ACE (Google Cloud Certified: Associate Cloud Engineer) Quick Reference

Compact Google Cloud ACE quick reference for IAM, compute, storage, networking, deployment, operations, and exam decision points.

Quick Reference scope

This Quick Reference supports independent preparation for the Google Cloud Certified: Associate Cloud Engineer exam (exam code ACE). It focuses on the decisions an associate cloud engineer is expected to make quickly: configuring projects, deploying workloads, selecting managed services, securing access, and troubleshooting common Google Cloud operations.

Use it as a compact review sheet after you already understand the basics of Google Cloud Console, Cloud Shell, gcloud, IAM, networking, and managed services.

ACE mental model

| Exam task pattern | Know how to do it | Common exam cue |
| --- | --- | --- |
| Set up a cloud environment | Create/select project, link billing, enable APIs, set gcloud config, use Cloud Shell | “A new project needs to use Compute Engine” |
| Plan and configure resources | Pick region/zone, VPC/subnet, IAM roles, service account, storage/database | “Minimize operations” or “least privilege” |
| Deploy workloads | Use Compute Engine, managed instance groups, Cloud Run, App Engine, GKE, Cloud Functions | “Deploy a container” or “autoscale stateless app” |
| Operate workloads | Monitor, log, alert, inspect health checks, restart/resize/roll back | “Users report errors” or “instance unhealthy” |
| Secure workloads | IAM, service accounts, Secret Manager, Cloud KMS, firewall rules, private access | “No external IP” or “avoid service account keys” |

High-yield answer patterns

| If the question says… | Prefer… | Avoid… |
| --- | --- | --- |
| Least privilege | Predefined role scoped to the narrowest resource; custom role only if needed | Owner, Editor, broad project-level grants |
| Reduce operations | Managed/serverless service that satisfies requirements | Self-managed VMs when managed service fits |
| VM has no external IP but needs outbound internet | Cloud NAT | Assigning external IPs to every VM |
| VM has no external IP but needs Google APIs | Private Google Access on the subnet, plus IAM | Cloud NAT as the only answer when it only needs Google APIs |
| Workload needs Google Cloud credentials | Attached service account, impersonation, or Workload Identity Federation | Downloaded long-lived service account keys |
| App needs secrets | Secret Manager, sometimes Cloud KMS for encryption keys | Hardcoded secrets, VM metadata, source control |
| Asynchronous decoupling | Pub/Sub | Synchronous direct calls between every service |
| Analytics over large datasets | BigQuery | Cloud SQL for analytical scans |
| Relational OLTP | Cloud SQL or Spanner depending on scale/global needs | BigQuery or Bigtable |
| Cost grouping | Labels, billing export, budgets/alerts | Treating labels as IAM or hierarchy controls |

Environment setup: projects, billing, APIs, and CLI

Resource setup checklist

| Step | What to verify | Why it matters |
| --- | --- | --- |
| Select project | Correct PROJECT_ID in Console or gcloud config | Many errors are wrong-project errors |
| Billing | Project is linked to an active billing account | APIs/resources may fail without billing |
| APIs | Required service APIs are enabled | Permissions are not enough if API is disabled |
| Region/zone | Defaults match intended deployment location | Avoid accidental cross-region resources |
| IAM | User or service account has required role | Console visibility and deployment both depend on IAM |
| Quotas | Resource quota is available | Quota failures are not fixed by IAM alone |

Essential gcloud setup commands

gcloud init
gcloud auth list
gcloud config configurations list

gcloud config set project PROJECT_ID
gcloud config set compute/region REGION
gcloud config set compute/zone ZONE

gcloud services list --enabled
gcloud services enable compute.googleapis.com run.googleapis.com container.googleapis.com

| Command pattern | Use when | Trap |
| --- | --- | --- |
| gcloud auth login | Authenticate the CLI as a user | Does not automatically provide application credentials to local code |
| gcloud auth application-default login | Test local code using Application Default Credentials | Not the same as a service account attached to a deployed workload |
| gcloud config set project | Set default project for commands | Some commands still need explicit region/zone |
| gcloud services enable SERVICE | Enable an API before using a product | API enabled does not grant IAM permission |
| Cloud Shell | Quick admin tasks in browser | Cloud Shell still operates in the selected project/config |

Resource hierarchy, IAM, and service accounts

Resource hierarchy

| Level | Purpose | Exam notes |
| --- | --- | --- |
| Organization | Root for company-owned Google Cloud resources | Central IAM, org policies, folders |
| Folder | Group projects by team, app, environment, or business unit | IAM and policies can inherit down |
| Project | Main boundary for APIs, billing linkage, IAM grants, quotas, resources | Most ACE tasks happen at project scope |
| Resource | VM, bucket, dataset, cluster, topic, etc. | Some resources support resource-level IAM |

IAM allow policies inherit downward: organization → folder → project → resource. A broad role at a high level can unintentionally grant access to many resources.

IAM decision table

| Need | Use | Avoid / trap |
| --- | --- | --- |
| Grant standard product access | Predefined role, such as storage object viewer/admin, compute admin, logs viewer | Basic roles unless explicitly appropriate |
| Grant only a few permissions | Custom role | Custom roles add maintenance overhead |
| Grant temporary/conditional access | IAM Conditions when supported | Relying on manual cleanup |
| Let a user deploy a VM using a service account | Grant service account attachment permission, commonly Service Account User, on that service account | Granting the user all permissions the service account has |
| Let a workload access Google Cloud APIs | Attach a service account to the workload and grant that service account target permissions | Embedding user credentials or key files |
| Investigate who changed something | Cloud Audit Logs | Application logs alone |
| Block allowed access in specific cases | IAM deny policy or organization policy, if configured | Assuming an allow grant always wins |

Role types

| Role type | Scope | Use for ACE scenarios |
| --- | --- | --- |
| Basic roles: Owner, Editor, Viewer | Very broad project-level roles | Rarely the best answer for least privilege |
| Predefined roles | Google-managed roles for specific products/tasks | Default choice for exam answers |
| Custom roles | User-defined permission sets | When predefined roles are too broad and exact permissions are known |

Service account traps

| Concept | Correct interpretation |
| --- | --- |
| Service account as identity | A workload can run as a service account. That service account needs permissions on target resources. |
| Service account as resource | A user may need permission to attach, impersonate, or manage the service account itself. |
| Service Account User | Lets a principal run/attach resources as the service account, depending on context. It does not automatically grant all target-resource permissions to the human user. |
| Service Account Token Creator | Used for impersonation/token creation scenarios. More sensitive than simple viewing. |
| Key files | Long-lived credentials. Prefer attached service accounts, impersonation, or Workload Identity Federation where possible. |
| Default service accounts | Convenient, but do not assume they are least-privilege or safe for production. |

Common IAM troubleshooting path

  1. Confirm active identity: user, group, service account, or workload identity.
  2. Confirm correct project, folder, or resource.
  3. Confirm API is enabled.
  4. Check allow policy at resource and inherited levels.
  5. Check deny policies or organization policies if access still fails.
  6. For VMs/GKE/serverless, check the runtime service account, not only the deployer’s account.
  7. For BigQuery, check both job permissions on the project and data permissions on datasets/tables.
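
Step 4 of this path, together with the inheritance rule stated earlier (organization → folder → project → resource), amounts to taking the union of allow-policy bindings along the resource's ancestry. The Python below is an added example, not part of the original reference: it resolves a principal's effective roles over a constructed hierarchy and flags basic roles. The policies, node names and the `effective_roles` / `overbroad_grants` helpers are hypothetical; deny policies, organization policies and IAM Conditions are not evaluated.

```python
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample data. Each policy uses the "bindings" shape printed by
# `gcloud ... get-iam-policy --format=json`; nodes are ordered root first.
ANCESTRY = [
    ("organizations/111", {"bindings": [
        {"role": "roles/viewer", "members": ["group:all-staff@example.com"]},
    ]}),
    ("folders/222", {"bindings": [
        {"role": "roles/editor", "members": ["user:dev@example.com"]},
    ]}),
    ("projects/demo-project", {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer", "members": ["user:dev@example.com"]},
    ]}),
    ("buckets/demo-bucket", {"bindings": [
        {"role": "roles/storage.objectAdmin", "members": ["user:dev@example.com"]},
    ]}),
]


def effective_roles(principal, ancestry, groups=()):
    """List (role, granted_at, inherited) for a principal on the last node.

    `groups` holds group identities the principal belongs to; resolving
    group membership is assumed to happen elsewhere.
    """
    identities = {principal, *groups}
    target = ancestry[-1][0]
    grants = []
    for node, policy in ancestry:
        for binding in policy.get("bindings", []):
            # A binding anywhere on the path to the target applies to it.
            if identities.intersection(binding.get("members", [])):
                grants.append((binding["role"], node, node != target))
    return grants


def overbroad_grants(principal, ancestry, groups=()):
    """Basic-role grants for the principal and the level holding each one."""
    return [(role, node)
            for role, node, _ in effective_roles(principal, ancestry, groups)
            if role in BASIC_ROLES]


if __name__ == "__main__":
    for role, node, inherited in effective_roles("user:dev@example.com", ANCESTRY):
        origin = "inherited from" if inherited else "granted on"
        flag = "  <-- basic role" if role in BASIC_ROLES else ""
        print(f"{role:32} {origin} {node}{flag}")
```

The folder-level Editor grant reaches the bucket even though the bucket's own policy never mentions it, so the fix belongs at the folder, not at the resource.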

Compute and deployment selection

Compute service selection matrix

| Requirement | Choose | Why | Watch for |
| --- | --- | --- | --- |
| Full OS control, custom agents, custom networking | Compute Engine | Infrastructure as a Service VMs | You manage patching, scaling design, OS config |
| Identical VM fleet with autoscaling/autohealing | Managed instance group | Uses instance template, health checks, rolling updates | Instance template changes require rollout |
| Run stateless container without managing cluster | Cloud Run | Serverless containers, scales based on traffic/events | Container must fit Cloud Run execution model |
| Event-driven function | Cloud Functions | Deploy function code triggered by events or HTTP | Less control than full container/VM |
| PaaS app from source with built-in scaling | App Engine | Managed application platform | App Engine app location is an important early choice |
| Kubernetes orchestration | Google Kubernetes Engine | Pods, services, deployments, cluster ecosystem | More Kubernetes concepts and operational responsibility |
| Fault-tolerant batch or interruptible work | Spot/preemptible VMs, Batch, or managed autoscaled workers | Lower-cost compute for restartable work | Do not use for stateful critical workloads without recovery |

Compute Engine quick reference

| Feature | Use | Exam trap |
| --- | --- | --- |
| Machine type | CPU/memory sizing | Resize may require stop/start depending on the change |
| Boot disk | OS disk for VM | Deleting VM may delete boot disk depending on the setting |
| Persistent Disk | Durable block storage for VMs | Not shared POSIX file storage |
| Local SSD | Very high performance ephemeral storage | Data is not durable through all lifecycle events |
| Snapshot | Point-in-time disk backup | Snapshot is not a bootable image by itself in the same way an image is |
| Custom image | Reusable VM boot disk image | Good for consistent VM creation |
| Instance template | Defines VM configuration for MIGs | Immutable; create a new template for changes |
| Startup script | Bootstrap VM on boot/create | Not a full configuration management system |
| Metadata | VM/project metadata | Do not store secrets in plain metadata |
| Shielded VM | Integrity protections for VMs | Security feature, not an IAM substitute |

Managed instance group decisions

| Need | MIG feature |
| --- | --- |
| Replace unhealthy VMs | Autohealing with health check |
| Add/remove VMs based on demand | Autoscaling |
| Update a fleet gradually | Rolling update |
| Serve traffic through load balancer | Backend service uses instance group |
| Keep consistent VM config | Instance template |

Serverless deployment comparison

| Service | Deployable unit | Common trigger | Best fit |
| --- | --- | --- | --- |
| Cloud Run | Container image | HTTP, events, jobs depending on configuration | Portable stateless services and APIs |
| Cloud Functions | Function source/code | HTTP or event trigger | Small event-driven units of logic |
| App Engine | Application source | HTTP app traffic | Managed web apps with minimal infrastructure control |

GKE essentials

| Kubernetes/GKE concept | What to know for ACE |
| --- | --- |
| Cluster | Control plane plus worker capacity. Regional/zonal choice affects availability and latency. |
| Node pool | Group of nodes with similar machine/config. Standard mode exposes more node management. |
| Autopilot | More Google-managed cluster/node operations. Less node-level control. |
| Pod | Smallest deployable Kubernetes unit. Usually managed by higher-level controllers. |
| Deployment | Manages replica rollout/rollback for stateless pods. |
| Service | Stable virtual endpoint for pods. Types include internal and external exposure patterns. |
| Ingress / Gateway | HTTP(S) routing into services. Often integrates with load balancing. |
| ConfigMap | Non-secret configuration. |
| Kubernetes Secret | Kubernetes-native secret object; not the same as Secret Manager. |
| Workload Identity Federation for GKE | Preferred way for pods to access Google Cloud APIs without service account key files. |

Useful GKE commands:

gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project PROJECT_ID

kubectl get pods -A
kubectl get services -A
kubectl describe pod POD_NAME -n NAMESPACE
kubectl logs POD_NAME -n NAMESPACE
kubectl rollout status deployment/DEPLOYMENT_NAME -n NAMESPACE

Deployment command patterns

## Compute Engine VM
gcloud compute instances create VM_NAME \
  --zone ZONE \
  --machine-type MACHINE_TYPE \
  --image-family IMAGE_FAMILY \
  --image-project IMAGE_PROJECT \
  --service-account SERVICE_ACCOUNT_EMAIL

## Cloud Run service
gcloud run deploy SERVICE_NAME \
  --image REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG \
  --region REGION

## App Engine app
gcloud app deploy

## Cloud Functions
gcloud functions deploy FUNCTION_NAME \
  --gen2 \
  --runtime RUNTIME \
  --region REGION \
  --source . \
  --entry-point ENTRY_POINT \
  --trigger-http

Storage, databases, and analytics

Storage service selection

| Requirement | Choose | Why | Avoid / trap |
| --- | --- | --- | --- |
| Object storage for images, backups, static assets | Cloud Storage | Durable object storage with buckets and lifecycle rules | Not a mounted POSIX file system by default |
| Block disk for VM | Persistent Disk | VM-attached durable block storage | Not independent object storage |
| Shared file system for applications | Filestore | Managed NFS file storage | Not a relational database |
| Ephemeral high-speed scratch disk | Local SSD | High I/O temporary storage | Data loss risk on certain VM events |
| Long-term object retention / archive | Cloud Storage lifecycle + colder storage classes | Lower storage cost for infrequent access | Retrieval/access patterns matter |
| Static website assets | Cloud Storage, often with load balancing/CDN pattern | Simple object hosting | Dynamic application logic needs compute |

Cloud Storage quick reference

| Feature | Use | Exam trap |
| --- | --- | --- |
| Bucket | Container for objects | Bucket names are globally unique |
| Object | Stored file/blob | Objects are not edited in-place like normal files |
| Location | Region, dual-region, or multi-region | Choose based on latency, availability, data locality |
| Storage class | Cost/access optimization | Do not choose archive class for frequently accessed data |
| Lifecycle rule | Automatically transition/delete objects | Good for cost control and retention workflows |
| Object versioning | Keep older versions | Can increase storage usage |
| Uniform bucket-level access | IAM-based bucket/object access model | Avoid mixing legacy ACL expectations |
| Signed URL | Temporary access to an object | Does not require making bucket public |
| Retention policy | Prevent deletion/modification for retention period | Different from lifecycle deletion |

Cloud Storage commands:

gcloud storage buckets create gs://BUCKET_NAME --location=REGION --uniform-bucket-level-access
gcloud storage cp FILE_NAME gs://BUCKET_NAME/PREFIX/
gcloud storage ls gs://BUCKET_NAME
gcloud storage rm gs://BUCKET_NAME/PREFIX/OBJECT_NAME

Database and data service selection

| Requirement | Choose | Why | Avoid / trap |
| --- | --- | --- | --- |
| Managed relational database for common apps | Cloud SQL | MySQL, PostgreSQL, SQL Server managed service | Not designed for unlimited horizontal/global relational scale |
| Globally scalable relational database | Spanner | Relational schema, strong consistency, horizontal scale | Overkill for small/simple relational workloads |
| Document database for app/mobile/serverless data | Firestore | NoSQL document model, serverless | Not relational joins/complex SQL analytics |
| Very large low-latency wide-column workloads | Bigtable | Time series, IoT, large analytical/operational key-value style | Not SQL OLTP; schema design is key |
| Serverless analytics warehouse | BigQuery | SQL analytics over large datasets | Not transactional OLTP |
| In-memory cache | Memorystore | Managed Redis/Memcached-compatible caching options | Cache is not the source of truth |
| Messaging/event ingestion | Pub/Sub | Decouple producers/consumers, async events | Design consumers to handle redelivery/idempotency |
| Stream/batch data processing | Dataflow | Apache Beam managed processing | More appropriate for pipelines than simple queries |
| Managed Spark/Hadoop | Dataproc | Lift/operate Spark/Hadoop-style jobs | Not the first choice for serverless SQL analytics |
| Workflow orchestration | Workflows or Cloud Composer | Service orchestration or Airflow DAGs | Pub/Sub is messaging, not full workflow orchestration |

BigQuery quick reference

| Concept | Know this |
| --- | --- |
| Dataset | Access and location boundary for tables/views |
| Table | Structured analytical data |
| Job | Query/load/extract/copy execution unit |
| SQL dialect | Standard SQL is generally preferred |
| Access | Project-level job permission plus dataset/table data permission may both be required |
| Cost control | Partitioning, clustering, selective queries, budgets/alerts, query review |
| Trap | BigQuery is for analytics, not low-latency row-by-row OLTP |

Example:

bq query --use_legacy_sql=false \
'SELECT name, COUNT(*) AS total
 FROM `PROJECT_ID.DATASET.TABLE`
 GROUP BY name
 ORDER BY total DESC
 LIMIT 10'

Networking and connectivity

VPC essentials

| Concept | Quick reference | Exam trap |
| --- | --- | --- |
| VPC network | Global logical network | Subnets are regional |
| Subnet | Regional IP range inside a VPC | Resources must be in compatible region/network design |
| Custom mode VPC | You define subnets | Preferred for controlled production designs |
| Auto mode VPC | Google-created subnets | Convenient but less controlled |
| Routes | Determine next hop for traffic | Firewall allow does not help if route is missing |
| Firewall rule | Stateful allow/deny control for ingress/egress | Target tags/service accounts and priority matter |
| External IP | Public internet reachability | Avoid when private access is required |
| Cloud NAT | Outbound internet for private resources | Does not allow inbound connections |
| Private Google Access | Private VM access to Google APIs/services through internal IP path | Must be enabled on the subnet |
| Shared VPC | Central host project shares network to service projects | IAM separation between network and app teams |
| VPC Network Peering | Private RFC1918 connectivity between VPCs | Not transitive; overlapping ranges are a problem |
| Private Service Connect / private services access | Private access to supported producer or managed services | Different products use different private connectivity patterns |

Private connectivity chooser

| Need | Choose |
| --- | --- |
| Private VM needs outbound internet updates | Cloud NAT |
| Private VM needs Cloud Storage, BigQuery, or other Google APIs | Private Google Access, plus IAM |
| On-premises network to Google Cloud over encrypted internet tunnel | Cloud VPN |
| On-premises network to Google Cloud with dedicated connectivity | Cloud Interconnect option |
| Central networking team manages VPC, app teams deploy in separate projects | Shared VPC |
| Two VPCs need private connectivity | VPC Network Peering, if non-overlapping and non-transitive design is acceptable |
| Serverless service needs private VPC resources | Serverless VPC Access or direct VPC egress where supported |

Load balancing quick reference

| Requirement | Choose | Notes |
| --- | --- | --- |
| External HTTP(S) app | External Application Load Balancer | URL maps, host/path routing, managed certs, Cloud CDN, Cloud Armor patterns |
| Internal HTTP(S) app | Internal Application Load Balancer | Private L7 routing inside VPC |
| TCP/UDP traffic | Network load balancer option | L4 traffic patterns |
| Internal private TCP/UDP service | Internal load balancer | Private service exposure inside VPC |
| Global static frontend for web app | Global external Application Load Balancer pattern | Often paired with MIGs, Cloud Run/serverless NEG, buckets, or backends |
| Content caching | Cloud CDN with supported load balancing backend | CDN is not a database cache |

Network troubleshooting checklist

| Symptom | Check first | Likely fix |
| --- | --- | --- |
| VM cannot reach internet | External IP or Cloud NAT, route, egress firewall, DNS | Add Cloud NAT or correct routing/firewall |
| VM cannot reach Google APIs without external IP | Private Google Access on subnet, DNS, IAM | Enable Private Google Access and grant IAM |
| App cannot receive traffic | Load balancer frontend/backend, firewall, health check, service port | Open correct firewall path and fix backend health |
| Health checks fail | Health check path/port/protocol, app listener, firewall allowing probes | Align health check with app and allow health check traffic |
| VPC peering fails | IP overlap, routes, non-transitive assumption | Redesign CIDR or connectivity model |
| Cloud Run cannot reach private DB | VPC egress connector/direct egress, DB private IP, firewall | Configure supported serverless-to-VPC path |
| DNS name resolves incorrectly | Cloud DNS zone, record, split-horizon/private zone | Correct managed zone or record scope |

Security, secrets, and governance

Security service selection

| Need | Use | Trap |
| --- | --- | --- |
| Store API keys/passwords | Secret Manager | Do not store secrets in source code, metadata, or plain env vars |
| Manage encryption keys | Cloud KMS | IAM on key is separate from IAM on encrypted resource |
| Customer-managed encryption key | CMEK with supported service | Must grant service agent access to use the key |
| Audit administrative activity | Cloud Audit Logs | Data Access logs may need explicit consideration |
| Enforce org-wide constraints | Organization Policy Service | IAM grants may still be limited by org policy |
| Protect web apps from common attacks | Cloud Armor with supported load balancer | Firewall rules are not L7 WAF rules |
| Manage certificates | Google-managed certificates / Certificate Manager patterns | Certificate lifecycle differs from DNS and LB config |
| Discover asset/config inventory | Cloud Asset Inventory | Not the same as live monitoring metrics |

Audit log categories

| Audit log type | What it captures |
| --- | --- |
| Admin Activity | Administrative changes to resources |
| Data Access | Reads/writes of user data where enabled/applicable |
| System Event | Google Cloud system actions that affect resources |
| Policy Denied | Access denied by policy controls |
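
Admin Activity entries are where "who changed something" gets answered. The Python below is an added example, not part of the original reference: it scans constructed audit log entries for two changes this sheet warns about, a basic role being granted and a service account key being created. The sample entries and the `findings` helper are hypothetical, and the entries are trimmed to the fields the check reads.

```python
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed Admin Activity entries, trimmed to the fields used below.
# Real entries can be exported with, for example:
#   gcloud logging read 'logName:"cloudaudit.googleapis.com%2Factivity"' --format=json
SAMPLE_ENTRIES = [
    {"timestamp": "2024-01-10T09:00:00Z", "protoPayload": {
        "methodName": "SetIamPolicy",
        "resourceName": "projects/demo-project",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner",
             "member": "user:contractor@example.com"},
            {"action": "REMOVE", "role": "roles/editor",
             "member": "user:old@example.com"},
        ]}}}},
    {"timestamp": "2024-01-10T09:05:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": "projects/-/serviceAccounts/"
                        "app@demo-project.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "dev@example.com"}}},
    {"timestamp": "2024-01-10T09:10:00Z", "protoPayload": {
        "methodName": "SetIamPolicy",
        "resourceName": "projects/demo-project",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer",
             "member": "serviceAccount:app@demo-project.iam.gserviceaccount.com"},
        ]}}}},
    {"timestamp": "2024-01-10T09:15:00Z", "protoPayload": {
        "methodName": "v1.compute.instances.insert",
        "resourceName": "projects/demo-project/zones/us-central1-a/instances/vm-1",
        "authenticationInfo": {"principalEmail": "dev@example.com"}}},
]


def findings(entries):
    """Return (timestamp, actor, finding, detail) for risky admin changes."""
    out = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        when = entry.get("timestamp", "")
        resource = payload.get("resourceName", "")

        # Long-lived credential created: the sheet prefers attached service
        # accounts, impersonation or federation over key files.
        if payload.get("methodName", "").endswith("CreateServiceAccountKey"):
            out.append((when, actor, "service-account-key-created", resource))

        deltas = (payload.get("serviceData", {})
                         .get("policyDelta", {})
                         .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action") != "ADD":
                continue  # removals tighten access; only additions are flagged
            detail = f"{delta.get('role')} -> {delta.get('member')} on {resource}"
            if delta.get("role") in BASIC_ROLES:
                out.append((when, actor, "basic-role-granted", detail))
            if delta.get("member") in PUBLIC_MEMBERS:
                out.append((when, actor, "public-member-granted", detail))
    return out


if __name__ == "__main__":
    for row in findings(SAMPLE_ENTRIES):
        print(" | ".join(row))
```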

Governance and cost controls

| Need | Tool / pattern | Exam note |
| --- | --- | --- |
| Group resources for billing/reporting | Labels | Labels are not IAM and do not create hierarchy |
| Enforce location or service restrictions | Organization policies | Usually configured above project level |
| Notify about spend | Budgets and alerts | Alerts notify; they are not a simple hard spending cap |
| Analyze detailed billing | Cloud Billing export to BigQuery | Good for custom cost reporting |
| Separate environments | Separate projects, folders, or both | Stronger boundary than labels |
| Control resource consumption | Quotas | Quotas are not permissions |
| Reduce compute cost for steady workloads | Committed-use or rightsizing patterns | Do not sacrifice required availability/performance |
| Reduce fault-tolerant batch cost | Spot/preemptible compute | Must tolerate interruption |

Operations, observability, and troubleshooting

Observability service selection

| Need | Use | Notes |
| --- | --- | --- |
| Metrics and dashboards | Cloud Monitoring | CPU, uptime, service metrics, custom metrics |
| Alert on conditions | Cloud Monitoring alerting policy | Alerts need notification channels and useful thresholds |
| Logs search and analysis | Cloud Logging Logs Explorer | Filter by resource, severity, labels, trace |
| Export logs | Log sinks to BigQuery, Cloud Storage, Pub/Sub, or another destination | Sink destination needs permissions |
| Create metrics from logs | Logs-based metrics | Useful when metric is only visible in logs |
| VM system/application metrics | Ops Agent | Install/configure on supported VMs when needed |
| Error aggregation | Error Reporting | Good for application exceptions |
| Latency tracing | Cloud Trace | Requires app/framework integration for best value |
| Deployment/build history | Cloud Build logs, Cloud Deploy records, service revision history | Start with the service-specific activity/logs |

Example log query:

gcloud logging read \
'resource.type="gce_instance" AND severity>=ERROR' \
--limit=20 \
--format=json

Troubleshooting decision table

| Problem | Check | Practical fix |
| --- | --- | --- |
| PERMISSION_DENIED | Active identity, project, IAM role, inherited deny/org policy, service account | Grant least-privilege role at correct scope |
| API has not been used or service unavailable | API enabled in current project | Enable required API |
| Resource not found | Project, region, zone, name | Use explicit --project, --region, --zone |
| Cloud Run returns 403 | Invoker IAM, authentication setting, ingress setting | Grant invoker or adjust auth/ingress appropriately |
| Cloud Run revision not serving | Container port, startup failure, env vars/secrets, logs | Fix container and redeploy |
| GKE pod pending | Node capacity, scheduling constraints, quotas | Resize node pool or adjust requests/constraints |
| GKE image pull error | Image path, Artifact Registry IAM, tag exists | Grant reader role to runtime identity and correct image name |
| MIG instances keep recreating | Health check failing, startup script failure, app not listening | Fix startup/app health endpoint/firewall |
| BigQuery query denied | Job permission on project, data permission on dataset/table | Grant correct BigQuery roles at correct scope |
| Logs missing | Wrong resource filter, severity, log exclusion, agent not installed | Adjust query/sink/agent configuration |
| High latency | Region distance, load balancer backend health, database location, autoscaling | Co-locate services and tune scaling/backends |

CI/CD and artifacts

| Requirement | Choose | Notes |
| --- | --- | --- |
| Store container images and packages | Artifact Registry | Grant runtime service account read access |
| Build from source | Cloud Build | Uses build steps and service account permissions |
| Trigger build on repository changes | Cloud Build trigger | Requires source connection and IAM |
| Deploy to Cloud Run/GKE/App Engine | Cloud Build step or service-specific deploy command | Build identity needs deploy permissions |
| Progressive delivery | Cloud Deploy | More relevant for release pipelines than one-off deploys |

Example minimal build/deploy pattern:

steps:
  - name: gcr.io/cloud-builders/docker
    args: ["build", "-t", "REGION-docker.pkg.dev/PROJECT_ID/REPO/APP:$COMMIT_SHA", "."]
  - name: gcr.io/cloud-builders/docker
    args: ["push", "REGION-docker.pkg.dev/PROJECT_ID/REPO/APP:$COMMIT_SHA"]
  - name: gcr.io/google.com/cloudsdktool/cloud-sdk
    args:
      - "gcloud"
      - "run"
      - "deploy"
      - "SERVICE_NAME"
      - "--image=REGION-docker.pkg.dev/PROJECT_ID/REPO/APP:$COMMIT_SHA"
      - "--region=REGION"

Backup, availability, and recovery patterns

| Resource type | Common protection pattern | Exam note |
| --- | --- | --- |
| Compute Engine boot/data disk | Snapshots, images, managed instance groups | Snapshot for backup; image for reusable boot baseline |
| Stateless web tier | MIG across zones, load balancing, health checks | Replace instances instead of repairing manually |
| Cloud SQL | Automated backups, point-in-time recovery where configured, HA/read replicas as needed | Backups and replicas solve different problems |
| Cloud Storage | Versioning, retention policy, lifecycle rules, dual/multi-region if needed | Versioning can increase cost |
| GKE app | Kubernetes manifests, container images, backups for stateful data | Recreate stateless workloads from config |
| BigQuery | Table snapshots/copies/exports depending on requirement | Dataset location and access matter |
| Pub/Sub consumers | Idempotent processing and retry handling | Messages may be delivered more than once |

Exam traps to review before practice

| Trap | Correct exam instinct |
| --- | --- |
| “Give Owner so it works” | Use least-privilege predefined role at the narrowest useful scope |
| Confusing deployer identity with runtime identity | Check both user permissions and service account permissions |
| Confusing IAM with network access | IAM authorizes API/resource actions; firewall/routes authorize network paths |
| Cloud NAT for inbound traffic | Cloud NAT is outbound only |
| Private Google Access as general internet access | It is for private access to Google APIs/services, not arbitrary public sites |
| BigQuery for transactional app backend | Use Cloud SQL, Spanner, Firestore, or Bigtable based on data model |
| Cloud Storage as POSIX shared file system | Use Filestore for managed NFS file workloads |
| Labels as security boundary | Labels help organize/report; IAM/projects/folders enforce access boundaries |
| Budget alert as hard cap | Budgets alert; use quotas, policies, and automation for stronger controls |
| Service account key as default solution | Prefer attached service account, impersonation, or federation |
| Wrong region/zone/project | Make location and project explicit in commands and troubleshooting |
| Health check failure blamed only on load balancer | Check app listener, firewall, route, startup time, and health path |

Final ACE review checklist

Before taking ACE practice sets, verify you can quickly answer:

  • Which Google Cloud compute service fits VM, container, function, PaaS, and Kubernetes requirements.
  • How to configure gcloud project, region, zone, authentication, and API enablement.
  • How IAM inheritance, predefined roles, service accounts, and impersonation differ.
  • When to use Cloud NAT, Private Google Access, VPC peering, Shared VPC, VPN, and Interconnect.
  • Which storage/database service fits object, block, file, relational, document, wide-column, cache, and analytics workloads.
  • How to troubleshoot permission, project/location, health check, serverless, GKE, and logging issues.
  • How Cloud Monitoring, Cloud Logging, audit logs, alerts, and log sinks support operations.
  • How labels, budgets, quotas, org policies, and billing export support governance and cost visibility.

Next step

Use this Quick Reference as a checklist, then drill mixed ACE practice questions that force service selection, IAM troubleshooting, networking decisions, and command-line configuration under time pressure.