Predefined Networking Roles for the PCA Exam

GCP Study Hub
Ben Makansi
March 9, 2026

When you study for the Professional Cloud Architect exam, you eventually hit a section where the question is not "what does this service do" but "who can do what to it." Networking on Google Cloud is one of those areas. The exam will hand you a scenario about a shared VPC, a security team, or a developer who needs to deploy instances, and ask you which predefined role fits. Knowing the four predefined networking roles cold is one of the cheapest wins available to you.

Why Networking Roles Live Under Compute

The first thing to internalize is that every predefined networking role starts with the prefix roles/compute. There is no roles/network namespace. That is not arbitrary. Cloud VPC is tightly coupled to Compute Engine, and all VPC methods are technically part of the Compute Engine API. When you call the API to create a new VPC, the method is compute.networks.insert. When you list subnets, it is compute.subnetworks.list. The networking primitives are Compute Engine resources.

That coupling matters on the exam. If a question shows you a role like roles/compute.networkAdmin and asks what it controls, the answer is the VPC layer that sits underneath your Compute Engine workloads. If a distractor shows something like roles/network.admin, you can eliminate it on sight because that role does not exist.

Compute Network Admin

The role identifier is roles/compute.networkAdmin. This is the full-control networking role. A principal with Network Admin can create, modify, and delete VPC networks, subnets, routes, and the configurations that hold them together. It is the role you grant to whoever owns the network design for a project.

One nuance worth knowing for the Professional Cloud Architect exam: Network Admin gives full control over the network surface, but it does not own the security surface. Firewall rules and SSL certificates fall under a different role, which I cover below. If a question asks who can rearchitect a VPC, the answer is Network Admin. If the same question adds "and modify firewall rules," Network Admin alone is not enough.

Compute Network User

The role identifier is roles/compute.networkUser. This role exists almost entirely because of shared VPC. In a shared VPC setup, a host project owns the network and one or more service projects attach to it. The principals working in service projects need to deploy instances and load balancers that consume the host project's subnets, but you do not want them creating or deleting networks in the host project.

Network User is the role that grants exactly that scoped access. A principal with this role can use the VPC networks and subnets of the host project, but cannot create new networks or destroy existing ones. On the exam, when you see a shared VPC scenario where a service project team needs to launch resources into a host project's subnet, Network User is the answer.

Compute Network Viewer

The role identifier is roles/compute.networkViewer. This is the read-only networking role. A principal can view VPC configurations, subnet definitions, routes, and the rest of the network state, but cannot modify anything. Network Viewer is the right answer for auditors, on-call engineers troubleshooting a connectivity issue, and security reviewers who need to inspect a network without being able to change it.

Compute Security Admin

The role identifier is roles/compute.securityAdmin. This is the role that owns the security surface of your network. Security Admin lets a principal configure firewall rules, manage SSL certificates, and set security policies. It is distinct from Network Admin because Google Cloud separates the responsibility of designing the network from the responsibility of locking it down.

That separation shows up on the exam. A question that talks about a security team needing to manage firewall rules across all VPCs in a project should point you at Security Admin, not Network Admin. If the same security team also needed to redesign subnets, you would grant both roles, but you would not stretch Network Admin to cover firewall configuration on its own.

How to Approach These Roles on the Exam

Two patterns come up repeatedly. The first is a question where Google Cloud's least-privilege principle is being tested. The exam wants you to pick the narrowest role that satisfies the requirement, and Network User and Network Viewer exist specifically to be those narrow answers. If the requirement is "let the team deploy into an existing subnet," resist the urge to pick Network Admin just because it works. Network User works and is narrower.

The second pattern is the role-pair scenario. A user needs to do two things, and only the combination of two roles covers it. Modifying VPCs and managing firewalls is the canonical example. The Professional Cloud Architect exam will not always make the second requirement obvious, so when you see a question with two distinct verbs in the requirement, check whether one verb falls outside the role you are about to pick.
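To make the least-privilege and role-pair patterns concrete, here is an added Python example (not code from this article or from Google's tooling) that picks the narrowest combination of the four roles covering a set of required Compute permissions. The per-role permission sets are an illustrative subset chosen for the exercise, an assumption rather than the authoritative role definitions.

```python
"""Least-privilege picker for the four predefined networking roles.
Added example, not code from the GCP Study Hub article or from Google.
ROLE_PERMISSIONS is an ILLUSTRATIVE SUBSET of each role's real permission
list (an assumption); `gcloud iam roles describe ROLE` is authoritative."""
from itertools import combinations

ROLE_PERMISSIONS = {
    "roles/compute.networkViewer": {  # look, don't touch
        "compute.networks.get", "compute.networks.list", "compute.subnetworks.get",
        "compute.subnetworks.list", "compute.firewalls.get", "compute.firewalls.list"},
    "roles/compute.networkUser": {  # consume a shared-VPC subnet, nothing more
        "compute.networks.get", "compute.networks.list", "compute.subnetworks.get",
        "compute.subnetworks.list", "compute.subnetworks.use",
        "compute.subnetworks.useExternalIp"},
    "roles/compute.networkAdmin": {  # design the network; only *view* firewalls
        "compute.networks.get", "compute.networks.list", "compute.networks.insert",
        "compute.networks.update", "compute.networks.delete", "compute.subnetworks.get",
        "compute.subnetworks.list", "compute.subnetworks.insert",
        "compute.subnetworks.delete", "compute.subnetworks.use",
        "compute.subnetworks.useExternalIp", "compute.firewalls.get",
        "compute.firewalls.list"},
    "roles/compute.securityAdmin": {  # lock the network down
        "compute.firewalls.get", "compute.firewalls.list", "compute.firewalls.create",
        "compute.firewalls.update", "compute.firewalls.delete",
        "compute.sslCertificates.create", "compute.sslCertificates.delete",
        "compute.securityPolicies.create", "compute.securityPolicies.update"},
}

def is_read_only(permission: str) -> bool:
    """Treat *.get and *.list as non-mutating; everything else changes state."""
    return permission.rsplit(".", 1)[1] in ("get", "list")

def granted_by(roles) -> set[str]:
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

def blast_radius(roles) -> tuple[int, int]:
    """Rank a role set: fewest mutating permissions first, then fewest total."""
    granted = granted_by(roles)
    return (sum(not is_read_only(p) for p in granted), len(granted))

def narrowest_roles(required: set[str]):
    """Smallest set of roles covering `required`, least privileged on ties;
    None when even all four predefined roles together are not enough."""
    roles = list(ROLE_PERMISSIONS)
    for size in range(1, len(roles) + 1):
        covering = [c for c in combinations(roles, size) if required <= granted_by(c)]
        if covering:
            return sorted(min(covering, key=blast_radius))
    return None
```

Calling `narrowest_roles({"compute.subnetworks.use"})` returns Network User alone (the first exam pattern), while `narrowest_roles({"compute.subnetworks.insert", "compute.firewalls.update"})` returns the Network Admin plus Security Admin pair (the second).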

My Professional Cloud Architect course covers predefined networking roles alongside the rest of the networking material.