Sole-Tenant Nodes on Compute Engine for the PCA Exam

Ben Makansi
April 9, 2026

Sole-tenant nodes are one of those Compute Engine features that sound exotic until you understand the problem they solve. Most workloads on Google Cloud run on multi-tenant hosts, where the hypervisor isolates your VMs from other customers' VMs on the same physical server. That isolation is strong, but the hardware itself is shared. Sole-tenant nodes change that by giving you exclusive use of the underlying physical machine. For the Professional Cloud Architect exam, you need to recognize when this matters and how to actually configure it.

What sole-tenant nodes actually are

A sole-tenant node is a dedicated physical server in a Google Cloud data center that runs only your workloads. No other customer has VMs on that hardware. You still get the normal Compute Engine experience on top: you create VMs, attach disks, and configure networking, but the host underneath is yours alone.

Compare this to a standard multi-tenant host. On a typical Compute Engine host, VMs from Customer 1, Customer 2, and Customer 3 might all be running on the same physical server. The hypervisor enforces virtual separation between those workloads, and that separation is robust enough for the vast majority of regulated and security-sensitive deployments. But the bare metal is shared. With a sole-tenant node, every VM on that host belongs to the same customer, and the physical resources are not divided across organizations.

The reason this exists is compliance and licensing. Some regulatory regimes require physical isolation of workloads, not just logical isolation. Some software vendors license per physical core or per physical socket, which only makes economic sense if you control the host. Sensitive financial data, classified workloads, and certain healthcare scenarios are common drivers. Note what sole-tenancy does not change: the hypervisor boundary between VMs is the same one you get on a multi-tenant host, so the feature removes cross-customer co-residency rather than strengthening VM isolation. If your scenario doesn't have a hard requirement for physical separation, you usually don't need sole-tenancy: you would pay a premium for dedicated hardware that most workloads don't benefit from.

How to use sole-tenant nodes

Setting up sole-tenancy involves three steps that the Professional Cloud Architect exam expects you to know in order: provision the nodes, label them, then place VMs on them with affinity rules.

First, you provision nodes using the gcloud compute sole-tenancy command family. Compute Engine needs a node template first, which fixes the node type (and therefore the machine series and core count of the host), and then a node group created from that template. A node group is the more common pattern because it lets you manage multiple physical nodes as a unit and scale capacity up or down within the group. The VMs you place later must use a machine type from the same series as the node type, so n2-standard VMs go on n2 nodes.

Second, you assign node affinity labels. Labels are key-value pairs attached to the nodes that identify their purpose. A label like business_unit=finance on a set of nodes signals that these nodes are reserved for finance workloads. On Compute Engine the labels are declared on the node template, and every node the group creates from that template carries them, so in practice steps one and two are one command sequence:

gcloud compute sole-tenancy node-templates create finance-template \
    --node-type=n2-node-80-640 \
    --node-affinity-labels=business_unit=finance \
    --region=us-central1

gcloud compute sole-tenancy node-groups create finance-nodes \
    --node-template=finance-template \
    --target-size=2 \
    --zone=us-central1-a

Compute Engine also stamps every node with two automatic labels, compute.googleapis.com/node-group-name and compute.googleapis.com/node-name, so you can target a whole group or a single node without defining labels of your own. To confirm what a template carries and which nodes a group has actually brought up:

gcloud compute sole-tenancy node-templates describe finance-template \
    --region=us-central1 \
    --format="value(nodeAffinityLabels)"

gcloud compute sole-tenancy node-groups list-nodes finance-nodes \
    --zone=us-central1-a

Third, you create VMs with a node affinity rule that tells Compute Engine which labels the host must match. The affinity rule is what binds a VM to a particular node or group.

gcloud compute instances create finance-vm-1 \
    --zone=us-central1-a \
    --machine-type=n2-standard-4 \
    --node-affinity-file=affinity.json

The affinity file references the label so Google Cloud knows where to schedule the VM:

[
  {
    "key": "business_unit",
    "operator": "IN",
    "values": ["finance"]
  }
]
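To make the placement mechanics concrete, here is an added Python model of how Compute Engine evaluates affinity rules against node labels. It is illustration written for this post, not Google's scheduler code and not part of the original article. The JSON shape, the IN and NOT_IN operators, and the two automatic labels compute.googleapis.com/node-group-name and compute.googleapis.com/node-name are real; the node inventory is constructed, and treating a NOT_IN rule as satisfied by a node that lacks the key is an assumption of the model.

```python
"""Model of node-affinity matching for sole-tenant nodes (added example)."""
import json

# Operators Compute Engine accepts in a node affinity rule.
VALID_OPERATORS = {"IN", "NOT_IN"}

# Labels Compute Engine attaches to every sole-tenant node automatically.
GROUP_LABEL = "compute.googleapis.com/node-group-name"
NODE_LABEL = "compute.googleapis.com/node-name"

# Constructed sample inventory (node name -> labels): the finance-nodes group
# from the text, a second hr-nodes group, and a node with no custom label.
NODES = {
    "finance-nodes-a1b2": {"business_unit": "finance",
                           GROUP_LABEL: "finance-nodes", NODE_LABEL: "finance-nodes-a1b2"},
    "finance-nodes-c3d4": {"business_unit": "finance",
                           GROUP_LABEL: "finance-nodes", NODE_LABEL: "finance-nodes-c3d4"},
    "hr-nodes-e5f6": {"business_unit": "hr",
                      GROUP_LABEL: "hr-nodes", NODE_LABEL: "hr-nodes-e5f6"},
    "shared-nodes-g7h8": {GROUP_LABEL: "shared-nodes", NODE_LABEL: "shared-nodes-g7h8"},
}


def affinity_file(key, values, operator="IN"):
    """Render one rule in the JSON shape that --node-affinity-file expects."""
    return json.dumps([{"key": key, "operator": operator, "values": list(values)}], indent=2)


def load_affinity(text):
    """Parse an affinity file and reject shapes gcloud would refuse."""
    rules = json.loads(text)
    if not isinstance(rules, list) or not rules:
        raise ValueError("affinity file must be a non-empty JSON list of rules")
    for rule in rules:
        if set(rule) != {"key", "operator", "values"}:
            raise ValueError(f"rule must have exactly key/operator/values: {rule}")
        if rule["operator"] not in VALID_OPERATORS:
            raise ValueError(f"unknown operator {rule['operator']!r}")
        if not rule["values"] or not all(isinstance(v, str) for v in rule["values"]):
            raise ValueError("values must be a non-empty list of strings")
    return rules


def rule_matches(rule, labels):
    """Evaluate one rule against one node's labels.

    Model assumption: a NOT_IN rule is satisfied by a node that lacks the key,
    because the node's (absent) value is not among the excluded ones.
    """
    value = labels.get(rule["key"])
    if rule["operator"] == "IN":
        return value is not None and value in rule["values"]
    return value not in rule["values"]


def eligible_nodes(rules, nodes=NODES):
    """Return the nodes a VM carrying these rules may be scheduled on.

    All rules must hold (they are ANDed). An empty result means the VM cannot
    be created at all, which is the usual first symptom of a label typo.
    """
    return sorted(name for name, labels in nodes.items()
                  if all(rule_matches(r, labels) for r in rules))


if __name__ == "__main__":
    finance = load_affinity(affinity_file("business_unit", ["finance"]))
    print("business_unit IN [finance]   ->", eligible_nodes(finance))
    not_finance = load_affinity(affinity_file("business_unit", ["finance"], "NOT_IN"))
    print("business_unit NOT_IN [finance] ->", eligible_nodes(not_finance))
    # Two ANDed rules pin the VM to exactly one node of the group.
    pinned = [{"key": GROUP_LABEL, "operator": "IN", "values": ["finance-nodes"]},
              {"key": NODE_LABEL, "operator": "NOT_IN", "values": ["finance-nodes-a1b2"]}]
    print("group finance-nodes minus a1b2  ->", eligible_nodes(pinned))
    print("typo 'fnance'                   ->", eligible_nodes(load_affinity(affinity_file("business_unit", ["fnance"]))))
```

Running it shows the two behaviours the exam cares about: rules are ANDed, so stacking a group rule with a NOT_IN on node-name narrows placement to a single host, and a mistyped label value matches nothing, so the VM creation fails instead of quietly landing on shared hardware.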

That triple, node template and group plus labels plus affinity rule, is the mental model to walk into the exam with. The exam tends to test whether you understand that sole-tenancy is not just a checkbox on a VM: it requires you to provision dedicated hardware first and then direct workloads onto it. (gcloud compute instances create also accepts --node-group=finance-nodes as a shortcut, which is equivalent to an affinity rule on the automatic compute.googleapis.com/node-group-name label, but know the label-and-affinity form, since that is what the exam describes.)

Why this shows up on the PCA exam

The Professional Cloud Architect exam frames sole-tenant nodes as a compliance and isolation pattern. A scenario will describe a customer with regulatory requirements for physical separation, or a software license that demands a dedicated host, and ask which Compute Engine feature satisfies the requirement. Sole-tenant nodes are the answer in those cases. If the scenario only mentions logical isolation between teams or projects, the answer is usually IAM, VPC Service Controls, or separate projects, not sole-tenancy.

The placement mechanics also matter. If a question asks how you ensure a specific VM lands on dedicated hardware reserved for a particular team or workload, the answer involves node labels and affinity rules, not just creating a sole-tenant node and hoping VMs end up there.

My Professional Cloud Architect course covers sole-tenant nodes alongside the rest of the compute material.
