PCA — Google Cloud Professional Cloud Architect 2026 Quick Review
Quick Review for Google Cloud Professional Cloud Architect 2026 (PCA): architecture, security, reliability, data, networking, and exam traps.
Quick Review purpose
This Quick Review is for candidates preparing for the Google Cloud Professional Cloud Architect 2026 exam, official exam code PCA, from Google Cloud. Use it to refresh high-yield architecture concepts before moving into topic drills, mock exams, and detailed explanations.
The PCA exam is not just a service-name recall test. Strong candidates can translate business requirements into secure, reliable, cost-aware Google Cloud architectures. Expect scenarios where several answers are technically possible, but only one best matches the constraints.
Use this page to review:
- Core Google Cloud architecture decision rules
- Compute, networking, data, security, and operations patterns
- Common traps in scenario questions
- How to connect review to IT Mastery practice and original practice questions
High-yield PCA mindset
The best answer usually balances business requirements, technical constraints, Google Cloud managed services, and operational simplicity.
| Scenario clue | Architectural instinct |
|---|---|
| “Minimize operations” | Prefer managed/serverless services over self-managed infrastructure |
| “Global users, low latency” | Consider global load balancing, CDN, multi-region data, edge caching |
| “Strict RPO/RTO” | Design for replication, automated failover, tested recovery, backups |
| “Regulated data” | Use IAM least privilege, encryption, audit logging, VPC Service Controls where appropriate |
| “Existing on-premises integration” | Consider Cloud VPN, Cloud Interconnect, hybrid DNS, identity federation |
| “Unpredictable traffic” | Use autoscaling, serverless, queues, event-driven design |
| “Large analytics workloads” | Think BigQuery, Dataflow, Dataproc, Pub/Sub, Cloud Storage |
| “Transactional relational workload” | Consider Cloud SQL, AlloyDB, or Spanner depending on scale and global needs |
| “Need portability / Kubernetes standardization” | Consider Google Kubernetes Engine, but weigh operational complexity |
| “Cost is a key constraint” | Rightsize, autoscale, choose storage classes, avoid unnecessary egress, use commitments carefully |
Fast architecture decision flow
flowchart TD
A[Read business goal] --> B[Identify constraints]
B --> C{Primary workload type?}
C -->|Web/API/app| D[Choose compute pattern]
C -->|Data/analytics| E[Choose storage and pipeline]
C -->|Hybrid/migration| F[Choose connectivity and migration path]
D --> G[Secure identity, network, secrets]
E --> G
F --> G
G --> H[Design reliability and DR]
H --> I[Optimize cost and operations]
I --> J[Select answer with least complexity that satisfies requirements]
Core Google Cloud resource model
Understand the hierarchy because many PCA security and governance questions depend on it.
| Level | What to remember |
|---|---|
| Organization | Top-level boundary for centralized policy, IAM, billing, and governance |
| Folder | Groups projects by department, environment, app, or business unit |
| Project | Main isolation boundary for resources, IAM, quotas, billing attribution, APIs |
| Resource | Individual service objects such as VM instances, buckets, clusters, datasets |
Common hierarchy traps
- Granting permissions too broadly at the organization level when project-level or resource-level access is enough.
- Using primitive roles when predefined or custom roles better support least privilege.
- Forgetting that inherited IAM can create access unintentionally.
- Mixing production and non-production workloads in the same project without a strong reason.
- Ignoring organization policies when the scenario asks for centralized enforcement.
Compute and application platform review
Choose compute by matching operational burden, portability, scaling, and runtime requirements.
| Service / pattern | Best fit | Watch for |
|---|---|---|
| Cloud Run | Stateless containers, APIs, event-driven apps, scale-to-zero patterns | Not ideal for highly stateful workloads without external state storage |
| Cloud Functions | Lightweight event-driven functions | Avoid when container control or complex runtime dependencies are required |
| App Engine | Managed web apps with minimal infrastructure management | Less control than GKE or Compute Engine |
| Google Kubernetes Engine | Container orchestration, microservices, Kubernetes portability, platform teams | More operational complexity than Cloud Run |
| Compute Engine | Custom VMs, legacy workloads, special OS/configuration needs | Requires more management than serverless/managed platforms |
| Managed instance groups | Autoscaled VM fleets, rolling updates, self-healing | Design health checks and load balancing correctly |
| Batch | Batch jobs and high-throughput non-interactive workloads | Not for low-latency request/response apps |
| Cloud Run jobs | Containerized jobs without always-on infrastructure | Good for task execution, not long-lived services |
| VMware Engine | VMware-based migration or extension scenarios | Use when VMware compatibility matters, not as default modernization |
Compute decision rules
- Prefer Cloud Run for stateless containerized services when you want managed scaling and low operational overhead.
- Prefer GKE when Kubernetes control, service mesh, custom networking, or workload portability is a requirement.
- Prefer Compute Engine when the workload needs custom machine configuration, legacy software, or VM-level control.
- Prefer managed instance groups over unmanaged VM fleets for autoscaling and self-healing.
- Externalize state to managed storage such as Cloud SQL, Spanner, Firestore, Memorystore, Cloud Storage, or Bigtable.
Container and delivery topics to review
| Need | Google Cloud option |
|---|---|
| Store container images | Artifact Registry |
| Build/test/deploy pipeline | Cloud Build, Cloud Deploy |
| Kubernetes workload identity | Workload Identity / workload identity federation patterns |
| Enforce trusted container deployment | Binary Authorization |
| Manage GKE configuration | Config Sync / policy-based controls where appropriate |
| Canary or progressive delivery | Cloud Deploy, load balancing, GKE rollout strategies, Cloud Run revisions |
| Secrets | Secret Manager, not hardcoded environment values |
Networking quick review
Networking questions often test whether you can keep traffic private, reduce latency, connect hybrid environments, or choose the right load balancer.
| Requirement | Likely Google Cloud concept |
|---|---|
| Isolate resources | VPC, subnet design, firewall rules, IAM |
| Centralize networking for many projects | Shared VPC |
| Private communication to Google APIs | Private Google Access / Private Service Connect depending on use case |
| Private service publishing/consumption | Private Service Connect |
| Connect VPCs | VPC Network Peering or Network Connectivity Center patterns |
| Outbound internet for private VMs | Cloud NAT |
| Hybrid connectivity | Cloud VPN or Cloud Interconnect |
| Low-latency dedicated hybrid link | Cloud Interconnect |
| Global external HTTP(S) traffic | Global external Application Load Balancer |
| Internal service traffic | Internal load balancing |
| Edge caching | Cloud CDN |
| DNS management | Cloud DNS |
| DDoS/WAF protection | Cloud Armor |
| Service-to-service control in GKE | Service mesh / network policies where appropriate |
Networking traps
- Cloud NAT is outbound only. It does not allow inbound internet connections to private instances.
- Firewall rules are stateful, but you still need the right direction, target, source, and priority.
- Shared VPC is commonly the right answer when central network teams manage networking for service projects.
- VPC peering is not transitive. Do not assume A-to-B and B-to-C means A-to-C connectivity.
- Private Google Access helps private VMs reach supported Google APIs without external IPs.
- Cloud VPN is often faster to set up; Cloud Interconnect is typically used when dedicated, higher-throughput, lower-latency connectivity is required.
- Use Cloud CDN and global load balancing for global web performance; do not solve every latency issue by adding more VMs.
Storage and database decision table
Most PCA data questions come down to workload shape: object storage, relational transactions, global consistency, document access, time-series/wide-column data, or analytics.
| Workload | Strong candidate service |
|---|---|
| Object storage, backups, media, data lake landing zone | Cloud Storage |
| Managed MySQL/PostgreSQL/SQL Server relational database | Cloud SQL |
| High-performance PostgreSQL-compatible transactional workload | AlloyDB |
| Global relational database with strong consistency and horizontal scale | Spanner |
| Document database for app development | Firestore |
| Wide-column, low-latency, high-throughput workloads | Bigtable |
| In-memory cache | Memorystore |
| Enterprise file shares | Filestore |
| Analytics warehouse | BigQuery |
| Streaming messaging | Pub/Sub |
| Stream/batch data processing | Dataflow |
| Managed Spark/Hadoop | Dataproc |
| Workflow orchestration | Cloud Composer |
| Data lake storage foundation | Cloud Storage plus analytics tools |
Data decision traps
| Trap | Better thinking |
|---|---|
| Choosing BigQuery for high-frequency OLTP app transactions | BigQuery is analytics-focused; use transactional databases for OLTP |
| Choosing Cloud SQL for global horizontal scale with strong consistency | Consider Spanner if global relational scale is required |
| Choosing Bigtable because data is “big” | Bigtable fits low-latency key-based access patterns, not general SQL analytics |
| Choosing Firestore for complex relational joins | Firestore is document-oriented; model access patterns carefully |
| Storing secrets in Cloud Storage or source code | Use Secret Manager |
| Ignoring data residency or compliance clues | Choose region/multi-region deliberately and apply governance controls |
| Overusing multi-region storage without need | Balance availability, latency, compliance, and cost |
BigQuery and analytics review
BigQuery questions often mix cost, performance, governance, and ingestion choices.
| Need | Review point |
|---|---|
| Analyze large datasets with SQL | BigQuery |
| Load data periodically | Batch loads, BigQuery Data Transfer Service, Storage Transfer Service depending on source |
| Stream events | Pub/Sub into Dataflow or supported streaming ingestion patterns |
| Reduce query cost | Partitioning, clustering, selective columns, materialized views, query optimization |
| Control data access | Dataset/table permissions, authorized views, row-level and column-level controls where appropriate |
| Separate storage and compute | Understand BigQuery’s serverless analytics model |
| Share governed datasets | Use appropriate IAM and data sharing patterns |
BigQuery traps
- Querying unnecessary columns increases scanned data when using on-demand pricing models.
- Partitioning is useful only when queries filter on partitioned fields.
- Clustering helps when queries filter or aggregate on clustered columns.
- BigQuery is not a replacement for a low-latency transactional application database.
- Governance is not just IAM; consider dataset structure, views, policy tags, and auditability.
Security and IAM quick review
Security scenarios often ask for the least privileged, most auditable, and most maintainable answer.
| Requirement | Strong approach |
|---|---|
| Human access control | IAM groups, predefined/custom roles, least privilege |
| Application identity | Service accounts |
| Avoid long-lived keys | Workload identity federation or attached service accounts instead of downloadable keys |
| Store secrets | Secret Manager |
| Encryption key control | Cloud KMS / Cloud HSM when appropriate |
| Central policy enforcement | Organization Policy Service |
| Detect security risks | Security Command Center |
| Audit activity | Cloud Audit Logs |
| Restrict data exfiltration from supported services | VPC Service Controls |
| Context-aware access | Access Context Manager / BeyondCorp-style controls |
| Protect web apps | Cloud Armor |
| Private access to services | Private Service Connect and private networking patterns |
IAM decision rules
- Assign access to groups, not individual users, where possible.
- Use predefined roles before custom roles unless the scenario requires exact permission tailoring.
- Avoid Owner, Editor, and Viewer for production access unless the question explicitly justifies them.
- Use service accounts per workload rather than sharing one broad service account.
- Avoid service account keys when an identity-based alternative is available.
- Use organization policies to enforce constraints across projects.
- Use separation of duties for production deployments, security administration, and audit review.
Security traps
- “Encrypt the data” is not enough; identify whether default encryption is sufficient or customer-managed keys are required.
- Do not grant broad project-level roles to solve one resource-level permission issue.
- Do not expose a private workload with public IPs when private connectivity is required.
- Do not use firewall rules as the only security boundary for identity-sensitive services.
- Do not confuse authentication with authorization.
- Do not store API keys, passwords, or certificates in container images or source repositories.
Reliability, DR, and SRE review
PCA reliability questions usually test whether the architecture meets availability and recovery requirements without unnecessary complexity.
Key terms:
- RTO: how quickly the service must be restored.
- RPO: how much data loss is acceptable.
- SLO: target reliability level for a service.
- Error budget: allowable unreliability over a period.
Reliability design table
| Requirement | Design instinct |
|---|---|
| Survive zonal failure | Use regional managed services or deploy across zones |
| Survive regional failure | Use multi-region or cross-region DR design |
| Low RTO | Automate failover and keep warm/active capacity |
| Low RPO | Use synchronous or near-real-time replication where appropriate |
| Stateless web tier | Use load balancing and autoscaling across zones |
| Stateful database | Use managed HA, replicas, backups, and tested restore |
| Message buffering | Pub/Sub or queues to absorb spikes and decouple systems |
| Graceful degradation | Cache, fallback responses, circuit breakers |
| Operational visibility | Cloud Monitoring, Cloud Logging, tracing, alerts, dashboards |
DR pattern comparison
| Pattern | Use when | Tradeoff |
|---|---|---|
| Backup and restore | Lower cost, higher RTO acceptable | Slowest recovery |
| Pilot light | Minimal standby environment | Faster than restore, still needs scale-up |
| Warm standby | Reduced-capacity duplicate environment | Higher cost, faster recovery |
| Active-active | Very low RTO, global availability | Highest complexity and cost |
Reliability traps
- Backups do not prove recoverability; restores must be tested.
- Multi-zone is not the same as multi-region.
- Autoscaling does not fix database bottlenecks automatically.
- A load balancer cannot route to healthy capacity if the backend design is single-zone.
- SLOs should reflect user experience, not only infrastructure uptime.
- Alerting on every metric creates noise; alert on symptoms and user-impacting conditions.
Operations and observability
Operational questions look for maintainable, automated, auditable solutions.
| Need | Google Cloud capability |
|---|---|
| Metrics and alerting | Cloud Monitoring |
| Logs | Cloud Logging |
| Distributed traces | Cloud Trace |
| Error aggregation | Error Reporting |
| Service health and SLOs | Cloud Monitoring service monitoring |
| Audit trail | Cloud Audit Logs |
| Deployment automation | Cloud Build, Cloud Deploy, Terraform/infrastructure as code patterns |
| Config governance | Organization policies, policy-as-code, Config Controller/Config Sync where appropriate |
| Incident response | Dashboards, alerts, runbooks, postmortems |
Operations traps
- Manual console changes are rarely the best answer for repeatable production architecture.
- Alerts should be actionable and tied to service impact.
- Logs have cost and retention implications; collect what you need and manage retention.
- Monitoring must include dependencies such as databases, queues, and external services.
- Production changes should be versioned, reviewed, and reversible.
Cost and performance review
PCA cost questions are usually about selecting an architecture that meets requirements without overengineering.
| Cost area | Review points |
|---|---|
| Compute | Autoscaling, rightsizing, machine family selection, committed use discounts where appropriate |
| Serverless | Pay-per-use can reduce idle cost, but understand concurrency and invocation patterns |
| Storage | Choose appropriate storage class, lifecycle policies, retention, object versioning |
| Networking | Watch egress, inter-region traffic, CDN caching, private connectivity needs |
| BigQuery | Partitioning, clustering, materialized views, reservations/slots or on-demand fit |
| Logging | Log volume, exclusions, retention |
| Databases | Scale shape, replicas, HA, storage growth, backups |
| DR | Balance RTO/RPO against standby capacity cost |
Cost traps
- Choosing active-active multi-region when the RTO/RPO does not require it.
- Keeping development environments running 24/7 without need.
- Ignoring network egress in distributed architectures.
- Overprovisioning GKE clusters when serverless or autoscaling would satisfy the requirement.
- Using premium managed services by default without matching workload needs.
- Treating committed discounts as a first step before rightsizing and usage analysis.
Migration and modernization review
Migration scenarios test sequencing, risk reduction, downtime tolerance, and data movement.
| Scenario | Strong approach |
|---|---|
| Lift-and-shift VMs | Migrate to Virtual Machines / Compute Engine migration tooling |
| Modernize monolith gradually | Strangler pattern, APIs, staged migration |
| Database migration with minimal downtime | Database Migration Service where supported, replication, cutover planning |
| Large object/data transfer | Storage Transfer Service, Transfer Appliance for very large/offline transfers |
| Hybrid period required | Cloud VPN or Cloud Interconnect, hybrid DNS, identity integration |
| Validate before cutover | Pilot, test migration, dual-run, canary, rollback plan |
| Standardize infrastructure | Infrastructure as code and repeatable deployment pipelines |
| Legacy app with minimal changes | Compute Engine or VMware Engine depending on constraints |
Migration traps
- Replatforming everything at once increases risk unless the scenario requires it.
- Choosing a solution that requires downtime when the requirement says minimal downtime.
- Ignoring identity, DNS, firewall, monitoring, and rollback planning.
- Moving data without validating consistency and application compatibility.
- Forgetting that migration success includes operations after cutover, not only data transfer.
Scenario-reading technique for PCA
Use this checklist on every long question.
- Identify the primary business goal. Cost reduction, availability, compliance, modernization, speed, scalability, or migration?
- Underline hard constraints. “Must,” “without downtime,” “least operational overhead,” “existing Kubernetes,” “global,” “private,” “auditable.”
- Classify the workload. Web app, batch, analytics, streaming, relational transaction, document, ML, hybrid.
- Choose managed services first. Only add lower-level infrastructure when needed.
- Apply security by default. IAM least privilege, private access, encryption, audit logs, secrets management.
- Check reliability. Does the answer meet stated RTO/RPO and failure-domain requirements?
- Check cost and simplicity. Avoid architectures that exceed the requirement.
- Eliminate answers with one fatal flaw. Broad IAM, public exposure, manual process, single point of failure, wrong data model.
Common answer-choice patterns
| If the option says… | Be cautious because… |
|---|---|
| “Grant Owner role” | Usually violates least privilege |
| “Create service account keys” | Long-lived keys are often avoidable |
| “Use a single VM” | May fail availability/scaling requirements |
| “Use BigQuery for app transactions” | Wrong fit for OLTP |
| “Manually copy data” | Weak for repeatability, scale, and auditability |
| “Expose the database publicly” | Usually fails security requirements |
| “Use Cloud NAT for inbound access” | Cloud NAT is outbound only |
| “Use multi-region everywhere” | May overrun cost/complexity requirements |
| “Refactor all applications immediately” | Often too risky for migration scenarios |
| “Rely only on backups for low RTO” | Restore time may not meet requirement |
Final rapid review checklist
Before starting original practice questions, confirm that you can quickly explain:
- When to choose Cloud Run, GKE, Compute Engine, App Engine, or Cloud Functions
- How Shared VPC, VPC peering, Private Google Access, Private Service Connect, Cloud NAT, Cloud VPN, and Cloud Interconnect differ
- When to choose Cloud SQL, AlloyDB, Spanner, Firestore, Bigtable, BigQuery, or Cloud Storage
- How IAM inheritance, service accounts, least privilege, and organization policies work
- How to design for zonal, regional, and multi-region resilience
- How RTO, RPO, SLOs, and error budgets influence architecture choices
- How to reduce BigQuery, compute, storage, logging, and network costs
- How to plan staged migrations with validation and rollback
- How to spot overbroad permissions, public exposure, manual operations, and single points of failure
Connect this review to practice
After this Quick Review, move into IT Mastery practice:
- Use topic drills for weak areas such as IAM, networking, data services, and reliability.
- Use original practice questions to build scenario-reading speed.
- Use a full question bank to compare similar services under realistic constraints.
- Review detailed explanations carefully, especially when an answer is technically possible but not the best architectural choice.
Practical next step: choose one weak domain, complete a focused topic drill, and review every explanation until you can state why the correct answer is better than the plausible distractors.
Continue in IT Mastery
Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official Google Cloud questions, copied live-exam content, or exam dumps.