Domain 5: Managing Implementation (~12.5%)
Domain 5 accounts for approximately 12.5% of the Professional Cloud Architect exam, translating to roughly 6-7 questions. This domain tests your ability to advise development and operations teams on deploying applications, migrating workloads, and interacting with Google Cloud programmatically. Expect scenario-based questions that ask you to choose the correct deployment strategy, migration tool, API management platform, or IaC approach for a given business requirement.
5.1 Advising DevOps Teams for Successful Deployment
Application Deployment Pathways
Google Cloud offers multiple compute platforms, each with distinct deployment models. The exam tests your ability to match the right platform and deployment method to a scenario.
| Platform | Deployment Mechanism | Key Characteristics |
|---|---|---|
| App Engine | gcloud app deploy |
Fully managed, automatic scaling, traffic splitting between versions |
| Cloud Run | gcloud run deploy or Cloud Build |
Container-based serverless, revision-based traffic splitting |
| GKE | kubectl apply or Cloud Deploy |
Full Kubernetes orchestration, Deployment/StatefulSet/DaemonSet objects |
| Compute Engine | Instance templates + MIGs | VM-based, managed instance groups for rolling updates |
| Cloud Functions | gcloud functions deploy |
Event-driven, single-purpose functions, auto-scaled |
Cloud Build serves as the CI/CD backbone, building containers from source, running tests, and pushing to Artifact Registry. It integrates with Cloud Deploy for managed continuous delivery pipelines that promote releases through dev, staging, and production targets.
Deployment Strategies by Platform
The exam frequently tests which deployment strategies are available on which platforms and when to use each.
| Strategy | How It Works | Best For | Platform Support |
|---|---|---|---|
| Rolling update | Replaces instances incrementally; old instances removed as new ones become healthy | Zero-downtime updates with minimal extra resources | GKE (default), Compute Engine MIGs |
| Canary | Routes a percentage of traffic to the new version; gradually increases if healthy | Risk-sensitive deployments where you need to validate with real traffic | Cloud Run (revision traffic splitting), GKE (via Cloud Deploy or Istio), App Engine (traffic splitting) |
| Blue-green | Two identical environments; switch traffic atomically from blue (old) to green (new) | Instant rollback capability; zero-downtime with full resource duplication | GKE (two Deployments + Service switch), Compute Engine (two MIGs + load balancer), Cloud Run (tag-based) |
| Recreate | Terminates all old instances before deploying new ones | Dev/test environments; not suitable for production | GKE (Recreate strategy), Compute Engine (delete + create) |
Exam trap: Cloud Deploy supports standard and canary deployment strategies natively. For the first deployment to a target using canary, Cloud Deploy skips the canary phase and deploys directly to stable -- subsequent deployments use canary as configured. Blue-green is achieved through custom target configurations, not a built-in Cloud Deploy strategy type.
Exam trap: App Engine traffic splitting supports three methods: IP address, cookie, and random. IP-based splitting is the default but can cause uneven distribution behind NATs. Cookie-based splitting (GOOGAPPUID) provides more precise user-level routing.
Migration Tools
Choosing the correct migration tool for a scenario is a high-frequency exam topic. Each tool addresses a specific migration use case.
| Tool | Use Case | Key Details |
|---|---|---|
| Migrate to Virtual Machines | VM-to-VM lift-and-shift | Sources: VMware, AWS, Azure, bare metal. Supports test clones before cutover. Minimal downtime migration with streaming replication. |
| Migrate to Containers | VM-to-container modernization | Analyzes VM workloads, generates Dockerfiles and Kubernetes manifests. Targets GKE or Cloud Run. |
| Database Migration Service (DMS) | Database migration to Cloud SQL or AlloyDB | Supports homogeneous and heterogeneous migrations. Continuous replication via CDC for minimal downtime. Gemini-powered schema conversion for heterogeneous migrations. |
| Storage Transfer Service | Cloud-to-cloud or on-prem-to-cloud data transfer | Transfers from AWS S3, Azure Blob, HTTP/HTTPS sources, or on-premises (via agent). Supports scheduled, recurring transfers with filtering. |
| Transfer Appliance | Large offline data transfers | Physical appliance shipped to your data center. For datasets too large for network transfer (typically 20+ TB). Data encrypted at rest with AES-256. |
| BigQuery Data Transfer Service | SaaS data into BigQuery | Automated transfers from Google Ads, Campaign Manager, YouTube, S3, and Teradata. |
| Datastream | Change data capture (CDC) replication | Real-time CDC from Oracle, MySQL, PostgreSQL, SQL Server, AlloyDB to BigQuery, Cloud Storage, or Cloud SQL. |
Exam trap: Transfer Appliance is for ingestion into Google Cloud only -- it does not support exporting data out of GCP. For large-scale egress, use gsutil or Storage Transfer Service.
Exam trap: DMS supports Cloud SQL (MySQL, PostgreSQL, SQL Server) and AlloyDB for PostgreSQL as destinations. It does not migrate to Spanner or Firestore -- those require custom ETL pipelines or Dataflow.
API Management
The exam tests your ability to choose among three API management products based on requirements.
| Feature | Apigee | Cloud Endpoints | API Gateway |
|---|---|---|---|
| Type | Enterprise API platform | Lightweight API proxy | Serverless API gateway |
| Best for | External APIs, partner ecosystems, monetization | Internal microservice APIs on GCP | Serverless backends (Cloud Functions, Cloud Run, App Engine) |
| Rate limiting | Quota policies, spike arrest, concurrent rate limiting | Basic quota configuration | Per-API rate limiting |
| Analytics | Full analytics dashboards, custom reports, latency tracking | Cloud Logging + Cloud Monitoring integration | Basic Cloud Logging metrics |
| Monetization | Built-in (rate plans, prepaid balances, usage-based billing) | Not available | Not available |
| Developer portal | Built-in integrated portal with branding, app management | Not included | Not included |
| Authentication | OAuth 2.0, API keys, SAML, JWT, HMAC | API keys, Firebase Auth, Auth0, Google ID tokens | API keys, Google ID tokens, service accounts |
| Proxy | Apigee runtime (managed or hybrid) | ESP / ESPv2 (open-source, sidecar container) | Managed Google infrastructure |
| Deployment | Apigee X (managed) or Apigee Hybrid (customer-hosted K8s) | Co-deployed with backend on any GCP compute | Fully managed, no infrastructure to manage |
| Cost | Highest (enterprise pricing) | Low (pay for ESP compute) | Low (pay-per-call) |
Decision framework for the exam:
- Need monetization, developer portal, or advanced analytics? Apigee.
- Running microservices on GKE/Compute Engine and need lightweight API management? Cloud Endpoints.
- Serverless backend (Cloud Functions, Cloud Run) and need simple gateway routing? API Gateway.
Exam trap: Apigee Hybrid runs the runtime plane on customer-managed Kubernetes while the management plane stays in Google Cloud. This is the correct answer when the scenario requires data residency control or on-premises API processing.
Testing Strategies
| Test Type | Purpose | Tools / Approach |
|---|---|---|
| Unit tests | Validate individual functions/methods | Language-specific frameworks (JUnit, pytest, Jest), run in Cloud Build steps |
| Integration tests | Validate component interactions | Cloud Build with service dependencies, emulators for Pub/Sub, Firestore, Spanner |
| Load/performance tests | Validate behavior under stress | Cloud Load Testing (managed JMeter/Locust), or self-hosted on GKE |
| Smoke tests | Post-deploy sanity check | Cloud Deploy verification, health check endpoints |
| Canary analysis | Compare metrics between canary and baseline | Cloud Deploy with verify steps, Kayenta-style automated canary analysis |
5.2 Interacting with Google Cloud Programmatically
Cloud Shell
Cloud Shell provides a browser-based terminal pre-authenticated to your Google Cloud account.
| Attribute | Detail |
|---|---|
| VM specs | e2-small (0.5 vCPU, 2 GB RAM), Debian-based, ephemeral (resets after 60 minutes of inactivity) |
| Persistent storage | 5 GB home directory ($HOME) persists across sessions (deleted after 120 days of inactivity) |
| Pre-installed tools | gcloud, gsutil, bq, kubectl, docker, terraform, git, vim, emacs, nano |
| Authentication | Automatically authenticated as the signed-in user; no gcloud auth login needed |
| Cloud Shell Editor | Web-based IDE (Theia-based) for editing files, built into Cloud Shell |
| Boost mode | Temporarily upgrades to e2-medium (1 vCPU, 4 GB RAM) |
| Limitations | No GPU, no persistent VM, 50 hours/week usage limit, not for production workloads |
Exam trap: Cloud Shell is ephemeral -- the VM is recycled after inactivity. Only $HOME persists. Tools installed outside $HOME (e.g., via apt install) are lost on VM reset. If a scenario asks about persistent custom tooling, Cloud Shell is not the answer.
gcloud CLI
The gcloud CLI is the primary command-line tool for managing Google Cloud resources.
Key commands to know:
# Configuration management
gcloud config set project PROJECT_ID
gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-a
gcloud config configurations create my-config # Named configurations
gcloud config configurations activate my-config
# Authentication
gcloud auth login # User account (interactive)
gcloud auth activate-service-account # Service account (key file)
gcloud auth application-default login # ADC for client libraries
gcloud auth print-access-token # Get current access token
# Common resource management
gcloud compute instances create/list/delete/describe
gcloud container clusters create/get-credentials
gcloud run deploy/services list
gcloud app deploy/browse
gcloud builds submit --tag gcr.io/PROJECT/IMAGE
Exam trap: gcloud auth login authenticates the gcloud CLI itself. gcloud auth application-default login sets up Application Default Credentials (ADC) used by client libraries and Terraform. These are different credential stores. A scenario that says "Terraform can't authenticate" likely needs gcloud auth application-default login, not gcloud auth login.
gsutil
gsutil handles Cloud Storage operations. Key commands:
| Command | Purpose | Example |
|---|---|---|
gsutil mb |
Make bucket | gsutil mb -l us-central1 gs://my-bucket |
gsutil cp |
Copy objects | gsutil cp file.txt gs://bucket/ |
gsutil mv |
Move/rename objects | gsutil mv gs://bucket/old gs://bucket/new |
gsutil rsync |
Synchronize directories | gsutil rsync -r local-dir/ gs://bucket/ |
gsutil ls |
List buckets/objects | gsutil ls gs://bucket/** |
gsutil lifecycle |
Manage lifecycle rules | gsutil lifecycle set policy.json gs://bucket |
gsutil versioning |
Enable/disable versioning | gsutil versioning set on gs://bucket |
gsutil iam |
Manage bucket IAM | gsutil iam ch user:email:role gs://bucket |
gsutil -m |
Multi-threaded operations | gsutil -m cp -r dir/ gs://bucket/ |
Exam trap: gsutil rsync with -d (delete) flag removes destination objects not in source. Without -d, it only adds/updates. The exam may test whether a sync operation deletes extra files.
bq Command-Line Tool
bq is the BigQuery CLI:
| Command | Purpose |
|---|---|
bq mk |
Create datasets, tables, views, transfers |
bq load |
Load data from Cloud Storage or local files |
bq extract |
Export table data to Cloud Storage |
bq query |
Run SQL queries |
bq ls |
List datasets, tables, jobs |
bq show |
Display resource metadata |
bq head |
Display first N rows of a table |
Cloud Code
Cloud Code is an IDE extension for developing cloud-native applications.
- Supported IDEs: VS Code, IntelliJ/JetBrains, Cloud Shell Editor
- Target platforms: GKE, Cloud Run, Cloud Functions, App Engine
- Key features: Starter templates, continuous build/deploy with Skaffold, Kubernetes YAML authoring with validation, live debugging on GKE clusters, log streaming, Secret Manager integration
- Local development: Runs applications locally in containers using Skaffold; supports file watching and hot reload
Emulators for Local Development
Google Cloud provides local emulators to develop and test without incurring cloud costs or network latency.
| Emulator | Command to Start | Default Port |
|---|---|---|
| Pub/Sub | gcloud beta emulators pubsub start |
8085 |
| Firestore | gcloud beta emulators firestore start |
8080 |
| Bigtable | gcloud beta emulators bigtable start |
8086 |
| Spanner | gcloud emulators spanner start |
9010 |
| Datastore | gcloud beta emulators datastore start |
8081 |
After starting an emulator, set the EMULATOR_HOST environment variable so client libraries route requests locally: $(gcloud beta emulators pubsub env-init).
Exam trap: Not all services have emulators. Cloud SQL, BigQuery, Cloud Storage, and Cloud Functions do not have official emulators. If a scenario asks about local testing for these, the answer involves test instances, sandbox projects, or third-party mocks -- not emulators.
Infrastructure as Code: Terraform
Terraform is Google Cloud's recommended IaC tool. The exam tests conceptual understanding, not HCL syntax.
Core Terraform concepts:
| Concept | Description |
|---|---|
| Provider | Plugin that interfaces with a cloud API (e.g., google, google-beta) |
| Resource | A single infrastructure object (e.g., google_compute_instance) |
| Data source | Read-only query for existing infrastructure |
| Module | Reusable collection of resources; Google provides Cloud Foundation Toolkit modules |
| State | JSON file mapping config to real resources; stored in Cloud Storage backend for team collaboration |
| Workspace | Isolated state instances within the same config (e.g., dev/staging/prod) |
| Plan | terraform plan -- preview changes before applying |
| Apply | terraform apply -- execute changes and update state |
State management best practices:
- Store state remotely in a GCS bucket with versioning enabled
- Use state locking (GCS backend supports this natively)
- Never edit state files manually; use
terraform statecommands - Separate state per environment using workspaces or directory structure
Infrastructure Manager (Infra Manager): A Google-managed service that automates Terraform deployments on Google Cloud. It handles execution, state management, and drift detection without requiring you to maintain Terraform CLI infrastructure. Use Infra Manager when the scenario calls for managed Terraform execution without maintaining a separate CI/CD pipeline for IaC.
Exam trap: Terraform state contains sensitive data (passwords, keys, connection strings) in plaintext. The exam may test whether state should be stored in a public bucket (answer: never) or whether CMEK encryption is appropriate for state buckets (answer: yes, for sensitive workloads).
Google API Client Libraries
Google provides idiomatic client libraries for programmatic access to all Google Cloud services.
| Language | Package Manager | Example Package |
|---|---|---|
| Python | pip | google-cloud-storage |
| Java | Maven/Gradle | com.google.cloud:google-cloud-storage |
| Node.js | npm | @google-cloud/storage |
| Go | go modules | cloud.google.com/go/storage |
| C# | NuGet | Google.Cloud.Storage.V1 |
| Ruby | gem | google-cloud-storage |
| PHP | Composer | google/cloud-storage |
Authentication pattern: Client libraries use Application Default Credentials (ADC) by default. ADC checks in order: (1) GOOGLE_APPLICATION_CREDENTIALS environment variable, (2) user credentials from gcloud auth application-default login, (3) attached service account (on GCE, GKE, Cloud Run, etc.), (4) Workload Identity Federation for external environments.
Exam trap: On GKE, the recommended authentication method is Workload Identity, which maps Kubernetes service accounts to Google Cloud service accounts. Using node-level service accounts or exported JSON keys are legacy patterns the exam considers incorrect for GKE scenarios.
Exam Strategy for Domain 5
- Migration tool selection is the highest-value topic. Memorize which tool handles which source/destination and whether it supports continuous replication or one-time transfer.
- API management questions hinge on whether the scenario needs monetization/developer portal (Apigee), lightweight proxy for microservices (Endpoints), or serverless gateway (API Gateway).
- Deployment strategy questions test whether you understand canary vs. blue-green vs. rolling and which platforms support which.
- IaC questions focus on Terraform concepts (state, modules, providers) and when to use Infrastructure Manager vs. self-managed Terraform.
- CLI questions test whether you know
gcloud auth loginvs.gcloud auth application-default loginand the purpose of named configurations.
References
- Google Cloud SDK Documentation
- Apigee Overview
- Cloud Endpoints with OpenAPI
- Cloud Deploy Deployment Strategies
- Database Migration Service Overview
- Cloud Code Documentation
- Terraform on Google Cloud
- Infrastructure Manager Overview
- Managing Infrastructure as Code with Terraform
- Migrate to Virtual Machines
- Storage Transfer Service
- Transfer Appliance
- Application Default Credentials