GCP Associate Cloud Engineer Certification Path

Google Cloud - Associate Cloud Engineer

Google Cloud – Associate Cloud Engineer Certification learning path

📋 Last Updated: June 2026 — This guide has been updated to reflect the current ACE exam guide, including Cloud Run, Spot VMs, AlloyDB, Terraform/IaC tools, and the deprecation of Deployment Manager.

Google Cloud – Associate Cloud Engineer certification exam is for individuals who deploy applications, monitor operations, and manage enterprise solutions on Google Cloud. The exam validates production-ready skills including deploying and securing applications, configuring networks and IAM, monitoring systems, and automating routine tasks.

Google Cloud – Associate Cloud Engineer Certification Summary

  • Has 50-60 questions (typically ~50) to be answered in 2 hours.
  • Registration fee: $125 (plus tax where applicable).
  • Available in English, Japanese, Spanish, and Portuguese.
  • Covers wide range of Google Cloud services and what they actually do. It focuses heavily on IAM, Compute (including Cloud Run and Cloud Functions), Storage with networking and monitoring/observability.
  • Hands-on is a must. Covers Cloud SDK, CLI commands and Console operations that you would use for day-to-day work. If you have not worked on GCP before make sure you do lot of labs else you would be absolute clueless for some of the questions and commands.
  • The exam includes multiple-select questions where you must choose 2 or 3 correct answers from 4-5 options.
  • Make sure you understand Infrastructure as Code tools (Terraform, Config Connector) as Deployment Manager has been deprecated.

Google Cloud – Associate Cloud Engineer Certification Topics

General Services

  • Cloud Billing
    • Understand how Cloud Billing works. Monthly vs Threshold and which has priority
    • Budgets can be set to alert for projects
    • How to change a billing account for a project and what roles you need. Hint – Project Owner and Billing Administrator for the billing account
    • Cloud Billing can be exported to BigQuery and Cloud Storage
  • Resource Manager
    • Understand Resource Manager the hierarchy Organization -> Folders -> Projects -> Resources
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
    • Understand organizational policies and how they constrain resource configurations across the hierarchy.
  • Cloud SDK
    • Understand gcloud commands esp. when dealing with
      • configurations i.e. gcloud config
        • activate profiles – gcloud config configurations activate
        • GKE setting default cluster i.e. gcloud config set container/cluster CLUSTER_NAME
        • set project gcloud config set project mygcp-demo
        • set region gcloud config set compute/region us-west1
        • set zone gcloud config set compute/zone us-west1-a
      • Get project list and ids gcloud projects list
      • Auth i.e gcloud auth
        • Auth login using user gcloud auth login
        • Auth login using service account gcloud auth activate-service-account --key-file=sa_key.json
      • VPC firewalls i.e. gcloud compute firewall-rules

Network Services

  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets and host applications within them. Hint – VPC spans across regions
    • Understand how Firewall rules work and how they are configured. Hint – Focus on Network Tags and Service Accounts for targeting. Also, there are 2 implicit firewall rules – default ingress deny and default egress allow
    • Understand creating ingress and egress firewall rules and policies (IP subnets, network tags, service accounts)
    • Understand VPC Peering and Shared VPC
    • Understand the concept of internal and external IPs and difference between static and ephemeral IPs
    • Primary IP range of an existing subnet can be expanded by modifying its subnet mask, setting the prefix length to a smaller number.
    • Understand Cloud DNS and Cloud NAT configuration and management.
  • Cloud Load Balancing
    • Understand Google Cloud Load Balancing
    • Know load balancer options and differences esp. HTTPS and SSL proxy when handling SSL termination.
    • Understand Network Service Tiers (Premium vs Standard) and their impact on routing and availability.

Identity Services

  • Identity and Access Management – IAM
    • Identity and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • Understand how IAM works and how rules apply esp. the hierarchy from Organization -> Folder -> Project -> Resources
    • Understand the difference between Basic (formerly Primitive), Predefined and Custom roles and their use cases
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
    • Basically Permissions -> Roles -> (IAM Policy) -> Members (Principals)
    • Need to know and understand the roles for the following services at least
      • Cloud Storage – Admin vs Creator vs Viewer
      • Compute Engine – Admin vs Instance Admin
      • Spanner – Viewer vs Database User
      • BigQuery – User vs JobUser
    • Know how to copy roles to different projects or organization. Hint – gcloud iam roles copy
    • Know how to use service accounts with applications
    • Understand service account impersonation and creating short-lived credentials
    • Apply principle of least privilege when assigning service accounts to resources
  • Cloud Identity
    • Cloud Identity provides IDaaS (Identity as a Service) and provides single sign-on functionality and federation with external identity providers like Active Directory.
    • Know how to manage users and groups in Cloud Identity (manually and automated)

Compute Services

  • Make sure you know all the compute services: Compute Engine, App Engine, Google Kubernetes Engine, Cloud Run, and Cloud Functions. They are heavily covered in the exam.
  • Google Compute Engine
    • Google Compute Engine is the best IaaS option for compute and provides fine-grained control
    • Know how to create a Compute Engine instance, connect to it using Cloud Shell or SSH keys
    • Difference between backups and images and how to create instances from the same.
    • Instance templates with managed instance groups. Instance template cannot be edited, create a new one and attach.
    • Difference between managed vs unmanaged instance groups and auto-healing feature
    • Spot VMs (replacement for Preemptible VMs) and their use cases. HINT – Spot VMs can be terminated any time when Compute Engine needs resources, but unlike Preemptible VMs they have NO 24-hour maximum lifetime. Same pricing model as Preemptible VMs. Google recommends using Spot VMs instead of Preemptible VMs for new workloads.
    • Understand custom machine types for right-sizing compute resources
    • Upgrade an instance without downtime using Live Migration
    • Managing access using OS Login or project and instance metadata
    • Configure VM Manager for OS patch management and compliance
    • Prevent accidental deletion using deletion protection flag
    • In case of any issues or errors, how to debug the same
  • Google App Engine
    • Google App Engine is mainly the best option for PaaS with platforms supported and features provided.
    • Deploy an application with App Engine and understand how versioning and rolling deployments can be done
    • Understand how to keep auto scaling and traffic splitting and migration.
    • Know App Engine is a regional resource and understand the steps to migrate or deploy application to different region and project.
    • Know the difference between App Engine Flexible vs Standard
  • Google Kubernetes Engine (GKE)
    • Google Kubernetes Engine enables you to run containers on Google Cloud Platform.
    • GKE takes care of provisioning and maintaining the underlying virtual machine cluster, scaling your application, and operational logistics such as logging, monitoring, and cluster health management.
    • Be sure to Create a Kubernetes Cluster and configure it to host an application
    • Understand different cluster configurations: Autopilot (fully managed, recommended for most workloads), Standard, regional clusters, and private clusters
    • Understand GKE Enterprise for multi-cluster management
    • Understand how to make the cluster auto-repairable and upgradable. Hint – Node auto-upgrades and auto-repairing feature
    • Very important to understand where to use gcloud commands (to create a cluster) and kubectl commands (manage the cluster components)
    • Very important to understand how to increase cluster size, enable autoscaling, and manage node pools (add, edit, remove)
    • Know how to manage secrets like database passwords
    • Understand Horizontal and Vertical Pod Autoscaler configurations
    • Know how to configure GKE to access Artifact Registry for container images
  • Cloud Run
    • Cloud Run is a fully managed serverless platform for running containerized applications.
    • Deploy containerized applications without managing infrastructure
    • Understand traffic splitting between revisions for canary deployments
    • Configure scaling parameters (min/max instances, concurrency)
    • Understand event-driven architecture with Eventarc and Pub/Sub triggers
    • Know when to choose Cloud Run vs App Engine vs GKE vs Cloud Functions
  • Cloud Functions
    • Cloud Functions is a serverless execution environment for building and connecting cloud services.
    • Best for event-driven, single-purpose functions (e.g., responding to Cloud Storage events, Pub/Sub messages)
    • Understand triggers: HTTP, Pub/Sub, Cloud Storage, Eventarc
    • Know the difference between Cloud Functions and Cloud Run for serverless workloads

Storage Services

  • Understand each storage service options and their use cases.
  • Cloud Storage
    • Cloud Storage is cost-effective object storage for unstructured data.
    • Very important to know the different storage classes and their use cases:
      • Standard (frequent access — replaces the legacy Regional and Multi-Regional classes)
      • Nearline (access less than once per 30 days)
      • Coldline (access less than once per 90 days)
      • Archive (access less than once per year — coldest tier, ideal for long-term retention and compliance)
    • Understand lifecycle management. HINT – Changes are in accordance to object creation date
    • Understand Signed URL to give temporary access and the users do not need to be GCP users
    • Understand access control and permissions – IAM vs ACLs (fine-grained control). IAM is recommended for uniform bucket-level access.
    • Understand best practices esp. uploading and downloading the data. HINT using parallel composite uploads
  • Relational Databases
    • Cloud SQL
      • Cloud SQL is a fully-managed service that provides MySQL, PostgreSQL, and SQL Server
      • Supports up to 64TB storage and is a regional service.
      • Difference between Failover and Read replicas. Failover provides High Availability and almost zero downtime while Read replicas provide scalability. Cross-region Read Replicas are supported.
      • Perform Point-In-Time recovery. Hint – requires binary logging and backups
    • AlloyDB for PostgreSQL
      • AlloyDB is a fully managed, PostgreSQL-compatible database designed for demanding enterprise workloads.
      • Provides up to 4x faster transactional performance than standard PostgreSQL.
      • Features automatic storage scaling, columnar engine for analytics, and 99.99% availability SLA.
      • Best for enterprise applications needing PostgreSQL compatibility with superior performance and availability.
      • Now included in the ACE exam guide as a data solution option.
    • Cloud Spanner
      • Is a fully managed, mission-critical relational database service.
      • Provides a scalable online transaction processing (OLTP) database with high availability and strong consistency at global scale.
      • Globally distributed and can scale and handle more than 10TB.
      • Not a direct replacement for Cloud SQL and would need migration.
  • NoSQL Databases
    • Firestore
      • Highly scalable and serverless NoSQL document database with MongoDB compatibility.
      • Suitable for mobile, web, and IoT applications requiring real-time sync.
      • Now included in the ACE exam guide as both a deployment and management topic.
    • Bigtable
      • Cloud-native wide-column database for large-scale, low-latency workloads (IoT, analytics, time-series data).
  • Data Warehousing
    • BigQuery
      • Provides scalable, fully managed enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
      • Remember it is most suitable for historical analysis and analytics.
      • Know how to perform a preview or dry run. Hint – price is determined by bytes read not bytes returned.
      • Supports federated tables or external tables that can support Cloud Storage, Bigtable, Google Drive and Cloud SQL.
      • Understand how to review job status and estimate costs.

Data Services

  • Although there are only a few references to data services in the exam, it is important to know the data analytics stack to understand which service fits the different layers of ingest, store, process, and analytics:
    • Cloud Storage as the medium to store data as a data lake
    • Pub/Sub as the messaging service to capture real-time data esp. IoT. Designed to provide reliable, many-to-many, asynchronous messaging between applications.
    • Dataflow to process, transform, and transfer data — the key service for stream and batch processing pipelines.
    • BigQuery for storage and analytics. Remember BigQuery provides a cost-effective option for storage similar to Cloud Storage.
    • Managed Service for Apache Spark (formerly Cloud Dataproc) for existing Hadoop/Spark jobs. Hint – Use it to replace existing Hadoop infrastructure. Renamed from Dataproc in 2025.

⚠️ Deprecated Data Services:

  • Cloud Datalab — Deprecated since September 2, 2022. Replaced by Vertex AI Workbench for interactive data exploration, analysis, and visualization.
  • Cloud Dataprep — Now “Dataprep by Trifacta” (operated by Alteryx). Consider Cloud Data Fusion for data preparation and integration on Google Cloud.

Monitoring and Observability

  • Google Cloud Operations Suite (formerly Stackdriver)
    • The suite includes Cloud Monitoring, Cloud Logging, Cloud Trace, Cloud Profiler, and Error Reporting.
    • Create Cloud Monitoring alerts based on resource metrics
    • Create and ingest custom metrics (from applications or logs)
    • Export logs to external systems (on-premises, BigQuery)
    • Configure log buckets, log analytics, and log routers
    • View and filter logs in Cloud Logging; view specific log message details
    • Use cloud diagnostics to research application issues
    • Configure and deploy Ops Agent (replaces the legacy Monitoring and Logging agents)
    • Deploy Managed Service for Prometheus for Kubernetes workload monitoring
    • Configure audit logs for security and compliance
    • Remember audits and troubleshooting primarily involve checking Cloud Logging and Cloud Monitoring

DevOps and Infrastructure as Code

  • Infrastructure as Code (IaC)
    • The ACE exam now focuses on modern IaC tooling:
    • Terraform — The recommended IaC tool for Google Cloud. Supports declarative infrastructure provisioning with HCL.
    • Infrastructure Manager — Google Cloud’s managed Terraform service for deploying and managing infrastructure.
    • Config Connector — Kubernetes add-on for managing Google Cloud resources using Kubernetes-style YAML.
    • Cloud Foundation Toolkit — Reference templates and best practices for Terraform deployments.
    • Helm — Package manager for Kubernetes applications.

⚠️ Deployment Manager — DEPRECATED

Google Cloud Deployment Manager support ended December 31, 2025 and reached End of Life on March 31, 2026.

Migration Options:

  • Terraform (recommended) — Multi-cloud support, richer module ecosystem, expressive configuration language
  • Infrastructure Manager — Google Cloud’s managed Terraform service
  • Config Connector — For Kubernetes-native resource management

The ACE exam guide now references Terraform, Config Connector, Cloud Foundation Toolkit, and Helm as IaC tools instead of Deployment Manager.

  • Google Cloud Marketplace (formerly Cloud Launcher)
    • Provides a way to launch common software packages (e.g., Jenkins, WordPress) and stacks on Google Compute Engine with just a few clicks — a prepackaged solution.
    • Can help minimize deployment time and can be used without detailed knowledge about the product.

Google Cloud – Associate Cloud Engineer Certification Exam Domains (2025/2026)

The current exam guide covers five sections:

  • Section 1: Setting up a cloud solution environment (~20%) — Resource hierarchy, organizational policies, IAM roles, Cloud Identity, billing configuration
  • Section 2: Planning and configuring a cloud solution (~17.5%) — Compute choices (Compute Engine, GKE, Cloud Run, Cloud Functions), data storage options, network resources
  • Section 3: Deploying and implementing a cloud solution (~25%) — Compute Engine, GKE (Autopilot, regional, private clusters), Cloud Run & Cloud Functions, data solutions (Cloud SQL, Firestore, BigQuery, Spanner, AlloyDB, Pub/Sub, Dataflow), networking, IaC (Terraform, Config Connector, Helm)
  • Section 4: Ensuring successful operation (~20%) — Managing Compute Engine, GKE, Cloud Run resources; storage/database management; networking; monitoring and logging (Ops Agent, Managed Prometheus)
  • Section 5: Configuring access and security (~17.5%) — IAM policies, role types, service accounts, impersonation, short-lived credentials

Google Cloud – Associate Cloud Engineer Certification Resources