Google Cloud Associate Cloud Engineer: Complete Exam-Ready Masterclass
Technology · Advanced · 11h 42m · 26 modules


A deep, exam-focused preparation course for the Google Cloud Associate Cloud Engineer certification. Build real, hands-on skills across all exam domains so you can confidently deploy, operate, and secure solutions on Google Cloud — and walk into test day fully prepared.

by Skarp_officialen

Course Content

26 modules · 11h 42m total

1

Orientation: Your Roadmap to the Associate Cloud Engineer Exam

Step into the Associate Cloud Engineer journey by unpacking the exam format, domains, and what “hands-on” really means so you can plan a realistic path to passing on your first attempt.

27 min
2

Google Cloud Fundamentals: Architecture, Regions, and Core Services

Before you configure projects or spin up VMs, get oriented to Google Cloud’s global infrastructure and how core services fit together in real-world solutions.

27 min
3

Projects, Resource Hierarchy, and IAM Foundations

Discover how organizations, folders, and projects structure your environment — and how IAM ties identities and permissions to those resources.

27 min
4

Billing Accounts, Budgets, and Cost Governance

Avoid surprise bills by mastering how billing accounts, budgets, and exports connect to projects and support cost control in enterprise environments.

27 min
5

Command-Line Power: Cloud Shell, gcloud, and SDK Configuration

Step beyond the Console and get comfortable with Cloud Shell and the gcloud CLI so you can perform exam-style tasks quickly and reproducibly.

27 min
6

Planning Compute: Choosing Between Compute Engine, GKE, Cloud Run, and Cloud Functions

When a scenario demands "the right compute service," know exactly how to weigh VMs, Kubernetes, and serverless options for cost, control, and scalability.

27 min
7

Planning Data and Storage: Cloud Storage, Cloud SQL, and BigQuery

Design storage solutions that balance performance, durability, and cost using Google Cloud’s flagship data services for both transactional and analytical workloads.

27 min
8

Networking Design: VPCs, Subnets, and Network Service Tiers

Lay out robust network topologies with VPCs, subnets, and routing while understanding how Network Service Tiers impact performance and cost.

27 min
9

Cost Estimation and Optimization with the Google Cloud Pricing Calculator

Translate architecture ideas into concrete cost estimates and spot opportunities to optimize using official pricing tools and configuration options.

27 min
10

Advanced Network Planning: Shared VPC, Load Balancing, and Hybrid Connectivity

Design multi-project and hybrid networks using Shared VPC, load balancers, and connectivity options that mirror complex exam scenarios.

27 min
11

Deploying Compute Engine: Instances, Images, and Instance Groups

Turn compute designs into reality by deploying Compute Engine instances, templates, and managed instance groups using both Console and gcloud.

27 min
12

Deploying Google Kubernetes Engine: Clusters, Node Pools, and Workloads

Stand up GKE clusters and run containerized applications while understanding Autopilot vs Standard, regional vs zonal, and private cluster options.

27 min
13

Deploying Serverless Containers and Functions: Cloud Run and Cloud Functions

Ship code quickly with Cloud Run and Cloud Functions, configuring deployments, traffic splitting, triggers, and autoscaling behavior.

27 min
14

Deploying Data Solutions: Cloud Storage, Cloud SQL, and BigQuery in Practice

Create buckets, databases, and datasets while configuring access, performance, and durability settings that show up in real exam tasks.

27 min
15

Deploying Application Platforms: App Engine and Hybrid Architectures

Leverage App Engine alongside other compute services and connect frontends, backends, and data stores into cohesive application stacks.

27 min
16

Deploying and Configuring Networking: VPCs, Shared VPC, and Load Balancers

Put your network designs into action by building VPCs, Shared VPCs, and load balancers that front real workloads and enforce connectivity rules.

27 min
17

Operating Compute Engine: Lifecycle Management, Patching, and Troubleshooting

Keep your VMs healthy by mastering instance lifecycle operations, OS patching, and common troubleshooting patterns tested on the exam.

27 min
18

Operating GKE and Serverless: Scaling, Updates, and Reliability

Manage running GKE clusters, Cloud Run services, and Cloud Functions so they scale smoothly and recover gracefully from failures.

27 min
19

Operating Storage and Databases: Capacity, Performance, and Data Protection

Run storage systems in production by tuning performance, managing capacity, and protecting data with backups and lifecycle policies.

27 min
20

Monitoring with Cloud Monitoring: Metrics, Dashboards, and Alerting

Detect issues before your users do by building dashboards and alerts with Cloud Monitoring for compute, storage, and application workloads.

27 min
21

Observability and Troubleshooting with Cloud Logging

Turn raw logs into actionable insights by filtering, routing, and analyzing logs to diagnose issues across distributed Google Cloud solutions.

27 min
22

IAM Deep Dive: Identities, Basic Roles, and Least Privilege

Master IAM at the level the exam expects, including how to reason about who should have which role on which resource in realistic scenarios.

27 min
23

Service Accounts and Workload Identity: Secure Access for Applications

Secure your workloads with correctly scoped service accounts, key management, and impersonation patterns that appear frequently on the exam.

27 min
24

Security Controls, Audit Logs, and Policy Enforcement

Tie together IAM, audit logs, and organization policies to enforce security requirements and trace actions across your Google Cloud environment.

27 min
25

End-to-End Scenario Labs: From Design to Deployment and Operations

Walk through multi-step scenarios that mirror the exam: design a solution, deploy it with best practices, then monitor, troubleshoot, and secure it.

27 min
26

Exam Readiness, Tactics, and Last-Mile Review

Pull everything together with targeted review, question dissection techniques, and a battle-tested strategy for managing time and stress on exam day.

27 min

Read the Textbook


In this orientation, you will build a clear mental map of the Associate Cloud Engineer (ACE) exam so you can study with purpose instead of guessing. This course is designed as your main prep path, so you do not need to hunt for extra blueprints or guides to understand what is on the test.

First, anchor on the official role definition, because exam questions are written around this job description:

Associate Cloud Engineer: "An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics."

Study Flashcards

Key concepts from this course as flashcard pairs.

Orientation: Your Roadmap to the Associate Cloud Engineer Exam

Associate Cloud Engineer (official definition)

An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics.

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

Service account

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Google Cloud pricing calculator

The Google Cloud pricing calculator is a tool that lets you add and configure products to get a cost estimate to share with your team.

Network Service Tiers

Network Service Tiers is a Google Cloud networking feature that lets you optimize network performance and cost by choosing between different network quality tiers for outbound traffic.

Google Cloud Fundamentals: Architecture, Regions, and Core Services

Region

A specific geographic area, such as us-central1 or europe-west1, where you can run resources and store data. Regions contain one or more zones.

Zone

An isolated deployment of infrastructure within a region, such as us-central1-a. Multiple zones in a region provide higher availability when used together.

Project

A core container in Google Cloud that holds resources, APIs, IAM policies, and billing configuration. Every resource belongs to exactly one project.

Compute Engine

Google Cloud's virtual machine service, giving you OS-level control and the ability to run custom software, with features like managed instance groups.

Google Kubernetes Engine (GKE)

A managed Kubernetes service where Google manages the control plane and you run containerized workloads using Kubernetes APIs.

Cloud Run

A fully managed compute platform that runs stateless containers, automatically scaling based on HTTP requests or events and scaling to zero when idle.


Projects, Resource Hierarchy, and IAM Foundations

Organization (Google Cloud)

The top-level node in the Google Cloud resource hierarchy, representing a company or domain managed by Cloud Identity or Google Workspace. It owns all folders and projects beneath it and is where org-wide policies and IAM can be applied.

Folder

An optional grouping node under an organization used to organize projects (and other folders) by department, environment, region, or other logical structure. IAM and organization policies attached to a folder are inherited by its child projects and resources.

Project

The main container for Google Cloud resources, APIs, and services. Projects are the primary boundary for billing, quotas, and many IAM policies. Every resource such as a VM or bucket belongs to exactly one project.

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

Basic roles

Legacy, broad roles (Owner, Editor, Viewer) that apply at the project or higher level and grant large sets of permissions across many services. Simple but not aligned with least-privilege for production use.

Predefined roles

Service-specific roles curated by Google Cloud that group permissions for common tasks (for example, roles/storage.objectViewer). They are more granular than basic roles and are the recommended default for most use cases.


Billing Accounts, Budgets, and Cost Governance

Billing account

A Google Cloud billing entity that holds payment methods and pays for usage from one or more linked projects. Each project can link to only one billing account at a time.

Budget

A configuration on a billing account that tracks actual and forecasted costs against a target amount and triggers alerts (by email or Pub/Sub) when thresholds are reached.

Billing export to BigQuery

A feature that continuously exports detailed cost and usage data from a billing account into a BigQuery dataset for SQL-based analysis and reporting.

Billing export to Cloud Storage

A feature that writes periodic CSV/JSON billing data files from a billing account into a Cloud Storage bucket, useful for archiving or external integrations.

Quota

A limit on resource usage or API calls (often per project and region) that protects against accidental overuse and abuse. Some quotas are adjustable via requests.

Quota increase request

A request submitted from the Quotas page to raise the limit for a specific metric (such as CPUs in a region), including justification and desired new value.


Command-Line Power: Cloud Shell, gcloud, and SDK Configuration

Cloud Shell

A Google-managed Debian VM you access from the browser. It comes with `gcloud` and other tools preinstalled, uses your Google identity, and has a small persistent home directory.

Cloud SDK

The collection of command-line tools for Google Cloud, including the `gcloud` CLI, `gsutil`, and `bq`, installed on your local machine.

gcloud configuration

A named set of `gcloud` settings (such as account, project, region, and zone) that acts like a profile for a specific environment (for example, dev, test, prod).

Command to initialize gcloud on a new machine

`gcloud init`

Command to switch the active project

`gcloud config set project PROJECT_ID`

Command to list Compute Engine instances

`gcloud compute instances list`


Planning Compute: Choosing Between Compute Engine, GKE, Cloud Run, and Cloud Functions

Compute Engine – primary strength

Provides virtual machines with full OS-level control, ideal for lift-and-shift migrations, custom images, legacy apps, and workloads needing specialized hardware or deep OS customization.

GKE – primary strength

Managed Kubernetes for containerized workloads that need Kubernetes APIs, multi-service deployments, sidecars, and advanced traffic and deployment strategies.

Cloud Run – primary strength

Fully managed serverless platform for stateless containers, offering automatic scaling (including to zero), request-based billing, and minimal operational overhead.

Cloud Functions – primary strength

Event-driven Functions-as-a-Service for single-purpose functions triggered by HTTP, Pub/Sub, Cloud Storage, Firestore, and other events, with very low operational overhead.

Best fit: lift-and-shift with custom OS image

Compute Engine. It lets you create and run custom images with the exact OS and packages your legacy app requires.

Best fit: multiple microservices using Kubernetes APIs

GKE. It supports Deployments, Services, ConfigMaps, Secrets, and other Kubernetes features for multi-service architectures.


Planning Data and Storage: Cloud Storage, Cloud SQL, and BigQuery

Cloud Storage

Google Cloud's object storage service for unstructured data such as images, backups, and log files. Data is stored as immutable objects in buckets, with multiple storage classes and locations for balancing performance and cost.

Cloud Storage Standard class

A Cloud Storage class optimized for frequently accessed (hot) data, offering low latency and high throughput. Recommended for active content, web assets, and data being processed.

Cloud Storage lifecycle rule

A bucket-level configuration that automatically performs actions such as changing storage class or deleting objects based on conditions like object age, current class, or name prefix.

Cloud SQL

A fully managed relational database service on Google Cloud that supports MySQL, PostgreSQL, and SQL Server, suitable for transactional (OLTP) workloads requiring SQL and ACID properties.

Cloud SQL high availability (HA)

A configuration where Cloud SQL maintains a primary and standby instance in different zones within a region, using synchronous replication and automatic failover to reduce downtime during zonal failures.

Cloud SQL read replica

An asynchronous copy of a Cloud SQL primary instance used to offload read-only queries and reporting workloads, improving read scalability but not providing strongly consistent reads.


Networking Design: VPCs, Subnets, and Network Service Tiers

Virtual Private Cloud (VPC)

A global, logically isolated virtual network in Google Cloud that contains subnets, routes, and firewall rules for your resources.

Subnet

A regional segment of a VPC’s IP space with a non-overlapping CIDR range from which internal IPs are assigned to resources.

Custom Mode VPC

A VPC where you manually create and manage all subnets and IP ranges, giving fine-grained control and avoiding automatic subnet creation.

Route

A VPC configuration that specifies a destination IP range and a next hop, determining where packets go when leaving a VM’s network interface.

Firewall Rule

A stateful, VPC-level rule that allows or denies ingress or egress traffic to VM instances based on priority, targets, sources/destinations, and ports.

Cloud NAT

A managed network address translation service that lets VMs without external IPs access the internet for outbound connections.


Cost Estimation and Optimization with the Google Cloud Pricing Calculator

Google Cloud pricing calculator

The Google Cloud pricing calculator is a tool that lets you add and configure products to get a cost estimate to share with your team.

Associate Cloud Engineer (role expectation)

An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics.

Network Service Tiers

Network Service Tiers is a Google Cloud networking feature that lets you optimize network performance and cost by choosing between different network quality tiers for outbound traffic.

When is Cloud Run typically more cost-efficient than Compute Engine?

When traffic is highly variable or low most of the time, and you want to avoid paying for idle VMs. Cloud Run bills per request and resource-seconds and can scale to zero.

Sustained Use Discount (SUD)

An automatic discount applied to many long-running Compute Engine VMs when they run a large portion of the month, reducing the effective hourly price.

Committed Use Discount (CUD)

A discount you receive when you commit to using a certain amount of vCPU/RAM or specific services for 1 or 3 years, in exchange for lower prices than on-demand.


Advanced Network Planning: Shared VPC, Load Balancing, and Hybrid Connectivity

Shared VPC: Host Project

The project that owns the shared VPC network, subnets, routes, and firewall rules, and shares them with service projects in the same organization.

Shared VPC: Service Project

A project that hosts workloads (VMs, GKE clusters) which attach to subnets defined in the host project’s shared VPC.

Compute Network User role

An IAM role that lets principals create resources (like VMs) that use shared VPC networks and subnets, without granting permission to modify the network itself.

Global external HTTP(S) load balancer

A Layer 7 load balancer with a global anycast IP for internet-facing HTTP(S) traffic, ideal for web apps and APIs serving users worldwide.

Internal TCP/UDP load balancer

A regional, internal Layer 4 load balancer that distributes non-HTTP traffic (like database connections) among backends within a VPC or hybrid network.

Cloud NAT

A managed network address translation service that lets resources without external IPs initiate outbound connections to the internet using shared external IP addresses.


Deploying Compute Engine: Instances, Images, and Instance Groups

Compute Engine instance

A virtual machine running on Google Cloud where you choose the machine type, disks, image, network, and service account.

Custom image

A bootable disk image you create from an existing disk, snapshot, or image, typically used as a golden base with preinstalled software.

Snapshot

A point-in-time, incremental backup of a disk used for backup and recovery, which can be restored into a new disk.

Instance template

A resource that stores VM configuration (machine type, disks, image, metadata, tags, service account) and is used by managed instance groups.

Managed instance group (MIG)

A group of identical VMs created from an instance template that supports autoscaling, autohealing, and rolling updates.

Startup script

A script specified in metadata that runs automatically when a VM boots, often used to install software or configure services.


Deploying Google Kubernetes Engine: Clusters, Node Pools, and Workloads

GKE Standard

GKE operation mode where Google manages the control plane but you manage node pools (machine type, size, autoscaling, upgrades). Best when you need fine-grained control over nodes, OS images, and hardware such as GPUs.

GKE Autopilot

GKE operation mode where Google manages both control plane and nodes. You specify Pod resource requests, and Google provisions capacity automatically. Billing is Pod-based and node management is abstracted away.

Zonal GKE cluster

A cluster whose nodes (and typically control plane) run in a single zone, such as `us-central1-a`. Simpler and cheaper but vulnerable to zone-level outages.

Regional GKE cluster

A cluster whose control plane and node pools span multiple zones within a region, such as `us-central1-a/b/c`, providing higher availability against single-zone failures.

Private GKE cluster

A cluster where nodes have only internal IP addresses and the control plane endpoint can be restricted to private IP, improving isolation. Typically uses VPC-native networking and Cloud NAT for outbound internet.

Node pool

A group of GKE nodes with shared configuration (machine type, disk, labels, taints). A cluster can have multiple node pools for different workload types and cost strategies.


Deploying Serverless Containers and Functions: Cloud Run and Cloud Functions

Cloud Run service

A regional, fully managed serverless resource that runs a container image and exposes a stable HTTPS endpoint. It consists of one or more immutable revisions, and you can configure autoscaling, concurrency, and traffic splitting at the service level.

Cloud Run revision

An immutable snapshot of a Cloud Run service's container image and configuration (environment variables, resources, concurrency). Each deployment that changes code or config creates a new revision, and traffic can be routed across revisions.

Cloud Functions trigger

The mechanism that invokes a Cloud Function, such as an HTTP(S) request, a Pub/Sub message, a Cloud Storage object event, or other Eventarc-supported events. In 2nd gen, triggers are defined via event types and filters.

Concurrency (Cloud Run)

The number of simultaneous requests that a single Cloud Run container instance can handle. Default is 80; you can adjust it to trade off between isolation and resource efficiency.

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

Service account

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.


Deploying Data Solutions: Cloud Storage, Cloud SQL, and BigQuery in Practice

Cloud Storage bucket location type

Defines how broadly data is replicated: Region (single region), Dual-region (two specific regions), or Multi-region (multiple regions in a large geographic area). Independent from storage class.

Cloud Storage storage class

Determines cost and performance characteristics for objects: Standard for frequent access, Nearline for monthly, Coldline for quarterly, Archive for annual or less frequent access.

Lifecycle rule (Cloud Storage)

A JSON-defined policy attached to a bucket that automatically performs actions like Delete or SetStorageClass on objects when conditions (such as age in days) are met.

Cloud SQL private IP

Connectivity option where the Cloud SQL instance receives an internal IP address in a VPC, keeping traffic within Google Cloud’s private network and improving security.

Cloud SQL `--availability-type=REGIONAL`

High availability mode that creates a standby instance in another zone within the same region, enabling automatic failover if the primary zone becomes unavailable.

Point-in-time recovery (PITR)

Cloud SQL feature that, when enabled with automated backups, lets you restore a database to any point within a retention window, not just to the time of the last full backup.


Deploying Application Platforms: App Engine and Hybrid Architectures

App Engine Standard environment

A managed runtime environment using language-specific sandboxes with fast autoscaling, support for certain languages only, no custom runtimes, and limits on local disk and background processes.

App Engine Flexible environment

An App Engine environment that runs Docker containers on managed Compute Engine VMs, supporting custom runtimes, more resources, and background processes, with slower scaling and VM-like billing.

App Engine service

A logical component of an App Engine application (such as default, api, worker) that can have multiple versions, each representing a specific deployment of code and configuration.

App Engine version

A specific deployment of code and configuration for a given App Engine service. Each deployment creates a new version that can receive traffic independently.

Traffic splitting

An App Engine feature that lets you route a percentage of incoming traffic to different versions of the same service, supporting canary and blue/green deployments.

Rollback in App Engine

The process of moving traffic back to a previous stable version by updating traffic splitting, rather than redeploying old code.


Deploying and Configuring Networking: VPCs, Shared VPC, and Load Balancers

Virtual Private Cloud (VPC)

A global, logically isolated virtual network in Google Cloud that spans regions. You create regional subnets inside it to host resources like VMs and GKE nodes.

Custom mode VPC

A VPC where you manually create each subnet and choose its IP range and region. Preferred for production, on-prem connectivity, and precise IP planning.

Shared VPC host project

The project that owns one or more VPC networks and subnets, which are shared with service projects so their resources can attach to the same network.

Shared VPC service project

A project that does not own the shared VPC itself but can attach its resources (VMs, GKE clusters) to subnets in the host project’s VPC.

Firewall rule (Google Cloud)

A stateful rule at the VPC level that allows or denies ingress or egress traffic to VM network interfaces based on IPs, tags, service accounts, protocols, and ports.

External HTTP(S) Load Balancer

A global, Layer 7 load balancer with a single anycast IP that terminates HTTP/HTTPS from the internet and routes traffic to backends like instance groups or NEGs.


Operating Compute Engine: Lifecycle Management, Patching, and Troubleshooting

Compute Engine VM lifecycle: Start vs Stop vs Reset vs Delete

**Start** boots a stopped VM and resumes compute billing. **Stop** gracefully shuts down the OS and stops vCPU/RAM billing while disks remain. **Reset** is a hard reboot with no OS shutdown. **Delete** permanently removes the VM; disks may or may not be deleted depending on settings.

Persistent disk snapshot

An incremental, point-in-time backup of a persistent disk stored in Cloud Storage. Used for backup and recovery, and to create new disks in the same or different zones/regions.

Image (Compute Engine)

A bootable disk template containing an OS and optional software. Used to create new VMs and boot disks, ideal for cloning standardized configurations across regions or projects.

Guest environment / guest agent

Scripts and agents inside the VM (for example, `google-guest-agent`) that integrate the OS with Google Cloud, handling metadata, SSH keys, OS Login, and feeding data to features like OS patch management.

Serial console usage

Out-of-band access to a VM’s serial port. Used to troubleshoot boot issues, kernel panics, and broken SSH by logging in via the console even when network access fails.

Cloud Monitoring role for VMs

Collects metrics such as CPU, memory (with agent), disk, and network for GCE instances. Supports dashboards, metrics explorer, and alerting policies to track performance and availability.


Operating GKE and Serverless: Scaling, Updates, and Reliability

Horizontal Pod Autoscaler (HPA)

A Kubernetes feature that automatically adjusts the number of pod replicas in a replication controller, deployment, or replica set based on observed metrics such as CPU utilization or custom metrics.

Cluster autoscaler (GKE)

A GKE feature that automatically adjusts the size of a node pool based on the scheduling needs of pods. It adds nodes when pods are unschedulable due to lack of resources and removes nodes when they are underutilized.

GKE node pool

A group of nodes within a GKE cluster that all have the same configuration, including machine type and node image. You can upgrade, scale, and configure autoscaling per node pool.

Cloud Run concurrency

The maximum number of concurrent requests that a single Cloud Run instance can handle. Lower values improve isolation and latency; higher values reduce instance count and cost.

Cloud Run revision

An immutable snapshot of a Cloud Run service configuration and container image created with each deployment. Traffic can be routed between revisions for canary or rollback.

Cloud Functions idempotency

The property of a Cloud Function's handler that ensures processing the same event multiple times has the same effect as processing it once, which is crucial because event deliveries may be retried.


Operating Storage and Databases: Capacity, Performance, and Data Protection

Cloud Storage lifecycle rule

A bucket-level configuration that automatically performs actions (such as changing storage class or deleting objects) when specified conditions like object age, creation date, live status, or prefix/suffix filters are met.

Object versioning in Cloud Storage

A feature that keeps multiple versions of an object in the same bucket. When enabled, overwrites and deletions create noncurrent versions instead of permanently deleting data, allowing recovery of older copies.

Signed URL (Cloud Storage)

A time-limited URL that grants access to a specific Cloud Storage object without requiring a Google identity or IAM role. Commonly used to let clients download or upload objects directly after a backend authorizes them.

Cloud SQL automated backup

A scheduled backup of a Cloud SQL instance taken automatically within a defined window and retained for a configured period, used for disaster recovery and point-in-time recovery.

Point-in-time recovery (PITR) in Cloud SQL

A capability that uses transaction logs (such as binary logs) to restore a database to an exact time within a retention window, typically by creating a new instance representing the state at that time.

Cloud SQL high availability (HA)

A regional configuration where a Cloud SQL primary instance has a synchronous standby in another zone of the same region, enabling automatic failover if the primary zone or instance becomes unavailable.


Monitoring with Cloud Monitoring: Metrics, Dashboards, and Alerting

Cloud Monitoring workspace

A logical container in a host project that stores dashboards, alerting policies, uptime checks, SLOs, and metrics from one or more monitored projects.

Metric type

The identifier for what is being measured, such as `compute.googleapis.com/instance/cpu/utilization` or `run.googleapis.com/request_count`.

Monitored resource type

The kind of resource a metric is attached to, like `gce_instance`, `k8s_container`, or `cloud_run_revision`.

Uptime check

An external probe that regularly tests whether an endpoint (HTTP(S) or TCP) is reachable and responding correctly, often used to drive availability alerts.

Service Level Objective (SLO)

A target level of reliability or performance over time (for example, 99.9% success rate over 30 days), built from service-level indicators like error rate or latency.

Alerting policy

A configuration in Cloud Monitoring that defines conditions on metrics, uptime checks, or SLOs and sends notifications through channels like email or Pub/Sub when triggered.

Observability and Troubleshooting with Cloud Logging

Log bucket

A storage container in Cloud Logging that holds log entries with specific retention, location, and IAM settings. Examples include the default `_Default` bucket, the always-on `_Required` bucket, and custom buckets you create.

Log view

A filtered window into a log bucket that defines which log entries are visible. IAM can be granted on the view to control access to subsets of logs without moving data.

Log Router sink

A configuration object that matches logs using a filter at ingestion time and routes copies to destinations such as BigQuery, Cloud Storage, Pub/Sub, or other log buckets.

Logging query language

The filter language used in Logs Explorer and sinks to select log entries based on fields such as `resource.type`, `severity`, `logName`, labels, and payload contents.

Admin Activity audit logs

Audit logs that record administrative operations that modify configuration or metadata, such as creating VMs or changing IAM policies. They are always enabled and stored in the `_Required` bucket.

Data Access audit logs

Audit logs that record read and write operations on user data, such as reading objects from Cloud Storage. Often disabled by default for volume reasons and must be explicitly enabled.

IAM Deep Dive: Identities, Basic Roles, and Least Privilege

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

User vs Group

A user is an individual person’s account. A group is a Google Group that contains multiple users; you assign IAM roles to the group email so membership changes automatically update access.

Service account

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Basic roles

The broad, legacy roles `roles/viewer`, `roles/editor`, and `roles/owner`. They apply across most services in a project and are not aligned with least privilege.

Predefined roles

Google-managed roles tailored to specific services or job functions (for example, `roles/storage.objectViewer`). Preferred for most use cases because they are maintained and updated by Google.

Custom roles

Roles you create at the project or organization level by choosing specific permissions. Used when no single predefined role matches the required permission set.

Service Accounts and Workload Identity: Secure Access for Applications

Service account (canonical definition)

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Identity and Access Management (IAM) (canonical definition)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

Least privilege for service accounts

Grant service accounts only the roles they need, ideally at the narrowest scope (specific bucket, topic, or project), and avoid broad roles like Owner or Editor unless absolutely necessary.

Service account key

A long-lived private key (typically JSON) for a service account that allows external code to authenticate as that account. As of 2026, this is discouraged for most workloads in favor of keyless, short-lived credentials.

Keyless access

An authentication model where workloads obtain short-lived tokens from the Google Cloud metadata server or Workload Identity, without storing long-lived service account key files.

Service account impersonation

A pattern where a caller (user or service account) with `roles/iam.serviceAccountTokenCreator` on a target service account obtains short-lived credentials to act as that target service account.

Security Controls, Audit Logs, and Policy Enforcement

Cloud Audit Logs: Admin Activity logs

Admin Activity logs record administrative operations that modify configuration or metadata (for example, creating a VM or changing IAM). They are always on and free, and are the primary source to answer "who changed what" questions.

Cloud Audit Logs: Data Access logs

Data Access logs record operations that read or write user data (for example, reading a Cloud Storage object or running a BigQuery query). Many Data Access logs are not fully enabled by default due to volume and cost.

Organization policy constraint

A constraint is a predefined rule in the Organization Policy Service that controls a specific behavior, such as allowed regions (`gcp.resourceLocations`) or whether VMs can have external IPs (`compute.vmExternalIpAccess`).

Organization policy inheritance

Organization policies apply at the organization, folder, or project level and inherit down the resource hierarchy. A project’s effective policy is the combination of its own policy and inherited policies from its parent folder and organization.

IAM Condition

An IAM Condition is a context-aware expression attached to an IAM binding. It uses Common Expression Language (CEL) and can reference attributes like `request.time` to create time-bound or attribute-based access control.

Policy Denied logs

Policy Denied logs are audit log entries generated when an operation is blocked by an organization policy constraint. They help explain why an action was denied and which constraint was triggered.

End-to-End Scenario Labs: From Design to Deployment and Operations

Associate Cloud Engineer (role description)

An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics.

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

Service account (definition)

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Shared VPC

A networking model where a central host project owns the VPC, and multiple service projects attach to it so their resources share subnets, routes, and firewall rules managed centrally.

Managed instance group (MIG)

A group of identical Compute Engine VMs created from an instance template that supports autoscaling, autohealing, and rolling updates, commonly used behind HTTP(S) Load Balancers.

Cloud SQL vs BigQuery

Cloud SQL is a managed relational database for transactional workloads; BigQuery is a serverless data warehouse optimized for analytical SQL queries over large datasets.

Exam Readiness, Tactics, and Last-Mile Review

Associate Cloud Engineer (role focus)

An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics.

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

Service account

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Network Service Tiers

Network Service Tiers is a Google Cloud networking feature that lets you optimize network performance and cost by choosing between different network quality tiers for outbound traffic.

Google Cloud pricing calculator

The Google Cloud pricing calculator is a tool that lets you add and configure products to get a cost estimate to share with your team.

Least privilege principle

Give identities (users, groups, service accounts) only the minimum roles and permissions they need to perform their tasks, and at the narrowest resource scope that works.
