Cert-Pass
May 29, 2026 · 3 min read

GCP Professional Cloud Architect Exam Questions and Answers

Free GCP Professional Cloud Architect (PCA) practice questions and answers. 1007+ real exam-style questions.


So you're going for the Google Cloud Professional Cloud Architect (PCA) cert. It's one of the most respected cloud architecture certifications out there, and one of the toughest. Maybe you've been designing on GCP for years and want the credential. Or maybe you're coming from AWS or Azure and need to map your architecture knowledge onto Google's ecosystem. This GCP Professional Cloud Architect study guide and practice test pulls together everything that matters across 1007+ exam questions: service selection patterns, security controls, migration planning, cost optimization, and the specific traps that fail candidates. Real stuff. No filler. Let's get into it.

## GCP Professional Cloud Architect Exam Quick Facts

| Detail | Info |
| --- | --- |
| Certification | Google Cloud Professional Cloud Architect |
| Questions | ~50-60 (including case studies) |
| Time | 2 hours |
| Cost | $200 USD |
| Format | Multiple choice, multiple select, case studies |
| Validity | 2 years |
| Prerequisites | None (but 3+ years of experience recommended) |

## The Service Selection Matrix (Memorize This)

The entire exam comes down to this: given business requirements plus constraints, which service is the BEST fit? Here are the decisions that come up constantly.

### Compute

| Scenario | Answer | Not This |
| --- | --- | --- |
| Unpredictable traffic, containers, minimal ops | Cloud Run | GKE (overkill), Compute Engine (VM-level ops, no scale to zero) |
| Full Kubernetes control, service mesh, custom controllers | GKE | Cloud Run (no Kubernetes control plane exposed) |
| VMware lift-and-shift with minimal change | Google Cloud VMware Engine | Cloud Run (requires containers) |
| Stateless web app, simple scaling | Cloud Run + global external Application Load Balancer | Single VM, zonal instance group |
| Legacy monolith, OS-level control | Compute Engine + managed instance group (MIG) | Cloud Run (needs containers) |

Cloud Run vs GKE is tested on every exam. Cloud Run = managed containers, minimal ops, autoscaling from zero. GKE = full Kubernetes control, service mesh, custom controllers. If the scenario says "minimize operational overhead" and mentions containers, it's Cloud Run. If it says "custom Kubernetes controllers" or "service mesh," it's GKE.

### Storage & Databases

| Scenario | Answer | Not This |
| --- | --- | --- |
| Petabyte-scale analytics, serverless SQL | BigQuery | Cloud SQL (transactional, not analytics) |
| Transactional web app, MySQL/PostgreSQL | Cloud SQL | BigQuery (analytics, not OLTP) |
| Global, strong consistency, high scale | Cloud Spanner | Cloud SQL (regional, not global) |
| Document/NoSQL, serverless | Firestore | Bigtable (wide-column, not document) |
| Time-series, IoT, high throughput | Bigtable | Firestore (not optimized for time-series) |
| Object storage, backups, data lakes | Cloud Storage | Persistent Disk (block storage) |
| In-memory cache, session store | Memorystore | Bigtable |

BigQuery is tested heavily. It's serverless, scales to petabytes, and analysts don't manage clusters. When the scenario mentions "petabyte-scale SQL" and "no cluster management," it's always BigQuery.

### Networking

| Scenario | Answer | Not This |
| --- | --- | --- |
| Private service access across VPC boundaries | Private Service Connect | Full VPC mesh peering |
| Internal TCP/UDP service, private IP | Internal passthrough Network Load Balancer | External ALB (public HTTP) |
| Global HTTP(S) load balancing | Global external Application Load Balancer | Internal NLB |
| Reach Google APIs from instances without external IPs | Private Google Access | Public IPs on instances |
| Outbound internet from instances without external IPs | Cloud NAT | Public IPs on instances |
| Hybrid connectivity, low to moderate bandwidth | Cloud VPN | Dedicated Interconnect (overkill for low bandwidth) |
| Hybrid connectivity, high bandwidth, low latency | Dedicated Interconnect (10 Gbps or 100 Gbps circuits) | Cloud VPN (per-tunnel bandwidth limits) |
| Share VPCs across projects (host + service) | Shared VPC | VPC peering (different use case) |

Private Service Connect is the exam favorite for "expose services across VPCs without peering everything." Mesh peering creates operational complexity and transitive routing limitations. Don't confuse Private Google Access (instances with no external IP reaching Google APIs) with Cloud NAT (instances with no external IP reaching the internet); the exam pairs them to see whether you know the difference.

### Security & Compliance

| Scenario | Answer | Not This |
| --- | --- | --- |
| Data exfiltration prevention around BigQuery/Storage | VPC Service Controls | Cloud NAT (outbound IP translation) |
| No-VPN access based on identity + device posture | IAP / Context-Aware Access | IP allowlists |
| Encrypt data with customer-managed keys | Cloud KMS (CMEK) | Default encryption only |
| Secrets storage/rotation | Secret Manager | Config variables in code |
| Org-wide guardrails (e.g., no public IPs) | Organization Policy | IAM alone |
| Payment data in logs, minimize exposure | Redact sensitive data before logging | Full payload logging |
| Separate duties (network vs app teams) | Scoped groups + hierarchy boundaries | Editor/Owner broad roles |

VPC Service Controls create a security perimeter around supported services to prevent data exfiltration. This is different from IAM (who can access) and Cloud NAT (outbound IP management). The exam tests this distinction repeatedly. Client libraries are the answer for "access Google APIs from application code with proper auth and retries." Handwritten auth is error-prone and insecure. Use Google Cloud client libraries.

### Analytics & ML

| Scenario | Answer | Not This |
| --- | --- | --- |
| Stream processing + replay + curated tables | Pub/Sub → Dataflow → BigQuery | Direct writes to BigQuery |
| ML training/validation/deployment pipeline | Vertex AI Pipelines | Cloud Composer (general purpose, not ML-specific) |
| Managed enterprise GenAI over internal docs | Managed GenAI / Vertex AI / Agent Builder | Training from scratch |
| Event-driven architecture, decouple producers/consumers | Pub/Sub | Synchronous API calls |

Pub/Sub + Dataflow + BigQuery is the canonical GCP analytics pipeline. Pub/Sub decouples ingestion. Dataflow handles streaming transforms. BigQuery serves analytics. Direct-to-warehouse writes lack buffering, replay, and back-pressure handling.
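The "redact sensitive data before logging" row in the security table is easiest to get right when redaction is wired into the logging pipeline rather than left to each call site. The block below is an added example, not code from the original page or from Google: it detects card numbers (PANs), masks only digit runs that pass the Luhn check so that order numbers survive, and installs the redaction as a `logging.Filter` on the handler that would ship to Cloud Logging. The 13 to 19 digit range, the `checkout-example` logger name and the sample log lines are assumptions constructed for illustration.

```python
import io
import logging
import re
from typing import Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Assumption: this covers the card formats the
# checkout service sees; adjust the bounds for other schemes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(payload: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in payload, keeping the last four digits.

    Returns the redacted text and the number of PANs masked.
    """
    masked = 0

    def mask(match: "re.Match[str]") -> str:
        nonlocal masked
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # fails Luhn: not a card number, leave it alone
        masked += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_RE.sub(mask, payload), masked


class PanRedactingFilter(logging.Filter):
    """Rewrite every record before the handler emits it.

    Installed on the handler that ships to Cloud Logging, this runs no matter
    which call site forgot to redact.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, _ = redact(record.getMessage())
        record.args = ()  # message is already formatted; drop args so nothing re-inserts them
        return True


def emit_through_filter(line: str) -> str:
    """Log one line through a filtered handler and return what the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("checkout-example")  # constructed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(PanRedactingFilter())
    logger.addHandler(handler)
    logger.info(line)
    handler.flush()
    return buf.getvalue().rstrip("\n")


# Constructed log lines: a Visa test PAN with spaces, a Mastercard test PAN with
# dashes, and a 13-digit order id that must survive redaction.
SAMPLE_LINES = [
    "checkout ok order=1234567890123 card=4111 1111 1111 1111 amount=19.99",
    "refund issued card=5500-0000-0000-0004 amount=5.00",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(emit_through_filter(raw))
```

The filter sits on the handler, not the logger, so it also covers records that arrive through propagation from child loggers. The Luhn gate is what keeps the false-positive rate tolerable; a bare 13-to-19-digit regex would also mask order numbers, tracking ids and timestamps in epoch milliseconds.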

## Domain Breakdown and What Matters

### Domain 1: Designing and Planning (25%): The Big One

This is where case studies live. Google gives you a company profile and asks multi-step architecture questions. Key patterns:

- BCP/DR planning starts with business impact analysis and agreed RTO/RPO. Not with technology. Always. If the question asks "what should the architect do first?" for a DR scenario, the answer is "meet stakeholders, agree on RTO/RPO." Not "deploy across regions."
- Migration planning starts with Migration Center and wave planning. Map dependencies first, then choose target services. Big-bang migration is almost never the answer.
- TCO comparison must include ALL cost drivers, direct and indirect. Hourly compute price alone is misleading. Include staffing, licensing, network egress, and downtime risk.
- Refactoring decisions balance technical and business criteria. CPU utilization alone doesn't justify a refactor. Consider total cost, agility, and business goals.
- Elasticity must match workload patterns. Sizing for peak all the time wastes money. Use committed use discounts for the baseline and autoscaling for spikes.

### Domain 2: Managing Infrastructure (17.5%)

IaC is the answer for repeatable deployments: Terraform or similar. Manual console work drifts and leaves no reviewable record. If the scenario says "provision across dev, test, prod consistently," it's IaC.

Lifecycle rules on Cloud Storage automate transitions to colder storage classes and deletion by age. IAM Conditions control access; they don't age out objects.

Separation of duties: network admins vs app deployers means scoped groups and folder/project boundaries in the resource hierarchy, not broad Editor/Owner roles.

### Domain 3: Security & Compliance (17.5%)

Zero trust / context-aware access is the GCP way. IAP lets you grant access based on identity, device posture, and context, without a VPN. IP allowlists alone don't validate user identity. One caveat the exam rarely spells out but a reviewer will: a backend behind IAP should verify the signed `X-Goog-IAP-JWT-Assertion` header rather than trusting the plain identity headers, so that traffic reaching the backend by any other path cannot spoof a user.

Cloud KMS (CMEK) = customer-managed encryption keys. Organizations with compliance requirements (HIPAA, PCI) commonly require control over keys; don't rely on default encryption when the scenario asks for key ownership, rotation control, or the ability to revoke access to data.

Organization policies set guardrails across the org. "No public IPs on Compute Engine" is an organization policy constraint. IAM alone can't enforce org-wide constraints.

### Domain 4: Analyzing and Optimizing (15%)

SLOs before alerts. Don't alert on every metric: you'll get alert fatigue. Define Service Level Objectives based on what users actually care about, then build alerts around SLO violations (error-budget burn). Standardized observability practices make root cause analysis repeatable; ad hoc server access does not.

### Domain 5: Managing Implementation (12.5%)

Blue-green and canary deployments for zero-downtime releases. Google Cloud client libraries for API access.

### Domain 6: Operations Excellence (12.5%)

Google Cloud Observability (Cloud Logging, Monitoring, Trace, Profiler) is the centralized ops platform. Not Cloud DNS (that's name management).
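"SLOs before alerts" in Domain 4 has a concrete shape: burn rate = observed error ratio divided by the error budget, evaluated on a long window (does this matter?) and a short window (is it still happening?) so that a spike that already recovered does not page anyone. The block below is an added example, not from the original page or from Google Cloud Monitoring: it evaluates a 99.9% availability SLO over constructed request log lines. The 14.4x threshold for a 1 h / 5 min window pair follows the multiwindow burn-rate pattern from the SRE Workbook; the log format, the `synthetic_lines` generator and the rule that only 5xx responses count as failures are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

SLO_TARGET = 0.999               # 99.9% availability, assumed for this example
ERROR_BUDGET = 1.0 - SLO_TARGET  # 0.1% of requests may fail
# 14.4x on the 1 h window means 2% of a 30-day error budget spent in one hour;
# the 5 min window must agree before anyone is paged.
PAGE_BURN_RATE = 14.4
LONG_WINDOW = timedelta(hours=1)
SHORT_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Request:
    ts: datetime
    status: int

    @property
    def failed(self) -> bool:
        # Only 5xx count against availability; 4xx is the client's problem.
        return self.status >= 500


def parse_line(line: str) -> Request:
    """Parse '<iso-timestamp> <method> <path> <status> <latency>' (constructed format)."""
    ts, _method, _path, status, _latency = line.split()
    return Request(datetime.fromisoformat(ts), int(status))


def burn_rate(requests: Iterable[Request], now: datetime, window: timedelta) -> float:
    """Error ratio in (now - window, now] divided by the error budget."""
    in_window = [r for r in requests if now - window < r.ts <= now]
    if not in_window:
        return 0.0
    errors = sum(1 for r in in_window if r.failed)
    return (errors / len(in_window)) / ERROR_BUDGET


def evaluate(lines: Iterable[str], now: datetime) -> dict:
    """Compute both burn rates and the paging decision for the given log lines."""
    reqs = [parse_line(line) for line in lines]
    long_rate = burn_rate(reqs, now, LONG_WINDOW)
    short_rate = burn_rate(reqs, now, SHORT_WINDOW)
    # Page only when both windows burn: the long window proves it matters,
    # the short window proves it is still happening.
    page = long_rate >= PAGE_BURN_RATE and short_rate >= PAGE_BURN_RATE
    return {"burn_1h": long_rate, "burn_5m": short_rate, "page": page}


def synthetic_lines(now: datetime, errors_by_minute_age: Dict[int, int]) -> List[str]:
    """Constructed log: 100 requests per minute for the last hour.

    errors_by_minute_age maps 'minutes ago' to how many of that minute's
    100 requests returned 503.
    """
    lines: List[str] = []
    for age in range(60):
        ts = (now - timedelta(minutes=age)).isoformat()
        bad = errors_by_minute_age.get(age, 0)
        for i in range(100):
            status = 503 if i < bad else 200
            lines.append(f"{ts} GET /checkout {status} 12ms")
    return lines


NOW = datetime(2026, 5, 29, 10, 0, tzinfo=timezone.utc)
# Scenario A: 3% errors for the last 30 minutes and still ongoing.
ONGOING = synthetic_lines(NOW, {age: 3 for age in range(30)})
# Scenario B: one minute of total outage 59 minutes ago, fully recovered since.
RECOVERED_SPIKE = synthetic_lines(NOW, {59: 100})

if __name__ == "__main__":
    print("ongoing:", evaluate(ONGOING, NOW))
    print("recovered spike:", evaluate(RECOVERED_SPIKE, NOW))
```

Scenario B is the case that a per-metric alert gets wrong: the hour-long error ratio is well over threshold, but the incident ended fifty minutes ago, so the short window reads zero and the on-call engineer is left alone. The same evaluation, pointed at real request logs, is what a Cloud Monitoring burn-rate alerting policy computes for you.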

## Case Study Strategy

The PCA exam includes 2-3 case studies with multiple questions each. Here's how to handle them:

1. Read the company profile once, thoroughly. Note: industry, size, current setup, constraints, goals.
2. Make a mini decision map: What are they trying to achieve? What are the limits (budget, compliance, timeline)?
3. Answer case questions using the profile, not generic knowledge. If the company is a regulated financial services firm, security + compliance always wins.
4. Eliminate "technically possible" answers that don't match constraints. The right answer fits the specific company, not just the technology.

## Most Common Exam Traps

1. "Choose technology before objectives" is wrong: BCP, DR, and refactoring all start with business analysis.
2. "Always use the most managed service" is wrong: GKE is right when you need Kubernetes control. Cloud Run is right when you don't.
3. "BigQuery for every database" is wrong: OLTP workloads need Cloud SQL or Spanner.
4. "Full payload logging for compliance" is wrong: Redact sensitive data before logging.
5. "Peering for all networking" is wrong: Private Service Connect for service access across VPCs.
6. "Single zone for production" is wrong: Multi-zone or regional for any production workload.
7. "Manual console for repeatable infra" is wrong: IaC/Terraform.
8. "Cloud VPN for high-bandwidth hybrid" is wrong: Dedicated Interconnect for 10 Gbps and above.
9. "IP allowlists for zero trust" is wrong: IAP/context-aware access validates identity.
10. "Training from scratch for GenAI" is wrong: Use managed services (Vertex AI, Agent Builder).

## Sample GCP PCA Practice Questions

**Q1:** A stateless service has unpredictable traffic. Developers want container deployment with minimal operational overhead. What architecture fits best?

- A) Compute Engine with a managed instance group
- B) Cloud Run with a global external Application Load Balancer ✓
- C) GKE with a multi-zone cluster
- D) A single large Compute Engine instance

Answer: B. Cloud Run is managed, autoscales from zero, supports containers, and minimizes ops. GKE is overkill without Kubernetes-specific requirements.

**Q2:** A financial services firm needs to prevent data exfiltration from BigQuery to unauthorized projects. Which control helps?

- A) VPC Service Controls to create a security perimeter ✓
- B) Cloud NAT to control outbound IPs
- C) IAM conditions on BigQuery datasets
- D) Organization policy constraints on instance creation

Answer: A. VPC Service Controls create a security perimeter around supported services. Cloud NAT manages outbound IPs but doesn't create API-level perimeters.

**Q3:** An organization wants to grant employees access to an internal web application based on identity and device posture without a VPN. What should they use?

- A) IP allowlists on the load balancer
- B) Cloud VPN tunnels for all employees
- C) IAP with context-aware access ✓
- D) Organization policy to restrict instance access

Answer: C. IAP evaluates identity and context for application access. IP allowlists don't validate user identity or device posture.

**Q4:** A company has 400 applications to migrate but unclear dependencies and a low-risk requirement. What should the architect do first?

- A) Immediately migrate all applications using Migrate to Compute Engine
- B) Choose GKE as the target for all workloads
- C) Use Migration Center and wave planning to map dependencies ✓
- D) Begin refactoring monoliths to microservices

Answer: C. Migration Center exposes dependencies and helps plan waves before committing to target services.
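Q4 and the Domain 1 notes both say: map dependencies first, then plan waves. What "wave planning" actually computes is worth seeing once. The block below is an added example, not from the original page or from Migration Center: given a constructed inventory of applications and the applications each one depends on, it groups mutually dependent apps into one unit (they have to move together) and schedules waves so that every dependency lands in an earlier wave. The application names and the inventory are invented for illustration.

```python
from typing import Dict, List, Set, Tuple

# app -> apps it depends on. In practice this comes from discovery tooling;
# here it is constructed by hand.
Inventory = Dict[str, Set[str]]


def strongly_connected(deps: Inventory) -> List[Set[str]]:
    """Tarjan's SCC algorithm: apps in a dependency cycle come back as one set."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    comps: List[Set[str]] = []

    def visit(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in sorted(deps[v]):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp: Set[str] = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(comp)

    for v in sorted(deps):
        if v not in index:
            visit(v)
    return comps


def plan_waves(raw: Inventory) -> Tuple[List[List[str]], List[Set[str]]]:
    """Return (waves, coupled_groups).

    Every app's dependencies land in a strictly earlier wave; apps that depend
    on each other (directly or transitively) are coupled and move in the same wave.
    """
    deps: Inventory = {app: set(d) for app, d in raw.items()}
    for targets in list(deps.values()):
        for t in targets:
            deps.setdefault(t, set())  # a dependency nobody inventoried still needs a slot

    comps = strongly_connected(deps)
    comp_of = {app: i for i, comp in enumerate(comps) for app in comp}
    # Condense to a DAG of components; edges inside a cycle drop out.
    comp_deps = {
        i: {comp_of[d] for app in comp for d in deps[app] if comp_of[d] != i}
        for i, comp in enumerate(comps)
    }

    waves: List[List[str]] = []
    scheduled: Set[int] = set()
    while len(scheduled) < len(comps):
        ready = [i for i in comp_deps if i not in scheduled and comp_deps[i] <= scheduled]
        # The condensation is acyclic, so ready is never empty here.
        waves.append(sorted(app for i in ready for app in comps[i]))
        scheduled.update(ready)

    coupled = [comp for comp in comps if len(comp) > 1]
    return waves, coupled


def verify_plan(raw: Inventory, waves: List[List[str]]) -> bool:
    """True when no app is scheduled before something it depends on."""
    wave_of = {app: n for n, wave in enumerate(waves) for app in wave}
    return all(wave_of[d] <= wave_of[app] for app, ds in raw.items() for d in ds)


# Constructed inventory for a hypothetical estate; names are invented.
INVENTORY: Inventory = {
    "ldap": set(),
    "postgres": set(),
    "auth-api": {"ldap"},
    "orders-api": {"postgres", "auth-api"},
    "billing": {"orders-api", "ledger"},
    "ledger": {"billing"},  # billing <-> ledger: a cycle, they must move together
    "web-frontend": {"orders-api", "auth-api"},
    "reporting": {"postgres"},
}

if __name__ == "__main__":
    waves, coupled = plan_waves(INVENTORY)
    for n, wave in enumerate(waves, 1):
        print(f"wave {n}: {', '.join(wave)}")
    print("coupled groups:", coupled)
```

The coupled groups are the output to look at first: every cycle is a pair of apps that cannot be cut over independently without a period of cross-site traffic, which is where latency and security exposure creep into a migration. With the waves in hand, target-service selection (Cloud Run, GKE, Compute Engine, VMware Engine) is decided per wave, not for the whole estate at once.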

## How to Pass the GCP Professional Cloud Architect Exam

1. Build the service matrix into muscle memory: Cloud Run vs GKE, BigQuery vs Cloud SQL, Spanner vs Firestore vs Bigtable, VPN vs Interconnect.
2. Think business-first, technology-second: Every scenario starts with requirements, not services.
3. Master security patterns: VPC Service Controls, IAP, CMEK, org policies.
4. Practice migration planning: Migration Center, TCO, dependency mapping, wave planning.
5. Read case studies carefully: The right answer depends on the company profile.
6. Take practice exams: The scenario format requires practice, not just reading.

## Related Articles

- AWS Cloud Practitioner study guide
- AWS SAA-C03 exam guide
- AWS practice questions
- Azure AI-102 study guide
- Azure AI practice questions
- DP-700 study guide
- GCP Cloud Architect guide
- GCP Data Engineer patterns
- GCP practice questions


Cert-Pass Editorial Team

Cloud certification experts helping IT professionals pass their exams with confidence.
