The Google Associate Cloud Engineer (ACE) is Google Cloud's foundational hands-on certification. It tests your ability to deploy applications, monitor operations, and manage enterprise solutions on Google Cloud Platform. You'll need to know which service to use for a given workload and the gcloud commands to configure and deploy it. If you're building a career in cloud or want a vendor-recognized credential for GCP, the ACE is where to start.
This guide covers what the exam tests, which topics trip people up most, and how to prepare efficiently.
Exam Overview
| Detail | Value |
|---|---|
| Exam code | ACE |
| Questions | ~50 (multiple choice and multiple select) |
| Time limit | 2 hours |
| Passing score | Not published (~70% per community reports) |
| Cost | $125 USD |
| Delivery | Online with remote proctor or Kryterion testing center |
| Certification validity | 3 years |
| Prerequisites | None (6+ months of hands-on experience recommended) |
The two-hour window is comfortable for most candidates. The trickier questions are command-recognition questions where you need to identify the right gcloud flag or subcommand. Reading through documentation once won't build that muscle memory. You need to practice.
Exam Domains
| Domain | Weight |
|---|---|
| Deploying and implementing a cloud solution | 25% |
| Ensuring successful operation of a cloud solution | 20% |
| Configuring access and security | 20% |
| Planning and configuring a cloud solution | 18% |
| Setting up a cloud solution environment | 17% |
Deploying and implementing carries the most weight at 25%. It's the broadest domain, covering Compute Engine, GKE, Cloud Run, App Engine, Cloud Functions, Cloud Storage, and database services. Access and security at 20% is heavily tested and often where candidates lose points they didn't expect to.
Core Services to Master
Compute Options
The ACE exam tests your ability to pick the right compute service for a scenario. You need to know when to use each one.
- Compute Engine: IaaS virtual machines. Use when you need full OS control, custom software, or lift-and-shift migrations. You manage patching, scaling, and configuration.
- Google Kubernetes Engine (GKE): Managed Kubernetes clusters. Use for containerized applications that need orchestration. GKE handles the control plane; you manage the workloads.
- Cloud Run: Fully managed containers. Use for stateless HTTP services that scale to zero. No infrastructure to manage, no cluster to configure.
- App Engine: PaaS for web applications. Standard environment supports specific runtimes with strict constraints. Flexible environment runs custom containers. Standard is cheaper and scales to zero faster.
- Cloud Functions: Event-driven serverless functions. Use for single-purpose tasks triggered by Cloud Storage events, Pub/Sub messages, or HTTP requests.
The exam often gives a scenario and asks you to pick the most appropriate service. Key distinctions: Compute Engine if you need OS-level control, GKE if you're orchestrating containers, Cloud Run for stateless containers without managing infrastructure, Cloud Functions for event-driven glue code.
Storage and Databases
Getting storage questions right requires knowing which service is optimized for which access pattern.
- Cloud Storage: Object storage for any unstructured data. Storage classes include Standard, Nearline (access once a month), Coldline (access once a quarter), and Archive (access once a year or less). Know when to use each class and how lifecycle policies automate transitions.
- Cloud SQL: Managed relational databases. Supports PostgreSQL, MySQL, and SQL Server. Use for traditional RDBMS workloads where you want Google managing backups, patching, and failover.
- Cloud Spanner: Fully managed, horizontally scalable relational database with global consistency. Use when you need SQL semantics at planet-scale with multi-region replication.
- Firestore: Managed NoSQL document database with strong consistency and real-time sync. Use for mobile and web app backends.
- Bigtable: Managed wide-column NoSQL database designed for massive throughput at low latency. Use for IoT telemetry, time-series data, or financial data with millions of writes per second.
- BigQuery: Serverless data warehouse for analytics. Use for running SQL queries over large datasets, not for transactional workloads.
Networking
VPC and networking questions appear throughout the exam. Know the core building blocks.
- VPC networks: Your private network in Google Cloud. Resources in a VPC can communicate over internal IPs. Subnets are regional, but VPC networks are global.
- Firewall rules: Control traffic to and from VM instances based on IP range, protocol, and port. The default is implied deny-all ingress and implied allow-all egress. Always evaluate priority order.
- Cloud Load Balancing: External HTTP(S) load balancing handles global traffic at layer 7. Network load balancing handles TCP/UDP at layer 4. Internal load balancers keep traffic within your VPC.
- Cloud VPN and Cloud Interconnect: Cloud VPN creates encrypted tunnels to on-premises networks over the public internet. Cloud Interconnect provides dedicated private connectivity for high throughput and low latency requirements.
- Cloud DNS: Managed DNS service for hosting public and private DNS zones.
IAM and Security
IAM is deeply tested across every domain. Get comfortable with how Google Cloud structures access control.
- Roles: Primitive roles (Owner, Editor, Viewer) are coarse-grained and should be avoided in production. Predefined roles give specific access to individual services. Custom roles let you define exactly which permissions to grant.
- Service accounts: Identities for applications and VMs, not people. Attach service accounts to resources to grant them permissions to call Google Cloud APIs.
- Organization policy: Service-level controls that apply across your entire organization regardless of IAM bindings. Use to enforce constraints like restricting which regions resources can be created in.
- Cloud KMS: Managed key management. Create, rotate, and destroy cryptographic keys. Use Customer-Managed Encryption Keys (CMEK) when you need control over the key lifecycle.
- Secret Manager: Store API keys, passwords, and certificates. Applications fetch secrets at runtime rather than hardcoding them in config.
Monitoring and Operations
The operations domain covers Cloud Monitoring, Cloud Logging, and the tools you use to observe and troubleshoot running systems.
- Cloud Monitoring: Collects metrics from Google Cloud services and your VMs. Create dashboards, alerting policies, and uptime checks. Metrics Explorer lets you explore time-series data interactively.
- Cloud Logging: Centralized log management. Logs from Google Cloud services and applications land here automatically. Use log-based metrics to turn log data into Monitoring metrics. Log sinks export logs to BigQuery, Cloud Storage, or Pub/Sub.
- Cloud Trace: Shows request latency and how time is spent across your services. Useful for finding bottlenecks in distributed applications.
- Error Reporting: Aggregates and displays application errors with stack traces, so you can identify what's breaking and how often.
Common Exam Traps
Compute choice scenarios: The exam loves giving you a scenario and asking which compute service is "most appropriate." Read carefully for clues. "Stateless HTTP workload that needs to scale to zero" points to Cloud Run. "Legacy application requiring a specific OS version" points to Compute Engine. "Containerized microservices at scale" points to GKE.
Storage class minimum durations: Archive storage has a 365-day minimum storage duration. Coldline has 90 days. Nearline has 30 days. Deleting objects before the minimum doesn't save money; you're charged for the full duration.
IAM role granularity: Primitive roles apply broadly. If a question asks for the least-privilege solution, the answer is almost always a predefined or custom role, not Editor or Owner.
VPCs are global, subnets are regional: This catches people coming from AWS. In Google Cloud, a single VPC can span every region. Subnets are regional resources within that VPC.
gcloud command structure: Many questions test specific gcloud commands and flags. The pattern is gcloud <component> <resource-type> <command> --flags. For example, gcloud compute instances create or gcloud container clusters get-credentials. Know the most common subcommands for compute, container, and storage.
Default service account permissions: The default compute service account has Editor-level access on the project. The exam consistently rewards answers that use dedicated service accounts with the minimum necessary permissions instead.
Study Plan
| Week | Focus |
|---|---|
| 1 | Setup and planning: IAM, billing, gcloud CLI basics, resource hierarchy (org, folder, project) |
| 2 | Compute services: Compute Engine, GKE, Cloud Run, App Engine, Cloud Functions |
| 3 | Storage and databases: Cloud Storage classes, Cloud SQL, Spanner, Bigtable, Firestore, BigQuery |
| 4 | Networking: VPC, firewall rules, load balancing, Cloud VPN, Cloud Interconnect |
| 5 | Operations and security: Cloud Monitoring, Cloud Logging, IAM deep dive, KMS, Secret Manager |
| 6 | Practice exams, weak-area review, gcloud command drill |
Most candidates with some cloud background need 4-6 weeks. If you're coming from another cloud provider, mapping the service equivalents takes a week to internalize. If you're new to cloud entirely, plan for 8-10 weeks and spend real time in Cloud Console and Cloud Shell doing hands-on tasks.
Recommended Resources
- Cloud Skills Boost: Google's official ACE learning path includes labs where you work in real Google Cloud environments. The labs are the most valuable part.
- Official exam guide: The Google Cloud ACE exam guide lists every topic in scope. Use it to audit your preparation.
- Google Cloud documentation: The service-level docs are thorough. For any service you're unsure about, the "Overview" and "Key concepts" pages in the official docs are usually more useful than third-party summaries.
- gcloud cheat sheet: Google publishes a gcloud CLI cheat sheet. Drill the most common commands for compute, container, and storage.
- Practice exams: Work through multiple question sets to build command-recognition reflexes and catch gaps in your conceptual knowledge before exam day.
Final Thoughts
The ACE exam rewards people who actually use Google Cloud. Reading documentation builds awareness; hands-on practice builds the muscle memory you need for command-recognition questions. Spend time in Cloud Console and Cloud Shell alongside your study materials, not just in textbooks.
When you're scoring consistently above 80% on practice sets, you're ready to book the exam.
Ready to test where you stand? Try our ACE practice exams and find out which domains need more attention.