Technical Processes
The delivery lifecycle as one automated pipeline
A developer pushes a commit, and minutes later that change is running in production with no one having typed a deploy command. That is the technical process this section designs, and on Google Cloud it is two services in sequence. Cloud Build[1] handles continuous integration: it imports source from a repository or Cloud Storage and executes a build config as a series of steps, where each step runs in a Docker container, then pushes the result to Artifact Registry[2]. Cloud Deploy[3] handles continuous delivery: it automates delivery of an application to a series of target environments in a defined promotion sequence.
The Professional Cloud Architect is expected to recommend the shape of this pipeline rather than implement it: which stages exist, what each stage validates, and where a human gate belongs. So the vocabulary matters.
CI: the build config
A Cloud Build build is defined by a build config (commonly cloudbuild.yaml) listing the steps to run. Tests are first-class steps, not an afterthought: you can configure a build to fetch dependencies, run unit tests, static analyses, and integration tests, then create artifacts with tools such as docker, gradle, maven, or bazel. A build trigger starts a new build in response to code changes from Cloud Source Repositories, GitHub, or Bitbucket, which is what makes the integration continuous.
CD: pipeline, target, release, rollout
Cloud Deploy has four nouns the exam reuses. A delivery pipeline contains the promotion sequence, the order in which to deploy to the configured targets. A target is one destination environment (a GKE cluster, a Cloud Run service, or a GKE attached cluster). A release is the rendered, deployable artifact, generated from your source, a skaffold.yaml, and references to specific container images; Cloud Deploy uses Skaffold for rendering, deployment, and verification. A rollout associates a release with a target and drives the actual deploy. Promotion means deploying the release to the next target in the sequence, for example from staging to prod.
Cloud Deploy sits downstream of any CI tool that outputs container images, so it pairs naturally with Cloud Build but does not require it. That separation is the answer to a common stem: build and test live in CI, environment-to-environment promotion lives in CD.
How you know it is working: the four DORA keys
A pipeline is only as good as the outcomes it produces, and those are measured by four metrics from DORA research[4]. Deployment frequency (how often you successfully release to production) and lead time for changes (how long a commit takes to reach production) measure velocity. Change failure rate (the percentage of deployments causing a failure in production) and time to restore service (how long recovery from a production failure takes) measure stability. The four are read as two pairs on purpose: optimizing velocity while ignoring stability just ships breakage faster, so a healthy process moves both pairs in the right direction.
Validation gates, disaster recovery, and self-service provisioning
With the pipeline shape settled, the remaining technical processes are the controls that wrap it: what stops a bad change, how the system recovers when something does go wrong, and how teams provision infrastructure without a central bottleneck.
Validation has two gates, before and at deploy
Testing happens twice in the lifecycle, and conflating the two is a common mistake. The first gate is in CI: unit, static-analysis, and integration tests run as Cloud Build steps, and a failing step fails the build so no artifact is produced. The second gate is at deploy time and checks provenance rather than behavior. Binary Authorization[5] is a deploy-time control that enforces that images being deployed to a supported platform conform to a policy you define; the policy admits only images carrying the required cryptographic attestations and rejects the rest. An attestation records the image's registry path and digest and is digitally signed by a required signer, so it proves a specific image passed a specific step. Binary Authorization is part of software supply-chain security and integrates with Cloud Build (which produces attestations) and Artifact Analysis (which supplies vulnerability data). Roll a new policy out in dry-run mode first: it logs what would be blocked without actually blocking, so you confirm the policy before enforcing it.
Disaster recovery: pick the pattern that meets RTO and RPO
When recovery is the topic, two numbers drive every decision. The recovery time objective (RTO)[6] is the maximum acceptable time the application can be offline. The recovery point objective (RPO) is the maximum acceptable length of time during which data might be lost. You design backwards from these: settle the RTO and RPO the business needs, then choose the DR pattern that meets them at the lowest cost that qualifies. The patterns scale by readiness. Cold (backup and restore) provisions recovery resources only after a disaster strikes, so it is the cheapest and slowest. Warm keeps a scaled-down standby already running and scales it up on failover, trading some cost for faster recovery. Hot runs a full second deployment serving traffic, the fastest and the most expensive. The relationship is monotonic: the smaller your RTO and RPO, the more your application costs to run. A frequent distinction is high availability versus disaster recovery: HA keeps a service up through a zone failure within a region, while DR restores service after a larger, often regional, disaster; meeting a tight RTO inside one region with multi-zone HA can make a separate cross-region DR pattern unnecessary.
Troubleshooting and root cause analysis
When a deployment does cause an incident, the technical process is to restore service first, then run a blameless retrospective. The Well-Architected Framework's operational excellence pillar names "manage incidents and problems[7]" as a core principle: reduce incident impact and prevent recurrence through observability, incident response procedures, retrospectives, and preventive measures. Blameless means the analysis identifies the contributing systemic causes without indicting any individual, on the assumption that people acted reasonably on the information they had; the deliverable is a set of action items that reduce the likelihood or impact of recurrence, which is also what lowers the change failure rate and time-to-restore DORA keys over time.
Service catalog and governed provisioning
Provisioning at scale poses a governance problem: let every team run their own gcloud and you lose consistency; route everything through central ops and you create a bottleneck. Service Catalog[8] resolves it by letting cloud admins curate a list of trusted solutions (Terraform configurations, Deployment Manager templates, or reference links) that internal users discover and deploy themselves. Admins control distribution at different folder and project levels and bake in parameters and organization policies, so a developer self-serves within guardrails the admin already approved. That is the standard answer when a scenario wants fast, repeatable provisioning that still enforces standards.
Exam-pattern recognition
Section 4.1 questions are usually scenarios that name a process pain and ask which Google Cloud capability fixes it. The trick is matching the symptom to the right lifecycle stage.
"Deploys are slow and error-prone" (CI/CD shape)
When a stem describes manual, inconsistent deploys and asks for an automated path from commit to production, the answer is Cloud Build for build and test plus Cloud Deploy for promotion across environments. Distractors usually offer a single tool for the whole job, or put the test stage in the wrong place. Remember the split: Cloud Build runs your tests and produces artifacts, Cloud Deploy promotes a release through ordered targets. A choice that says "run integration tests in Cloud Deploy" is the trap; Cloud Deploy runs Skaffold verify, your test suite belongs in the CI build steps.
"Only approved or scanned images may run in prod" (validation gate)
If the requirement is that untrusted, untested, or unscanned container images must never reach production, the answer is Binary Authorization with a policy requiring attestations. The tempting wrong answer is an IAM role or a firewall rule, but neither inspects image provenance at deploy time. A second trap is enforcing the new policy immediately; the safe rollout is dry-run mode first to see what would be blocked.
"How fast can we recover, and at what cost" (DR)
When a scenario gives a tolerable-downtime and tolerable-data-loss figure and asks for the recovery design, translate them to RTO and RPO and pick the cheapest pattern that meets both: cold for loose objectives, warm for moderate, hot for the tightest. The classic distractor is choosing hot (or a fully active-active design) when the stated RTO and RPO are loose; that over-provisions and overspends. The other distractor confuses HA with DR: a multi-zone regional setup answers a zone-failure RTO, not a regional-disaster one.
"Teams keep building infrastructure inconsistently" (governed provisioning)
When many teams provision their own resources and the result is drift and policy violations, the answer is Service Catalog publishing approved Terraform or Deployment Manager solutions for self-service. The distractor is a pure central-ops gatekeeper (a bottleneck) or unrestricted project owner access (no guardrails). Service Catalog is the middle path: self-service inside admin-approved bounds.
"Did our process change actually help?" (measurement)
When asked how to evaluate a delivery-process investment, the answer is the four DORA keys, read as velocity (deployment frequency, lead time for changes) and stability (change failure rate, time to restore service). The trap is reporting only the velocity pair, or a vanity metric like commit count, which can mask rising failure rates.
Which Google Cloud process tool owns which lifecycle stage
| Lifecycle stage | Cloud Build | Cloud Deploy | Binary Authorization | Service Catalog |
|---|---|---|---|---|
| Primary stage | Build and test (CI) | Promote and deploy (CD) | Deploy-time admission gate | Governed provisioning entry |
| What it acts on | Source from a repo or Cloud Storage | A release of container images | Container images at deploy time | Approved IaC solutions |
| Key construct | Build config of steps in containers | Pipeline of ordered targets | Policy plus attestations | Admin-curated catalog |
| Runs tests? | Yes: unit, static analysis, integration | Runs Skaffold verify, not your CI tests | No: checks attestation, not behavior | No: governs what can be deployed |
| Output or effect | Artifacts pushed to Artifact Registry | Rollout to a target environment | Admit or reject the image | Self-service deploy within guardrails |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Cloud Build runs CI; Cloud Deploy promotes across environments
Split the pipeline by stage: Cloud Build is the continuous-integration service that runs your build config as steps in containers (fetching dependencies, running unit, static-analysis, and integration tests, and producing artifacts), while Cloud Deploy is the continuous-delivery service that promotes a release through an ordered sequence of target environments such as dev, staging, then prod. Cloud Deploy sits downstream of any CI tool that outputs container images, so the two pair naturally but are distinct responsibilities.
Trap Putting your unit or integration test suite in Cloud Deploy; Cloud Deploy runs Skaffold verify against a target, your behavioral tests belong in the Cloud Build steps.
- Cloud Build defines a build as containerized steps from a build config
A Cloud Build build is specified by a build config (typically cloudbuild.yaml) that lists steps, and each step runs in its own Docker container, so any tool packaged as an image can be a step. A build trigger starts a new build on code changes from Cloud Source Repositories, GitHub, or Bitbucket, and finished artifacts are pushed to Artifact Registry. That containerized-step model is why you can run tests, linters, and the build itself in one declarative file.
- Learn the Cloud Deploy nouns: pipeline, target, release, rollout
Cloud Deploy has four constructs. The delivery pipeline holds the promotion sequence (the order of targets). A target is one destination environment, a GKE cluster, a Cloud Run service, or a GKE attached cluster. A release is the rendered, deployable artifact built from your source, a skaffold.yaml, and specific container image references. A rollout binds a release to a target and performs the deploy. Promotion advances a release to the next target in the sequence.
- Gate production deploys with a Cloud Deploy required approval
To put a human checkpoint before a sensitive environment, set the target to require approval; promotion to that target then pauses until approved, and Cloud Deploy emits a Pub/Sub message an external system can consume. Use it on the prod target so no release reaches production unreviewed, while lower environments promote automatically.
- Cloud Deploy rollback redeploys the last good release
A rollback in Cloud Deploy triggers a new rollout against the last successfully deployed release on that target, so recovery from a bad deploy is a first-class operation rather than a manual re-run of the old pipeline. Cloud Deploy also supports canary deployments, rolling a release out to a percentage of traffic before full promotion, so risk is contained on the way in and a rollback is the fast exit if it goes wrong. Together they keep time-to-restore short for deployment-caused incidents.
- Measure delivery with the four DORA keys, read as two pairs
DORA research names four metrics: deployment frequency and lead time for changes measure velocity, while change failure rate and time to restore service measure stability. Read them as two pairs on purpose, because improving velocity while ignoring stability just ships failures faster. When a scenario asks whether a process change helped, the answer is to track these four, not commit counts or story points.
Trap Reporting only deployment frequency and lead time to claim success; without change failure rate and time to restore, a faster pipeline can be hiding a rising failure rate.
- Binary Authorization is a deploy-time gate that admits only attested images
Binary Authorization enforces that container images deployed to a supported platform (GKE, Cloud Run, Cloud Service Mesh, Google Distributed Cloud) conform to a policy you define, admitting only images that carry the required cryptographic attestations and rejecting the rest. An attestation records the image's registry path and digest and is signed by a required signer, proving a specific image passed a specific step. It is a software-supply-chain control and integrates with Cloud Build and Artifact Analysis.
Trap Reaching for an IAM role or firewall rule to keep untrusted images out of prod; neither inspects image provenance at deploy time, which is what Binary Authorization checks.
- Roll out a Binary Authorization policy in dry-run mode first
Before enforcing, set the policy to dry-run so it logs which deployments would be blocked without actually blocking them. That lets you confirm the policy admits everything legitimate and catches everything it should before flipping to enforcement, avoiding an outage caused by a too-strict policy.
Trap Enforcing a brand-new Binary Authorization policy directly in production; a single overly strict rule then blocks legitimate deploys instead of just logging them.
- Design disaster recovery backwards from RTO and RPO
Recovery time objective (RTO) is the maximum acceptable time the application can be offline; recovery point objective (RPO) is the maximum acceptable length of time during which data might be lost. Settle these business numbers first, then choose the cheapest DR pattern that meets both. The relationship is monotonic: the smaller (tighter) your RTO and RPO, the more your application costs to run.
- DR patterns scale by readiness: cold, warm, hot
Google's DR planning guide frames three patterns. Cold is backup and restore: recovery resources are provisioned only after a disaster, so it is cheapest and slowest. Warm keeps a scaled-down standby already running and scales it up on failover, the middle ground. Hot runs a full second deployment serving traffic, the fastest and the priciest. Match the pattern to the RTO and RPO rather than defaulting to the most resilient.
Trap Choosing a hot or active-active DR design when the stated RTO and RPO are loose; it meets the objective but over-provisions and overspends, where cold backup-and-restore would qualify.
- Service Catalog gives governed, self-service provisioning
When many teams need infrastructure, Service Catalog lets cloud admins curate a list of approved solutions (Terraform configurations, Deployment Manager templates, or reference links) that internal users discover and deploy themselves. Admins control distribution at different folder and project levels and bake in parameters and organization policies, so developers self-serve within guardrails the admin already approved. It is the middle path between a central-ops bottleneck and unrestricted access.
Trap Granting broad project owner or editor access so teams can provision freely; that removes the bottleneck but also the guardrails Service Catalog keeps, inviting drift and policy violations.
- Run a blameless postmortem after an incident to cut recurrence
The operational excellence pillar's manage-incidents-and-problems principle says to restore service first, then run a retrospective that identifies the systemic contributing causes without indicting any individual, on the assumption people acted reasonably on the information they had. The deliverable is action items that reduce the likelihood or impact of recurrence, which is what drives change failure rate and time to restore down over time.
Trap Running a root cause analysis that assigns individual blame; it discourages honest disclosure, so the real systemic causes stay hidden and the incident recurs.
- Validation happens twice: pre-build tests and a deploy-time gate
Testing software and infrastructure spans the pipeline in two distinct places. Pre-build validation runs as Cloud Build steps (unit, static analysis, integration), and a failing step fails the build so no artifact ships. The deploy-time gate checks provenance, not behavior: Binary Authorization admits only images with the required attestations. Knowing which gate a requirement maps to is the decision the exam tests.
- Cloud Deploy uses Skaffold to render and deploy releases
Cloud Deploy relies on Skaffold for rendering, deployment, and verification, and a release is generated from your source plus a skaffold.yaml and references to specific container images. So a Cloud Deploy setup requires a skaffold configuration even though you may not run Skaffold by hand. The render step turns templates into the concrete manifest applied to each target.
- Cloud Deploy adds canary rollouts and hands-off promotion automation
Beyond a plain rollout, a Cloud Deploy delivery pipeline can run a canary that shifts traffic in phases (for example 25% then 50% then 100%); for GKE you declare a gatewayServiceMesh stanza referencing the HTTPRoute, Service, and Deployment rather than editing manifests. A canary needs an already-deployed version to split traffic against, so the very first release skips straight to the stable phase. Automation resources remove manual steps: promoteReleaseRule auto-promotes a release to the next target after a successful rollout, and advanceRolloutRule auto-advances a canary from one phase to the next after a wait time.
Trap A canary skipping to stable on the first deploy is expected, not a misconfiguration — there is no prior version to compare against.
4 questions test this
- Cymbal Retail is deploying a new microservices application to GKE using Cloud Deploy. The DevOps team wants to implement a canary…
- A development team at Cymbal Retail uses Cloud Deploy to manage their GKE application deployments across dev, staging, and production…
- Your company is deploying a microservices application to GKE using Cloud Deploy. The deployment team wants to implement a canary deployment…
- EHR Healthcare operates a patient portal application deployed on GKE using Cloud Deploy. The operations team wants to reduce manual…
References
- Cloud Build overview
- Artifact Registry overview
- Cloud Deploy overview
- Using the Four Keys to measure your DevOps performance Blog
- Binary Authorization overview
- Disaster recovery planning guide Well-Architected
- Well-Architected Framework: operational excellence pillar Well-Architected
- Service Catalog overview