Google Professional Cloud Architect: The GCP Cert That Proves You Can Design Enterprise Cloud

Section 1 — Designing and Planning a Cloud Solution Architecture (~31%)

The highest-weighted section. Questions present a business scenario with stated requirements — cost constraints, compliance mandates, latency targets, geographic coverage, existing on-premises infrastructure — and ask candidates to select or justify an architecture. The core competencies:

• Requirements translation: mapping RPO/RTO targets, availability SLAs, data residency rules, and budget envelopes to specific GCP service combinations
• Compute tier selection: Compute Engine (maximum control, OS access, IaaS), GKE (container orchestration for microservices requiring auto-scaling and rolling updates), Cloud Run (serverless containers, stateless HTTP workloads, no infrastructure to manage), Cloud Functions (event-triggered short-duration tasks), App Engine Standard vs Flexible (PaaS for web apps, Standard for stateless traffic spikes at minimal cost, Flexible for custom runtimes or long-running requests)
• GCP VPC model: unlike AWS and Azure, GCP VPCs are global resources — a single VPC spans all regions, with subnets being regional. This eliminates inter-region VPC peering within a project entirely. VMs in a VPC can reach each other across regions without routing configuration unless firewall rules block them. Shared VPC centralises network administration across multiple projects; VPC Peering connects separate VPCs without a shared network admin.
• Migration planning: 4R migration strategies (rehost, replatform, refactor, rebuild), lift-and-shift timeline vs modernisation sequencing, Migrate to VMs for VM-based workloads vs application-layer migration to App Engine or GKE for cloud-native refactoring

Section 2 — Managing and Provisioning a Solution Infrastructure (~17%)

Storage selection decision tree — the map candidates must internalise:

• Cloud Storage: object storage with four storage classes — Standard (frequent access), Nearline (monthly), Coldline (quarterly), Archive (annual). Lifecycle rules automate class transitions. Dual-region and multi-region buckets for geo-redundancy.
• Cloud SQL: managed relational for MySQL, PostgreSQL, and SQL Server. HA via synchronous standby replica in a different zone. Read replicas for read scaling within and across regions. The choice for lift-and-shift relational workloads that fit within a single region.
• Cloud Spanner: horizontally scalable global relational database with ACID compliance and 99.999% multi-region SLA. The choice when the workload outgrows Cloud SQL’s single-instance vertical scaling or requires active-active writes across regions. Spanner’s distributed commit uses TrueTime; the exam tests when Spanner is justified vs Cloud SQL with a cross-region read replica.
• BigQuery: serverless columnar data warehouse for analytics. Partitioned tables (date/integer partitioning) and clustered tables reduce query costs by eliminating scanned partitions. Not a transactional database — optimised for analytical reads over large datasets, not OLTP point queries.
• Firestore: document-oriented NoSQL with real-time sync and offline support, designed for mobile and web application backends. Bigtable: wide-column NoSQL for time-series data, IoT telemetry, and high-throughput workloads at petabyte scale where query patterns are known at design time.

Connectivity and networking: Cloud Interconnect Dedicated (10 Gbps or 100 Gbps direct connection, lowest latency, requires colocation with a Google facility) vs Cloud Interconnect Partner (sub-10 Gbps via service provider, no colocation required) vs HA VPN (IPsec over public internet, two tunnel pairs per gateway for 99.99% SLA). Cloud Router provides dynamic BGP routing over Interconnect and HA VPN. Cloud DNS private zones for internal resolution across projects and VPCs.

Section 3 — Designing for Security and Compliance (~20%)

GCP’s IAM resource hierarchy is the structural foundation of all cloud security: Organisation > Folder > Project > Resource. Policies set at a higher level inherit downward. The exam tests multi-project IAM architecture: when to use folders for policy inheritance vs per-project role bindings, and how to design least-privilege service account assignments without creating overly broad project-level permissions.

Service account patterns: user-managed service accounts for workloads requiring explicit identity; Workload Identity Federation for authenticating external workloads (GitHub Actions, AWS roles, on-premises OIDC providers) to GCP without long-lived service account keys. Impersonation is preferred over key-based access wherever possible — the exam tests this distinction in multi-cloud and CI/CD pipeline scenarios.

• VPC Service Controls: defines a security perimeter around a set of projects and Google API endpoints. Traffic from within the perimeter can access the APIs; external traffic is blocked unless an access policy grants an exception. VPC Service Controls addresses data exfiltration prevention at the API level — distinct from VPC firewall rules, which filter network packets. The exam frequently tests scenarios where both must be combined.
• Cloud KMS: customer-managed encryption keys (CMEK) for Cloud Storage, BigQuery, GKE, and other services. Cloud EKM: externally managed keys held in an on-premises or third-party HSM, never accessible to Google. CSEK: customer-supplied keys passed per-request for Compute Engine disk and Cloud Storage object encryption.
• Organisation Policy Service: constraint-based controls that restrict what resources can be created within an organisation or folder — for example, constraints/compute.requireShieldedVm or constraints/iam.disableServiceAccountKeyCreation. Evaluated at deployment time, not at runtime, unlike IAM conditions.
• Access Transparency: audit logs of Google employee administrative access to customer content — relevant for regulated industries (financial services, healthcare, government) requiring evidence that cloud provider access is auditable and consent-gated.

Section 4 — Analyzing and Optimizing Technical and Business Processes (~18%)

Cost optimisation: the Recommender API surfaces machine type right-sizing recommendations, idle resource detections, and committed use discount (CUD) coverage gaps. Spot VMs (the successor to preemptible instances) are available at up to 91% cost savings for fault-tolerant batch and stateless workloads. The exam tests when Spot VMs are appropriate (stateless, interruptible) vs On-Demand VMs (production, stateful) vs Committed Use Discounts (predictable baseline capacity, one- or three-year terms).

Reliability engineering: the SLO/SLI/error budget model from Google’s SRE practice. Defining service-level indicators (request latency at the 99th percentile, availability percentage, error rate), setting SLOs against those SLIs, and using the error budget as a release velocity gate. When the error budget is exhausted, feature releases pause in favour of reliability work. The exam presents scenarios where the correct answer is adjusting the SLO, modifying alerting thresholds, or changing the deployment cadence based on error budget burn rate.

Cloud Operations Suite: Cloud Monitoring for metrics collection, dashboards, and alerting policies; Cloud Logging for structured log ingestion with log sinks to BigQuery (long-term analytics retention), Cloud Storage (archive), or Pub/Sub (streaming to external SIEM). Cloud Trace for distributed request latency tracing. Cloud Profiler for CPU and heap profiling in production without significant overhead. The exam tests which tool addresses a stated observability gap.

Section 5 — Managing Implementation (~11%)

Infrastructure as Code: Terraform is Google’s recommended IaC tool for GCP and the primary tool tested in this section — provider configuration, resource graph, state management, and module composition. Deployment Manager (Google-native YAML/Python/Jinja IaC) is tested for legacy context but Terraform is preferred in modern architectures for portability and ecosystem breadth. The exam tests when to use config management (Ansible, Chef, Puppet) for in-guest configuration vs declarative IaC for infrastructure provisioning — they address different layers and are not substitutes.

CI/CD on GCP: Cloud Build (serverless build service, triggered by source push or manual API call), Cloud Deploy (managed continuous delivery with promotion between staging and production environments for GKE, Cloud Run, and Compute Engine), Artifact Registry (container images and language packages, the successor to Container Registry). Binary Authorization: a deploy-time policy that allows only cryptographically signed container images from trusted attestors to run on GKE or Cloud Run — closes the gap between code signing and runtime deployment enforcement. The exam tests Binary Authorization in regulated workload scenarios where the requirement is “only auditor-approved images may reach production.”

Section 6 — Ensuring Solution and Operations Reliability (~13%)

High availability architectures: GKE regional clusters (control plane and nodes distributed across three zones in a region, 99.95% control plane SLA) vs zonal clusters (single zone, lower cost, no control plane redundancy — appropriate for development environments). Cloud Spanner multi-region replication for database HA with 99.999% availability. Cloud Storage multi-region buckets for object storage at 99.95% SLA vs regional at 99.9%.

Disaster recovery tiers: cold (backup restore on demand, highest RTO/RPO, lowest cost), warm (scaled-down standby environment, moderate RTO/RPO), hot (full-capacity standby, low RTO/RPO, near-production cost), multi-site active-active (zero RTO/near-zero RPO, highest cost). The exam maps RPO/RTO requirements to the correct DR tier and the specific GCP services that implement it — Persistent Disk snapshots and Cloud SQL automated backups for cold/warm, cross-region Cloud SQL replicas and GKE multi-cluster traffic management for hot/active-active.

• Global load balancing: HTTP(S) Load Balancing (Layer 7, global anycast, Cloud CDN integration, Cloud Armor WAF), Cloud Armor for DDoS mitigation and WAF rules applied at the global LB edge, TCP/SSL Proxy LB (Layer 4, global), Network LB (Layer 4, regional, pass-through for non-proxied TCP/UDP). The exam tests matching workload characteristics (HTTP vs TCP, global vs regional, CDN/WAF requirement) to the correct LB tier.
• Cloud CDN: integrated with HTTP(S) LB, caches responses at Google’s edge PoPs. Cache keys are configurable — the exam tests scenarios where default cache key behaviour causes cache fragmentation or cache poisoning, and how custom cache keys resolve them.