
Scope Overreach — GCP Professional Cloud Architect (PCA)

You solved a broader problem than what was asked. The scenario had specific constraints — you addressed requirements that weren't there.

Least Privilege Fails in Both Directions

Watch for the phrase 'across all projects in the organization' — it sounds like an org-level binding is required, but the actual constraint is often two or three projects under a single folder. Equally, 'needs access to this bucket' rarely justifies Owner on the containing project. The exam uses scope language precisely: 'the team manages billing for the division' is a folder-level signal; 'the service reads one Cloud Storage bucket' is a resource-level signal. Resolve the scope first, then pick the role.

22% of exam questions affected (44 of 200)

The Scenario

The question asks for a specific capability. You chose an answer that provides that capability plus additional protections, features, or governance that the scenario never mentioned. Every extra component adds cost and complexity. The correct answer addresses exactly what was asked, nothing more.

How to Spot It

  • Read the requirement literally. If it says "encrypt at rest," the answer is the simplest encryption option. If it says "restrict access to a VNet," the answer is the simplest network restriction. Do not add monitoring, auditing, or threat detection unless the question asks for them.
  • Count the components in your answer vs. the requirements in the question. If your answer has 4 components for 1 requirement, you have overreached by 3x.
  • The exam rewards precision. Addressing requirements that were not stated is not extra credit — it makes the answer wrong because it adds unnecessary complexity and cost.

Decision Rules

Whether to attach the gcp.resourceLocations Organization Policy constraint at the Prod folder level (where it inherits to all current and future child projects automatically) versus at the level of each existing individual project (where new projects added later are uncovered until manually configured).

Organization Policy Service · Folders · Resource Manager

Whether to structure billing accounts as one shared org-level account with Billing Account Viewer granted broadly to all finance contacts, versus creating separate per-BU billing accounts explicitly linked to each division's projects and scoping Billing Account Viewer to each BU's own billing account.

Billing Accounts · Cloud IAM (org and folder level) · Resource Manager

Whether to apply the constraints/gcp.resourceLocations Organization Policy constraint at the Prod folder scope versus at individual project scope — folder-level application inherits downward to all current and future child projects at creation time, while project-level application is static and silently fails to cover projects not yet created.

Organization Policy Service · Folders · Resource Manager
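The two scoping rules above (resolve the IAM scope before picking the role, and attach the resourceLocations constraint at the folder so projects created later inherit it) can be seen in a small simulation of the resource hierarchy. The following Python is an added example written for this page, not code from the exam or from Google; it models org > folder > project > bucket with a deliberately simplified evaluation (IAM roles are additive down the tree, and for org policy the nearest ancestor that sets the constraint wins, with no merging). The organization, folder, project, bucket and service-account names are constructed, and the allowed-value string is a sample, not a recommendation.

```python
from dataclasses import dataclass, field
from typing import Optional

CONSTRAINT = "constraints/gcp.resourceLocations"


@dataclass
class Node:
    """One node of the hierarchy: organization, folder, project or bucket."""
    name: str
    kind: str
    parent: Optional["Node"] = None
    bindings: dict = field(default_factory=dict)  # IAM: role -> set of principals
    policies: dict = field(default_factory=dict)  # org policy: constraint -> allowed values

    def ancestry(self):
        """Yield this node, then its parent, and so on up to the organization."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def attach(parent, name, kind):
    """Create a child node under parent (a new project, a new bucket, ...)."""
    return Node(name, kind, parent)


def grant(node, role, principal):
    node.bindings.setdefault(role, set()).add(principal)


def effective_roles(resource, principal):
    """IAM is additive: a role bound on any ancestor also applies to the resource."""
    roles = set()
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            if principal in members:
                roles.add(role)
    return roles


def set_policy(node, constraint, allowed):
    node.policies[constraint] = list(allowed)


def effective_policy(project, constraint):
    """Nearest ancestor that sets the constraint wins; None if no ancestor does.
    (The real service can also merge list constraints with the parent's values;
    that refinement is left out of this toy model.)"""
    for node in project.ancestry():
        if constraint in node.policies:
            return node.policies[constraint]
    return None


def build_hierarchy():
    """Constructed sample: org > Prod folder > two projects, one bucket in the first."""
    org = Node("example-org", "organization")
    prod = attach(org, "prod", "folder")
    app1 = attach(prod, "prod-app-1", "project")
    app2 = attach(prod, "prod-app-2", "project")
    bucket = attach(app1, "gs://prod-app-1-reports", "bucket")
    return org, prod, app1, app2, bucket


SA = "serviceAccount:reporter@prod-app-1.iam.gserviceaccount.com"  # hypothetical principal


def bucket_scoped_grant():
    """'The service reads one bucket': bind objectViewer on that bucket only."""
    _, _, app1, _, bucket = build_hierarchy()
    grant(bucket, "roles/storage.objectViewer", SA)
    other = attach(app1, "gs://prod-app-1-secrets", "bucket")
    return {
        "reports": effective_roles(bucket, SA),
        "secrets": effective_roles(other, SA),  # unaffected by the bucket-level binding
    }


def project_owner_grant():
    """The overreach: Owner on the project reaches every bucket inside it."""
    _, _, app1, _, bucket = build_hierarchy()
    grant(app1, "roles/owner", SA)
    other = attach(app1, "gs://prod-app-1-secrets", "bucket")
    return {
        "reports": effective_roles(bucket, SA),
        "secrets": effective_roles(other, SA),
    }


def location_policy_coverage(attach_at_folder):
    """Effective resourceLocations setting per project, including one created
    after the policy was applied."""
    _, prod, app1, app2, _ = build_hierarchy()
    allowed = ["in:eu-locations"]  # sample allowed value, constructed for the example
    if attach_at_folder:
        set_policy(prod, CONSTRAINT, allowed)
    else:
        set_policy(app1, CONSTRAINT, allowed)
        set_policy(app2, CONSTRAINT, allowed)
    app3 = attach(prod, "prod-app-3", "project")  # project created later
    return {p.name: effective_policy(p, CONSTRAINT) for p in (app1, app2, app3)}
```

Calling `location_policy_coverage(False)` shows the gap the decision rule warns about: `prod-app-3` comes back with no effective constraint, while the folder-level variant covers it automatically. `project_owner_grant()` likewise shows Owner reaching a bucket the requirement never mentioned, which is exactly the resource-level versus project-level distinction the scope language is signalling.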

Whether to select Cloud Spanner multi-region (external consistency, horizontal scaling, 99.999% SLA) versus Cloud SQL (regional ACID, single-primary) when the workload explicitly requires globally consistent writes across three geographic regions.

Cloud Spanner · Cloud SQL · Firestore

Select the storage service and geographic deployment scope that simultaneously satisfies narrow-column high-throughput write ingestion and cross-regional read locality — requiring Bigtable multi-cluster replication with app-profile routing rather than a single-region deployment or a relational service.

Bigtable · Cloud SQL · BigQuery

Whether the connectivity requirement is bilateral and regional (HA VPN per VPC pair satisfies it) or requires global hub-and-spoke transitivity across heterogeneous spokes (NCC is the only primitive that satisfies it without an O(n²) tunnel mesh and manual route management).

Network Connectivity Center · Cloud VPN (HA VPN) · Cloud Router

Whether the 8 Gbps sustained bandwidth floor and 99.99% SLA together mandate Dedicated Interconnect — because HA VPN's aggregate throughput ceiling (~3 Gbps across tunnel pairs) and public-internet routing path disqualify it regardless of its redundant-tunnel topology.

Dedicated Interconnect · HA VPN · Cloud Router

Whether achieving the contractual 99.99% Dedicated Interconnect SLA requires two physical circuits provisioned at the same metro location (correct — dual-circuit same-metro = 99.99%) versus a single 10 Gbps circuit (which delivers only 99.9%), when the SLA tier is the binding constraint and HA VPN with Cloud Router BGP serves as the backup failover path.

Dedicated Interconnect · Cloud Router · HA VPN

Whether the 99.99% availability target and globally-distributed external user base require a regional multi-zone MIG paired with Global HTTP(S) Load Balancing, rather than a simpler and cheaper zonal MIG paired with Regional Internal Load Balancing.

Managed Instance Groups (MIG) · Cloud Load Balancing (Global HTTP(S)) · Cloud Load Balancing (Regional internal)

Whether a GKE zonal cluster (single-zone Kubernetes control plane) or a GKE regional cluster (control plane distributed across three zones) is required to satisfy a 99.95% intra-region availability SLA when Cloud SQL HA already provides cross-zone database failover.

GKE Regional Cluster · Cloud SQL HA · Cloud Load Balancing (Regional internal)

Whether Cloud IAM bindings in the source project or VPC Service Controls perimeter enforcement is the correct mechanism to prevent authenticated principals from exfiltrating data to Cloud Storage buckets in external projects via Google API calls.

VPC Service Controls · Cloud IAM · Organization Policy Service

Domain Coverage

  • Designing and Planning a Cloud Solution Architecture
  • Managing and Provisioning a Solution Infrastructure
  • Designing for Security and Compliance
  • Managing Implementation
  • Ensuring Solution and Operations Reliability

Difficulty Breakdown

Hard: 28 · Medium: 12 · Expert: 4

Related Patterns