RPO and RTO Targets for GCP Services on the PCA Exam

Recovery Point Objective and Recovery Time Objective questions are some of the most reliably testable items on the Professional Cloud Architect exam. The exam wants two things from me. It wants me to know the RPO and RTO numbers each major Google Cloud service can hit, and it wants me to resist the temptation to pick the fastest, most expensive option when the scenario only asks me to meet a minimum. I want to walk through how I think about both pieces.

What RPO Actually Measures

RPO stands for Recovery Point Objective. It is the maximum acceptable amount of data loss, measured in time, when a disaster or outage occurs. The framing is important. RPO is not measured in megabytes or rows. It is measured in minutes or seconds.

The way to picture it is to imagine your system writing data continuously, with synchronization points where that data gets backed up or replicated to a secondary location. If a disaster hits between two synchronization points, anything written after the last sync and before the failure is data that was never replicated. That window is your data loss exposure, and that window is what RPO names.

The mechanism for hitting an RPO target is to replicate more often than your tolerance. If the company says the RPO is 30 minutes, replication needs to happen at least every 15 minutes to stay safely inside that bound. If the RPO is zero or near-zero, replication has to be synchronous so that no write is acknowledged until it is committed in more than one location.

What RTO Actually Measures

RTO stands for Recovery Time Objective. RPO answers how much data loss is acceptable. RTO answers a different question, which is how much downtime is acceptable.

RTO is measured in time as well, but the time runs from the moment the disaster strikes until the moment the system is back online. If the RTO is 120 seconds and the failure happens at 3:00 PM, the system needs to be operational by 3:02 PM. If recovery takes longer than that, the RTO has been exceeded and the recovery plan failed against its target.

Hitting a tight RTO is an architectural decision. It depends on the failover mechanism, on how the failover is triggered, on whether the standby is hot or warm, and on how quickly traffic can be redirected. The RTO targets I list below for each service are what those services can achieve when they are configured for high availability or multi-region operation.

RPO and RTO by Google Cloud Service

Here are the numbers I keep in my head for the Professional Cloud Architect exam. These are the configurations the exam tends to reference, and the targets they hit.

• Cloud SQL in HA mode with cross-zone synchronous replication. RPO is basically zero. RTO is 60 to 120 seconds. The synchronous cross-zone replica means writes are committed in two zones, so almost no data is in flight when a failure occurs. The RTO sits in the one-to-two minute range because Cloud SQL has to detect the failure and promote the standby.
• Cloud Spanner in Regional or Multi-Region configuration. RPO is zero. RTO is in seconds. Spanner is designed for mission-critical workloads that need both zero data loss and rapid recovery, and the regional and multi-regional configurations are what deliver that guarantee.
• BigQuery. RPO is zero. RTO is in seconds. High availability is built in by default, which is why BigQuery rarely shows up as a problem service in disaster recovery scenarios on the exam.
• Cloud Storage in Dual-Region or Multi-Region. RPO is basically zero. RTO is in seconds. The dual and multi-region configurations replicate object data across regions automatically, so the recovery posture is strong without additional architecture work.
• Regional Persistent Disk. RPO is basically zero. RTO is in minutes. The data is replicated synchronously across two zones in the region, so the data side of the recovery is fine. The RTO is longer than the database services because the disk has to be reattached to a new VM instance after a zonal failure, and that reattachment is what takes the extra time.

The Trap of Picking the Fastest Option

This is the part that catches people on the Professional Cloud Architect exam. When a question lists RPO and RTO requirements, the answer is rarely the most aggressive option on the menu. The question is asking which configuration meets the minimum stated bar at the lowest cost or with the simplest architecture.

If a scenario says the application can tolerate five minutes of downtime and 30 seconds of data loss, the right answer is something with an RTO of five minutes or less and an RPO of 30 seconds or less. It is not the configuration with an RTO of two seconds and an RPO of zero, because that one is more expensive and the scenario did not ask for it. The exam is testing whether I can pick the most cost-effective option that still satisfies the business requirements in the question.

This is a pattern across a lot of Professional Cloud Architect questions, not just disaster recovery. Cost-effectiveness at the minimum bar is the framing the exam rewards. When I see RPO and RTO numbers in the prompt, I treat them as ceilings, not goals to beat.

How I Approach a Disaster Recovery Question

When I read a question that involves RPO and RTO, I do three things in order. First, I pull the RPO and RTO out of the prompt and write them down so I do not lose them. Second, I scan the answer choices and eliminate anything that exceeds either target. Third, among the options that meet both targets, I pick the cheapest or simplest one. The order matters because it stops me from getting impressed by a high-availability option that is overkill for what the scenario actually needs.

The other thing I do is anchor on the service. If the question describes a relational database that needs near-zero data loss and one to two minutes of recovery, that is Cloud SQL HA. If it needs zero data loss and seconds of recovery, that is Cloud Spanner. If it describes object storage with cross-region durability, that is Cloud Storage Dual or Multi-Region. If it describes a VM disk with zero data loss but accepts a few minutes of downtime, that is Regional Persistent Disk. The mapping from requirements to service is what the exam is testing, and it resolves cleanly once the targets are memorized.

I cover RPO and RTO targets and the rest of the disaster recovery framing for Google Cloud services in my full Professional Cloud Architect course, alongside the rest of the advanced architecture material.