring GKE application monitoring and logging
  • Creating a load balancer for GKE instances
  • Building a container image using Cloud Build

3.4 Deploying an application to App Engine. Considerations include:

  • Scaling configuration
  • Versions
  • Traffic splitting
  • Blue/green deployment

3.5 Deploying a Cloud Function. Types include:

  • Cloud Functions that are triggered via an event
  • Cloud Functions that are invoked via HTTP

3.6 Creating data storage resources. Tasks include:

  • Creating a Cloud Repository
  • Creating a Cloud SQL instance
  • Creating composite indexes in Cloud Datastore
  • Creating BigQuery datasets
  • Planning and deploying Cloud Spanner
  • Creating a Cloud Storage bucket
  • Creating a Cloud Storage bucket and selecting appropriate storage class
  • Creating a Cloud Pub/Sub topic

3.7 Deploying and implementing networking resources. Tasks include:

  • Creating an auto mode VPC with subnets
  • Creating ingress and egress firewall rules for a VPC
  • Setting up a domain using Cloud DNS

3.8 Automating resource provisioning with Deployment Manager
3.9 Managing Service accounts. Tasks include:

  • Creating a service account with a minimum number of scopes required
  • Downloading and using a service account private key file

SECTION 4 — Integrating Google Cloud Platform Services
4.1 Integrating an application with Data and Storage services. Tasks include:

  • Enabling BigQuery and setting permissions on a dataset
  • Writing an SQL query to retrieve data from relational databases
  • Analyzing data using BigQuery
  • Fetching data from various databases
  • Enabling Cloud SQL and configuring an instance
  • Connecting to a Cloud SQL instance
  • Enabling Cloud Spanner and configuring an instance
  • Creating an application that uses Cloud Spanner
  • Configuring a Cloud Pub/Sub push subscription to call an endpoint
  • Connecting to and running a CloudSQL query
  • Storing and retrieving objects from Google Storage
  • Publishing and consuming from Data Ingestion sources
  • Reading and updating an entity in a Cloud Datastore transaction from an application
  • Using the CLI tools
  • Provisioning and configuring networks

4.2 Integrating an application with Compute services. Tasks include:

  • Implementing service discovery in Google Kubernetes Engine, App Engine, and Compute Engine
  • Writing an application that publishes/consumes from Cloud Pub/Sub
  • Reading instance metadata to obtain application configuration
  • Authenticating users by using Oaath2 Web Flow and Identity Aware Proxy
  • Using the CLI tools
  • Configuring Compute services network settings

4.3 Integrating Google Cloud APIs with applications. Tasks include:

  • Enabling a GCP API
  • Using pre-trained Google ML APIs
  • Making API calls with a Cloud Client Library, the REST API, or the APIs Explorer, taking into consideration:
  • Batching requests
  • Restricting return data
  • Paginating results
  • Caching results
  • Using service accounts to make Google API calls
  • Using APIs to read/write to data services (BigQuery, Cloud Spanner)
  • Using the Cloud SDK to perform basic tasks

SECTION 5 — Managing Application Performance Monitoring
5.1 Installing the logging and monitoring agent
5.2 Managing VMs. Tasks include:

  • Debugging a custom VM image using the serial port
  • Analyzing a failed Compute Engine VM startup
  • Sending logs from a VM to Stackdriver

5.3 Viewing application performance metrics using Stackdriver. Tasks include:

  • Creating a monitoring dashboard
  • Viewing syslogs from a VM
  • Writing custom metrics and creating metrics from logs
  • Graphing metrics
  • Using Stackdriver Debugger
  • Streaming logs from the GCP Console
  • Reviewing stack traces for error analysis
  • Setting up log sinks
  • Viewing logs in the GCP console
  • Profiling performance of request-response
  • Profiling services
  • Reviewing application performance using Stackdriver Trace and Stackdriver Logging
  • Monitoring and profiling a running application

5.4 Diagnosing and resolving application performance issues. Tasks include:

  • Setting up time checks and other basic alerts
  • Setting up logging and tracing
  • Setting up resources monitoring
  • Troubleshooting network issues
  • Debugging/tracing cloud apps
  • Troubleshooting issues with the image/OS
  • Using documentation, forums, and Google support

Google Cloud Certified — Professional Cloud Network Engineer

If you're thinking about getting a Google Cloud certification, then here's some relevant info to get you started.

The professional cloud network engineer certification assesses and authenticates one's ability to design, plan, and prototype a GCP network, implement a GCP Virtual Private Cloud (VPC), configure network services, implement hybrid interconnectivity, and implement network security. The exam is multiple choice/multiple response, 2 hours in length, and priced at $200.

Here's a breakdown of what's covered in this certification:

SECTION 1 — Designing, Planning, and Prototyping a GCP Network
1.1 Designing the overall network architecture. Considerations include:

  • Failover and disaster recovery strategy
  • Options for high availability
  • DNS strategy
  • Meeting business requirements
  • Meeting availability SLAs
  • Choosing the appropriate load balancing options
  • Optimizing for latency
  • Understanding how quotas are applied per project and per VPC
  • Hybrid connectivity
  • Container networking
  • IAM and security
  • SaaS, PaaS, and IaaS services
  • Microsegmentation for security purposes

1.2 Designing a Virtual Private Cloud (VPC). Considerations include:

  • CIDR range for subnets
  • IP addressing
  • Standalone or shared
  • Multiple vs. single
  • Multi-zone and multi-region
  • Peering
  • Firewall
  • Routes
  • Differences between Google Cloud Networking and other cloud platforms

1.3 Designing a hybrid network. Considerations include:

  • Using Interconnect
  • Peering options
  • IPsec VPN
  • Cloud Router
  • Failover and disaster recovery strategy
  • Shared vs. standalone VPC Interconnect access
  • Cross-organizational access
  • Bandwidth

1.4 Designing a Container IP Addressing plan for Google Kubernetes Engine

SECTION 2 — Implementing a GCP Virtual Private Cloud (VPC)
2.1 Configuring VPCs. Considerations include:

  • Configuring GCP VPC resources (CIDR range, subnets, firewall rules, etc.)
  • Configuring VPC Peering
  • Creating a shared VPC and explaining how to share subnets with other projects
  • Configuring API access (Private, Public, NAT GW, Proxy)
  • Configuring VPC flow logs

2.2 Configuring routing. Tasks include:

  • Configuring internal static/dynamic routing
  • Configuring routing policies using tags and priority
  • Configuring NAT

2.3 Configuring and maintaining Google Kubernetes Engine clusters. Considerations include:

  • VPC-native Clusters using Alias IPs
  • Clusters with Shared VPC
  • Private Clusters
  • Cluster Network policy
  • Adding authorized networks for Cluster Master Access

2.4 Configuring and managing firewall rules. Considerations include:

  • Target network tags and service accounts
  • Priority
  • Network protocols
  • Ingress and egress rules
  • Firewall logs

SECTION 3 — Configuring Network Services
3.1 Configuring load balancing. Considerations include:

  • Creating backend services
  • Firewall and security rules
  • HTTP(S) load balancer: including changing URL maps, backend groups, health checks, CDN, and SSL certs
  • TCP and SSL Proxy Load Balancers
  • Network load balancer
  • Internal load balancer
  • Session affinity
  • Capacity scaling

3.2 Configuring Cloud CDN. Considerations include:

  • Enabling and disabling Cloud CDN
  • Using cache keys
  • Cache invalidation
  • Signed URLs

3.3 Configuring and maintaining Cloud DNS. Considerations include:

  • Managing zones and records
  • Migrating to Cloud DNS
  • DNS Security (DNSSEC)
  • Global serving with Anycast
  • Cloud DNS
  • Internal DNS
  • Integrating on-premises DNS with GCP

3.4 Enabling other network services. Considerations include:

  • Health checks for your instance groups
  • Canary (A/B) releases
  • Distributing backend instances using regional managed instance groups
  • Enabling private API access

SECTION 4 — Implementing Hybrid Interconnectivity
4.1 Configuring Interconnect. Considerations include:

  • Partner
  • Virtualizing using VLAN attachments
  • Bulk storage uploads

4.2 Configuring a site-to-site IPsec VPN
4.3 Configuring Cloud Router for reliability

SECTION 5 — Implementing Network Security
5.1 Configuring Identity and Access Management (IAM). Tasks include:

  • Viewing account IAM assignments
  • Assigning AIM roles to accounts or Google Groups
  • Defining custom IAM roles
  • Using pre-defined IAM roles

5.2 Configuring Cloud Armor policies. Considerations include:

  • IP-based access control

5.3 Configuring third-party device insertion into VPC using multi-NIC (NGFW)
5.4 Managing keys for SSH access

SECTION 6 — Managing and Monitoring Network Operations
6.1 Logging and monitoring with Stackdriver or GCP Console
6.2 Managing and monitoring security. Considerations include:

  • Firewalls
  • Diagnosing and resolving IAM issues (shared VPC, security/network admin)

6.3 Maintaining and troubleshooting connectivity issues. Considerations include:

  • Identifying traffic flow topology
  • Draining and redirecting traffic flows
  • Cross-connect handoff for Interconnect
  • Monitoring ingress and egress traffic using flow logs
  • Monitoring firewall logs
  • Managing and troubleshooting VPNs
  • Troubleshooting Cloud Router BGP peering issues

6.4 Monitoring, maintaining, and troubleshooting latency and traffic flow. Considerations include:

  • Network throughput and latency testing
  • Routing issues
  • Tracing traffic flow

SECTION 7 — Optimizing Network Resources
7.1 Optimizing traffic flow. Considerations include:

  • Load balancer and CDN location
  • Global vs. Regional dynamic routing
  • Expanding subnet CIDR ranges in service
  • Accommodating workload increases

7.2 Optimizing for cost and efficiency. Considerations include:

  • Cost optimization (Network Service Tiers, Cloud CDN, autoscaler (max instances))
  • Automation
  • VPN vs. Interconnect
  • Bandwidth utilization


This month, we looked at six exams offered by Google that are centered around cloud technologies. Next month, we will have some Test Yourself questions to see how well you know the Google Cloud Platform and how ready you might be to schedule one of the exams.

About the Author

Emmett Dulaney is a professor at Anderson University and the author of several books including Linux All-in-One For Dummies and the CompTIA Network+ N10-008 Exam Cram, Seventh Edition.

Posted to topic:

Important Update: We have updated our Privacy Policy to comply with the California Consumer Privacy Act (CCPA)

CompTIA IT Project Management - Project+ - Advance Your IT Career by adding IT Project Manager to your resume - Learn More