ACE — (Google Cloud Certified: Associate Cloud Engineer – ) Exam Blueprint

Practical exam blueprint for Google Cloud ACE candidates preparing for the Google Cloud Certified: Associate Cloud Engineer exam.

How to Use This Exam Blueprint

This checklist is for candidates preparing for the Google Cloud (Google Cloud Certified: Associate Cloud Engineer – ACE) exam, code ACE. Use it as a practical readiness map: review each topic area, confirm you can perform the task, and identify weak spots before moving into final practice.

The ACE exam is commonly associated with day-to-day Google Cloud engineering work: configuring cloud resources, deploying workloads, managing access, operating services, and troubleshooting common issues. This page does not assign exact weights or claim official scoring rules. Treat the sections below as readiness areas to verify before exam day.

Topic-Area Readiness Table

Readiness areaWhat to reviewYou are ready when you can…
Google Cloud resource hierarchyOrganizations, folders, projects, resources, labels, naming, project selectionExplain where policies apply and choose the correct project, folder, or organization scope for a task
Identity and access managementIAM roles, principals, service accounts, least privilege, policy bindingsGrant only the access needed and identify when a service account is required
Billing and cost awarenessBilling accounts, project billing, budgets, alerts, labels, committed or sustained usage concepts at a high levelConnect projects to billing, use labels for cost allocation, and recognize basic cost-control choices
Cloud Shell and CLI basicsGoogle Cloud console, Cloud Shell, gcloud, configuration, active project, region, zoneUse the CLI safely without accidentally targeting the wrong project or location
Compute EngineVM instances, machine types, boot disks, images, metadata, startup scripts, instance groupsChoose, deploy, connect to, resize, stop, troubleshoot, and monitor VM-based workloads
Google Kubernetes EngineClusters, nodes, workloads, Services, Ingress, autoscaling concepts, kubectl basicsDeploy a containerized workload, expose it, inspect pods, and identify common cluster issues
Serverless and application hostingCloud Run, App Engine, Cloud Functions at a practical selection levelChoose an appropriate managed compute option based on container, event, request, and operational needs
Storage servicesCloud Storage, persistent disks, Filestore basics, backup/snapshot conceptsPick the right storage option for object, block, or shared file needs
Databases and data servicesCloud SQL, Firestore, Bigtable, Spanner, Memorystore, BigQuery at a service-selection levelMatch database options to relational, document, wide-column, global, cache, and analytics scenarios
NetworkingVPCs, subnets, firewall rules, routes, external/internal IPs, Cloud NAT, load balancing, DNS, VPN/interconnect conceptsExplain how traffic flows and troubleshoot basic connectivity problems
Security controlsIAM, service accounts, firewall rules, encryption concepts, Secret Manager, OS Login, audit logsApply least privilege and identify where access should be controlled
Deployment and configurationInfrastructure setup, deployment commands, container images, environment variables, rollout checksDeploy resources predictably and verify that the expected version/configuration is running
Monitoring, logging, and operationsCloud Logging, Cloud Monitoring, alerts, metrics, uptime checks, error reporting conceptsFind logs and metrics, create basic alerts, and diagnose service health problems
Backup, resiliency, and recoverySnapshots, managed backups, multi-zone/regional concepts, restart behavior, health checksIdentify how to reduce downtime and recover from common failure scenarios
Troubleshooting workflowPermissions, quotas, network paths, health checks, logs, service status, misconfigurationNarrow a problem using evidence rather than guessing

Core Google Cloud Foundations

Resource Hierarchy and Project Control

Checklist:

  • Explain the relationship between organization, folders, projects, and resources.
  • Identify which project a command or deployment will affect.
  • Recognize when a policy should be applied at project, folder, or organization level.
  • Use labels to organize resources for cost, ownership, environment, or application tracking.
  • Distinguish project identity from billing identity.
  • Understand that many Google Cloud resources are regional, zonal, or global.

Can you answer these?

PromptReady answer
A team needs separate dev and prod environments. Where can separation happen?Usually by separate projects and/or folders, with IAM, billing, network, and policy separation as needed
A user cannot see a resource. What do you check first?Active project, IAM permissions, resource location, and whether the resource exists in the expected scope
A cost report needs to group resources by team. What helps?Consistent labels and project structure

Console, Cloud Shell, and CLI Readiness

You should be comfortable moving between the Google Cloud console and CLI.

Key command patterns to recognize:

gcloud config list
gcloud config set project PROJECT_ID
gcloud config set compute/region REGION
gcloud config set compute/zone ZONE
gcloud auth list

Readiness checks:

  • Confirm the active account before running a command.
  • Confirm the active project before creating or deleting resources.
  • Know when to specify --project, --region, or --zone.
  • Understand that an operation may fail because the wrong project, account, region, or zone is selected.
  • Use describe, list, and logs before changing a resource.

Common trap: running a command successfully, but in the wrong project or zone.

IAM and Security Readiness

IAM Roles, Principals, and Policy Bindings

ConceptWhat to know for ACE readiness
PrincipalA user, group, service account, or identity that can receive access
RoleA collection of permissions
Basic rolesBroad roles that are often too permissive for least-privilege design
Predefined rolesGoogle-managed roles for common job functions
Custom rolesRoles created for specific permission sets when predefined roles do not fit
Policy bindingConnects a principal to a role at a resource scope
Service accountIdentity used by workloads and services, not a human user

Checklist:

  • Grant a user or group access to a project.
  • Grant a service account access to another resource.
  • Explain why least privilege matters.
  • Identify when a predefined role is safer than a broad basic role.
  • Recognize that permissions are inherited through the resource hierarchy.
  • Distinguish granting access to a service account from allowing a user to act as that service account.
  • Understand that some Google Cloud services use service agents.

Example command patterns:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:person@example.com" \
  --role="roles/viewer"

gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
  --display-name="App runtime service account"

Security Scenario Checks

ScenarioWhat the exam may testGood decision path
A VM application needs to read from Cloud StorageWorkload identity and least privilegeAttach or configure a service account with an appropriate storage role
A developer needs temporary troubleshooting visibilityLeast privilege and scopeGrant a focused role at the narrowest practical scope
A user can deploy but the application cannot access a databaseHuman IAM vs workload IAMCheck the runtime service account and database permissions
A port is unreachable from the internetNetwork security pathCheck firewall rules, external IP, load balancer, routes, and service health
Secrets are stored in code or environment filesSecret handlingUse a managed secret approach such as Secret Manager where appropriate

IAM Weak Areas

  • Confusing project owner/editor/viewer with least-privilege roles.
  • Granting permissions to a human user when the workload’s service account needs them.
  • Forgetting inherited permissions from folder or organization level.
  • Assuming an IAM role fixes a network firewall problem.
  • Assuming a firewall rule fixes an IAM denial.
  • Not checking whether the active account is the expected identity.

Compute Engine Checklist

VM Deployment and Operations

Be ready to work through common VM lifecycle tasks.

TaskReadiness check
Create a VMSelect project, zone, machine family, boot disk, image, network, firewall needs, and service account
Connect to a VMUse SSH or browser-based connection methods and understand firewall or OS Login implications
Resize a VMKnow that machine type changes and restart behavior may matter
Use metadataRecognize startup scripts, custom metadata, and instance-level configuration
Manage disksUnderstand boot disks, additional persistent disks, snapshots, and image usage
Use instance templatesKnow why templates support repeatable instance creation
Use managed instance groupsUnderstand health checks, autoscaling, rolling updates, and self-healing concepts
Troubleshoot VM bootCheck serial console output, logs, startup scripts, disk/image issues, and permissions

Command patterns to recognize:

gcloud compute instances list

gcloud compute instances describe INSTANCE_NAME \
  --zone=ZONE

gcloud compute ssh INSTANCE_NAME \
  --zone=ZONE

VM Scenario Cues

Cue in a questionLikely topic
“Single VM failed and traffic stopped”Need for managed instance group, load balancing, or more resilient design
“Startup script did not install the app”Metadata, script syntax, logs, package repository access, network egress
“VM cannot reach the internet without external IP”Cloud NAT or controlled egress path
“Need identical VMs for scaling”Instance template and managed instance group
“Need to preserve disk state before change”Snapshot or image planning

Containers and Google Kubernetes Engine

GKE Concepts to Review

ConceptYou should be able to…
ClusterExplain the control plane and node pool relationship at a practical level
Node poolUnderstand that workloads run on nodes and node pools can vary by machine type/configuration
PodRecognize the smallest deployable unit in Kubernetes
DeploymentUse it to manage replicas and rolling updates
ServiceExpose pods inside or outside the cluster depending on type
IngressRoute HTTP/S traffic into services when configured
ConfigMap and SecretSeparate configuration and sensitive values from container images
AutoscalingRecognize workload or node scaling concepts
Image registryUnderstand how container images are built, stored, and deployed

Useful kubectl checks:

kubectl get pods
kubectl get deployments
kubectl get services
kubectl describe pod POD_NAME
kubectl logs POD_NAME
kubectl apply -f manifest.yaml

Readiness checklist:

  • Deploy a containerized app to GKE.
  • Expose a workload using a Kubernetes Service.
  • Check pod status and events.
  • Read container logs.
  • Recognize image pull, scheduling, readiness, and crash loop symptoms.
  • Understand the difference between Kubernetes IAM/RBAC concepts and Google Cloud IAM at a high level.
  • Know when a managed container platform such as Cloud Run may be simpler than GKE.

GKE Troubleshooting Cues

SymptomFirst checks
Pod stuck pendingNode capacity, scheduling constraints, node pool health
Pod crash loopingContainer logs, command/entrypoint, environment variables, dependencies
Service has no trafficService selector, pod labels, endpoints, firewall/load balancer status
Image pull failureImage name, registry access, service account permissions
App deployed but old version still servedRollout status, image tag, deployment update, load balancer caching/path

Serverless and Application Hosting

Service Selection

NeedService direction to consider
Run stateless containers with minimal infrastructure managementCloud Run
Host an application on a platform-managed runtimeApp Engine
Run event-driven code in response to cloud events or HTTP triggersCloud Functions
Run full VMs with OS controlCompute Engine
Orchestrate containers with Kubernetes APIs and cluster controlGoogle Kubernetes Engine

Checklist:

  • Distinguish container-based, function-based, platform-based, VM-based, and Kubernetes-based compute.
  • Recognize when stateless design helps scaling and recovery.
  • Identify where environment variables, service accounts, and secrets affect runtime behavior.
  • Understand how request-driven scaling differs from always-on compute.
  • Know how logs and revisions help validate a deployment.

Deployment Readiness

Can you do this?

  • Deploy an app and verify the active revision or version.
  • Roll back to a previous known-good version when supported by the service.
  • Configure the service account used by the runtime.
  • Send traffic to the intended version or revision.
  • Check runtime logs after a failed deployment.
  • Explain whether a workload needs persistent local state, long-running processes, background workers, or request-based execution.

Storage and Database Exam Blueprint

Storage Service Selection

RequirementLikely Google Cloud service or concept
Store objects such as images, backups, exports, or static assetsCloud Storage
Attach block storage to a VMPersistent Disk
Share file storage among supported compute workloadsFilestore
Preserve a point-in-time copy of a diskSnapshot
Serve static web assetsCloud Storage, often with appropriate access and routing design
Move or archive large object dataCloud Storage lifecycle and storage class concepts

Cloud Storage readiness:

  • Create and manage buckets.
  • Understand bucket location choices at a practical level.
  • Configure object access using IAM and appropriate access controls.
  • Recognize lifecycle management use cases.
  • Understand retention and versioning concepts at a high level.
  • Use gsutil or gcloud storage command patterns conceptually.

Command patterns:

gcloud storage buckets list

gcloud storage cp ./file.txt gs://BUCKET_NAME/path/file.txt

gcloud storage ls gs://BUCKET_NAME

Database Service Selection

RequirementService direction to review
Managed relational databaseCloud SQL
Globally scalable relational database with strong consistency needsCloud Spanner
Document database for app dataFirestore
Wide-column database for high-throughput, low-latency workloadsBigtable
In-memory cacheMemorystore
Analytics warehouseBigQuery

Readiness checklist:

  • Choose relational vs document vs wide-column vs analytics storage.
  • Recognize when Cloud SQL is a better fit than running a database on a VM.
  • Understand backups, maintenance, replicas, and connection methods at a practical level.
  • Identify when BigQuery is for analytics rather than serving low-latency transactional app requests.
  • Recognize when Memorystore is used as a cache, not the system of record.

Storage and Database Traps

  • Choosing persistent disk for object storage use cases.
  • Choosing Cloud Storage for frequently updated relational records.
  • Treating BigQuery like an OLTP application database.
  • Ignoring backup and restore requirements.
  • Forgetting IAM or network controls around managed databases.
  • Confusing object lifecycle management with application-level data retention logic.

Networking Readiness

VPC, Subnets, Firewalls, and IPs

TopicWhat to know
VPC networkLogical network boundary for resources
SubnetRegional IP range within a VPC
Firewall ruleControls allowed or denied traffic based on direction, targets, sources, protocols, and ports
Internal IPPrivate communication inside VPC-connected resources
External IPInternet-reachable address when allowed by configuration
RouteDetermines traffic path
Cloud NATProvides outbound internet access for resources without external IPs
Cloud DNSManaged DNS service
Load balancingDistributes traffic across backends and supports resilient service access
Hybrid connectivityVPN and interconnect concepts for connecting external networks

Readiness checklist:

  • Explain the difference between a VPC and a subnet.
  • Identify whether a subnet is regional.
  • Check firewall rules for source, target, protocol, and port.
  • Distinguish ingress and egress rules.
  • Determine whether a VM has internal-only or external connectivity.
  • Recognize when Cloud NAT is needed for outbound access.
  • Understand how load balancer health checks affect backend availability.
  • Know that DNS resolution and firewall access are separate concerns.

Network Troubleshooting Workflow

    flowchart TD
	    A[Connectivity problem] --> B{Correct project and region?}
	    B -- No --> B1[Fix context]
	    B -- Yes --> C{Resource has expected IP/path?}
	    C -- No --> C1[Check subnet, route, address]
	    C -- Yes --> D{Firewall allows traffic?}
	    D -- No --> D1[Review ingress/egress rule]
	    D -- Yes --> E{IAM or service auth required?}
	    E -- Yes --> E1[Check identity and permissions]
	    E -- No --> F{Backend healthy?}
	    F -- No --> F1[Check app logs and health checks]
	    F -- Yes --> G[Check DNS, load balancer, client path]

Networking Scenario Cues

Scenario wordingThink about
“VM has no external IP but needs package updates”Cloud NAT or private access pattern
“Traffic reaches load balancer but not backend”Backend health checks, firewall rules, service port, named ports where relevant
“Two resources cannot communicate internally”VPC, subnet, firewall, routes, service account/IAM if using managed service APIs
“Public users cannot access application”External IP/load balancer, firewall, DNS, TLS/certificate configuration, backend health
“Need private connectivity to on-premises”VPN or dedicated connectivity concepts
“Need to restrict inbound SSH”Firewall source ranges, OS Login, IAM, bastion or managed access patterns

Operations, Monitoring, and Logging

Observability Checklist

AreaYou should be able to…
Cloud LoggingFind application, audit, VM, and service logs
Cloud MonitoringView metrics and create alerting policies conceptually
Uptime checksRecognize use for external availability monitoring
DashboardsUnderstand how to visualize service health
Error ReportingIdentify application errors when supported
Audit logsUse for who-did-what investigation
Health checksConnect backend health to load balancing and managed instance group behavior

Readiness checklist:

  • Locate logs for a VM, container, serverless service, or managed service.
  • Interpret error messages before changing configuration.
  • Create or recognize an alerting policy based on a metric condition.
  • Identify whether an issue is application, infrastructure, IAM, or network related.
  • Use audit logs to investigate administrative changes.
  • Recognize the role of health checks in autoscaling and load balancing.
  • Know that monitoring a service requires useful metrics and alert thresholds, not just logs.

Troubleshooting Prompts

Can you work through these?

  • A deployment succeeded, but users see errors. Check service logs, revision/version, backend health, configuration, and recent changes.
  • A VM is running but the app is unavailable. Check process status, listening port, firewall, route, logs, and health check.
  • A service account permission error appears in logs. Identify the runtime identity and grant the minimum required role.
  • A load balancer shows unhealthy backends. Check health check path/port, firewall rules, application response, backend service configuration.
  • Costs increased unexpectedly. Check billing reports, labels, recently created resources, scaling behavior, and idle resources.

Deployment, Configuration, and Change Management

Practical Deployment Skills

TaskReadiness target
Repeatable configurationUse templates, manifests, scripts, or managed deployment tools where appropriate
Version control awarenessUnderstand that infrastructure and app configuration should be reproducible
Rollout validationConfirm the new version is serving traffic and healthy
Rollback planningKnow how to return to a previous version, image, snapshot, or configuration
Environment separationKeep dev/test/prod resources isolated through projects, folders, networks, and IAM
Runtime configurationUse environment variables, secrets, and service accounts correctly

Checklist:

  • Verify deployment target before applying changes.
  • Validate service health after deployment.
  • Check logs immediately after rollout.
  • Avoid embedding secrets in source code or container images.
  • Understand how image tags, revisions, and rollout state can create confusion.
  • Know when a snapshot, backup, or export should be created before a risky change.

Billing, Cost, and Governance

Cost-Awareness Checklist

You do not need to memorize prices, but you should understand cost drivers and governance controls.

  • Identify which project is linked to billing.
  • Use budgets and alerts conceptually to detect spending changes.
  • Understand that idle resources can continue to cost money.
  • Recognize that storage, compute, network egress, logs, and managed services can all contribute to cost.
  • Use labels and project structure to allocate costs.
  • Recognize when autoscaling can both help efficiency and increase spend if traffic or misconfiguration grows.
  • Know that deleting an application may not delete all associated disks, IPs, snapshots, or logs.

Governance Scenario Checks

ScenarioStrong response
A team needs to track cost by applicationUse labels and project/resource organization
A project should stop generating charges after testingIdentify and delete or stop all billable resources, including disks and external IPs where applicable
A workload must not use overly broad accessApply least privilege IAM and service accounts
Multiple teams need separationUse project/folder structure, IAM boundaries, and network separation as appropriate
Unexpected spend appearsReview billing reports, recent deployments, scaling events, logs volume, and idle resources

Backup, Resiliency, and Recovery

Resiliency Topics to Review

Workload typeReadiness checks
VM workloadSnapshots, images, managed instance groups, health checks, zones/regions, startup automation
Container workloadReplica count, deployment rollout, node pool health, service exposure, image availability
Serverless workloadRevision/version management, service configuration, runtime identity, event source behavior
Database workloadBackups, replicas, maintenance windows, connection failover concepts, restore testing
Object storageVersioning, lifecycle, retention, access control, replication/location concepts
Load-balanced appBackend health, autoscaling, firewall rules, health check configuration

Can you explain?

  • Difference between backup, snapshot, image, and replica at a practical level.
  • Why a single VM is less resilient than a managed group behind a load balancer.
  • Why regional or multi-zone design may matter for availability.
  • Why recovery plans must include data, configuration, IAM, networking, and DNS.
  • How to validate recovery rather than assuming a backup works.

High-Value “Can You Do This?” Checklist

Use this section as a quick readiness test. If any item feels uncertain, review that area before taking full practice exams.

Environment and Resource Management

  • Set the active project, region, and zone in gcloud.
  • Identify whether a resource is global, regional, or zonal.
  • Create a project-level label strategy for ownership and environment.
  • Determine where an IAM policy should be applied.
  • Explain how folders and projects help separate workloads.

IAM and Security

  • Grant a user a role at the narrowest useful scope.
  • Create and use a service account for an application.
  • Identify whether a permission error belongs to the user identity or runtime identity.
  • Explain why basic roles may be too broad.
  • Use audit logs conceptually to investigate administrative actions.
  • Choose Secret Manager or a managed secret pattern instead of hard-coded secrets.

Compute and Application Hosting

  • Create and troubleshoot a Compute Engine VM.
  • Use an instance template and managed instance group conceptually.
  • Deploy a containerized workload to GKE or choose Cloud Run when cluster management is unnecessary.
  • Inspect pod status and logs.
  • Select between Compute Engine, GKE, Cloud Run, App Engine, and Cloud Functions for a scenario.
  • Verify a rollout and identify the running version.

Storage and Data

  • Select Cloud Storage for object data.
  • Select persistent disk for VM block storage.
  • Select Cloud SQL for common managed relational needs.
  • Recognize when BigQuery is the analytics service.
  • Identify backup and restore requirements for a database.
  • Configure object access without making data unnecessarily public.

Networking

  • Explain VPC, subnet, route, firewall, and IP address roles.
  • Troubleshoot an unreachable VM or service.
  • Determine when Cloud NAT is useful.
  • Understand load balancer, backend, and health check relationships.
  • Diagnose whether a connectivity problem is DNS, firewall, routing, IAM, or application health.

Operations

  • Find logs for the affected service.
  • Create or interpret a basic metric alert.
  • Use health checks to reason about load-balanced backends.
  • Investigate a failed deployment through logs and recent changes.
  • Identify cost spikes through billing, labels, scaling, and idle resource review.

Scenario and Decision-Point Practice

Choose the Right Compute Option

ScenarioBest readiness reasoning
Need full OS control and custom agentsCompute Engine is likely appropriate
Need Kubernetes APIs and container orchestrationGKE is likely appropriate
Need to run a stateless container without managing serversCloud Run is likely appropriate
Need event-triggered lightweight codeCloud Functions may fit
Need a managed app platform with supported runtime modelApp Engine may fit

Decision prompts:

  • Does the workload require OS-level control?
  • Is the app packaged as a container?
  • Does the team want to manage Kubernetes?
  • Is traffic request-driven or continuously running?
  • Does the workload need persistent local state?
  • What identity will the runtime use?

Choose the Right Storage or Database

ScenarioBetter direction
User uploads images and documentsCloud Storage
App needs a managed MySQL/PostgreSQL-style relational databaseCloud SQL
App needs document-style data accessFirestore
Analytics team queries large datasetsBigQuery
App needs a cache for session or frequently accessed dataMemorystore
VM needs attached block storagePersistent Disk

Decision prompts:

  • Is the data structured, semi-structured, object, block, or analytical?
  • Is the access pattern transactional or analytical?
  • Does the application need SQL semantics?
  • Is global scale or strong consistency a major requirement?
  • What are the backup and restore needs?
  • Who or what identity needs access?

Troubleshoot Access Problems

Error patternCheck first
PERMISSION_DENIED from an applicationRuntime service account permissions
User cannot view project resourceUser/group IAM binding and active project
VM cannot connect to databaseNetwork path, database authorized access/private connectivity, service account/IAM if applicable
Container cannot pull imageRegistry path and workload identity/service account permissions
Public object access deniedBucket/object IAM and access configuration

Troubleshoot Connectivity Problems

SymptomPossible causes
Cannot SSH to VMFirewall, OS Login/IAM, external IP, network path, instance state
App port unreachableFirewall, app not listening, wrong port, route, health check failure
Backend unhealthyHealth check path/port, firewall, app response, instance group configuration
Private VM cannot reach internetNo NAT path or restricted egress
DNS resolves but app failsBackend health, firewall, TLS, application errors
App works internally but not externallyLoad balancer, external IP, firewall, DNS, certificate, backend service

Command and Artifact Readiness

You do not need to memorize every command flag, but you should recognize common command structure and know what information each command helps confirm.

gcloud Context

gcloud config list
gcloud config set project PROJECT_ID
gcloud auth list

Use for:

  • Confirming active project.
  • Confirming active account.
  • Avoiding accidental changes in the wrong environment.

Compute Engine Inspection

gcloud compute instances list
gcloud compute instances describe INSTANCE_NAME --zone=ZONE

Use for:

  • Instance status.
  • Zone placement.
  • Network interfaces.
  • Service account.
  • Tags or labels.
  • Attached disks.

IAM Review

gcloud projects get-iam-policy PROJECT_ID

Use for:

  • Checking role bindings.
  • Finding whether a principal has project-level access.
  • Spotting overly broad permissions.

Kubernetes Inspection

kubectl get pods
kubectl describe pod POD_NAME
kubectl logs POD_NAME

Use for:

  • Container state.
  • Scheduling events.
  • Crash loops.
  • Application errors.
  • Image pull problems.

Cloud Storage Inspection

gcloud storage ls gs://BUCKET_NAME
gcloud storage cp SOURCE DESTINATION

Use for:

  • Verifying bucket/object paths.
  • Copying data.
  • Confirming object availability.

Common Weak Areas and Exam Traps

Weak areaWhy it hurtsWhat to practice
IAM vs networkingCandidates often try to solve permission errors with firewalls or connectivity errors with IAMClassify the error before choosing a fix
Wrong project/zoneMany commands work but target the wrong contextAlways check active project, region, and zone
Service account confusionWorkloads use service accounts, not the human deployer’s identityIdentify runtime identity in every scenario
Overly broad rolesBasic roles may solve the symptom but violate least privilegeChoose focused predefined roles when possible
GKE troubleshootingKubernetes has multiple layers: pod, service, node, image, cluster, IAM, networkUse get, describe, and logs in order
Load balancer healthTraffic failures often trace to unhealthy backendsCheck health checks, firewall, backend service, app response
Storage mismatchObject, block, file, relational, and analytics storage solve different problemsMap access pattern before choosing service
Serverless assumptionsServerless does not remove IAM, networking, config, or logging concernsCheck runtime identity, environment, and logs
Cost blind spotsDeleted apps may leave disks, IPs, snapshots, logs, or databasesReview all related resources
Backup confidenceA backup is only useful if restore is understoodPractice restore reasoning, not just backup creation

Final-Week Checklist

7 to 5 Days Out

  • Review each readiness area and mark weak topics.
  • Revisit IAM, service accounts, and least privilege.
  • Practice scenario questions that require service selection.
  • Review networking flows: VPC, subnet, firewall, route, NAT, load balancer, DNS.
  • Review Compute Engine, GKE, Cloud Run, Cloud Storage, and Cloud SQL operations.
  • Make a one-page list of commands and troubleshooting workflows.

4 to 2 Days Out

  • Take timed practice sets and review every missed question.
  • For each miss, identify whether the cause was concept, wording, service selection, or command familiarity.
  • Practice explaining why the correct answer is better than plausible alternatives.
  • Review logs/monitoring/troubleshooting scenarios.
  • Review cost-control and governance scenarios.
  • Avoid deep memorization of exact limits unless they appear in your official exam-prep materials.

Final 24 Hours

  • Recheck high-value service selection tables.
  • Review IAM vs network vs application troubleshooting.
  • Review gcloud context commands.
  • Review common GKE pod and service failure symptoms.
  • Review storage and database use cases.
  • Sleep, manage timing, and avoid last-minute overload.

Readiness Self-Assessment

Score yourself honestly:

ScoreMeaning
1I recognize the topic but cannot apply it
2I can answer definition questions only
3I can solve straightforward scenarios
4I can troubleshoot multi-step scenarios
5I can explain tradeoffs and eliminate distractors

Use this quick grid:

AreaScore 1-5Review needed?
Resource hierarchy and projects
IAM and service accounts
Compute Engine
GKE and containers
Serverless services
Storage and databases
Networking
Monitoring and logging
Billing and governance
Troubleshooting workflows

Practical Next Step

After reviewing this Exam Blueprint, move into scenario-based practice. For each practice question, force yourself to identify the service, the scope, the identity, the network path, and the operational evidence before choosing an answer. That habit is one of the best ways to turn Google Cloud knowledge into ACE exam readiness.