Network Connectivity Design — GCP Professional Cloud Architect (PCA)
Subnet Ownership and Bandwidth SLA Are the Two Filters
Scan the scenario for two signals: who owns the subnets, and what is the latency or bandwidth requirement. 'Centralized network team' resolves to Shared VPC. 'Simple project-to-project connectivity, no central team' resolves to VPC Network Peering. 'On-premises extension, encrypted tunnel, tolerates internet variability' resolves to HA VPN. 'Sub-millisecond latency, guaranteed bandwidth, on-premises' resolves to Dedicated Interconnect. Candidates lose marks by treating all four as interchangeable connectivity options rather than distinct ownership and performance tiers.
What This Pattern Tests
Network connectivity questions test whether you match the connectivity model to the topology requirement. A small number of connections needs only simple peering. Many connections need a central hub. On-premises connectivity needs VPN or dedicated links, depending on the bandwidth and latency requirements.
Decision Axis
Topology complexity and bandwidth requirements determine the connectivity approach.
Decision Rules
When a single network team must own subnet allocation and hold non-delegatable firewall authority across multiple GCP projects, choose Shared VPC (host/service project model); VPC Network Peering is disqualified because it is bilateral, non-transitive, and leaves each VPC owner in control of its own subnets and firewall rules.
Whether the network-ownership-boundary constraint — central team must author all firewall rules, service projects must not — mandates Shared VPC (host/service-project model with subnet delegation via Network User IAM) over VPC Network Peering (bilateral, project-autonomous, non-transitive).
Whether the connectivity requirement is bilateral and regional (HA VPN per VPC pair satisfies it) or requires global hub-and-spoke transitivity across heterogeneous spokes (NCC is the only primitive that satisfies it without an O(n²) tunnel mesh and manual route management).
When a service producer must publish a private endpoint to multiple consumer VPCs across GCP organizational boundaries where IP ranges are unknown or overlapping, choose Private Service Connect over VPC Network Peering because PSC isolates network namespaces via a forwarding-rule endpoint, imposes no CIDR constraints, and does not grant consumers visibility into the producer VPC — whereas peering requires non-overlapping RFC-1918 space and exposes the full producer VPC bidirectionally.
Whether the network ownership boundary requirement — a single team controlling subnet allocation and firewall enforcement across multiple projects — is satisfied by Shared VPC's host/service-project model or by VPC Network Peering's bilateral, per-VPC-autonomous topology.
Whether the 8 Gbps sustained bandwidth floor and 99.99% SLA together mandate Dedicated Interconnect — because HA VPN's aggregate throughput ceiling (~3 Gbps across tunnel pairs) and public-internet routing path disqualify it regardless of its redundant-tunnel topology.
Whether achieving the contractual 99.99% Dedicated Interconnect SLA requires two physical circuits provisioned at the same metro location (correct — dual-circuit same-metro = 99.99%) versus a single 10 Gbps circuit (which delivers only 99.9%), when the SLA tier is the binding constraint and HA VPN with Cloud Router BGP serves as the backup failover path.
Which hybrid connectivity option meets the combined constraints of sustained 8 Gbps throughput, Google-backbone routing, and 99.99% SLA when the customer already has colocation presence at a Google exchange point?
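The Private Service Connect rule above turns on one checkable fact: VPC Network Peering needs non-overlapping address space, while PSC does not care what the consumer's ranges are. The check below is an added example written for this page, not code from Google or from the exam material; the function names are hypothetical and the subnet ranges are constructed samples. It parses the producer's and each consumer's subnet CIDRs, reports every overlapping pair, and falls back to PSC whenever a consumer's ranges are unknown or collide with the producer's.

```python
"""Decide between VPC Network Peering and Private Service Connect on the
address-space constraint alone. Added example for this study page; the
function names are hypothetical and all CIDR values are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Network = ipaddress.IPv4Network


def parse_subnets(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings. strict=True rejects a prefix with host bits set,
    which is the usual sign of a typo in a hand-written peering request."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def overlapping_pairs(a: Iterable[str], b: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (subnet_in_a, subnet_in_b) pair whose ranges overlap.
    ipaddress handles containment in either direction, so a /16 on one side
    and a /20 carved from it on the other is reported once."""
    nets_a, nets_b = parse_subnets(a), parse_subnets(b)
    return [(str(x), str(y)) for x in nets_a for y in nets_b if x.overlaps(y)]


def recommend(producer: Iterable[str],
              consumer: Optional[Iterable[str]]) -> Dict[str, object]:
    """Pick the connectivity option for one producer/consumer VPC pair.

    consumer=None models a consumer whose ranges the producer does not know
    (for example a VPC in another organization). Peering is only viable when
    the ranges are known and disjoint; otherwise PSC, which exposes a single
    forwarding-rule endpoint and imposes no CIDR constraint, is the answer."""
    if consumer is None:
        return {"option": "Private Service Connect", "conflicts": [],
                "reason": "consumer address space unknown; peering cannot be validated"}
    conflicts = overlapping_pairs(producer, consumer)
    if conflicts:
        return {"option": "Private Service Connect", "conflicts": conflicts,
                "reason": "overlapping ranges disqualify VPC Network Peering"}
    return {"option": "VPC Network Peering", "conflicts": [],
            "reason": "ranges are known and disjoint; peering is viable"}


# Constructed sample: one producer VPC and three consumer VPCs.
PRODUCER = ["10.10.0.0/16", "10.20.0.0/24"]
CONSUMERS = {
    "consumer-disjoint": ["10.30.0.0/16", "172.16.0.0/12"],
    "consumer-overlap": ["10.10.128.0/20", "192.168.0.0/16"],
    "consumer-unknown": None,
}

if __name__ == "__main__":
    for name, ranges in CONSUMERS.items():
        verdict = recommend(PRODUCER, ranges)
        print(f"{name}: {verdict['option']} ({verdict['reason']})")
        for p, c in verdict["conflicts"]:
            print(f"  producer {p} overlaps consumer {c}")
```

Run as a script it prints one verdict per consumer; the overlapping consumer is flagged on the producer's 10.10.0.0/16 range, and the consumer with unknown ranges resolves to PSC without any range comparison at all. In a real review the producer list would come from the host project's subnet inventory and the consumer list from the requesting team, and any non-empty conflicts list is the evidence you attach when rejecting a peering request.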