Google Cloud PCA
Master Service List
Professional Cloud Architect Exam Study Cheat Sheet
How to use this • Use this as the master PCA coverage checklist. • As you work practice questions, add your own use cases, gotchas, and confused-with notes. • Prioritize the areas you do not already use at work: AI/GenAI, Google-specific identity, networking edge cases, database selection, migration, and Well-Architected tradeoffs. |
High-Yield Study Focus
Area | What to drill |
|---|---|
AI / GenAI | Vertex AI, Gemini Enterprise Agent Platform, Gemini models, Agent Builder, Model Garden, Model Armor, AI Hypercomputer |
Identity & Governance | Resource hierarchy, Org Policy, IAM Conditions, service account impersonation, Workload Identity Federation, IAP, Context-Aware Access |
Networking edge cases | PSC vs Private Google Access vs Cloud NAT, Shared VPC vs Peering, VPN vs Interconnect, Cloud Router/BGP, global vs regional load balancing |
Database choices | Cloud SQL vs AlloyDB vs Spanner vs Bigtable vs Firestore vs BigQuery |
Migration & Hybrid | Migration Center, GCVE, Bare Metal, Migrate to VMs, Migrate to Containers, DMS, GDC/GKE Enterprise |
Well-Architected decisions | Availability, reliability, cost, performance, security, sustainability, and business tradeoffs |
Section Index
# | Area | Items |
|---|---|---|
1 | Compute, Containers, and Serverless | 23 |
2 | Networking and Connectivity | 35 |
3 | Storage, Backup, and Data Transfer | 23 |
4 | Databases and Caching | 14 |
5 | Security, Identity, Governance, and Compliance | 39 |
6 | Data Analytics, BI, and Messaging | 18 |
7 | AI, ML, and GenAI | 27 |
8 | Application Integration and Serverless Orchestration | 12 |
9 | Operations, Observability, Reliability, and Cost | 25 |
10 | CI/CD, DevOps, IaC, and Software Supply Chain | 24 |
11 | Migration, Hybrid, and Multicloud | 21 |
12 | Business, Architecture, and Exam-Style Concepts | 27 |
1. Compute, Containers, and Serverless
Focus: Google’s guide explicitly calls out mapping compute needs to GKE, Cloud Run, Cloud Run functions, spot VMs, custom machine types, specialized workloads, GCVE, and AI Hypercomputer.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
Compute Engine / GCE | Core VM service |
Managed Instance Groups / MIGs | Autoscaling, autohealing, rolling updates |
Spot VMs / Preemptible VMs | Batch, fault-tolerant workloads |
Custom machine types | Cost/performance tuning |
Sole-tenant nodes | Licensing/compliance isolation |
GPUs / TPUs / accelerators | AI/ML training and specialized compute |
Google Kubernetes Engine / GKE | Managed Kubernetes |
GKE Standard | More node/control flexibility |
GKE Autopilot | More managed, less node management |
Node auto-provisioning | GKE capacity automation |
VPC-native GKE / alias IPs | Native pod/service IP design |
Workload Identity for GKE | Secure GKE-to-Google API auth |
GKE fleets / multi-cluster management | Important for enterprise/multicluster designs |
Config Management / Config Sync | Policy/config consistency across clusters |
Policy Controller | Governance/policy enforcement for GKE fleets |
Cloud Run | Serverless containers, scale to zero |
Cloud Run functions / Cloud Functions | Event-driven FaaS, now aligned with Cloud Run functions naming |
App Engine Standard | PaaS, quick scale, opinionated runtime |
App Engine Flexible | More flexible runtime/container options |
Serverless VPC Access | Private VPC access from serverless |
Google Cloud VMware Engine / GCVE | VMware lift-and-shift |
Bare Metal Solution | Legacy/licensing-constrained workloads |
AI Hypercomputer | AI infrastructure topic specifically called out in the exam guide |
2. Networking and Connectivity
Focus: The exam guide specifically calls out VPC, peering, firewalls, load balancers, routing, container networking, Shared VPC, PSC, hybrid networking, multicloud networking, and security protection such as intrusion protection/access control/firewalls.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
VPC | Global VPC, regional subnets |
Subnets | Regional subnet design |
Routes | Custom routes, dynamic routing |
Firewall rules | Instance/network access control |
Hierarchical firewall policies | Org/folder/project-level firewall governance |
Shared VPC | Centralized network host project |
Service projects | Workloads use host project network |
VPC Network Peering | Private VPC-to-VPC, non-transitive |
Private Service Connect / PSC | Private access to Google/third-party/producer services |
Private Google Access | Private VM access to Google APIs without external IPs |
Cloud NAT | Outbound internet for private instances |
Cloud Router | Dynamic BGP for VPN/Interconnect |
Cloud VPN | IPsec over public internet |
HA VPN | 99.99% SLA design, BGP |
Classic VPN | Legacy/static lower priority |
Cloud Interconnect | Private physical connectivity |
Dedicated Interconnect | Direct physical link |
Partner Interconnect | Through service provider |
Network Connectivity Center / NCC | Hub-and-spoke hybrid/multicloud networking |
Cloud Load Balancing | Global/regional, external/internal |
External HTTP(S) Load Balancer | Global L7 web load balancing |
Internal Load Balancer | Private app/database tier traffic |
SSL Proxy / TCP Proxy Load Balancing | Non-HTTP global proxy use cases |
Cloud DNS | Public/private DNS |
Cloud DNS private zones / forwarding | Hybrid DNS resolution |
Cloud CDN | Cache web/static content |
Media CDN | Large media/video delivery |
Cloud Armor | WAF/DDoS/geoblocking on edge LB |
Network Intelligence Center | Network observability suite |
Connectivity Tests | Route/firewall troubleshooting |
Firewall Insights | Firewall rule optimization |
Cloud IDS | Intrusion detection/protection style topic |
Container networking | GKE networking, pods, services, ingress |
Hybrid networking patterns | VPN vs Interconnect vs NCC |
Multicloud networking patterns | GCP-to-other-cloud connectivity |
3. Storage, Backup, and Data Transfer
Focus: The guide calls out choosing storage types, data retention/lifecycle management, data growth planning, and data protection such as backup and recovery.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
Cloud Storage / GCS | Object storage |
Standard storage class | Hot/frequent access |
Nearline | 30-day minimum |
Coldline | 90-day minimum |
Archive | 365-day minimum |
Lifecycle policies | Automated tiering/deletion |
Object versioning | Recovery/protection |
Retention policies / Bucket Lock | Compliance retention |
Persistent Disk / PD | VM block storage |
Standard PD | HDD-backed |
Balanced PD | General purpose |
SSD PD | Higher performance |
Extreme PD | High-performance block |
Hyperdisk | Modern high-performance block storage |
Local SSD | Ephemeral, high IOPS |
Filestore | Managed NFS |
Google Cloud NetApp Volumes | Enterprise file workloads |
Google Cloud Managed Lustre | HPC/AI file workloads |
Backup and DR Service | Backup/recovery architecture |
Storage Transfer Service | Online transfer into GCS |
Transfer Appliance | Physical large-scale data transfer |
Data retention / lifecycle design | Exam likes cost/compliance tradeoffs |
Backup and recovery design | Explicit PCA topic |
4. Databases and Caching
Focus: This is one of the most important PCA decision areas. You need to know Cloud SQL vs AlloyDB vs Spanner vs Bigtable vs Firestore vs BigQuery cold.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
Cloud SQL | Managed MySQL/PostgreSQL/SQL Server |
Cloud SQL HA | Regional failover |
Cloud SQL read replicas | Read scale |
AlloyDB | High-performance PostgreSQL-compatible |
Cloud Spanner | Global relational, strong consistency |
Cloud Bigtable | Wide-column, low-latency, high write throughput |
Firestore | Serverless document DB |
Memorystore for Redis | In-memory cache/session store |
Memorystore for Memcached | Managed Memcached |
BigQuery | Analytics warehouse, not OLTP DB |
Database Migration Service / DMS | DB migration/replication |
Backup/PITR/replication choices | PCA-style DB architecture question |
Regional vs multi-regional DB design | Availability/latency/cost tradeoff |
SQL vs NoSQL decisioning | Common exam pattern |
5. Security, Identity, Governance, and Compliance
Focus: The current guide specifically calls out IAM, resource hierarchy, key/encryption/secret management, VPC-SC, context-aware access, org policy, hierarchical firewall policy, IAP, service account impersonation, Chrome Enterprise Premium, Workload Identity Federation, software supply chain, Model Armor, Sensitive Data Protection, and secure model deployment.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
IAM | Access control |
IAM allow policies | Standard IAM binding model |
Custom roles | Least privilege |
Predefined roles | Prefer over primitive roles |
Basic/primitive roles | Avoid unless necessary |
IAM Conditions | Conditional access |
Service accounts | Machine identity |
Service account impersonation | Secure delegated access |
Workload Identity Federation | External identity to Google Cloud without long-lived keys |
Workload Identity for GKE | GKE workload-to-Google API auth |
Resource hierarchy | Organization, folders, projects |
Organization Policy Service | Guardrails |
Policy constraints | Restrict locations, external IPs, etc. |
VPC Service Controls / VPC-SC | Data exfiltration perimeter |
Identity-Aware Proxy / IAP | Zero-trust app/SSH/RDP access |
Context-Aware Access | Access based on identity/context/device |
BeyondCorp Enterprise | Zero-trust model/product family |
Chrome Enterprise Premium | Secure remote access/context-aware access topic in guide |
Cloud Identity | Identity management for Google Cloud/Workspace orgs |
Managed Service for Microsoft AD | Managed AD for Windows workloads |
Cloud Armor | WAF/DDoS |
Cloud KMS | Key management |
CMEK | Customer-managed encryption keys |
CSEK | Customer-supplied keys, lower priority |
Cloud HSM | Hardware-backed keys |
Cloud External Key Manager / EKM | External key custody |
Secret Manager | Secrets/password/API key storage |
Cloud DLP | Now generally referred to as Sensitive Data Protection |
Sensitive Data Protection | Data discovery, classification, masking |
Security Command Center / SCC | Security posture, findings |
Cloud Audit Logs | Admin/data access/system audit logs |
Cloud Asset Inventory | Asset inventory/history/search |
Assured Workloads | Compliance/data residency controls |
Binary Authorization | Only trusted signed images deploy |
Artifact Analysis / Container Analysis | Image/package vulnerability metadata |
Model Armor | AI prompt/response protection |
Separation of duties | PCA security design pattern |
Data sovereignty | Compliance/regulatory design |
Auditability/log retention | Compliance requirement |
6. Data Analytics, BI, and Messaging
Focus: Focus on the decision patterns around streaming vs batch, warehouse vs lakehouse, and when to use BigQuery, Pub/Sub, Dataflow, Dataproc, Looker, Dataplex, and BigLake.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
BigQuery | Serverless data warehouse |
BigQuery partitioning | Cost/performance |
BigQuery clustering | Cost/performance |
Pub/Sub | Global async messaging |
Pub/Sub Lite | Regional, lower-cost streaming alternative |
Dataflow | Apache Beam stream/batch processing |
Dataproc | Managed Hadoop/Spark |
Cloud Composer | Managed Airflow orchestration |
Cloud Data Fusion | GUI ETL/ELT |
Datastream | Change Data Capture |
Looker | BI/semantic layer/dashboards |
Dataplex | Data governance/lake management |
BigLake | Lakehouse/unified analytics over lake data |
Analytics Hub | Data sharing/exchange |
Data Catalog concepts | Metadata/governance, now often tied into Dataplex |
Batch vs streaming analytics | Dataflow/Pub/Sub/BigQuery decisioning |
Hadoop lift-and-shift | Dataproc trigger |
Real-time CDC | Datastream trigger |
7. AI, ML, and GenAI
Focus: Focus on Vertex AI, Gemini Enterprise Agent Platform, Gemini models/LLMs, Agent Builder, Model Garden, AI Hypercomputer, AI Agents, NotebookLM, and Google AI APIs such as Search, Conversation, Vision, Image, Video, and Audio.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
Vertex AI | Unified ML platform |
Gemini Enterprise Agent Platform | Google says PCA naming is moving toward Agent Platform |
Gemini Enterprise app | Create/run/govern enterprise AI agents |
Gemini models / Gemini LLMs | GenAI model selection/use |
Agent Builder / AI Agents | Agentic workflows |
Model Garden | Discover/use foundation and partner models |
Vertex AI Pipelines / Agent Platform Pipelines | ML lifecycle orchestration |
AI Hypercomputer | Large AI training/serving infrastructure |
GPUs / TPUs for ML | Training/serving acceleration |
Pre-trained ML APIs | Use when custom training unnecessary |
Vision AI | Image/object/text detection |
Natural Language AI | Text/entity/sentiment |
Speech-to-Text | Speech transcription |
Text-to-Speech | Speech synthesis |
Translation AI | Translation/glossary |
Document AI | Document extraction/classification |
Google AI Search API | Current guide calls out Search AI API category |
Google AI Conversation API | Conversation/contact-center style AI |
Google AI Image API | Image generation/processing category |
Google AI Video API | Video AI category |
Google AI Audio API | Audio AI category |
NotebookLM in Gemini Enterprise | Guide specifically mentions NotebookLM |
Model Armor | Secure AI prompts/responses |
Sensitive Data Protection for AI | Protect PII/sensitive data in AI workflows |
Secure model deployment | Security/compliance around AI |
Data integration for AI/ML | Feeding models/pipelines |
Consumption models for AI | Cost/performance tradeoff |
8. Application Integration and Serverless Orchestration
Focus: The exam guide explicitly calls out integration patterns with external systems, API management best practices such as Apigee, and movement of data.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
Eventarc | Event routing to Cloud Run/functions |
Workflows | API/service orchestration |
Cloud Tasks | Async task queue with rate/retry control |
Cloud Scheduler | Managed cron |
API Gateway | Lightweight serverless API front door |
Apigee | Enterprise API management |
Application Integration | Integration workflows/connectors |
Cloud Endpoints | Older API management option |
Pub/Sub | Decoupled event/messaging backbone |
External system integration patterns | Explicit PCA architecture topic |
Retry/backoff/idempotency | Common serverless architecture pattern |
Synchronous vs asynchronous design | Workflows/API Gateway vs Pub/Sub/Tasks |
9. Operations, Observability, Reliability, and Cost
Focus: The guide calls out Monitoring, Logging, profiling, benchmarking, alerting strategies, deployment/release management, support, quality controls, reliability testing, chaos engineering, penetration testing, and load testing.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
Cloud Monitoring | Metrics, dashboards, alerting |
Cloud Logging | Logs, sinks, retention |
Log sinks | Export to BigQuery/GCS/Pub/Sub |
Cloud Trace | Distributed tracing |
Cloud Profiler | Code profiling |
Error Reporting | Exception grouping |
Managed Service for Prometheus | GKE/Kubernetes metrics |
Cloud Audit Logs | Compliance/audit trail |
Cloud Service Health | Google Cloud incident/status awareness |
Recommender | Cost/security/performance recommendations |
Active Assist | Recommendations/optimization family |
Cloud Quotas | Limits/capacity planning |
Cloud Billing | Billing, budgets, cost visibility |
Budgets and alerts | Cost control |
Pricing Calculator | Cost estimation |
Gemini Cloud Assist | Explicitly listed in the guide |
SLOs / SLIs | Reliability measurement |
Alerting strategy | Explicit guide topic |
Backup and recovery | Explicit guide topic |
Disaster recovery / DR | RPO/RTO, failover |
Chaos engineering | Explicit guide topic |
Penetration testing | Explicit guide topic |
Load testing | Explicit guide topic |
Performance benchmarking | Explicit guide topic |
Well-Architected operational excellence | Major guide topic |
10. CI/CD, DevOps, IaC, and Software Supply Chain
Focus: The guide specifically calls out Cloud Shell Editor, Cloud Code, Cloud Shell Terminal, gcloud, gsutil, bq, Cloud Emulators, Terraform/IaC, API best practices, and Google API client libraries.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
Cloud Build | CI/build automation |
Artifact Registry | Container/package registry |
Cloud Deploy | Continuous delivery to GKE/Cloud Run/etc. |
Binary Authorization | Enforce signed/trusted container deployments |
Cloud Source Repositories | Legacy/private Git option |
Terraform | IaC |
Cloud Deployment Manager | Legacy-ish GCP IaC |
Infrastructure Manager | Google-managed Terraform deployment service |
Cloud Code | IDE tooling |
Cloud Shell Editor | Browser-based editor |
Cloud Shell Terminal | Browser shell |
Google Cloud SDK | CLI tooling |
gcloud | Main CLI |
gsutil | Storage CLI |
bq | BigQuery CLI |
Cloud Emulators | Local testing for Bigtable/Spanner/Pub/Sub/Firestore |
Google API client libraries | Programmatic API access |
Google API best practices | Explicit guide topic |
Artifact Analysis / Container Analysis | Vulnerability metadata/scanning |
Container image signing/attestations | Supply-chain security |
SDLC | Explicit guide topic |
CI/CD process design | Explicit guide topic |
Release management | Explicit guide topic |
Testing frameworks | Load/unit/integration tests |
11. Migration, Hybrid, and Multicloud
Focus: The exam guide explicitly calls out Migration Center, migration methodologies, workload testing, network planning, dependency planning, software license implications, and financial impact.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
Google Cloud Migration Center | Explicitly called out in guide |
Storage Transfer Service | Online object/data transfer |
Transfer Appliance | Physical transfer |
Database Migration Service / DMS | Database migration |
Migrate to Virtual Machines | VM lift-and-shift |
Migrate to Containers | VM/app modernization to containers |
Google Cloud VMware Engine / GCVE | VMware migration |
Bare Metal Solution | Specialized legacy workloads |
Google Distributed Cloud / GDC | On-prem/edge/cloud-adjacent workloads |
GKE Enterprise | Multi-cluster enterprise Kubernetes management |
Fleets | Multi-cluster grouping/management |
Config Sync | Config consistency |
Policy Controller | Policy enforcement |
Hybrid connectivity | VPN/Interconnect/NCC |
Multicloud connectivity | GCP to AWS/Azure/etc. |
Workload disposition | Build, buy, modify, deprecate |
Dependency mapping | Migration planning |
Network planning | Migration prerequisite |
Workload testing | Migration validation |
Licensing implications | GCVE/Bare Metal/sole-tenant triggers |
Financial impact / TCO | Migration business case |
12. Business, Architecture, and Exam-Style Concepts
Focus: These are not “services,” but PCA absolutely tests them.
Service / Concept | PCA Exam Trigger / Notes |
|---|---|
Google Cloud Well-Architected Framework | Major exam requirement |
Operational excellence | Well-Architected pillar |
Security | Well-Architected pillar |
Reliability | Well-Architected pillar |
Performance optimization | Well-Architected pillar |
Cost optimization | Well-Architected pillar |
Sustainability | Well-Architected pillar |
Functional requirements | What system must do |
Non-functional requirements | Availability, latency, scale, compliance |
Business continuity plan | BCP/DR |
KPIs / ROI / success metrics | Business outcome mapping |
Design tradeoffs | Cost vs reliability vs complexity |
High availability | Regional/multiregional/failover |
Failover design | Active/passive, active/active |
Scalability | Autoscaling, queues, managed services |
Performance and latency | Region, CDN, caching, DB choice |
Observability | Logs/metrics/traces/SLOs |
Security and compliance | Controls mapped to requirements |
Stakeholder management | PCA has business/process questions |
Change management | Adoption/implementation |
Team skills readiness | Migration/ops planning |
Customer success management | Explicit guide topic |
CapEx vs OpEx | Cost model |
Service catalog/provisioning | Enterprise governance |
Root cause analysis | Ops/process |
Quality control | Testing and validation |
Case studies | Exam includes case-study questions |