Google Cloud Associate Cloud Engineer — Study Guide
Study guide for the Google Cloud Associate Cloud Engineer (ACE) exam. Covers Compute Engine, GKE, Cloud Storage, IAM, networking, and billing — for engineers deploying and managing GCP workloads.
Exam Overview
| Detail | Info |
|---|---|
| Exam code | GCP ACE |
| Duration | 120 minutes |
| Questions | 50–60 (multiple choice, multiple response) |
| Passing score | ~70% (not publicly stated) |
| Cost | $200 USD |
| Validity | 2 years |
| Audience | Cloud engineers deploying, configuring, and managing GCP |
Domain Weightings
| Domain | Weight |
|---|---|
| Setting up cloud solution environment | 17.5% |
| Planning and configuring cloud solutions | 17.5% |
| Deploying and implementing cloud solutions | 23% |
| Ensuring successful operation | 22% |
| Configuring access and security | 20% |
Domain 1: Setting Up Environment (17.5%)
GCP project structure
```
Organisation (domain: company.com)
└── Folders (optional — departments, teams)
    └── Projects (billing + resource boundary)
        └── Resources (VMs, buckets, etc.)
```
Essential gcloud commands
```bash
# Auth and config
gcloud auth login
gcloud config set project my-project
gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-a
gcloud config list                        # show current config
gcloud config configurations create dev   # named config

# Projects
gcloud projects list
gcloud projects create my-new-project --folder=12345
gcloud projects describe my-project

# IAM
gcloud projects get-iam-policy my-project
gcloud projects add-iam-policy-binding my-project \
  --member=user:alice@example.com \
  --role=roles/editor

# Services (APIs)
gcloud services list --enabled
gcloud services enable compute.googleapis.com
```
Billing
- Billing accounts — linked to a payment method; one billing account can fund many projects.
- Budgets and alerts — set at billing account or project level; trigger email at thresholds.
- Cost breakdown — Cloud Billing in console; export to BigQuery for analysis.
Domain 2: Planning and Configuring (17.5%)
Compute service selection
| Service | Use case |
|---|---|
| Compute Engine (GCE) | IaaS; full VM control |
| Google Kubernetes Engine (GKE) | Managed Kubernetes |
| Cloud Run | Serverless containers; HTTP requests |
| Cloud Functions | Serverless event-driven functions |
| App Engine | PaaS; managed runtime; Flexible (containers) or Standard (sandbox) |
| Batch | Large-scale batch jobs |
Storage selection
| Service | Type | Use case |
|---|---|---|
| Cloud Storage | Object storage | Files, backups, static websites |
| Persistent Disk | Block storage | VM disks (HDD, SSD, extreme) |
| Filestore | NFS file system | Shared file storage |
| Cloud SQL | Managed relational (MySQL, PostgreSQL, SQL Server) | OLTP |
| Cloud Spanner | Globally distributed relational | Global scale ACID transactions |
| Firestore | Serverless NoSQL document | Mobile, web apps |
| Bigtable | NoSQL wide-column | IoT, timeseries, analytics at scale |
| BigQuery | Data warehouse | Analytics, SQL at petabyte scale |
| Memorystore | Managed Redis/Memcached | In-memory caching |
Network planning
- VPC — global (spans all regions); subnets are regional.
- Subnet modes — Auto (Google creates subnets per region) vs Custom (you control).
- Shared VPC — host project shares VPC with service projects; centralised network management.
- VPC Peering — connect VPCs; non-transitive.
- Cloud Interconnect — Dedicated (10/100 Gbps) or Partner; private connection to GCP.
- Cloud VPN — IPsec tunnel over internet; Classic or HA VPN (2 tunnels, 99.99% SLA).
Domain 3: Deploying and Implementing (23%)
Compute Engine (GCE)
```bash
# Create a VM
gcloud compute instances create my-vm \
  --zone=us-central1-a \
  --machine-type=e2-medium \
  --image-family=debian-12 \
  --image-project=debian-cloud \
  --boot-disk-size=20GB \
  --tags=http-server

# Start/stop/delete
gcloud compute instances start my-vm --zone=us-central1-a
gcloud compute instances stop my-vm --zone=us-central1-a
gcloud compute instances delete my-vm --zone=us-central1-a

# SSH
gcloud compute ssh my-vm --zone=us-central1-a

# Add a disk
gcloud compute disks create my-disk --size=100GB --zone=us-central1-a
gcloud compute instances attach-disk my-vm --disk=my-disk --zone=us-central1-a

# Snapshot
gcloud compute disks snapshot my-vm --zone=us-central1-a --snapshot-names=my-snapshot
```
Machine types
| Series | Type | Use case |
|---|---|---|
| E2 | Cost-optimised | Dev/test, small workloads |
| N2/N2D | General purpose | Web, app servers |
| C3/C4 | Compute-optimised | HPC, gaming |
| M3 | Memory-optimised | SAP HANA, in-memory DBs |
| A3 | Accelerator (GPU) | ML/AI training |
GKE cluster management
```bash
# Create cluster
gcloud container clusters create my-cluster \
  --zone=us-central1-a \
  --num-nodes=3 \
  --machine-type=e2-standard-4 \
  --enable-autoscaling --min-nodes=1 --max-nodes=10

# Autopilot (fully managed, no node management)
gcloud container clusters create-auto my-cluster \
  --region=us-central1

# Connect kubectl
gcloud container clusters get-credentials my-cluster --zone=us-central1-a

# Upgrade cluster
gcloud container clusters upgrade my-cluster --zone=us-central1-a

# Node pools
gcloud container node-pools create gpu-pool \
  --cluster=my-cluster \
  --zone=us-central1-a \
  --accelerator=type=nvidia-tesla-t4,count=1 \
  --machine-type=n1-standard-4
```
Cloud Storage
```bash
# Create bucket
gcloud storage buckets create gs://my-bucket --location=us-central1

# Copy files
gcloud storage cp file.txt gs://my-bucket/
gcloud storage cp -r local-dir/ gs://my-bucket/dir/

# List
gcloud storage ls gs://my-bucket/

# Set lifecycle
gcloud storage buckets update gs://my-bucket \
  --lifecycle-file=lifecycle.json

# Signed URL (time-limited access)
gcloud storage sign-url gs://my-bucket/file.txt \
  --duration=1h \
  --private-key-file=key.json
```
Storage classes: Standard → Nearline (30-day min) → Coldline (90-day) → Archive (365-day). Set lifecycle rules to auto-transition.
Cloud Run and Cloud Functions
```bash
# Deploy to Cloud Run from container
gcloud run deploy my-service \
  --image=gcr.io/my-project/my-app:latest \
  --region=us-central1 \
  --platform=managed \
  --allow-unauthenticated

# Deploy Cloud Function
gcloud functions deploy hello-http \
  --gen2 \
  --runtime=python311 \
  --entry-point=hello_http \
  --trigger-http \
  --region=us-central1
```
Domain 4: Ensuring Successful Operation (22%)
Cloud Monitoring
```bash
# Create uptime check
gcloud monitoring uptime create my-check \
  --display-name="My App Health" \
  --resource-type=uptime-url \
  --hostname=myapp.example.com \
  --path=/health

# Create alert policy (via console or Terraform for complex policies)
gcloud alpha monitoring policies create --policy-from-file=policy.json
```
Key metrics to know: VM CPU utilisation, disk IOPS, network bytes, GKE node/pod metrics.
Cloud Logging
```bash
# View logs
gcloud logging read "resource.type=gce_instance AND severity>=ERROR" \
  --freshness=1h --limit=50

# Export logs to BigQuery
gcloud logging sinks create my-sink \
  bigquery.googleapis.com/projects/my-project/datasets/logs \
  --log-filter="resource.type=gce_instance"

# Log-based metrics
gcloud logging metrics create error-rate \
  --description="Count of errors" \
  --log-filter="severity=ERROR"
```
Instance groups and autoscaling
```bash
# Managed Instance Group (MIG)
gcloud compute instance-groups managed create my-mig \
  --base-instance-name=web \
  --size=3 \
  --template=web-template \
  --zone=us-central1-a

# Set autoscaling
gcloud compute instance-groups managed set-autoscaling my-mig \
  --max-num-replicas=10 \
  --min-num-replicas=2 \
  --target-cpu-utilization=0.6 \
  --zone=us-central1-a

# Rolling update
gcloud compute instance-groups managed rolling-action start-update my-mig \
  --version=template=new-template \
  --max-surge=3 \
  --max-unavailable=0 \
  --zone=us-central1-a
```
Domain 5: Access and Security (20%)
IAM fundamentals
- Principals — Google accounts, service accounts, Google groups, Workspace domains, `allUsers`, `allAuthenticatedUsers`.
- Roles — Basic (Owner/Editor/Viewer), Predefined (e.g., `roles/compute.instanceAdmin`), Custom.
- Conditions — restrict role binding by time, IP, resource type.
```bash
# Service account for a VM
gcloud iam service-accounts create my-sa \
  --display-name="My Service Account"

# Grant role to service account
gcloud projects add-iam-policy-binding my-project \
  --member=serviceAccount:my-sa@my-project.iam.gserviceaccount.com \
  --role=roles/storage.objectViewer

# Assign service account to a VM
gcloud compute instances create my-vm \
  --service-account=my-sa@my-project.iam.gserviceaccount.com \
  --scopes=cloud-platform
```
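
An added example, not part of the original guide: a Python check over the JSON printed by `gcloud projects get-iam-policy my-project --format=json`, flagging basic roles and the public principals `allUsers` / `allAuthenticatedUsers`, and listing bindings narrowed by a condition. The sample policy, its condition and the function names are constructed for illustration.

```python
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample, shaped like the output of
#   gcloud projects get-iam-policy my-project --format=json
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers",
                     "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/compute.instanceAdmin",
         "members": ["group:ops@example.com"],
         "condition": {"title": "expires-2026",
                       "expression":
                           "request.time < timestamp('2026-01-01T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    ],
}


def audit_policy(policy):
    """Return sorted (finding, role, member) tuples for risky bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            # Anyone on the internet / anyone with a Google account.
            if member in PUBLIC_PRINCIPALS:
                findings.append(("public-principal", role, member))
            # Owner/Editor/Viewer span every service in the project.
            if role in BASIC_ROLES:
                findings.append(("basic-role", role, member))
    return sorted(findings)


def conditional_grants(policy):
    """Return (role, condition title) for bindings narrowed by a condition."""
    return [(b["role"], b["condition"].get("title", ""))
            for b in policy.get("bindings", []) if "condition" in b]


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding)
```
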
Firewall rules
```bash
# Allow HTTP from anywhere
gcloud compute firewall-rules create allow-http \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:80 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=http-server

# Allow SSH from specific IP
gcloud compute firewall-rules create allow-ssh-my-ip \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:22 \
  --source-ranges=203.0.113.0/32
```
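
An added example, not part of the original guide: a Python review of rules in the shape printed by `gcloud compute firewall-rules list --format=json`, reporting ingress allow rules that accept any source address and either reach an admin port or carry no target tag or service account. The sample rules (the two above plus a constructed `allow-mgmt-anywhere`), the admin-port list and the function names are assumptions for illustration.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP (assumed list for this example)

# Constructed sample, shaped like the output of
#   gcloud compute firewall-rules list --format=json
SAMPLE_RULES = [
    {"name": "allow-http", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-ssh-my-ip", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/32"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-mgmt-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
]


def covers_admin_port(allowed):
    """True if one 'allowed' entry permits TCP traffic to an admin port."""
    if allowed.get("IPProtocol") not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:  # no port list means every port of that protocol
        return True
    for spec in ports:  # each spec is "80" or a range such as "20-25"
        low, _, high = spec.partition("-")
        if any(int(low) <= p <= int(high or low) for p in ADMIN_PORTS):
            return True
    return False


def audit_rules(rules):
    """Return sorted (rule name, finding) pairs for internet-facing allow rules."""
    findings = []
    for rule in rules:
        skip = rule.get("disabled") or "allowed" not in rule
        if skip or rule.get("direction") != "INGRESS":
            continue
        any_source = any(ipaddress.ip_network(r, strict=False).prefixlen == 0
                         for r in rule.get("sourceRanges", []))
        if not any_source:
            continue
        if any(covers_admin_port(a) for a in rule["allowed"]):
            findings.append((rule["name"], "admin-port-open-to-internet"))
        if not (rule.get("targetTags") or rule.get("targetServiceAccounts")):
            findings.append((rule["name"], "applies-to-all-instances"))
    return sorted(findings)
```
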
Cloud KMS
```bash
# Create keyring and key
gcloud kms keyrings create my-keyring --location=us-central1
gcloud kms keys create my-key \
  --location=us-central1 \
  --keyring=my-keyring \
  --purpose=encryption

# Encrypt/decrypt
gcloud kms encrypt \
  --location=us-central1 \
  --keyring=my-keyring \
  --key=my-key \
  --plaintext-file=secret.txt \
  --ciphertext-file=secret.enc

gcloud kms decrypt \
  --location=us-central1 \
  --keyring=my-keyring \
  --key=my-key \
  --ciphertext-file=secret.enc \
  --plaintext-file=secret-decrypted.txt
```
Study Plan (8–10 Weeks)
| Weeks | Focus |
|---|---|
| 1–2 | GCP fundamentals — project structure, gcloud CLI, IAM |
| 3 | Compute Engine — VMs, instance groups, autoscaling |
| 4 | GKE — cluster creation, kubectl, workloads, autoscaling |
| 5 | Storage — Cloud Storage, persistent disks, Cloud SQL |
| 6 | Networking — VPC, firewall rules, Cloud Load Balancing, VPN |
| 7 | Monitoring, logging, Cloud Run, Cloud Functions |
| 8 | Security — IAM, KMS, org policies, VPC Service Controls |
| 9–10 | Full practice exams + weak area labs |
Key Resources
| Resource | Notes |
|---|---|
| Google Cloud Skills Boost | Free courses + labs (Qwiklabs); official Google path |
| A Cloud Guru GCP ACE | Popular paid video course |
| Dan Sullivan (Udemy/O'Reilly) | Official GCP ACE study guide author |
| Tutorials Dojo GCP ACE | Practice exams |
| GCP Free Tier | $300 free credits + always-free products for hands-on practice |
