Quick Reference scope
This Quick Reference supports independent preparation for the Google Cloud Certified Associate Cloud Engineer (ACE) exam, exam code ACE. It focuses on the decisions an associate cloud engineer is expected to make quickly: configuring projects, deploying workloads, selecting managed services, securing access, and troubleshooting common Google Cloud operations.
Use it as a compact review sheet after you already understand the basics of Google Cloud Console, Cloud Shell, gcloud, IAM, networking, and managed services.
ACE mental model
| Exam task pattern | Know how to do it | Common exam cue |
|---|---|---|
| Set up a cloud environment | Create/select project, link billing, enable APIs, set gcloud config, use Cloud Shell | “A new project needs to use Compute Engine” |
| Plan and configure resources | Pick region/zone, VPC/subnet, IAM roles, service account, storage/database | “Minimize operations” or “least privilege” |
| Deploy workloads | Use Compute Engine, managed instance groups, Cloud Run, App Engine, GKE, Cloud Functions | “Deploy a container” or “autoscale stateless app” |
| Operate workloads | Monitor, log, alert, inspect health checks, restart/resize/roll back | “Users report errors” or “instance unhealthy” |
| Secure workloads | IAM, service accounts, Secret Manager, Cloud KMS, firewall rules, private access | “No external IP” or “avoid service account keys” |
High-yield answer patterns
| If the question says… | Prefer… | Avoid… |
|---|---|---|
| Least privilege | Predefined role scoped to the narrowest resource; custom role only if needed | Owner, Editor, broad project-level grants |
| Reduce operations | Managed/serverless service that satisfies requirements | Self-managed VMs when managed service fits |
| VM has no external IP but needs outbound internet | Cloud NAT | Assigning external IPs to every VM |
| VM has no external IP but needs Google APIs | Private Google Access on the subnet, plus IAM | Cloud NAT as the only answer when it only needs Google APIs |
| Workload needs Google Cloud credentials | Attached service account, impersonation, or Workload Identity Federation | Downloaded long-lived service account keys |
| App needs secrets | Secret Manager, sometimes Cloud KMS for encryption keys | Hardcoded secrets, VM metadata, source control |
| Asynchronous decoupling | Pub/Sub | Synchronous direct calls between every service |
| Analytics over large datasets | BigQuery | Cloud SQL for analytical scans |
| Relational OLTP | Cloud SQL or Spanner depending on scale/global needs | BigQuery or Bigtable |
| Cost grouping | Labels, billing export, budgets/alerts | Treating labels as IAM or hierarchy controls |
Environment setup: projects, billing, APIs, and CLI
Resource setup checklist
| Step | What to verify | Why it matters |
|---|---|---|
| Select project | Correct PROJECT_ID in Console or gcloud config | Many errors are wrong-project errors |
| Billing | Project is linked to an active billing account | APIs/resources may fail without billing |
| APIs | Required service APIs are enabled | Permissions are not enough if API is disabled |
| Region/zone | Defaults match intended deployment location | Avoid accidental cross-region resources |
| IAM | User or service account has required role | Console visibility and deployment both depend on IAM |
| Quotas | Resource quota is available | Quota failures are not fixed by IAM alone |
Essential gcloud setup commands
```bash
gcloud init
gcloud auth list
gcloud config configurations list
gcloud config set project PROJECT_ID
gcloud config set compute/region REGION
gcloud config set compute/zone ZONE
gcloud services list --enabled
gcloud services enable compute.googleapis.com run.googleapis.com container.googleapis.com
```
| Command pattern | Use when | Trap |
|---|---|---|
| gcloud auth login | Authenticate the CLI as a user | Does not automatically provide application credentials to local code |
| gcloud auth application-default login | Test local code using Application Default Credentials | Not the same as a service account attached to a deployed workload |
| gcloud config set project | Set default project for commands | Some commands still need explicit region/zone |
| gcloud services enable SERVICE | Enable an API before using a product | API enabled does not grant IAM permission |
| Cloud Shell | Quick admin tasks in browser | Cloud Shell still operates in the selected project/config |
Resource hierarchy, IAM, and service accounts
Resource hierarchy
| Level | Purpose | Exam notes |
|---|---|---|
| Organization | Root for company-owned Google Cloud resources | Central IAM, org policies, folders |
| Folder | Group projects by team, app, environment, or business unit | IAM and policies can inherit down |
| Project | Main boundary for APIs, billing linkage, IAM grants, quotas, resources | Most ACE tasks happen at project scope |
| Resource | VM, bucket, dataset, cluster, topic, etc. | Some resources support resource-level IAM |
IAM allow policies inherit downward: organization → folder → project → resource. A broad role at a high level can unintentionally grant access to many resources.
IAM decision table
| Need | Use | Avoid / trap |
|---|---|---|
| Grant standard product access | Predefined role, such as storage object viewer/admin, compute admin, logs viewer | Basic roles unless explicitly appropriate |
| Grant only a few permissions | Custom role | Custom roles add maintenance overhead |
| Grant temporary/conditional access | IAM Conditions when supported | Relying on manual cleanup |
| Let a user deploy a VM using a service account | Grant service account attachment permission, commonly Service Account User, on that service account | Granting the user all permissions the service account has |
| Let a workload access Google Cloud APIs | Attach a service account to the workload and grant that service account target permissions | Embedding user credentials or key files |
| Investigate who changed something | Cloud Audit Logs | Application logs alone |
| Block allowed access in specific cases | IAM deny policy or organization policy, if configured | Assuming an allow grant always wins |
Role types
| Role type | Scope | Use for ACE scenarios |
|---|---|---|
| Basic roles: Owner, Editor, Viewer | Very broad project-level roles | Rarely the best answer for least privilege |
| Predefined roles | Google-managed roles for specific products/tasks | Default choice for exam answers |
| Custom roles | User-defined permission sets | When predefined roles are too broad and exact permissions are known |
Service account traps
| Concept | Correct interpretation |
|---|---|
| Service account as identity | A workload can run as a service account. That service account needs permissions on target resources. |
| Service account as resource | A user may need permission to attach, impersonate, or manage the service account itself. |
| Service Account User | Lets a principal run/attach resources as the service account, depending on context. It does not automatically grant all target-resource permissions to the human user. |
| Service Account Token Creator | Used for impersonation/token creation scenarios. More sensitive than simple viewing. |
| Key files | Long-lived credentials. Prefer attached service accounts, impersonation, or Workload Identity Federation where possible. |
| Default service accounts | Convenient, but do not assume they are least-privilege or safe for production. |
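The role-type and service-account traps above are easiest to spot in the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns. The following is an added example, not part of this sheet or any Google tooling: it audits a constructed allow policy for basic roles, public principals, and Service Account Token Creator held by human principals. The project name, principals and service account addresses are placeholders.

```python
"""Audit a project IAM allow policy (the JSON shape returned by
`gcloud projects get-iam-policy PROJECT_ID --format=json`) for the patterns
this sheet warns about: basic roles, public principals, and impersonation
rights held by humans. Added example; the policy below is constructed."""
import json

# Constructed sample policy (hypothetical project and principals).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789-compute@developer.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:bob@example.com",
                 "serviceAccount:deployer@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.viewer",
     "members": ["group:sre@example.com"]}
  ],
  "etag": "BwXyz=",
  "version": 1
}
"""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Token Creator lets the holder mint credentials for a service account
# (impersonation), so a human holding it deserves review.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator"}


def audit_policy(policy: dict) -> list:
    """Return one finding per risky (member, role) pair in an allow policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append({"member": member, "role": role,
                                 "issue": "basic role; prefer a predefined role at narrower scope"})
            if member in PUBLIC_PRINCIPALS:
                findings.append({"member": member, "role": role,
                                 "issue": "public principal; confirm the data is meant to be public"})
            if role in IMPERSONATION_ROLES and member.startswith(("user:", "group:")):
                findings.append({"member": member, "role": role,
                                 "issue": "human principal can impersonate service accounts"})
    return findings


def audit_policy_json(text: str) -> list:
    """Convenience wrapper for piping gcloud JSON output straight in."""
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for f in audit_policy_json(SAMPLE_POLICY_JSON):
        print(f"{f['role']:45} {f['member']:65} {f['issue']}")
```

Run it against real output with `gcloud projects get-iam-policy PROJECT_ID --format=json | python3 audit.py` after replacing the sample constant with `sys.stdin.read()`; the deployer service account holding Token Creator is deliberately not flagged, because service-to-service impersonation is the pattern this sheet recommends over key files.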
Common IAM troubleshooting path
- Confirm active identity: user, group, service account, or workload identity.
- Confirm correct project, folder, or resource.
- Confirm API is enabled.
- Check allow policy at resource and inherited levels.
- Check deny policies or organization policies if access still fails.
- For VMs/GKE/serverless, check the runtime service account, not only the deployer’s account.
- For BigQuery, check both job permissions on the project and data permissions on datasets/tables.
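The troubleshooting path above can be walked mechanically. The following is an added example, not Google's IAM evaluation engine: it models a constructed organization → folder → project → resource hierarchy with a hypothetical role-to-permission map and checks, in the same order as the list, that the API is enabled, that no deny policy on any ancestor matches, and that some allow binding on the resource or an ancestor grants the permission. Real deny policies also carry exception principals and conditions, and real roles hold many more permissions than the subset shown.

```python
"""Simplified model of a Google Cloud access check for troubleshooting:
API enabled first, deny policies next, then inherited allow bindings.
Added example with a constructed hierarchy; not Google's IAM engine."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical subset of the permissions carried by three real roles.
ROLE_PERMISSIONS = {
    "roles/viewer": {"compute.instances.get", "storage.objects.get"},
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.create", "compute.instances.delete"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}
# Permission prefix -> API that must be enabled in the project (hypothetical mapping).
PERMISSION_API = {"compute.": "compute.googleapis.com", "storage.": "storage.googleapis.com"}


@dataclass
class Node:
    name: str
    kind: str                                       # organization | folder | project | resource
    parent: Optional["Node"] = None
    allow: dict = field(default_factory=dict)       # principal -> set of roles (allow bindings)
    deny: dict = field(default_factory=dict)        # principal -> set of denied permissions
    enabled_apis: set = field(default_factory=set)  # only meaningful on a project


def ancestry(node: Node) -> list:
    """Resource first, then project, folder(s), organization."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain


def check_access(principal: str, permission: str, resource: Node) -> tuple:
    """Return (allowed, reason) following the troubleshooting order on this sheet."""
    chain = ancestry(resource)
    # 1. The owning project must have the API enabled; IAM alone is not enough.
    project = next(n for n in chain if n.kind == "project")
    api = next(a for prefix, a in PERMISSION_API.items() if permission.startswith(prefix))
    if api not in project.enabled_apis:
        return False, f"{api} is not enabled in {project.name}"
    # 2. Deny policies are evaluated before allow policies, at every ancestor level.
    for node in chain:
        if permission in node.deny.get(principal, set()):
            return False, f"denied by deny policy on {node.name}"
    # 3. Allow bindings inherit downward, so a binding on any ancestor counts.
    for node in chain:
        for role in node.allow.get(principal, set()):
            if permission in ROLE_PERMISSIONS.get(role, set()):
                return True, f"allowed by {role} granted on {node.name}"
    return False, "no allow binding grants this permission at any level"


def build_sample_hierarchy() -> Node:
    """Constructed hierarchy; names and principals are placeholders."""
    org = Node("organizations/EXAMPLE_ORG", "organization",
               allow={"user:carol@example.com": {"roles/viewer"}})
    folder = Node("folders/prod", "folder", parent=org,
                  deny={"user:alice@example.com": {"compute.instances.delete"}})
    project = Node("projects/my-project", "project", parent=folder,
                   allow={"user:alice@example.com": {"roles/compute.instanceAdmin.v1"}},
                   enabled_apis={"compute.googleapis.com"})
    return Node("projects/my-project/zones/us-central1-a/instances/web-1", "resource",
                parent=project)


if __name__ == "__main__":
    vm = build_sample_hierarchy()
    for who, perm in [("user:alice@example.com", "compute.instances.create"),
                      ("user:alice@example.com", "compute.instances.delete"),
                      ("user:carol@example.com", "compute.instances.get"),
                      ("user:carol@example.com", "compute.instances.create"),
                      ("user:carol@example.com", "storage.objects.get")]:
        print(who, perm, check_access(who, perm, vm))
```

The three failure reasons map directly onto the checklist: "not enabled" means run `gcloud services enable`, "deny policy" means an allow grant will never fix it, and "no allow binding" means look for the narrowest predefined role at the right level.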
Compute and deployment selection
Compute service selection matrix
| Requirement | Choose | Why | Watch for |
|---|---|---|---|
| Full OS control, custom agents, custom networking | Compute Engine | Infrastructure as a Service VMs | You manage patching, scaling design, OS config |
| Identical VM fleet with autoscaling/autohealing | Managed instance group | Uses instance template, health checks, rolling updates | Instance template changes require rollout |
| Run stateless container without managing cluster | Cloud Run | Serverless containers, scales based on traffic/events | Container must fit Cloud Run execution model |
| Event-driven function | Cloud Functions | Deploy function code triggered by events or HTTP | Less control than full container/VM |
| PaaS app from source with built-in scaling | App Engine | Managed application platform | App Engine app location is an important early choice |
| Kubernetes orchestration | Google Kubernetes Engine | Pods, services, deployments, cluster ecosystem | More Kubernetes concepts and operational responsibility |
| Fault-tolerant batch or interruptible work | Spot/preemptible VMs, Batch, or managed autoscaled workers | Lower-cost compute for restartable work | Do not use for stateful critical workloads without recovery |
Compute Engine quick reference
| Feature | Use | Exam trap |
|---|---|---|
| Machine type | CPU/memory sizing | Resize may require stop/start depending on the change |
| Boot disk | OS disk for VM | Deleting the VM may delete the boot disk depending on the auto-delete setting |
| Persistent Disk | Durable block storage for VMs | Not shared POSIX file storage |
| Local SSD | Very high performance ephemeral storage | Data is not durable through all lifecycle events |
| Snapshot | Point-in-time disk backup | Snapshot is not a bootable image by itself in the same way an image is |
| Custom image | Reusable VM boot disk image | Good for consistent VM creation |
| Instance template | Defines VM configuration for MIGs | Immutable; create a new template for changes |
| Startup script | Bootstrap VM on boot/create | Not a full configuration management system |
| Metadata | VM/project metadata | Do not store secrets in plain metadata |
| Shielded VM | Integrity protections for VMs | Security feature, not an IAM substitute |
Managed instance group decisions
| Need | MIG feature |
|---|---|
| Replace unhealthy VMs | Autohealing with health check |
| Add/remove VMs based on demand | Autoscaling |
| Update a fleet gradually | Rolling update |
| Serve traffic through load balancer | Backend service uses instance group |
| Keep consistent VM config | Instance template |
Serverless deployment comparison
| Service | Deployable unit | Common trigger | Best fit |
|---|---|---|---|
| Cloud Run | Container image | HTTP, events, or jobs depending on configuration | Portable stateless services and APIs |
| Cloud Functions | Function source/code | HTTP or event trigger | Small event-driven units of logic |
| App Engine | Application source | HTTP app traffic | Managed web apps with minimal infrastructure control |
GKE essentials
| Kubernetes/GKE concept | What to know for ACE |
|---|---|
| Cluster | Control plane plus worker capacity. Regional/zonal choice affects availability and latency. |
| Node pool | Group of nodes with similar machine/config. Standard mode exposes more node management. |
| Autopilot | More Google-managed cluster/node operations. Less node-level control. |
| Pod | Smallest deployable Kubernetes unit. Usually managed by higher-level controllers. |
| Deployment | Manages replica rollout/rollback for stateless pods. |
| Service | Stable virtual endpoint for pods. Types include internal and external exposure patterns. |
| Ingress / Gateway | HTTP(S) routing into services. Often integrates with load balancing. |
| ConfigMap | Non-secret configuration. |
| Kubernetes Secret | Kubernetes-native secret object; not the same as Secret Manager. |
| Workload Identity Federation for GKE | Preferred way for pods to access Google Cloud APIs without service account key files. |
Useful GKE commands:
```bash
gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project PROJECT_ID
kubectl get pods -A
kubectl get services -A
kubectl describe pod POD_NAME -n NAMESPACE
kubectl logs POD_NAME -n NAMESPACE
kubectl rollout status deployment/DEPLOYMENT_NAME -n NAMESPACE
```
Deployment command patterns
## Compute Engine VM
```bash
gcloud compute instances create VM_NAME \
  --zone ZONE \
  --machine-type MACHINE_TYPE \
  --image-family IMAGE_FAMILY \
  --image-project IMAGE_PROJECT \
  --service-account SERVICE_ACCOUNT_EMAIL
```
## Cloud Run service
```bash
gcloud run deploy SERVICE_NAME \
  --image REGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG \
  --region REGION
```
## App Engine app
```bash
gcloud app deploy
```
## Cloud Functions
```bash
gcloud functions deploy FUNCTION_NAME \
  --gen2 \
  --runtime RUNTIME \
  --region REGION \
  --source . \
  --entry-point ENTRY_POINT \
  --trigger-http
```
Storage, databases, and analytics
Storage service selection
| Requirement | Choose | Why | Avoid / trap |
|---|---|---|---|
| Object storage for images, backups, static assets | Cloud Storage | Durable object storage with buckets and lifecycle rules | Not a mounted POSIX file system by default |
| Block disk for VM | Persistent Disk | VM-attached durable block storage | Not independent object storage |
| Shared file system for applications | Filestore | Managed NFS file storage | Not a relational database |
| Ephemeral high-speed scratch disk | Local SSD | High I/O temporary storage | Data loss risk on certain VM events |
| Long-term object retention / archive | Cloud Storage lifecycle + colder storage classes | Lower storage cost for infrequent access | Retrieval/access patterns matter |
| Static website assets | Cloud Storage, often with load balancing/CDN pattern | Simple object hosting | Dynamic application logic needs compute |
Cloud Storage quick reference
| Feature | Use | Exam trap |
|---|---|---|
| Bucket | Container for objects | Bucket names are globally unique |
| Object | Stored file/blob | Objects are not edited in-place like normal files |
| Location | Region, dual-region, or multi-region | Choose based on latency, availability, data locality |
| Storage class | Cost/access optimization | Do not choose archive class for frequently accessed data |
| Lifecycle rule | Automatically transition/delete objects | Good for cost control and retention workflows |
| Object versioning | Keep older versions | Can increase storage usage |
| Uniform bucket-level access | IAM-based bucket/object access model | Avoid mixing legacy ACL expectations |
| Signed URL | Temporary access to an object | Does not require making bucket public |
| Retention policy | Prevent deletion/modification for retention period | Different from lifecycle deletion |
Cloud Storage commands:
```bash
gcloud storage buckets create gs://BUCKET_NAME --location=REGION --uniform-bucket-level-access
gcloud storage cp FILE_NAME gs://BUCKET_NAME/PREFIX/
gcloud storage ls gs://BUCKET_NAME
gcloud storage rm gs://BUCKET_NAME/PREFIX/OBJECT_NAME
```
Database and data service selection
| Requirement | Choose | Why | Avoid / trap |
|---|---|---|---|
| Managed relational database for common apps | Cloud SQL | MySQL, PostgreSQL, SQL Server managed service | Not designed for unlimited horizontal/global relational scale |
| Globally scalable relational database | Spanner | Relational schema, strong consistency, horizontal scale | Overkill for small/simple relational workloads |
| Document database for app/mobile/serverless data | Firestore | NoSQL document model, serverless | Not relational joins/complex SQL analytics |
| Very large low-latency wide-column workloads | Bigtable | Time series, IoT, large analytical/operational key-value style | Not SQL OLTP; schema design is key |
| Serverless analytics warehouse | BigQuery | SQL analytics over large datasets | Not transactional OLTP |
| In-memory cache | Memorystore | Managed Redis/Memcached-compatible caching options | Cache is not the source of truth |
| Messaging/event ingestion | Pub/Sub | Decouple producers/consumers, async events | Design consumers to handle redelivery/idempotency |
| Stream/batch data processing | Dataflow | Apache Beam managed processing | More appropriate for pipelines than simple queries |
| Managed Spark/Hadoop | Dataproc | Lift/operate Spark/Hadoop-style jobs | Not the first choice for serverless SQL analytics |
| Workflow orchestration | Workflows or Cloud Composer | Service orchestration or Airflow DAGs | Pub/Sub is messaging, not full workflow orchestration |
BigQuery quick reference
| Concept | Know this |
|---|---|
| Dataset | Access and location boundary for tables/views |
| Table | Structured analytical data |
| Job | Query/load/extract/copy execution unit |
| SQL dialect | Standard SQL is generally preferred |
| Access | Project-level job permission plus dataset/table data permission may both be required |
| Cost control | Partitioning, clustering, selective queries, budgets/alerts, query review |
| Trap | BigQuery is for analytics, not low-latency row-by-row OLTP |
Example:
```bash
bq query --use_legacy_sql=false \
'SELECT name, COUNT(*) AS total
FROM `PROJECT_ID.DATASET.TABLE`
GROUP BY name
ORDER BY total DESC
LIMIT 10'
```
Networking and connectivity
VPC essentials
| Concept | Quick reference | Exam trap |
|---|---|---|
| VPC network | Global logical network | Subnets are regional |
| Subnet | Regional IP range inside a VPC | Resources must be in compatible region/network design |
| Custom mode VPC | You define subnets | Preferred for controlled production designs |
| Auto mode VPC | Google-created subnets | Convenient but less controlled |
| Routes | Determine next hop for traffic | Firewall allow does not help if route is missing |
| Firewall rule | Stateful allow/deny control for ingress/egress | Target tags/service accounts and priority matter |
| External IP | Public internet reachability | Avoid when private access is required |
| Cloud NAT | Outbound internet for private resources | Does not allow inbound connections |
| Private Google Access | Private VM access to Google APIs/services through internal IP path | Must be enabled on the subnet |
| Shared VPC | Central host project shares network to service projects | IAM separation between network and app teams |
| VPC Network Peering | Private RFC1918 connectivity between VPCs | Not transitive; overlapping ranges are a problem |
| Private Service Connect / private services access | Private access to supported producer or managed services | Different products use different private connectivity patterns |
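The firewall row above packs three rules of evaluation into one cell: rules are stateful, the lowest priority number wins, and target tags decide which instances a rule applies to at all. The following is an added example, not the Google Cloud firewall and not from this sheet: a small evaluator over constructed rules for a web tier and a database tier, falling through to the implied rules (deny ingress, allow egress) when nothing matches. Rule names, tags and subnet ranges are placeholders; the health-check probe ranges are the ones Google documents for its health checkers and should be verified against current documentation. Real rules also support service-account targets, port ranges and source tags, which this model omits.

```python
"""Model of VPC firewall rule evaluation: lowest priority number wins,
target tags limit applicability, unmatched traffic hits the implied rules.
Added example with constructed rules; not the Google Cloud firewall."""
import ipaddress
from dataclasses import dataclass, field

# Documented source ranges for Google Cloud health-check probes; verify against current docs.
HEALTH_CHECK_RANGES = ["35.191.0.0/16", "130.211.0.0/22"]


@dataclass
class Rule:
    name: str
    direction: str                   # "INGRESS" or "EGRESS"
    action: str                      # "allow" or "deny"
    priority: int                    # 0-65535; a lower number takes precedence
    protocol: str                    # "tcp", "udp", "icmp" or "all"
    ports: set = field(default_factory=set)          # empty = every port
    ranges: list = field(default_factory=list)       # source (ingress) / destination (egress) CIDRs
    target_tags: set = field(default_factory=set)    # empty = applies to every instance


def rule_matches(rule, direction, peer_ip, protocol, port, instance_tags) -> bool:
    """Does this rule apply to this instance and describe this connection?"""
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & instance_tags):
        return False                 # rule does not apply to this instance at all
    if rule.protocol not in ("all", protocol):
        return False
    if rule.ports and port not in rule.ports:
        return False
    if rule.ranges:
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in ipaddress.ip_network(r) for r in rule.ranges)
    return True


def evaluate(rules, direction, peer_ip, protocol, port, instance_tags) -> tuple:
    """Return (action, rule_name) for one new connection; replies are allowed statefully."""
    hits = [r for r in rules if rule_matches(r, direction, peer_ip, protocol, port, instance_tags)]
    # Lowest priority number wins; at equal priority a deny beats an allow.
    hits.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    if hits:
        return hits[0].action, hits[0].name
    # Implied rules at priority 65535: ingress is denied, egress is allowed.
    if direction == "INGRESS":
        return "deny", "implied-deny-ingress"
    return "allow", "implied-allow-egress"


# Constructed rule set for a web tier (tag "web") and a database tier (tag "db").
SAMPLE_RULES = [
    Rule("allow-health-check-probes", "INGRESS", "allow", 1000, "tcp", {8080},
         HEALTH_CHECK_RANGES, {"web"}),
    Rule("allow-app-subnet-to-db", "INGRESS", "allow", 1000, "tcp", {5432},
         ["10.0.1.0/24"], {"db"}),
    Rule("deny-everything-else-to-db", "INGRESS", "deny", 1100, "tcp", set(),
         ["0.0.0.0/0"], {"db"}),
]

if __name__ == "__main__":
    cases = [("INGRESS", "35.191.10.20", "tcp", 8080, {"web"}),
             ("INGRESS", "35.191.10.20", "tcp", 8080, {"api"}),   # mistagged instance
             ("INGRESS", "10.0.1.5", "tcp", 5432, {"db"}),
             ("INGRESS", "10.0.2.5", "tcp", 5432, {"db"}),
             ("EGRESS", "203.0.113.9", "tcp", 443, {"web"})]
    for case in cases:
        print(case, "->", evaluate(SAMPLE_RULES, *case))
```

The mistagged-instance case is the one that bites in the "health checks fail" row of the troubleshooting checklist: the allow rule exists and the probe range is right, but the VM carries a different tag, so the probe falls through to the implied deny.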
Private connectivity chooser
| Need | Choose |
|---|---|
| Private VM needs outbound internet updates | Cloud NAT |
| Private VM needs Cloud Storage, BigQuery, or other Google APIs | Private Google Access, plus IAM |
| On-premises network to Google Cloud over encrypted internet tunnel | Cloud VPN |
| On-premises network to Google Cloud with dedicated connectivity | Cloud Interconnect option |
| Central networking team manages VPC, app teams deploy in separate projects | Shared VPC |
| Two VPCs need private connectivity | VPC Network Peering, if non-overlapping and non-transitive design is acceptable |
| Serverless service needs private VPC resources | Serverless VPC Access or direct VPC egress where supported |
Load balancing quick reference
| Requirement | Choose | Notes |
|---|---|---|
| External HTTP(S) app | External Application Load Balancer | URL maps, host/path routing, managed certs, Cloud CDN, Cloud Armor patterns |
| Internal HTTP(S) app | Internal Application Load Balancer | Private L7 routing inside VPC |
| TCP/UDP traffic | Network load balancer option | L4 traffic patterns |
| Internal private TCP/UDP service | Internal load balancer | Private service exposure inside VPC |
| Global static frontend for web app | Global external Application Load Balancer pattern | Often paired with MIGs, Cloud Run/serverless NEG, buckets, or backends |
| Content caching | Cloud CDN with supported load balancing backend | CDN is not a database cache |
Network troubleshooting checklist
| Symptom | Check first | Likely fix |
|---|---|---|
| VM cannot reach internet | External IP or Cloud NAT, route, egress firewall, DNS | Add Cloud NAT or correct routing/firewall |
| VM cannot reach Google APIs without external IP | Private Google Access on subnet, DNS, IAM | Enable Private Google Access and grant IAM |
| App cannot receive traffic | Load balancer frontend/backend, firewall, health check, service port | Open correct firewall path and fix backend health |
| Health checks fail | Health check path/port/protocol, app listener, firewall allowing probes | Align health check with app and allow health check traffic |
| VPC peering fails | IP overlap, routes, non-transitive assumption | Redesign CIDR or connectivity model |
| Cloud Run cannot reach private DB | VPC egress connector/direct egress, DB private IP, firewall | Configure supported serverless-to-VPC path |
| DNS name resolves incorrectly | Cloud DNS zone, record, split-horizon/private zone | Correct managed zone or record scope |
Security, secrets, and governance
Security service selection
| Need | Use | Trap |
|---|---|---|
| Store API keys/passwords | Secret Manager | Do not store secrets in source code, metadata, or plain env vars |
| Manage encryption keys | Cloud KMS | IAM on key is separate from IAM on encrypted resource |
| Customer-managed encryption key | CMEK with supported service | Must grant service agent access to use the key |
| Audit administrative activity | Cloud Audit Logs | Data Access logs may need explicit consideration |
| Enforce org-wide constraints | Organization Policy Service | IAM grants may still be limited by org policy |
| Protect web apps from common attacks | Cloud Armor with supported load balancer | Firewall rules are not L7 WAF rules |
| Manage certificates | Google-managed certificates / Certificate Manager patterns | Certificate lifecycle differs from DNS and LB config |
| Discover asset/config inventory | Cloud Asset Inventory | Not the same as live monitoring metrics |
Audit log categories
| Audit log type | What it captures |
|---|---|
| Admin Activity | Administrative changes to resources |
| Data Access | Reads/writes of user data where enabled/applicable |
| System Event | Google Cloud system actions that affect resources |
| Policy Denied | Access denied by policy controls |
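The four categories above are told apart by the suffix of the entry's `logName`, and the "who changed something" question from the IAM decision table is answered from the `protoPayload` of Admin Activity entries. The following is an added example, not from this sheet or any Google library: it parses constructed audit log entries in the LogEntry JSON shape that `gcloud logging read --format=json` returns, classifies them, and lists successful administrative changes to a resource separately from denied attempts. The project name, bucket, instance and principals are placeholders.

```python
"""Parse Cloud Audit Log entries to classify them and answer "who changed this?".
Added example over constructed entries; names and principals are placeholders."""
import json

# Log name suffix -> audit log category.
AUDIT_LOG_CATEGORIES = {
    "cloudaudit.googleapis.com%2Factivity": "Admin Activity",
    "cloudaudit.googleapis.com%2Fdata_access": "Data Access",
    "cloudaudit.googleapis.com%2Fsystem_event": "System Event",
    "cloudaudit.googleapis.com%2Fpolicy": "Policy Denied",
}

# Constructed entries, trimmed to the fields used below.
SAMPLE_ENTRIES_JSON = """[
 {"timestamp": "2024-01-01T10:00:00Z",
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
     "methodName": "SetIamPolicy", "resourceName": "projects/my-project",
     "authenticationInfo": {"principalEmail": "alice@example.com"},
     "authorizationInfo": [{"permission": "resourcemanager.projects.setIamPolicy", "granted": true}]}},
 {"timestamp": "2024-01-01T10:05:00Z",
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {"serviceName": "storage.googleapis.com",
     "methodName": "storage.objects.get",
     "resourceName": "projects/_/buckets/my-bucket/objects/report.csv",
     "authenticationInfo": {"principalEmail": "bob@example.com"},
     "authorizationInfo": [{"permission": "storage.objects.get", "granted": true}]}},
 {"timestamp": "2024-01-01T10:07:00Z",
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {"serviceName": "compute.googleapis.com",
     "methodName": "v1.compute.instances.delete",
     "resourceName": "projects/my-project/zones/us-central1-a/instances/web-1",
     "authenticationInfo": {"principalEmail": "mallory@example.com"},
     "authorizationInfo": [{"permission": "compute.instances.delete", "granted": false}]}},
 {"timestamp": "2024-01-01T10:09:00Z",
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
  "protoPayload": {"serviceName": "compute.googleapis.com",
     "methodName": "compute.instances.migrateOnHostMaintenance",
     "resourceName": "projects/my-project/zones/us-central1-a/instances/web-1",
     "authenticationInfo": {"principalEmail": "system@google.com"}}}
]"""


def category(entry: dict) -> str:
    """Map the log name suffix to one of the four audit log categories."""
    suffix = entry["logName"].rsplit("/logs/", 1)[-1]
    return AUDIT_LOG_CATEGORIES.get(suffix, "Other")


def summarize(entry: dict) -> dict:
    """Pull out the fields an investigator reads first."""
    payload = entry["protoPayload"]
    # An entry with no authorizationInfo (e.g. a system event) is treated as granted.
    granted = all(a.get("granted", False)
                  for a in payload.get("authorizationInfo", [{"granted": True}]))
    return {"time": entry["timestamp"], "category": category(entry),
            "principal": payload["authenticationInfo"]["principalEmail"],
            "method": payload["methodName"], "resource": payload["resourceName"],
            "granted": granted}


def who_changed(entries, resource_fragment: str) -> list:
    """Successful Admin Activity entries touching a resource; application logs cannot answer this."""
    return [s for s in map(summarize, entries)
            if s["category"] == "Admin Activity" and s["granted"]
            and resource_fragment in s["resource"]]


def denied_attempts(entries) -> list:
    return [s for s in map(summarize, entries) if not s["granted"]]


def count_by_category(entries) -> dict:
    counts = {}
    for e in entries:
        counts[category(e)] = counts.get(category(e), 0) + 1
    return counts


def load_sample() -> list:
    return json.loads(SAMPLE_ENTRIES_JSON)


if __name__ == "__main__":
    entries = load_sample()
    print(count_by_category(entries))
    print(who_changed(entries, "projects/my-project"))
    print(denied_attempts(entries))
```

Note that the denied deletion attempt is excluded from `who_changed` but surfaces in `denied_attempts`; both views come from the same Admin Activity log, which is on by default, whereas the Data Access entry would only exist if Data Access logging had been enabled for that service.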
Governance and cost controls
| Need | Tool / pattern | Exam note |
|---|---|---|
| Group resources for billing/reporting | Labels | Labels are not IAM and do not create hierarchy |
| Enforce location or service restrictions | Organization policies | Usually configured above project level |
| Notify about spend | Budgets and alerts | Alerts notify; they are not a simple hard spending cap |
| Analyze detailed billing | Cloud Billing export to BigQuery | Good for custom cost reporting |
| Separate environments | Separate projects, folders, or both | Stronger boundary than labels |
| Control resource consumption | Quotas | Quotas are not permissions |
| Reduce compute cost for steady workloads | Committed-use or rightsizing patterns | Do not sacrifice required availability/performance |
| Reduce fault-tolerant batch cost | Spot/preemptible compute | Must tolerate interruption |
Operations, observability, and troubleshooting
Observability service selection
| Need | Use | Notes |
|---|---|---|
| Metrics and dashboards | Cloud Monitoring | CPU, uptime, service metrics, custom metrics |
| Alert on conditions | Cloud Monitoring alerting policy | Alerts need notification channels and useful thresholds |
| Logs search and analysis | Cloud Logging Logs Explorer | Filter by resource, severity, labels, trace |
| Export logs | Log sinks to BigQuery, Cloud Storage, Pub/Sub, or another destination | Sink destination needs permissions |
| Create metrics from logs | Logs-based metrics | Useful when metric is only visible in logs |
| VM system/application metrics | Ops Agent | Install/configure on supported VMs when needed |
| Error aggregation | Error Reporting | Good for application exceptions |
| Latency tracing | Cloud Trace | Requires app/framework integration for best value |
| Deployment/build history | Cloud Build logs, Cloud Deploy records, service revision history | Start with the service-specific activity/logs |
Example log query:
```bash
gcloud logging read \
  'resource.type="gce_instance" AND severity>=ERROR' \
  --limit=20 \
  --format=json
```
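The `severity>=ERROR` clause in that query compares positions on Cloud Logging's severity ladder rather than strings, and the "create metrics from logs" row above is just a count over the same filtered set. The following is an added example, not from this sheet or from Google's tooling: it applies the two clauses of the query to constructed log entries in memory and derives the per-instance error count a logs-based counter metric would report. Real filtering happens server side and the Logging query language is much richer than these two clauses; the instance IDs and payloads are placeholders.

```python
"""In-memory equivalent of resource.type="gce_instance" AND severity>=ERROR,
plus a logs-based counter metric over the result. Added example; entries are constructed."""

# Cloud Logging severity ladder, lowest to highest.
SEVERITY_ORDER = ["DEFAULT", "DEBUG", "INFO", "NOTICE", "WARNING",
                  "ERROR", "CRITICAL", "ALERT", "EMERGENCY"]

# Constructed entries in the (trimmed) shape `gcloud logging read --format=json` returns.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-01-01T10:00:00Z", "severity": "WARNING",
     "resource": {"type": "gce_instance", "labels": {"instance_id": "111"}},
     "textPayload": "disk 85% full"},
    {"timestamp": "2024-01-01T10:01:00Z", "severity": "ERROR",
     "resource": {"type": "gce_instance", "labels": {"instance_id": "111"}},
     "textPayload": "app: connection refused to 10.0.2.5:5432"},
    {"timestamp": "2024-01-01T10:02:00Z", "severity": "CRITICAL",
     "resource": {"type": "gce_instance", "labels": {"instance_id": "222"}},
     "textPayload": "startup-script exited with code 1"},
    {"timestamp": "2024-01-01T10:03:00Z", "severity": "ERROR",
     "resource": {"type": "cloud_run_revision", "labels": {"service_name": "api"}},
     "textPayload": "container failed to start"},
    {"timestamp": "2024-01-01T10:04:00Z", "severity": "ERROR",
     "resource": {"type": "gce_instance", "labels": {"instance_id": "111"}},
     "textPayload": "app: connection refused to 10.0.2.5:5432"},
]


def severity_at_least(severity: str, threshold: str) -> bool:
    """severity>=ERROR means "ERROR or anything above it on the ladder"."""
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(threshold)


def filter_entries(entries, resource_type="gce_instance", min_severity="ERROR", limit=20) -> list:
    """Apply both clauses of the query and --limit, newest entries first as gcloud returns them."""
    matched = [e for e in entries
               if e["resource"]["type"] == resource_type
               and severity_at_least(e.get("severity", "DEFAULT"), min_severity)]
    matched.sort(key=lambda e: e["timestamp"], reverse=True)
    return matched[:limit]


def errors_per_instance(entries) -> dict:
    """What a logs-based counter metric labelled by instance_id would report for this window."""
    counts = {}
    for e in filter_entries(entries, limit=len(entries)):
        instance_id = e["resource"]["labels"]["instance_id"]
        counts[instance_id] = counts.get(instance_id, 0) + 1
    return counts


if __name__ == "__main__":
    for e in filter_entries(SAMPLE_ENTRIES):
        print(e["timestamp"], e["severity"], e["resource"]["labels"], e["textPayload"])
    print(errors_per_instance(SAMPLE_ENTRIES))
```

The WARNING entry and the Cloud Run entry drop out for different reasons (severity and resource type respectively), which is the distinction the "logs missing" row of the troubleshooting table asks you to check before suspecting the agent.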
Troubleshooting decision table
| Problem | Check | Practical fix |
|---|---|---|
| PERMISSION_DENIED | Active identity, project, IAM role, inherited deny/org policy, service account | Grant least-privilege role at correct scope |
| API has not been used or service unavailable | API enabled in current project | Enable required API |
| Resource not found | Project, region, zone, name | Use explicit --project, --region, --zone |
| Cloud Run returns 403 | Invoker IAM, authentication setting, ingress setting | Grant invoker or adjust auth/ingress appropriately |
| Cloud Run revision not serving | Container port, startup failure, env vars/secrets, logs | Fix container and redeploy |
| GKE pod pending | Node capacity, scheduling constraints, quotas | Resize node pool or adjust requests/constraints |
| GKE image pull error | Image path, Artifact Registry IAM, tag exists | Grant reader role to runtime identity and correct image name |
| MIG instances keep recreating | Health check failing, startup script failure, app not listening | Fix startup/app health endpoint/firewall |
| BigQuery query denied | Job permission on project, data permission on dataset/table | Grant correct BigQuery roles at correct scope |
| Logs missing | Wrong resource filter, severity, log exclusion, agent not installed | Adjust query/sink/agent configuration |
| High latency | Region distance, load balancer backend health, database location, autoscaling | Co-locate services and tune scaling/backends |
CI/CD and artifacts
| Requirement | Choose | Notes |
|---|---|---|
| Store container images and packages | Artifact Registry | Grant runtime service account read access |
| Build from source | Cloud Build | Uses build steps and service account permissions |
| Trigger build on repository changes | Cloud Build trigger | Requires source connection and IAM |
| Deploy to Cloud Run/GKE/App Engine | Cloud Build step or service-specific deploy command | Build identity needs deploy permissions |
| Progressive delivery | Cloud Deploy | More relevant for release pipelines than one-off deploys |
Example minimal build/deploy pattern:
```yaml
steps:
- name: gcr.io/cloud-builders/docker
  args: ["build", "-t", "REGION-docker.pkg.dev/PROJECT_ID/REPO/APP:$COMMIT_SHA", "."]
- name: gcr.io/cloud-builders/docker
  args: ["push", "REGION-docker.pkg.dev/PROJECT_ID/REPO/APP:$COMMIT_SHA"]
- name: gcr.io/google.com/cloudsdktool/cloud-sdk
  args:
  - "gcloud"
  - "run"
  - "deploy"
  - "SERVICE_NAME"
  - "--image=REGION-docker.pkg.dev/PROJECT_ID/REPO/APP:$COMMIT_SHA"
  - "--region=REGION"
```
Backup, availability, and recovery patterns
| Resource type | Common protection pattern | Exam note |
|---|---|---|
| Compute Engine boot/data disk | Snapshots, images, managed instance groups | Snapshot for backup; image for reusable boot baseline |
| Stateless web tier | MIG across zones, load balancing, health checks | Replace instances instead of repairing manually |
| Cloud SQL | Automated backups, point-in-time recovery where configured, HA/read replicas as needed | Backups and replicas solve different problems |
| Cloud Storage | Versioning, retention policy, lifecycle rules, dual/multi-region if needed | Versioning can increase cost |
| GKE app | Kubernetes manifests, container images, backups for stateful data | Recreate stateless workloads from config |
| BigQuery | Table snapshots, copies, or exports depending on the requirement | Dataset location and access matter |
| Pub/Sub consumers | Idempotent processing and retry handling | Messages may be delivered more than once |
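The last row above is the one that most often surprises people in production: Pub/Sub delivers at least once, so the same message can arrive twice and a consumer that is not idempotent applies its side effect twice. The following is an added example, not from this sheet or from the Pub/Sub client library: a consumer that records message IDs only after its side effect is committed, acknowledges duplicates without reapplying them, and nacks malformed messages so they are redelivered. Delivery is simulated in memory with constructed messages; a real subscriber would use the google-cloud-pubsub client and keep the processed-ID record in a durable store (such as a database table keyed by message ID) rather than an in-process set.

```python
"""Idempotent consumer for at-least-once delivery, with redelivery simulated in memory.
Added example with constructed messages; not the Pub/Sub client library."""
import json


class LedgerConsumer:
    def __init__(self):
        self.balances = {}          # account -> balance: the side effect we must not double-apply
        self.processed = set()      # message IDs whose effect has been committed
        self.attempts = {}          # message ID -> delivery count, for inspection

    def handle(self, message: dict) -> str:
        """Return "ack" or "nack", the decision a subscriber callback has to make."""
        mid = message["message_id"]
        self.attempts[mid] = self.attempts.get(mid, 0) + 1
        if mid in self.processed:
            return "ack"            # redelivery of work already done: acknowledge, do not reapply
        try:
            event = json.loads(message["data"])
            account, amount = event["account"], event["amount"]
        except (ValueError, KeyError):
            return "nack"           # malformed: let Pub/Sub redeliver (or dead-letter it)
        self.balances[account] = self.balances.get(account, 0) + amount
        self.processed.add(mid)     # record only after the effect succeeded
        return "ack"


def simulate(consumer: LedgerConsumer, deliveries, max_attempts: int = 3) -> list:
    """Feed deliveries in order, redelivering nacked messages, and return (id, outcome) pairs."""
    outcomes = []
    queue = list(deliveries)
    while queue:
        msg = queue.pop(0)
        outcome = consumer.handle(msg)
        outcomes.append((msg["message_id"], outcome))
        if outcome == "nack" and consumer.attempts[msg["message_id"]] < max_attempts:
            queue.append(msg)       # Pub/Sub would redeliver after the ack deadline expires
    return outcomes


# Constructed deliveries: message 1 arrives twice, message 3 is malformed.
SAMPLE_DELIVERIES = [
    {"message_id": "1", "data": json.dumps({"account": "A", "amount": 100})},
    {"message_id": "2", "data": json.dumps({"account": "A", "amount": 50})},
    {"message_id": "1", "data": json.dumps({"account": "A", "amount": 100})},
    {"message_id": "3", "data": "not json"},
]


def run_sample() -> LedgerConsumer:
    consumer = LedgerConsumer()
    simulate(consumer, SAMPLE_DELIVERIES)
    return consumer


if __name__ == "__main__":
    c = LedgerConsumer()
    for mid, outcome in simulate(c, SAMPLE_DELIVERIES):
        print(mid, outcome)
    print(c.balances, c.attempts)
```

The ordering inside `handle` is the point: if the ID were recorded before the balance update and the process crashed in between, the redelivery would be acknowledged as a duplicate and the deposit lost; recording it afterwards means a crash leads at worst to a redelivery that is then correctly deduplicated.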
Exam traps to review before practice
| Trap | Correct exam instinct |
|---|---|
| “Give Owner so it works” | Use least-privilege predefined role at the narrowest useful scope |
| Confusing deployer identity with runtime identity | Check both user permissions and service account permissions |
| Confusing IAM with network access | IAM authorizes API/resource actions; firewall/routes authorize network paths |
| Cloud NAT for inbound traffic | Cloud NAT is outbound only |
| Private Google Access as general internet access | It is for private access to Google APIs/services, not arbitrary public sites |
| BigQuery for transactional app backend | Use Cloud SQL, Spanner, Firestore, or Bigtable based on data model |
| Cloud Storage as POSIX shared file system | Use Filestore for managed NFS file workloads |
| Labels as security boundary | Labels help organize/report; IAM/projects/folders enforce access boundaries |
| Budget alert as hard cap | Budgets alert; use quotas, policies, and automation for stronger controls |
| Service account key as default solution | Prefer attached service account, impersonation, or federation |
| Wrong region/zone/project | Make location and project explicit in commands and troubleshooting |
| Health check failure blamed only on load balancer | Check app listener, firewall, route, startup time, and health path |
Final ACE review checklist
Before taking ACE practice sets, verify you can quickly answer:
- Which Google Cloud compute service fits VM, container, function, PaaS, and Kubernetes requirements.
- How to configure gcloud project, region, zone, authentication, and API enablement.
- How IAM inheritance, predefined roles, service accounts, and impersonation differ.
- When to use Cloud NAT, Private Google Access, VPC peering, Shared VPC, VPN, and Interconnect.
- Which storage/database service fits object, block, file, relational, document, wide-column, cache, and analytics workloads.
- How to troubleshoot permission, project/location, health check, serverless, GKE, and logging issues.
- How Cloud Monitoring, Cloud Logging, audit logs, alerts, and log sinks support operations.
- How labels, budgets, quotas, org policies, and billing export support governance and cost visibility.
Next step
Use this Quick Reference as a checklist, then drill mixed ACE practice questions that force service selection, IAM troubleshooting, networking decisions, and command-line configuration under time pressure.