Course Introduction
Professional certification
Google Professional Cloud Architect
Design secure, resilient Google Cloud architectures and prove it on exam day. Use this guide to move from requirements to architectures, practice trade-offs, and memorize defaults with flashcards.
Outcomes
Translate business needs into secure, scalable reference designs.
Practice
Decision trees for compute, data, networking, and security trade-offs.
Exam focus
Flashcards that cover defaults, quotas, IAM scopes, and service fit.
Next steps
Apply patterns to migration, hybrid connectivity, and landing zones.
Exam Guide + Learning Objectives
The PCA exam validates your ability to design robust, secure, scalable, and highly available solutions that meet business objectives.
Exam Overview
Length: 2 hours
Format: 50-60 multiple choice and multiple select questions
Case studies: About 20-30% of questions from 4 case studies (EHR Healthcare, Helicopter Racing League, Mountkirk Games, TerramEarth)
Prereqs: None officially, but 3+ years industry experience (1+ year on GCP) recommended
The 6 Core Knowledge Domains
1) Designing and planning a cloud solution architecture
Business requirements: cost reduction (CapEx vs OpEx), agility, compliance, sovereignty.
Technical requirements: HA/Failover, scalability, performance/latency (CDN, edge, interconnect).
Migration planning: lift-and-shift, re-platform, re-factor; tools like Migrate to Virtual Machines (formerly Migrate for Compute Engine), Storage Transfer Service, BigQuery Data Transfer Service.
2) Managing and provisioning a solution infrastructure
Networking: VPCs, subnets, Shared VPC vs VPC peering; hybrid connectivity (VPN, Dedicated/Partner Interconnect).
Storage systems: object, file, block, RDBMS, NoSQL; capacity planning and lifecycle.
Compute systems: Compute Engine sizing, Spot VMs (successor to preemptible VMs) for fault-tolerant work; GKE Standard vs Autopilot.
3) Designing for security and compliance
IAM: principals, roles (basic (formerly primitive), predefined, custom), policies and inheritance through the resource hierarchy; service accounts; Cloud Identity.
Data security: default encryption at rest, CMEK, CSEK, Cloud KMS; encryption in transit (TLS).
Network security: VPC firewall rules, VPC Service Controls, Cloud Armor, IAP.
Compliance: Cloud Audit Logs (Admin Activity, Data Access), HIPAA, GDPR, PCI DSS.
4) Analyzing and optimizing technical and business processes
Technical: SDLC, CI/CD, troubleshooting, root cause analysis.
Business: stakeholder management, cost optimization, CUDs and SUDs.
5) Managing implementation
Deployments: blue/green, canary, rolling, A/B testing.
IaC: Terraform (preferred), Deployment Manager (legacy).
Tooling: Console, Cloud SDK (gcloud, including gcloud storage as the replacement for gsutil; bq), Cloud Shell, APIs.
6) Ensuring reliability
Monitoring: Cloud Operations, SLIs, SLOs, SLAs, alerting, uptime checks.
Incident response: post-mortems, DR patterns (cold/warm/hot).
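The SLO and error-budget arithmetic behind the "SLIs, SLOs, alerting" objective, as an added Python example (not course material and not Cloud Monitoring's own code). The SLO target, window and request counts are constructed; the 14.4x threshold is the common rule of thumb for "2% of a 30-day budget burned in one hour".

```python
"""Error budget and multi-window burn-rate alerting for an availability SLO.

Added example for the exam guide, not Google Cloud code. SLO, window and
request counts below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Slo:
    target: float           # 0.999 means 99.9% of requests must succeed
    window_days: int = 30   # rolling window the SLO is measured over

    @property
    def error_budget(self) -> float:
        """Fraction of requests allowed to fail over the window."""
        return 1.0 - self.target


def burn_rate(slo: Slo, bad: int, total: int) -> float:
    """Multiple of the 'sustainable' error rate seen in a measurement interval.

    1.0 means errors arrive at exactly the pace that exhausts the budget at the
    end of the window; 14.4 sustained for one hour spends 2% of a 30-day budget.
    """
    if total == 0:
        return 0.0
    return (bad / total) / slo.error_budget


def budget_remaining(slo: Slo, bad: int, total: int) -> float:
    """Fraction of the window's budget left (negative once the SLO is blown)."""
    return 1.0 - burn_rate(slo, bad, total)


def budget_spent_in_interval(slo: Slo, rate: float, interval_hours: float) -> float:
    """Share of the whole window's budget a given burn rate consumes in interval_hours."""
    return rate * interval_hours / (slo.window_days * 24)


def should_page(slo: Slo, long_bad: int, long_total: int,
                short_bad: int, short_total: int, threshold: float = 14.4) -> bool:
    """Multi-window burn-rate alert (one severity tier).

    Page only when the long window (e.g. 1 h) and the short window (e.g. 5 min)
    both burn faster than the threshold: the long window proves the impact is
    significant, the short window proves it is still happening.
    """
    return (burn_rate(slo, long_bad, long_total) >= threshold
            and burn_rate(slo, short_bad, short_total) >= threshold)


if __name__ == "__main__":
    slo = Slo(target=0.999)
    # Constructed: 2% of requests failed over the last hour and are still failing now.
    print(burn_rate(slo, bad=7200, total=360_000))              # ~20.0
    print(budget_spent_in_interval(slo, 20.0, 1))               # ~0.028 of the monthly budget in one hour
    print(should_page(slo, 7200, 360_000, 600, 30_000))         # True
    print(should_page(slo, 7200, 360_000, 0, 30_000))           # False: the outage already ended
```

The same numbers answer the exam-style question "why not alert on the raw error rate": a 99.9% SLO over 30 days tolerates about 43 minutes of total downtime, so an alert has to be expressed in how fast that allowance is being consumed, not in whether any errors occurred.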
Deep Dive: Critical Technical Topics
Compute choices
Compute Engine: lift-and-shift, custom OS, full control (IaaS).
GKE: microservices, container orchestration, hybrid/multi-cloud.
App Engine: PaaS web apps; Standard scales to zero; Flexible for custom runtimes.
Cloud Run: stateless containers, serverless scaling.
Cloud Functions: event-driven glue code (Pub/Sub, Storage triggers).
Storage & databases decision tree
Structured SQL: Spanner for global scale with strong consistency; Cloud SQL for traditional regional relational workloads; BigQuery for analytics (OLAP, not transactional).
NoSQL: Bigtable for high throughput; Firestore for document/mobile; Memorystore for caching.
Unstructured: Cloud Storage for images, videos, backups; Filestore for NFS.
Storage classes: Standard (hot, no minimum), Nearline (30-day minimum storage duration), Coldline (90 days), Archive (365 days); deleting or changing class before the minimum elapses still bills the full period.
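A lifecycle schedule that steps objects down those classes, with a check for the early-deletion trap the minimum storage durations create. This is an added Python example, not course material and not Google's tooling; the schedule is constructed, and the output is the lifecycle JSON that `gsutil lifecycle set` and `gcloud storage buckets update --lifecycle-file` accept.

```python
"""Cloud Storage lifecycle policy generator with a minimum-storage-duration check.

Added example for the exam guide, not Google Cloud code. The schedule is
constructed; the output uses the lifecycle JSON shape of the Cloud Storage API.
"""
import json

# Minimum storage duration per class (days). Moving or deleting an object out of
# a class before this elapses is billed as if it had stayed the full period.
MIN_STORAGE_DAYS = {"STANDARD": 0, "NEARLINE": 30, "COLDLINE": 90, "ARCHIVE": 365}
CLASSES = ["STANDARD", "NEARLINE", "COLDLINE", "ARCHIVE"]   # warm to cold


def lifecycle_policy(transitions, delete_after=None):
    """transitions: [(age_days, storage_class), ...]; returns the lifecycle object.

    matchesStorageClass restricts each rule to objects still in a warmer class, so
    an object uploaded directly as COLDLINE is never matched by the NEARLINE rule.
    """
    rules = []
    for age, cls in sorted(transitions):
        warmer = CLASSES[:CLASSES.index(cls)]
        rules.append({
            "action": {"type": "SetStorageClass", "storageClass": cls},
            "condition": {"age": age, "matchesStorageClass": warmer},
        })
    if delete_after is not None:
        rules.append({"action": {"type": "Delete"}, "condition": {"age": delete_after}})
    return {"lifecycle": {"rule": rules}}


def early_deletion_risks(transitions, delete_after=None):
    """Return (class, days_held, minimum) for every step that leaves a class too early.

    A SetStorageClass transition counts as a deletion from the previous class, so
    Nearline@30 -> Coldline@60 holds Nearline for exactly its 30-day minimum (fine),
    but Archive@365 -> Delete@400 holds Archive for 35 of its 365-day minimum.
    """
    steps = [(0, "STANDARD")] + sorted(transitions)
    if delete_after is not None:
        steps.append((delete_after, "DELETED"))
    problems = []
    for (age_in, cls), (age_out, _next) in zip(steps, steps[1:]):
        held = age_out - age_in
        if held < MIN_STORAGE_DAYS[cls]:
            problems.append((cls, held, MIN_STORAGE_DAYS[cls]))
    return problems


if __name__ == "__main__":
    schedule = [(30, "NEARLINE"), (60, "COLDLINE"), (365, "ARCHIVE")]
    print(early_deletion_risks(schedule, delete_after=400))   # [('ARCHIVE', 35, 365)]
    print(json.dumps(lifecycle_policy(schedule, delete_after=400), indent=2))
```

Lifecycle conditions are evaluated against the object's age since creation, not since its last class change, which is why the check walks the schedule as consecutive holding periods rather than looking at each rule on its own.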
Networking essentials
Load balancing: global external HTTP(S) (L7, with Cloud CDN and Cloud Armor), external SSL/TCP proxy (L4 proxy, global), regional external passthrough network LB (L4), internal HTTP(S) and internal passthrough network LB.
Interconnects: Dedicated (10 or 100 Gbps per link), Partner (50 Mbps-50 Gbps via a carrier), Cloud VPN (IPsec over the internet; HA VPN for a 99.99% SLA).
The Case Studies
Memorize goals and constraints to save exam time.
EHR Healthcare
Challenges: scaling, legacy transformation, high availability.
Solutions: GKE, Spanner/Cloud SQL, Pub/Sub, Anthos.
Focus: HIPAA compliance and interoperability.
Helicopter Racing League (HRL)
Challenges: low latency, real-time analytics, global spikes.
Solutions: Dataflow, BigQuery, Cloud CDN, AI insights.
Focus: real-time data + global delivery.
Mountkirk Games
Challenges: viral scale, legacy MySQL replacement, time-series data.
Solutions: Spanner, BigQuery, GKE/App Engine.
Focus: global scale with managed services.
TerramEarth
Challenges: IoT telemetry at scale, hybrid connectivity, batch vs streaming.
Solutions: MQTT bridge to Pub/Sub, BigQuery, Bigtable.
Focus: IoT pipelines and hybrid connectivity.
Strategic Golden Rules
Managed services first: choose fully managed when minimizing ops overhead.
Global vs regional vs zonal: know resource scope (VPCs global, subnets regional, VMs zonal).
Decoupling: prefer Pub/Sub for asynchronous workflows.
Least privilege: grant predefined or custom roles at the narrowest scope; avoid basic roles (Owner/Editor/Viewer) in prod, and remember that bindings inherited from folders or the organization cannot be revoked on the project.
Cost awareness: Spot VMs (preemptible) for fault-tolerant batch work, committed use discounts for steady workloads.
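The "least privilege" rule and the IAM objectives in domain 3 both hinge on how policies inherit down the resource hierarchy. The following is an added Python example (not course material and not Google tooling) that computes a principal's effective roles on a project from constructed organization, folder and project policies, then flags the grants an architect would reject in production. The hierarchy, principals and policies are hypothetical; the policy shape matches what `gcloud ... get-iam-policy --format=json` returns.

```python
"""Effective IAM bindings through the resource hierarchy, plus a least-privilege audit.

Added example for the exam guide, not Google Cloud code. The hierarchy and the
policies are constructed; they use the {"bindings": [{"role", "members"}]} shape
that `gcloud <resource> get-iam-policy --format=json` returns.
"""
from collections import defaultdict

# Basic (formerly primitive) roles bundle thousands of permissions across every service.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that open a binding to the whole internet or to any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed hierarchy: child -> parent (None at the organization root).
HIERARCHY = {
    "organizations/123456": None,
    "folders/prod": "organizations/123456",
    "projects/prod-web": "folders/prod",
}

# Constructed policies, one per node.
POLICIES = {
    "organizations/123456": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:cloud-admins@example.com"]},
        {"role": "roles/viewer", "members": ["group:everyone@example.com"]},
    ]},
    "folders/prod": {"bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
    ]},
    "projects/prod-web": {"bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:web@prod-web.iam.gserviceaccount.com"]},
    ]},
}


def ancestry(resource, hierarchy=HIERARCHY):
    """The resource itself, then each parent up to the organization node."""
    chain = []
    node = resource
    while node is not None:
        chain.append(node)
        node = hierarchy[node]
    return chain


def effective_bindings(resource, hierarchy=HIERARCHY, policies=POLICIES):
    """IAM policies are additive: a principal's roles on a resource are the union
    of the bindings on the resource and on every ancestor. A child policy can
    add grants but never revoke an inherited one.

    Returns {member: {(role, resource_where_granted), ...}}.
    """
    grants = defaultdict(set)
    for node in ancestry(resource, hierarchy):
        for binding in policies.get(node, {}).get("bindings", []):
            for member in binding["members"]:
                grants[member].add((binding["role"], node))
    return dict(grants)


def audit(resource, hierarchy=HIERARCHY, policies=POLICIES, production=True):
    """Flag basic roles on production resources and any public principal.

    Each finding names where the grant lives: an Editor inherited from a folder
    can only be removed at the folder, not on the project that suffers it.
    """
    findings = []
    for member, roles in effective_bindings(resource, hierarchy, policies).items():
        for role, where in roles:
            if member in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC: {member} has {role} via {where}")
            if production and role in BASIC_ROLES:
                findings.append(f"BASIC_ROLE: {member} has {role} via {where}")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit("projects/prod-web"):
        print(line)
```

Against a real project, replace the constructed dictionaries with the output of `gcloud projects get-ancestors PROJECT_ID` and one `get-iam-policy` call per ancestor; at organization scale the same question is what Policy Analyzer in Cloud Asset Inventory answers. The `allUsers` finding is deliberately reported rather than auto-rejected, because a public Cloud Run invoker can be intentional for a public site.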
Key Questions
Compute Engine vs Cloud Run?
Compute Engine = VMs with OS control; Cloud Run = serverless containers that scale to zero.
When choose Cloud Spanner over Cloud SQL?
Spanner for global scale and strong consistency; Cloud SQL for regional relational workloads.
Pay-as-you-go vs traditional procurement?
Cloud OpEx = usage-based; traditional = upfront CapEx.
Purpose of Organization node?
Root of the resource hierarchy for centralized policy management.
Storage class for yearly access?
Archive Storage for data accessed about once per year.
How does Cloud Load Balancing improve reliability?
Distributes traffic across backends and regions to handle spikes and failover.
Cost estimate before migration?
Use the Google Cloud Pricing Calculator.
Shared responsibility in cloud security?
Google secures the infrastructure; customers secure data, IAM, and configs.
Best service for VMware lift-and-shift?
Google Cloud VMware Engine.
Region vs Zone?
Regions are geographic areas; zones are isolated locations within a region.
Vocabulary
HA
High Availability: keep systems up during failures.
SLA
Provider uptime commitment with financial backing.
Latency
Time between sending a request and receiving the response; driven by distance, network hops, and processing time.
TCO
Total cost to acquire and operate infrastructure.
Zero Trust
Assume no user/device is trusted by default.
Microservices
Independent services that together form an app.
Flashcards
Architectural guardrails, services, and trade-offs
Architecture Decision Diagrams
Storage & Data Decision
Compute Decision Tree
Network Decision Tree
Security Layers Reference
Traffic & Load Balancer Selection
| LB Type | Scope | Protocol | Best For |
|---|---|---|---|
| External HTTP(S) (global Application LB) | Global | HTTP/S (L7) | Web apps/APIs; Cloud CDN, Cloud Armor WAF |
| External SSL/TCP proxy | Global | TCP/TLS (L4 proxy) | Non-HTTP TCP behind one anycast IP, TLS offload |
| External passthrough network LB | Regional | TCP/UDP (L4, passthrough) | Legacy/non-HTTP protocols, client IP preserved, lowest latency |
| Internal HTTP(S) (Application LB) | Regional | HTTP/S (L7) | L7 routing inside the VPC or from on-prem, PSC backends |
| Internal passthrough network LB | Regional | TCP/UDP (L4, passthrough) | Service-to-service within the VPC |
Streaming vs Batch Data Processing
| Pattern | Latency | Engine | Use Cases |
|---|---|---|---|
| Streaming | Sub‑second to seconds | Dataflow (Beam), Pub/Sub, BigQuery streaming | Telemetry, fraud, real‑time analytics |
| Micro‑batch | Minutes | Dataflow, Cloud Run Jobs, Workflows | Near‑real time aggregations |
| Batch | Hours | Dataproc/Batch, Dataflow, BigQuery scheduled | ETL, reports, backfills |
Compute Runtime Chooser
| Runtime | Ops Model | Best For | Notes |
|---|---|---|---|
| Cloud Run | Fully managed | Stateless HTTP, event-driven | Scale to zero, rapid deploy, invocation gated by IAM (run.invoker) |
| Cloud Functions | Fully managed | Simple event handlers | Lightweight, single-purpose functions |
| GKE | Managed control plane | Complex microservices | Pods, HPA/VPA, service mesh traffic and authorization policies |
| Compute Engine | Self-managed | Custom/legacy workloads | Full control; use MIGs, custom images, OS Config for patching |
Transactional vs Analytics Storage
| Service | Model | Strength | Choose When |
|---|---|---|---|
| Cloud Spanner | Relational | Global consistency, HA | Strict consistency + massive scale |
| Cloud SQL | Relational | Simplicity | Common RDBMS apps |
| Bigtable | Wide‑column | Low‑latency | Time‑series, large sparse datasets |
| Firestore | Document | Developer agility | Mobile/web with offline |
| BigQuery | Columnar analytics | Serverless analytics | BI/Reporting/ML over large data |
AI Solution Selection
| Option | Focus | Use When | Notes |
|---|---|---|---|
| Gemini APIs | LLM tasks | Chat, summarize, code assist | Fast start; enterprise controls |
| Vertex AI | ML ops | Train/tune/deploy/monitor | Pipelines, Model Garden, evaluation |
| Agent Builder | Agents | Task‑oriented workflows | Tool use, grounding, orchestration |
| Model Garden | Prebuilt | Pick best‑fit models | Integrate managed models |
Resilience & DR Topologies
| Topology | RTO/RPO | Complexity | Notes |
|---|---|---|---|
| Active‑Passive | Low/Low | Medium | Warm or hot standby in a second region; replicate data; DNS/LB failover |
| Active‑Active | Very low/Very low | High | Global LB; multi‑region data sync; conflict resolution |
| Regional HA | Low/Low | Low | Zonal redundancy only: survives a zone outage, not a regional one; snapshots/backups |
Hybrid Connectivity Choices
| Method | Availability | Bandwidth | Use When |
|---|---|---|---|
| Dedicated Interconnect | Very high | 10/100 Gbps | Mission‑critical hybrid, low latency |
| Partner Interconnect | High | 50 Mbps‑50 Gbps | Carrier‑mediated connectivity, no colocation needed |
| HA VPN | High (99.99% SLA) | Up to ~3 Gbps per tunnel | Quick setup, IPsec‑encrypted over the internet |
| Classic VPN | Medium (99.9% SLA) | Lower | Non‑HA or dev/test; legacy |
| VPC Peering | High | N/A (VPC‑to‑VPC, not hybrid) | Privately connect VPCs (no transitive routing) |