The most comprehensive free preparation course for the GCP Professional Cloud Architect exam. Master Shared VPC and multi-region architecture, Cloud Spanner and Bigtable data design, Anthos multi-cloud management, VPC Service Controls data perimeters, Binary Authorization supply chain security, SLO engineering with burn rate alerting, and chaos engineering for resilience validation. Scenario-based throughout — every module mirrors real PCA exam case studies.
| Exam fact | Details |
|---|---|
| Exam code | Professional Cloud Architect (GCP PCA) |
| Full name | Google Cloud Certified – Professional Cloud Architect |
| Questions | 50–60 (mix of MCQ and case study questions) |
| Passing score | 70%+ (Google uses scaled scoring, not publicly disclosed) |
| Duration | 120 minutes |
| Price | $200 USD |
| Prerequisites | 3+ years of industry experience, 1+ year of GCP hands-on (GCP ACE recommended) |
| Renewal | Recertify every 2 years via a 2-hour recertification exam |
Build the mental model for GCP's global infrastructure before diving into services. Understand regions, zones, points-of-presence, and how Google's private backbone differs from the public internet. Learn the Resource Hierarchy (organization → folders → projects → resources) and how IAM policies are inherited. Master the shared responsibility model for GCP and the Well-Architected Framework's six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. Grasp network fundamentals: how a GCP VPC is global (not regional like AWS), and how default routes and VPC flows differ from traditional networks.
Domain 1 carries the highest exam weight (24%) and focuses on selecting the right service for complex architectural scenarios. Learn to choose between Cloud Spanner (global ACID transactions), Bigtable (high-throughput time-series), Firestore (mobile real-time sync), and Cloud SQL (relational, single-region). Design Pub/Sub fan-out patterns for decoupled event-driven architectures. Configure Global HTTPS Load Balancers with anycast TLS termination at Google's edge. Design ephemeral Dataproc clusters for batch ML workloads to minimize cost. Understand when Anthos multi-cloud is the answer for hybrid/multi-cloud Kubernetes management.
Domain 2 covers the provisioning and management of GCP infrastructure. Master Terraform with GCS backend for state locking and version history — the standard IaC approach on GCP. Configure GKE Autopilot (fully managed node infrastructure, billed per pod request) versus GKE Standard with Cluster Autoscaler (GPU node pools with minimum=0 for zero-cost idle). Design MIG autoscaling with warmup periods so new instances are ready before traffic hits them. Implement GKE regional clusters with pod anti-affinity for zone-resilient deployments. Configure Cloud Monitoring SLO burn rate alerts for proactive error budget management.
Domain 3 (18%) focuses on Google's zero-trust security model. VPC Service Controls create a security perimeter around GCP services — a request from outside the perimeter is denied even when it carries valid credentials, so those credentials cannot be used to exfiltrate data. Workload Identity eliminates service account key files by binding Kubernetes service accounts to GCP service accounts. Binary Authorization ensures that only attested, scanned container images can be deployed to GKE production. Cloud Armor with OWASP WAF rules protects against L7 attacks. Organization Policy constraints (vmExternalIpAccess, compute.restrictCloudSQLInstances) enforce security at the org level. Cloud IAP enables zero-trust access to internal web applications without VPN.
Domain 4 (18%) covers optimizing both performance and costs across the GCP portfolio. BigQuery Editions introduce reservation-based pricing for predictable ETL workloads — combine with on-demand pricing for ad-hoc analytics. BigQuery BI Engine accelerates Looker dashboards to sub-second response via in-memory caching. VPA (Vertical Pod Autoscaler) automatically right-sizes pod CPU/memory requests to eliminate over-provisioning waste. Cloud Profiler continuously profiles production services at under 1% overhead. Cloud Trace provides distributed tracing waterfall views for diagnosing multi-service latency. Use Committed Use Discounts (CUDs) for stable VMs and Spot VMs for seasonal burst workloads.
Domain 5 (11%) covers the tools for delivering software reliably. Cloud Build is GCP's native CI service — cloudbuild.yaml defines sequential steps for build, test, vulnerability scan, and artifact signing. Cloud Deploy provides a managed CD pipeline with promotion gates and requireApproval for production deployments, ensuring the same release artifact flows through all stages. Anthos Config Management's Config Sync watches a Git repository and continuously reconciles configuration across all registered GKE clusters. Binary Authorization enforcement at GKE admission ensures only internally built, attested images can be deployed — closing the supply chain security loop.
Domain 6 (14%) is the SRE domain — and one of the highest-yield areas for the PCA exam. Master the SLI/SLO/Error Budget framework: define SLIs as ratio metrics (HTTP 2xx / total requests), express SLOs as a percentage target over a rolling window, and calculate the error budget. Implement multi-window burn rate alerting from the Google SRE Workbook: 1-hour window at 14.4x burn + 6-hour window at 2x burn catches fast burns without noise. Configure Cloud SQL PITR for precise recovery from accidental data deletion. Design chaos engineering experiments to validate failover assumptions before incidents happen. Apply Production Readiness Reviews to gate production launches.
Shared VPC: multiple service projects share one host project's VPC, which centralizes networking, routing, and firewall rules. VPC Peering: two VPCs connect bidirectionally but do NOT share routes transitively (A↔B and B↔C do not give A↔C). Choose Shared VPC when you need centralized egress control or a common DNS/proxy architecture.
IAM controls WHO can access a resource. VPC Service Controls controls FROM WHERE. Even with valid IAM credentials, a request from outside the VPC SC perimeter is denied. This is the data exfiltration defense-in-depth layer — stolen credentials used from an attacker's network cannot exfiltrate data from BigQuery or Cloud Storage.
Don't alert on raw error rate — alert on burn rate. A 14.4x burn rate on a 99.9% SLO exhausts the monthly budget in 2 hours. Configure multi-window alerts: short window (1h) detects fast burns, long window (6h) suppresses single-spike noise. This pattern from the Google SRE Workbook is the #1 high-value SRE topic on the PCA exam.
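
The multi-window burn rate check described above, as an added example (not part of the original course material). It uses the 99.9% SLO and the 1h/14.4x and 6h/2x thresholds from the text; the per-minute sample format, the function names, and the rule that both windows must trip before paging are assumptions.

```python
from typing import List, NamedTuple, Tuple

SLO_TARGET = 0.999        # 99.9% availability SLO, as in the text
FAST_WINDOW = (60, 14.4)  # 1-hour window, 14.4x burn threshold (from the text)
SLOW_WINDOW = (360, 2.0)  # 6-hour window, 2x burn threshold (from the text)

Minute = Tuple[int, int]  # (total requests, failed requests) for one minute


class Verdict(NamedTuple):
    page: bool
    fast_burn: float
    slow_burn: float


def burn_rate(samples: List[Minute], window_min: int, slo: float = SLO_TARGET) -> float:
    """Observed error ratio over the window divided by the ratio the SLO allows."""
    recent = samples[-window_min:]
    total = sum(t for t, _ in recent)
    errors = sum(e for _, e in recent)
    if total == 0:  # no traffic means no budget was spent
        return 0.0
    return (errors / total) / (1.0 - slo)


def evaluate(samples: List[Minute]) -> Verdict:
    """Assumed combination: page only when BOTH windows exceed their threshold."""
    fast = burn_rate(samples, FAST_WINDOW[0])
    slow = burn_rate(samples, SLOW_WINDOW[0])
    return Verdict(fast >= FAST_WINDOW[1] and slow >= SLOW_WINDOW[1], fast, slow)


# Constructed per-minute samples (not real telemetry), newest minute last.
HEALTHY = [(1000, 0)] * 360
# 5 clean hours, then 1 hour at 2% errors under normal traffic.
SUSTAINED = [(1000, 0)] * 300 + [(1000, 20)] * 60
# 5 clean busy hours, then a quiet hour (50 req/min) at the same 2% error ratio.
QUIET_BLIP = [(1000, 0)] * 300 + [(50, 1)] * 60

if __name__ == "__main__":
    for name, data in [("healthy", HEALTHY), ("sustained", SUSTAINED), ("quiet blip", QUIET_BLIP)]:
        v = evaluate(data)
        print(f"{name:10s} 1h={v.fast_burn:5.1f}x 6h={v.slow_burn:5.2f}x page={v.page}")
```

Both failing scenarios show the same 2% error ratio in the last hour, but only the one that also moves the 6-hour window pages; a raw error-rate alert would have fired on both.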
60 scenario-based practice questions covering all 6 exam domains. Free, no signup, no account required.