Skarp
Google Cloud Associate Cloud Engineer: Complete Exam-Ready Masterclass
Technology · Advanced · 12h 9m · 27 modules


A deep, exam-focused preparation course for the Google Cloud Associate Cloud Engineer certification, built directly around the official exam blueprint. You’ll move from foundational setup and billing through planning, deploying, operating, and securing real Google Cloud workloads with the depth needed to pass the exam and perform confidently on the job.

by Skarp_officialen

Course Content

27 modules · 12h 9m total

1

Orientation: Your Path to the Google Cloud Associate Cloud Engineer

Step into the world of Google Cloud certification and see exactly how the exam is structured, scored, and what it expects from a real Associate Cloud Engineer in the field.

27 min
2

Google Cloud Resource Hierarchy, Projects, and Accounts

Before launching any workload, you need a solid foundation of organizations, folders, and projects that keeps environments clean, secure, and ready to scale.

27 min
3

Billing Accounts, Cost Controls, and the Google Cloud Pricing Calculator

Cost surprises can derail any cloud initiative; build the skills to wire billing correctly, set guardrails, and estimate spend before you deploy.

27 min
4

Cloud SDK, gcloud CLI, and Essential Tools

Command-line skills are core to the exam and the job; get comfortable installing, configuring, and using the tools that power real-world automation.

27 min
5

Planning Compute: Choosing Between Compute Engine, GKE, Cloud Run, and Cloud Functions

Faced with a new workload, which compute service should you choose, and why does it matter for cost, scalability, and operations on the exam?

27 min
6

Planning Data Storage: Relational, NoSQL, and Analytics Choices

Data design decisions ripple through performance, cost, and operations; learn how to map use cases to the right managed database or analytics service.

27 min
7

Planning Object Storage and Lifecycle Management with Cloud Storage

From hot content delivery to long-term archives, Cloud Storage underpins many solutions; design buckets, classes, and lifecycles that meet performance and cost goals.

27 min
8

Designing VPC Networks, Subnets, and Network Service Tiers

Network design decisions determine connectivity, security, and latency; build VPCs and choose service tiers that align with your architecture and budget.

27 min
9

Cost Estimation and Architecture Trade-offs with the Google Cloud Pricing Calculator

Architectures are more than diagrams; they carry real price tags—practice estimating full-stack solutions and comparing design options using Google’s official tool.

27 min
10

Deploying and Managing Compute Engine Virtual Machines

Virtual machines remain the backbone of many workloads; gain hands-on fluency with creating, configuring, and managing Compute Engine instances the way the exam expects.

27 min
11

Deploying Containers with Google Kubernetes Engine

Kubernetes on Google Cloud offers powerful orchestration; learn how to stand up clusters, deploy workloads, and choose between GKE modes for exam scenarios.

27 min
12

Serverless Containers and Functions: Deploying with Cloud Run and Cloud Functions

Offload infrastructure management with serverless platforms; practice deploying stateless services and event-driven functions the way the exam will test you.

27 min
13

Deploying App Engine Applications and Choosing Runtimes

App Engine offers a managed platform for web apps; learn how to deploy, configure services, and decide when it fits better than other compute options.

27 min
14

Deploying Storage and Database Solutions: Cloud Storage, Cloud SQL, and BigQuery

Turn storage plans into real deployments; practice provisioning buckets, databases, and warehouses that support common application and analytics patterns.

27 min
15

Deploying and Configuring VPC Networks, Shared VPC, and Load Balancing

Networking glue holds your solution together; gain experience creating VPCs, subnets, and Shared VPCs, and fronting services with Google’s load balancers.

27 min
16

Managing Compute Engine: Updates, Availability, and Troubleshooting

Once VMs are running, they must be patched, scaled, and debugged; build the operational skills to keep Compute Engine workloads healthy.

27 min
17

Operating Google Kubernetes Engine and Cloud Run Services

Clusters and serverless services evolve over time; learn how to scale, roll out updates, and diagnose issues in GKE and Cloud Run workloads.

27 min
18

Operating App Engine, Cloud Functions, and Event-Driven Architectures

Managed platforms simplify deployment but still require operational care; practice monitoring, tuning, and troubleshooting App Engine and Cloud Functions.

27 min
19

Operating Storage and Databases: Cloud Storage, Cloud SQL, and BigQuery

Data services must be monitored, tuned, and protected; develop the skills to keep storage and database workloads reliable and cost-effective.

27 min
20

Cloud Logging and Cloud Monitoring: Observability Foundations

Visibility is essential for reliable operations; learn how to capture logs and metrics, build dashboards, and configure alerts across your Google Cloud estate.

27 min
21

Advanced Logging, Metrics, and Troubleshooting Across Services

Complex issues often span multiple services; practice using advanced logging and monitoring features to trace, diagnose, and resolve cross-cutting problems.

27 min
22

Identity and Access Management Fundamentals and IAM Role Types

Access control is at the heart of security; build a clear mental model of IAM identities, roles, and policies as tested on the exam.

27 min
23

Configuring IAM Policies, Basic Roles, and Resource-Level Permissions

Misconfigured permissions are a top cause of incidents; practice granting and restricting access with the precision the exam expects.

27 min
24

Service Accounts, Workload Identity, and Secure Service-to-Service Access

Applications and workloads need identities too; learn how to configure service accounts and workload identities securely across compute platforms.

27 min
25

Network Security, Shared VPC, and Perimeter Controls

Locking down networks is as important as IAM; configure Shared VPCs, firewalls, and related controls to protect services without breaking connectivity.

27 min
26

Audit Logs, Cloud Logging, and Compliance-Oriented Monitoring

Every action leaves a trail; harness audit logs and observability tools to meet compliance requirements and investigate security events.

27 min
27

Final Review, Exam-Taking Strategies, and Practice Scenarios

Bring everything together with targeted review, exam-style scenarios, and tactics that help you manage time, reduce mistakes, and walk into test day with confidence.

27 min

Read the Textbook


In this orientation module, you will get a clear, practical map of your journey to the Google Cloud Associate Cloud Engineer certification. By the end, you should know exactly what the role expects in real life, how the exam is structured and scored as of today (late May 2026), and how to build a realistic study plan that fits your schedule.

This course is designed as a complete prep path, so you do not need to chase external blueprints or guides to understand what to study. We have already aligned this module with the current Associate Cloud Engineer exam domains and weights. When those evolve, Skarp updates the course; you focus on learning.

In this module you will:
Learn the official definition of an Associate Cloud Engineer and unpack what it means in day-to-day work.
Memorize the five exam sections, in order, and understand what skills each one covers.
Understand the current exam format: question styles, timing, and scoring model.
See how hands-on skills with Google Cloud are tested indirectly through scenario questions.
Build a simple, personal study plan that balances theory, labs, and practice exams.

Study Flashcards

Key concepts from this course as flashcard pairs.

Orientation: Your Path to the Google Cloud Associate Cloud Engineer

Official definition of an Associate Cloud Engineer

An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics.

Associate Cloud Engineer exam section 1 (in order)

Setting up a cloud solution environment

Associate Cloud Engineer exam section 2 (in order)

Planning and configuring a cloud solution

Associate Cloud Engineer exam section 3 (in order)

Deploying and implementing a cloud solution

Associate Cloud Engineer exam section 4 (in order)

Ensuring successful operation of a cloud solution

Associate Cloud Engineer exam section 5 (in order)

Configuring access and security


Google Cloud Resource Hierarchy, Projects, and Accounts

Organization (Google Cloud)

The top-level resource in the Google Cloud resource hierarchy that typically corresponds to a company or domain and contains all folders and projects.

Folder

An optional grouping node between the organization and projects, used to organize resources by departments, environments, or other structures and to apply IAM and policies to groups of projects.

Project

The fundamental unit of organization in Google Cloud that contains resources, defines IAM and quota boundaries, and links to a billing account. Every service resource (VM, bucket, dataset, and so on) belongs to exactly one project.

Project ID vs Project Name

Project name is human-friendly and changeable. Project ID is globally unique and immutable, used in APIs and URLs, chosen at creation, and cannot be reused after the project is deleted. Google also assigns an unchangeable numeric project number.

Billing Account

A resource that represents how you pay for Google Cloud usage. One billing account can fund multiple projects, and each project must be linked to a billing account to incur charges.

Label (Google Cloud)

A key-value pair attached to projects or resources, used for filtering, cost allocation, and automation (for example, env=prod, team=web).


Billing Accounts, Cost Controls, and the Google Cloud Pricing Calculator

Google Cloud pricing calculator

The Google Cloud pricing calculator is a tool that lets you add and configure products to get a cost estimate to share with your team.

Billing account

A Cloud Billing object linked to a Google payments profile that pays for usage from one or more Google Cloud projects.

Project–billing linkage rule

Each project can be linked to zero or one active billing account at a time, while a billing account can fund multiple projects.

Budget

A Cloud Billing configuration that tracks actual and optionally forecasted costs for a billing account and triggers alerts when thresholds are reached.

Budget alerts behavior

Budget alerts send notifications (email or Pub/Sub) at configured thresholds but do not automatically stop or delete resources; if spend must be capped, the Pub/Sub notification has to drive your own automation, such as a function that disables billing on the project.

Committed use discounts

Discounts you receive by committing to use a certain amount of resources (such as vCPU or memory) or specific services for 1 or 3 years.


Cloud SDK, gcloud CLI, and Essential Tools

Cloud SDK

A collection of command-line tools for Google Cloud, including gcloud, gsutil, and bq, used to manage and automate Google Cloud resources. gsutil is now a legacy tool: the gcloud storage command group is the recommended way to work with Cloud Storage, although exam questions may still show gsutil syntax.

gcloud init

An interactive command that authenticates you, creates or selects a configuration, and sets defaults such as project, region, and zone for the gcloud CLI.

gcloud config set project PROJECT_ID

Command to set the default project for gcloud so that subsequent commands target the specified PROJECT_ID without needing explicit --project flags.

gcloud auth login vs gcloud auth application-default login

`gcloud auth login` authenticates the CLI as a user for interactive commands; `gcloud auth application-default login` configures Application Default Credentials for applications and client libraries.

Application Default Credentials (ADC)

A mechanism that allows Google Cloud client libraries and tools to automatically find credentials from the environment, such as a service account attached to a resource or locally configured credentials.

gsutil mb

The gsutil subcommand used to create (make) a new Cloud Storage bucket, for example: `gsutil mb -l us-central1 gs://my-bucket/`. The equivalent in the current CLI is `gcloud storage buckets create gs://my-bucket --location=us-central1`.

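The ADC flashcards above say that client libraries "find credentials from the environment"; which credential they find decides which identity your tool, script, or CI job actually runs as. The following is an added example for this page, not code from Google's auth libraries or from the course. It reproduces the documented ADC search order (GOOGLE_APPLICATION_CREDENTIALS first, then the file written by `gcloud auth application-default login` under the gcloud configuration directory, then the attached service account via the metadata server) without contacting the metadata server, which it only reports as the fallback. The `on_google_cloud` flag and the `warning` text are this example's own additions.

```python
"""Model of the Application Default Credentials (ADC) search order.

Added example, not Google's code. It follows the documented order:
  1. the file named by GOOGLE_APPLICATION_CREDENTIALS;
  2. application_default_credentials.json in the gcloud config directory
     (CLOUDSDK_CONFIG if set, otherwise ~/.config/gcloud);
  3. the service account attached to the Compute Engine / GKE / Cloud Run /
     Cloud Functions resource, served by the metadata server.
Step 3 is only reported here, never queried; `on_google_cloud` is an
assumption the caller supplies instead of probing the metadata server.
"""
import json
import os
from pathlib import Path
from typing import Dict, Optional

ADC_FILENAME = "application_default_credentials.json"


def gcloud_config_dir(env: Dict[str, str]) -> Path:
    """gcloud honours CLOUDSDK_CONFIG; otherwise the well-known per-user directory."""
    if env.get("CLOUDSDK_CONFIG"):
        return Path(env["CLOUDSDK_CONFIG"])
    return Path(env.get("HOME", "")) / ".config" / "gcloud"


def describe_credential_file(path: Path) -> dict:
    """Summarise a credential JSON file by its 'type' field."""
    data = json.loads(path.read_text())
    kind = data.get("type", "unknown")
    info = {"source": str(path), "type": kind}
    if kind == "service_account":
        info["identity"] = data.get("client_email")
        # A downloaded key is a long-lived secret; the exam's "least privilege"
        # answer is usually an attached service account or identity federation.
        info["warning"] = "long-lived private key on disk; prefer an attached service account or workload identity federation"
    elif kind == "authorized_user":
        info["identity"] = "user credential (refresh token from gcloud auth application-default login)"
    elif kind == "external_account":          # workload identity federation config
        info["identity"] = data.get("audience")
    return info


def resolve_adc(env: Optional[Dict[str, str]] = None, on_google_cloud: bool = False) -> Optional[dict]:
    """Return a description of the credential ADC would select, or None."""
    env = os.environ if env is None else env
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        path = Path(explicit)
        if not path.is_file():
            # The real libraries fail here rather than silently falling through.
            raise FileNotFoundError(f"GOOGLE_APPLICATION_CREDENTIALS points to a missing file: {explicit}")
        return {"step": 1, **describe_credential_file(path)}
    well_known = gcloud_config_dir(env) / ADC_FILENAME
    if well_known.is_file():
        return {"step": 2, **describe_credential_file(well_known)}
    if on_google_cloud:
        return {"step": 3, "source": "metadata server", "type": "attached_service_account",
                "identity": "service account attached to the running resource"}
    return None


if __name__ == "__main__":
    print(json.dumps(resolve_adc(), indent=2))
```

Run it on a workstation after `gcloud auth application-default login` and it reports step 2; set GOOGLE_APPLICATION_CREDENTIALS to a downloaded key and step 1 wins, which is exactly how a forgotten environment variable makes a script act as the wrong principal.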

Planning Compute: Choosing Between Compute Engine, GKE, Cloud Run, and Cloud Functions

Compute choices for a given workload

The four core options are: Compute Engine, Google Kubernetes Engine, Cloud Run, Cloud Functions.

Compute Engine (when to use)

Best when you need full OS control, custom drivers or agents, lift-and-shift of legacy apps, or long-running stateful workloads that expect a traditional server.

Google Kubernetes Engine (GKE) core idea

Managed Kubernetes service where Google runs the control plane and you run containers as Kubernetes workloads, ideal for microservices and teams using Kubernetes.

GKE Standard vs Autopilot

Standard: you manage node pools and pay for the node VMs. Autopilot: Google manages the nodes and you pay for the CPU, memory, and ephemeral storage that your pods request, reducing operational overhead.

Cloud Run (when to use)

For stateless, containerized HTTP services or event-driven workloads where you want serverless autoscaling, minimal ops, and pay-per-use pricing, including scaling to zero.

Cloud Functions (when to use)

For small, event-driven pieces of logic triggered by events (Cloud Storage, Pub/Sub, HTTP) where you do not want to manage infrastructure or containers.


Planning Data Storage: Relational, NoSQL, and Analytics Choices

Data storage product choices (list all 5 in order)

The data storage product choices are: Cloud SQL, BigQuery, Firestore, Spanner, Bigtable.

Cloud SQL – primary role and typical workloads

Cloud SQL is a managed relational database service (MySQL, PostgreSQL, SQL Server). It fits transactional applications, OLTP workloads, and legacy migrations that need ACID transactions, joins, and schemas with minimal code changes.

BigQuery – what is it optimized for?

BigQuery is a serverless analytics data warehouse optimized for large-scale SQL analytics, BI, and reporting over huge datasets, with separation of storage and compute.

Firestore – data model and best-fit use cases

Firestore is a NoSQL document database using collections and documents. It is best for mobile and web apps needing flexible schemas, real-time sync, and offline support, especially via Firebase.

Spanner – when choose it over Cloud SQL?

Choose Spanner over Cloud SQL when you need global or regional horizontal scaling, strong external consistency across regions, and relational SQL with multi-row ACID transactions for mission-critical OLTP.

Bigtable – core characteristics and use cases

Bigtable is a wide-column NoSQL store designed for petabyte-scale data, very high throughput, and low-latency access using a row key. It fits time series, IoT, personalization, and large key-value workloads.


Planning Object Storage and Lifecycle Management with Cloud Storage

Cloud Storage

Google Cloud's foundational object storage service for unstructured data, using buckets and objects with high durability and strong consistency.

Bucket

A top-level container in Cloud Storage that holds objects and defines location, default storage class, access control, and lifecycle rules.

Standard storage class

Cloud Storage class optimized for frequently accessed hot data, with low latency and high throughput.

Nearline storage class

Cloud Storage class for data accessed about once a month or less, with lower storage cost but higher access and retrieval costs than Standard.

Coldline storage class

Cloud Storage class for data accessed about once a quarter or less, with very low storage cost and higher access and retrieval costs.

Archive storage class

Cloud Storage class with the lowest storage cost, intended for data accessed less than once a year, with the highest access and retrieval costs.


Designing VPC Networks, Subnets, and Network Service Tiers

VPC network

A global virtual network in Google Cloud that spans regions and contains regional subnets, routes, and firewall rules for connecting and securing resources.

Subnet

A regional IP range (CIDR block) within a VPC used to allocate internal IP addresses to resources like VM instances; can also have secondary ranges for services such as GKE Pods.

Custom mode VPC

A VPC where you manually create and manage all subnets and IP ranges, recommended for production to avoid IP conflicts and to control topology.

Firewall rule priority

An integer from 0 to 65535 where lower numbers mean higher priority. Among rules that match a packet, the one with the lowest priority number wins and determines allow or deny; if an allow and a deny rule match at the same priority, the deny wins. If no rule matches, the implied rules (priority 65535) apply: deny all ingress, allow all egress.

Network Service Tiers

Network Service Tiers is a Google Cloud networking feature that lets you optimize network performance and cost by choosing between different network quality tiers for outbound traffic.

Premium Tier

The network tier that uses Google’s global backbone as much as possible, offering lower latency, more consistent performance, and support for global anycast IPs.

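The firewall priority flashcard is the one exam candidates most often get wrong in practice, because the same-priority tie-break and the implied rules are invisible in the console. The following added example (this page's editor's code, not Google's implementation) models rule selection for a single packet: direction, priority, deny-over-allow at equal priority, and the implied deny-ingress/allow-egress rules. Real rules also match on target tags and service accounts, which this model omits; the rule names and most ranges are constructed (35.235.240.0/20 is the IAP TCP forwarding range and 199.36.153.4/30 the restricted.googleapis.com VIP).

```python
"""How VPC firewall rules pick a winner for one packet.

Added example for this course page; not Google's implementation. It models
only what the flashcards describe: direction, priority, the deny-over-allow
tie-break at equal priority, and the two implied rules. Real rules also
match on targets (network tags, service accounts) and richer protocol/port
specs than the "proto:port[-port]" strings used here. Rule names and most
ranges are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str     # "INGRESS" or "EGRESS"
    action: str        # "ALLOW" or "DENY"
    priority: int      # 0 is highest, 65535 lowest (where the implied rules live)
    ranges: List[str]  # source ranges for INGRESS, destination ranges for EGRESS
    ports: List[str]   # "tcp:22", "tcp:80-443", "icmp", or "all"


def _port_matches(spec: str, proto: str, port: int) -> bool:
    if spec == "all":
        return True
    if ":" not in spec:                 # protocol-only specs such as "icmp"
        return spec == proto
    spec_proto, spec_range = spec.split(":", 1)
    if spec_proto != proto:
        return False
    lo, _, hi = spec_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, direction: str, peer_ip: str, proto: str, port: int) -> bool:
    if rule.direction != direction:
        return False
    if not any(ip_address(peer_ip) in ip_network(r) for r in rule.ranges):
        return False
    return any(_port_matches(p, proto, port) for p in rule.ports)


def evaluate(rules: List[Rule], direction: str, peer_ip: str, proto: str, port: int) -> str:
    """Return "ACTION:rule-name" for the rule that decides this packet."""
    candidates = [r for r in rules if rule_matches(r, direction, peer_ip, proto, port)]
    if not candidates:
        # Implied rules at priority 65535: deny all ingress, allow all egress.
        return "DENY:implied-deny-ingress" if direction == "INGRESS" else "ALLOW:implied-allow-egress"
    best = min(r.priority for r in candidates)            # lowest number wins
    winners = [r for r in candidates if r.priority == best]
    denies = [r for r in winners if r.action == "DENY"]   # deny beats allow at equal priority
    chosen = denies[0] if denies else winners[0]
    return f"{chosen.action}:{chosen.name}"


# Constructed rule set. 35.235.240.0/20 is the IAP TCP forwarding range and
# 199.36.153.4/30 the restricted.googleapis.com VIP; everything else is invented.
RULES = [
    Rule("allow-ssh-from-iap", "INGRESS", "ALLOW", 900, ["35.235.240.0/20"], ["tcp:22"]),
    Rule("deny-ssh-from-internet", "INGRESS", "DENY", 1000, ["0.0.0.0/0"], ["tcp:22"]),
    Rule("allow-web", "INGRESS", "ALLOW", 2000, ["0.0.0.0/0"], ["tcp:80", "tcp:443"]),
    # Same priority on purpose: the deny wins, so the office never gets RDP.
    Rule("allow-rdp-from-office", "INGRESS", "ALLOW", 1500, ["203.0.113.0/24"], ["tcp:3389"]),
    Rule("deny-rdp-from-office", "INGRESS", "DENY", 1500, ["203.0.113.0/24"], ["tcp:3389"]),
    Rule("allow-egress-google-apis", "EGRESS", "ALLOW", 900, ["199.36.153.4/30"], ["tcp:443"]),
    Rule("deny-all-egress", "EGRESS", "DENY", 65000, ["0.0.0.0/0"], ["all"]),
]


if __name__ == "__main__":
    for args in [("INGRESS", "35.235.240.5", "tcp", 22), ("INGRESS", "198.51.100.7", "tcp", 22),
                 ("INGRESS", "203.0.113.9", "tcp", 3389), ("EGRESS", "8.8.8.8", "udp", 53)]:
        print(args, "->", evaluate(RULES, *args))
```

Note that the IAP allow at 900 only works because it outranks the 1000 deny; put both at 1000 and SSH through IAP is silently blocked, which is the tie-break the flashcard describes.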

Cost Estimation and Architecture Trade-offs with the Google Cloud Pricing Calculator

Google Cloud pricing calculator

The Google Cloud pricing calculator is a tool that lets you add and configure products to get a cost estimate to share with your team.

Four compute choices for a given workload

Compute Engine, Google Kubernetes Engine, Cloud Run, Cloud Functions.

Data storage product choices (5 items)

Cloud SQL, BigQuery, Firestore, Spanner, Bigtable.

Cloud Storage classes in this course (4 items)

Standard, Nearline, Coldline, Archive. Regional Persistent Disk is a Compute Engine block storage option, not a Cloud Storage class, and does not belong in this list.

Network Service Tiers definition

Network Service Tiers is a Google Cloud networking feature that lets you optimize network performance and cost by choosing between different network quality tiers for outbound traffic.

When are serverless compute options usually cheaper?

When workloads are bursty, low-volume, or have long idle periods, because you pay per request and resource-seconds instead of per VM-hour.


Deploying and Managing Compute Engine Virtual Machines

Compute Engine instance

A virtual machine (VM) running on Google Cloud's infrastructure. You configure its machine type, disks, network, service account, metadata, and more.

Machine type

A predefined or custom combination of vCPUs and memory for a Compute Engine instance, such as e2-medium or n2-standard-4.

Boot disk vs data disk

The boot disk holds the operating system and is required for the VM to start. Data disks are additional persistent disks used to store application and user data.

Snapshot

A point-in-time, incremental backup of a persistent disk that can be used to create or restore disks in any region.

Image

A disk template, usually containing an operating system and optional software, used to create boot disks for new instances or instance templates.

Instance template

A resource that defines the configuration for VM instances (machine type, disks, image, metadata, tags) and is used by managed instance groups to create identical VMs.


Deploying Containers with Google Kubernetes Engine

Google Kubernetes Engine (GKE)

A managed Kubernetes service on Google Cloud where Google runs the Kubernetes control plane and you run containerized workloads on worker nodes.

GKE Autopilot mode

An operation mode where Google fully manages the cluster's nodes and you are billed mainly for pod resources, focusing on workloads instead of infrastructure.

GKE Standard mode

An operation mode where you manage node pools, machine types, and some maintenance, and are billed per node VM plus related cluster costs.

Zonal vs Regional cluster

Zonal: control plane and nodes in one zone, lower cost but less resilient. Regional: control plane (and often nodes) spread across zones in a region for higher availability.

Private GKE cluster

A cluster where nodes have internal IPs only and control plane access can be private, reducing exposure to the public internet.

Pod

The smallest deployable Kubernetes unit, usually one container, sharing network and storage with any sidecar containers.


Serverless Containers and Functions: Deploying with Cloud Run and Cloud Functions

Cloud Run service

The top-level Cloud Run resource that has a stable URL and routes incoming HTTP(S) requests to one or more immutable revisions according to configured traffic percentages.

Cloud Run revision

An immutable snapshot of a Cloud Run service's container image and configuration (CPU, memory, environment variables, concurrency, etc.) created on each deployment.

Traffic splitting (Cloud Run)

A feature that lets you route different percentages of a Cloud Run service's traffic to multiple revisions, enabling gradual rollouts and canary deployments without extra load balancers.

Cloud Functions trigger

The configuration that defines how a Cloud Function is invoked, such as an HTTP trigger (HTTPS endpoint) or an event-driven trigger from services like Pub/Sub, Cloud Storage, or Firestore.

Event-driven function

A Cloud Function that runs automatically in response to events from Google Cloud services (for example, a new object in Cloud Storage or a Pub/Sub message), rather than direct HTTP requests.

Autoscaling (Cloud Run)

Cloud Run's ability to automatically adjust the number of container instances based on concurrent HTTP request load, within optional min and max instance limits and concurrency settings.


Deploying App Engine Applications and Choosing Runtimes

App Engine application

A top-level construct tied to a Google Cloud project and region. Each project can have at most one App Engine application, and its region cannot be changed after creation.

App Engine service

A logical component within an App Engine application, defined by its own `app.yaml`. Services (like `default`, `api`, `worker`) have independent code, configuration, scaling, and traffic settings.

App Engine version

An immutable deployment of a service. Each deployment creates a new version. Multiple versions can run at once, enabling testing, gradual rollouts, and quick rollbacks.

App Engine standard environment

An App Engine environment that runs apps in Google-managed language sandboxes, with fast automatic scaling, a free tier, and some runtime restrictions (e.g., limited local disk writes and background work).

App Engine flexible environment

An App Engine environment that runs apps in Docker containers on Compute Engine VMs, supporting custom runtimes and system libraries with more control but slower scaling and higher minimum cost.

automatic_scaling (standard)

A scaling mode where App Engine adjusts instance count based on traffic and CPU. You configure settings like `min_instances`, `max_instances`, and `target_cpu_utilization` in `app.yaml`.


Deploying Storage and Database Solutions: Cloud Storage, Cloud SQL, and BigQuery

Cloud Storage bucket location

The region or multi-region where bucket data is stored. It affects latency, data residency, and must be compatible with BigQuery dataset locations for load/export jobs.

Cloud Storage classes (name all)

The Cloud Storage classes are: Standard, Nearline, Coldline, Archive. (Regional Persistent Disk is Compute Engine block storage, not a Cloud Storage class.)

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

service account

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Cloud SQL private IP vs public IP

Private IP places the instance on a VPC network (through private services access), so VMs and GKE nodes in that VPC, or serverless platforms through Serverless VPC Access, connect without traversing the public internet. Public IP is reachable from the internet and should be restricted with authorized networks, the Cloud SQL Auth Proxy, and TLS.

BigQuery dataset

A top-level container in BigQuery that holds tables and views and is bound to a specific location (region or multi-region).


Deploying and Configuring VPC Networks, Shared VPC, and Load Balancing

VPC network

A global, logically isolated virtual network in Google Cloud that spans all regions and contains regional subnets where resources like VMs and GKE clusters are deployed.

Subnet

A regional segment of a VPC network with its own IP range in CIDR notation; resources attach to a specific subnet in a specific region.

Custom mode VPC

A VPC where you manually create and manage subnets and IP ranges, giving full control over network layout; preferred for production.

Shared VPC

A feature that lets you configure a VPC network in a host project and share its subnets with service projects in the same organization for centralized networking.

Host project (Shared VPC)

The project that owns the Shared VPC network, its subnets, and firewall rules, and shares them with attached service projects.

Service project (Shared VPC)

A project that uses subnets from a host project's Shared VPC to deploy its own resources into the shared network.


Managing Compute Engine: Updates, Availability, and Troubleshooting

Instance lifecycle: RUNNING vs TERMINATED billing

RUNNING: you pay for vCPU, RAM, and attached disks. TERMINATED: you stop paying for vCPU/RAM, but persistent disks and static external IPs still incur charges until deleted or released.

Managed instance group (MIG)

A group of identical VM instances created from an instance template. It supports autoscaling, autohealing, and rolling updates, and is used for stateless, horizontally scaled workloads.

Instance template

A reusable configuration for VM instances, including machine type, image, disks, metadata, startup scripts, and service account. MIGs use it to create and update instances.

Rolling update: maxSurge

The maximum number of additional instances (above the target size) that can be created during an update. Higher values speed up updates but can increase cost and capacity spikes.

Rolling update: maxUnavailable

The maximum number of instances that can be unavailable during an update. Lower values protect availability but slow the rollout.

On host maintenance: MIGRATE vs TERMINATE

MIGRATE uses live migration to move VMs to another host during maintenance without rebooting. TERMINATE stops the VM; it may restart later if automatic restart is enabled.


Operating Google Kubernetes Engine and Cloud Run Services

Deployment (GKE)

A Kubernetes controller that manages ReplicaSets and provides declarative updates to pods, including rolling updates and rollbacks. It is the main object you scale and update for stateless workloads.

Horizontal Pod Autoscaler (HPA)

A Kubernetes feature that automatically adjusts the number of pod replicas in a scalable resource (such as a Deployment) based on observed metrics like CPU utilization.

Cluster autoscaler (GKE)

A feature that automatically adjusts the number of nodes in a node pool based on pods that cannot be scheduled due to insufficient resources, within configured min and max node counts.

Cloud Run revision

An immutable snapshot of a Cloud Run service's code and configuration (image, env vars, CPU/memory, concurrency, etc.). Each deployment or config change creates a new revision, and traffic can be routed to one or more revisions.

Cloud Run concurrency

The number of simultaneous requests a single Cloud Run container instance can handle. Lower values can reduce latency but may increase the number of instances and cost.

Cloud Run min-instances

A setting that keeps at least a specified number of Cloud Run container instances warm, reducing cold-start latency at the cost of running resources even when idle.


Operating App Engine, Cloud Functions, and Event-Driven Architectures

App Engine service

A logical component of an App Engine application (such as default, api, worker), each with its own configuration, scaling settings, and traffic splitting.

App Engine version

A specific deployment of an App Engine service, consisting of code and configuration. Multiple versions can exist at once; traffic can be routed to one or split between several.

Automatic scaling (App Engine standard)

Scaling mode where App Engine automatically adjusts the number of instances based on request rate, response latency, and other factors. You can tune min_instances, max_instances, and related parameters.

Cold start (App Engine / Cloud Functions)

The extra latency experienced when a platform must create a new instance to handle a request or event, typically after a period of idleness or during scale-out.

Cloud Functions 2nd gen

The newer generation of Cloud Functions built on Cloud Run and Eventarc, supporting higher concurrency, more trigger types, and additional configuration options such as CPU.

Max instances (Cloud Functions)

A configuration limit that caps how many instances of a function can run concurrently. Too low can cause throttling and backlogs; higher values increase parallelism and potential cost.


Operating Storage and Databases: Cloud Storage, Cloud SQL, and BigQuery

Cloud Storage lifecycle rule

A configuration on a bucket that automatically transitions objects between storage classes or deletes them based on conditions such as object age, storage class, or version state, helping manage cost and retention.

Object versioning in Cloud Storage

A feature that keeps multiple generations of an object when it is overwritten or deleted, allowing recovery of previous versions at the cost of additional storage usage.

Retention policy in Cloud Storage

A bucket-level setting that enforces a minimum time before objects can be deleted or overwritten. Once locked, it cannot be shortened or removed, supporting compliance requirements.

Automated backups in Cloud SQL

Daily backups taken automatically during a configured window, stored for a defined retention period, and used for restoring instances or enabling point-in-time recovery.

High availability (HA) in Cloud SQL

A configuration where a primary instance replicates synchronously to a standby in another zone within the same region, enabling automatic failover on primary failure.

BigQuery partitioning

A table design technique that divides data into segments, typically by date or ingestion time, so queries that filter on the partition column scan fewer bytes and cost less.

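The lifecycle-rule, object-versioning and retention-policy flashcards above describe three features that interact, and exam scenarios turn on the details: conditions inside one rule are ANDed, age counts from creation rather than from the last transition, and a locked retention policy stops a Delete action until the retention period has passed. The following added example (the editor's code, not Google's implementation or the course's) simulates one evaluation pass of a lifecycle policy over object metadata. The policy uses the JSON shape accepted by `gcloud storage buckets update --lifecycle-file` and `gsutil lifecycle set`; the object dictionaries, the retention handling, and the rule that the cheapest class wins among competing transitions are this model's own simplifications.

```python
"""Simulating Cloud Storage lifecycle rules against object metadata.

Added example, not Google's implementation. The evaluator models the
behaviour the flashcards rely on: every condition in a rule must hold,
age counts from the object's creation time, Delete wins over
SetStorageClass when both match, the cheapest class wins among competing
transitions, and a bucket retention policy defers deletion until the
retention period has passed. Object dictionaries are constructed input.
"""
from datetime import date
from typing import Optional

CLASS_ORDER = ["STANDARD", "NEARLINE", "COLDLINE", "ARCHIVE"]  # decreasing at-rest cost

# Constructed policy: tier live data down over time, expire old noncurrent versions.
LIFECYCLE_POLICY = {"rule": [
    {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
     "condition": {"age": 30, "matchesStorageClass": ["STANDARD"], "isLive": True}},
    {"action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},
     "condition": {"age": 90, "matchesStorageClass": ["NEARLINE"], "isLive": True}},
    {"action": {"type": "SetStorageClass", "storageClass": "ARCHIVE"},
     "condition": {"age": 365, "matchesStorageClass": ["COLDLINE"], "isLive": True}},
    {"action": {"type": "Delete"},
     "condition": {"isLive": False, "numNewerVersions": 3}},
    {"action": {"type": "Delete"},
     "condition": {"isLive": False, "daysSinceNoncurrentTime": 30}},
]}


def condition_matches(cond: dict, obj: dict, today: date) -> bool:
    """All keys in the condition must hold (AND semantics)."""
    if "age" in cond and (today - obj["created"]).days < cond["age"]:
        return False
    if "matchesStorageClass" in cond and obj["storageClass"] not in cond["matchesStorageClass"]:
        return False
    if "isLive" in cond and obj["isLive"] != cond["isLive"]:
        return False
    if "numNewerVersions" in cond and obj.get("newerVersions", 0) < cond["numNewerVersions"]:
        return False
    if "daysSinceNoncurrentTime" in cond:
        nct = obj.get("noncurrentTime")
        if nct is None or (today - nct).days < cond["daysSinceNoncurrentTime"]:
            return False
    return True


def apply_policy(policy: dict, obj: dict, today: date,
                 retention_days: Optional[int] = None) -> Optional[str]:
    """Return the action for this pass: 'DELETE', 'SET:<class>' or None."""
    actions = [r["action"] for r in policy["rule"] if condition_matches(r["condition"], obj, today)]
    if any(a["type"] == "Delete" for a in actions):
        under_retention = retention_days is not None and (today - obj["created"]).days < retention_days
        if not under_retention:
            return "DELETE"
        # Retention policy in force: the Delete is deferred; this model still
        # evaluates transitions so the caller sees what else would have applied.
    classes = [a["storageClass"] for a in actions if a["type"] == "SetStorageClass"]
    if not classes:
        return None
    return "SET:" + max(classes, key=CLASS_ORDER.index)


if __name__ == "__main__":
    today = date(2026, 5, 20)
    old_standard = {"created": date(2025, 1, 1), "storageClass": "STANDARD", "isLive": True}
    # Only the STANDARD -> NEARLINE rule matches: the chain advances one step per pass.
    print(apply_policy(LIFECYCLE_POLICY, old_standard, today))
```

The last case in the script is the exam trap: a 500-day-old Standard object is not archived in one go, because the Coldline and Archive rules require the object to already be in the previous class.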

Cloud Logging and Cloud Monitoring: Observability Foundations

Cloud Logging

Google Cloud’s central logging service used to collect, store, view, and route logs from Google Cloud services and applications.

Cloud Monitoring

Google Cloud’s core monitoring service used to collect metrics, build dashboards, configure uptime checks, and create alerting policies.

Log-based metric

A metric derived from log entries that match a specified filter, typically used as a counter or distribution in Cloud Monitoring.

Gauge metric

A metric type that represents the current value at a point in time, such as CPU utilization or memory usage.

Cumulative metric

A metric type that represents a value that increases over time and may reset, such as total bytes sent.

Logs Explorer

The Cloud Logging interface where you can query, filter, and inspect log entries using a UI builder or logging query language.


Advanced Logging, Metrics, and Troubleshooting Across Services

Log bucket (Cloud Logging)

A storage container in Cloud Logging that holds log entries with its own location, retention, and access control, separate from Cloud Storage buckets.

Log sink

A routing rule attached to the Cloud Logging router that selects log entries with filters and sends them to a destination such as a log bucket, Cloud Storage, BigQuery, or Pub/Sub.

Log-based metric

A Cloud Monitoring metric derived from log entries that match a filter in Cloud Logging, used to count events or measure distributions like latency.

Counter vs Distribution log-based metrics

Counter metrics count how many log entries match a filter. Distribution metrics extract a numeric value from each matching entry and track its distribution over time.

Common IAM error pattern in logs

Messages containing PERMISSION_DENIED or insufficient authentication scopes, often with principalEmail, indicating missing or incorrect IAM roles or service accounts.

Common quota error pattern in logs

Messages containing RESOURCE_EXHAUSTED, Quota exceeded, or HTTP 429, indicating that a service-specific quota or rate limit has been reached.

Identity and Access Management Fundamentals and IAM Role Types

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

Service account

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Principal (identity)

An entity that can be granted access in IAM, such as a user, group, service account, domain, or special identities like allUsers.

Resource hierarchy (top to bottom)

Organization → Folder(s) → Project → Child resources (e.g., buckets, VMs, datasets). IAM policies can attach at each level and inherit downwards.

IAM role types (list them)

Three IAM role types: basic, predefined, custom.

Basic roles

roles/viewer, roles/editor, roles/owner. Very broad, span many services in a project. Historically called primitive roles; now referred to as basic roles.

Configuring IAM Policies, Basic Roles, and Resource-Level Permissions

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

Three IAM role types

The IAM role types are: basic, predefined, custom.

Basic roles

Legacy, broad roles: `roles/viewer`, `roles/editor`, `roles/owner`. They apply across most services in a project and should be used carefully due to over-privilege.

Predefined roles

Google-managed roles tailored to specific services and job functions, such as `roles/compute.instanceAdmin` or `roles/storage.objectViewer`. Preferred for least privilege when they fit.

Custom roles

User-defined roles at the project or organization level that bundle selected permissions when predefined roles do not meet exact requirements.

Service account

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Service Accounts, Workload Identity, and Secure Service-to-Service Access

Service account

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Least privilege for service accounts

Grant each service account only the specific predefined or custom roles it needs on specific resources, avoid project-level basic roles like Editor, and use separate service accounts for different applications or trust boundaries.

Service account key risk

JSON key files are long-lived secrets. If leaked, an attacker can act as the service account until the key is revoked. Modern best practice is to avoid keys and use impersonation or platform-managed short-lived tokens.

Service account impersonation

A pattern where a user or service account with roles like roles/iam.serviceAccountTokenCreator obtains short-lived tokens to act as another service account, without needing to download a key file.

Workload Identity (GKE)

A mechanism that maps Kubernetes service accounts to Google Cloud service accounts so that GKE workloads can obtain short-lived credentials to call Google Cloud APIs without node-wide credentials or JSON keys.

GKE KSA vs GSA

A Kubernetes service account (KSA) is an identity inside the cluster for pods. A Google Cloud service account (GSA) is an IAM identity used to call Google Cloud APIs. Workload Identity links a KSA to a GSA.

Network Security, Shared VPC, and Perimeter Controls

Shared VPC: host project

The project that owns the VPC network(s), subnets, routes, and firewall rules and shares them with one or more service projects.

Shared VPC: service project

A project that attaches its resources (such as VM instances or GKE clusters) to subnets in a Shared VPC host project while keeping its own IAM and billing.

Firewall rule priority

An integer from 0 (highest) to 65535 (lowest). Rules are evaluated in order of increasing priority number; the first match wins.

Implicit firewall behavior

Firewall rules are stateful and there is an implicit deny-all rule at the end. If no rule matches, traffic is blocked.

Private Google Access

A subnet-level setting that lets VMs without external IP addresses reach Google APIs and services using their internal IPs.

Private Service Connect (high level)

A feature that creates private endpoints in your VPC so you can access Google APIs, Google-managed services, or third-party services without using public IPs.

Audit Logs, Cloud Logging, and Compliance-Oriented Monitoring

Cloud Audit Logs: Admin Activity

Audit logs that record administrative operations that modify configuration or metadata (for example, creating VMs, changing firewall rules, modifying IAM policies). Always enabled and stored at no additional cost within quotas.

Cloud Audit Logs: Data Access

Audit logs that record API calls which read or write user data (for example, reading Cloud Storage objects, querying BigQuery tables). Often disabled or partially disabled by default due to volume; enable them per project/service as needed.

Cloud Audit Logs: System Event

Audit logs that record Google-managed operations affecting your resources, such as infrastructure maintenance or autoscaling-related actions.

Cloud Audit Logs: Policy Denied

Audit logs that record requests blocked by organization policies or perimeter controls (such as Org Policy constraints or VPC Service Controls) before they reach the target service.

Logs Explorer

The Cloud Logging interface where you can search, filter, and view logs (including Cloud Audit Logs) across your projects, folders, and organizations.

Log Sink

A Cloud Logging configuration that routes selected logs (based on a filter) to a destination such as Cloud Storage, BigQuery, or Pub/Sub, often used for long-term retention or external analysis.

Final Review, Exam-Taking Strategies, and Practice Scenarios

Associate Cloud Engineer

An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics.

Identity and Access Management (IAM)

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

IAM role types

Three types: basic (Owner, Editor, Viewer), predefined (service-specific curated roles), custom (you choose individual permissions).

Service account

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Compute choices for a workload

Compute Engine, Google Kubernetes Engine, Cloud Run, Cloud Functions.

Data storage product choices

Cloud SQL, BigQuery, Firestore, Spanner, Bigtable.