
Cloud VPN is one of the hybrid connectivity options I cover in the networking section of my Professional Cloud Architect material. It connects an on-prem network, another cloud provider's network, or a remote office to a Google Cloud VPC. The traffic is encrypted, but the connection itself rides over the public internet, which is the key thing that distinguishes it from Cloud Interconnect.
For the Professional Cloud Architect exam, I'd focus on three things: the use cases Cloud VPN was built for, how it handles overlapping IP ranges as an interim tool, and the difference between the Classic VPN Gateway and the HA VPN Gateway.
Cloud VPN supports three main scenarios.
Hybrid. An on-prem data center connects to a Google Cloud VPC. This is the classic case where a company is moving workloads to GCP but still has infrastructure in its own data centers, and needs the two networks to communicate.
Multi-cloud. A VPC in Google Cloud connects to a VPC in another provider, like AWS or Azure. This lets you build across clouds and avoid lock-in to any single provider.
Remote office. A branch office network connects to GCP so that workers in that office have secure access to applications and resources running in Google Cloud.
In all three, Cloud VPN extends the reach of your VPC outside of GCP using encrypted tunnels. It also integrates with Cloud Router for dynamic routing and with Shared VPC for cross-project resource sharing, which is why it shows up so often in hybrid architectures on the exam.
One detail worth remembering: Cloud VPN is a reasonable backup option when your primary path is Cloud Interconnect. If the dedicated or partner interconnect link goes down, a VPN tunnel can keep traffic flowing while you fix the underlying issue.
Overlapping IP ranges show up in mergers, acquisitions, and reorganizations, and they are a real pain when two networks both think they own 10.10.0.0/16. You cannot route directly between networks whose address space conflicts.
Cloud VPN can be used as an interim bridge in these situations. It does not resolve the overlap. It gives you a way to keep critical applications talking to each other while the longer re-engineering work to renumber IP ranges happens in the background.
The exam framing here is important. If you see a question about two networks with conflicting CIDR ranges and an immediate need to communicate, Cloud VPN as a temporary solution is reasonable. The long-term answer is always to reconfigure the IP ranges so the networks integrate cleanly. Do not pick Cloud VPN as a permanent fix for an overlap.
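A pre-flight check for the overlap problem described above, as an added example that is not part of the original article: it uses Python's `ipaddress` module to list every conflicting CIDR pair between two networks and the peer ranges that can be routed over a tunnel without ambiguity. The range lists are constructed sample data (only 10.10.0.0/16 comes from the text), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: subnet ranges in the VPC and in the network
# being connected (for example, an acquired company's data center).
VPC_RANGES = ["10.10.0.0/16", "10.128.0.0/20", "192.168.50.0/24"]
PEER_RANGES = ["10.10.0.0/16", "10.128.8.0/24", "172.16.0.0/22", "192.168.0.0/16"]


def find_overlaps(local_ranges, peer_ranges):
    """Return (local, peer, relation) for every conflicting CIDR pair."""
    conflicts = []
    for local in map(ipaddress.ip_network, local_ranges):
        for peer in map(ipaddress.ip_network, peer_ranges):
            # IPv4 and IPv6 ranges never conflict with each other.
            if local.version != peer.version or not local.overlaps(peer):
                continue
            # Two CIDR blocks that overlap are either equal or nested.
            if local == peer:
                relation = "identical"
            elif local.subnet_of(peer):
                relation = "local inside peer"
            else:
                relation = "peer inside local"
            conflicts.append((str(local), str(peer), relation))
    return conflicts


def routable_peer_ranges(local_ranges, peer_ranges):
    """Peer ranges that conflict with no local range."""
    conflicted = {peer for _, peer, _ in find_overlaps(local_ranges, peer_ranges)}
    normalized = [str(ipaddress.ip_network(p)) for p in peer_ranges]
    return [p for p in normalized if p not in conflicted]


if __name__ == "__main__":
    for local, peer, relation in find_overlaps(VPC_RANGES, PEER_RANGES):
        print(f"CONFLICT  {local:<18} {peer:<18} {relation}")
    for peer in routable_peer_ranges(VPC_RANGES, PEER_RANGES):
        print(f"OK        {peer}")
```

Partial overlaps matter as much as identical ranges: a /24 nested inside the other side's /20 still makes the destination ambiguous for every address in that /24.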
The Classic VPN Gateway is the older, simpler option. A few characteristics define it for the Professional Cloud Architect exam:
The Classic Gateway works for non-critical workloads where occasional disruption is tolerable and you want a simpler, cheaper setup. For most production traffic on the exam, it is not the right answer.
The HA VPN Gateway is what Google steers you toward for any workload that matters.
For critical workloads, the HA VPN Gateway is the default answer. The combination of multi-zone redundancy, active-active tunnels, and automated failover is exactly what production hybrid traffic needs.
The decision rule I use on Professional Cloud Architect questions is simple. If the scenario describes anything resembling production, customer-facing, or business-critical traffic, choose HA VPN Gateway. If the question explicitly emphasizes lowest cost for non-critical or development workloads where occasional downtime is acceptable, Classic Gateway is in scope.
The SLA numbers are useful as a memory anchor: 99.9% for Classic, 99.99% for HA. If a question references a 99.99% availability requirement, that is a direct signal to pick HA VPN Gateway.
And if the prompt is about Cloud VPN as a backup to Cloud Interconnect, that's a real pattern Google documents. A VPN tunnel is a reasonable secondary path when your primary connectivity is a Dedicated or Partner Interconnect.
My Professional Cloud Architect course covers Cloud VPN alongside the rest of the networking material.