GCP Professional Cloud Network Engineer Cert Path

Google Cloud - Professional Cloud Network Engineer Certification

Google Cloud – Professional Cloud Network Engineer Certification Learning Path

📋 2025/2026 Exam Updates

  • Exam Restructured (April 24, 2025): The PCNE exam has been restructured and streamlined for greater focus and reduced repetition.
  • New Exam Delivery Provider (March 2026): Google Cloud certifications have transitioned from Kryterion to Pearson VUE for exam delivery.
  • New Topics Added: Cloud Next Generation Firewall (Cloud NGFW), Secure Web Proxy, Private Service Connect, Network Connectivity Center, and Cross-Cloud Interconnect are now explicitly covered.
  • Updated Load Balancing Naming: Google Cloud has updated load balancer names — HTTP(S) Load Balancer is now “Application Load Balancer,” TCP/SSL Proxy is now “proxy Network Load Balancer,” and Network LB is now “passthrough Network Load Balancer.”

Google Cloud – Professional Cloud Network Engineer certification exam focuses on the design, implementation, and management of Google Cloud network infrastructure. This includes designing network architectures for high availability, scalability, resiliency, and security.

Google Cloud – Professional Cloud Network Engineer Certification Summary

  • Has 50-60 questions to be answered in 2 hours.
  • Registration fee: $200 (plus tax where applicable)
  • Available in English and Japanese
  • Delivered through Pearson VUE — online-proctored or at a testing center
  • Covers a wide range of Google Cloud services mainly focusing on network services
  • Recommended experience: 3+ years of industry experience including 1+ years designing and managing solutions using Google Cloud
  • Hands-on is a MUST — if you have not worked on GCP before, make sure you do lots of labs else you would be absolutely clueless for some of the questions and commands
  • The exam assesses your ability to:
    • Design and plan a Google Cloud Virtual Private Cloud (VPC) network
    • Implement a VPC network
    • Configure managed network services
    • Configure and implement hybrid and multi-cloud network interconnectivity
    • Manage, monitor, and troubleshoot network operations
    • Configure, implement, and manage a cloud network security solution

Google Cloud – Professional Cloud Network Engineer Certification Resources

Google Cloud – Professional Cloud Network Engineer Certification Topics

Network Services

  • Refer Google Cloud Networking Services Cheat Sheet
  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets, and host applications within them
    • VPC Routes determine the next hop for the traffic. HINT: It can be defined for specific tags as well. More specific takes priority.
    • Firewall rules control the traffic to and from instances. HINT: Rules with lower integers indicate higher priorities. Firewall rules can be applied to specific tags or service accounts.
    • Cloud Next Generation Firewall (Cloud NGFW) — The modern firewall management framework that includes:
      • Hierarchical firewall policies — Applied at organization and folder levels for consistent enforcement across multiple VPC networks
      • Network firewall policies — Applied at VPC network level, replacing legacy VPC firewall rules
      • Cloud NGFW Enterprise (powered by Palo Alto Networks) — Provides intrusion detection/prevention (IDS/IPS) and TLS inspection
      • HINT: Understand the evaluation order — Hierarchical policies → Network policies → VPC firewall rules. “goto_next” action delegates to the next level.
    • VPC Peering allows internal or private IP address connectivity across two VPC networks regardless of whether they belong to the same project or the same organization. HINT: VPC Peering uses private IPs and does not support transitive peering
    • Shared VPC allows an organization to connect resources from multiple projects to a common VPC network so that they can communicate with each other securely and efficiently using internal IPs from that network HINT: VLAN attachments and Cloud Routers for Interconnect must be created in the host project
    • Understand the concept of internal and external IPs and the difference between static and ephemeral IPs
    • VPC Subnets support primary and secondary (alias) IP range
    • Primary IP range of an existing subnet can be expanded by modifying its subnet mask, setting the prefix length to a smaller number.
    • Private Access options for services allow instances with internal IP addresses to communicate with Google APIs and services.
    • Private Google Access allows VMs to connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM’s network interface. HINT: Private Google Access is enabled on the subnet and not on the VPC level
    • Private Service Connect — Allows consumers to access managed services privately from inside their VPC network using an internal IP endpoint. Supports accessing Google APIs, published services, and third-party services (e.g., Elastic, MongoDB, Snowflake). HINT: PSC provides an alternative to VPC peering with better security isolation and no shared scaling dependencies.
    • VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes.
    • Firewall Rules Logging enables auditing, verifying, and analyzing the effects of the firewall rules HINT: Default implicit ingress deny rule is not captured by firewall rules logging. Add an explicit deny rule
    • Resources within a VPC network can communicate with one another by using internal IPv4 addresses
    • IPv6 Support — VPC networks and subnets support dual-stack (IPv4 and IPv6) configuration. Understand internal IPv6 (ULA) and external IPv6 (GUA) addressing.
  • Hybrid Connectivity
  • Cloud VPN
    • Cloud VPN provides secure connectivity from the on-premises data center to the GCP network through the public internet. Cloud VPN does not provide internal or private IP connectivity
    • Understand what are the requirements to setup Cloud VPN.
    • Cloud VPN is quick to setup and test hybrid connectivity
    • Understand limitations of Cloud VPN esp. 3Gbps limit per tunnel. How it can be improved with multiple tunnels.
    • Cloud VPN requires non overlapping primary and secondary IPs address between on-premises and GCP VPC networks
    • Cloud VPN HA provides a highly available and secure connection between the on-premises and the VPC network through an IPsec VPN connection in a single region
    • HA VPN IPv6 Support — HA VPN now supports dual-stack (IPv4_IPV6) and IPv6-only gateway types. Multiprotocol BGP (MP-BGP) enables exchanging IPv6 routes over IPv4 BGP sessions and vice versa.
    • Classic VPN Dynamic Routing Deprecation (August 1, 2025): BGP/dynamic routing for Classic VPN tunnels is deprecated. If your workloads require BGP for VPN connectivity, you must use HA VPN. Classic VPN only supports policy-based and route-based (static) configurations going forward.
  • Cloud Interconnect
    • Cloud Interconnect provides direct connectivity from the on-premises data center to GCP network
    • Dedicated Interconnect provides a direct physical connection between the on-premises network and Google’s network. Supports 10 Gbps or 100 Gbps connections (400G announced at Cloud Next ’25 for AI workloads)
    • Partner Interconnect provides connectivity between the on-premises and VPC networks through a supported service provider. Supports 50Mbps to 50 Gbps
    • Understand Dedicated Interconnect vs Partner Interconnect and when to choose
    • Know Interconnect as the reliable high speed, low latency, and dedicated bandwidth option.
    • Cloud Monitoring monitors interconnect links. Circuit Operational Status metric threshold tracks the circuits while Interconnect Operational Status metric tracks all the links
    • Cross-Cloud Interconnect — Provides high-bandwidth dedicated connectivity between Google Cloud and another cloud provider (AWS, Azure, Oracle Cloud). Enables building multicloud architectures with private, SLA-backed connections. HINT: Use Cross-Cloud Interconnect for multicloud connectivity; use Dedicated/Partner Interconnect for on-premises connectivity.
    • Cross-Site Interconnect (GA) — Transparent, on-demand Layer 2 connectivity between on-premises sites leveraging Google’s global infrastructure.
  • Cloud Router
    • Cloud Router provides dynamic routing using BGP with HA VPN and Cloud Interconnect
    • Cloud Router Global routing mode provides visibility to resources in all regions
    • Cloud Router uses Multi-exit Discriminator (MED) value to route traffic. The same MED value results in Active/Active connection and different MED results in Active/Passive connection
    • Supports Multiprotocol BGP (MP-BGP) for exchanging IPv4 and IPv6 routes over a single BGP session
  • Network Connectivity Center
    • Network Connectivity Center (NCC) provides a hub-and-spoke model for network connectivity management in Google Cloud
    • Supports VPC spokes for inter-VPC connectivity without needing VPC peering
    • Supports hybrid spokes (Cloud VPN, Interconnect VLAN attachments, Router appliances) for connecting on-premises and other cloud networks
    • Enables using Google’s network as a wide area network (WAN) for data transfer between on-premises or multi-cloud sites
    • HINT: NCC provides transitive connectivity through the hub, overcoming VPC peering’s non-transitive limitation
  • Cloud NAT
    • Cloud NAT allows VM instances without external IP addresses and private GKE clusters to send outbound packets to the internet and receive any corresponding established inbound response packets.
    • Requests would not be routed through Cloud NAT if they have an external IP address
  • Cloud Peering
    • Google Cloud Peering provides Direct Peering and Carrier Peering
    • Peering provides a direct path from the on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses — does not provide a private dedicated connection
  • Cloud Load Balancing
    • Google Cloud Load Balancing provides scaling, high availability, and traffic management for your internet-facing and private applications.
    • Understand Google Load Balancing options and their use cases — which is global/regional, external/internal, and what protocols they support.
    • Updated Load Balancer Naming (2023+):
      • Application Load Balancer (formerly HTTP(S) Load Balancer) — Layer 7, supports HTTP/HTTPS/HTTP2/HTTP3(QUIC)
        • Global external Application Load Balancer
        • Regional external Application Load Balancer
        • Cross-region internal Application Load Balancer
        • Regional internal Application Load Balancer
      • Proxy Network Load Balancer (formerly TCP/SSL Proxy Load Balancer) — Layer 4 proxy
        • Global external proxy Network Load Balancer
        • Regional external proxy Network Load Balancer
        • Cross-region internal proxy Network Load Balancer
        • Regional internal proxy Network Load Balancer
      • Passthrough Network Load Balancer (formerly Network Load Balancer / Internal TCP/UDP LB) — Layer 4, pass-through
        • External passthrough Network Load Balancer — regional, external
        • Internal passthrough Network Load Balancer — regional, internal
    • Cloud Load Balancing supports health checks with managed instance groups
  • Cloud CDN
    • Understand Cloud CDN as the global content delivery network
    • Know CDN works with global external Application Load Balancer (formerly HTTP(S) LB)
    • Media CDN — Optimized for large-scale media delivery (video streaming, gaming downloads). Separate from Cloud CDN.
    • Cache is not removed if the underlying origin data is removed. Cache has to be invalidated explicitly, or is removed once expired.
    • Cloud CDN does not compress but serves response from the origin as is. HINT: As LB adds Via header some web server do not compress response and must be configured to ignore the Via header
  • Cloud DNS
    • Understand Cloud DNS and its features
    • Supports migration or importing of records from on-premises using JSON/YAML format
    • Supports DNSSEC, a feature of DNS, that authenticates responses to domain name lookups and protects the domains from spoofing and cache poisoning attacks
    • Supports DNS routing policies (weighted round-robin, geolocation, failover)

Identity Services

  • Cloud Identity and Access Management
    • Identify and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • Compute Network Admin does not provide access to SSL certificates and firewall rules. Need to assign Security Admin role
    • Understand IAM-governed tags for firewall policy rules (replacing network tags for newer policies)

Compute Services

  • Compute services like Google Compute Engine and Google Kubernetes Engine are lightly covered more from the networking aspects
  • Google Compute Engine
    • Google Compute Engine is the best IaaS option for compute and provides fine grained control
    • Difference between managed vs unmanaged instance groups and auto-healing feature
    • Regional Managed Instance group helps spread load across instances in multiple zones within the same region providing scalability and HA
    • Managed Instance group helps perform canary and rolling updates
    • Managed Instance group autoscaling can be configured on CPU or load balancer metrics or custom metrics.
    • Managing access using OS Login or project and instance metadata
  • Google Kubernetes Engine
    • Google Kubernetes Engine, powered by the open-source container scheduler Kubernetes, enables you to run containers on Google Cloud Platform.
    • Understand GKE Networking in detail
    • Understand GKE Cluster types based on networking — VPC-Native clusters (recommended, uses alias IPs) vs Routes-based clusters (legacy)
    • Understand GKE VPC-Native cluster IP Allocation
    • Private clusters help isolate nodes from having inbound and outbound connectivity to the public internet by providing nodes with internal IP addresses only.
    • GKE Dataplane V2 — eBPF-based dataplane providing better network policy enforcement, observability, and performance

Security Services

  • Cloud Armor
    • Cloud Armor protects applications from multiple types of threats, including DDoS attacks and application attacks like XSS and SQLi
    • Cloud Armor Enterprise (formerly Managed Protection Plus) — Provides advanced DDoS protection, Adaptive Protection, threat intelligence, and bot management with insurance-backed DDoS protection
    • Adaptive Protection — ML-based detection of L7 DDoS attacks that automatically suggests and can auto-deploy mitigation rules
    • Works with global external Application Load Balancer; with GKE needs to be configured with GKE Ingress
    • Can be used to block/allow IPs, geolocation-based access control, rate limiting, and bot management
    • Supports preview mode to understand patterns without blocking the users
    • Supports preconfigured WAF rules for OWASP Top 10
    • Google Threat Intelligence integration for IP reputation feeds
  • Secure Web Proxy
    • Secure Web Proxy is a cloud-first, secure web gateway that helps monitor and secure egress web traffic (HTTP/HTTPS)
    • Provides URL filtering, TLS inspection, and logging for outbound traffic from VMs and GKE pods
    • Replaces the need for third-party proxy appliances for egress filtering
    • HINT: Secure Web Proxy is for egress traffic control; Cloud Armor is for ingress traffic protection
  • VPC Service Controls
    • Creates security perimeters around Google Cloud resources to mitigate data exfiltration risks
    • Restricts access to Google Cloud services and resources within defined perimeters
    • HINT: VPC Service Controls protect against data exfiltration from Google Cloud services, not network-level traffic

Network Monitoring and Operations

  • Network Intelligence Center
    • Provides a comprehensive network monitoring, verification, and optimization platform
    • Connectivity Tests — Diagnoses connectivity issues between source and destination endpoints
    • Performance Dashboard — Monitors network performance metrics (latency, packet loss) across Google Cloud
    • Network Topology — Visualizes the network infrastructure and traffic flows
    • Firewall Insights — Identifies overly permissive or shadowed firewall rules
  • Cloud Logging and Monitoring
    • VPC Flow Logs, Firewall Rules Logging, Cloud NAT logs, and DNS logs for network troubleshooting
    • Cloud Monitoring for setting up alerts on network metrics

All the Best !!

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) Exam Learning Path

AWS Certified Alexa Skill Builder - Specialty Certificate

⚠️ CERTIFICATION RETIRED

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) was retired on March 23, 2021.

The last day to take this exam was March 22, 2021. Certifications earned prior to retirement remained active for the standard three-year period but have now all expired.

This content is maintained for historical reference and for those interested in Alexa skill development concepts.

Recommended Current AWS Certifications:

📢 Alexa Ecosystem Update (2024-2026)

  • Alexa+ – Amazon launched its next-generation AI-powered assistant (Alexa+) in February 2026, free for Prime members. It represents a major shift from the traditional skills-based model to conversational AI.
  • Developer Program Changes – Amazon ended the Alexa Developer Rewards Program and AWS Promotional Credits for Alexa in June 2024.
  • Deprecated Features – Multiple Alexa features have been deprecated including A/B testing (Aug 2025), Alexa Routines Kit (May 2026), and EventDetectionSensor (Feb 2023).
  • The Alexa Skills Kit remains available for developers, but the ecosystem focus has shifted significantly toward generative AI capabilities.

Finally All Down for AWS (for now) …

Continuing on my AWS journey with the last AWS certification, I took another step by clearing the AWS Certified Alexa Skill Builder – Specialty (AXS-C01) certification. It is amazing to know and learn how Voice first experiences are making an impact and changing how we think about technology and use cases.

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) exam basically validates your ability to build, test, publish and certify Alexa skills.

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) Exam Summary

  • AWS Certified Alexa Skill Builder – Specialty exam focuses only on Alexa and how to build skills.
  • AWS Certified Alexa Skill Builder – Specialty exam has 65 questions with a time limit of 170 minutes
  • Compared to the other professional and specialty exams, the question and answers are not long and similar to associate exams. So if you are prepared well, it should not need the 170 minutes.
  • As the exam was online from home, there was no access to paper and pen but the trick remains the same, read the question and draw a rough architecture and focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach to the right answer or atleast have a 50% chance of getting it right.

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) Exam Topic Summary

Refer AWS Alexa Cheat Sheet

Domain 1: Voice-First Design Practices and Capabilities

1.1 Describe how users interact with skills

1.2 Map features and capabilities to use cases

  • Alexa supports display cards to display text (Simple card) and text with image (Standard card)
  • Alexa Alexa Skill Kits supports APIs
    • Alexa Settings APIs allow developers to retrieve customer preferences for the settings like time zone, distance measuring unit, and temperature measurement unit
    • Device services – a skill can request the customer’s permission to their address information, which is a static data filled by customer and includes the country/region, postal code and full address
    • Customer Profile services – a skill can request the customer’s permission to their contact information, which includes name, email address and phone number
    • With Location services, a skill can ask a user’s permission to obtain the real-time location of their Alexa-enabled device, specifically at the time of the user’s request to Alexa, so that the skill can provide enhanced services.
  • Alexa Skill Kit APIs need apiAccessToken and deviceId to access the ASK APIs
  • Progressive Response API allows you to keep the user engaged while the skill prepares a full response to the user’s request.
  • Personalization can be provided using userId and state persistence

Domain 2: Skill Design

2.1 Design and develop an interaction model

  • Alexa interaction model includes skill, Invocation name, utterances, slots, Intents
  • A skill is ‘an app for Alexa’, however they are not downloadable but just need to be enabled.
  • Wakeword – Amazon offers a choice of wakewords like ‘Alexa’, ‘Amazon’, ‘Echo’, ‘skill’, ‘app’ or ‘Computer’, with the default being ‘Alexa’.
  • Launch phrases include “run,” “start,” “play,” “resume,” “use,” “launch,” “ask,” “open,” “tell,” “load,” “begin,” and “enable.”
  • Connecting words include “to,” “from,” “in,” “using,” “with,” “about,” “for,” “that,” “by,” “if,” “and,” “whether.”
  • Invocation name
    • is the word or phrase used to trigger the skill for custom skills and the invocation name should adhere to the requirements
    • must not infringe upon the intellectual property rights of an entity or person
    • must be compound of two or more works.
    • One-word invocation names are allowed only for brand/intellectual property.
    • must not include names of people or places
    • if two-word invocation names, one of the words cannot be a definite article (“the”), indefinite article (“a”, “an”) or preposition (“for”, “to”, “of,” “about,” “up,” “by,” “at,” “off,” “with”).
    • must not contain any of the Alexa skill launch phrases, connecting words and wake words
    • must contain only lower-case alphabetic characters, spaces between words, and possessive apostrophes
    • must spell characters like numbers for e.g., twenty one
    • can have periods in the invocation names containing acronyms or abbreviations that are pronounced as a series of individual letters, for e.g. NASA as n. a. s. a.
    • cannot spell out phonemes for e.g., a skill titled “AWS Facts” would need “AWS” represented as “a. w. s. ” and NOT “ay double u ess.”
    • must not create confusion with existing Alexa features.
    • must be written in each supported language
  • An intent is what a user is trying to accomplish.
    • Amazon provides standard built-in intents which can be extended
    • Intents need to have a unique utterance
  • Utterances are the specific phrases that people will use when making a request to Alexa.
  • A slot is a variable that relates to an intent allowing Alexa to understand information about the request
    • Amazon provides standard built-in slots which can be extended
  • Entity resolution improves the way Alexa matches possible slot values in a user’s utterance with the slots defined in your interaction model

2.2 Design a multi-turn conversation

  • Alexa Dialog management model identifies the prompts and utterances to collect, validate, and confirm the slot values and intents.
  • Alexa supports
    • Auto Delegation where Alexa completes all of the dialog steps based on the dialog model.
    • Manual delegation using Dialog.Delegate where Alexa sends the skill an IntentRequest for each turn of the conversation and provides more flexibility.
  • AMAZON.FallbackIntent will not be triggered in the middle of a dialog

2.3 Use built-in intents and slots

  • Standard built-in intents cannot include any slots. If slots are needed, create a custom intent and write your own sample utterances.
  • Alexa recommends using and extending standard built-in intents like Alexa.HelpIntent, Alexa.YesIntent with additional utterances as per the skill requirements
  • Alexa provides Alexa.FallbackIntent for handling any unmatched utterances and can be used to improve the interaction model accuracy.
  • Standard built-in intents cannot include any slots. If slots are needed, create a custom intent and write your own sample utterances.
  • Alexa provides slot which helps capture variables and can be either be a Amazon predefined slot such as dates, numbers, durations, time, etc. or a custom one specific to the skill
  • Predefined slots can be extended to add additional values

2.4 Handle unexpected conversational requests or responses

  • Alexa provides Alexa.FallbackIntent for handling any unmatched utterances and can be used to improve the interaction model accuracy.
  • Alexa also provides Intent History which provides a consolidate view with aggregated, anonymized frequent utterances and the resolved intents. These can be used to map the utterances to correct intents

2.5 Design multi-modal skills using one or more service interfaces (for example, audio, video, and gadgets)

  • Alexa enabled devices with a screen handles Page and Scroll intents. Do not handle Next and Previous.
  • Alexa skill with AudioPlayer interface
    • must handle AMAZON.ResumeIntent and AMAZON.PauseIntent
    • PlaybackController events to track AudioPlayer status changes initiated from the device buttons

Domain 3: Skill Architecture

3.1 Identify AWS services for extending Alexa skill functionality (Amazon CloudFront, Amazon S3, Amazon CloudWatch, and Amazon DynamoDB)

  • Focus on standard skill architecture using Lambda for backend, DynamoDB for persistence, S3 for severing static assets, and CloudWatch for monitoring and logs.
  • Lambda provide serverless handling for the Alexa requests, but remember the following limits
    • default concurrency soft limit of 1000 can be increased by raising a support request
    • default timeout of 3 secs, and should be increased to atleast 7 secs to be inline with Alexa timeout of 8 secs
    • default memory of 128mb, increase to improve performance
  • S3 performance can be improved by exposing it through CloudFront esp. for images, audio and video files

3.2 Use AWS Lambda to build Alexa skills

  • Lambda integrates with CloudWatch to provide logs and should be the first thing to check in case of any issues or errors.
  • Alexa allows any http endpoint to act as a backend, but needs to meet following requirements
    • must be accessible over the internet.
    • must accept HTTP requests on port 443.
    • must support HTTP over SSL/TLS, using an Amazon-trusted certificate.

3.3 Follow AWS and Alexa security and privacy best practices

  • Alexa requires the backend to verify that incoming requests come from Alexa using Skill ID verification
  • Child-directed skills cannot use personal and location information
  • Skills cannot be used to capture health information
  • Alexa Skills Kit uses the OAuth 2.0 authentication framework for Account linking, which defines a means by which the service can allow Alexa, with the user’s permission, to access information from the account that the user has set up with you.
  • Alexa smart home skills must have OAuth authorization code grant implementation while custom skills can have authorization code grant or impact grant implementation.

Domain 4: Skill Development

4.1 Implement in-skill purchasing and Amazon Pay for Alexa Skills

  • In-skill purchasing enables selling premium content such as game features and interactive stories in skills with a custom interaction model.
  • In-skill purchasing is handled by Alexa when the skill sends a Upsell directive. As the skill session ends when a Upsell directive is sent, be sure to save any relevant user data in a persistent data store so that the skill can continue where the user left off after the purchase flow is completed and the endpoint is back in control of the user experience.
  • Skill can handle the Connections.Response request that indicates the result of a purchase flow and resume the skill

4.2 Use Speech Synthesis Markup Language (SSML) for expression and MP3 audio

  • SSML is a markup language that provides a standard way to mark up text for the generation of synthetic speech.
  • Alexa supports a subset of SSML tags including
    • say-as to interpret text as telephone, date, time etc.
    • phonemeprovides a phonemic/phonetic pronunciation
    • prosody modifies the volume, pitch, and rate of the tagged speech.
    • audioallows playing MP3 player while rendering a response
      • must be in valid MP3 file (MPEG version 2) format
      • must be hosted at an Internet-accessible HTTPS endpoint.
      • For speech response, the audio file cannot be longer than 240 seconds.
        • combined total time for all audio files in the outputSpeech property of the response cannot be more than 240 seconds.
        • combined total time for all audio files in the reprompt property of the response cannot be more than 90 seconds.
      • bit rate must be 48 kbps.
      • sample rate must be 22050Hz, 24000Hz, or 16000Hz.

4.3 Implement state management

  • Alexa Skill state persistence can be handled using session attributes during the session and externally using services like DynamoDB, RDS across sessions.

4.4 Implement Alexa service interfaces (audio player, video player, and screens)

4.5 Parse Alexa JSON requests and provide responses

  • All requests include the session (optional), context, and request objects at the top level.
    • session object provides additional context associated with the request.
      • session attributes can be used to store data
      • user containing userId to uniquely define an user and accessToken to access other services.
      • system object provides apiAccessToken and device object provides deviceId to access ASK APIs
      • application provide applicationId
      • device object provides supportedInterfaces to list each interface that the device supports
      • user containing userId to uniquely define an user and accessToken to access other services.
    • A request object that provides the details of the user’s request.
  • Response includes
    • outputSpeech contains the speech to render to the user.
    • reprompt contains the outputSpeech to use if a re-prompt is necessary.
    • shouldEndSession provides a boolean value that indicates what should happen after Alexa speaks the response.

Domain 5: Test, Validate, and Troubleshoot

5.1 Debug and troubleshoot using Amazon CloudWatch or other tools

  • Lambda integrates with CloudWatch for metric and logs and can be check for any errors and metrics.

5.2 Use the Alexa developer testing tools

  • Utterance profiles – test utterances to know what intent they resolve to
  • Alexa Skill simulator
    • provides an ability to Interact with Alexa with either your voice or text, without an actual device.
    • maintains the skill session, so the interaction model and dialog flow can be tested.
    • supports multiple languages testing by selecting locale
    • has limitations in testing audio, video, Alexa settings and Device API
  • Manual Json
    • enter a JSON request directly and see the skill returned JSON response
    • does not maintain the skill session and is similar to testing a JSON request in the Lambda console.
  • Voice & Tone – enter plain text or SSML and hear how Alexa speaks the text in a selected language
  • Alexa device – test with an Alexa-enabled device.
  • Alexa app – test the skill with the Alexa app for Android/iOS
  • Lambda Test console – to test Lambda functions

5.3 Perform beta testing

  • Skill beta testing tool can be used to test the Alexa skill in beta before releasing it to production
  • Beat testing allows testing changes to an existing skill, while still keeping the currently live version of the skill available for the general public.
  • Members can be invited using their Alexa email address. Alexa device used by the beta tester must be associated with the email address in the tester’s invitation.

5.4 Troubleshoot errors in the interaction model

Domain 6: Publishing, Operations, and Lifecycle Management

6.1 Describe the skill publishing process

  • Alexa skill needs to go through certification process before the Skill is live and made available to the users
  • Alexa creates an in development version of the skill, once the skill becomes live
  • Alexa Skill live version cannot be edited, and it is recommended to edit the in development skill, test and then re-certify for publishing.
  • Backend changes like changes in Lambda functions or response output from the function, however, can be made on live version and do not require re-certification. However, it is recommended to use Lambda versioning or alias to do such changes.
  • Alexa for Business allows skill to be made private and available to select users within the company

6.2 Add and remove users in the developer console

  • Alexa Skill Developer console access can be shared across multiple users for collaboration
  • Administrator and Analyst roles will also have access to the Earnings and Payments sections.
  • Administrator and Marketer roles will also have access to edit the content associated with apps (i.e. Descriptions, Images & Multimedia) and IAPs
  • Administrator and Developer roles will have access to create, modify and delete Alexa skills using ASK CLI and SMAPI.
  • Administrator, Analyst and Marketer roles have access to sales report

6.3 Perform analysis of skill analytics in the developer console

  • Intent History – View aggregated, anonymized frequent utterances and the resolved intents. You cannot track the user intent history as they are anonymized.
  • Actions – Unique customers per action, total actions, and total utterances per action.
  • Customers – Total number of unique customers who accessed the skill.
  • Intents – Unique customers per intent, total utterances per intent, total intents, and failed intents.
  • Interaction Path – Paths users take when interacting with the skill.
  • Plays Total number of times that a user played the skill content.
  • Retention (live skills only) Usage of the skill over time by groups of customers or cohorts. View the number or percentage of customers who returned to your skill over a 12-week period.
  • Sessions Total sessions, successful session types (sessions that didn’t end due to an error), average sessions per customer. Includes a breakdown of successful, failed, and no-response sessions as a percentage of total sessions. Custom
  • Utterances Metrics for utterances depend on the skill category.

6.4 Differentiate among the statuses/versions of skills (for example, In Development, In Certification, and Live)

  • In Development – skill available for development, testing
  • In Review – A certification review is in progress and the skill cannot be edited
  • Certified – Skill passed certification review, and is not yet available to users
  • Live – skill has been published and is available to users. You cannot edit the configuration for live skills
  • Hidden – skill was previously published, but has since been hidden. Existing users can access the skill. New users cannot discover the skill.
  • Removed – skill was previously published, but has since been removed. Users cannot enable or use the skill.

AWS Certified Alexa Skill Builder – Specialty (AXS-C01) Exam Resources

Recommended Current AWS Certifications

Since the Alexa Skill Builder certification has been retired, consider these current AWS certifications that cover related domains:

Certification Focus Area Relevance
AWS Certified AI Practitioner (AIF-C01) AI/ML fundamentals, Generative AI Covers AI services including Amazon Lex (conversational interfaces)
AWS Certified ML Engineer – Associate ML model building and deployment NLP, speech processing, conversational AI models
AWS Certified Developer – Associate (DVA-C02) Application development on AWS Lambda, DynamoDB, API Gateway – same services used in Alexa skills
AWS Certified Generative AI Developer – Professional Building generative AI applications Next-gen conversational AI, Amazon Bedrock, LLM-powered apps

Alexa Development Resources (Current)

While the certification is retired, Alexa skill development continues. Here are current resources:

AWS Certified Solutions Architect – Associate SAA-C02 Exam Learning Path

SAA-C02 Certification

⚠️ EXAM RETIRED – SAA-C02 No Longer Available

AWS Solutions Architect – Associate SAA-C02 exam was retired on August 29, 2022 and has been replaced by the SAA-C03 exam.

This content is maintained for historical reference only. If you are preparing for the AWS Solutions Architect – Associate certification, please refer to the current exam version.

👉 AWS Certified Solutions Architect – Associate SAA-C03 Exam Learning Path

Key differences in SAA-C03:

  • Reorganized into 4 domains: Secure Architectures (30%), Resilient Architectures (26%), High-Performing Architectures (24%), Cost-Optimized Architectures (20%)
  • Increased emphasis on security (now the highest-weighted domain)
  • Added modern services: AWS Transfer Family, AWS DataSync, Amazon EventBridge, AWS Transit Gateway, AWS Network Firewall, Amazon EKS/Fargate
  • Greater focus on serverless, containers, and multi-account architectures
  • Sustainability considerations added

AWS Certified Solutions Architect – Associate SAA-C02 Exam Learning Path

[HISTORICAL REFERENCE – Exam Retired August 29, 2022]

AWS Solutions Architect – Associate SAA-C02 exam was the AWS certification exam that replaced the previous SAA-C01 and was itself replaced by the current SAA-C03 exam on August 30, 2022. It validated the ability to effectively demonstrate knowledge of how to architect and deploy secure and robust applications on AWS technologies.

  • Define a solution using architectural design principles based on customer requirements.
  • Provide implementation guidance based on best practices to the organization throughout the life cycle of the project.

AWS Solutions Architect – Associate SAA-C02 Exam Summary

  • SAA-C02 exam consisted of 65 questions in 130 minutes.
  • SAA-C02 Exam covered the architecture aspects in deep, focusing on how to visualize the architecture and how different services relate.
  • AWS updated the exam concepts from the focus being on individual services to more building of scalable, highly available, cost-effective, performant, resilient architectures.
  • If you had been preparing for the SAA-C01 –
    • SAA-C02 was pretty much similar to SAA-C01 except the operational effective architecture domain was dropped
    • Most of the services and concepts covered by the SAA-C01 were the same. There were few new additions like Aurora Serverless, AWS Global Accelerator, FSx for Windows, FSx for Lustre

AWS Solutions Architect – Associate SAA-C02 Exam Resources

Note: These resources are outdated. For current SAA-C03 preparation resources, visit the SAA-C03 Exam Learning Path.

AWS Solutions Architect – Associate SAA-C02 Exam Topics

Note: These topics are for the retired SAA-C02 exam. For current exam topics, refer to the SAA-C03 Exam Learning Path.

Networking

  • Be sure to create VPC from scratch. This is mandatory.
    • Create VPC and understand whats a CIDR and addressing patterns
    • Create public and private subnets, configure proper routes, security groups, NACLs. (hint: Subnets are public or private depending on whether they can route traffic directly through Internet gateway)
    • Create Bastion for communication with instances
    • Create NAT Gateway or Instances for instances in private subnets to interact with internet
    • Create two tier architecture with application in public and database in private subnets
    • Create three tier architecture with web servers in public, application and database servers in private. (hint: focus on security group configuration with least privilege)
    • Make sure to understand how the communication happens between Internet, Public subnets, Private subnets, NAT, Bastion etc.
  • Understand difference between Security Groups and NACLs (hint: Security Groups are Stateful vs NACLs are stateless. Also only NACLs provide an ability to deny or block IPs)
  • Understand VPC endpoints and what services it can help interact (hint: VPC Endpoints routes traffic internally without Internet)
    • VPC Gateway Endpoints supports S3 and DynamoDB.
    • VPC Interface Endpoints OR Private Links supports others
  • Understand difference between NAT Gateway and NAT Instance (hint: NAT Gateway is AWS managed and is scalable and highly available)
  • Understand how NAT high availability can be achieved (hint: provision NAT in each AZ and route traffic from subnets within that AZ through that NAT Gateway)
  • Understand VPN and Direct Connect for on-premises to AWS connectivity
    • VPN provides quick connectivity, cost-effective, secure channel, however routes through internet and does not provide consistent throughput
    • Direct Connect provides consistent dedicated throughput without Internet, however requires time to setup and is not cost-effective
  • Understand Data Migration techniques
    • Choose Snowball vs Snowmobile vs Direct Connect vs VPN depending on the bandwidth available, data transfer needed, time available, encryption requirement, one-time or continuous requirement
    • Snowball, SnowMobile are for one-time data, cost-effective, quick and ideal for huge data transfer
    • Direct Connect, VPN are ideal for continuous or frequent data transfers
  • Understand CloudFront as CDN and the static and dynamic caching it provides, what can be its origin (hint: CloudFront can point to on-premises sources and its usecases with S3 to reduce load and cost)
  • Understand Route 53 for routing
    • Understand Route 53 health checks and failover routing
    • Understand Route 53 Routing Policies it provides and their use cases mainly for high availability (hint: focus on weighted, latency, geolocation, failover routing)
  • Be sure to cover ELB concepts in deep.
    • SAA-C02 focuses on ALB and NLB and does not cover CLB
    • Understand differences between CLB vs ALB vs NLB
      • ALB is layer 7 while NLB is layer 4
      • ALB provides content based, host based, path based routing
      • ALB provides dynamic port mapping which allows same tasks to be hosted on ECS node
      • NLB provides low latency and ability to scale
      • NLB provides static IP address

Security

  • Understand IAM as a whole
    • Focus on IAM role (hint: can be used for EC2 application access and Cross-account access)
    • Understand IAM identity providers and federation and use cases
    • Understand MFA and how would implement two factor authentication for an application
    • Understand IAM Policies (hint: expect couple of questions with policies defined and you need to select correct statements)
  • Understand encryption services
  • AWS WAF integrates with CloudFront to provide protection against Cross-site scripting (XSS) attacks. It also provides IP blocking and geo-protection.
  • AWS Shield integrates with CloudFront to provide protection against DDoS.
  • Refer Disaster Recovery whitepaper, be sure you know the different recovery types with impact on RTO/RPO.

Storage

  • Understand various storage options S3, EBS, Instance store, EFS, Glacier, FSx and what are the use cases and anti patterns for each
  • Instance Store
    • Understand Instance Store (hint: it is physically attached to the EC2 instance and provides the lowest latency and highest IOPS)
  • Elastic Block Storage – EBS
    • Understand various EBS volume types and their use cases in terms of IOPS and throughput. SSD for IOPS and HDD for throughput
    • Understand Burst performance and I/O credits to handle occasional peaks
    • Understand EBS Snapshots (hint: backups are automated, snapshots are manual)
  • Simple Storage Service – S3
    • Cover S3 in depth
    • Understand S3 storage classes with lifecycle policies
      • Understand the difference between S3 Standard vs S3 IA vs S3 IA One Zone in terms of cost and durability
    • Understand S3 Data Protection (hint: S3 Client side encryption encrypts data before storing it in S3)
    • Understand S3 features including
      • S3 provides a cost effective static website hosting
      • S3 versioning provides protection against accidental overwrites and deletions
      • S3 Pre-Signed URLs for both upload and download provides access without needing AWS credentials
      • S3 CORS allows cross domain calls
      • S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket.
    • Understand Glacier as an archival storage with various retrieval patterns
    • Glacier Expedited retrieval allows object retrieval within mins
  • Understand Storage gateway and its different types.
    • Cached Volume Gateway provides access to frequently accessed data, while using AWS as the actual storage
    • Stored Volume gateway uses AWS as a backup, while the data is being stored on-premises as well
    • File Gateway supports SMB protocol
  • Understand FSx easy and cost effective to launch and run popular file systems.
  • Understand the difference between EBS vs S3 vs EFS
    • EFS provides shared volume across multiple EC2 instances, while EBS can be attached to a single volume within the same AZ.
  • Understand the difference between EBS vs Instance Store
  • Would recommend referring Storage Options whitepaper, although a bit dated 90% still holds right

Compute

  • Understand Elastic Cloud Compute – EC2
  • Understand Auto Scaling and ELB, how they work together to provide High Available and Scalable solution. (hint: Span both ELB and Auto Scaling across Multi-AZs to provide High Availability)
  • Understand EC2 Instance Purchase Types – Reserved, Scheduled Reserved, On-demand and Spot and their use cases
    • Choose Reserved Instances for continuous persistent load
    • Choose Scheduled Reserved Instances for load with fixed scheduled and time interval
    • Choose Spot instances for fault tolerant and Spiky loads
    • Reserved instances provides cost benefits for long terms requirements over On-demand instances
    • Spot instances provides cost benefits for temporary fault tolerant spiky load
  • Understand EC2 Placement Groups (hint: Cluster placement groups provide low latency and high throughput communication, while Spread placement group provides high availability)
  • Understand Lambda and serverless architecture, its features and use cases. (hint: Lambda integrated with API Gateway to provide a serverless, highly scalable, cost-effective architecture)
  • Understand ECS with its ability to deploy containers and micro services architecture.
    • ECS role for tasks can be provided through taskRoleArn
    • ALB provides dynamic port mapping to allow multiple same tasks on the same node
  • Know Elastic Beanstalk at a high level, what it provides and its ability to get an application running quickly.

Databases

  • Understand relational and NoSQL data storage options which include RDS, DynamoDB, Aurora and their use cases
  • RDS
    • Understand RDS features – Read Replicas vs Multi-AZ
      • Read Replicas for scalability, Multi-AZ for High Availability
      • Multi-AZ are regional only
      • Read Replicas can span across regions and can be used for disaster recovery
    • Understand Automated Backups, underlying volume types
  • Aurora
    • Understand Aurora
      • provides multiple read replicas and replicates 6 copies of data across AZs
    • Understand Aurora Serverless provides a highly scalable cost-effective database solution
  • DynamoDB
    • Understand DynamoDB with its low latency performance, key-value store (hint: DynamoDB is not a relational database)
    • DynamoDB DAX provides caching for DynamoDB
    • Understand DynamoDB provisioned throughput for Read/Writes
  • Know ElastiCache use cases, mainly for caching performance

Integration Tools

  • Understand SQS as message queuing service and SNS as pub/sub notification service
  • Understand SQS features like visibility, long poll vs short poll
  • Focus on SQS as a decoupling service
  • Understand SQS Standard vs SQS FIFO difference (hint: FIFO provides exactly once delivery but low throughput)

Analytics

  • Know Redshift as a business intelligence tool
  • Know Kinesis for real time data capture and analytics
  • Know what AWS Glue does, so you can eliminate the answer

Management Tools

  • Understand CloudWatch monitoring to provide operational transparency
  • Know which EC2 metrics it can track. Remember, it cannot track memory and disk space/swap utilization
  • Understand CloudWatch is extendable with custom metrics
  • Understand CloudTrail for Audit
  • Have a basic understanding of CloudFormation, OpsWorks

AWS Whitepapers & Cheat sheets

AWS Solutions Architect – Associate SAA-C02 Exam Domains

Note: SAA-C03 has reorganized these into 4 domains with different weightings. See the SAA-C03 Exam Learning Path for current domains.

Domain 1: Design Resilient Architectures

  1. Design a multi-tier architecture solution
  2. Design highly available and/or fault-tolerant architectures
  3. Design decoupling mechanisms using AWS services
  4. Choose appropriate resilient storage

Domain 2: Define High-Performing Architectures

  1. Identify elastic and scalable compute solutions for a workload
  2. Select high-performing and scalable storage solutions for a workload
  3. Select high-performing networking solutions for a workload
  4. Choose high-performing database solutions for a workload

Domain 3: Specify Secure Applications and Architectures

  1. Design secure access to AWS resources
  2. Design secure application tiers
  3. Select appropriate data security options

Domain 4: Design Cost-Optimized Architectures

  1. Determine how to design cost-optimized storage.
  2. Determine how to design cost-optimized compute.

AWS Certified Big Data -Speciality (BDS-C00) Exam Learning Path

⚠️ CERTIFICATION RETIRED

AWS Certified Big Data – Specialty (BDS-C00) was retired on July 1, 2020.

It was replaced by AWS Certified Data Analytics – Specialty (DAS-C01), which was itself retired on April 9, 2024.

The current replacement certification is:

This content is maintained for historical reference only. For current exam preparation, see the AWS Certified Data Engineer – Associate Exam Learning Path.

Clearing the AWS Certified Big Data – Speciality (BDS-C00) was a great feeling. This was my third Speciality certification and in terms of the difficulty level (compared to Network and Security Speciality exams), I would rate it between Network (being the toughest) Security (being the simpler one).

Big Data in itself is a very vast topic and with AWS services, there is lots to cover and know for the exam. If you have worked on Big Data technologies including a bit of Visualization and Machine learning, it would be a great asset to pass this exam.

AWS Certified Big Data – Speciality (BDS-C00) exam basically validates

  • Implement core AWS Big Data services according to basic architectural best practices
  • Design and maintain Big Data
  • Leverage tools to automate Data Analysis

Refer AWS Certified Big Data – Speciality Exam Guide for details

AWS Certified Big Data – Speciality Domains

AWS Certified Big Data – Speciality (BDS-C00) Exam Summary

  • AWS Certified Big Data – Speciality exam, as its name suggests, covers a lot of Big Data concepts right from data transfer and collection techniques, storage, pre and post processing, analytics, visualization with the added concepts for data security at each layer.
  • One of the key tactic I followed when solving any AWS Certification exam is to read the question and use paper and pencil to draw a rough architecture and focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach to the right answer or atleast have a 50% chance of getting it right.
  • Be sure to cover the following topics
    • Whitepapers and articles
    • Analytics
      • Make sure you know and cover all the services in depth, as 80% of the exam is focused on these topics
      • Elastic Map Reduce
        • Understand EMR in depth
        • Understand EMRFS (Note: EMRFS Consistent View reached end of support on June 1, 2023. Since December 2020, Amazon S3 provides strong read-after-write consistency natively, making Consistent View unnecessary.)
        • Know EMR Best Practices (hint: start with many small nodes instead on few large nodes)
        • Know Hive can be externally hosted using RDS, Aurora and AWS Glue Data Catalog
        • Know also different technologies
          • Presto is a fast SQL query engine designed for interactive analytic queries over large datasets from multiple sources
          • D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG, and CSS
          • Spark is a distributed processing framework and programming model that helps do machine learning, stream processing, or graph analytics using Amazon EMR clusters
          • Zeppelin/Jupyter as a notebook for interactive data exploration and provides open-source web application that can be used to create and share documents that contain live code, equations, visualizations, and narrative text
          • Phoenix is used for OLTP and operational analytics, allowing you to use standard SQL queries and JDBC APIs to work with an Apache HBase backing store
      • Kinesis
        • Understand Kinesis Data Streams and Kinesis Data Firehose in depth
        • Know Kinesis Data Streams vs Kinesis Firehose
          • Know Kinesis Data Streams is open ended on both producer and consumer. It supports KCL and works with Spark.
          • Know Kineses Firehose is open ended for producer only. Data is stored in S3, Redshift and OpenSearch Service (formerly Elasticsearch).
          • Kinesis Firehose works in batches with minimum 60secs interval.
        • Understand Kinesis Encryption (hint: use server side encryption or encrypt in producer for data streams)
        • Know difference between KPL vs SDK (hint: PutRecords are synchronously, while KPL supports batching)
        • Kinesis Best Practices (hint: increase performance increasing the shards)
      • Know Amazon OpenSearch Service (formerly Elasticsearch Service) is a search and analytics service which supports indexing, full text search, faceting, vector search, and log analytics.
      • Redshift
        • Understand Redshift in depth
        • Understand Redshift Advance topics like Workload Management, Distribution Style, Sort key
        • Know Redshift Best Practices w.r.t selection of Distribution style, Sort key, COPY command which allows parallelism
        • Know Redshift views to control access to data.
      • Amazon Machine Learning
      • Know Data Pipeline for data transfer (Note: AWS Data Pipeline is in maintenance mode and closed to new customers as of July 25, 2024. Alternatives include AWS Glue, AWS Step Functions, and Amazon MWAA (Managed Workflows for Apache Airflow).)
      • QuickSight
      • Know Glue as the ETL tool (AWS Glue is now at version 5.1 with Apache Spark 3.5.4, Python 3.11, and native integration with Apache Iceberg, Hudi, and Delta Lake.)
    • Security, Identity & Compliance
    • Management & Governance Tools
      • Understand AWS CloudWatch for Logs and Metrics. Also, CloudWatch Events more real time alerts as compared to CloudTrail
    • Storage
    • Compute
      • Know EC2 access to services using IAM Role and Lambda using Execution role.
      • Lambda esp. how to improve performance batching, breaking functions etc.

AWS Certified Big Data – Speciality (BDS-C00) Exam Resources

⚠️ Note: The resources below were relevant for the retired BDS-C00 exam. For current Data Engineer certification preparation, see:

Current Replacement: AWS Certified Data Engineer – Associate (DEA-C01)

The AWS Certified Data Engineer – Associate (DEA-C01) is the current certification that covers data and analytics topics on AWS. It validates skills across four domains:

  • Domain 1: Data Ingestion and Transformation (34%) – Kinesis, MSK, DMS, Glue, EMR, Step Functions
  • Domain 2: Data Store Management (26%) – S3, Redshift, DynamoDB, RDS, Lake Formation, Data Catalog
  • Domain 3: Data Operations and Support (22%) – Pipeline orchestration, monitoring, troubleshooting, MWAA
  • Domain 4: Data Security and Governance (18%) – Encryption, access control, data privacy, Lake Formation permissions

Key differences from BDS-C00:

  • Associate-level (not Specialty) – requires 1-2 years hands-on AWS experience
  • Stronger focus on modern services: AWS Glue, Lake Formation, Step Functions, Amazon MWAA
  • Includes Apache Iceberg, Hudi, and Delta Lake open table formats
  • No longer covers deprecated services (Data Pipeline, Amazon ML classic)
  • Includes Amazon OpenSearch Service (replaced Elasticsearch Service)
  • Covers Amazon SageMaker AI for ML integration in data pipelines

For the full learning path, see AWS Certified Data Engineer – Associate (DEA-C01) Exam Learning Path.

AWS Certified DevOps Engineer – Professional (DOP-C01) Exam Learning Path

AWS Certified DevOps Engineer - Professional (DOP-C01) Certificate

AWS Certified DevOps Engineer – Professional (DOP-C01) Exam Learning Path

⚠️ EXAM RETIRED – DOP-C01 No Longer Available

AWS Certified DevOps Engineer – Professional (DOP-C01) was retired on March 6, 2023.

This content is maintained for historical reference only. The DOP-C01 exam can no longer be taken.

Current Exam Version:

Key Changes in DOP-C02:

  • Updated domain structure with 6 domains (previously 5)
  • Greater emphasis on CI/CD automation, IaC, and container/serverless deployments
  • New coverage of AWS CDK, Step Functions, EventBridge, and modern observability
  • 75 questions in 180 minutes (previously 170 minutes)

AWS Certified DevOps Engineer – Professional (DOP-C01) exam was the upgraded pattern of the DevOps Engineer – Professional exam which was released in 2018. AWS replaced it with DOP-C02 on March 7, 2023.

AWS Certified DevOps Engineer – Professional (DOP-C01) exam validated

  • Implement and manage continuous delivery systems and methodologies on AWS
  • Implement and automate security controls, governance processes, and compliance validation
  • Define and deploy monitoring, metrics, and logging systems on AWS
  • Implement systems that are highly available, scalable, and self-healing on the AWS platform
  • Design, manage, and maintain tools to automate operational processes

AWS Certified DevOps Engineer – Professional (DOP-C01) Exam Summary

AWS Certified DevOps Engineer – Professional – Current Exam Resources (DOP-C02)

Note: The resources below have been updated for the current DOP-C02 exam. For the complete DOP-C02 learning path, visit the DOP-C02 Exam Learning Path.

DOP-C02 Exam Domain Overview

The current DOP-C02 exam has 6 domains (compared to 5 in DOP-C01):

  • Domain 1: SDLC Automation (22%) – CI/CD pipelines, testing, deployment strategies
  • Domain 2: Configuration Management and IaC (17%) – CloudFormation, CDK, Systems Manager
  • Domain 3: Resilient Cloud Solutions (15%) – HA, scalability, disaster recovery
  • Domain 4: Monitoring and Logging (15%) – CloudWatch, X-Ray, observability
  • Domain 5: Incident and Event Response (14%) – EventBridge, automation, remediation
  • Domain 6: Security and Compliance (17%) – IAM, secrets management, compliance automation

For the complete DOP-C02 preparation guide, refer to the AWS Certified DevOps Engineer – Professional (DOP-C02) Exam Learning Path.

AWS Certified Advanced Networking – Speciality (ANS-C00) Exam Learning Path

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Learning Path

⚠️ EXAM RETIREMENT NOTICE

AWS Certified Advanced Networking – Specialty (ANS-C01) is being retired. The last day to take the exam is August 25, 2026.

Certifications earned prior to retirement will remain active for the standard three-year period. New AWS Certified Advanced Networking – Specialty certifications will not be issued after the retirement date.

Note: The original ANS-C00 version was retired in July 2022 and replaced by ANS-C01. This page has been updated to reflect the current ANS-C01 exam content.

I recently cleared the AWS Certified Advanced Networking – Specialty (ANS-C01), which was my first, en route my path to the AWS Specialty certifications. Frankly, I feel the time I gave for preparation was still not enough, but I just about managed to get through. So a word of caution, this exam is inline or tougher than the professional exam especially for the reason that the Networking concepts it covers are not something you can get your hands dirty with easily.

AWS Certified Advanced Networking – Specialty (ANS-C01) exam focuses on AWS Networking concepts. It validates the ability to

  • Design, implement, manage, and secure AWS and hybrid network architectures at scale
  • Design and maintain network architecture for all AWS services
  • Leverage tools to automate AWS networking tasks
  • Implement network security, compliance, and governance controls

ANS-C01 Exam Domains

The ANS-C01 exam is structured into four domains (compared to six in the retired ANS-C00):

  • Domain 1: Network Design (30%) — Design solutions incorporating edge networking, DNS, load balancing, routing, and connectivity
  • Domain 2: Network Implementation (26%) — Implement routing, connectivity, multi-Region/multi-account solutions
  • Domain 3: Network Management and Operation (20%) — Maintain, monitor, and troubleshoot network solutions
  • Domain 4: Network Security, Compliance, and Governance (24%) — Implement and maintain network security controls

Refer to AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Guide

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Resources

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Summary

  • AWS Certified Advanced Networking – Specialty exam covers extensive Networking concepts like VPC, VPN, Direct Connect, Transit Gateway, Route 53, ALB, NLB, Gateway Load Balancer, AWS Network Firewall, VPC Lattice, and Cloud WAN.
  • One of the key tactics when solving questions is to read the question and use paper and pencil to draw a rough architecture and focus on the areas that you need to improve. You will be able to eliminate 2 answers for sure and then need to focus on only the other two.
  • Be sure to cover the following topics
    • Networking & Content Delivery
      • You should know everything in Networking.
      • Understand VPC in depth
      • AWS Transit Gateway
        • Understand Transit Gateway as the primary hub-and-spoke architecture for connecting VPCs and on-premises networks (replaces Transit VPC pattern)
        • Know Transit Gateway route tables, associations, propagations, and peering across Regions
        • Understand Transit Gateway Connect attachments for SD-WAN integration using GRE tunnels and BGP
        • Know Transit Gateway Network Manager for global network visibility
      • AWS Cloud WAN
        • Know AWS Cloud WAN for building and managing global WANs using a central dashboard and network policies
        • Understand Core Network, segments, attachments, and policies
        • Know when to use Cloud WAN vs Transit Gateway (Cloud WAN for multi-Region global networks; Transit Gateway for single-Region hub-and-spoke)
        • Understand Service Insertion for centralized inspection architectures
      • Amazon VPC Lattice
        • Know Amazon VPC Lattice as an application-layer networking service for service-to-service connectivity
        • Understand service networks, services, target groups, and listeners
        • Know that VPC Lattice works across VPCs and accounts without requiring VPC peering or Transit Gateway
        • Understand the difference: VPC Lattice (Layer 7 application networking) vs Transit Gateway (Layer 3 network connectivity)
      • AWS VPC IPAM
        • Know VPC IP Address Manager (IPAM) for planning, tracking, and monitoring IP addresses at scale
        • Understand IPAM pools, scopes, and allocations across multi-account environments
      • Virtual Private Network to establish connectivity between on-premises data center and AWS VPC
        • Understand Site-to-Site VPN, accelerated VPN (using Global Accelerator), and VPN over Direct Connect
        • Know CloudHub for connecting multiple VPN sites
      • Direct Connect to establish connectivity between on-premises data center and AWS VPC and Public Services
        • Make sure you understand Direct Connect in detail — without this you cannot clear the exam
        • Understand Direct Connect connections – Dedicated (1, 10, 100, 400 Gbps) and Hosted connections
        • Understand how to create a Direct Connect connection (hint: LOA-CFA provides the details for partner to connect to AWS Direct Connect location)
        • Understand virtual interfaces options – Private VIF for VPC resources, Public VIF for public resources, and Transit VIF for Transit Gateway
        • Understand Route Propagation, propagation priority, BGP connectivity, and BFD (Bidirectional Forwarding Detection)
        • Understand High Availability options: Second Direct Connect connection, VPN as backup, or LAG (Link Aggregation Group)
        • Understand Direct Connect Gateway – provides connectivity to multiple VPCs across Regions from on-premises using a single DX connection
        • Know Direct Connect SiteLink – enables sending data between Direct Connect locations bypassing AWS Regions (site-to-site connectivity)
        • Understand Direct Connect + Cloud WAN integration (direct gateway association with Core Network)
        • Understand MACsec encryption for Direct Connect (Layer 2 encryption for dedicated connections)
      • Route 53
        • Understand Route 53 and Routing Policies and their use cases. Focus on Weighted, Latency, Geolocation, and Geoproximity routing policies
        • Understand Route 53 Split View DNS for same DNS to access a site externally and internally
        • Understand Route 53 Resolver – inbound/outbound endpoints for hybrid DNS resolution between on-premises and AWS
        • Know Route 53 Resolver DNS Firewall – filters outbound DNS queries, blocks malicious domains, prevents DNS tunneling and DGA attacks
        • Know Route 53 Resolver DNS Firewall Advanced (launched Nov 2024) – provides intelligent protection with real-time threat detection
      • Understand CloudFront and use cases including Origin Shield and real-time logs
      • AWS Global Accelerator
        • Know Global Accelerator for improving global application availability and performance using the AWS global network
        • Understand the difference between CloudFront (content caching/CDN) and Global Accelerator (network-layer acceleration with static anycast IPs)
        • Know dual-stack support for NLB endpoints
      • Load Balancer
        • Understand ALB, NLB, and Gateway Load Balancer (GWLB)
        • Understand the difference: ALB (Layer 7 – content, host, path-based routing), NLB (Layer 4 – static IP, ultra-low latency, TLS passthrough), GWLB (Layer 3 – transparent network gateway for third-party appliances)
        • Know Gateway Load Balancer for deploying, scaling, and managing third-party virtual appliances (firewalls, IDS/IPS) with GENEVE encapsulation
        • Know how to design VPC CIDR block with NLB (Hint – minimum number of IPs required are 8)
        • Know how to pass original Client IP to the backend instances (Hint – X-Forwarded-For for ALB, Proxy Protocol for NLB, and client IP preservation for GWLB)
      • Know WorkSpaces requirements and setup
    • Security
      • AWS Network Firewall
        • Know AWS Network Firewall as a managed stateful network firewall and IDS/IPS for VPCs
        • Understand rule groups (stateless and stateful), firewall policies, and deployment models (centralized, distributed)
        • Know integration with Gateway Load Balancer for centralized inspection architectures
      • AWS Verified Access
        • Know AWS Verified Access for secure application access without VPN using Zero Trust principles
        • Evaluates each request based on user identity and device health rather than network location
        • Now supports non-HTTP(S) protocols (announced re:Invent 2024)
      • Know AWS GuardDuty as managed threat detection service
      • Know AWS Shield esp. Shield Advanced and features (DDoS cost protection, SRT access, advanced mitigation)
      • Know WAF as Web Traffic Firewall — (Hint – WAF can be attached to CloudFront, ALB, API Gateway, AppSync, and Cognito User Pools)
      • Know AWS Firewall Manager for centrally managing firewall rules across accounts and resources in AWS Organizations

Key Differences: ANS-C01 vs ANS-C00

  • Structure: ANS-C01 has 4 domains (vs 6 in ANS-C00) — more streamlined and focused
  • New Services: Transit Gateway, Cloud WAN, VPC Lattice, IPAM, Network Firewall, Gateway Load Balancer, Global Accelerator, Verified Access, Route 53 Resolver endpoints
  • Deprecated Patterns: Transit VPC pattern replaced by Transit Gateway; complex VPN hub-and-spoke designs replaced by Transit Gateway with Cloud WAN
  • Emphasis Changes: Greater focus on multi-account/multi-Region networking, Zero Trust architecture, network automation, and centralized security
  • Direct Connect: Transit VIF, SiteLink, MACsec encryption, 400 Gbps connections, and Cloud WAN integration are new topics

GCP Associate Cloud Engineer Certification Path

Google Cloud - Associate Cloud Engineer

Google Cloud – Associate Cloud Engineer Certification learning path

📋 Last Updated: June 2026 — This guide has been updated to reflect the current ACE exam guide, including Cloud Run, Spot VMs, AlloyDB, Terraform/IaC tools, and the deprecation of Deployment Manager.

Google Cloud – Associate Cloud Engineer certification exam is for individuals who deploy applications, monitor operations, and manage enterprise solutions on Google Cloud. The exam validates production-ready skills including deploying and securing applications, configuring networks and IAM, monitoring systems, and automating routine tasks.

Google Cloud – Associate Cloud Engineer Certification Summary

  • Has 50-60 questions (typically ~50) to be answered in 2 hours.
  • Registration fee: $125 (plus tax where applicable).
  • Available in English, Japanese, Spanish, and Portuguese.
  • Covers wide range of Google Cloud services and what they actually do. It focuses heavily on IAM, Compute (including Cloud Run and Cloud Functions), Storage with networking and monitoring/observability.
  • Hands-on is a must. Covers Cloud SDK, CLI commands and Console operations that you would use for day-to-day work. If you have not worked on GCP before make sure you do lot of labs else you would be absolute clueless for some of the questions and commands.
  • The exam includes multiple-select questions where you must choose 2 or 3 correct answers from 4-5 options.
  • Make sure you understand Infrastructure as Code tools (Terraform, Config Connector) as Deployment Manager has been deprecated.

Google Cloud – Associate Cloud Engineer Certification Topics

General Services

  • Cloud Billing
    • Understand how Cloud Billing works. Monthly vs Threshold and which has priority
    • Budgets can be set to alert for projects
    • How to change a billing account for a project and what roles you need. Hint – Project Owner and Billing Administrator for the billing account
    • Cloud Billing can be exported to BigQuery and Cloud Storage
  • Resource Manager
    • Understand Resource Manager the hierarchy Organization -> Folders -> Projects -> Resources
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
    • Understand organizational policies and how they constrain resource configurations across the hierarchy.
  • Cloud SDK
    • Understand gcloud commands esp. when dealing with
      • configurations i.e. gcloud config
        • activate profiles – gcloud config configurations activate
        • GKE setting default cluster i.e. gcloud config set container/cluster CLUSTER_NAME
        • set project gcloud config set project mygcp-demo
        • set region gcloud config set compute/region us-west1
        • set zone gcloud config set compute/zone us-west1-a
      • Get project list and ids gcloud projects list
      • Auth i.e gcloud auth
        • Auth login using user gcloud auth login
        • Auth login using service account gcloud auth activate-service-account --key-file=sa_key.json
      • VPC firewalls i.e. gcloud compute firewall-rules

Network Services

  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets and host applications within them. Hint – VPC spans across regions
    • Understand how Firewall rules work and how they are configured. Hint – Focus on Network Tags and Service Accounts for targeting. Also, there are 2 implicit firewall rules – default ingress deny and default egress allow
    • Understand creating ingress and egress firewall rules and policies (IP subnets, network tags, service accounts)
    • Understand VPC Peering and Shared VPC
    • Understand the concept of internal and external IPs and difference between static and ephemeral IPs
    • Primary IP range of an existing subnet can be expanded by modifying its subnet mask, setting the prefix length to a smaller number.
    • Understand Cloud DNS and Cloud NAT configuration and management.
  • Cloud Load Balancing
    • Understand Google Cloud Load Balancing
    • Know load balancer options and differences esp. HTTPS and SSL proxy when handling SSL termination.
    • Understand Network Service Tiers (Premium vs Standard) and their impact on routing and availability.

Identity Services

  • Identity and Access Management – IAM
    • Identity and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • Understand how IAM works and how rules apply esp. the hierarchy from Organization -> Folder -> Project -> Resources
    • Understand the difference between Basic (formerly Primitive), Predefined and Custom roles and their use cases
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
    • Basically Permissions -> Roles -> (IAM Policy) -> Members (Principals)
    • Need to know and understand the roles for the following services at least
      • Cloud Storage – Admin vs Creator vs Viewer
      • Compute Engine – Admin vs Instance Admin
      • Spanner – Viewer vs Database User
      • BigQuery – User vs JobUser
    • Know how to copy roles to different projects or organization. Hint – gcloud iam roles copy
    • Know how to use service accounts with applications
    • Understand service account impersonation and creating short-lived credentials
    • Apply principle of least privilege when assigning service accounts to resources
  • Cloud Identity
    • Cloud Identity provides IDaaS (Identity as a Service) and provides single sign-on functionality and federation with external identity providers like Active Directory.
    • Know how to manage users and groups in Cloud Identity (manually and automated)

Compute Services

  • Make sure you know all the compute services: Compute Engine, App Engine, Google Kubernetes Engine, Cloud Run, and Cloud Functions. They are heavily covered in the exam.
  • Google Compute Engine
    • Google Compute Engine is the best IaaS option for compute and provides fine-grained control
    • Know how to create a Compute Engine instance, connect to it using Cloud Shell or SSH keys
    • Difference between backups and images and how to create instances from the same.
    • Instance templates with managed instance groups. Instance template cannot be edited, create a new one and attach.
    • Difference between managed vs unmanaged instance groups and auto-healing feature
    • Spot VMs (replacement for Preemptible VMs) and their use cases. HINT – Spot VMs can be terminated any time when Compute Engine needs resources, but unlike Preemptible VMs they have NO 24-hour maximum lifetime. Same pricing model as Preemptible VMs. Google recommends using Spot VMs instead of Preemptible VMs for new workloads.
    • Understand custom machine types for right-sizing compute resources
    • Upgrade an instance without downtime using Live Migration
    • Managing access using OS Login or project and instance metadata
    • Configure VM Manager for OS patch management and compliance
    • Prevent accidental deletion using deletion protection flag
    • In case of any issues or errors, how to debug the same
  • Google App Engine
    • Google App Engine is mainly the best option for PaaS with platforms supported and features provided.
    • Deploy an application with App Engine and understand how versioning and rolling deployments can be done
    • Understand how to keep auto scaling and traffic splitting and migration.
    • Know App Engine is a regional resource and understand the steps to migrate or deploy application to different region and project.
    • Know the difference between App Engine Flexible vs Standard
  • Google Kubernetes Engine (GKE)
    • Google Kubernetes Engine enables you to run containers on Google Cloud Platform.
    • GKE takes care of provisioning and maintaining the underlying virtual machine cluster, scaling your application, and operational logistics such as logging, monitoring, and cluster health management.
    • Be sure to Create a Kubernetes Cluster and configure it to host an application
    • Understand different cluster configurations: Autopilot (fully managed, recommended for most workloads), Standard, regional clusters, and private clusters
    • Understand GKE Enterprise for multi-cluster management
    • Understand how to make the cluster auto-repairable and upgradable. Hint – Node auto-upgrades and auto-repairing feature
    • Very important to understand where to use gcloud commands (to create a cluster) and kubectl commands (manage the cluster components)
    • Very important to understand how to increase cluster size, enable autoscaling, and manage node pools (add, edit, remove)
    • Know how to manage secrets like database passwords
    • Understand Horizontal and Vertical Pod Autoscaler configurations
    • Know how to configure GKE to access Artifact Registry for container images
  • Cloud Run
    • Cloud Run is a fully managed serverless platform for running containerized applications.
    • Deploy containerized applications without managing infrastructure
    • Understand traffic splitting between revisions for canary deployments
    • Configure scaling parameters (min/max instances, concurrency)
    • Understand event-driven architecture with Eventarc and Pub/Sub triggers
    • Know when to choose Cloud Run vs App Engine vs GKE vs Cloud Functions
  • Cloud Functions
    • Cloud Functions is a serverless execution environment for building and connecting cloud services.
    • Best for event-driven, single-purpose functions (e.g., responding to Cloud Storage events, Pub/Sub messages)
    • Understand triggers: HTTP, Pub/Sub, Cloud Storage, Eventarc
    • Know the difference between Cloud Functions and Cloud Run for serverless workloads

Storage Services

  • Understand each storage service options and their use cases.
  • Cloud Storage
    • Cloud Storage is cost-effective object storage for unstructured data.
    • Very important to know the different storage classes and their use cases:
      • Standard (frequent access — replaces the legacy Regional and Multi-Regional classes)
      • Nearline (access less than once per 30 days)
      • Coldline (access less than once per 90 days)
      • Archive (access less than once per year — coldest tier, ideal for long-term retention and compliance)
    • Understand lifecycle management. HINT – Changes are in accordance to object creation date
    • Understand Signed URL to give temporary access and the users do not need to be GCP users
    • Understand access control and permissions – IAM vs ACLs (fine-grained control). IAM is recommended for uniform bucket-level access.
    • Understand best practices esp. uploading and downloading the data. HINT using parallel composite uploads
  • Relational Databases
    • Cloud SQL
      • Cloud SQL is a fully-managed service that provides MySQL, PostgreSQL, and SQL Server
      • Supports up to 64TB storage and is a regional service.
      • Difference between Failover and Read replicas. Failover provides High Availability and almost zero downtime while Read replicas provide scalability. Cross-region Read Replicas are supported.
      • Perform Point-In-Time recovery. Hint – requires binary logging and backups
    • AlloyDB for PostgreSQL
      • AlloyDB is a fully managed, PostgreSQL-compatible database designed for demanding enterprise workloads.
      • Provides up to 4x faster transactional performance than standard PostgreSQL.
      • Features automatic storage scaling, columnar engine for analytics, and 99.99% availability SLA.
      • Best for enterprise applications needing PostgreSQL compatibility with superior performance and availability.
      • Now included in the ACE exam guide as a data solution option.
    • Cloud Spanner
      • Is a fully managed, mission-critical relational database service.
      • Provides a scalable online transaction processing (OLTP) database with high availability and strong consistency at global scale.
      • Globally distributed and can scale and handle more than 10TB.
      • Not a direct replacement for Cloud SQL and would need migration.
  • NoSQL Databases
    • Firestore
      • Highly scalable and serverless NoSQL document database with MongoDB compatibility.
      • Suitable for mobile, web, and IoT applications requiring real-time sync.
      • Now included in the ACE exam guide as both a deployment and management topic.
    • Bigtable
      • Cloud-native wide-column database for large-scale, low-latency workloads (IoT, analytics, time-series data).
  • Data Warehousing
    • BigQuery
      • Provides scalable, fully managed enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
      • Remember it is most suitable for historical analysis and analytics.
      • Know how to perform a preview or dry run. Hint – price is determined by bytes read not bytes returned.
      • Supports federated tables or external tables that can support Cloud Storage, Bigtable, Google Drive and Cloud SQL.
      • Understand how to review job status and estimate costs.

Data Services

  • Although there are only a few references to data services in the exam, it is important to know the data analytics stack to understand which service fits the different layers of ingest, store, process, and analytics:
    • Cloud Storage as the medium to store data as a data lake
    • Pub/Sub as the messaging service to capture real-time data esp. IoT. Designed to provide reliable, many-to-many, asynchronous messaging between applications.
    • Dataflow to process, transform, and transfer data — the key service for stream and batch processing pipelines.
    • BigQuery for storage and analytics. Remember BigQuery provides a cost-effective option for storage similar to Cloud Storage.
    • Managed Service for Apache Spark (formerly Cloud Dataproc) for existing Hadoop/Spark jobs. Hint – Use it to replace existing Hadoop infrastructure. Renamed from Dataproc in 2025.

⚠️ Deprecated Data Services:

  • Cloud Datalab — Deprecated since September 2, 2022. Replaced by Vertex AI Workbench for interactive data exploration, analysis, and visualization.
  • Cloud Dataprep — Now “Dataprep by Trifacta” (operated by Alteryx). Consider Cloud Data Fusion for data preparation and integration on Google Cloud.

Monitoring and Observability

  • Google Cloud Operations Suite (formerly Stackdriver)
    • The suite includes Cloud Monitoring, Cloud Logging, Cloud Trace, Cloud Profiler, and Error Reporting.
    • Create Cloud Monitoring alerts based on resource metrics
    • Create and ingest custom metrics (from applications or logs)
    • Export logs to external systems (on-premises, BigQuery)
    • Configure log buckets, log analytics, and log routers
    • View and filter logs in Cloud Logging; view specific log message details
    • Use cloud diagnostics to research application issues
    • Configure and deploy Ops Agent (replaces the legacy Monitoring and Logging agents)
    • Deploy Managed Service for Prometheus for Kubernetes workload monitoring
    • Configure audit logs for security and compliance
    • Remember audits and troubleshooting primarily involve checking Cloud Logging and Cloud Monitoring

DevOps and Infrastructure as Code

  • Infrastructure as Code (IaC)
    • The ACE exam now focuses on modern IaC tooling:
    • Terraform — The recommended IaC tool for Google Cloud. Supports declarative infrastructure provisioning with HCL.
    • Infrastructure Manager — Google Cloud’s managed Terraform service for deploying and managing infrastructure.
    • Config Connector — Kubernetes add-on for managing Google Cloud resources using Kubernetes-style YAML.
    • Cloud Foundation Toolkit — Reference templates and best practices for Terraform deployments.
    • Helm — Package manager for Kubernetes applications.

⚠️ Deployment Manager — DEPRECATED

Google Cloud Deployment Manager support ended December 31, 2025 and reached End of Life on March 31, 2026.

Migration Options:

  • Terraform (recommended) — Multi-cloud support, richer module ecosystem, expressive configuration language
  • Infrastructure Manager — Google Cloud’s managed Terraform service
  • Config Connector — For Kubernetes-native resource management

The ACE exam guide now references Terraform, Config Connector, Cloud Foundation Toolkit, and Helm as IaC tools instead of Deployment Manager.

  • Google Cloud Marketplace (formerly Cloud Launcher)
    • Provides a way to launch common software packages (e.g., Jenkins, WordPress) and stacks on Google Compute Engine with just a few clicks — a prepackaged solution.
    • Can help minimize deployment time and can be used without detailed knowledge about the product.

Google Cloud – Associate Cloud Engineer Certification Exam Domains (2025/2026)

The current exam guide covers five sections:

  • Section 1: Setting up a cloud solution environment (~20%) — Resource hierarchy, organizational policies, IAM roles, Cloud Identity, billing configuration
  • Section 2: Planning and configuring a cloud solution (~17.5%) — Compute choices (Compute Engine, GKE, Cloud Run, Cloud Functions), data storage options, network resources
  • Section 3: Deploying and implementing a cloud solution (~25%) — Compute Engine, GKE (Autopilot, regional, private clusters), Cloud Run & Cloud Functions, data solutions (Cloud SQL, Firestore, BigQuery, Spanner, AlloyDB, Pub/Sub, Dataflow), networking, IaC (Terraform, Config Connector, Helm)
  • Section 4: Ensuring successful operation (~20%) — Managing Compute Engine, GKE, Cloud Run resources; storage/database management; networking; monitoring and logging (Ops Agent, Managed Prometheus)
  • Section 5: Configuring access and security (~17.5%) — IAM policies, role types, service accounts, impersonation, short-lived credentials

Google Cloud – Associate Cloud Engineer Certification Resources

GCP Professional Data Engineer Certification Path

Google Cloud – Professional Data Engineer Certification Learning Path

I just recertified on my Google Cloud Certified – Professional Data Engineer certification. The first attempt on the Data Engineer exam has already been 2 long years which lasted for 4 hours with 95 questions. Once again, similar to the other Google Cloud certification exams, the Data Engineer exam covers not only the gamut of services and concepts but also focuses on logical thinking and practical experience.

📋 2025-2026 Exam Update Notice

The Professional Data Engineer exam has been significantly updated. Key changes include:

  • Increased focus on data governance (Dataplex), data lakehouse architecture (BigLake), Looker/Looker Studio for visualization, and Vertex AI for ML.
  • Reduced focus on deep ML concepts (overfitting, hyperparameters), Compute Engine/GKE, and command-line syntax.
  • New services covered: Dataplex Universal Catalog, BigLake, Analytics Hub, Dataform, Vertex AI (replacing AI Platform/Cloud ML Engine).
  • Deprecated services removed: Cloud Datalab (replaced by Vertex AI Workbench), Pub/Sub Lite (EOL March 2026), Data Catalog (replaced by Dataplex Knowledge Catalog).
  • Rebranding: Cloud DLP is now Sensitive Data Protection; Stackdriver is fully replaced by Cloud Monitoring/Logging; Vertex AI is now Gemini Enterprise Agent Platform.

Google Cloud – Professional Cloud Data Engineer Certification Summary

  • Cloud Data Engineer exam has 50 to 60 questions to be answered in 2 hours
  • Covers a wide range of data services including machine learning, with other topics covering storage, security, and data governance.
  • Exam does not cover any case studies
  • The exam has been updated to reflect current service names — Cloud Monitoring and Cloud Logging (no longer Stackdriver).
  • Strong focus on BigQuery, Dataflow, Pub/Sub, Dataproc, Cloud Composer, Looker, and Vertex AI.
  • Nothing much on Compute and Network is covered
  • Questions sometimes test your logical thinking rather than any concept regarding Google Cloud.
  • Hands-on is MUST, if you have not worked on GCP before make sure you do lots of labs else you would be absolutely clueless about some of the questions and commands
  • Be sure that NO Online Courses or Practice tests are going to cover all. Hands-on or practical knowledge is MUST.

Google Cloud – Professional Cloud Data Engineer Certification Resources

Google Cloud – Professional Cloud Data Engineer Certification Topics

Data & Analytics Services

  • Obviously, there are lots and lots of data and related services
  • Google Cloud Data & Analytics Services Cheatsheet
  • Know the Big Data stack and understand which service fits the different layers of ingest, store, process, analytics
  • Cloud BigQuery
    • provides scalable, fully managed enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
    • ideal for storage and analytics.
    • provides the same cost-effective option for storage as Cloud Storage
    • understand BigQuery Security
      • use BigQuery IAM access roles to control data and querying access
      • use Authorized views to access control tables, columns within tables, and query results. HINT: Authorized views need to reside in a different dataset as compared to the source dataset.
      • support data encryption
    • understand BigQuery Best Practices including key strategy, cost optimization, partitioning, and clustering
      • use dry run to estimate costs
      • use partitioning and clustering to limit the amount of data scanned
      • using external data sources might result in query performance degradation and its better to import the data
    • Dataset location can be set ONLY at the time of its creation.
    • supports schema auto-detection for JSON and CSV files.
    • understand how BigQuery Streaming works
    • know BigQuery limitations esp. with updates and inserts
    • supports an external data source (federated data source)
      • which is a data source that can be queried directly even though the data is not stored in BigQuery.
      • offers support for querying data directly from:
        • Cloud Bigtable
        • Cloud Storage
        • Google Drive
        • Cloud SQL
      • Use Permanent table for querying an external data source multiple times
      • Use Temporary table for querying an external data source for one-time, ad-hoc queries over external data, or for extract, transform, and load (ETL) processes.
    • BigQuery Studio (launched 2023) provides a unified workspace with SQL and notebook (Colab Enterprise) interfaces for data engineers, analysts, and scientists to perform end-to-end data tasks.
    • BigQuery editions (Standard, Enterprise, Enterprise Plus) provide flexible compute pricing with autoscaling slots, replacing the legacy flat-rate pricing model.
    • BI Engine provides fast in-memory analysis for sub-second query performance on dashboards connected to BigQuery.
  • Cloud Bigtable
    • provides column database suitable for both low-latency single-point lookups and precalculated analytics
    • understand Bigtable is not for long term storage as it is quite expensive
    • know the differences with HBase
    • Know how to measure performance and scale
    • supports Development and Production mode. Development mode can be upgraded to production and not vice versa.
    • supports HDD and SDD storage during cluster creation. HDD can be converted to SDD by exporting the data to the new instance.
    • understand Bigtable Replication. Can be used to separate real-time and batch workloads on the same instance using application profiles.
  • Cloud Pub/Sub
    • as the messaging service to capture real-time data esp. IoT
    • is designed to provide reliable, many-to-many, asynchronous messaging between applications esp. real-time IoT data capture
    • now supports exactly-once delivery (when subscribers connect in the same region), in addition to the default at-least-once delivery.
    • how it compares to Kafka (HINT: Pub/Sub provides only 7 days of retention vs Kafka which depends on the storage)
    • Note: Pub/Sub Lite has been deprecated (no new customers after Sept 24, 2024; EOL March 18, 2026). Use standard Pub/Sub instead.
  • Cloud Dataflow
    • to process, transform, transfer data and the key service to integrate store and analytics.
    • know how to improve a Dataflow performance
    • understand Apache Beam features as well
      • understand PCollections, Transforms, ParDo and what they do
      • understand windowing, watermarks, triggers Hint: windowing and watermarks can be used to handle delayed messages
    • supports drain feature to finish existing jobs but stop processing new ones, usually useful for deploying incompatible breaking changes
    • canceling a job will lead to an immediate stop and in-flight data loss.
    • Note: Dataflow SQL has been deprecated (July 2024, shutdown Jan 2025). Use standard Dataflow with Apache Beam SDK instead.
  • Cloud Dataprep (by Trifacta/Alteryx)
    • to clean and prepare data. It can be used for anomaly detection.
    • does not need any programming language knowledge and can be done through the graphical interface
    • be sure to know or try hands-on on a dataset
    • Note: Now operated by Alteryx. For new projects, consider Dataform (integrated into BigQuery) for SQL-based data transformations.
  • Cloud Dataproc
    • to handle existing Hadoop/Spark jobs
    • supports connector for BigQuery, Bigtable, Cloud Storage
    • supports Ephemeral clusters and with Cloud Storage connector support the data can be stored in GCS instead of HDFS
    • you need to know how to improve the performance of the Hadoop cluster as well :). Know how to configure the Hadoop cluster to use all the cores (hint- spark executor cores) and handle out of memory errors (hint – executor memory)
    • Secondary workers can be used to scale with the below limitations
      • Processing only with no data storage
      • No secondary-worker-only clusters
      • Persistent disk size is used for local caching of data and is not available through HDFS.
    • how to install other components (hint – initialization actions)
    • Dataproc Serverless allows running Spark batch workloads and interactive sessions without managing clusters.
  • Vertex AI Workbench
    • is the interactive notebook-based environment for data exploration, transformation, analysis, and visualization on Google Cloud
    • replaces the deprecated Cloud Datalab (deprecated Sept 2022)
    • provides managed and user-managed notebook instances with JupyterLab
    • integrates with BigQuery, Dataproc, and other GCP services
  • Cloud Composer
    • fully managed workflow orchestration service, based on Apache Airflow, enabling workflow creation that spans across clouds and on-premises data centers.
    • pipelines are configured as directed acyclic graphs (DAGs)
    • workflow lives on-premises, in multiple clouds, or fully within GCP.
    • provides the ability to author, schedule, and monitor the workflows in a unified manner
    • Composer 2 (current) provides autoscaling, better resource management, and improved performance over Composer 1.

Data Governance & Catalog Services

  • Dataplex
    • intelligent data fabric that enables organizations to centrally manage, monitor, and govern data across data lakes, data warehouses, and data marts.
    • organizes data into Lakes, Zones, and Assets for logical data management.
    • provides unified access management across BigQuery, Cloud Storage, and other services.
    • supports data quality rules and automated data profiling.
    • Dataplex Knowledge Catalog (formerly Dataplex Universal Catalog, replacing deprecated Data Catalog) provides metadata management, data discovery, and governance features.
    • Understand data mesh architecture patterns with Dataplex — the exam tests when data mesh is the right answer.
  • BigLake
    • unified storage engine that extends BigQuery’s fine-grained security and governance to multi-cloud and open-format data.
    • creates a unified interface over data stored in Cloud Storage (and even AWS S3 or Azure ADLS).
    • supports formats like Parquet, ORC, Avro, and Apache Iceberg.
    • enables applying BigQuery column-level security and row-level access policies to data lake files.
  • Analytics Hub
    • centralized platform for sharing BigQuery datasets securely, both within and across organizations.
    • enables data providers to list datasets and data consumers to subscribe under governed access controls.
    • supports private data exchanges for internal organizational sharing.
  • Dataform
    • integrated into BigQuery for SQL-based data transformation and pipeline management.
    • supports version control (Git), testing, and documentation for data pipelines.
    • alternative to dbt for BigQuery-native SQL workflow orchestration.

Identity Services

  • Cloud IAM
    • provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • Understand how IAM works and how rules apply esp. the hierarchy from Organization -> Folder -> Project -> Resources
    • Understand IAM Best practices

Storage Services

  • Understand each storage service option and its use cases.
  • Cloud Storage
    • cost-effective object storage for unstructured data.
    • very important to know the different classes and their use cases:
      • Standard — frequent access (hot data)
      • Nearline — monthly access (30-day minimum storage)
      • Coldline — quarterly access (90-day minimum storage)
      • Archive — yearly access (365-day minimum storage, lowest cost)
    • Autoclass automatically transitions objects between storage classes based on access patterns, eliminating retrieval and early-deletion charges.
    • Understand Signed URL to give temporary access and the users do not need to be GCP users
    • Understand permissions – IAM vs ACLs (fine-grained control). Note: Uniform bucket-level access is now the recommended default over ACLs.
  • Cloud SQL
    • is a fully-managed service that provides MySQL, PostgreSQL, and SQL Server.
    • supports Enterprise and Enterprise Plus editions with different performance tiers.
    • Limited to 64TB storage and is a regional service.
    • No direct options for Oracle yet.
  • AlloyDB for PostgreSQL
    • fully managed PostgreSQL-compatible database with up to 4x faster performance than standard PostgreSQL for transactional workloads and up to 100x faster for analytical queries.
    • integrates with Vertex AI for built-in vector search and AI capabilities.
    • ideal for demanding enterprise workloads requiring PostgreSQL compatibility with enhanced performance.
  • Cloud Spanner
    • is a fully managed, mission-critical relational database service.
    • provides a scalable online transaction processing (OLTP) database with high availability and strong consistency at a global scale.
    • globally distributed and can scale and handle more than 10TB.
    • now supports PostgreSQL interface for familiar tooling and migration.
    • supports Spanner Graph, full-text search, and vector search (2024-2025) making it a multi-model database.
    • not a direct replacement for Cloud SQL and would need migration
  • Cloud Firestore (Datastore mode)
    • provides document database for web and mobile applications. Datastore mode is not for analytics.
    • Firestore in Datastore mode is the recommended successor to the legacy Cloud Datastore.
    • Understand Datastore indexes and how to update indexes for Datastore
    • Firestore now offers Standard and Enterprise editions with enhanced features.

Machine Learning

  • Google expects the Data Engineer to know some of the Data scientists stuff, though the depth has been reduced in the current exam.
  • Understand the different algorithms
    • Supervised Learning (labeled data)
      • Classification (for e.g. Spam or Not)
      • Regression (for e.g. Stock or House prices)
    • Unsupervised Learning (Unlabelled data)
      • Clustering (for e.g. categories)
    • Reinforcement Learning
  • Vertex AI (now rebranded as Gemini Enterprise Agent Platform)
    • Unified ML platform replacing the legacy AI Platform and Cloud ML Engine.
    • provides end-to-end ML workflow: data preparation, training, deployment, and monitoring.
    • Vertex AI Workbench for notebook-based development (replaces Cloud Datalab).
    • AutoML for building models without extensive ML expertise.
    • Vertex AI Pipelines for orchestrating ML workflows.
    • Model Registry for versioning and managing models.
    • Access to Gemini foundation models for generative AI use cases.
  • Know the Cloud AI products which include
    • Cloud Vision AI
    • Cloud Natural Language AI
    • Cloud Speech-to-Text
    • Cloud Video Intelligence AI
    • Dialogflow (conversational AI)

Monitoring

  • Cloud Monitoring and Cloud Logging (formerly Stackdriver)
    • provides monitoring, alerting, error reporting, metrics, diagnostics, debugging, and trace capabilities.
    • remember audits are mainly checking Cloud Logging entries (Audit Logs)
    • Aggregated sink can route log entries from the organization or folder, plus (recursively) from any contained folders, billing accounts, or projects
    • Cloud Logging supports log-based metrics for creating dashboards and alerts.

Security Services

  • Sensitive Data Protection (formerly Cloud Data Loss Prevention / Cloud DLP)
    • to handle sensitive data esp. redaction of PII data.
    • provides discovery, classification, and de-identification of sensitive data inside and outside Google Cloud.
    • integrated with Security Command Center for risk assessment.
  • understand Encryption techniques
    • Google-managed encryption keys (default)
    • Customer-managed encryption keys (CMEK) via Cloud KMS
    • Customer-supplied encryption keys (CSEK)

Data Transfer Services

  • Storage Transfer Service
    • allows import of large amounts of data into Google Cloud Storage, quickly and cost-effectively.
    • supports transfers from AWS S3, Azure Blob Storage, HTTP/HTTPS locations, other GCS buckets, and on-premises file systems (via agent-based transfers).
    • recommended for transferring more than 1 TB from on-premises or cloud sources.
  • Transfer Appliance
    • to transfer large amounts of data (hundreds of TB to PB) quickly and cost-effectively into Google Cloud Platform via physical appliance.
    • Check for the data size — typically used when network transfer would take too long.
  • BigQuery Data Transfer Service
    • to integrate with third-party services (e.g., Google Ads, YouTube, Amazon S3, Teradata) and load data into BigQuery on a scheduled basis.

Visualization & BI

  • Looker Studio (formerly Google Data Studio)
    • free, self-service BI tool for creating interactive dashboards and reports.
    • connects directly to BigQuery and other data sources.
    • can use BigQuery BI Engine for sub-second query performance.
  • Looker
    • enterprise BI platform with LookML modeling language for governed metrics.
    • provides semantic layer, embedded analytics, and data applications.
    • integrated with BigQuery for governed, reusable analytics.

GCP Professional Cloud Architect Certification Path

Google Cloud - Professional Cloud Architect certificate

Google Cloud – Professional Cloud Architect Certification Learning Path

🔄 Last Updated: June 2026 — This post has been updated to reflect the new PCA exam format (v6.1, released October 30, 2025), new case studies, AI/ML content additions, service rebrandings, and the transition to Pearson as exam delivery provider (March 2026).

Re-certified !!!! Google Cloud – Professional Cloud Architect certification exam is one of the toughest exam I have appeared for. Even though it was recertification, the preparation level was same as the first one. The gamut of services and concepts it tests your knowledge on is really vast.

Google Cloud – Professional Cloud Architect Certification Summary

  • Has 50 questions to be answered in 2 hours.
  • Registration fee is $200 (plus tax where applicable).
  • Covers wide range of Google Cloud services and what they actually do.
  • includes Compute, Storage, Network, Data services, and now AI/ML services (Vertex AI, Gemini)
  • The exam was significantly updated in October 2025 (v6.1) to include the Google Cloud Well-Architected Framework and AI/ML integration topics.
  • Questions sometimes tests your logical thinking rather than any concept regarding Google Cloud.
  • Hands-on is a MUST, if you have not worked on GCP before make sure you do lots of labs else you would be absolute clueless for some of the questions and commands
  • Make sure you cover the case studies before hand. The exam includes ~15 questions based on case studies and it can really be a savior for you in the exams.
  • Be sure that NO Online Course or Practice tests is going to cover all. Hands-on or practical knowledge is MUST.
  • Exam Delivery: As of March 2026, exams are delivered through Pearson VUE (previously Kryterion). Exams can be taken onsite at test centers or remotely.

Google Cloud – Professional Cloud Architect Exam Updates (October 2025 – v6.1)

  • AI Content Expansion: Two new sections (2.4, 2.5) focused on Vertex AI, including AutoML, custom training, and model deployment.
  • Well-Architected Framework: Now required knowledge; questions focus on operational excellence, security, reliability, cost optimization, and performance pillars.
  • New Case Studies: EHR Healthcare retained; three new scenarios added — Altostrat Media, Cymbal Retail, and KnightMotives Automotive (all with AI integration).
  • ~30% new topics compared to the previous version; some older topics have been deprioritized.
  • Service Rebrandings: Be aware of Dataproc → Managed Service for Apache Spark, Cloud Functions → Cloud Run functions, Container Registry → Artifact Registry.

Google Cloud – Professional Cloud Architect Certification Resources

Google Cloud – Professional Cloud Architect Certification Topics

General Services

  • Cloud Billing
    • understand how Cloud Billing works. Monthly vs Threshold and which has priority
    • Budgets can be set to alert for projects
    • how to change a billing account for a project and what roles you need. Hint – Project Owner and Billing Administrator for the billing account
    • Cloud Billing can be exported to BigQuery and Cloud Storage
  • Resource Manager
    • Understand Resource Manager the hierarchy Organization -> Folders -> Projects -> Resources
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.

Identity Services

  • Cloud Identity and Access Management
    • Identify and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • Understand how IAM works and how rules apply esp. the hierarchy from Organization -> Folder -> Project -> Resources
    • Understand the difference between Basic (formerly Primitive), Pre-defined and Custom roles and their use cases
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
    • Basically Permissions -> Roles -> (IAM Policy) -> Members (Principals)
    • Know how to use service accounts with applications
    • Understand IAM Conditions for fine-grained, attribute-based access control
    • Understand IAM Deny Policies to set guardrails on access
  • Cloud Identity
    • Cloud Identity provides IDaaS (Identity as a Service) and provides single sign-on functionality and federation with external identity provides like Active Directory.
    • Cloud Identity supports federating with Active Directory using GCDS to implement the synchronization

Compute Services

    • Make sure you know all the compute services Google Compute Engine, Google App Engine, Google Kubernetes Engine, and Cloud Run. You need to be sure to know the pros and cons and the use cases that you should use them.
    • Google Compute Engine
      • Google Compute Engine is the best IaaS option for compute and provides fine grained control
      • Know how to create a Compute Engine instance, connect to it using Cloud shell or ssh keys
      • Difference between backups and images and how to create instances from the same.
      • Understand Compute Engine Storage Options. Disk throughput and IOPS depends on type and size.
      • Understand Compute Engine Snapshots
      • Instance templates with managed instance groups provide scalability and high availability
      • Instance template cannot be edited, create a new one and attach.
      • Difference between managed vs unmanaged instance groups and auto-healing feature
      • Managed instance groups are covered heavily the exam, as they provide the key auto-scaling capability. Hint: you need to create an Instance template and associate it with Instance group
      • Understand how migration or traffic splitting with Managed instance groups works Hint – rolling updates & deployments
      • Spot VMs (previously known as Preemptible VMs) and their use cases. HINT – can be terminated any time when Compute Engine needs the resources. Spot VMs no longer have the 24-hour maximum lifetime limitation that Preemptible VMs had.
      • Upgrade an instance without downtime using Live Migration
      • Managing access using OS Login or project and instance metadata
      • Prevent accidental deletion using deletion protection flag
      • Understand the pricing and discounts model Hint – Sustained (automatic up to 30%) vs Committed (1 to 3 yrs) discounts.
      • In case of any issues or errors, how to debug the same
    • Google App Engine
      • Google App Engine is mainly the best option for PaaS with platforms supported and features provided.
      • Deploy an application with App Engine and understand how versioning and rolling deployments can be done
      • Understand how to keep auto scaling and traffic splitting and migration.
      • Know App Engine is a regional resource and understand the steps to migrate or deploy application to different region and project.
      • Know the difference between App Engine Flexible vs Standard
    • Google Kubernetes Engine
      • Google Kubernetes Engine, powered by the open source container scheduler Kubernetes, enables you to run containers on Google Cloud Platform.
      • Kubernetes Engine takes care of provisioning and maintaining the underlying virtual machine cluster, scaling your application, and operational logistics such as logging, monitoring, and cluster health management.
      • A node pool is a subset of machines that all have the same configuration, including machine type (CPU and memory) authorization scopes. Node pools represent a subset of nodes within a cluster; a container cluster can contain one or more node pools. Hint : For adding new machine types, need to add a new node pool as existing one cannot be edited
      • Be sure to Create a Kubernetes Cluster and configure it to host an application
      • Understand how to make the cluster auto repairable and upgradable. Hint – Node auto-upgrades and auto-repairing feature
      • Very important to understand where to use gcloud commands (to create a cluster) and kubectl commands (manage the cluster components)
      • Very important to understand how to increase cluster size and enable autoscaling for the cluster
      • Know how to manage secrets like database passwords
      • Understand GKE Autopilot mode — a fully managed mode where Google manages the nodes, scaling, and security
    • Cloud Run
      • Cloud Run is a fully managed serverless platform for deploying and running containerized applications.
      • Supports any language or library as long as it can be containerized.
      • Scales automatically from zero to many instances and back to zero.
      • Supports both services (request-driven) and jobs (task-based workloads).
      • Cloud Run is now the unified serverless platform — Cloud Functions has been rebranded as Cloud Run functions.
    • Cloud Run functions (formerly Cloud Functions)
      • is a lightweight, event-based, asynchronous compute solution that allows you to create small, single-purpose functions that respond to cloud events without the need to manage a server or a runtime environment.
      • Remember that Cloud Run functions is serverless and scales from zero to scale and back to zero as the demand changes.
      • 2nd gen functions (recommended for new projects) are built on Cloud Run infrastructure and offer improved performance, concurrency, longer request processing (up to 60 minutes), and Eventarc integration.

Network Services

  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets and host applications within them Hint VPC spans across region
    • Understand how Firewall rules works and how they are configured. Hint – Focus on Network Tags. Also, there are 2 implicit firewall rules – default ingress deny and default egress allow
    • Understand VPC Peering and Shared VPC
    • Understand the concept internal and external IPs and difference between static and ephemeral IPs
    • Primary IP range of an existing subnet can be expanded by modifying its subnet mask, setting the prefix length to a smaller number.
    • Understand Private Google Access and Private Service Connect use cases
  • On-premises connectivity
    • Cloud VPN and Cloud Interconnect are 2 components which help you connect to on-premises data center.
    • Understand HA VPN (recommended) vs Classic VPN. Note: Classic VPN dynamic routing via BGP is deprecated as of August 2025 — use HA VPN for BGP.
    • Understand what are the requirements to setup Cloud VPN.
    • Cloud Router provides dynamic routing using BGP
    • Know Interconnect as the reliable high speed, low latency and dedicated bandwidth options (Dedicated Interconnect and Partner Interconnect).
    • Cross-Cloud Interconnect — provides dedicated, high-bandwidth connectivity between Google Cloud and other cloud providers (e.g., AWS, Azure) without traversing the public internet.
    • Network Connectivity Center — a centralized hub for managing hybrid and multi-cloud network connectivity, connecting on-premises, Google Cloud, and other cloud networks through spokes.
  • Cloud Load Balancing (GCLB)
    • Google Cloud Load Balancing provides scaling, high availability, and traffic management for your internet-facing and private applications.
    • Understand Google Load Balancing options and their use cases esp. which is global and internal and what protocols they support.

Storage Services

  • Understand each Storage Options and use cases.
  • Persistent disks
    • attached to the Compute Engines, provide fast access however are limited in scalability, availability and scope.
    • Remember performance depends on the size of the disk
  • Cloud Storage
    • Cloud Storage is cost-effective object storage for unstructured data.
    • very important to know the different storage classes and their use cases: Standard (frequent access, replaces the legacy Regional/Multi-Regional classes), Nearline (30-day minimum, monthly access), Coldline (90-day minimum, quarterly access), and Archive (365-day minimum, yearly access)
    • Understand life cycle management. HINT – Changes are in accordance to object creation date
    • Understand various data encryption techniques
    • Understand Signed URL to give temporary access and the users do not need to be GCP users
    • Understand access control and permissions – IAM vs ACLs (fine grained control). Note: Uniform bucket-level access is now the recommended default.
    • Understand best practices esp. uploading and downloading the data. HINT using parallel composite uploads
  • Relational Databases
    • Know Cloud SQL, Cloud Spanner, and AlloyDB for PostgreSQL
    • Cloud SQL
      • Cloud SQL is a fully-managed service that provides MySQL, PostgreSQL and MS SQL Server
      • Supports up to 64TB of storage.
      • Difference between Failover and Read replicas. Failover provides High Availability and almost zero downtime while Read replicas provide scalability. Cross region Read Replicas are supported
      • Perform Point-In-Time recovery. Hint – requires binary logging and backups
      • Cloud SQL Enterprise Plus edition provides near-zero downtime maintenance and advanced HA features
    • Cloud Spanner
      • is a fully managed, mission-critical relational database service.
      • provides a scalable online transaction processing (OLTP) database with high availability and strong consistency at global scale.
      • globally distributed and can scale horizontally.
      • not a direct replacement for Cloud SQL and would need migration
    • AlloyDB for PostgreSQL
      • Fully managed, PostgreSQL-compatible database designed for demanding enterprise workloads.
      • Up to 4x faster for transactional workloads and up to 100x faster for analytical queries compared to standard PostgreSQL.
      • Provides automatic storage scaling, integrated AI/ML capabilities with built-in Vertex AI integration.
      • Best for enterprise PostgreSQL workloads that need high performance and availability.
  • NoSQL
    • Know Firestore and Bigtable
    • Firestore (successor to Cloud Datastore)
      • Firestore operates in two modes: Native mode (real-time, mobile/web apps) and Datastore mode (server-side, backward compatible with legacy Datastore)
      • Provides document database for web and mobile applications. Not for analytics.
      • Understand Firestore indexes and how to update indexes
      • Can be configured Multi-regional and regional
    • Bigtable
      • provides column database suitable for both low-latency single-point lookups and precalculated analytics
      • understand Bigtable is suitable for high-throughput workloads like IoT, time-series, and analytics
  • Data Warehousing
    • BigQuery
      • provides scalable, fully managed enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
      • Remember it is most suitable for historical analysis.
      • Now includes BigQuery ML for running ML models directly in SQL, and BigQuery Studio for unified analytics.
  • Memorystore and Firebase are now more commonly tested; understand Memorystore for Redis/Memcached caching use cases.

Data Services

  • Although there is a different certification for Data Engineer, the Cloud Architect does cover data services. Data services are also part of the use cases so be sure to know about them
  • Know the Big Data stack and understand which service fits the different layers of ingest, store, process, analytics, use
  • Key Services which need to be mainly covered are –
    • Cloud Storage as the medium to store data as data lake
    • Pub/Sub
      • as the messaging service to capture real time data esp. IoT
      • is designed to provide reliable, many-to-many, asynchronous messaging between applications esp. real time IoT data capture
      • Cloud Storage can generate notifications via Pub/Sub
    • Dataflow to process, transform, transfer data and the key service to integrate store and analytics. Now supports ML inference directly in pipelines (RunInference) and TPU integration.
    • BigQuery for storage and analytics. Remember BigQuery provides the same cost-effective option for storage as Cloud Storage
    • Managed Service for Apache Spark (formerly Cloud Dataproc) to handle existing Hadoop/Spark jobs. Hint – Use it to replace existing hadoop infra. Now includes serverless Spark option (no cluster management needed).
    • Dataform for managing SQL-based data transformation pipelines in BigQuery (replaces the need for Cloud Dataprep in many scenarios)
  • Know standard patterns Pub/Sub -> Dataflow -> BigQuery

AI and Machine Learning Services (NEW for PCA v6.1)

  • The updated PCA exam includes significant AI/ML content. Key services to know:
  • Vertex AI
    • Google Cloud’s unified AI/ML platform for building, deploying, and scaling ML models
    • Understand AutoML (no-code/low-code model training) vs Custom Training (bring your own code)
    • Understand Vertex AI Workbench (managed notebooks, replacement for Cloud Datalab)
    • Model deployment to endpoints with online/batch prediction
    • Vertex AI Feature Store for managing ML features
    • Vertex Explainable AI for model interpretability
  • Gemini
    • Google’s multimodal AI model family, available through Vertex AI
    • Understand use cases for generative AI in architecture (content generation, code assistance, data analysis)
  • Pre-trained APIs
    • Vision AI, Natural Language AI, Translation AI, Speech-to-Text, Text-to-Speech
    • Know when to use pre-trained APIs vs AutoML vs custom training

Monitoring

  • Google Cloud Monitoring (formerly Stackdriver)
    • provides everything from monitoring, alert, error reporting, metrics, diagnostics, debugging, trace.
    • remember audits are mainly checking Cloud Audit Logs
  • Google Cloud Logging (formerly Stackdriver Logging)
    • Understand log routing, sinks, and log-based metrics
    • Know log retention periods and where to export for long-term storage
  • Cloud Trace — distributed tracing for latency analysis
  • Error Reporting — aggregates and displays errors from cloud services

DevOps services

  • Infrastructure as Code
    • Infrastructure Manager (Terraform-based) — Google Cloud’s recommended IaC service
    • Terraform — the industry standard for multi-cloud IaC, fully supported on Google Cloud
    • Deployment ManagerDeprecated (support discontinued March 31, 2026). Migrate to Infrastructure Manager or Terraform.
  • Source Code Management
    • Secure Source Manager — regionally deployed, managed source code repository on Google Cloud
    • Cloud Source Repositories — End of sale since June 2024; not available to new customers. Use Secure Source Manager, GitHub, or GitLab.
  • Artifact Registry
    • is the universal package manager for all build artifacts and dependencies (Docker images, language packages, OS packages).
    • Container RegistryShut down March 18, 2025. All container image storage has migrated to Artifact Registry.
  • Cloud Build
    • is a service that executes your builds on Google Cloud Platform infrastructure.
    • Supports CI/CD pipelines with triggers from source repositories.
  • Cloud Deploy
    • Managed continuous delivery service for deploying to GKE, Cloud Run, and Anthos.
  • MarketPlace (Cloud Launcher)
    • provides a way to launch common software packages e.g. Jenkins or WordPress and stacks on Google Compute Engine with just a few clicks like a prepackaged solution.
    • can help minimize deployment time and can be used without any knowledge about the product

Security Services

  • Web Security Scanner (formerly Cloud Security Scanner)
    • is a web application security scanner that enables developers to easily check for a subset of common web application vulnerabilities in websites built on App Engine, GKE, and Compute Engine.
  • Cloud DLP (Sensitive Data Protection)
    • to handle sensitive data esp. redaction of PII data. Rebranded as Sensitive Data Protection.
  • Security Command Center (SCC)
    • Centralized security and risk management platform for Google Cloud resources.
    • Provides asset discovery, threat detection, and compliance monitoring.
  • Cloud Armor
    • DDoS protection and WAF (Web Application Firewall) for applications behind Load Balancers.
  • VPC Service Controls
    • Creates security perimeters around Google Cloud resources to prevent data exfiltration.
  • PCI-DSS compliant
    • GCP services are PCI-DSS compliant, however you need to make sure for the applications and hosting to be inline with PCI-DSS requirements
  • Same concept as PCI-DSS applies to GDPR as well

Google Cloud Well-Architected Framework (NEW for PCA v6.1)

  • The Well-Architected Framework is now required knowledge for the PCA exam.
  • Understand the six pillars:
    • Operational Excellence — monitoring, incident management, deployment practices
    • Security, Privacy, and Compliance — identity, data protection, network security
    • Reliability — high availability, disaster recovery, fault tolerance
    • Cost Optimization — resource efficiency, committed use discounts, rightsizing
    • Performance Optimization — scaling, caching, optimizing resources
    • Sustainability — efficient use of resources, carbon-aware workloads
  • Includes an AI and ML perspective covering design principles for AI workloads on Google Cloud.

Other Services

  • Know various data transfer options
  • Storage Transfer Service
    • allows import of large amounts of online data into Google Cloud Storage, quickly and cost-effectively.
    • Online data is the key here as it supports AWS S3, Azure Blob Storage, HTTP/HTTPS and other GCS buckets.
    • for on-premises data you can use the Storage Transfer Service agent or gsutil command
  • Transfer Appliance
    • to transfer large amounts of data quickly and cost-effectively into Google Cloud Platform.
    • Check for the data size and it would be always compared with Storage Transfer Service or gsutil commands.

Case Studies

  • The PCA exam was updated in October 2025 with new case studies. The current case studies are:
    • EHR Healthcare — electronic health record provider migrating to Google Cloud for scalability and disaster recovery
    • Altostrat Media — media company with AI integration requirements
    • Cymbal Retail — online retailer modernizing operations with conversational commerce and AI
    • KnightMotives Automotive — automotive company with AI-driven use cases
  • All new case studies emphasize AI/ML integration in architecture decisions.
  • Note: The previous case studies (Mountkirk Games, Dress4Win, TerramEarth) are no longer part of the exam.

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Learning Path

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Learning Path

⚠️ EXAM RETIRED – SOA-C01 No Longer Available

The AWS Certified SysOps Administrator – Associate (SOA-C01) exam has been retired. It was replaced by the SOA-C02 exam, which itself was retired on September 29, 2025.

The current exam is now the AWS Certified CloudOps Engineer – Associate (SOA-C03), launched on September 30, 2025.

Recommended Next Steps:

This content is maintained for historical reference only. If you are preparing for certification, please use the SOA-C03 exam resources.

AWS Certified SysOps Administrator – Associate (SOA-C01) exam was the AWS associate-level operations exam that validated the ability to:

  • Deploy, manage, and operate scalable, highly available, and fault tolerant systems on AWS
  • Implement and control the flow of data to and from AWS
  • Select the appropriate AWS service based on compute, data, or security requirements
  • Identify appropriate use of AWS operational best practices
  • Estimate AWS usage costs and identify operational cost control mechanisms
  • Migrate on-premises workloads to AWS

Refer AWS Certified SysOps – Associate Exam Guide Sep 18

AWS Certified SysOps Administrator - Associate Content Outline

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Summary

  • AWS Certified SysOps Administrator – Associate exam was quite different from the previous one with more focus on the error handling, deployment, monitoring.
  • AWS Certified SysOps Administrator – Associate exam covered a lot of AWS services like ALB, Lambda, AWS Config, AWS Inspector, AWS Shield while focusing majorly on other services like CloudWatch, Metrics from various services, CloudTrail.
  • Be sure to cover the following topics
    • Monitoring & Management Tools
      • Understand CloudWatch monitoring to provide operational transparency
        • Know which EC2 metrics it can track (disk, network, CPU, status checks) and which would need custom metrics (memory, disk swap, disk storage etc.)
        • Know ELB monitoring
          • Classic Load Balancer metrics SurgeQueueLength and SpilloverCount
          • Reasons for 4XX and 5XX errors
      • Understand CloudTrail for audit and governance
      • Understand AWS Config and its use cases
      • Understand AWS Systems Manager and its various services like parameter store, patch manager
      • Understand AWS Trusted Advisor and what it provides
      • Very important to understand AWS CloudWatch vs AWS CloudTrail vs AWS Config
      • Very important to understand Trust Advisor vs Systems manager vs Inspector
      • Know Personal Health Dashboard & Service Health Dashboard
      • Deployment tools
        • Know AWS OpsWorks and its ability to support chef & puppet
        • Know Elastic Beanstalk and its advantages
        • Understand AWS CloudFormation
          • Know stacks, templates, nested stacks
          • Know how to wait for resources setup to be completed before proceeding esp. cfn-signal
          • Know how to retain resources (RDS, S3), prevent rollback in case of a failure
    • Networking & Content Delivery
      • Understand VPC in depth
        • Understand the difference between
          • Bastion host – allow access to instances in private subnet
          • NAT – route traffic from private subnets to internet
          • NAT instance vs NAT Gateway
          • Internet Gateway – Access to internet
          • Virtual Private Gateway – Connectivity between on-premises and VPC
          • Egress-Only Internet Gateway – relevant to IPv6 only to allow egress traffic from private subnet to internet, without allowing ingress traffic
        • Understand
        • Understand how VPC Peering works and limitations
        • Understand VPC Endpoints and supported services
        • Ability to debug networking issues like EC2 not accessible, EC2 instances not reachable, Instances in subnets not able to communicate with others or Internet.
      • Understand Route 53 and Routing Policies and their use cases
        • Focus on Weighted, Latency routing policies
      • Understand VPN and Direct Connect and their use cases
      • Understand CloudFront and use cases
      • Understand ELB, ALB and NLB and what features they provide like
        • ALB provides content and path routing
        • NLB provides ability to give static IPs to load balancer.
    • Compute
      • Understand EC2 in depth
        • Understand EC2 instance types
        • Understand EC2 purchase options esp. spot instances and improved reserved instances options.
        • Understand how IO Credits work and T2 burstable performance and T2 unlimited
        • Understand EC2 Metadata & Userdata. Whats the use of each? How to look up instance data after it is launched.
        • Understand EC2 Security.
          • How IAM Role work with EC2 instances
          • IAM Role can now be attached to stopped and runnings instances
        • Understand AMIs and remember they are regional and how can they be shared with others.
        • Troubleshoot issues with launching EC2 esp. RequestLimitExceeded, InstanceLimitExceeded etc.
        • Troubleshoot connectivity, lost ssh keys issues
      • Understand Auto Scaling
      • Understand Lambda and its use cases
      • Understand Lambda with API Gateway
    • Storage
    • Databases
    • Security
      • Understand IAM as a whole
      • Understand KMS for key management and envelope encryption
      • Understand CloudHSM and KMS vs CloudHSM esp. support for symmetric and asymmetric keys
      • Know AWS Inspector and its use cases
      • Know AWS GuardDuty as managed threat detection service. Will help eliminate as the option
      • Know AWS Shield esp. the Shield Advanced option and the features it provides
      • Know WAF as Web Traffic Firewall
      • Know AWS Artifact as on-demand access to compliance reports
    • Integration Tools
      • Understand SQS as message queuing service and SNS as pub/sub notification service
        • Focus on SQS as a decoupling service
        • Understand SQS FIFO, make sure you know the differences between standard and FIFO
      • Understand CloudWatch integration with SNS for notification
    • Cost management

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Resources

📌 Note: The resources below were relevant for the retired SOA-C01 exam. For current certification preparation, refer to:

AWS Cloud Computing Whitepapers

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Contents

Domain 1: Monitoring and Reporting

  1. Create and maintain metrics and alarms utilizing AWS monitoring services
  2. Recognize and differentiate performance and availability metrics
  3. Perform the steps necessary to remediate based on performance and availability metrics

Domain 2: High Availability

  1. Implement scalability and elasticity based on use case
  2. Recognize and differentiate highly available and resilient environments on AWS

Domain 3: Deployment and Provisioning

  1. Identify and execute steps required to provision cloud resources
  2. Identify and remediate deployment issues

Domain 4: Storage and Data Management

  1. Create and manage data retention
  2. Identify and implement data protection, encryption, and capacity planning needs

Domain 5: Security and Compliance

  1. Implement and manage security policies on AWS
  2. Implement access controls when using AWS
  3. Differentiate between the roles and responsibility within the shared responsibility model

Domain 6: Networking

  1. Apply AWS networking features
  2. Implement connectivity services of AWS
  3. Gather and interpret relevant information for network troubleshooting

Domain 7: Automation and Optimization

  1. Use AWS services and features to manage and assess resource utilization
  2. Employ cost-optimization strategies for efficient resource utilization
  3. Automate manual or repeatable process to minimize management overhead

Exam Evolution: SOA-C01 → SOA-C02 → SOA-C03 (CloudOps Engineer)

The AWS SysOps Administrator certification has gone through significant evolution:

  • SOA-C01 (2018-2021) – Original version covered in this post. Focused on traditional operations with 7 domains.
  • SOA-C02 (2021-2025) – Added hands-on exam labs, introduced automation focus, reduced to 6 domains. Retired September 29, 2025.
  • SOA-C03 / AWS Certified CloudOps Engineer – Associate (2025-present) – Current exam. Rebranded to reflect modern cloud operations. Added containers (ECS, EKS, ECR), multi-account architectures, and expanded automation coverage. 5 domains with new question types (ordering, matching, case studies).

SOA-C03 Exam Domains (Current)

Domain Weight
Monitoring, Logging, Analysis, Remediation & Performance Optimization 22%
Reliability and Business Continuity 22%
Deployment, Provisioning, and Automation 22%
Networking and Content Delivery 18%
Security and Compliance 16%

Key additions in SOA-C03 compared to SOA-C01:

  • Container Operations – Amazon ECS, EKS, ECR, Fargate
  • Multi-Account Architecture – AWS Organizations, Service Control Policies (SCPs), AWS Control Tower
  • Modern Automation – AWS CDK, EventBridge, expanded Systems Manager capabilities
  • Cost Optimization – Compute Optimizer, AWS Budgets actions, Savings Plans
  • Enhanced Security – Security Hub, AWS Backup, Secrets Manager rotation

For the current exam preparation, refer to the official AWS CloudOps Engineer certification page.