Cert-Pass
Log in Sign up
arrow_back Cert

Google Google Cloud Associate Cloud Engineer

🔥 0 streak
0%
timer Mock Exam lock Pro menu_book Course description 3-Page download Free
menu_book

Google Cloud Associate Cloud Engineer

Compressed Course

Google Cloud Associate Cloud Engineer Exam Course

Target blueprint: Google Cloud Associate Cloud Engineer standard exam, using the updated English exam guide scheduled to be live on June 30.
Purpose: A compressed but complete revision course built from the source question bank, with repetition removed and scenario patterns merged into practical decision rules.
Important: If you sit the English exam before June 30, review the current Google Cloud exam guide because the earlier weighting and terminology differ slightly.


1. Exam Overview

The Associate Cloud Engineer exam tests whether you can deploy, secure, operate, and troubleshoot Google Cloud solutions. It is not a pure memorization exam. Most questions describe a workload or operational problem and ask for the best action among several technically possible actions.

Exam format

Item Standard exam
Duration 2 hours
Question count 50–60
Question types Multiple choice and multiple select
Recommended experience 6+ months of hands-on Google Cloud experience
Main skill Choose and operate the simplest correct Google Cloud solution

Updated exam weighting

Domain Weight Priority
Setting up a cloud solution environment ~20% High
Planning and implementing a cloud solution ~30% Very high
Ensuring the successful operation of a cloud solution ~30% Very high
Configuring access and security ~20% High

How to think during the exam

For every scenario, identify five things before reading the options closely:

  1. Workload type: VM, container, Kubernetes, event-driven function, database, object storage, analytics, or AI agent.
  2. Control level: Does the team need operating-system control, Kubernetes control, or minimal operations?
  3. Scope: Organization, folder, project, bucket, subnet, resource, service account, or workload.
  4. Security expectation: Least privilege, private access, short-lived credentials, no public exposure, or customer-managed encryption keys.
  5. Operational goal: Deploy, scale, monitor, troubleshoot, optimize, back up, restore, or route traffic.

A good answer normally satisfies the requirement with the least unnecessary privilege, least operational overhead, and narrowest appropriate scope.


2. Exam Domains

Domain 1: Setting up a cloud solution environment — ~20%

You must understand initial governance, project setup, API activation, quotas, billing, Cloud Identity, Workforce Identity Federation, resource inventory, and observability foundations.

Domain 2: Planning and implementing a cloud solution — ~30%

This is one of the most important domains. You must choose the correct compute, data, storage, network, and infrastructure-as-code solution for a workload.

Domain 3: Ensuring the successful operation of a cloud solution — ~30%

This is the other major domain. You must know how to operate Compute Engine, GKE, Cloud Run, databases, networking, monitoring, logging, diagnostics, backups, and optimization tooling.

Domain 4: Configuring access and security — ~20%

You must apply IAM inheritance correctly, use predefined or custom roles appropriately, manage service accounts, prefer short-lived credentials, and distinguish workforce identities from workload identities.


3. Start-to-Finish Study Path

Use this sequence to prepare efficiently.

Phase 1: Build the foundation

Learn the Google Cloud resource hierarchy:

Organization
└── Folder
    └── Project
        └── Resources

Practice:

  • Create a project.
  • Link it to a billing account.
  • Enable an API.
  • Set a default project in gcloud.
  • Review quotas.
  • Create a budget alert.
  • Explore IAM roles at organization, folder, project, and resource scope.

Phase 2: Master service selection

Memorize decision rules, not product definitions. You should be able to choose between:

  • Compute Engine, GKE, Cloud Run, Cloud Run functions, and Agent Runtime.
  • Cloud SQL, AlloyDB, Spanner, Firestore, Bigtable, BigQuery, Memorystore, Pub/Sub, Dataflow, and Managed Service for Apache Kafka.
  • Cloud Storage, Persistent Disk, Hyperdisk, Filestore, Google Cloud NetApp Volumes, and Google Cloud Managed Lustre.
  • Shared VPC, VPC Network Peering, Cloud VPN, Cloud Interconnect, Cloud NAT, Cloud DNS, load balancing, and Network Service Tiers.

Phase 3: Practice deployment and scaling

Perform small labs:

  • Create a Compute Engine VM with OS Login.
  • Build an instance template and managed instance group.
  • Create a GKE cluster and inspect nodes, Pods, and Services with kubectl.
  • Deploy a container to Cloud Run and create a new revision.
  • Configure traffic splitting.
  • Review autoscaling options for VMs, Pods, node pools, and Cloud Run.

Phase 4: Practice operations

Perform operational tasks:

  • Create and restore a disk snapshot.
  • Review Cloud Logging entries with filters.
  • Create a Cloud Monitoring alert.
  • Compare built-in and custom metrics.
  • Review Cloud Run revisions and rollback behavior.
  • Review GKE node pools and Pod resource requests.
  • Review database backups and restore options.
  • Reserve static internal and external IP addresses.
  • Configure Cloud NAT for private VM egress.

Phase 5: Master IAM and identity

Practice the differences between:

  • Human users and groups.
  • Service accounts.
  • Service-account impersonation.
  • Short-lived credentials.
  • Workload Identity Federation.
  • Workload Identity Federation for GKE.
  • Workforce Identity Federation.

Phase 6: Simulate exam reasoning

When reviewing practice questions:

  1. State the requirement in one sentence.
  2. Identify the required service category.
  3. Remove answers from the wrong category.
  4. Remove answers with excessive scope or privilege.
  5. Prefer the managed option that meets the requirement directly.
  6. Check whether the question asks for design, deployment, operation, troubleshooting, or optimization.

4. Core Concepts by Domain

Domain 1 — Setting Up a Cloud Solution Environment

4.1 Resource hierarchy

Scope Best use
Organization Company-wide governance
Folder Department, business unit, environment, or policy boundary
Project Workload boundary, billing linkage, API enablement, quotas, and many IAM grants
Resource Narrow access when a project-wide grant is too broad

Decision rule: Apply policy at the highest level that covers the intended resources, but not higher.

Example:

  • All finance projects need the same guardrail → apply it at the Finance folder.
  • Every project in the company must follow the same restriction → apply it at the organization.
  • One bucket must be readable by one workload → apply a bucket-level IAM role.

4.2 Organization policies versus IAM

Mechanism Purpose
IAM allow policy Grants principals permission to perform actions
Organization policy Restricts allowed configurations across the hierarchy
Billing account Controls payment relationship and cost reporting
VPC firewall rule or Cloud NGFW policy Controls network traffic

Common trap: Granting an IAM role does not enforce a resource configuration restriction. If the scenario says “prevent public IP addresses” or “restrict a configuration across projects,” think organization policy.

4.3 Cloud Identity groups

Grant roles to groups rather than editing individual bindings repeatedly.

Use a group when:

  • Team membership changes frequently.
  • Multiple people need the same role.
  • Access should remain stable while membership changes.

Avoid sharing a service account key with a workforce team. A service account represents a workload identity, not a shared human login.

4.4 API enablement

Before creating resources in a project, verify that the required API is enabled.

Typical failure pattern:

Project exists
Billing is linked
IAM appears correct
Deployment still fails
→ Check whether the service API is enabled

4.5 Quotas and geographical availability

Quotas can apply by project, service, region, or resource type. Check capacity before deployment.

Also verify that the product, accelerator, and required feature exist in the target region or zone. A product name alone does not guarantee regional availability.

4.6 Cloud Asset Inventory and Gemini Cloud Assist

Use Cloud Asset Inventory to inspect and analyze the resource estate across projects. The updated blueprint also includes using Gemini Cloud Assist to assist with resource analysis.

4.7 Workforce Identity Federation

Use Workforce Identity Federation when external human users or groups authenticate through an external identity provider and need controlled access to supported Google Cloud resources.

Do not confuse it with workload federation, which is designed for machines and external workloads.

4.8 Billing configuration

Requirement Correct approach
Link a project to payment responsibility Link the project to a billing account
Separate subsidiary invoicing Use separate billing accounts
Receive spend notifications Create budgets and alerts
Analyze detailed usage and cost Export billing data to BigQuery

Important: A budget alert is not a hard spending cap by default. It notifies; it does not automatically stop workloads.


Domain 2 — Planning and Implementing a Cloud Solution

4.9 Compute selection

Requirement Best choice Why
Full OS control, custom software, legacy runtime Compute Engine Direct VM administration
Kubernetes APIs, orchestration, multi-service platform GKE Managed Kubernetes
Stateless HTTP container with minimal infrastructure management Cloud Run Serverless container execution
Small event-driven function Cloud Run functions with an event source such as Eventarc Minimal operations for event processing
Managed AI agent runtime Agent Runtime on Gemini Enterprise Agent Platform Purpose-built managed agent execution

Elimination rule: If the scenario explicitly says “do not manage servers or nodes,” remove Compute Engine and usually remove GKE Standard.

4.10 Compute Engine essentials

VM storage

Storage Best use
Zonal Persistent Disk Durable zonal block storage
Regional Persistent Disk Cross-zone replicated block storage for higher resilience
Hyperdisk Workload-specific block-storage performance profiles
Local SSD High-performance ephemeral local storage

Trap: Local SSD is not a durable backup. If the VM is removed, do not treat Local SSD data as persistent.

VM scaling

For identical VMs that must scale automatically:

  1. Create an instance template.
  2. Create a managed instance group.
  3. Configure autoscaling.

OS Login

Use OS Login for centrally managed SSH access through IAM. Avoid manually distributing shared private SSH keys.

VM Manager

Use VM Manager for centralized VM operating-system management and inventory capabilities.

Spot VMs

Use Spot VMs for interruptible workloads that can restart, such as fault-tolerant batch jobs. Avoid them for workloads that cannot tolerate termination.

Custom machine types

Use a custom machine type when standard CPU-to-memory ratios waste resources.

4.11 GKE essentials

Requirement Best choice
Reduce node-management work GKE Autopilot
Need direct node-pool control GKE Standard
Control-plane resilience across zones Regional GKE cluster
Nodes should avoid public IP addresses Private GKE cluster
Manage Kubernetes resources from CLI kubectl

Core Kubernetes objects:

Object Purpose
Pod Running workload unit
Deployment Manages stateless replicated Pods and rollout behavior
Service Stable network endpoint for Pods
StatefulSet Stable identities and ordered behavior for stateful workloads
Node pool Group of GKE worker nodes with a shared configuration

4.12 Serverless events

Use an event-driven serverless pattern when code should execute after an event such as:

  • Pub/Sub message delivery.
  • Cloud Storage object creation or modification.
  • Eventarc-supported events.

Avoid running a polling VM unless the scenario explicitly requires a self-managed polling process.

4.13 GPUs and TPUs

Identify whether the workload has been validated for GPU or TPU acceleration. Then confirm:

  • Framework compatibility.
  • Machine or runtime compatibility.
  • Regional or zonal availability.
  • Quota availability.

4.14 Data-service selection

Service Best fit Avoid when
Cloud SQL Managed traditional relational OLTP workload You need global horizontal relational scale
AlloyDB Demanding PostgreSQL-compatible relational workload The workload is analytical rather than operational
Spanner Horizontally scalable relational database with strong consistency A small conventional relational database is enough
Firestore Document-oriented application database You need warehouse-style analytical joins
Bigtable Low-latency, high-throughput wide-column workloads such as time series You need relational joins and transactions
BigQuery Serverless analytics and data warehousing You need an OLTP application database
Memorystore Managed in-memory cache You need a durable system of record
Pub/Sub Asynchronous event delivery and decoupling You need batch transformation
Dataflow Managed batch and streaming data-processing pipelines You only need message transport
Managed Service for Apache Kafka Kafka-compatible managed broker semantics Kafka compatibility is not required

4.15 Storage selection

Service Interface Best use
Cloud Storage Object Files, objects, archives, data-lake style storage
Persistent Disk Block Durable VM disks
Hyperdisk Block VM block storage with workload-specific performance needs
Filestore File Managed shared NFS-style access
Google Cloud NetApp Volumes File Enterprise file workloads requiring managed NFS or SMB capabilities
Google Cloud Managed Lustre Parallel POSIX file Throughput-intensive AI and HPC workloads
Local SSD Local ephemeral block Temporary high-performance VM-local data

Cloud Storage classes:

Class Typical pattern
Standard Frequent access
Nearline Infrequent access
Coldline Rare access
Archive Very rare access and long retention

Rule: Choose the storage interface first: object, block, shared file, or parallel file. Then choose durability, performance, and access-frequency tradeoffs.

4.16 Loading data

Scenario Correct tool
Upload local files to a bucket from terminal Google Cloud CLI, such as gcloud storage
Load files already stored in Cloud Storage into BigQuery BigQuery load job
Move a large existing dataset into Cloud Storage through a managed transfer workflow Storage Transfer Service
Transform streaming or batch data Dataflow

4.17 VPC designs

Requirement Correct choice
Explicit subnet CIDRs and regions Custom mode VPC
Central network team owns subnets; application projects consume them Shared VPC
Independently administered VPCs need private connectivity VPC Network Peering
Encrypted on-premises connectivity across the public internet Cloud VPN
Private high-throughput on-premises connectivity Cloud Interconnect

Critical distinction: Shared VPC is about centralized ownership of subnets. VPC Network Peering is about private connectivity between separately administered VPC networks.

4.18 Firewalls and Cloud NGFW

A firewall decision depends on:

  • Direction: ingress or egress.
  • Action: allow or deny.
  • Source or destination.
  • Target.
  • Protocol.
  • Port.
  • Priority.
  • Governed targeting, such as secure Tags or service accounts where appropriate.

Trap: An egress rule cannot authorize inbound HTTPS traffic.

4.19 Load balancing, Cloud NAT, and Network Service Tiers

Requirement Service
Distribute inbound traffic to application backends Load balancer
Allow private resources without external IP addresses to reach the internet outbound Cloud NAT
Publish DNS records Cloud DNS
Compare premium Google network path versus eligible lower-cost internet routing Network Service Tiers

Do not use Cloud NAT as an inbound load balancer.

4.20 Infrastructure as code and tooling

Tool Use
Terraform Versioned, repeatable infrastructure deployment and state management
Config Connector Kubernetes-style declarative management of Google Cloud resources
Helm Package and parameterize Kubernetes application manifests
Fabric FAST Infrastructure-as-code foundation accelerator
Gemini CLI, Gemini Cloud Assist, Google Antigravity, Application Design Center AI-assisted planning and implementation where appropriate

For exam questions, prefer repeatable, version-controlled infrastructure over undocumented manual console-only changes when the scenario asks for consistency across environments.


Domain 3 — Ensuring the Successful Operation of a Cloud Solution

4.21 Compute Engine operations

Know how to:

  • View running instances.
  • Connect remotely using an approved method.
  • Use OS Login-backed SSH where appropriate.
  • Create, view, delete, and schedule snapshots.
  • Create reusable VM images.
  • Attach supported GPUs or TPUs after validating compatibility and availability.

Snapshot versus image

Item Best use
Snapshot Point-in-time disk backup and restoration
Image Reusable VM boot-disk baseline for new VM creation

4.22 GKE operations

Know how to:

  • Inspect nodes, Pods, Services, and workload events.
  • Configure access to private Artifact Registry images.
  • Add, edit, remove, and autoscale node pools.
  • Work with Pods, Services, Deployments, and StatefulSets.
  • Manage Pod resource requests in Autopilot.

Autoscaling comparison:

Mechanism Changes
Node-pool autoscaling Number of worker nodes
Horizontal Pod Autoscaler Number of Pod replicas
Vertical Pod Autoscaler CPU and memory requests for Pods
Cloud Run autoscaling Number of Cloud Run instances

4.23 Cloud Run operations

Cloud Run releases create revisions. Use revisions to:

  • Deploy a new version.
  • Roll back if needed.
  • Split traffic between revisions.
  • Limit maximum instances to protect a downstream dependency.
  • Perform canary-style rollouts.

Trap: Changing a DNS record is not the same as configuring revision-level traffic splitting.

4.24 AI agent and developer environment operations

The updated blueprint includes:

  • Deploying an agent to Agent Runtime on Gemini Enterprise Agent Platform.
  • Managing notebooks in Gemini Enterprise Agent Platform Workbench and BigQuery.
  • Managing developer environments such as Cloud Workstations.

Recognize the terminology transition from former Vertex AI product names.

4.25 Cloud Storage operations

Know how to:

  • Grant bucket-level or object-level access appropriately.
  • Use IAM rather than making objects public unless public access is truly required.
  • Configure Object Lifecycle Management.
  • Estimate cost based on storage class, retention, retrieval, and operations.

Example lifecycle pattern:

New object
→ Standard storage
→ Transition to colder class after age threshold
→ Delete after retention requirement

4.26 Database operations

Know how to:

  • Execute targeted queries against the correct database instance.
  • Configure backups.
  • Test restoration.
  • Review job status for BigQuery and Dataflow.
  • Use Database Center to manage database-fleet visibility.
  • Configure CMEK when the customer must control the encryption-key lifecycle.

Trap: High availability does not eliminate the need for backup and restore testing.

4.27 Network operations

Task Correct action
Subnet is running out of IPv4 addresses Expand the subnet range to a larger non-overlapping range where supported
Stable private endpoint address Reserve a static internal IP
Stable public endpoint address Reserve a static external IP
Send traffic for a CIDR to a designated next hop Add a custom static route
Private VM outbound internet access Configure Cloud NAT
Authoritative records for a domain Create or update a Cloud DNS managed zone
Connectivity issue after security change Review firewall rules and Cloud NGFW policies

4.28 Monitoring, logging, and diagnostics

Monitoring

Use Cloud Monitoring to:

  • Create alerts based on metrics and thresholds.
  • Ingest custom metrics from applications or logs.
  • Use Gemini Cloud Assist for Cloud Monitoring where appropriate.
  • Review Active Assist recommendations before applying changes.
  • Use Cloud Hub for operational context, active events, and application-health data.

Logging

Use Cloud Logging to:

  • Filter entries by service, severity, time, resource, and other fields.
  • Inspect detailed log messages.
  • Route selected logs through log router sinks.
  • Export logs to BigQuery or external systems.
  • Configure log buckets and retention.
  • Use Log Analytics for analytics-capable log queries.
  • Review audit logs, VPC Flow Logs, and firewall logs for investigations.

Diagnostics

Problem Best tool
Request latency path Cloud Trace
Code-level performance profile Cloud Profiler
Slow database SQL statements Query Insights
Index recommendations from observed workload patterns Index advisor
Suspected Google Cloud service disruption Personalized Service Health

VM telemetry

Use Ops Agent to collect supported VM logs and metrics.

Prometheus metrics

Use Google Cloud Managed Service for Prometheus for Prometheus-compatible managed monitoring.


Domain 4 — Configuring Access and Security

4.29 IAM inheritance

IAM allow policies inherit down the hierarchy.

Organization role
→ inherited by folders
→ inherited by projects
→ inherited by eligible child resources

If a user has unexpected access, check:

  1. Direct resource policy.
  2. Project IAM.
  3. Parent folder IAM.
  4. Organization IAM.
  5. Group membership.
  6. Service-account impersonation pathways.

4.30 Role types

Role type Use
Basic role Broad legacy-style access; generally avoid when a narrower role exists
Predefined role Preferred default for standard least-privilege access
Custom role Use when no predefined role fits and the required permissions are supported

Trap: Owner and Editor are usually too broad for workload-specific requirements.

4.31 Service accounts

A service account is a workload identity.

Best-practice pattern:

  1. Create a dedicated service account.
  2. Grant only the required permissions.
  3. Attach it to the runtime.
  4. Avoid unnecessary long-lived key files.
  5. Use impersonation or another short-lived credential flow when appropriate.

4.32 Attached service account versus key file

Scenario Best choice
Workload runs on a Google Cloud runtime that supports an attached identity Attach a service account
Human operator temporarily needs to act as a service account Service-account impersonation
External machine workload needs Google Cloud access without a key file Workload Identity Federation
GKE Pod needs Google Cloud API access without a key file Workload Identity Federation for GKE
External human users authenticate through an external IdP Workforce Identity Federation

4.33 Workforce versus workload federation

Identity type Correct federation pattern
Human users and groups from an external identity provider Workforce Identity Federation
External CI/CD pipeline, AWS-hosted application, or other machine workload Workload Identity Federation
GKE workload Workload Identity Federation for GKE

Fast memory rule:
Workforce = people. Workload = machines. GKE workload identity = Pods.

4.34 Google-managed service accounts

Some managed services use Google-managed service accounts. Do not delete or over-grant them blindly. Preserve only the permissions required for the service to operate.


5. Service Selection Guide

Compute decision tree

Need direct OS control?
├── Yes → Compute Engine
└── No
    Need Kubernetes APIs or orchestration?
    ├── Yes → GKE
    │   ├── Minimize node operations → Autopilot
    │   └── Need direct node-pool control → Standard
    └── No
        Stateless container or HTTP service?
        ├── Yes → Cloud Run
        └── Event-driven function?
            ├── Yes → Cloud Run functions + Eventarc-supported event source
            └── Managed AI agent? → Agent Runtime on Gemini Enterprise Agent Platform

Database decision tree

Analytics warehouse?
├── Yes → BigQuery
└── No
    Cache?
    ├── Yes → Memorystore
    └── No
        Document database?
        ├── Yes → Firestore
        └── No
            Wide-column, time-series, very high throughput?
            ├── Yes → Bigtable
            └── No
                Relational database?
                ├── Conventional managed relational workload → Cloud SQL
                ├── Demanding PostgreSQL-compatible workload → AlloyDB
                └── Global horizontal relational scale + strong consistency → Spanner

Messaging and pipeline decision tree

Need asynchronous message delivery and decoupling?
├── Yes → Pub/Sub
└── No
    Need Kafka-compatible broker semantics?
    ├── Yes → Managed Service for Apache Kafka
    └── No
        Need batch or streaming transformations?
        └── Yes → Dataflow

Storage decision tree

Object storage?
├── Yes → Cloud Storage
└── No
    VM block storage?
    ├── Yes → Persistent Disk or Hyperdisk
    └── No
        Shared file access?
        ├── General managed NFS-style access → Filestore
        ├── Enterprise NFS or SMB requirements → Google Cloud NetApp Volumes
        └── Parallel POSIX throughput for AI or HPC → Google Cloud Managed Lustre

Connectivity decision tree

Need on-premises connectivity?
├── Encrypted over public internet → Cloud VPN
└── Private high-throughput connection → Cloud Interconnect

Need connectivity between VPC networks?
├── Central network ownership and shared subnets → Shared VPC
└── Separately administered VPCs connected privately → VPC Network Peering

Need outbound internet from private resources?
└── Cloud NAT

Need inbound traffic distribution?
└── Load balancer

Identity decision tree

Human users from external IdP?
└── Workforce Identity Federation

External machine workload?
└── Workload Identity Federation

GKE Pod calling Google Cloud API?
└── Workload Identity Federation for GKE

Google Cloud workload with attached identity support?
└── Attach a dedicated service account

Human temporarily acting as service account?
└── Service-account impersonation

6. Architecture Patterns

Pattern 1: Governed department projects

Organization
└── Finance folder
    ├── finance-prod
    └── finance-dev

Use:

  • Folder-level IAM when finance teams need shared access.
  • Folder-level organization policies when finance projects need shared restrictions.
  • Separate billing account only when payment responsibility must differ.

Pattern 2: Central networking with application autonomy

Shared VPC host project
├── centrally managed subnets
└── firewall governance

Service projects
├── application project A
└── application project B

Use Shared VPC when network administrators must own subnets while application teams deploy resources into service projects.

Pattern 3: Stateless web API with minimal operations

Client
→ Load balancer or managed endpoint as required
→ Cloud Run service
→ Managed database or backend

Use Cloud Run when the application is stateless and the team wants minimal infrastructure management. Configure revision traffic splitting for a gradual rollout and maximum instances to protect downstream dependencies.

Pattern 4: Kubernetes platform

Artifact Registry
→ GKE cluster
   ├── Deployment
   ├── Service
   ├── node pools
   └── autoscaling

Use:

  • Regional GKE cluster for greater control-plane resilience.
  • Private cluster when nodes should avoid public IPs.
  • Workload Identity Federation for GKE for keyless API access from Pods.
  • Node-pool autoscaling, HPA, and VPA for the correct scaling layers.

Pattern 5: Private VM outbound internet access

Private VM without external IP
→ Cloud NAT
→ Internet

Use Cloud NAT for outbound access without exposing the VM directly to inbound internet traffic.

Pattern 6: Event-driven processing

Cloud Storage object event or Pub/Sub message
→ Eventarc-supported event flow
→ Cloud Run function

Use this instead of a polling VM when minimal operations and event-driven execution are required.

Pattern 7: External CI/CD without key files

External CI/CD identity
→ Workload Identity Federation
→ short-lived Google Cloud credentials
→ deployment action

Avoid downloading a long-lived service-account JSON key.

Pattern 8: Human partner access through external identity provider

Partner employee
→ external identity provider
→ Workforce Identity Federation
→ authorized Google Cloud resources

Do not use workload federation for a human-browser-access scenario.

Pattern 9: Operational observability

Application and infrastructure signals
├── Cloud Monitoring metrics and alerts
├── Cloud Logging filters, buckets, and sinks
├── Ops Agent for VM telemetry
├── Managed Service for Prometheus
├── Cloud Trace / Cloud Profiler
├── Query Insights / index advisor
├── Personalized Service Health
└── Cloud Hub

Pattern 10: Cost-aware object retention

Cloud Storage bucket
→ object lifecycle rule
→ transition to colder storage class
→ delete after retention requirement

Choose storage class based on expected access, retrieval, and retention patterns.


7. Exam Traps

7.1 Choosing a related service from the wrong category

Examples:

  • Cloud NAT is not an inbound load balancer.
  • Cloud DNS is not an authentication or routing engine for application traffic.
  • BigQuery is not the default OLTP database.
  • Cloud SQL is not a global horizontally scalable relational database.
  • A billing alert is not a runtime scaler.
  • Monitoring alerts detect conditions; they do not implement configuration changes.

7.2 Selecting a technically possible but operationally heavier option

If Cloud Run directly meets the requirement, a manually managed VM is usually inferior when the scenario emphasizes minimal operations.

If GKE Autopilot meets the requirement, GKE Standard is usually inferior when the scenario emphasizes minimizing node management.

7.3 Excessive IAM scope

Watch for:

  • Organization Owner for a project-level task.
  • Project Editor for bucket read-only access.
  • Shared private keys for a changing workforce.
  • Broad service-account permissions when one narrowly scoped role is enough.

7.4 Confusing organization policy with IAM

  • IAM grants permissions.
  • Organization policy restricts allowed configurations.
  • Firewall rules control traffic.
  • Billing accounts control payment linkage.

7.5 Confusing identities

  • Workforce Identity Federation → humans.
  • Workload Identity Federation → external machine workloads.
  • Workload Identity Federation for GKE → Pods.
  • Service-account impersonation → controlled short-lived use of a service account.
  • Attached service account → preferred for supported Google Cloud runtimes.

7.6 Confusing network designs

Wrong assumption Correct idea
Shared VPC and VPC Network Peering are interchangeable Shared VPC centralizes subnet ownership; peering connects separate networks
Cloud VPN is always a dedicated private connection VPN is encrypted connectivity over the public internet
Cloud NAT accepts inbound application traffic NAT provides outbound access for private resources
DNS records replace load balancing DNS publishes names; a load balancer distributes traffic

7.7 Confusing storage types

  • Cloud Storage is object storage.
  • Persistent Disk and Hyperdisk are VM block storage.
  • Filestore and NetApp Volumes are shared file services.
  • Managed Lustre is a parallel POSIX file service for demanding workloads.
  • Local SSD is ephemeral.

7.8 Confusing scaling layers

  • Managed instance-group autoscaling → VM count.
  • Node-pool autoscaling → GKE worker-node count.
  • HPA → Pod replica count.
  • VPA → per-Pod CPU and memory requests.
  • Cloud Run autoscaling → Cloud Run instance count.

7.9 Confusing backup with availability

High availability is not a replacement for backup. A restore path should be tested.

7.10 Ignoring scope words

Pay attention to words such as:

  • Organization-wide.
  • Department-only.
  • One project.
  • One bucket.
  • One subnet.
  • One service account.
  • Private resources.
  • Public endpoint.
  • Multi-region.
  • Cross-zone.

The scope words often eliminate half the options immediately.

7.11 Ignoring the requested operational stage

The same product can appear in different questions, but the required action changes:

Stage Example
Plan Choose Cloud Run versus GKE
Deploy Create a new Cloud Run service or GKE workload
Operate Split traffic, configure autoscaling, inspect logs
Troubleshoot Review Query Insights, Cloud Logging, or Personalized Service Health
Optimize Review Active Assist recommendations

7.12 Assuming every recommendation should be applied automatically

Active Assist and index-advisor recommendations must be reviewed in workload context. A recommendation is input to an engineering decision, not an automatic command.


8. Quick Memory Rules

Governance

  • Organization = company.
  • Folder = department or policy boundary.
  • Project = workload and billing-linkage boundary.
  • Organization policy restricts configurations.
  • IAM grants permissions.
  • Budget alerts notify; they do not normally stop spend automatically.
  • Billing export → BigQuery for analysis.

Compute

  • OS control → Compute Engine.
  • Kubernetes → GKE.
  • Serverless stateless container → Cloud Run.
  • Event-driven function → Cloud Run functions plus event source.
  • Identical scalable VMs → instance template plus managed instance group.
  • Restart-tolerant batch → Spot VM.
  • IAM-backed SSH → OS Login.

GKE

  • Minimize node operations → Autopilot.
  • Need node-pool control → Standard.
  • Cross-zone control-plane resilience → regional cluster.
  • Avoid public node IPs → private cluster.
  • Replica count → HPA.
  • Pod requests → VPA.
  • Node count → node-pool autoscaling.
  • Stable stateful Pods → StatefulSet.

Data and storage

  • Analytics → BigQuery.
  • Traditional relational OLTP → Cloud SQL.
  • Demanding PostgreSQL-compatible OLTP → AlloyDB.
  • Global scalable relational consistency → Spanner.
  • Document database → Firestore.
  • Wide-column and time series → Bigtable.
  • Cache → Memorystore.
  • Messages → Pub/Sub.
  • Transformations → Dataflow.
  • Kafka compatibility → Managed Service for Apache Kafka.
  • Object → Cloud Storage.
  • VM block → Persistent Disk or Hyperdisk.
  • Shared NFS-style file → Filestore.
  • Enterprise NFS or SMB → NetApp Volumes.
  • Parallel AI/HPC file system → Managed Lustre.

Networking

  • Explicit CIDRs → custom mode VPC.
  • Central network team and shared subnets → Shared VPC.
  • Separate VPC administrations with private connectivity → VPC Network Peering.
  • Encrypted public-internet hybrid path → Cloud VPN.
  • Private high-throughput hybrid path → Cloud Interconnect.
  • Private VM outbound internet → Cloud NAT.
  • Inbound distribution → load balancer.
  • DNS records → Cloud DNS.

Identity and security

  • People → Workforce Identity Federation.
  • External machines → Workload Identity Federation.
  • Pods → Workload Identity Federation for GKE.
  • Temporary act-as access → service-account impersonation.
  • Supported Google Cloud runtime → attach service account, avoid key file.
  • Least privilege → narrowest suitable role and scope.
  • Customer controls encryption-key lifecycle → CMEK.

Operations

  • Disk backup → snapshot.
  • Reusable VM baseline → image.
  • Slow request path → Cloud Trace.
  • Code profiling → Cloud Profiler.
  • Slow SQL → Query Insights.
  • Index suggestions → index advisor.
  • Google Cloud incident relevance → Personalized Service Health.
  • VM logs and metrics → Ops Agent.
  • Prometheus-compatible managed monitoring → Managed Service for Prometheus.
  • Operational overview → Cloud Hub.

9. Final Revision Notes

One-page revision sequence

Review these topics in this order during the final days:

  1. Compute selection: Compute Engine, GKE, Cloud Run, functions, and Agent Runtime.
  2. Database and storage selection.
  3. Shared VPC versus VPC Network Peering versus Cloud VPN versus Cloud Interconnect.
  4. Cloud NAT versus load balancing versus Cloud DNS.
  5. IAM hierarchy and least privilege.
  6. Service-account attachment, impersonation, and federation.
  7. GKE scaling layers.
  8. Cloud Run revisions, traffic splitting, and autoscaling.
  9. Snapshots, images, backups, restore testing, and CMEK.
  10. Monitoring, logging, Query Insights, index advisor, Personalized Service Health, Ops Agent, Prometheus, Active Assist, and Cloud Hub.

Top confusing pairs

Pair Fast distinction
Organization policy vs IAM Restriction vs permission
Folder vs project scope Department-wide vs workload-specific
Shared VPC vs VPC Peering Central subnet ownership vs separate networks connected privately
Cloud VPN vs Cloud Interconnect Encrypted public-internet path vs private high-throughput path
Cloud NAT vs load balancer Outbound private-resource access vs inbound traffic distribution
Cloud Run vs GKE Minimal serverless container operations vs Kubernetes orchestration
Snapshot vs image Backup point in time vs reusable VM baseline
HPA vs VPA Pod count vs Pod resource requests
Workforce vs workload federation Humans vs machines
Pub/Sub vs Dataflow Messaging vs processing
BigQuery vs Cloud SQL Analytics vs OLTP
Filestore vs Managed Lustre Shared file access vs high-throughput parallel file access

Option-elimination checklist

When two options look plausible:

  1. Remove the option that grants more privilege than necessary.
  2. Remove the option that operates at the wrong hierarchy scope.
  3. Remove the option that solves monitoring when the question asks for configuration.
  4. Remove the option that solves payment or billing when the question asks for capacity or runtime behavior.
  5. Remove the option that uses a public endpoint when the scenario asks for private access.
  6. Remove the option that introduces manual infrastructure when a managed service directly meets the requirement.
  7. Remove the option designed for humans when the caller is a machine.
  8. Remove the option designed for machine workloads when the caller is a person.
  9. Prefer the answer that directly maps to the stated interface: object, block, file, database, message, pipeline, DNS, NAT, VPN, or load balancing.
  10. Verify that the answer matches the requested operational stage: choose, deploy, scale, monitor, troubleshoot, or optimize.

Updated terminology to recognize

The updated blueprint includes terminology tied to Gemini Enterprise Agent Platform. Be ready to recognize:

  • Agent Runtime on Gemini Enterprise Agent Platform, formerly Vertex AI Agent Engine.
  • Gemini Enterprise Agent Platform Workbench, formerly Vertex AI Workbench.
  • Gemini Cloud Assist for resource analysis and Cloud Monitoring support.
  • AI-assisted planning and implementation tooling such as Gemini CLI, Google Antigravity, Gemini Cloud Assist, and Application Design Center.

10. Exam-Day Checklist

Before starting:

  • Confirm whether your exam date uses the current or the June 30 updated English blueprint.
  • Read each scenario for scope, workload type, security constraint, and operational goal.
  • Identify whether the question expects one answer or multiple answers.
  • Mark questions that require extra review and return to them later.
  • Avoid spending too long on one service-name detail.

For every question:

  • Ask: “What is the simplest managed solution that directly meets the requirement?”
  • Check whether the option uses the correct hierarchy scope.
  • Reject broad Owner or Editor access unless the scenario genuinely requires it.
  • Reject long-lived keys when attached identities, impersonation, or federation are supported.
  • Distinguish people from workloads.
  • Distinguish inbound traffic from outbound connectivity.
  • Distinguish object, block, and file storage.
  • Distinguish analytics from transactional databases.
  • Distinguish scaling signals from scaling layers.
  • Distinguish detection tools from configuration tools.

Final confidence check:

  • I can choose Compute Engine, GKE, Cloud Run, functions, and Agent Runtime correctly.
  • I can choose relational, document, wide-column, analytical, cache, messaging, and pipeline services correctly.
  • I can choose object, block, shared file, enterprise file, and parallel file storage correctly.
  • I understand Shared VPC, peering, VPN, Interconnect, load balancing, NAT, DNS, and firewall decisions.
  • I understand IAM inheritance, role scope, service accounts, impersonation, and federation.
  • I can operate snapshots, images, autoscaling, traffic splitting, backups, CMEK, monitoring, logging, and diagnostics.
  • I can eliminate distractors that solve the wrong problem category.

Official Alignment References

  • Google Cloud Associate Cloud Engineer certification page: https://cloud.google.com/learn/certification/cloud-engineer
  • Updated English standard exam guide scheduled for June 30: https://services.google.com/fh/files/misc/063026_associate_cloud_engineer_exam_guide_english.pdf
lock_open

Unlock the full course

All 15 modules with detailed explanations, code examples, and exam tips.

workspace_premium
You've answered 0 of 35 free questions 1065 questions locked : these will appear on exam day.
0/35
rocket_launch Unlock All
event_available
Day 1 of 16 72 questions/day Finish by Jul 30, 2026
Question 1 of 1100
Section 1: Setting up a cloud solution environment · 20%

A site reliability engineer is setting up project payments-core. A deployment command fails because a newly created project has not activated the service needed to create Cloud Run resources. Which option best meets the requirement?

0 correct
0 wrong
1100 left
0% done