GCP Cloud Engineer Guide: Google Cloud Associate Cloud Engineer Exam Guide

Google Cloud Associate Cloud Engineer Exam Guide

Prove your Google Cloud expertise with this comprehensive Associate Cloud Engineer study guide covering project setup, compute and storage services, networking, IAM, and deployment management. This guide prepares you for the hands-on, scenario-based exam format with gcloud CLI exercises, architecture decision trees, and practice questions that reflect the real exam difficulty. Google Cloud emphasizes practical skills over memorization, and this guide mirrors that philosophy with runnable commands and real-world deployment scenarios throughout every section.

Key Features

• All exam domains covered with study priorities based on exam weighting
• gcloud CLI mastery with commands for every major operation — the exam heavily tests CLI skills
• Compute decision framework for choosing between Compute Engine, GKE, Cloud Run, Cloud Functions, and App Engine
• IAM and security deep dives covering roles, service accounts, organization policies, and VPC Service Controls
• Networking architecture including VPCs, subnets, firewall rules, Cloud NAT, and load balancing
• Storage and database selection guides with performance and cost comparisons
• Deployment patterns using Deployment Manager, Terraform, and managed instance groups

Study Plan

Week 1-2: Setting Up a Cloud Solution Environment (15% of exam)

• Creating projects, enabling APIs, and setting up billing
• IAM roles: primitive, predefined, and custom roles
• Service accounts: creation, key management, and impersonation
• Cloud SDK installation, configuration, and project switching

Week 3-4: Planning and Configuring Cloud Solutions (20% of exam)

• Compute selection: VMs, containers, serverless, and managed services
• Storage selection: Cloud Storage, Persistent Disk, Filestore, Cloud SQL, BigQuery
• Network planning: VPCs, shared VPCs, subnets, IP ranges, and regions
• Resource estimation using the Google Cloud Pricing Calculator

Week 5-6: Deploying and Implementing Cloud Solutions (25% of exam)

• Compute Engine: instances, templates, managed instance groups, preemptible VMs
• Google Kubernetes Engine: cluster creation, node pools, workload deployment
• Cloud Run and Cloud Functions for serverless workloads
• Cloud Storage: bucket creation, lifecycle rules, access control

Week 7-8: Ensuring Successful Operation (20% of exam)

• Cloud Monitoring: dashboards, alerting policies, uptime checks
• Cloud Logging: log sinks, log-based metrics, and log routing
• Managing snapshots, images, and instance group updates
• Debugging, troubleshooting, and performance optimization

Week 9-10: Configuring Access and Security (20% of exam)

• IAM policies and bindings at organization, folder, project, and resource levels
• Service account best practices and workload identity
• VPC firewall rules, Cloud Armor, and Identity-Aware Proxy
• Audit logging and data access logs

Key Topics

Domain	Weight	Core Services
Setting Up Environment	15%	Projects, IAM, billing, SDK
Planning Solutions	20%	Compute, storage, networking decisions
Deploying Solutions	25%	GCE, GKE, Cloud Run, Cloud Storage
Ensuring Operations	20%	Monitoring, Logging, troubleshooting
Access and Security	20%	IAM, service accounts, firewall, audit

Practice Questions

Q1: A team needs to run a stateless web application that automatically scales to zero when not in use and handles HTTP requests. They want minimal infrastructure management. Which compute service should they use?

A1: Cloud Run. It is a fully managed serverless platform for containerized applications that scales to zero, auto-scales based on requests, and requires no cluster management. You deploy a container image and Cloud Run handles the rest. Cloud Functions is also serverless but is better for event-driven functions, while Cloud Run supports full HTTP services with any language/framework.

Q2: An organization has multiple projects and needs to ensure that VMs can only be created in the us-central1 and europe-west1 regions across all projects. What is the most scalable approach?

A2: Create an Organization Policy with a constraint on constraints/gcp.resourceLocations. Set the allowed values to in:us-central1-locations and in:europe-west1-locations. Apply the policy at the organization or folder level. This automatically applies to all current and future projects without per-project configuration.

Q3: A data analyst needs read-only access to BigQuery datasets across three projects but should not be able to create or modify any resources. Which IAM role should be granted?

A3: Grant the predefined role roles/bigquery.dataViewer on each of the three projects. This role provides permission to read data from tables and views without the ability to modify datasets, tables, or run jobs that write data. For query execution, also grant roles/bigquery.jobUser on the analyst's own project so they can run queries.

Q4: A Compute Engine VM needs to access Cloud Storage buckets and Pub/Sub topics. The application currently uses a downloaded service account key. How should this be improved for security?

A4: Remove the downloaded key and attach a service account directly to the VM instance with the necessary IAM roles. VMs automatically receive credentials via the metadata server — no keys to manage or rotate. Use gcloud compute instances set-service-account to change the attached service account. Grant roles/storage.objectViewer and roles/pubsub.subscriber to the service account.

Lab Exercises

Lab 1: Project Setup and IAM Configuration

# Create a new project
gcloud projects create my-lab-project-2026 --name="Lab Project"

# Set the active project
gcloud config set project my-lab-project-2026

# Enable required APIs
gcloud services enable compute.googleapis.com
gcloud services enable container.googleapis.com
gcloud services enable cloudfunctions.googleapis.com

# Create a service account
gcloud iam service-accounts create lab-sa \
  --display-name="Lab Service Account"

# Grant roles to the service account
gcloud projects add-iam-policy-binding my-lab-project-2026 \
  --member="serviceAccount:lab-sa@my-lab-project-2026.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"

Lab 2: Deploy a Managed Instance Group

# Create an instance template
gcloud compute instance-templates create web-template \
  --machine-type=e2-medium \
  --image-family=debian-12 \
  --image-project=debian-cloud \
  --tags=http-server \
  --metadata=startup-script='#!/bin/bash
    apt-get update && apt-get install -y nginx
    echo "Hello from $(hostname)" > /var/www/html/index.html'

# Create a managed instance group with autoscaling
gcloud compute instance-groups managed create web-mig \
  --template=web-template \
  --size=2 \
  --zone=us-central1-a

# Configure autoscaling
gcloud compute instance-groups managed set-autoscaling web-mig \
  --zone=us-central1-a \
  --min-num-replicas=2 \
  --max-num-replicas=10 \
  --target-cpu-utilization=0.6

Lab 3: VPC and Firewall Configuration

# Create a custom VPC
gcloud compute networks create lab-vpc --subnet-mode=custom

# Create subnets in two regions
gcloud compute networks subnets create lab-subnet-us \
  --network=lab-vpc --range=10.0.1.0/24 --region=us-central1

gcloud compute networks subnets create lab-subnet-eu \
  --network=lab-vpc --range=10.0.2.0/24 --region=europe-west1

# Create firewall rules
gcloud compute firewall-rules create allow-http \
  --network=lab-vpc --allow=tcp:80 --target-tags=http-server

gcloud compute firewall-rules create allow-ssh \
  --network=lab-vpc --allow=tcp:22 --source-ranges=0.0.0.0/0

Exam Tips

1. gcloud CLI is king — the exam heavily tests CLI commands; practice until they are muscle memory
2. Know the compute decision tree — VMs for lift-and-shift, GKE for containers, Cloud Run for serverless containers, Functions for event-driven
3. IAM inheritance flows downward — org > folder > project > resource; policies are additive (union of all levels)
4. Service accounts — understand the difference between user-managed and default service accounts; always prefer attached credentials over downloaded keys
5. Preemptible/Spot VMs — can be terminated at any time, up to 80% cheaper, max 24-hour lifetime; use for fault-tolerant batch workloads
6. Questions are scenario-based — read the full scenario, identify constraints, then pick the simplest solution that meets all requirements

Resources

• Associate Cloud Engineer Exam Guide
• Google Cloud Documentation
• gcloud CLI Reference
• Google Cloud Architecture Framework

---

This is 1 of 11 resources in the Certification Prep Pro toolkit. Get the complete [GCP Cloud Engineer Guide] with all files, templates, and documentation for $49.

Get the Full Kit →

Or grab the entire Certification Prep Pro bundle (11 products) for $249 — save 30%.

Get the Complete Bundle →

---

Related Articles

• AWS DevOps Professional Guide: AWS DevOps Professional Exam Guide DOP-C02
• AWS SA Associate Study Guide: AWS Solutions Architect Associate Exam Guide SAA-C03
• Azure Administrator (AZ-104) Guide: Azure Administrator Exam Guide AZ-104