Google Cloud Professional Cloud Architect Advanced Practice Exam: Hard Questions 2025

A global SaaS provider is migrating from a single-region on-prem deployment to Google Cloud. They require: (1) active-active serving in two regions with automated failover, (2) strong consistency for user profile data, (3) the ability to perform zero-downtime schema changes, and (4) RPO close to zero and RTO under 5 minutes during a regional outage. Which architecture best meets these requirements?

A financial services company must keep all data encrypted with customer-managed keys (CMEK). They also require that key usage is restricted so that only workloads running in a specific project can decrypt data, and they need cryptographic separation between environments (dev/test/prod) with auditable key usage. Which approach best satisfies these requirements with the least operational risk?

You operate a shared VPC host project with multiple service projects. A service team reports intermittent failures when calling the Cloud Storage JSON API from GKE workloads. The error indicates requests are being blocked by organization policy and perimeter restrictions. The workloads must remain private (no public egress), and only Cloud Storage access is required. Which is the best fix that preserves security controls while restoring functionality?

A healthcare analytics platform must process sensitive PHI. The security team requires: (1) minimizing data exfiltration risk from managed services, (2) restricting access to only approved services and identities, and (3) allowing analysts to use BigQuery and Cloud Storage while preventing data from being copied to unauthorized projects. Which architecture best meets these needs?

An e-commerce company runs a microservices platform on GKE with Cloud SQL. During peak events, latency spikes and some services time out. Investigation shows connection exhaustion on Cloud SQL and uneven load distribution across pods. The company wants a solution that improves database connection handling, supports autoscaling, and requires minimal application changes. What should you do?

A company needs to stream events from multiple regions into a central analytics pipeline. Requirements: (1) exactly-once processing semantics in the analytics output, (2) ability to replay events for up to 7 days, (3) low operational overhead, and (4) support for late-arriving events and windowed aggregations. Which design best meets these requirements?

A platform team is standardizing CI/CD for 50+ services. They need: (1) strong separation of duties (developers cannot directly deploy to prod), (2) fully auditable releases, (3) the ability to promote the same artifact across dev/stage/prod, and (4) automatic rollback on failed health checks. Which solution best meets these requirements on Google Cloud?

Your organization has an on-prem data center connected to Google Cloud with Cloud VPN today. During quarterly processing, you observe packet loss and throughput limitations causing missed SLAs. The workloads are latency-sensitive and require predictable throughput. You also need encrypted transport and a design that supports high availability. What should you recommend?

A company uses BigQuery as a central data warehouse. Multiple business units must query shared datasets, but the data owner must enforce: (1) row-level access rules by region, (2) masking of sensitive columns for most users, (3) prevention of data exfiltration via copy/export to non-approved projects, and (4) minimal duplication of data. What is the best solution?

After migrating to GKE, an SRE team notices that incident MTTR is high because logs, metrics, and traces are fragmented across tools and do not correlate to specific releases. They need to: (1) correlate user-facing latency to backend services, (2) quickly identify which deployment caused a regression, and (3) implement SLO-based alerting with burn-rate to reduce noisy alerts. Which approach best meets these goals?