PCA — Google Cloud Professional Cloud Architect 2026 Exam Blueprint
Practical PCA exam blueprint for Google Cloud Professional Cloud Architect 2026 candidates reviewing architecture, security, operations, data, migration, and governance readiness.
How to Use This Exam Blueprint
Use this checklist as a practical study map for the Google Cloud Professional Cloud Architect 2026 exam from Google Cloud, exam code PCA. It is designed for final review and gap analysis, not as an official scoring guide.
Work through it in three passes:
- Recognition pass: Can you recognize the Google Cloud service, pattern, or control being tested?
- Decision pass: Can you choose between plausible options based on requirements, tradeoffs, constraints, and risk?
- Justification pass: Can you explain why the selected architecture is more appropriate than the alternatives?
For each topic, mark yourself ready only when you can apply it to a scenario with business requirements, operational constraints, security needs, and cost pressure.
Topic-Area Readiness Table
| Readiness area | What to review | You are ready when you can… |
|---|---|---|
| Business and technical requirements | Stakeholders, constraints, SLAs/SLOs, RTO/RPO, compliance, budget, skills, timelines | Translate vague business goals into architecture requirements and tradeoffs |
| Google Cloud resource model | Organizations, folders, projects, billing, labels, tags, policies, service accounts | Design a project and policy structure that supports governance without blocking teams |
| Identity and access | IAM roles, service accounts, least privilege, federation, groups, conditions, auditability | Select the right identity model and explain how access is granted, limited, and reviewed |
| Network architecture | VPCs, subnets, routes, firewall policies, load balancing, DNS, hybrid connectivity, private access | Design secure, scalable connectivity for users, services, and on-premises systems |
| Compute architecture | Compute Engine, managed instance groups, GKE, Cloud Run, App Engine, Cloud Functions, Batch | Match workload shape, scaling needs, operational ownership, and portability to compute options |
| Storage and databases | Cloud Storage, Persistent Disk, Filestore, Cloud SQL, AlloyDB, Spanner, Firestore, Bigtable, Memorystore | Choose storage based on data model, latency, consistency, scale, access pattern, and operations |
| Data and analytics | Pub/Sub, Dataflow, Dataproc, BigQuery, Composer, Dataplex, Data Catalog, Data Fusion | Build ingestion, processing, warehousing, governance, and orchestration patterns |
| Security architecture | Cloud KMS, Secret Manager, Cloud Armor, VPC Service Controls, Security Command Center, audit logs | Layer preventive, detective, and responsive controls into the architecture |
| Reliability and operations | SLOs, monitoring, logging, alerting, incident response, autoscaling, backups, disaster recovery | Design for failure, detect issues early, and recover within stated business objectives |
| Migration and modernization | Assessment, rehost/refactor/replace decisions, data transfer, database migration, phased rollout | Select a migration approach that minimizes risk while meeting time and business constraints |
| DevOps and implementation | Cloud Build, Artifact Registry, Cloud Deploy, IaC, release strategies, rollback, policy automation | Plan safe delivery pipelines and operational handoff for production systems |
| Cost and governance | Budgets, cost attribution, committed use planning, autoscaling, right-sizing, lifecycle policies | Reduce waste without undermining reliability, security, or performance |
Architecture and Requirements Framing
The PCA exam commonly rewards architectural judgment. Before selecting a service, extract the requirement behind the service choice.
Can You Do This?
- Separate business requirements from technical requirements.
- Identify hard constraints: compliance, data residency, latency, RTO, RPO, skills, budget, and timeline.
- Detect when a simple managed service is better than a custom-built platform.
- Explain tradeoffs among cost, performance, reliability, security, portability, and operational effort.
- Choose regional, multi-regional, hybrid, or multi-environment patterns based on actual requirements.
- Recognize when requirements conflict and propose a practical compromise.
- Use labels, tags, folders, and projects to support chargeback, ownership, policy, and lifecycle management.
- Recommend phased implementation when a “big bang” migration or redesign is too risky.
Scenario Cues
| If the scenario says… | Think about… |
|---|---|
| “Minimal operations team” | Managed services, serverless, automation, simplified architecture |
| “Strict recovery target” | Multi-zone or multi-region design, backups, replication, tested failover |
| “Global users with low latency” | Global load balancing, edge caching, data placement, active-active considerations |
| “Sensitive data must not leave a boundary” | Data location, IAM, encryption, VPC Service Controls, logging, access review |
| “Existing on-premises systems must integrate” | Cloud VPN, Cloud Interconnect, DNS, routing, identity federation, migration sequencing |
| “Unpredictable traffic spikes” | Autoscaling, serverless, managed instance groups, queue-based decoupling |
| “Need standardization across teams” | Resource hierarchy, shared networking, policy constraints, CI/CD templates |
| “Cost is unexpectedly high” | Right-sizing, autoscaling, storage lifecycle, BigQuery query optimization, committed use planning |
Google Cloud Resource Hierarchy and Governance
A strong PCA candidate can design the management structure, not just the application architecture.
Checklist
- Explain the purpose of organization, folders, projects, and billing accounts.
- Design project boundaries around environment, application, team, data sensitivity, or lifecycle.
- Use folders to apply policies consistently across departments, environments, or compliance zones.
- Distinguish IAM allow policies from broader governance controls such as organization policies.
- Use labels and tags for cost allocation, automation, and policy targeting.
- Recognize when Shared VPC helps centralize network control while allowing service-project autonomy.
- Plan separate projects for production, nonproduction, shared services, security tooling, and logging when appropriate.
- Identify when centralized logging, monitoring, and security visibility are required.
- Avoid granting broad roles at the organization level unless there is a clear administrative need.
- Design guardrails that let teams move quickly without bypassing security or compliance requirements.
Governance Decision Points
| Decision | Prefer this when… | Watch for… |
|---|---|---|
| Separate projects per environment | Production needs strong isolation from dev/test | Cross-project networking, IAM, logging, and billing visibility |
| Shared VPC | Network team controls connectivity, firewalling, and IP planning | Clear ownership between host and service projects |
| Centralized logging project | Security or operations teams need durable audit visibility | Log sinks, access control, retention needs |
| Organization policies | You need preventive guardrails across projects or folders | Exceptions, inheritance, and developer impact |
| Tags and labels | You need policy targeting or cost attribution | Consistent naming and ownership standards |
Identity, IAM, and Access Design
PCA scenarios often test whether you can enforce least privilege without making the environment unmanageable.
Can You Do This?
- Choose predefined roles when they match the job function.
- Use custom roles only when predefined roles are too broad or too narrow.
- Grant permissions to groups or service accounts rather than individual users where practical.
- Distinguish user identities, workload identities, and service accounts.
- Avoid using long-lived service account keys unless there is a justified need.
- Use service account impersonation where it improves control and auditability.
- Apply IAM at the narrowest practical resource scope.
- Recognize when IAM Conditions can limit access by context.
- Design access for CI/CD systems without overprivileged deployment accounts.
- Use Cloud Audit Logs to investigate who did what, where, and when.
Common IAM Traps
| Trap | Better approach |
|---|---|
| Granting Owner to solve deployment issues | Grant task-specific roles at the proper scope |
| Sharing a service account across many apps | Use workload-specific service accounts |
| Creating unmanaged service account keys | Prefer keyless authentication or managed identity patterns |
| Granting broad access at organization level | Apply access at folder, project, or resource level when possible |
| Ignoring human versus workload identity | Separate administrative access from runtime access |
| Treating IAM as the only security layer | Combine IAM with network, encryption, audit, and policy controls |
Network Architecture
Networking questions often combine service selection with routing, security, hybrid connectivity, and availability.
Core Network Checklist
- Design VPCs, subnets, and IP ranges for growth and isolation.
- Distinguish regional subnets from global VPC concepts.
- Use firewall rules or firewall policies to control ingress and egress.
- Explain when private IP connectivity is required between services.
- Use Cloud NAT for outbound internet access from private resources when appropriate.
- Use Private Google Access for private access to Google APIs from supported private resources.
- Use Private Service Connect when private service access or producer-consumer patterns are required.
- Select appropriate Google Cloud load balancing patterns for global, regional, internal, external, HTTP(S), TCP, or UDP needs.
- Design DNS resolution for cloud, hybrid, and multi-project environments.
- Compare Cloud VPN and Cloud Interconnect for hybrid connectivity requirements.
- Recognize when network peering, Shared VPC, or private connectivity patterns are more suitable than public exposure.
- Include network observability and logging in production designs.
Networking Decision Table
| Requirement | Likely design direction | Key checks |
|---|---|---|
| Private VM egress to internet | Cloud NAT | No public IPs on workloads, route and firewall alignment |
| Private access to Google APIs | Private Google Access or private API access pattern | Subnet settings, DNS, supported services |
| Central network team with app teams deploying projects | Shared VPC | Host/service project roles and firewall ownership |
| Low-latency reliable on-premises connectivity | Cloud Interconnect pattern | Redundancy, routing, bandwidth, operational ownership |
| Encrypted connectivity over internet | Cloud VPN | Redundancy, dynamic routing, throughput expectations |
| Public web app with global users | External HTTP(S) load balancing, CDN where appropriate | TLS, Cloud Armor, backend health checks |
| Internal service-to-service traffic | Internal load balancing, private DNS, service discovery | Firewall rules, health checks, regionality |
| Expose producer service privately to consumers | Private Service Connect | Producer/consumer model, DNS, IAM and network controls |
Network Decision Flow
flowchart TD
A[Workload needs connectivity] --> B{User-facing?}
B -->|Yes| C{HTTP or HTTPS app?}
C -->|Yes| D[External HTTP(S) load balancing, TLS, Cloud Armor as needed]
C -->|No| E[Choose appropriate external TCP/UDP load balancing pattern]
B -->|No| F{Hybrid with on-premises?}
F -->|Yes| G{Dedicated/private capacity required?}
G -->|Yes| H[Cloud Interconnect design with redundancy]
G -->|No| I[Cloud VPN design with dynamic routing as needed]
F -->|No| J{Private Google/service access needed?}
J -->|Yes| K[Private Google Access or Private Service Connect pattern]
J -->|No| L[Internal load balancing, VPC routing, firewall controls]
Compute and Application Platform Selection
A professional cloud architect should choose compute based on workload characteristics and operational model, not preference.
Compute Selection Matrix
| Option | Best fit | Readiness checks |
|---|---|---|
| Compute Engine | VM-based apps, lift-and-shift, custom OS/runtime needs | Images, instance templates, managed instance groups, autoscaling, patching |
| Managed instance groups | Horizontally scalable VM workloads | Health checks, autoscaling policies, rolling updates, regional placement |
| GKE | Containerized apps needing Kubernetes APIs, portability, or platform control | Cluster mode, node pools, networking, workload identity, security posture |
| Cloud Run | Stateless containers, event-driven or HTTP services, low operations | Concurrency, scaling behavior, identity, networking, cold-start considerations |
| App Engine | App-focused platform with managed scaling | Runtime support, versioning, traffic splitting, service boundaries |
| Cloud Functions | Lightweight event-driven functions | Event source, idempotency, retries, permissions |
| Batch | Batch jobs and parallel workloads | Job scheduling, inputs/outputs, resource requirements |
| Bare Metal Solution | Specialized workloads that cannot easily run on standard cloud infrastructure | Integration, support model, migration constraints |
Can You Do This?
- Choose between VMs, containers, and serverless based on operations, portability, startup time, scaling, and runtime control.
- Design stateless application tiers for horizontal scaling.
- Identify when a stateful workload needs persistent disks, managed databases, or externalized session state.
- Explain managed instance group health checks and rolling update behavior.
- Compare GKE and Cloud Run for container workloads.
- Use queues, Pub/Sub, or task patterns to decouple bursty workloads.
- Plan blue-green, canary, and rolling release patterns.
- Recognize when specialized legacy requirements justify Compute Engine instead of a higher-level managed service.
- Include logging, metrics, error reporting, and tracing in the application design.
Compute Scenario Cues
| If the workload… | Consider… |
|---|---|
| Requires a custom kernel, OS agent, or legacy installation | Compute Engine |
| Needs Kubernetes-native controls and portability | GKE |
| Is stateless, containerized, and benefits from scale-to-zero behavior | Cloud Run |
| Is event-driven and small in scope | Cloud Functions |
| Runs large parallel jobs on a schedule | Batch |
| Must survive zone failure | Regional managed instance group or multi-zone service design |
| Has unpredictable demand | Autoscaling, serverless, queue-based decoupling |
Storage and Database Selection
Storage questions often hinge on data model, latency, consistency, query pattern, availability needs, and operational burden.
Storage and Database Matrix
| Service | Primary use | Be ready to decide based on… |
|---|---|---|
| Cloud Storage | Object storage for files, backups, static assets, data lakes | Access frequency, lifecycle, retention, encryption, public/private access |
| Persistent Disk / Hyperdisk | Block storage for VM workloads | Performance needs, attachment pattern, snapshots, zone/region design |
| Filestore | Managed NFS file shares | Shared filesystem needs, app compatibility, throughput expectations |
| Cloud SQL | Managed relational database | Standard relational workloads, compatibility, HA, backups, maintenance |
| AlloyDB | PostgreSQL-compatible managed relational workloads with high performance needs | PostgreSQL compatibility, performance, operational model |
| Spanner | Horizontally scalable relational database | Global/regional scale, strong consistency, relational model |
| Firestore | Document database for app data | Document model, mobile/web patterns, flexible schema |
| Bigtable | Wide-column database for high-throughput low-latency access | Time series, IoT, telemetry, key design, operational scale |
| Memorystore | Managed cache | Low-latency caching, session cache, transient data |
| BigQuery | Analytics warehouse | SQL analytics, large-scale queries, ELT, BI, governance |
Can You Do This?
- Distinguish object, block, file, relational, document, wide-column, cache, and warehouse storage.
- Select Cloud Storage classes and lifecycle policies based on access pattern and retention requirements.
- Choose between Cloud SQL, AlloyDB, and Spanner for relational needs.
- Recognize when BigQuery is for analytics rather than serving low-latency transactional application reads.
- Identify when Bigtable key design affects performance and hotspotting.
- Design backups, snapshots, retention, and restore tests.
- Plan encryption using Google-managed keys, customer-managed keys, or other appropriate controls.
- Avoid placing state on ephemeral compute resources.
- Account for data migration, replication, downtime, and cutover risk.
Database Scenario Cues
| Requirement | Strong candidate choice pattern |
|---|---|
| Existing MySQL/PostgreSQL/SQL Server app with modest redesign | Cloud SQL or compatible managed relational option |
| PostgreSQL-compatible workload needing enhanced managed performance | AlloyDB |
| Globally distributed relational app needing strong consistency | Spanner |
| Flexible document data for application state | Firestore |
| High-throughput time-series or telemetry access by key | Bigtable |
| Interactive analytics over very large datasets | BigQuery |
| Low-latency repeated reads of transient data | Memorystore |
| Shared POSIX-like file access | Filestore |
Data, Analytics, and AI/ML Workflows
PCA candidates do not need to become data engineers, but they should understand architecture patterns for ingestion, processing, governance, analytics, and machine learning.
Data Platform Checklist
- Choose Pub/Sub for asynchronous messaging and event ingestion.
- Use Dataflow for managed stream and batch processing when Apache Beam-style pipelines fit.
- Use Dataproc when managed Spark/Hadoop ecosystem compatibility is important.
- Use BigQuery for analytics, warehousing, SQL analysis, and BI workloads.
- Use Cloud Composer when workflow orchestration across services is required.
- Recognize when Data Fusion can help with visual data integration patterns.
- Include data governance, cataloging, lineage, and access control using appropriate Google Cloud services.
- Design data lakes with Cloud Storage and analytics layers where appropriate.
- Plan schema evolution, data quality checks, and replay/reprocessing needs.
- Separate operational databases from analytical workloads when query patterns conflict.
- Account for batch versus streaming latency requirements.
- Use Vertex AI when ML training, deployment, or model operations are part of the architecture.
- Protect sensitive data with IAM, encryption, masking/tokenization patterns, and audit logging.
Data Pipeline Decision Table
| Scenario | Likely pattern | Watch for |
|---|---|---|
| Real-time events from many producers | Pub/Sub to Dataflow or other consumers | Ordering, retries, dead-letter handling, idempotency |
| Batch ETL from files to analytics | Cloud Storage to Dataflow/Dataproc/BigQuery | File format, schema, partitioning, cost |
| Existing Spark jobs | Dataproc or modernization path | Cluster lifecycle, dependencies, migration effort |
| SQL analytics at scale | BigQuery | Partitioning, clustering, access control, query cost |
| Scheduled multi-step workflows | Cloud Composer | Dependencies, retries, environment ownership |
| ML model lifecycle | Vertex AI | Training data, feature management, deployment, monitoring |
Security Architecture
Security readiness means layering controls across identity, network, data, application, supply chain, and operations.
Security Checklist
- Apply least privilege with IAM and service account design.
- Use organization policies to prevent risky configurations where appropriate.
- Protect secrets with Secret Manager rather than embedding them in code or images.
- Use Cloud KMS and customer-managed keys when key control is required.
- Understand when hardware-backed key options or external key management patterns may be relevant.
- Use Cloud Armor for web application and DDoS-related edge protection patterns.
- Use VPC Service Controls for reducing data exfiltration risk around supported services.
- Use Security Command Center for security visibility and findings.
- Enable and route audit logs for security review and incident investigation.
- Protect container supply chains with secure image storage, scanning, Binary Authorization, and policy checks where appropriate.
- Segment networks and workloads based on trust boundaries.
- Plan secure administrative access without exposing management interfaces unnecessarily.
- Include incident response, alerting, forensics, and evidence retention in the design.
Security Control Selection
| Need | Controls to consider |
|---|---|
| Restrict human access | IAM, groups, conditions, privileged access process, audit logs |
| Restrict workload access | Service accounts, Workload Identity patterns, least privilege |
| Protect secrets | Secret Manager, rotation process, limited runtime access |
| Control encryption keys | Cloud KMS, CMEK, key rotation, separation of duties |
| Reduce data exfiltration risk | VPC Service Controls, private access, IAM, logging |
| Protect public web apps | Cloud Load Balancing, Cloud Armor, TLS, secure headers, logging |
| Govern projects at scale | Organization policies, folders, tags, policy automation |
| Investigate incidents | Cloud Audit Logs, Cloud Logging, Security Command Center |
Reliability, SLOs, and Operations
A PCA-ready architecture includes failure handling, observability, deployment safety, and operational ownership.
Reliability Checklist
- Convert availability goals into SLOs and operational requirements.
- Identify single points of failure in compute, network, database, and deployment processes.
- Design across zones or regions when business requirements justify it.
- Match disaster recovery design to RTO and RPO.
- Use health checks and autoscaling where appropriate.
- Plan backup, restore, and failover tests.
- Use managed services to reduce operational risk when suitable.
- Design graceful degradation for partial outages.
- Include retry, timeout, circuit breaker, and idempotency patterns for distributed systems.
- Use queues or event-driven designs to absorb bursts and isolate failures.
- Ensure monitoring covers symptoms users experience, not only resource utilization.
- Define alert policies that are actionable and routed to the right team.
- Use Cloud Logging, Cloud Monitoring, Error Reporting, Trace, Profiler, and audit logs appropriately.
Useful SLO Formulas
Allowed unavailable time can be estimated from the SLO target and the measurement period.
\[ \text{Allowed unavailable time} = \text{Measurement period} \times (1 - \text{SLO}) \]Error budget is the portion of unreliability allowed by the SLO.
\[ \text{Error budget} = 1 - \text{SLO} \]Use these formulas for reasoning about tradeoffs, not as a substitute for official exam instructions.
Failure-Mode Checklist
| Failure mode | Design checks |
|---|---|
| Zone outage | Multi-zone placement, regional managed services, load balancing |
| Region outage | Cross-region replication, failover process, DNS/load balancing strategy |
| Database corruption | Backups, point-in-time restore where applicable, restore testing |
| Traffic spike | Autoscaling, caching, CDN, queue buffering, rate limiting |
| Bad deployment | Canary/blue-green, rollback, versioning, automated tests |
| Dependency failure | Timeouts, retries, circuit breakers, fallback behavior |
| Security incident | Audit logs, access revocation, key rotation, incident runbooks |
| Cost runaway | Budgets, alerts, quotas/policies, workload right-sizing |
Migration and Modernization
Migration questions often require balancing risk, speed, cost, and business continuity.
Migration Checklist
- Assess application dependencies before choosing a migration strategy.
- Identify data gravity, network constraints, downtime tolerance, and cutover complexity.
- Choose rehost, replatform, refactor, replace, retain, or retire based on business value and risk.
- Use phased migration when dependency or downtime risk is high.
- Plan identity, networking, logging, monitoring, and security before moving workloads.
- Select data transfer methods based on data volume, timeline, network capacity, and sensitivity.
- Use database migration tooling or replication patterns where appropriate.
- Validate performance and reliability after migration.
- Plan rollback or coexistence during transition.
- Modernize only where there is a clear business or operational benefit.
- Avoid refactoring everything during a time-sensitive migration unless required.
- Include training and operational readiness for teams moving to Google Cloud.
Migration Decision Table
| Situation | Likely approach | Key risk |
|---|---|---|
| Tight deadline, compatible VM workload | Rehost to Compute Engine | Carrying legacy issues into cloud |
| App can move with small platform changes | Replatform to managed services | Hidden compatibility issues |
| App blocks scalability or release velocity | Refactor | Time, cost, and complexity |
| SaaS meets business need | Replace | Integration and data migration |
| Low-value workload | Retire | Stakeholder agreement |
| Workload cannot move yet | Retain | Hybrid complexity and delayed benefits |
DevOps, Delivery, and Implementation Planning
The architect role includes designing how systems are built, deployed, secured, and operated.
Delivery Checklist
- Use source control and automated build pipelines.
- Store artifacts in Artifact Registry or an appropriate managed repository.
- Use Cloud Build, Cloud Deploy, or compatible CI/CD tooling based on organizational standards.
- Use infrastructure as code for repeatable environments.
- Separate duties between developers, deployers, operators, and security reviewers where required.
- Include automated testing, policy validation, and security scanning.
- Use canary, blue-green, or rolling deployments based on risk and platform support.
- Define rollback procedures before production release.
- Avoid manual production changes except through controlled break-glass processes.
- Design environment promotion from dev to test to staging to production.
- Ensure deployment service accounts have only required permissions.
- Capture release metrics and operational signals.
Artifacts and Commands to Recognize
PCA is primarily architecture-focused, but you should recognize the purpose of common operational artifacts and commands.
gcloud projects get-iam-policy PROJECT_ID
gcloud compute firewall-rules list
gcloud logging read 'severity>=ERROR' --limit=50
kubectl describe pod POD_NAME
terraform plan
Be ready to explain what each helps inspect:
| Artifact or command | What it indicates |
|---|---|
| IAM policy output | Who has access and at what scope |
| Firewall rule list | Network access posture and possible exposure |
| Logging query | Operational or security events for investigation |
| Kubernetes describe output | Scheduling, health, events, and configuration clues |
| Terraform plan | Proposed infrastructure changes before apply |
Cost Optimization and Financial Governance
Cost questions usually test whether you can reduce waste while preserving required reliability and performance.
Cost Checklist
- Use budgets, alerts, and cost reporting for visibility.
- Apply labels and project structure for attribution.
- Right-size compute resources based on observed utilization.
- Prefer autoscaling where demand varies.
- Choose storage classes and lifecycle policies based on access patterns.
- Avoid overprovisioned always-on resources for bursty workloads.
- Use committed use or similar planning only when usage is predictable enough to justify it.
- Optimize BigQuery queries with partitioning, clustering, and query discipline where applicable.
- Delete unattached, stale, or abandoned resources.
- Consider managed services when operational savings outweigh service cost.
- Include cost review in architecture decisions, not only after deployment.
Cost Trap Table
| Trap | Better exam-ready response |
|---|---|
| Choose the cheapest service without considering reliability | Meet requirements first, then optimize |
| Overbuild multi-region architecture for noncritical workloads | Match resiliency to business impact |
| Keep dev/test running continuously | Schedule shutdown or use ephemeral environments |
| Store all data in the same class forever | Use lifecycle and retention policies |
| Ignore query patterns in analytics | Partition, cluster, and control access/query behavior |
| Treat cost as only infrastructure price | Include operational effort, risk, and migration cost |
Scenario-Based Decision Checks
Use this section to test whether you can make PCA-style architecture decisions quickly.
Workload Placement
- Is the workload stateless or stateful?
- Does it require a specific OS, runtime, or network agent?
- Does it need Kubernetes APIs or just container execution?
- Is traffic steady, spiky, event-driven, or batch?
- Who will operate the platform: app team, platform team, or Google-managed service?
- What is the rollback strategy?
- What monitoring proves the workload is healthy?
Data Placement
- Is the workload transactional, analytical, streaming, or archival?
- What consistency model does the application need?
- What are the dominant queries and access paths?
- What latency is acceptable?
- How will data be backed up, restored, archived, or deleted?
- Who can access sensitive data?
- Does the data need to stay in a particular location or security boundary?
Security and Access
- Who are the human administrators?
- Which workloads call which APIs?
- Are service account keys avoidable?
- Are secrets stored outside code and images?
- Are public endpoints required?
- Are logs sufficient for investigation?
- Is there a break-glass process?
Reliability and Operations
- What happens if a zone fails?
- What happens if a region fails?
- What happens if the database is unavailable?
- What happens if a deployment is bad?
- What happens if traffic doubles suddenly?
- What alerts wake someone up?
- What runbook tells them what to do?
Common Weak Areas
| Weak area | What to practice |
|---|---|
| Choosing services by familiarity instead of requirements | Force yourself to state the requirement before the service |
| Confusing BigQuery with transactional databases | Separate analytical SQL from application transaction processing |
| Overusing Compute Engine | Re-check whether Cloud Run, GKE, App Engine, or managed services reduce operations |
| Underdesigning IAM | Specify identities, roles, scope, and auditability |
| Ignoring service accounts | Treat workload identity as a first-class architecture decision |
| Missing network egress requirements | Check private access, NAT, firewall, routing, and DNS |
| Forgetting operational ownership | Define who monitors, deploys, patches, and responds |
| Overbuilding high availability | Match reliability design to business impact and stated targets |
| Underplanning migration cutover | Include coexistence, testing, rollback, and data sync |
| Treating security as one control | Layer IAM, network, encryption, logging, policy, and detection |
| Ignoring cost signals | Use budgets, labels, right-sizing, lifecycle, and query optimization |
| Not reading scenario wording carefully | Highlight constraints before looking at answer choices |
Final-Week Checklist
Architecture Review
- Review the main Google Cloud compute, storage, database, networking, security, and operations services.
- Make a one-page service selection matrix from memory.
- Practice explaining tradeoffs out loud: “I choose this because…”
- Revisit every missed practice question and classify the miss: service knowledge, requirement reading, or tradeoff judgment.
- Review high-availability and disaster recovery patterns without memorizing unsupported numeric guarantees.
- Review IAM scope and service account patterns.
- Review hybrid networking and private access patterns.
- Review database selection scenarios.
- Review logging, monitoring, alerting, and incident response design.
Scenario Practice
- For each scenario, write the top three requirements before choosing an answer.
- Identify the constraint that eliminates each wrong option.
- Watch for answers that are technically possible but operationally excessive.
- Watch for answers that are cheap but fail reliability, security, or compliance needs.
- Practice choosing the most managed option when it satisfies requirements.
- Practice choosing more control when the scenario explicitly requires it.
- Time yourself on long scenario questions so you do not overanalyze.
Exam-Day Readiness Signals
You are close to ready when you can:
- Choose between similar services without relying on keyword matching.
- Justify architecture decisions using business and technical requirements.
- Recognize overengineered and undersecured answers.
- Design identity, network, data, and operations together rather than separately.
- Handle unfamiliar details by returning to first principles.
- Explain why a managed service reduces operational risk.
- Explain when a lower-level service is justified by control, compatibility, or migration constraints.
Practical Next Step
Use this Exam Blueprint to score your readiness by area. Pick the three weakest rows in the readiness table, review those topics, then answer scenario-based practice questions focused only on those gaps before doing another mixed review.