What does the Google Cloud Associate Cloud Engineer exam cover?
The Google Cloud Associate Cloud Engineer exam covers deploying and managing applications on Google Cloud, managing Compute Engine and GKE workloads, configuring Cloud Storage and databases, managing networking and IAM, and monitoring operations with Cloud Monitoring and Logging. The exam costs $200 USD and targets engineers with 6 or more months of GCP experience.
The Google Cloud Associate Cloud Engineer (ACE) certification validates the ability to deploy, monitor, and manage applications on Google Cloud Platform. It is Google Cloud's primary practitioner-level certification and is commonly the first GCP certification pursued by cloud engineers joining Google Cloud-centric organizations.
The ACE exam tests practical GCP administration skills across compute, storage, networking, security, and operations. Strong candidates are comfortable with the Google Cloud Console, the gcloud CLI, and have deployed real workloads on GCP.
Exam Overview
| Detail | Information |
|---|---|
| Exam Code | Associate Cloud Engineer |
| Provider | Google Cloud |
| Number of Questions | 50 |
| Time Limit | 2 hours |
| Passing Score | Not published (approximately 70%) |
| Cost | $200 USD |
| Prerequisites | None (6+ months GCP experience recommended) |
| Validity | 2 years |
The exam covers five sections:
- Setting up a cloud solution environment (17.5%)
- Planning and configuring a cloud solution (17.5%)
- Deploying and implementing a cloud solution (25%)
- Ensuring successful operation of a cloud solution (20%)
- Configuring access and security (20%)
"The ACE exam rewards candidates who have actually deployed workloads on GCP. Reading documentation is not sufficient — you need to understand why you choose Compute Engine vs. GKE vs. Cloud Run for different scenarios, and why Cloud SQL differs from Spanner. Hands-on experience with the gcloud CLI and understanding how IAM policies flow from organization to project to resource is essential." -- Google Cloud certified engineer community
Setting Up a Cloud Solution Environment
Resource Hierarchy
Google Cloud's resource hierarchy determines how policies and billing flow:
Organization (company.com)
└── Folders
├── Production Folder
│ ├── Project: prod-web (billing account: acme-prod)
│ └── Project: prod-data
└── Development Folder
├── Project: dev-web
└── Project: dev-data
Key hierarchy concepts:
- Organization: Root node, maps to a Google Workspace or Cloud Identity domain
- Folders: Optional grouping for departments, teams, or environments
- Projects: Core unit of organization; all GCP resources belong to a project
- Resources: VMs, buckets, databases, etc. within projects
IAM policy inheritance: Policies set at higher levels are inherited by lower levels. A policy granting a role at the organization level grants it across all folders, projects, and resources.
gcloud CLI Essential Commands
# Configure gcloud with your account
gcloud init
# Set active project
gcloud config set project PROJECT_ID
# List current configuration
gcloud config list
# Create a new project
gcloud projects create my-project-id --name="My Project"
# Set IAM policy on a project
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="user:email@example.com" \
--role="roles/compute.instanceAdmin"
# List available regions
gcloud compute regions list
# List active account
gcloud auth list
Compute Engine
Instance Types and Machine Families
| Machine Family | Use Case | Example Types |
|---|---|---|
| General-purpose (N2, E2, N2D) | Web servers, dev/test | n2-standard-2, e2-medium |
| Compute-optimized (C2, C2D) | CPU-intensive workloads | c2-standard-4 |
| Memory-optimized (M2, M3) | In-memory databases, SAP HANA | m2-megamem-416 |
| Accelerator-optimized (A2, G2) | GPU workloads, ML training | a2-highgpu-1g |
| Storage-optimized (Z3) | High-throughput storage | z3-standard-88 |
Spot VMs: Preemptible instances at 60-91% discount. Can be preempted with 30-second warning when Compute Engine needs capacity. Use for fault-tolerant batch workloads.
# Create a VM instance
gcloud compute instances create my-vm \
--zone=us-central1-a \
--machine-type=e2-medium \
--image-family=debian-11 \
--image-project=debian-cloud \
--boot-disk-size=20GB \
--tags=http-server
# Create a managed instance group
gcloud compute instance-groups managed create my-mig \
--template=my-instance-template \
--size=3 \
--zone=us-central1-a
# Set autoscaling
gcloud compute instance-groups managed set-autoscaling my-mig \
--zone=us-central1-a \
--max-num-replicas=10 \
--target-cpu-utilization=0.7
Google Kubernetes Engine (GKE)
GKE Cluster Types
| Cluster Type | Description | Use Case |
|---|---|---|
| Standard | You manage node pools; pay for nodes | Full control, custom configs |
| Autopilot | Google manages nodes; pay per pod | Hands-off management |
| Private | No external IPs on nodes; private API server | Security-sensitive workloads |
| Regional | Nodes in multiple zones for HA | Production workloads |
# Create a GKE cluster
gcloud container clusters create my-cluster \
--zone=us-central1-a \
--num-nodes=3 \
--machine-type=e2-standard-2
# Get credentials for kubectl
gcloud container clusters get-credentials my-cluster \
--zone=us-central1-a
# Create Autopilot cluster
gcloud container clusters create-auto my-autopilot-cluster \
--region=us-central1
# Update cluster to enable Workload Identity
gcloud container clusters update my-cluster \
--zone=us-central1-a \
--workload-pool=PROJECT_ID.svc.id.goog
Cloud Storage
Storage Classes
| Class | Availability SLA | Min Duration | Use Case |
|---|---|---|---|
| Standard | 99.99% multi-region | None | Frequently accessed data |
| Nearline | 99.9% | 30 days | Monthly access |
| Coldline | 99.9% | 90 days | Quarterly access |
| Archive | 99.9% | 365 days | Annual/disaster recovery |
# Create a bucket
gcloud storage buckets create gs://my-bucket \
--location=US \
--storage-class=STANDARD \
--public-access-prevention
# Upload a file
gcloud storage cp local-file.txt gs://my-bucket/
# Set lifecycle rule (transition to Nearline after 30 days)
cat lifecycle.json
{
"rule": [{
"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
"condition": {"age": 30}
}]
}
gcloud storage buckets update gs://my-bucket --lifecycle-file=lifecycle.json
# Make bucket public (read)
gcloud storage buckets add-iam-policy-binding gs://my-bucket \
--member="allUsers" \
--role="roles/storage.objectViewer"
Networking
VPC Architecture
Google Cloud VPCs are global resources with regional subnets:
# Create a custom VPC
gcloud compute networks create my-vpc --subnet-mode=custom
# Create a subnet in the VPC
gcloud compute networks subnets create my-subnet \
--network=my-vpc \
--region=us-central1 \
--range=10.0.0.0/24
# Create a firewall rule
gcloud compute firewall-rules create allow-http \
--network=my-vpc \
--allow=tcp:80 \
--source-ranges=0.0.0.0/0 \
--target-tags=http-server
# Create a Cloud NAT for private instances
gcloud compute routers create my-router \
--network=my-vpc \
--region=us-central1
gcloud compute routers nats create my-nat \
--router=my-router \
--region=us-central1 \
--auto-allocate-nat-external-ips \
--nat-all-subnet-ip-ranges
Load Balancers
| Load Balancer | Scope | Protocol | Use Case |
|---|---|---|---|
| External HTTPS (Global) | Global | HTTP/HTTPS | Web apps, CDN |
| External TCP/UDP (Regional) | Regional | TCP/UDP | TCP services |
| Internal HTTP(S) | Regional | HTTP/HTTPS | Internal microservices |
| Internal TCP/UDP | Regional | TCP/UDP | Internal TCP services |
IAM and Security
IAM Roles
Primitive roles (avoid for granular access):
- Owner: Full control + billing
- Editor: All read/write except IAM
- Viewer: Read-only
Predefined roles (recommended):
# Common predefined roles:
roles/compute.instanceAdmin.v1 # Create/manage VMs
roles/storage.objectAdmin # Full Cloud Storage access
roles/container.developer # GKE deploy and manage
roles/cloudsql.client # Connect to Cloud SQL
roles/logging.viewer # View Cloud Logging logs
roles/monitoring.viewer # View Cloud Monitoring data
Custom roles: Build roles with only the specific permissions needed.
Service accounts: Identity for workloads (VMs, Cloud Functions, GKE pods):
# Create a service account
gcloud iam service-accounts create my-sa \
--display-name="My Service Account"
# Grant a role to the service account on a project
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:my-sa@PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/storage.objectViewer"
# Create and download a key (prefer Workload Identity over keys)
gcloud iam service-accounts keys create key.json \
--iam-account=my-sa@PROJECT_ID.iam.gserviceaccount.com
Operations (Monitoring and Logging)
Cloud Monitoring
# Create an alerting policy for CPU > 80%
gcloud alpha monitoring policies create \
--policy-from-file=alert-policy.yaml
# Cloud Monitoring dashboard via Console or Terraform
# Key metrics:
# compute.googleapis.com/instance/cpu/utilization
# compute.googleapis.com/instance/network/received_bytes_count
# storage.googleapis.com/api/request_count
Cloud Logging
# Read recent logs for a VM
gcloud logging read "resource.type=gce_instance AND \
resource.labels.instance_id=INSTANCE_ID" \
--limit=50 --format=json
# Create a log sink to export logs to Cloud Storage
gcloud logging sinks create my-sink \
storage.googleapis.com/my-log-bucket \
--log-filter='severity>=ERROR'
# List log sinks
gcloud logging sinks list
Frequently Asked Questions
How is the ACE different from the Professional Cloud Architect? The Associate Cloud Engineer validates practical administration skills: deploying, configuring, and managing GCP workloads. The Professional Cloud Architect validates the ability to design enterprise-scale cloud solutions, evaluating trade-offs between services, designing for reliability and security, and advising businesses on GCP adoption. The ACE is the practitioner exam; PCA is the architect exam. Many engineers pursue ACE first, then PCA after gaining more design experience.
Which GCP services are most important for the ACE exam? The highest-priority services based on exam domain weights are: Compute Engine (VMs, managed instance groups, autoscaling), GKE (cluster types, deployments, services), Cloud Storage (storage classes, lifecycle, access control), Cloud IAM (roles, service accounts, policy inheritance), VPC networking (subnets, firewall rules, load balancers), and Cloud Monitoring/Logging. Cloud SQL, Cloud Run, and Cloud Functions appear in scenario questions.
Is the gcloud CLI tested on the ACE exam? Yes. The ACE exam includes questions about gcloud CLI commands, particularly for tasks like creating resources, setting IAM policies, and retrieving credentials for GKE clusters. You do not need to memorize every flag, but you should know the structure of common commands and which command to use for which task. The official Google Cloud Skill Boost platform provides hands-on labs that build CLI familiarity.
References
- Google Cloud. (2025). Associate Cloud Engineer Certification. https://cloud.google.com/certification/cloud-engineer
- Google Cloud. (2025). Cloud SDK (gcloud CLI) Documentation. https://cloud.google.com/sdk/docs
- Google Cloud. (2025). Google Cloud Skill Boost. https://cloudskillsboost.google/
- Geewax, J.J. (2021). Google Cloud in Action. Manning Publications.
- Google Cloud. (2025). Identity and Access Management Documentation. https://cloud.google.com/iam/docs
- Tutorials Dojo. (2025). Google Cloud ACE Practice Exams. https://tutorialsdojo.com/google-cloud/