GCP DevOps Certification Preparation Guide
10 Sep 2022 by dzlab
I recently passed Google Professional DevOps Engineer Certification and, while preparing for it, I went through a lot of resources. I had to review the documentation of many Google Cloud products, and at no point did I feel that one source covered everything I needed.
This article summarizes the resources I found helpful for passing the exam, plus the topics I wish I had spent more time reading about.
Keep in mind that Google updates its services and certification guides very often, so any source other than the official documentation can become outdated quickly. Before booking the exam, always check the current Professional Cloud DevOps Engineer certification page and the official exam guide.
I started my preparation by reading Google Cloud for DevOps Engineers. It is a good read even if it is not focused only on the exam. It covers general DevOps practices, particularly SRE practices as recommended by Google, and many Google Cloud services that a DevOps engineer is expected to know.
It is a very good starting point if you have little knowledge of Google Cloud services and DevOps. Google also recommends the Site Reliability Engineering book, and you can find more SRE resources from Google on sre.google.
Exam at a glance
The exam is close in difficulty to other Google professional certification exams, but the scope is broad because it touches organization setup, infrastructure, CI/CD, SRE, observability, security, and cost optimization.
- Recommended experience: 3+ years of industry experience, including 1+ year designing and managing production systems on Google Cloud.
- Format: 50-60 multiple choice and multiple select questions.
- Duration: two hours.
- Delivery: online-proctored or onsite-proctored at a test center.
- Prerequisites: none.
The current official guide organizes the exam around five areas:
- Bootstrapping and maintaining a Google Cloud organization.
- Building and implementing CI/CD pipelines, including continuous testing, for application, infrastructure, and machine learning workloads.
- Applying site reliability engineering practices.
- Implementing observability practices and troubleshooting issues.
- Optimizing performance and cost.
Preparation strategy
The most useful preparation path for me was:
- Read the official exam guide and use it as a checklist.
- Review the Google Cloud services listed in each domain.
- Build or at least mentally trace an end-to-end deployment path: source repository, build, artifact storage, deployment, monitoring, alerting, rollback, and cost review.
- Study SRE concepts separately from product documentation. The exam tests both product knowledge and operational judgment.
- Practice scenario questions. Most questions are less about memorizing commands and more about choosing the safest, most maintainable, and most Google-recommended option.
If you only read product pages, the preparation can feel endless. Try to connect each product to an operational decision: when to use it, what problem it solves, how it fails, how to secure it, and how to troubleshoot it.
Organization and environments
You should understand how to bootstrap and maintain a Google Cloud organization for multiple teams and environments.
Resource hierarchy
Know how organizations, folders, projects, and resources fit together. A common pattern is to separate projects by application and environment, for example app-dev, app-staging, and app-prod, then apply policies at the folder or organization level.
Important topics:
- Resource hierarchy and projects - link
- Organization policy constraints - link
- IAM roles, service accounts, and the principle of least privilege - link
- Best practices for enterprise organizations - link
- Data residency and resource location constraints - link
For the exam, be comfortable with questions where several answers technically work but only one keeps security, auditability, and future growth under control.
Networking
DevOps questions can involve network architecture, especially when deployments span many projects or connect to existing environments.
You should know:
- Shared VPC - link
- VPC Network Peering - link
- Private Service Connect - link
- Cloud VPN and Cloud Interconnect - link
- VPC Flow Logs for troubleshooting - link
Infrastructure as code
Infrastructure as code is a major topic. You should know how to automate infrastructure changes, review them, and apply them consistently across environments.
Useful resources:
- Infrastructure Manager - link
- Terraform on Google Cloud - link
- Cloud Foundation Toolkit - link
- Config Connector - link
- Google Cloud architecture blueprints - link
For the exam, remember that infrastructure changes should be versioned, reviewed, automated, and observable. Avoid answers that rely on manual console changes for repeatable production operations.
Development environments
You may see questions about creating secure and repeatable development environments. Know the purpose of:
- Cloud Workstations - link
- Cloud Shell - link
- Cloud SDK - link
- Gemini Code Assist and Gemini Cloud Assist - link
The important idea is that developers should get the right tools and access without manually provisioning insecure or inconsistent machines. For AI-assisted development and operations, understand where these tools can help with code, logs, metrics, and troubleshooting, but do not use them as a substitute for knowing the underlying platform.
CI/CD
CI/CD is one of the biggest parts of the exam. You need to understand the full path from source code to a safely deployed production workload.
Cloud Build
Cloud Build is Google Cloud’s managed CI service. You should understand build triggers, build configuration files, private pools, substitutions, service accounts, and logs.
Useful resources:
- Cloud Build overview - link
- Build configuration files - link
- Build triggers - link
- Private pools - link
- Cloud Build service accounts - link
Good to know: Cloud Build steps share a workspace. This can be useful for passing generated artifacts, test reports, or deployment metadata between steps.
Artifact Registry
Artifact Registry is used to store and manage build artifacts such as container images and language packages.
You should know:
- Artifact Registry overview - link
- Repository formats - link
- Access control - link
- Vulnerability scanning with Artifact Analysis - link
Expect questions that combine Artifact Registry with Cloud Build, Cloud Deploy, vulnerability scanning, Binary Authorization, and IAM.
Cloud Deploy
Cloud Deploy is Google Cloud’s managed continuous delivery service. It helps define delivery pipelines and promote releases through targets such as staging and production.
Read:
- Cloud Deploy overview - link
- Delivery pipelines and targets - link
- Deployment strategies - link
- Skaffold with Cloud Deploy - link
The exam can ask you to choose between rebuilding an artifact per environment and promoting the same artifact through environments. In most production pipelines, you want to build once, store the artifact, then promote that artifact through controlled stages.
Deployment strategies
Know the trade-offs between common deployment strategies:
| Strategy | When it is useful | Main trade-off |
|---|---|---|
| Rolling deployment | Gradually replace old instances with new ones | Simple, but rollback can be slower |
| Blue/green deployment | Keep old and new versions separate | Safer rollback, but needs extra capacity |
| Canary deployment | Send a small amount of traffic to the new version first | Requires good metrics and traffic control |
| Traffic splitting | Shift percentages of traffic between versions | Useful for gradual rollout and A/B testing |
| Feature flags | Decouple deploy from release | Requires application-level flag management |
Useful resources:
- Application deployment and testing strategies - link
- Cloud Run rollouts and traffic migration - link
- App Engine traffic splitting - link
- GKE deployment strategies - link
Secrets and configuration
Do not put secrets in source code, build logs, or container images. Know how to separate build-time and runtime configuration.
Important services and topics:
- Secret Manager - link
- Parameter Manager - link
- Cloud Key Management Service - link
- Certificate Manager - link
- Workload Identity Federation - link
- GKE Workload Identity Federation - link
For exam answers, prefer short-lived credentials, workload identity, secret managers, and least-privilege service accounts over long-lived keys.
Securing the supply chain
You should understand the security controls around CI/CD:
- Artifact Analysis and vulnerability scanning - link
- Binary Authorization - link
- Software supply chain security - link
- SLSA framework - link
- Cloud Audit Logs - link
The general pattern is to build from trusted source, produce signed or verifiable artifacts, scan them, store them in Artifact Registry, enforce policy before deployment, and keep audit logs.
Machine learning pipelines
The current exam guide also mentions CI/CD for machine learning workloads. You do not need to become a machine learning engineer for this exam, but you should understand how ML delivery differs from application delivery: model artifacts, data validation, training pipelines, approval gates, evaluation metrics, and rollback plans matter.
Useful resources:
- Vertex AI Pipelines - link
- MLOps continuous delivery and automation pipelines - link
- Cloud Build for machine learning workflows - link
Compute and runtime platforms
The DevOps exam is not just about CI/CD tools. You also need to know how applications run on Google Cloud and how operational decisions differ by platform.
Cloud Run
Cloud Run is a serverless container platform. It is a good fit when you want to run containers without managing clusters.
- Cloud Run overview - link
- Services, jobs, and worker pools - link
- Autoscaling - link
- Traffic management - link
Google Kubernetes Engine
GKE is a managed Kubernetes service. It appears often in DevOps scenarios because many CI/CD, security, autoscaling, and observability questions involve Kubernetes.
- GKE overview - link
- Autopilot and Standard clusters - link
- Cluster autoscaler - link
- Horizontal Pod autoscaling - link
- Fleet management - link
- Troubleshooting GKE - link
Compute Engine
Compute Engine still matters for workloads that need VM-level control.
- Managed instance groups - link
- Autoscaling managed instance groups - link
- Startup scripts - link
- Spot VMs - link
Know when a managed instance group, Cloud Run service, or GKE workload is the better operational fit.
Site reliability engineering
The DevOps certification has a strong SRE flavor. You should be comfortable with reliability concepts and how they influence engineering decisions.
SLIs, SLOs, SLAs, and error budgets
These are core concepts:
- SLI: what you measure, for example request success rate or latency.
- SLO: the reliability target, for example 99.9% successful requests over 30 days.
- SLA: the external commitment to customers.
- Error budget: the amount of unreliability you can tolerate before slowing risky changes.
Read:
- SRE book: Service Level Objectives - link
- SRE workbook: Implementing SLOs - link
- Cloud Monitoring SLOs - link
- Cloud Service Mesh SLOs and service telemetry - link
Exam questions often ask what to do when reliability is below target. The safest answer usually reduces risk: pause risky releases, roll back, add capacity, reduce blast radius, or improve observability before continuing.
Capacity and lifecycle management
Know how to plan for quotas, limits, reservations, autoscaling, upgrades, and retirement.
Useful resources:
- Quotas and limits - link
- Compute Engine reservations - link
- Cloud Run autoscaling - link
- GKE cluster autoscaler - link
- GKE upgrades - link
Incident response
You should know the operational response options when users are affected:
- Roll back a bad release.
- Drain or redirect traffic.
- Add capacity.
- Disable a risky feature flag.
- Use logs, metrics, and traces to identify the failing layer.
- Write a postmortem and improve the system.
Read:
Observability and troubleshooting
Observability is another large part of the exam. You should understand logs, metrics, traces, dashboards, alerts, and how to use them together.
Logs
Know how Cloud Logging collects, stores, filters, routes, excludes, and exports logs.
Important topics:
- Cloud Logging overview - link
- Logs Explorer - link
- Logging query language - link
- Log routing and sinks - link
- Log exclusions and cost controls - link
- Cloud Audit Logs - link
- Sensitive data protection in logs - link
You should also know when to route logs to BigQuery, Pub/Sub, or Cloud Storage for analysis, downstream processing, or long-term retention.
Metrics, dashboards, and alerts
Cloud Monitoring is central to SRE and troubleshooting questions.
- Cloud Monitoring overview - link
- Metrics Explorer - link
- Alerting policies - link
- Dashboards - link
- PromQL in Cloud Monitoring - link
- Google Cloud Managed Service for Prometheus - link
- Cloud Service Mesh observability - link
Make sure you understand alert quality. A good alert should be actionable, tied to user impact or an SLO, and routed to the right team.
Traces and telemetry
Know when tracing helps and how it complements logs and metrics.
Distributed tracing is especially useful when latency or errors involve many services.
Ops Agent and hybrid workloads
Know the role of the Ops Agent for Compute Engine and hybrid workloads.
Troubleshooting approach
For scenario questions, work from symptom to scope:
- Is the issue global or limited to a region, version, user segment, or dependency?
- Did it start after a deployment, config change, quota change, traffic spike, or dependency failure?
- What do logs say?
- What do metrics say?
- What do traces say?
- Can you mitigate user impact before finding root cause?
The exam often rewards mitigation first, then root-cause analysis.
Performance and cost optimization
The last domain combines performance engineering and FinOps. You should know how to collect performance data, use recommenders, and choose cost-effective infrastructure.
Performance
Useful topics:
- Application performance monitoring - link
- Cloud Trace - link
- Cloud Profiler - link
- Active Assist - link
- Recommenders - link
Questions may ask how to diagnose latency, right-size workloads, or identify bottlenecks. Prefer answers that use measured data rather than guessing.
Cost
Know the common cost levers:
- Budgets and alerts - link
- Cost table and reports - link
- Labels for cost allocation - link
- Committed use discounts - link
- Sustained use discounts - link
- Spot VMs - link
- Network Service Tiers - link
Do not forget observability costs. Logs, metrics, and traces are valuable, but high-cardinality metrics, noisy logs, and unnecessary retention can become expensive. Know how to use filters, exclusions, sampling, and routing.
Topics worth extra review
These are topics I would spend extra time on:
- SLOs, SLIs, SLAs, and error budgets.
- Cloud Build, Artifact Registry, and Cloud Deploy working together.
- Deployment strategies and rollback decisions.
- Secret handling and Workload Identity Federation.
- Binary Authorization, vulnerability scanning, and supply chain security.
- Cloud Logging sinks, exclusions, and audit logs.
- Cloud Monitoring alert policies and SLO monitoring.
- OpenTelemetry and Cloud Trace.
- GKE autoscaling and upgrades.
- Cost controls, labels, budgets, recommenders, and committed use discounts.
Practice resources
Useful preparation resources:
- Official Professional Cloud DevOps Engineer certification page - link
- Official exam guide - link
- Google Cloud Skills Boost path - link
- Official sample questions - link
- Preparing for Google Cloud Certification: Cloud DevOps Engineer Professional Certificate - link
- Site Reliability Engineering book - link
- Site Reliability Workbook - link
- Google Cloud Architecture Framework - link
Certification SWAG
After passing the exam, you can choose one of the official certification swags:
That’s all folks
Check the following preparation tips for passing other Google certifications:
- Data Engineer certification - link
- Machine Learning Engineer certification - link
- Cloud Developer certification - link
Feel free to leave a comment or reach out on twitter @bachiirc