PCA — Google Cloud Professional Cloud Architect 2026 Quick Review

Quick Review for Google Cloud Professional Cloud Architect 2026 (PCA): architecture, security, reliability, data, networking, and exam traps.

Quick Review purpose

This Quick Review is for candidates preparing for the Google Cloud Professional Cloud Architect 2026 exam, official exam code PCA, from Google Cloud. Use it to refresh high-yield architecture concepts before moving into topic drills, mock exams, and detailed explanations.

The PCA exam is not just a service-name recall test. Strong candidates can translate business requirements into secure, reliable, cost-aware Google Cloud architectures. Expect scenarios where several answers are technically possible, but only one best matches the constraints.

Use this page to review:

  • Core Google Cloud architecture decision rules
  • Compute, networking, data, security, and operations patterns
  • Common traps in scenario questions
  • How to connect review to IT Mastery practice and original practice questions

High-yield PCA mindset

The best answer usually balances business requirements, technical constraints, Google Cloud managed services, and operational simplicity.

Scenario clueArchitectural instinct
“Minimize operations”Prefer managed/serverless services over self-managed infrastructure
“Global users, low latency”Consider global load balancing, CDN, multi-region data, edge caching
“Strict RPO/RTO”Design for replication, automated failover, tested recovery, backups
“Regulated data”Use IAM least privilege, encryption, audit logging, VPC Service Controls where appropriate
“Existing on-premises integration”Consider Cloud VPN, Cloud Interconnect, hybrid DNS, identity federation
“Unpredictable traffic”Use autoscaling, serverless, queues, event-driven design
“Large analytics workloads”Think BigQuery, Dataflow, Dataproc, Pub/Sub, Cloud Storage
“Transactional relational workload”Consider Cloud SQL, AlloyDB, or Spanner depending on scale and global needs
“Need portability / Kubernetes standardization”Consider Google Kubernetes Engine, but weigh operational complexity
“Cost is a key constraint”Rightsize, autoscale, choose storage classes, avoid unnecessary egress, use commitments carefully

Fast architecture decision flow

    flowchart TD
	    A[Read business goal] --> B[Identify constraints]
	    B --> C{Primary workload type?}
	    C -->|Web/API/app| D[Choose compute pattern]
	    C -->|Data/analytics| E[Choose storage and pipeline]
	    C -->|Hybrid/migration| F[Choose connectivity and migration path]
	    D --> G[Secure identity, network, secrets]
	    E --> G
	    F --> G
	    G --> H[Design reliability and DR]
	    H --> I[Optimize cost and operations]
	    I --> J[Select answer with least complexity that satisfies requirements]

Core Google Cloud resource model

Understand the hierarchy because many PCA security and governance questions depend on it.

LevelWhat to remember
OrganizationTop-level boundary for centralized policy, IAM, billing, and governance
FolderGroups projects by department, environment, app, or business unit
ProjectMain isolation boundary for resources, IAM, quotas, billing attribution, APIs
ResourceIndividual service objects such as VM instances, buckets, clusters, datasets

Common hierarchy traps

  • Granting permissions too broadly at the organization level when project-level or resource-level access is enough.
  • Using primitive roles when predefined or custom roles better support least privilege.
  • Forgetting that inherited IAM can create access unintentionally.
  • Mixing production and non-production workloads in the same project without a strong reason.
  • Ignoring organization policies when the scenario asks for centralized enforcement.

Compute and application platform review

Choose compute by matching operational burden, portability, scaling, and runtime requirements.

Service / patternBest fitWatch for
Cloud RunStateless containers, APIs, event-driven apps, scale-to-zero patternsNot ideal for highly stateful workloads without external state storage
Cloud FunctionsLightweight event-driven functionsAvoid when container control or complex runtime dependencies are required
App EngineManaged web apps with minimal infrastructure managementLess control than GKE or Compute Engine
Google Kubernetes EngineContainer orchestration, microservices, Kubernetes portability, platform teamsMore operational complexity than Cloud Run
Compute EngineCustom VMs, legacy workloads, special OS/configuration needsRequires more management than serverless/managed platforms
Managed instance groupsAutoscaled VM fleets, rolling updates, self-healingDesign health checks and load balancing correctly
BatchBatch jobs and high-throughput non-interactive workloadsNot for low-latency request/response apps
Cloud Run jobsContainerized jobs without always-on infrastructureGood for task execution, not long-lived services
VMware EngineVMware-based migration or extension scenariosUse when VMware compatibility matters, not as default modernization

Compute decision rules

  • Prefer Cloud Run for stateless containerized services when you want managed scaling and low operational overhead.
  • Prefer GKE when Kubernetes control, service mesh, custom networking, or workload portability is a requirement.
  • Prefer Compute Engine when the workload needs custom machine configuration, legacy software, or VM-level control.
  • Prefer managed instance groups over unmanaged VM fleets for autoscaling and self-healing.
  • Externalize state to managed storage such as Cloud SQL, Spanner, Firestore, Memorystore, Cloud Storage, or Bigtable.

Container and delivery topics to review

NeedGoogle Cloud option
Store container imagesArtifact Registry
Build/test/deploy pipelineCloud Build, Cloud Deploy
Kubernetes workload identityWorkload Identity / workload identity federation patterns
Enforce trusted container deploymentBinary Authorization
Manage GKE configurationConfig Sync / policy-based controls where appropriate
Canary or progressive deliveryCloud Deploy, load balancing, GKE rollout strategies, Cloud Run revisions
SecretsSecret Manager, not hardcoded environment values

Networking quick review

Networking questions often test whether you can keep traffic private, reduce latency, connect hybrid environments, or choose the right load balancer.

RequirementLikely Google Cloud concept
Isolate resourcesVPC, subnet design, firewall rules, IAM
Centralize networking for many projectsShared VPC
Private communication to Google APIsPrivate Google Access / Private Service Connect depending on use case
Private service publishing/consumptionPrivate Service Connect
Connect VPCsVPC Network Peering or Network Connectivity Center patterns
Outbound internet for private VMsCloud NAT
Hybrid connectivityCloud VPN or Cloud Interconnect
Low-latency dedicated hybrid linkCloud Interconnect
Global external HTTP(S) trafficGlobal external Application Load Balancer
Internal service trafficInternal load balancing
Edge cachingCloud CDN
DNS managementCloud DNS
DDoS/WAF protectionCloud Armor
Service-to-service control in GKEService mesh / network policies where appropriate

Networking traps

  • Cloud NAT is outbound only. It does not allow inbound internet connections to private instances.
  • Firewall rules are stateful, but you still need the right direction, target, source, and priority.
  • Shared VPC is commonly the right answer when central network teams manage networking for service projects.
  • VPC peering is not transitive. Do not assume A-to-B and B-to-C means A-to-C connectivity.
  • Private Google Access helps private VMs reach supported Google APIs without external IPs.
  • Cloud VPN is often faster to set up; Cloud Interconnect is typically used when dedicated, higher-throughput, lower-latency connectivity is required.
  • Use Cloud CDN and global load balancing for global web performance; do not solve every latency issue by adding more VMs.

Storage and database decision table

Most PCA data questions come down to workload shape: object storage, relational transactions, global consistency, document access, time-series/wide-column data, or analytics.

WorkloadStrong candidate service
Object storage, backups, media, data lake landing zoneCloud Storage
Managed MySQL/PostgreSQL/SQL Server relational databaseCloud SQL
High-performance PostgreSQL-compatible transactional workloadAlloyDB
Global relational database with strong consistency and horizontal scaleSpanner
Document database for app developmentFirestore
Wide-column, low-latency, high-throughput workloadsBigtable
In-memory cacheMemorystore
Enterprise file sharesFilestore
Analytics warehouseBigQuery
Streaming messagingPub/Sub
Stream/batch data processingDataflow
Managed Spark/HadoopDataproc
Workflow orchestrationCloud Composer
Data lake storage foundationCloud Storage plus analytics tools

Data decision traps

TrapBetter thinking
Choosing BigQuery for high-frequency OLTP app transactionsBigQuery is analytics-focused; use transactional databases for OLTP
Choosing Cloud SQL for global horizontal scale with strong consistencyConsider Spanner if global relational scale is required
Choosing Bigtable because data is “big”Bigtable fits low-latency key-based access patterns, not general SQL analytics
Choosing Firestore for complex relational joinsFirestore is document-oriented; model access patterns carefully
Storing secrets in Cloud Storage or source codeUse Secret Manager
Ignoring data residency or compliance cluesChoose region/multi-region deliberately and apply governance controls
Overusing multi-region storage without needBalance availability, latency, compliance, and cost

BigQuery and analytics review

BigQuery questions often mix cost, performance, governance, and ingestion choices.

NeedReview point
Analyze large datasets with SQLBigQuery
Load data periodicallyBatch loads, BigQuery Data Transfer Service, Storage Transfer Service depending on source
Stream eventsPub/Sub into Dataflow or supported streaming ingestion patterns
Reduce query costPartitioning, clustering, selective columns, materialized views, query optimization
Control data accessDataset/table permissions, authorized views, row-level and column-level controls where appropriate
Separate storage and computeUnderstand BigQuery’s serverless analytics model
Share governed datasetsUse appropriate IAM and data sharing patterns

BigQuery traps

  • Querying unnecessary columns increases scanned data when using on-demand pricing models.
  • Partitioning is useful only when queries filter on partitioned fields.
  • Clustering helps when queries filter or aggregate on clustered columns.
  • BigQuery is not a replacement for a low-latency transactional application database.
  • Governance is not just IAM; consider dataset structure, views, policy tags, and auditability.

Security and IAM quick review

Security scenarios often ask for the least privileged, most auditable, and most maintainable answer.

RequirementStrong approach
Human access controlIAM groups, predefined/custom roles, least privilege
Application identityService accounts
Avoid long-lived keysWorkload identity federation or attached service accounts instead of downloadable keys
Store secretsSecret Manager
Encryption key controlCloud KMS / Cloud HSM when appropriate
Central policy enforcementOrganization Policy Service
Detect security risksSecurity Command Center
Audit activityCloud Audit Logs
Restrict data exfiltration from supported servicesVPC Service Controls
Context-aware accessAccess Context Manager / BeyondCorp-style controls
Protect web appsCloud Armor
Private access to servicesPrivate Service Connect and private networking patterns

IAM decision rules

  1. Assign access to groups, not individual users, where possible.
  2. Use predefined roles before custom roles unless the scenario requires exact permission tailoring.
  3. Avoid Owner, Editor, and Viewer for production access unless the question explicitly justifies them.
  4. Use service accounts per workload rather than sharing one broad service account.
  5. Avoid service account keys when an identity-based alternative is available.
  6. Use organization policies to enforce constraints across projects.
  7. Use separation of duties for production deployments, security administration, and audit review.

Security traps

  • “Encrypt the data” is not enough; identify whether default encryption is sufficient or customer-managed keys are required.
  • Do not grant broad project-level roles to solve one resource-level permission issue.
  • Do not expose a private workload with public IPs when private connectivity is required.
  • Do not use firewall rules as the only security boundary for identity-sensitive services.
  • Do not confuse authentication with authorization.
  • Do not store API keys, passwords, or certificates in container images or source repositories.

Reliability, DR, and SRE review

PCA reliability questions usually test whether the architecture meets availability and recovery requirements without unnecessary complexity.

Key terms:

  • RTO: how quickly the service must be restored.
  • RPO: how much data loss is acceptable.
  • SLO: target reliability level for a service.
  • Error budget: allowable unreliability over a period.
\[ \text{Availability} = \frac{\text{Successful requests}}{\text{Total valid requests}} \]\[ \text{Error budget} = 1 - \text{SLO} \]

Reliability design table

RequirementDesign instinct
Survive zonal failureUse regional managed services or deploy across zones
Survive regional failureUse multi-region or cross-region DR design
Low RTOAutomate failover and keep warm/active capacity
Low RPOUse synchronous or near-real-time replication where appropriate
Stateless web tierUse load balancing and autoscaling across zones
Stateful databaseUse managed HA, replicas, backups, and tested restore
Message bufferingPub/Sub or queues to absorb spikes and decouple systems
Graceful degradationCache, fallback responses, circuit breakers
Operational visibilityCloud Monitoring, Cloud Logging, tracing, alerts, dashboards

DR pattern comparison

PatternUse whenTradeoff
Backup and restoreLower cost, higher RTO acceptableSlowest recovery
Pilot lightMinimal standby environmentFaster than restore, still needs scale-up
Warm standbyReduced-capacity duplicate environmentHigher cost, faster recovery
Active-activeVery low RTO, global availabilityHighest complexity and cost

Reliability traps

  • Backups do not prove recoverability; restores must be tested.
  • Multi-zone is not the same as multi-region.
  • Autoscaling does not fix database bottlenecks automatically.
  • A load balancer cannot route to healthy capacity if the backend design is single-zone.
  • SLOs should reflect user experience, not only infrastructure uptime.
  • Alerting on every metric creates noise; alert on symptoms and user-impacting conditions.

Operations and observability

Operational questions look for maintainable, automated, auditable solutions.

NeedGoogle Cloud capability
Metrics and alertingCloud Monitoring
LogsCloud Logging
Distributed tracesCloud Trace
Error aggregationError Reporting
Service health and SLOsCloud Monitoring service monitoring
Audit trailCloud Audit Logs
Deployment automationCloud Build, Cloud Deploy, Terraform/infrastructure as code patterns
Config governanceOrganization policies, policy-as-code, Config Controller/Config Sync where appropriate
Incident responseDashboards, alerts, runbooks, postmortems

Operations traps

  • Manual console changes are rarely the best answer for repeatable production architecture.
  • Alerts should be actionable and tied to service impact.
  • Logs have cost and retention implications; collect what you need and manage retention.
  • Monitoring must include dependencies such as databases, queues, and external services.
  • Production changes should be versioned, reviewed, and reversible.

Cost and performance review

PCA cost questions are usually about selecting an architecture that meets requirements without overengineering.

Cost areaReview points
ComputeAutoscaling, rightsizing, machine family selection, committed use discounts where appropriate
ServerlessPay-per-use can reduce idle cost, but understand concurrency and invocation patterns
StorageChoose appropriate storage class, lifecycle policies, retention, object versioning
NetworkingWatch egress, inter-region traffic, CDN caching, private connectivity needs
BigQueryPartitioning, clustering, materialized views, reservations/slots or on-demand fit
LoggingLog volume, exclusions, retention
DatabasesScale shape, replicas, HA, storage growth, backups
DRBalance RTO/RPO against standby capacity cost

Cost traps

  • Choosing active-active multi-region when the RTO/RPO does not require it.
  • Keeping development environments running 24/7 without need.
  • Ignoring network egress in distributed architectures.
  • Overprovisioning GKE clusters when serverless or autoscaling would satisfy the requirement.
  • Using premium managed services by default without matching workload needs.
  • Treating committed discounts as a first step before rightsizing and usage analysis.

Migration and modernization review

Migration scenarios test sequencing, risk reduction, downtime tolerance, and data movement.

ScenarioStrong approach
Lift-and-shift VMsMigrate to Virtual Machines / Compute Engine migration tooling
Modernize monolith graduallyStrangler pattern, APIs, staged migration
Database migration with minimal downtimeDatabase Migration Service where supported, replication, cutover planning
Large object/data transferStorage Transfer Service, Transfer Appliance for very large/offline transfers
Hybrid period requiredCloud VPN or Cloud Interconnect, hybrid DNS, identity integration
Validate before cutoverPilot, test migration, dual-run, canary, rollback plan
Standardize infrastructureInfrastructure as code and repeatable deployment pipelines
Legacy app with minimal changesCompute Engine or VMware Engine depending on constraints

Migration traps

  • Replatforming everything at once increases risk unless the scenario requires it.
  • Choosing a solution that requires downtime when the requirement says minimal downtime.
  • Ignoring identity, DNS, firewall, monitoring, and rollback planning.
  • Moving data without validating consistency and application compatibility.
  • Forgetting that migration success includes operations after cutover, not only data transfer.

Scenario-reading technique for PCA

Use this checklist on every long question.

  1. Identify the primary business goal. Cost reduction, availability, compliance, modernization, speed, scalability, or migration?
  2. Underline hard constraints. “Must,” “without downtime,” “least operational overhead,” “existing Kubernetes,” “global,” “private,” “auditable.”
  3. Classify the workload. Web app, batch, analytics, streaming, relational transaction, document, ML, hybrid.
  4. Choose managed services first. Only add lower-level infrastructure when needed.
  5. Apply security by default. IAM least privilege, private access, encryption, audit logs, secrets management.
  6. Check reliability. Does the answer meet stated RTO/RPO and failure-domain requirements?
  7. Check cost and simplicity. Avoid architectures that exceed the requirement.
  8. Eliminate answers with one fatal flaw. Broad IAM, public exposure, manual process, single point of failure, wrong data model.

Common answer-choice patterns

If the option says…Be cautious because…
“Grant Owner role”Usually violates least privilege
“Create service account keys”Long-lived keys are often avoidable
“Use a single VM”May fail availability/scaling requirements
“Use BigQuery for app transactions”Wrong fit for OLTP
“Manually copy data”Weak for repeatability, scale, and auditability
“Expose the database publicly”Usually fails security requirements
“Use Cloud NAT for inbound access”Cloud NAT is outbound only
“Use multi-region everywhere”May overrun cost/complexity requirements
“Refactor all applications immediately”Often too risky for migration scenarios
“Rely only on backups for low RTO”Restore time may not meet requirement

Final rapid review checklist

Before starting original practice questions, confirm that you can quickly explain:

  • When to choose Cloud Run, GKE, Compute Engine, App Engine, or Cloud Functions
  • How Shared VPC, VPC peering, Private Google Access, Private Service Connect, Cloud NAT, Cloud VPN, and Cloud Interconnect differ
  • When to choose Cloud SQL, AlloyDB, Spanner, Firestore, Bigtable, BigQuery, or Cloud Storage
  • How IAM inheritance, service accounts, least privilege, and organization policies work
  • How to design for zonal, regional, and multi-region resilience
  • How RTO, RPO, SLOs, and error budgets influence architecture choices
  • How to reduce BigQuery, compute, storage, logging, and network costs
  • How to plan staged migrations with validation and rollback
  • How to spot overbroad permissions, public exposure, manual operations, and single points of failure

Connect this review to practice

After this Quick Review, move into IT Mastery practice:

  • Use topic drills for weak areas such as IAM, networking, data services, and reliability.
  • Use original practice questions to build scenario-reading speed.
  • Use a full question bank to compare similar services under realistic constraints.
  • Review detailed explanations carefully, especially when an answer is technically possible but not the best architectural choice.

Practical next step: choose one weak domain, complete a focused topic drill, and review every explanation until you can state why the correct answer is better than the plausible distractors.

Continue in IT Mastery

Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official Google Cloud questions, copied live-exam content, or exam dumps.