PCA — Google Cloud Professional Cloud Architect 2026 Quick Reference

Compact Google Cloud Professional Cloud Architect 2026 (PCA) architecture reference for service selection, security, reliability, networking, and exam decision points.

How to Use This Quick Reference

This independent Quick Reference supports candidates preparing for the Google Cloud Professional Cloud Architect 2026, exam code PCA. Use it to quickly map scenario requirements to Google Cloud services, architecture patterns, and exam decision points.

For PCA-style questions, read for:

  1. Business goal: reduce operations, improve availability, meet compliance, cut cost, modernize.
  2. Workload shape: stateless, stateful, batch, streaming, OLTP, analytics, ML, legacy.
  3. Constraints: latency, RTO/RPO, data residency, existing tooling, skills, portability.
  4. Managed-service fit: prefer managed/serverless when requirements allow.
  5. Security and governance: least privilege, centralized control, auditability, network boundaries.
  6. Tradeoff: cheapest is not always correct; most managed is not always correct.

Core PCA Architecture Heuristics

If the scenario emphasizes…Prefer…Watch for traps
Minimal operationsCloud Run, App Engine, Cloud SQL, BigQuery, Pub/Sub, managed servicesDo not choose GKE/Compute Engine just because they are familiar
Existing VM app with OS dependenciesCompute Engine, managed instance groups, Migrate to Virtual MachinesDo not force serverless if custom kernel, agents, or stateful local dependencies are required
Container portability and Kubernetes ecosystemGKE Autopilot or GKE StandardAutopilot reduces ops; Standard gives more node-level control
Simple event-driven functionCloud Run functions / Cloud FunctionsFor container control, concurrency, or portable runtime, use Cloud Run
Global relational consistency and scaleCloud SpannerCloud SQL is simpler when a single-region relational database is enough
Analytics over large datasetsBigQueryBigQuery is not an OLTP database
Streaming ingestionPub/Sub plus DataflowPub/Sub alone is messaging, not transformation/analytics
Low-latency key/value or wide-column accessBigtableNot relational; not ad hoc SQL analytics
Centralized enterprise networkShared VPC, Cloud Interconnect/VPN, Cloud Router, Network Connectivity CenterVPC peering is not transitive
Data exfiltration protectionVPC Service Controls, IAM, org policy, loggingVPC Service Controls do not replace IAM
Hybrid private connectivityCloud Interconnect or HA VPNCloud NAT is outbound only; it does not provide inbound access
Global web appGlobal external Application Load Balancer, Cloud CDN, Cloud ArmorRegional LBs may be wrong for worldwide latency and failover
Cost control for batch/fault-tolerant computeSpot VMs, autoscaling, managed services, lifecycle policiesSpot VMs can be interrupted; design for retry

Service Selection: Compute

ServiceChoose whenAvoid whenPCA cues
Cloud RunStateless containerized services, APIs, webhooks, event consumers, scale-to-zero, low opsStateful workloads, deep VM control, specialized networking not supported by service“Containerized app,” “serverless,” “variable traffic,” “reduce operations”
Cloud Run JobsContainerized batch jobs, scheduled tasks, finite workLong-running services needing continuous serving“Run a job,” “batch container,” “no server management”
Cloud Run functions / Cloud FunctionsLightweight event handlers, glue code, simple HTTP functionsComplex services, custom container needs, extensive runtime control“Trigger on upload/message,” “small function”
App Engine StandardWeb apps with supported runtimes, automatic scaling, minimal infrastructureCustom OS/packages, unsupported runtime, portability concerns“Legacy App Engine,” “simple web app,” “PaaS”
App Engine FlexibleApp Engine model with custom runtime/container-like flexibilityNeed Kubernetes control or scale-to-zero economics“Managed web app but custom runtime”
GKE AutopilotKubernetes workloads with reduced node managementNeed detailed node, daemonset, privileged, or specialized control“Kubernetes required,” “reduce cluster operations”
GKE StandardFull Kubernetes control, custom node pools, GPUs, service mesh, complex networkingTeam lacks Kubernetes skills; serverless fits better“Kubernetes ecosystem,” “custom scheduling,” “platform team”
Compute EngineLift-and-shift, OS-level control, legacy apps, custom agents, specialized machinesApp can be easily containerized/serverless“VM-based,” “custom OS,” “existing licenses,” “stateful server”
Managed Instance GroupsAutoscaled/stateless VM fleets, rolling updates, self-healingSingle pets, unmanaged stateful VMs“Autoscale VMs,” “self-healing,” “regional availability”
BatchLarge batch processing, parallel jobs, queue-based computeAlways-on web serving“Batch workloads,” “parallel compute,” “jobs”
VMware EngineVMware migration with minimal re-platformingCloud-native modernization is feasible and required“Existing VMware,” “rapid data center exit”

Compute Decision Path

    flowchart TD
	    A[Workload to host] --> B{Needs OS or VM-level control?}
	    B -->|Yes| C[Compute Engine or MIG]
	    B -->|No| D{Requires Kubernetes APIs/ecosystem?}
	    D -->|Yes| E{Need node-level control?}
	    E -->|Yes| F[GKE Standard]
	    E -->|No| G[GKE Autopilot]
	    D -->|No| H{Containerized service or job?}
	    H -->|Service/API| I[Cloud Run]
	    H -->|Finite job| J[Cloud Run Jobs or Batch]
	    H -->|No, simple function| K[Cloud Run functions / Cloud Functions]

Service Selection: Storage and Databases

NeedBest-fit servicesKey distinction
Object storageCloud StorageDurable object store for files, backups, static assets, data lakes
VM block storagePersistent Disk / HyperdiskAttached to Compute Engine or GKE nodes; not object storage
Shared POSIX/NFS file systemFilestoreManaged NFS for apps requiring shared file semantics
Relational database, moderate scaleCloud SQLManaged MySQL, PostgreSQL, SQL Server; simpler than Spanner
PostgreSQL-compatible high performanceAlloyDBManaged PostgreSQL-compatible option for demanding workloads
Global relational scale and strong consistencyCloud SpannerDistributed relational database; choose when Cloud SQL cannot meet scale/availability/global needs
Document databaseFirestoreServerless document model, mobile/web backends, flexible schema
Wide-column, low-latency high throughputBigtableTime series, IoT, personalization, operational analytics; not relational
In-memory cacheMemorystoreRedis/Valkey-compatible cache layer; not durable primary system of record
Data warehouseBigQueryServerless analytics, SQL over large datasets; not OLTP
SearchVertex AI Search / search-oriented managed optionsUse when full-text/search relevance is central, not simple primary-key lookup

Database Decision Table

RequirementPreferWhy
Existing MySQL/PostgreSQL/SQL Server appCloud SQLLowest migration complexity
Existing PostgreSQL app needs higher performance/scalingAlloyDBPostgreSQL compatibility with managed performance features
Multi-region relational writes and strong consistencySpannerDesigned for distributed relational scale
Mobile app with flexible JSON-like dataFirestoreServerless document database with client-friendly model
Time-series telemetry at high write rateBigtableWide-column, low-latency writes/reads
BI dashboards over petabyte-scale dataBigQueryAnalytical SQL engine
Cache frequent readsMemorystoreReduces database load; not authoritative storage
Lift-and-shift database with full admin controlCompute Engine database VMOnly when managed database does not meet requirements

Cloud Storage Selection

RequirementUseNotes
Frequently accessed objectsStandard storage classCommon for active content and serving
Infrequent accessNearline / Coldline / ArchiveChoose based on access pattern and retrieval expectations; avoid memorizing invented thresholds
Automatic tiering by ageLifecycle rulesCommon exam answer for cost optimization
Prevent accidental deletionVersioning, retention policy, soft delete controls where applicableMatch to governance need
Static web assetsCloud Storage plus Cloud CDN / load balancing where neededBucket alone is not full application hosting
Private object accessIAM, signed URLs, signed policy documentsAvoid making buckets public unless explicitly required
Data lakeCloud Storage plus Dataproc, Dataflow, BigQuery, DataplexObject store is storage; governance/query need additional services

Analytics, Data Engineering, and AI

Use caseChooseAvoid confusing with
Decoupled event ingestionPub/SubCloud Tasks for task dispatch with explicit retry/target semantics
Stream/batch transformationDataflowPub/Sub stores messages; Dataflow processes them
Hadoop/Spark migrationDataprocBigQuery for serverless SQL analytics
Serverless warehouseBigQueryCloud SQL for OLTP
Workflow orchestrationCloud ComposerDataflow for data processing; Workflows for simpler service orchestration
Visual/code-light ETLCloud Data FusionDataflow for custom Apache Beam pipelines
CDC into analyticsDatastreamDatabase Migration Service for database migration workflows
SQL data transformation in BigQueryDataformComposer when cross-system orchestration is required
Data governance and discoveryDataplex, Data Catalog capabilitiesIAM alone is not data governance
BI semantic layer/reportingLooker / Looker StudioBigQuery stores and queries data
ML model training/servingVertex AIBigQuery ML for SQL-centric models inside BigQuery
Prebuilt document extractionDocument AICustom ML when prebuilt processors do not fit
Sensitive data discovery/maskingSensitive Data ProtectionKMS encrypts; it does not classify data

Common Data Architecture Patterns

PatternReference architecture
Real-time analyticsProducers → Pub/Sub → Dataflow → BigQuery → Looker
Batch data lakeSources → Cloud Storage → Dataproc/Dataflow/BigQuery external or native tables → Dataplex governance
CDC replicationSource DB → Datastream → Cloud Storage/BigQuery or target pipeline
ML pipelineCloud Storage/BigQuery → Vertex AI training/pipelines → model registry → endpoint/batch prediction
Log analyticsCloud Logging sinks → BigQuery/Cloud Storage/Pub/Sub → analysis or archival

Networking and Connectivity

Service / featureChoose whenKey exam distinction
VPCPrivate network foundationVPC is global; subnets are regional
Shared VPCCentral networking team, multiple service projectsHost project owns network; service projects deploy workloads
VPC Network PeeringPrivate RFC1918 connectivity between VPCsNot transitive; no central inspection by default
Private Service ConnectPrivate access to Google APIs, producer services, or supported SaaSBetter for controlled private service exposure than broad peering
Private Google AccessVM without external IP needs Google APIs over internal pathApplies to subnet/VM access patterns; not general inbound connectivity
Cloud NATPrivate VMs need outbound internetNo inbound connections; pair with no external IPs
Cloud RouterDynamic routing with BGPUsed with HA VPN and Interconnect
HA VPNEncrypted hybrid connectivity over internetFaster to set up; bandwidth/latency less predictable than Interconnect
Dedicated InterconnectHigh-throughput private physical connectionRequires colocation/provider planning
Partner InterconnectPrivate connectivity through supported providerUseful when Dedicated Interconnect is not practical
Cross-Cloud InterconnectPrivate connectivity to supported other cloudsUse for multicloud private networking scenarios
Network Connectivity CenterHub-and-spoke connectivity managementGood for enterprise hybrid/multicloud topology
Cloud DNSManaged DNSCombine with private zones for internal resolution
Cloud CDNCache static/cacheable content at edgeRequires appropriate backend/load balancing pattern
Cloud ArmorWAF and DDoS protection for supported HTTP(S) workloadsNot a substitute for IAM or app auth

Load Balancer Selection

RequirementPreferNotes
Global HTTP(S) web appGlobal external Application Load BalancerL7 routing, TLS, Cloud CDN, Cloud Armor integration
Regional HTTP(S) appRegional external Application Load BalancerUse when regional scope is required
Private HTTP(S) servicesInternal Application Load BalancerInternal L7 traffic management
TCP/UDP pass-throughNetwork Load Balancer optionsUse for L4 workloads, non-HTTP protocols
Internal TCP/UDPInternal passthrough Network Load BalancerPrivate load balancing inside VPC
GKE ingressGoogle Cloud load balancing via GKE Ingress/GatewayMatch with GKE architecture
Hybrid backend integrationLoad balancer with hybrid connectivity patterns where supportedConfirm backend type and connectivity requirement conceptually

Networking Traps

TrapCorrect thinking
“Cloud NAT lets users reach private VMs”Cloud NAT is outbound-only
“VPC peering creates a hub-and-spoke transit network”VPC peering is not transitive
“External IPs are required for Google API access”Private Google Access or Private Service Connect can avoid external IPs
“Firewall rules replace IAM”Network controls and identity controls solve different problems
“Global VPC means subnets are global”Subnets are regional
“Interconnect is encrypted by default like VPN”VPN provides encryption; for Interconnect, evaluate encryption requirements separately

IAM, Security, and Governance

Resource Hierarchy

LevelUse for
OrganizationEnterprise-wide policies, central governance
FolderDepartment, environment, business unit segmentation
ProjectWorkload/application boundary, billing/quota/IAM unit
ResourceService-specific access where appropriate

IAM Reference

ConceptUsePCA distinction
PrincipalUser, group, service account, workload identityPrefer groups for humans and service accounts for workloads
RoleSet of permissionsUse predefined roles first; custom roles for least privilege gaps
Policy bindingGrants role to principal at resource scopeGrant at lowest practical scope
Basic rolesOwner, Editor, ViewerUsually too broad for production least privilege
Service accountApplication/workload identityDo not treat as a human user
Service account keyLong-lived credentialAvoid when federation or attached service accounts work
IAM ConditionsContext-aware conditional grantsUseful for time, resource, or attribute-based constraints
Deny policiesExplicitly restrict permissionsUse for guardrails where allow policies are too broad
Organization Policy ServiceConstraint-based governanceControls allowed configurations; not the same as IAM
Policy Controller / Config Controller patternsKubernetes/resource policy enforcementUseful in platform governance scenarios

Security Service Selection

RequirementPreferNotes
Centralized identity for workforceCloud Identity / external IdP federationUse SSO and groups for manageability
No service account keys from external workloadsWorkload Identity FederationReplaces long-lived keys for many external CI/CD and workload scenarios
GKE workloads use Google Cloud APIsWorkload Identity for GKEAvoid node-wide broad service account permissions
Secrets storageSecret ManagerDo not store secrets in images, source code, or metadata
Encryption key controlCloud KMS with CMEK where requiredDefault encryption exists, but CMEK gives customer-managed control
External key controlCloud External Key Manager where requiredUse only when scenario demands external key custody
Data perimeterVPC Service ControlsHelps reduce data exfiltration from supported services
App access without VPNIdentity-Aware ProxyUser/context-aware access to supported apps/resources
Threat/security postureSecurity Command CenterCentral visibility, findings, risk management
Asset inventoryCloud Asset InventoryAudit resources and IAM over time
Sensitive data inspectionSensitive Data ProtectionClassification, inspection, masking/tokenization use cases
Audit trailCloud Audit Logs, log sinksExport to BigQuery/Cloud Storage/SIEM as required

Security Traps

Scenario wordingWrong shortcutBetter answer
“Developers need temporary deployment access”Give OwnerUse least-privilege predefined/custom role, group, condition if applicable
“On-prem app needs Google Cloud access”Download service account keyPrefer Workload Identity Federation if supported
“Prevent data exfiltration from BigQuery/Cloud Storage”IAM onlyCombine IAM, VPC Service Controls, org policies, logging, DLP as needed
“KMS encrypts sensitive fields”Use KMS as classifierKMS manages keys; Sensitive Data Protection discovers/classifies/masks
“Network is private, so auth is unnecessary”Trust network boundary onlyUse identity, IAM, mTLS/service auth where appropriate
“Give GKE node service account broad access”Node-level permissionsUse Workload Identity for GKE per workload

Reliability, Availability, and Disaster Recovery

Core Terms

TermMeaningExam use
SLIMeasured indicator, such as latency or availabilityWhat you measure
SLOTarget for an SLIWhat you promise internally
SLAExternal contractual commitmentDo not invent values
Error budgetAllowed unreliability under SLOBalances release velocity and reliability
RTOMaximum acceptable recovery timeDrives failover automation
RPOMaximum acceptable data lossDrives replication/backup design
MTTRMean time to recoverImprove with automation and observability

Availability Pattern Selection

RequirementPattern
Survive VM failureManaged instance group, health checks, autoscaling
Survive zone failureRegional managed instance group or regional managed service
Survive region failureMulti-region active-active or active-passive architecture
Low global latencyGlobal load balancing, CDN, regional backends near users
Stateless app HAMultiple zones/regions behind load balancer
Stateful relational HAManaged HA database option or replicated architecture
Backup/restore DRAutomated backups, tested restore procedures
Near-zero downtime deploymentsRolling, blue/green, or canary deployments
Fault isolationSeparate projects, regions, clusters, service boundaries

DR Decision Table

RTO/RPO pressureTypical architectureTradeoff
Low pressure, cost-sensitiveBackup and restoreCheapest, slowest recovery
ModeratePilot light / warm standbyFaster recovery, some idle cost
HighActive-passive with replicationMore automation and duplicate capacity
Very high global availabilityActive-active multi-regionHighest complexity; conflict/data design matters

Reliability Traps

TrapCorrect thinking
Backups are enough for all DRRestore time and data loss must meet RTO/RPO
Multi-zone equals multi-regionZonal failure protection is not regional disaster protection
Stateless autoscaling fixes database bottlenecksScale and protect the stateful tier separately
Active-active is always bestIt increases cost and complexity; use only when justified
Health checks alone guarantee app healthHealth checks must reflect real dependency readiness
Manual failover is acceptable for strict RTOAutomation is usually required for tight RTO

Application Modernization and Migration

StrategyMeaningGoogle Cloud fit
RehostMove as-isCompute Engine, Migrate to Virtual Machines, VMware Engine
ReplatformMinor changes to managed servicesCloud SQL, Cloud Run, GKE, managed load balancing
RefactorRedesign app architectureMicroservices, Pub/Sub, Cloud Run/GKE, managed databases
ReplaceAdopt SaaS or packaged solutionUse when custom app no longer provides business value
RetireRemove unused systemsCommon cost/risk reduction step
RetainKeep temporarilyUse for dependencies, compliance, or phased migration

Migration Service Selection

NeedChoose
VM migrationMigrate to Virtual Machines
VMware environment migration with minimal changeGoogle Cloud VMware Engine
Database migrationDatabase Migration Service
Large online/offline object transferStorage Transfer Service
Physical appliance transfer for large datasetsTransfer Appliance
Streaming database change replicationDatastream
Landing zone setupResource hierarchy, IAM, Shared VPC, logging, billing, org policies
App dependency discoveryMigration assessment/discovery tooling and architecture review

Modernization Patterns

PatternUse whenReference design
Strangler figReplace legacy app graduallyRoute selected functions to new services while legacy remains
Event-driven decouplingSystems need async integrationPub/Sub between producers and consumers
API façadeLegacy backend needs modern interfaceAPI layer on Cloud Run/GKE with auth, logging, throttling
Containerize firstApp can run in containers but not fully refactoredCloud Run for stateless, GKE for Kubernetes/platform needs
Database offloadAnalytics overloads OLTP databaseReplicate/export to BigQuery

DevOps, CI/CD, and Infrastructure as Code

RequirementPreferNotes
Source repository integrationCloud Build with source triggers or existing CIMatch enterprise tooling if specified
Artifact storageArtifact RegistryContainer and package artifact management
Progressive delivery to GKE/Cloud RunCloud DeployManaged delivery pipelines
Infrastructure as codeTerraform, Infrastructure Manager, Config Controller where appropriatePCA tests concepts more than syntax
Policy as codeOrganization Policy, Policy Controller, CI checksEnforce guardrails before deployment
Secrets in CI/CDSecret Manager and workload identity/federationAvoid plaintext build variables
Deployment rollbackVersioned artifacts, blue/green/canary, release promotionDesign rollback before failure
Environment separationSeparate projects/folders per environmentEnables IAM, billing, quota, and blast-radius control

Deployment Pattern Selection

PatternChoose whenTradeoff
Rolling updateNormal low-risk updatesSimple; some mixed-version period
Blue/greenFast rollback and environment validationDuplicate capacity during cutover
CanaryValidate with small traffic percentageRequires monitoring and traffic control
Immutable infrastructureAvoid configuration driftRequires automated build/deploy pipeline
Feature flagsDecouple release from deploymentRequires app-level implementation

Observability and Troubleshooting

NeedService / featureExam cue
Metrics and alertingCloud MonitoringSLOs, dashboards, uptime checks
LogsCloud LoggingCentral logs, log-based metrics
Audit trailCloud Audit LogsAdmin, data access, policy activity; verify what must be enabled/exported
Error aggregationError ReportingApp exceptions
Distributed tracingCloud TraceLatency across services
ProfilingCloud ProfilerCPU/memory performance over time
Log exportLog sinks to BigQuery, Cloud Storage, Pub/SubAnalytics, retention, SIEM integration
Resource inventoryCloud Asset Inventory“What changed?” and governance review
SLO managementCloud Monitoring SLOsReliability engineering scenarios

Troubleshooting Decision Table

SymptomCheck firstLikely issue
403 permission deniedIAM binding scope, service account, org policy, VPC Service ControlsIdentity or policy problem
VM has no internet egressRoute, firewall egress, Cloud NAT, external IP, Private Google Access for APIsNetwork egress design
Private VM cannot call Google APIsPrivate Google Access / Private Service Connect, DNS, firewallMissing private API access path
GKE pod cannot access Google APIsWorkload Identity for GKE, Kubernetes service account binding, IAM roleWorkload identity mapping
High web latency globallyLoad balancer scope, CDN, backend region, database latencyRegional architecture for global users
Pub/Sub duplicatesSubscriber idempotency and ack handlingPub/Sub is at-least-once; design consumers accordingly
BigQuery query cost highPartitioning, clustering, selected columns, materialized views, reservations if applicableInefficient analytical query design
Cloud Run cold-start concernMin instances where justified, right runtime/container sizeServerless scaling tradeoff
Database overloaded by reportsRead replica or analytics offload to BigQueryMixing OLTP and analytics

Cost and Performance Optimization

AreaPractical controls
Compute EngineRightsizing, autoscaling, managed instance groups, committed use discounts where stable, Spot VMs for interruptible work
GKEAutopilot for reduced ops, right-sized requests/limits, cluster autoscaling, separate node pools for specialized workloads
Cloud RunConcurrency, min instances only when needed, efficient container startup, scale-to-zero for variable traffic
Cloud StorageLifecycle policies, storage class selection, avoid unnecessary duplication, monitor retrieval/egress patterns
BigQueryPartitioning, clustering, materialized views, avoid SELECT *, manage reservations/slots where appropriate
DatabasesRead replicas, caching, indexing, connection pooling, choose the right database model
NetworkingReduce unnecessary cross-region egress, use CDN for cacheable content, place compute near data/users
OperationsBilling export to BigQuery, budgets/alerts, labels, project separation, resource cleanup automation

Cost Traps

TrapBetter approach
Use the cheapest VM shape for everythingMatch workload performance and reliability requirements
Use Spot VMs for critical stateful servicesUse Spot only when interruption is acceptable
Store all data in one class foreverApply lifecycle policies based on access
Run analytics on production OLTPOffload to BigQuery or replicas
Add min instances everywhereUse only where latency requirement justifies cost
Ignore network egressArchitect data locality and caching intentionally

Governance and Enterprise Landing Zone Checklist

DomainInclude in target architecture
Resource hierarchyOrganization, folders, projects by environment/app/team
IdentityCloud Identity or federation, groups, least privilege
NetworkingShared VPC, subnet strategy, hybrid connectivity, DNS, firewall policy
Security guardrailsOrg policies, IAM deny where appropriate, VPC Service Controls for sensitive services
LoggingCentral log sinks, audit log retention/export, SIEM integration if required
BillingBilling accounts, budgets, labels, export to BigQuery
Key managementKMS key rings/keys, CMEK requirements, separation of duties
CI/CDArtifact Registry, build/deploy pipelines, policy checks
MonitoringStandard dashboards, alerting, SLOs, incident response
Compliance evidenceAsset inventory, audit logs, security findings, documented controls

High-Yield Exam Distinctions

Do not confuseWithDistinction
Cloud SQLSpannerCloud SQL is regional managed relational; Spanner is distributed relational scale/global consistency
BigQueryCloud SQLBigQuery is analytics; Cloud SQL is transactional
BigtableBigQueryBigtable serves low-latency operational access; BigQuery analyzes large datasets
Pub/SubCloud TasksPub/Sub is event messaging; Cloud Tasks dispatches tasks to handlers with queue semantics
DataflowDataprocDataflow is managed Beam stream/batch; Dataproc is managed Spark/Hadoop
Cloud RunGKECloud Run is serverless containers; GKE is Kubernetes platform
GKE AutopilotGKE StandardAutopilot reduces node ops; Standard gives more control
Cloud NATLoad balancerNAT enables outbound private VM egress; load balancer handles inbound distribution
VPC peeringShared VPCPeering connects networks; Shared VPC centralizes network ownership for projects
IAMOrg PolicyIAM grants permissions; org policy constrains allowed configurations
KMSSecret ManagerKMS manages cryptographic keys; Secret Manager stores secrets
VPC Service ControlsFirewallVPC-SC protects service perimeters; firewall controls network traffic
Cloud CDNCloud StorageCDN caches/serves content closer to users; Storage holds objects

Scenario Answer Patterns

Scenario clueStrong candidate answer
“Reduce operational overhead”Prefer serverless/managed services; avoid self-managed clusters/VMs unless required
“Existing monolith on VMs, rapid migration”Rehost to Compute Engine or VMware Engine; modernize later
“Stateless container API with unpredictable traffic”Cloud Run behind appropriate load balancing/auth controls
“Kubernetes required by platform team”GKE Autopilot unless node-level control is required
“Global users, static and dynamic web content”Global external Application Load Balancer, Cloud CDN for cacheable assets, regional backends
“Strict least privilege”Groups, predefined/custom roles, minimal scope, service accounts, IAM Conditions if useful
“No public IPs on workloads”Private subnets, Cloud NAT for egress, Private Google Access/Private Service Connect
“Sensitive data perimeter”IAM plus VPC Service Controls, audit logs, org policies, DLP/Sensitive Data Protection
“Streaming sensor data”Pub/Sub ingestion, Dataflow processing, Bigtable or BigQuery depending on serving/analytics need
“Reports slow down production DB”Replicate/export to BigQuery; use read replicas when appropriate
“Need multi-region relational consistency”Cloud Spanner
“Need cache to reduce read latency”Memorystore in front of primary database
“Need central network administration”Shared VPC with host/service projects
“Need private hybrid connectivity”HA VPN for encrypted internet-based connectivity; Interconnect for private higher-throughput needs
“Need auditable infrastructure changes”IaC, CI/CD approvals, Cloud Audit Logs, Asset Inventory

Last-Minute PCA Review Checklist

  • Can you justify why a managed service is or is not suitable?
  • Can you separate OLTP, analytics, cache, object, block, and file storage?
  • Can you choose between Cloud Run, GKE, App Engine, and Compute Engine from requirements?
  • Can you explain Shared VPC, VPC peering, Private Service Connect, Private Google Access, Cloud NAT, VPN, and Interconnect?
  • Can you design for least privilege without using broad basic roles?
  • Can you identify when VPC Service Controls are needed and when they are not enough?
  • Can you map RTO/RPO to backup, warm standby, active-passive, or active-active?
  • Can you design centralized logging, monitoring, alerting, and audit export?
  • Can you optimize BigQuery, Cloud Storage, compute, and network egress without breaking requirements?
  • Can you spot answers that are technically possible but operationally heavy?

Practical Next Step

Use this Quick Reference to review one architecture scenario at a time: identify the business goal, choose the managed services, define the security boundary, plan reliability, and explain the tradeoff. Then move into timed PCA practice questions and force yourself to eliminate answers that violate requirements, add unnecessary operations, or ignore security and reliability constraints.