Google Cloud Certified - Professional Cloud Architect Cheat Sheet 2026
The 30 highest-yield Google Cloud Certified - Professional Cloud Architect facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
60 questions
120 min time limit
70.00% to pass
- Which firewall rule direction handles traffic coming INTO a VM instance from outside? → Ingress
- Business organizations can accomplish all of the following, with the exception of: → Minimize the amount of projects needed to leverage GCP effectively
- Which GCP service provides a managed Redis or Memcached in-memory cache to reduce database load? → Memorystore
- A Professional Cloud Architect must ensure traffic between microservices in GKE is encrypted in transit. Which solution is best? → Use Anthos Service Mesh or Istio mTLS
- What is the purpose of Log-Based Metrics in Cloud Logging? → Create Cloud Monitoring metrics from log entry data
- Which GCP service collects application performance data such as latency and request traces across distributed services? → Cloud Trace
- A professional cloud architect needs to audit who made changes to production IAM policies over the past 30 days. Where should they look? → Cloud Audit Logs (Admin Activity logs)
- A company wants to connect its on-premises data center to Google Cloud with a dedicated, private connection. Which service should they use? → Cloud Interconnect
- A company wants to ensure its GCE VMs are never preempted during a critical batch window. Which VM type should they use? → Standard on-demand VMs
- Which type of service account is automatically created when you enable certain GCP APIs and is managed by Google? → Google-managed service account
- Which IAM role should be assigned to a CI/CD pipeline service account that needs to deploy Kubernetes workloads to GKE but should not have cluster admin access? → roles/container.developer
- A financial company needs an RTO of less than 15 minutes for their GCP-hosted trading platform. Which architecture best achieves this? → Hot standby in a second region with automated health-check-driven failover
- Your organization requires that only users from specific geographic regions can access a public-facing GCP application. Which service enforces this? → Cloud Armor geo-restriction policies
- Which GCP compute service is best suited for running stateful, long-running background workers that don't need HTTP endpoints? → Cloud Run Jobs
- A Cloud Architect needs to audit all IAM policy changes in a GCP organization over the past 30 days. Which service provides this data? → Cloud Audit Logs (Admin Activity logs)
- Which Google Cloud feature allows you to share a VPC network across multiple projects within the same organization? → Shared VPC
- A company needs to export all GCP logs to a centralized BigQuery dataset for long-term analysis. What is the best approach? → Configure a Log Sink to route logs to BigQuery
- What is the maximum number of IAM policy bindings that can be set on a single Cloud Storage bucket? → 1,500
- A team wants to receive alerts when their GKE cluster CPU utilization exceeds 80% for 5 minutes. Which tool should they configure? → Cloud Monitoring alerting policies
- What Cloud Storage class is most cost-effective for data accessed less than once per year? → Archive
- An organization wants to test their GCP disaster recovery plan without causing a production outage. Which approach is best? → Conduct a chaos engineering or DR simulation in a non-production environment
- Which GCP monitoring concept defines a target level of service that is measured against an error budget? → SLO (Service Level Objective)
- Which Cloud Spanner configuration provides the highest level of availability and global disaster recovery? → Multi-region instance
- A GKE workload requires access to a Cloud Storage bucket. What is the recommended way to grant this permission without using service account keys? → Use Workload Identity to bind a Kubernetes service account to a GCP service account
- A company must ensure Cloud Storage objects in a specific bucket cannot be deleted or modified for 7 years for compliance. What should they configure? → Bucket Lock with a Retention Policy
- Which GCP service automatically groups and analyzes application error events and notifies developers of new errors? → Error Reporting
- What is the purpose of a Cloud Monitoring workspace? → Provide a unified monitoring view across multiple GCP projects
- Which Compute Engine feature allows you to automatically add or remove VM instances based on load? → Managed Instance Groups with Autoscaling
- A team needs to migrate an existing MySQL database to GCP with minimal changes. Which managed service should they use? → Cloud SQL for MySQL
- Which type of Cloud VPN is recommended for high-availability production workloads? → HA VPN
Turn these facts into recall: