Google Cloud Associate Cloud Engineer Exam Course
Target blueprint: Google Cloud Associate Cloud Engineer standard exam, using the updated English exam guide scheduled to be live on June 30.
Purpose: A compressed but complete revision course built from the source question bank, with repetition removed and scenario patterns merged into practical decision rules.
Important: If you sit the English exam before June 30, review the current Google Cloud exam guide because the earlier weighting and terminology differ slightly.
1. Exam Overview
The Associate Cloud Engineer exam tests whether you can deploy, secure, operate, and troubleshoot Google Cloud solutions. It is not a pure memorization exam. Most questions describe a workload or operational problem and ask for the best action among several technically possible actions.
Exam format
| Item |
Standard exam |
| Duration |
2 hours |
| Question count |
50–60 |
| Question types |
Multiple choice and multiple select |
| Recommended experience |
6+ months of hands-on Google Cloud experience |
| Main skill |
Choose and operate the simplest correct Google Cloud solution |
Updated exam weighting
| Domain |
Weight |
Priority |
| Setting up a cloud solution environment |
~20% |
High |
| Planning and implementing a cloud solution |
~30% |
Very high |
| Ensuring the successful operation of a cloud solution |
~30% |
Very high |
| Configuring access and security |
~20% |
High |
How to think during the exam
For every scenario, identify five things before reading the options closely:
- Workload type: VM, container, Kubernetes, event-driven function, database, object storage, analytics, or AI agent.
- Control level: Does the team need operating-system control, Kubernetes control, or minimal operations?
- Scope: Organization, folder, project, bucket, subnet, resource, service account, or workload.
- Security expectation: Least privilege, private access, short-lived credentials, no public exposure, or customer-managed encryption keys.
- Operational goal: Deploy, scale, monitor, troubleshoot, optimize, back up, restore, or route traffic.
A good answer normally satisfies the requirement with the least unnecessary privilege, least operational overhead, and narrowest appropriate scope.
2. Exam Domains
Domain 1: Setting up a cloud solution environment — ~20%
You must understand initial governance, project setup, API activation, quotas, billing, Cloud Identity, Workforce Identity Federation, resource inventory, and observability foundations.
Domain 2: Planning and implementing a cloud solution — ~30%
This is one of the most important domains. You must choose the correct compute, data, storage, network, and infrastructure-as-code solution for a workload.
Domain 3: Ensuring the successful operation of a cloud solution — ~30%
This is the other major domain. You must know how to operate Compute Engine, GKE, Cloud Run, databases, networking, monitoring, logging, diagnostics, backups, and optimization tooling.
Domain 4: Configuring access and security — ~20%
You must apply IAM inheritance correctly, use predefined or custom roles appropriately, manage service accounts, prefer short-lived credentials, and distinguish workforce identities from workload identities.
3. Start-to-Finish Study Path
Use this sequence to prepare efficiently.
Phase 1: Build the foundation
Learn the Google Cloud resource hierarchy:
Organization
└── Folder
└── Project
└── Resources
Practice:
- Create a project.
- Link it to a billing account.
- Enable an API.
- Set a default project in
gcloud.
- Review quotas.
- Create a budget alert.
- Explore IAM roles at organization, folder, project, and resource scope.
Phase 2: Master service selection
Memorize decision rules, not product definitions. You should be able to choose between:
- Compute Engine, GKE, Cloud Run, Cloud Run functions, and Agent Runtime.
- Cloud SQL, AlloyDB, Spanner, Firestore, Bigtable, BigQuery, Memorystore, Pub/Sub, Dataflow, and Managed Service for Apache Kafka.
- Cloud Storage, Persistent Disk, Hyperdisk, Filestore, Google Cloud NetApp Volumes, and Google Cloud Managed Lustre.
- Shared VPC, VPC Network Peering, Cloud VPN, Cloud Interconnect, Cloud NAT, Cloud DNS, load balancing, and Network Service Tiers.
Phase 3: Practice deployment and scaling
Perform small labs:
- Create a Compute Engine VM with OS Login.
- Build an instance template and managed instance group.
- Create a GKE cluster and inspect nodes, Pods, and Services with
kubectl.
- Deploy a container to Cloud Run and create a new revision.
- Configure traffic splitting.
- Review autoscaling options for VMs, Pods, node pools, and Cloud Run.
Phase 4: Practice operations
Perform operational tasks:
- Create and restore a disk snapshot.
- Review Cloud Logging entries with filters.
- Create a Cloud Monitoring alert.
- Compare built-in and custom metrics.
- Review Cloud Run revisions and rollback behavior.
- Review GKE node pools and Pod resource requests.
- Review database backups and restore options.
- Reserve static internal and external IP addresses.
- Configure Cloud NAT for private VM egress.
Phase 5: Master IAM and identity
Practice the differences between:
- Human users and groups.
- Service accounts.
- Service-account impersonation.
- Short-lived credentials.
- Workload Identity Federation.
- Workload Identity Federation for GKE.
- Workforce Identity Federation.
Phase 6: Simulate exam reasoning
When reviewing practice questions:
- State the requirement in one sentence.
- Identify the required service category.
- Remove answers from the wrong category.
- Remove answers with excessive scope or privilege.
- Prefer the managed option that meets the requirement directly.
- Check whether the question asks for design, deployment, operation, troubleshooting, or optimization.
4. Core Concepts by Domain
Domain 1 — Setting Up a Cloud Solution Environment
4.1 Resource hierarchy
| Scope |
Best use |
| Organization |
Company-wide governance |
| Folder |
Department, business unit, environment, or policy boundary |
| Project |
Workload boundary, billing linkage, API enablement, quotas, and many IAM grants |
| Resource |
Narrow access when a project-wide grant is too broad |
Decision rule: Apply policy at the highest level that covers the intended resources, but not higher.
Example:
- All finance projects need the same guardrail → apply it at the Finance folder.
- Every project in the company must follow the same restriction → apply it at the organization.
- One bucket must be readable by one workload → apply a bucket-level IAM role.
4.2 Organization policies versus IAM
| Mechanism |
Purpose |
| IAM allow policy |
Grants principals permission to perform actions |
| Organization policy |
Restricts allowed configurations across the hierarchy |
| Billing account |
Controls payment relationship and cost reporting |
| VPC firewall rule or Cloud NGFW policy |
Controls network traffic |
Common trap: Granting an IAM role does not enforce a resource configuration restriction. If the scenario says “prevent public IP addresses” or “restrict a configuration across projects,” think organization policy.
4.3 Cloud Identity groups
Grant roles to groups rather than editing individual bindings repeatedly.
Use a group when:
- Team membership changes frequently.
- Multiple people need the same role.
- Access should remain stable while membership changes.
Avoid sharing a service account key with a workforce team. A service account represents a workload identity, not a shared human login.
4.4 API enablement
Before creating resources in a project, verify that the required API is enabled.
Typical failure pattern:
Project exists
Billing is linked
IAM appears correct
Deployment still fails
→ Check whether the service API is enabled
4.5 Quotas and geographical availability
Quotas can apply by project, service, region, or resource type. Check capacity before deployment.
Also verify that the product, accelerator, and required feature exist in the target region or zone. A product name alone does not guarantee regional availability.
4.6 Cloud Asset Inventory and Gemini Cloud Assist
Use Cloud Asset Inventory to inspect and analyze the resource estate across projects. The updated blueprint also includes using Gemini Cloud Assist to assist with resource analysis.
4.7 Workforce Identity Federation
Use Workforce Identity Federation when external human users or groups authenticate through an external identity provider and need controlled access to supported Google Cloud resources.
Do not confuse it with workload federation, which is designed for machines and external workloads.
4.8 Billing configuration
| Requirement |
Correct approach |
| Link a project to payment responsibility |
Link the project to a billing account |
| Separate subsidiary invoicing |
Use separate billing accounts |
| Receive spend notifications |
Create budgets and alerts |
| Analyze detailed usage and cost |
Export billing data to BigQuery |
Important: A budget alert is not a hard spending cap by default. It notifies; it does not automatically stop workloads.
Domain 2 — Planning and Implementing a Cloud Solution
4.9 Compute selection
| Requirement |
Best choice |
Why |
| Full OS control, custom software, legacy runtime |
Compute Engine |
Direct VM administration |
| Kubernetes APIs, orchestration, multi-service platform |
GKE |
Managed Kubernetes |
| Stateless HTTP container with minimal infrastructure management |
Cloud Run |
Serverless container execution |
| Small event-driven function |
Cloud Run functions with an event source such as Eventarc |
Minimal operations for event processing |
| Managed AI agent runtime |
Agent Runtime on Gemini Enterprise Agent Platform |
Purpose-built managed agent execution |
Elimination rule: If the scenario explicitly says “do not manage servers or nodes,” remove Compute Engine and usually remove GKE Standard.
4.10 Compute Engine essentials
VM storage
| Storage |
Best use |
| Zonal Persistent Disk |
Durable zonal block storage |
| Regional Persistent Disk |
Cross-zone replicated block storage for higher resilience |
| Hyperdisk |
Workload-specific block-storage performance profiles |
| Local SSD |
High-performance ephemeral local storage |
Trap: Local SSD is not a durable backup. If the VM is removed, do not treat Local SSD data as persistent.
VM scaling
For identical VMs that must scale automatically:
- Create an instance template.
- Create a managed instance group.
- Configure autoscaling.
OS Login
Use OS Login for centrally managed SSH access through IAM. Avoid manually distributing shared private SSH keys.
VM Manager
Use VM Manager for centralized VM operating-system management and inventory capabilities.
Spot VMs
Use Spot VMs for interruptible workloads that can restart, such as fault-tolerant batch jobs. Avoid them for workloads that cannot tolerate termination.
Custom machine types
Use a custom machine type when standard CPU-to-memory ratios waste resources.
4.11 GKE essentials
| Requirement |
Best choice |
| Reduce node-management work |
GKE Autopilot |
| Need direct node-pool control |
GKE Standard |
| Control-plane resilience across zones |
Regional GKE cluster |
| Nodes should avoid public IP addresses |
Private GKE cluster |
| Manage Kubernetes resources from CLI |
kubectl |
Core Kubernetes objects:
| Object |
Purpose |
| Pod |
Running workload unit |
| Deployment |
Manages stateless replicated Pods and rollout behavior |
| Service |
Stable network endpoint for Pods |
| StatefulSet |
Stable identities and ordered behavior for stateful workloads |
| Node pool |
Group of GKE worker nodes with a shared configuration |
4.12 Serverless events
Use an event-driven serverless pattern when code should execute after an event such as:
- Pub/Sub message delivery.
- Cloud Storage object creation or modification.
- Eventarc-supported events.
Avoid running a polling VM unless the scenario explicitly requires a self-managed polling process.
4.13 GPUs and TPUs
Identify whether the workload has been validated for GPU or TPU acceleration. Then confirm:
- Framework compatibility.
- Machine or runtime compatibility.
- Regional or zonal availability.
- Quota availability.
4.14 Data-service selection
| Service |
Best fit |
Avoid when |
| Cloud SQL |
Managed traditional relational OLTP workload |
You need global horizontal relational scale |
| AlloyDB |
Demanding PostgreSQL-compatible relational workload |
The workload is analytical rather than operational |
| Spanner |
Horizontally scalable relational database with strong consistency |
A small conventional relational database is enough |
| Firestore |
Document-oriented application database |
You need warehouse-style analytical joins |
| Bigtable |
Low-latency, high-throughput wide-column workloads such as time series |
You need relational joins and transactions |
| BigQuery |
Serverless analytics and data warehousing |
You need an OLTP application database |
| Memorystore |
Managed in-memory cache |
You need a durable system of record |
| Pub/Sub |
Asynchronous event delivery and decoupling |
You need batch transformation |
| Dataflow |
Managed batch and streaming data-processing pipelines |
You only need message transport |
| Managed Service for Apache Kafka |
Kafka-compatible managed broker semantics |
Kafka compatibility is not required |
4.15 Storage selection
| Service |
Interface |
Best use |
| Cloud Storage |
Object |
Files, objects, archives, data-lake style storage |
| Persistent Disk |
Block |
Durable VM disks |
| Hyperdisk |
Block |
VM block storage with workload-specific performance needs |
| Filestore |
File |
Managed shared NFS-style access |
| Google Cloud NetApp Volumes |
File |
Enterprise file workloads requiring managed NFS or SMB capabilities |
| Google Cloud Managed Lustre |
Parallel POSIX file |
Throughput-intensive AI and HPC workloads |
| Local SSD |
Local ephemeral block |
Temporary high-performance VM-local data |
Cloud Storage classes:
| Class |
Typical pattern |
| Standard |
Frequent access |
| Nearline |
Infrequent access |
| Coldline |
Rare access |
| Archive |
Very rare access and long retention |
Rule: Choose the storage interface first: object, block, shared file, or parallel file. Then choose durability, performance, and access-frequency tradeoffs.
4.16 Loading data
| Scenario |
Correct tool |
| Upload local files to a bucket from terminal |
Google Cloud CLI, such as gcloud storage |
| Load files already stored in Cloud Storage into BigQuery |
BigQuery load job |
| Move a large existing dataset into Cloud Storage through a managed transfer workflow |
Storage Transfer Service |
| Transform streaming or batch data |
Dataflow |
4.17 VPC designs
| Requirement |
Correct choice |
| Explicit subnet CIDRs and regions |
Custom mode VPC |
| Central network team owns subnets; application projects consume them |
Shared VPC |
| Independently administered VPCs need private connectivity |
VPC Network Peering |
| Encrypted on-premises connectivity across the public internet |
Cloud VPN |
| Private high-throughput on-premises connectivity |
Cloud Interconnect |
Critical distinction: Shared VPC is about centralized ownership of subnets. VPC Network Peering is about private connectivity between separately administered VPC networks.
4.18 Firewalls and Cloud NGFW
A firewall decision depends on:
- Direction: ingress or egress.
- Action: allow or deny.
- Source or destination.
- Target.
- Protocol.
- Port.
- Priority.
- Governed targeting, such as secure Tags or service accounts where appropriate.
Trap: An egress rule cannot authorize inbound HTTPS traffic.
4.19 Load balancing, Cloud NAT, and Network Service Tiers
| Requirement |
Service |
| Distribute inbound traffic to application backends |
Load balancer |
| Allow private resources without external IP addresses to reach the internet outbound |
Cloud NAT |
| Publish DNS records |
Cloud DNS |
| Compare premium Google network path versus eligible lower-cost internet routing |
Network Service Tiers |
Do not use Cloud NAT as an inbound load balancer.
4.20 Infrastructure as code and tooling
| Tool |
Use |
| Terraform |
Versioned, repeatable infrastructure deployment and state management |
| Config Connector |
Kubernetes-style declarative management of Google Cloud resources |
| Helm |
Package and parameterize Kubernetes application manifests |
| Fabric FAST |
Infrastructure-as-code foundation accelerator |
| Gemini CLI, Gemini Cloud Assist, Google Antigravity, Application Design Center |
AI-assisted planning and implementation where appropriate |
For exam questions, prefer repeatable, version-controlled infrastructure over undocumented manual console-only changes when the scenario asks for consistency across environments.
Domain 3 — Ensuring the Successful Operation of a Cloud Solution
4.21 Compute Engine operations
Know how to:
- View running instances.
- Connect remotely using an approved method.
- Use OS Login-backed SSH where appropriate.
- Create, view, delete, and schedule snapshots.
- Create reusable VM images.
- Attach supported GPUs or TPUs after validating compatibility and availability.
Snapshot versus image
| Item |
Best use |
| Snapshot |
Point-in-time disk backup and restoration |
| Image |
Reusable VM boot-disk baseline for new VM creation |
4.22 GKE operations
Know how to:
- Inspect nodes, Pods, Services, and workload events.
- Configure access to private Artifact Registry images.
- Add, edit, remove, and autoscale node pools.
- Work with Pods, Services, Deployments, and StatefulSets.
- Manage Pod resource requests in Autopilot.
Autoscaling comparison:
| Mechanism |
Changes |
| Node-pool autoscaling |
Number of worker nodes |
| Horizontal Pod Autoscaler |
Number of Pod replicas |
| Vertical Pod Autoscaler |
CPU and memory requests for Pods |
| Cloud Run autoscaling |
Number of Cloud Run instances |
4.23 Cloud Run operations
Cloud Run releases create revisions. Use revisions to:
- Deploy a new version.
- Roll back if needed.
- Split traffic between revisions.
- Limit maximum instances to protect a downstream dependency.
- Perform canary-style rollouts.
Trap: Changing a DNS record is not the same as configuring revision-level traffic splitting.
4.24 AI agent and developer environment operations
The updated blueprint includes:
- Deploying an agent to Agent Runtime on Gemini Enterprise Agent Platform.
- Managing notebooks in Gemini Enterprise Agent Platform Workbench and BigQuery.
- Managing developer environments such as Cloud Workstations.
Recognize the terminology transition from former Vertex AI product names.
4.25 Cloud Storage operations
Know how to:
- Grant bucket-level or object-level access appropriately.
- Use IAM rather than making objects public unless public access is truly required.
- Configure Object Lifecycle Management.
- Estimate cost based on storage class, retention, retrieval, and operations.
Example lifecycle pattern:
New object
→ Standard storage
→ Transition to colder class after age threshold
→ Delete after retention requirement
4.26 Database operations
Know how to:
- Execute targeted queries against the correct database instance.
- Configure backups.
- Test restoration.
- Review job status for BigQuery and Dataflow.
- Use Database Center to manage database-fleet visibility.
- Configure CMEK when the customer must control the encryption-key lifecycle.
Trap: High availability does not eliminate the need for backup and restore testing.
4.27 Network operations
| Task |
Correct action |
| Subnet is running out of IPv4 addresses |
Expand the subnet range to a larger non-overlapping range where supported |
| Stable private endpoint address |
Reserve a static internal IP |
| Stable public endpoint address |
Reserve a static external IP |
| Send traffic for a CIDR to a designated next hop |
Add a custom static route |
| Private VM outbound internet access |
Configure Cloud NAT |
| Authoritative records for a domain |
Create or update a Cloud DNS managed zone |
| Connectivity issue after security change |
Review firewall rules and Cloud NGFW policies |
4.28 Monitoring, logging, and diagnostics
Monitoring
Use Cloud Monitoring to:
- Create alerts based on metrics and thresholds.
- Ingest custom metrics from applications or logs.
- Use Gemini Cloud Assist for Cloud Monitoring where appropriate.
- Review Active Assist recommendations before applying changes.
- Use Cloud Hub for operational context, active events, and application-health data.
Logging
Use Cloud Logging to:
- Filter entries by service, severity, time, resource, and other fields.
- Inspect detailed log messages.
- Route selected logs through log router sinks.
- Export logs to BigQuery or external systems.
- Configure log buckets and retention.
- Use Log Analytics for analytics-capable log queries.
- Review audit logs, VPC Flow Logs, and firewall logs for investigations.
Diagnostics
| Problem |
Best tool |
| Request latency path |
Cloud Trace |
| Code-level performance profile |
Cloud Profiler |
| Slow database SQL statements |
Query Insights |
| Index recommendations from observed workload patterns |
Index advisor |
| Suspected Google Cloud service disruption |
Personalized Service Health |
VM telemetry
Use Ops Agent to collect supported VM logs and metrics.
Prometheus metrics
Use Google Cloud Managed Service for Prometheus for Prometheus-compatible managed monitoring.
Domain 4 — Configuring Access and Security
4.29 IAM inheritance
IAM allow policies inherit down the hierarchy.
Organization role
→ inherited by folders
→ inherited by projects
→ inherited by eligible child resources
If a user has unexpected access, check:
- Direct resource policy.
- Project IAM.
- Parent folder IAM.
- Organization IAM.
- Group membership.
- Service-account impersonation pathways.
4.30 Role types
| Role type |
Use |
| Basic role |
Broad legacy-style access; generally avoid when a narrower role exists |
| Predefined role |
Preferred default for standard least-privilege access |
| Custom role |
Use when no predefined role fits and the required permissions are supported |
Trap: Owner and Editor are usually too broad for workload-specific requirements.
4.31 Service accounts
A service account is a workload identity.
Best-practice pattern:
- Create a dedicated service account.
- Grant only the required permissions.
- Attach it to the runtime.
- Avoid unnecessary long-lived key files.
- Use impersonation or another short-lived credential flow when appropriate.
4.32 Attached service account versus key file
| Scenario |
Best choice |
| Workload runs on a Google Cloud runtime that supports an attached identity |
Attach a service account |
| Human operator temporarily needs to act as a service account |
Service-account impersonation |
| External machine workload needs Google Cloud access without a key file |
Workload Identity Federation |
| GKE Pod needs Google Cloud API access without a key file |
Workload Identity Federation for GKE |
| External human users authenticate through an external IdP |
Workforce Identity Federation |
4.33 Workforce versus workload federation
| Identity type |
Correct federation pattern |
| Human users and groups from an external identity provider |
Workforce Identity Federation |
| External CI/CD pipeline, AWS-hosted application, or other machine workload |
Workload Identity Federation |
| GKE workload |
Workload Identity Federation for GKE |
Fast memory rule:
Workforce = people. Workload = machines. GKE workload identity = Pods.
4.34 Google-managed service accounts
Some managed services use Google-managed service accounts. Do not delete or over-grant them blindly. Preserve only the permissions required for the service to operate.
5. Service Selection Guide
Compute decision tree
Need direct OS control?
├── Yes → Compute Engine
└── No
Need Kubernetes APIs or orchestration?
├── Yes → GKE
│ ├── Minimize node operations → Autopilot
│ └── Need direct node-pool control → Standard
└── No
Stateless container or HTTP service?
├── Yes → Cloud Run
└── Event-driven function?
├── Yes → Cloud Run functions + Eventarc-supported event source
└── Managed AI agent? → Agent Runtime on Gemini Enterprise Agent Platform
Database decision tree
Analytics warehouse?
├── Yes → BigQuery
└── No
Cache?
├── Yes → Memorystore
└── No
Document database?
├── Yes → Firestore
└── No
Wide-column, time-series, very high throughput?
├── Yes → Bigtable
└── No
Relational database?
├── Conventional managed relational workload → Cloud SQL
├── Demanding PostgreSQL-compatible workload → AlloyDB
└── Global horizontal relational scale + strong consistency → Spanner
Messaging and pipeline decision tree
Need asynchronous message delivery and decoupling?
├── Yes → Pub/Sub
└── No
Need Kafka-compatible broker semantics?
├── Yes → Managed Service for Apache Kafka
└── No
Need batch or streaming transformations?
└── Yes → Dataflow
Storage decision tree
Object storage?
├── Yes → Cloud Storage
└── No
VM block storage?
├── Yes → Persistent Disk or Hyperdisk
└── No
Shared file access?
├── General managed NFS-style access → Filestore
├── Enterprise NFS or SMB requirements → Google Cloud NetApp Volumes
└── Parallel POSIX throughput for AI or HPC → Google Cloud Managed Lustre
Connectivity decision tree
Need on-premises connectivity?
├── Encrypted over public internet → Cloud VPN
└── Private high-throughput connection → Cloud Interconnect
Need connectivity between VPC networks?
├── Central network ownership and shared subnets → Shared VPC
└── Separately administered VPCs connected privately → VPC Network Peering
Need outbound internet from private resources?
└── Cloud NAT
Need inbound traffic distribution?
└── Load balancer
Identity decision tree
Human users from external IdP?
└── Workforce Identity Federation
External machine workload?
└── Workload Identity Federation
GKE Pod calling Google Cloud API?
└── Workload Identity Federation for GKE
Google Cloud workload with attached identity support?
└── Attach a dedicated service account
Human temporarily acting as service account?
└── Service-account impersonation
6. Architecture Patterns
Pattern 1: Governed department projects
Organization
└── Finance folder
├── finance-prod
└── finance-dev
Use:
- Folder-level IAM when finance teams need shared access.
- Folder-level organization policies when finance projects need shared restrictions.
- Separate billing account only when payment responsibility must differ.
Pattern 2: Central networking with application autonomy
Shared VPC host project
├── centrally managed subnets
└── firewall governance
Service projects
├── application project A
└── application project B
Use Shared VPC when network administrators must own subnets while application teams deploy resources into service projects.
Pattern 3: Stateless web API with minimal operations
Client
→ Load balancer or managed endpoint as required
→ Cloud Run service
→ Managed database or backend
Use Cloud Run when the application is stateless and the team wants minimal infrastructure management. Configure revision traffic splitting for a gradual rollout and maximum instances to protect downstream dependencies.
Pattern 4: Kubernetes platform
Artifact Registry
→ GKE cluster
├── Deployment
├── Service
├── node pools
└── autoscaling
Use:
- Regional GKE cluster for greater control-plane resilience.
- Private cluster when nodes should avoid public IPs.
- Workload Identity Federation for GKE for keyless API access from Pods.
- Node-pool autoscaling, HPA, and VPA for the correct scaling layers.
Pattern 5: Private VM outbound internet access
Private VM without external IP
→ Cloud NAT
→ Internet
Use Cloud NAT for outbound access without exposing the VM directly to inbound internet traffic.
Pattern 6: Event-driven processing
Cloud Storage object event or Pub/Sub message
→ Eventarc-supported event flow
→ Cloud Run function
Use this instead of a polling VM when minimal operations and event-driven execution are required.
Pattern 7: External CI/CD without key files
External CI/CD identity
→ Workload Identity Federation
→ short-lived Google Cloud credentials
→ deployment action
Avoid downloading a long-lived service-account JSON key.
Pattern 8: Human partner access through external identity provider
Partner employee
→ external identity provider
→ Workforce Identity Federation
→ authorized Google Cloud resources
Do not use workload federation for a human-browser-access scenario.
Pattern 9: Operational observability
Application and infrastructure signals
├── Cloud Monitoring metrics and alerts
├── Cloud Logging filters, buckets, and sinks
├── Ops Agent for VM telemetry
├── Managed Service for Prometheus
├── Cloud Trace / Cloud Profiler
├── Query Insights / index advisor
├── Personalized Service Health
└── Cloud Hub
Pattern 10: Cost-aware object retention
Cloud Storage bucket
→ object lifecycle rule
→ transition to colder storage class
→ delete after retention requirement
Choose storage class based on expected access, retrieval, and retention patterns.
7. Exam Traps
7.1 Choosing a related service from the wrong category
Examples:
- Cloud NAT is not an inbound load balancer.
- Cloud DNS is not an authentication or routing engine for application traffic.
- BigQuery is not the default OLTP database.
- Cloud SQL is not a global horizontally scalable relational database.
- A billing alert is not a runtime scaler.
- Monitoring alerts detect conditions; they do not implement configuration changes.
7.2 Selecting a technically possible but operationally heavier option
If Cloud Run directly meets the requirement, a manually managed VM is usually inferior when the scenario emphasizes minimal operations.
If GKE Autopilot meets the requirement, GKE Standard is usually inferior when the scenario emphasizes minimizing node management.
7.3 Excessive IAM scope
Watch for:
- Organization Owner for a project-level task.
- Project Editor for bucket read-only access.
- Shared private keys for a changing workforce.
- Broad service-account permissions when one narrowly scoped role is enough.
7.4 Confusing organization policy with IAM
- IAM grants permissions.
- Organization policy restricts allowed configurations.
- Firewall rules control traffic.
- Billing accounts control payment linkage.
7.5 Confusing identities
- Workforce Identity Federation → humans.
- Workload Identity Federation → external machine workloads.
- Workload Identity Federation for GKE → Pods.
- Service-account impersonation → controlled short-lived use of a service account.
- Attached service account → preferred for supported Google Cloud runtimes.
7.6 Confusing network designs
| Wrong assumption |
Correct idea |
| Shared VPC and VPC Network Peering are interchangeable |
Shared VPC centralizes subnet ownership; peering connects separate networks |
| Cloud VPN is always a dedicated private connection |
VPN is encrypted connectivity over the public internet |
| Cloud NAT accepts inbound application traffic |
NAT provides outbound access for private resources |
| DNS records replace load balancing |
DNS publishes names; a load balancer distributes traffic |
7.7 Confusing storage types
- Cloud Storage is object storage.
- Persistent Disk and Hyperdisk are VM block storage.
- Filestore and NetApp Volumes are shared file services.
- Managed Lustre is a parallel POSIX file service for demanding workloads.
- Local SSD is ephemeral.
7.8 Confusing scaling layers
- Managed instance-group autoscaling → VM count.
- Node-pool autoscaling → GKE worker-node count.
- HPA → Pod replica count.
- VPA → per-Pod CPU and memory requests.
- Cloud Run autoscaling → Cloud Run instance count.
7.9 Confusing backup with availability
High availability is not a replacement for backup. A restore path should be tested.
7.10 Ignoring scope words
Pay attention to words such as:
- Organization-wide.
- Department-only.
- One project.
- One bucket.
- One subnet.
- One service account.
- Private resources.
- Public endpoint.
- Multi-region.
- Cross-zone.
The scope words often eliminate half the options immediately.
7.11 Ignoring the requested operational stage
The same product can appear in different questions, but the required action changes:
| Stage |
Example |
| Plan |
Choose Cloud Run versus GKE |
| Deploy |
Create a new Cloud Run service or GKE workload |
| Operate |
Split traffic, configure autoscaling, inspect logs |
| Troubleshoot |
Review Query Insights, Cloud Logging, or Personalized Service Health |
| Optimize |
Review Active Assist recommendations |
7.12 Assuming every recommendation should be applied automatically
Active Assist and index-advisor recommendations must be reviewed in workload context. A recommendation is input to an engineering decision, not an automatic command.
8. Quick Memory Rules
Governance
- Organization = company.
- Folder = department or policy boundary.
- Project = workload and billing-linkage boundary.
- Organization policy restricts configurations.
- IAM grants permissions.
- Budget alerts notify; they do not normally stop spend automatically.
- Billing export → BigQuery for analysis.
Compute
- OS control → Compute Engine.
- Kubernetes → GKE.
- Serverless stateless container → Cloud Run.
- Event-driven function → Cloud Run functions plus event source.
- Identical scalable VMs → instance template plus managed instance group.
- Restart-tolerant batch → Spot VM.
- IAM-backed SSH → OS Login.
GKE
- Minimize node operations → Autopilot.
- Need node-pool control → Standard.
- Cross-zone control-plane resilience → regional cluster.
- Avoid public node IPs → private cluster.
- Replica count → HPA.
- Pod requests → VPA.
- Node count → node-pool autoscaling.
- Stable stateful Pods → StatefulSet.
Data and storage
- Analytics → BigQuery.
- Traditional relational OLTP → Cloud SQL.
- Demanding PostgreSQL-compatible OLTP → AlloyDB.
- Global scalable relational consistency → Spanner.
- Document database → Firestore.
- Wide-column and time series → Bigtable.
- Cache → Memorystore.
- Messages → Pub/Sub.
- Transformations → Dataflow.
- Kafka compatibility → Managed Service for Apache Kafka.
- Object → Cloud Storage.
- VM block → Persistent Disk or Hyperdisk.
- Shared NFS-style file → Filestore.
- Enterprise NFS or SMB → NetApp Volumes.
- Parallel AI/HPC file system → Managed Lustre.
Networking
- Explicit CIDRs → custom mode VPC.
- Central network team and shared subnets → Shared VPC.
- Separate VPC administrations with private connectivity → VPC Network Peering.
- Encrypted public-internet hybrid path → Cloud VPN.
- Private high-throughput hybrid path → Cloud Interconnect.
- Private VM outbound internet → Cloud NAT.
- Inbound distribution → load balancer.
- DNS records → Cloud DNS.
Identity and security
- People → Workforce Identity Federation.
- External machines → Workload Identity Federation.
- Pods → Workload Identity Federation for GKE.
- Temporary act-as access → service-account impersonation.
- Supported Google Cloud runtime → attach service account, avoid key file.
- Least privilege → narrowest suitable role and scope.
- Customer controls encryption-key lifecycle → CMEK.
Operations
- Disk backup → snapshot.
- Reusable VM baseline → image.
- Slow request path → Cloud Trace.
- Code profiling → Cloud Profiler.
- Slow SQL → Query Insights.
- Index suggestions → index advisor.
- Google Cloud incident relevance → Personalized Service Health.
- VM logs and metrics → Ops Agent.
- Prometheus-compatible managed monitoring → Managed Service for Prometheus.
- Operational overview → Cloud Hub.
9. Final Revision Notes
One-page revision sequence
Review these topics in this order during the final days:
- Compute selection: Compute Engine, GKE, Cloud Run, functions, and Agent Runtime.
- Database and storage selection.
- Shared VPC versus VPC Network Peering versus Cloud VPN versus Cloud Interconnect.
- Cloud NAT versus load balancing versus Cloud DNS.
- IAM hierarchy and least privilege.
- Service-account attachment, impersonation, and federation.
- GKE scaling layers.
- Cloud Run revisions, traffic splitting, and autoscaling.
- Snapshots, images, backups, restore testing, and CMEK.
- Monitoring, logging, Query Insights, index advisor, Personalized Service Health, Ops Agent, Prometheus, Active Assist, and Cloud Hub.
Top confusing pairs
| Pair |
Fast distinction |
| Organization policy vs IAM |
Restriction vs permission |
| Folder vs project scope |
Department-wide vs workload-specific |
| Shared VPC vs VPC Peering |
Central subnet ownership vs separate networks connected privately |
| Cloud VPN vs Cloud Interconnect |
Encrypted public-internet path vs private high-throughput path |
| Cloud NAT vs load balancer |
Outbound private-resource access vs inbound traffic distribution |
| Cloud Run vs GKE |
Minimal serverless container operations vs Kubernetes orchestration |
| Snapshot vs image |
Backup point in time vs reusable VM baseline |
| HPA vs VPA |
Pod count vs Pod resource requests |
| Workforce vs workload federation |
Humans vs machines |
| Pub/Sub vs Dataflow |
Messaging vs processing |
| BigQuery vs Cloud SQL |
Analytics vs OLTP |
| Filestore vs Managed Lustre |
Shared file access vs high-throughput parallel file access |
Option-elimination checklist
When two options look plausible:
- Remove the option that grants more privilege than necessary.
- Remove the option that operates at the wrong hierarchy scope.
- Remove the option that solves monitoring when the question asks for configuration.
- Remove the option that solves payment or billing when the question asks for capacity or runtime behavior.
- Remove the option that uses a public endpoint when the scenario asks for private access.
- Remove the option that introduces manual infrastructure when a managed service directly meets the requirement.
- Remove the option designed for humans when the caller is a machine.
- Remove the option designed for machine workloads when the caller is a person.
- Prefer the answer that directly maps to the stated interface: object, block, file, database, message, pipeline, DNS, NAT, VPN, or load balancing.
- Verify that the answer matches the requested operational stage: choose, deploy, scale, monitor, troubleshoot, or optimize.
Updated terminology to recognize
The updated blueprint includes terminology tied to Gemini Enterprise Agent Platform. Be ready to recognize:
- Agent Runtime on Gemini Enterprise Agent Platform, formerly Vertex AI Agent Engine.
- Gemini Enterprise Agent Platform Workbench, formerly Vertex AI Workbench.
- Gemini Cloud Assist for resource analysis and Cloud Monitoring support.
- AI-assisted planning and implementation tooling such as Gemini CLI, Google Antigravity, Gemini Cloud Assist, and Application Design Center.
10. Exam-Day Checklist
Before starting:
- Confirm whether your exam date uses the current or the June 30 updated English blueprint.
- Read each scenario for scope, workload type, security constraint, and operational goal.
- Identify whether the question expects one answer or multiple answers.
- Mark questions that require extra review and return to them later.
- Avoid spending too long on one service-name detail.
For every question:
- Ask: “What is the simplest managed solution that directly meets the requirement?”
- Check whether the option uses the correct hierarchy scope.
- Reject broad Owner or Editor access unless the scenario genuinely requires it.
- Reject long-lived keys when attached identities, impersonation, or federation are supported.
- Distinguish people from workloads.
- Distinguish inbound traffic from outbound connectivity.
- Distinguish object, block, and file storage.
- Distinguish analytics from transactional databases.
- Distinguish scaling signals from scaling layers.
- Distinguish detection tools from configuration tools.
Final confidence check:
- I can choose Compute Engine, GKE, Cloud Run, functions, and Agent Runtime correctly.
- I can choose relational, document, wide-column, analytical, cache, messaging, and pipeline services correctly.
- I can choose object, block, shared file, enterprise file, and parallel file storage correctly.
- I understand Shared VPC, peering, VPN, Interconnect, load balancing, NAT, DNS, and firewall decisions.
- I understand IAM inheritance, role scope, service accounts, impersonation, and federation.
- I can operate snapshots, images, autoscaling, traffic splitting, backups, CMEK, monitoring, logging, and diagnostics.
- I can eliminate distractors that solve the wrong problem category.
Official Alignment References
- Google Cloud Associate Cloud Engineer certification page:
https://cloud.google.com/learn/certification/cloud-engineer
- Updated English standard exam guide scheduled for June 30:
https://services.google.com/fh/files/misc/063026_associate_cloud_engineer_exam_guide_english.pdf