GCP Associate Cloud Engineer Guide: ACE Exam Breakdown and Study Plan

The GCP Associate Cloud Engineer (ACE) is the essential entry certification for engineers working on Google Cloud. It is not a broad cloud-concepts exam — it tests that you can deploy, operate, and manage real workloads on GCP using the console, gcloud CLI, and GCP’s service catalogue.

Passing it proves you understand not just what GCP services do, but how to configure them correctly for a given requirement. That distinction matters in interviews, where you will be expected to go beyond definitions.

What the ACE exam actually tests#

The ACE is focused on operations rather than architecture design. A typical question presents a deployment scenario — a team needs to run a containerised application with automatic scaling, store its state in a managed database, and restrict access to a service account — and asks which combination of services and configurations achieves this.

Exam domains and weightings:

Format: Approximately 50–60 questions, approximately 2 hours, approximately $200, 2-year validity.

Key services and topics to know#

Compute#

Compute Engine (virtual machines):

• Machine types: general purpose (N-series, E-series), compute-optimised (C-series), memory-optimised (M-series)
• Managed instance groups (MIGs): autoscaling, health checks, update policies
• Preemptible and Spot VMs: use cases and limitations (can be reclaimed by GCP at any time with 30-second notice for preemptible, similar behaviour for Spot)
• Startup and shutdown scripts
• Sole-tenant nodes: when and why
• Instance templates: creating standardised VM configurations

Google Kubernetes Engine (GKE):

• Standard vs Autopilot mode: who manages what
• Node pools: separate groups of nodes with different machine types
• Cluster networking: VPC-native clusters, secondary IP ranges for pods and services
• Workload Identity: linking Kubernetes service accounts to GCP service accounts
• GKE Autopilot pricing model vs Standard

App Engine:

• Standard vs Flexible environment: key differences and use cases
• Traffic splitting for canary deployments
• Service configuration using app.yaml

Cloud Run:

• Fully managed serverless containers
• Minimum instances (to avoid cold starts), maximum instances
• Concurrency settings
• Traffic splitting between revisions
• Service identity and IAM

Cloud Functions:

• When to choose over Cloud Run
• Trigger types: HTTP, Cloud Storage, Pub/Sub, Firestore, Cloud Scheduler
• Execution environment (Node.js, Python, Go, Java, etc.)
• Retries and error handling

Storage#

Cloud Storage:

• Storage classes: Standard, Nearline, Coldline, Archive — cost and access frequency trade-offs
• Lifecycle rules: transitioning objects between classes, deleting after a time period
• Object versioning
• IAM vs ACLs: when each applies, why IAM is preferred
• Signed URLs for temporary access
• Cloud Storage Transfer Service for moving data from on-premises or other clouds

Cloud SQL:

• Managed MySQL, PostgreSQL, SQL Server instances
• High availability: regional persistent disk, automatic failover
• Read replicas: when to use them
• Maintenance windows and backup configuration
• Connecting securely: Cloud SQL Proxy and Private IP

Cloud Spanner:

• Globally distributed relational database
• When to choose it over Cloud SQL (global scale, 99.999% SLA)
• External consistency model

Cloud Bigtable:

• High-throughput NoSQL for time series, analytics workloads
• Key design: row key structure determines performance

Firestore:

• Document-based NoSQL, real-time sync
• Use cases: mobile and web applications, user data

Networking#

• VPC design: Subnets (regional resources in GCP, unlike AWS zones), CIDR ranges, firewall rules
• Firewall rules: Direction (ingress/egress), priority, target tags vs service accounts, allow vs deny
• Cloud NAT: Outbound internet access for private VMs without public IPs
• Cloud Load Balancing: HTTP(S), TCP, SSL, Internal — difference between global and regional
• Cloud DNS: Managed zones, DNS forwarding, private zones
• VPC Peering vs Shared VPC: When to use each, transitive peering limitation
• Cloud Interconnect and VPN: Hybrid connectivity options

IAM and security#

IAM questions appear in 20% of the exam. Know this well.

• IAM roles: Basic (Owner, Editor, Viewer), predefined, custom
• Service accounts: What they are, how applications use them, the difference between user-managed and Google-managed service accounts
• Workload Identity Federation: Allowing external identities (GitHub Actions, AWS) to act as GCP service accounts without a key file
• IAM conditions: Time-based, resource-based access conditions
• Policy inheritance: Project, folder, and organisation policies and how they interact
• Cloud Audit Logs: Admin Activity, Data Access, System Event, Policy Denied — which are enabled by default
• VPC Service Controls: Protecting sensitive data with perimeters

Operations and monitoring#

• Cloud Monitoring: Metrics, uptime checks, alerting policies, dashboards
• Cloud Logging: Log-based metrics, log sinks (to BigQuery, Cloud Storage, Pub/Sub), log exclusions
• Cloud Trace and Cloud Profiler: Distributed tracing and performance profiling
• Deployment Manager: GCP’s native infrastructure-as-code tool (though Terraform is commonly used in practice)

Billing and cost management#

• Billing accounts: How they relate to projects
• Budgets and alerts: Setting thresholds, notification channels
• Resource quotas: How to view and increase them
• Committed use discounts vs sustained use discounts: How GCP pricing rewards consistent usage

What makes ACE questions distinctive#

GCP exam questions frequently require you to know the correct gcloud command or console configuration, not just the concept. For example, a question might ask which gcloud command grants a specific IAM role to a service account. You need to know: gcloud projects add-iam-policy-binding PROJECT_ID --member=serviceAccount:SA_EMAIL --role=roles/ROLE_NAME.

This is different from AWS exams, which tend to be more service-awareness and architectural trade-off focused. ACE rewards engineers who have used the gcloud CLI regularly.

How to prepare#

Use the gcloud CLI constantly. Set up a GCP free-tier account (GCP offers $300 in credits for new accounts). Deploy resources through both the console and gcloud. Create a VM, deploy a GKE cluster with Workload Identity, set up Cloud SQL with a private IP, configure a Cloud Run service — all from the command line.

Labs over videos. Google Cloud has its own lab environment (Google Cloud Skills Boost). Qwiklabs are hands-on exercises where you work in real GCP environments. These are more valuable than watching lectures because they force you to use the actual tools.

Know IAM cold. Twenty percent of the exam is IAM and security. Spend disproportionate time here. The questions are specific and punishing if you confuse service account types, role scopes, or audit log categories.

Practice exam questions: GCP practice questions have a different feel from AWS — more specific, more console-and-CLI-oriented. Use GCP-specific practice banks, not general cloud practice questions.

Preparation time:

After the ACE: what comes next#

The ACE is the gateway to GCP professional certifications. After passing it:

• Engineers focused on architecture move to the GCP Professional Cloud Architect
• Data-focused engineers move to the Professional Data Engineer
• DevOps engineers move to the Professional Cloud DevOps Engineer

The GCP cert renewal cycle is 2 years and requires re-examination — not a free online renewal like Azure. Factor this into your planning.

Summary#

• The ACE tests operational deployment and configuration knowledge — not just what GCP services do
• IAM and security account for 20% of the exam — know it in depth
• gcloud CLI knowledge is tested directly — use it regularly during preparation
• Hands-on labs (Google Cloud Skills Boost) are more valuable than lecture-only study
• 6–8 weeks is realistic for engineers with cloud experience on other platforms