The Google Associate Cloud Engineer (ACE) is the credential that says “I can deploy and operate things on Google Cloud.” Unlike AWS's Solutions Architect or Cloud Practitioner, ACE leans heavily on hands-on operational tasks — gcloud CLI commands, GKE cluster operations, IAM role assignments, monitoring and logging configuration. If you have never run a real GCP workload, the exam will catch you out.
This roadmap is built from 500 questions in Certsly's ACE bank, mapped to Google's published exam guide. It covers the five exam domains, the GCP services you must know cold, the trap-question patterns we see, and a study plan calibrated to ACE's real difficulty (Google's questions tend to be longer-prose and more scenario-heavy than AWS's).
Why ACE matters in 2026
Google Cloud is the third major hyperscaler and has carved out clear strongholds in data analytics (BigQuery), Kubernetes (GKE was the first managed Kubernetes service and remains the most mature), and AI/ML (Vertex AI plus access to Google's Gemini models). Many engineering teams in 2026 run hybrid stacks — AWS for general compute, GCP for data warehousing or ML, sometimes Azure for the Microsoft-tied workloads. Engineers who can move comfortably between providers are in short supply.
ACE is the credential that opens the GCP side of that door. It signals you can take a Terraform plan or a deploy spec and turn it into a working GCP environment without hand-holding. Hiring managers screening for SRE, DevOps, and platform engineering roles weight ACE strongly when the JD mentions GCP. For someone already AWS-certified, ACE is one of the highest-ROI second certs you can hold.
The 12 GCP services you must know cold
ACE is wide rather than deep. You do not need to be a GKE expert, but you need to know what each of these services does, when to pick it, and the most common gcloud commands.
- Compute Engine — VMs, machine types, preemptible/spot VMs, instance groups, custom images, startup scripts
- Google Kubernetes Engine (GKE) — clusters, node pools, Autopilot vs Standard, workload identity, regional vs zonal clusters
- Cloud Run — fully managed containers, services vs jobs, revisions, traffic splitting, concurrency settings
- App Engine — standard vs flexible environment, versions, traffic splitting (legacy but still on exam)
- Cloud Functions — gen 1 vs gen 2 (gen 2 runs on Cloud Run infrastructure), triggers, environment variables
- Cloud Storage — buckets, storage classes (Standard, Nearline, Coldline, Archive), object lifecycle policies, signed URLs, IAM vs ACLs
- Cloud SQL — managed MySQL/Postgres/SQL Server, read replicas, automated backups, HA configurations
- BigQuery — datasets, tables, query patterns, slot pricing vs on-demand, partitioning and clustering
- Cloud Pub/Sub — topics, subscriptions (push vs pull), dead-letter topics, ordering keys
- VPC — subnets, firewall rules, routes, peering, Shared VPC, Private Google Access, Cloud NAT
- Cloud IAM — roles (primitive, predefined, custom), service accounts, conditional bindings, IAM policy hierarchy
- Cloud Monitoring + Cloud Logging — workspaces, metrics, alerts, log sinks (Pub/Sub, BigQuery, Cloud Storage)
You should be able to write a one-line gcloud command to create, list, or modify each of these. If you cannot do that today, schedule hands-on CLI time before booking the exam.
What ACE actually tests
Five domains. Google publishes weights as percentages of total scoring:
| # | Domain | Weight | ~Questions |
|---|---|---|---|
| 1 | Setting up a cloud solution environment | 17.5% | 9 |
| 2 | Planning and configuring a cloud solution | 17.5% | 9 |
| 3 | Deploying and implementing a cloud solution | 25% | 12 |
| 4 | Ensuring successful operation of a cloud solution | 20% | 10 |
| 5 | Configuring access and security | 20% | 10 |
Domain 3 is the largest and the most hands-on. Domains 4 and 5 combined are 40 percent — operating and securing, which is where ACE diverges most from Cloud Digital Leader.
Domain 1 — Setting up a cloud solution environment (17.5%)
This domain is about getting GCP itself ready before you deploy anything.
What gets tested:
- Organisation → folder → project hierarchy and resource inheritance
- Billing: linking projects to billing accounts, billing alerts, budget exports to BigQuery
- Enabling APIs:
gcloud services enable - Cloud SDK installation and configuration:
gcloud init,gcloud auth login,gcloud config set project - Cloud Shell vs local SDK (when to use which)
Trap pattern we see most: quota questions. Google has three types of quotas: project-level, region-level, and global. The exam will give a scenario like “an instance group autoscaler stopped scaling at 20 VMs” and the answer is “regional CPU quota was hit, not project quota.” Memorise the distinction or you will lose easy points.
Domain 2 — Planning and configuring a cloud solution (17.5%)
Resource sizing and cost planning.
What gets tested:
- Choosing compute: when GCE, when GKE, when Cloud Run, when App Engine, when Cloud Functions
- Machine type families (e2, n2, n2d, c2, c3) and use cases
- Storage class selection: Standard (frequent), Nearline (~once a month), Coldline (~once a quarter), Archive (~once a year)
- Network sizing: VPC subnet sizing, regional vs global resources, choosing where to put load balancers
- Cost optimisation patterns: committed use discounts, sustained use discounts, preemptible/spot VMs, autoscaling configuration
Trap pattern: Compute selection. The exam loves scenarios where two services could work. Memorise these defaults:
- “HTTP-triggered, scales to zero, no infrastructure to manage” → Cloud Run
- “Existing Kubernetes manifests, need orchestration” → GKE
- “Event-driven, single-purpose function” → Cloud Functions Gen 2
- “Long-running, full OS control needed” → Compute Engine
- “Java/Python/Go app with no infrastructure ops” → App Engine
If the scenario says “lowest operational overhead” or “serverless,” start with Cloud Run or Cloud Functions. If it says “container orchestration at scale” or mentions Helm charts or DaemonSets, GKE is the answer.
Domain 3 — Deploying and implementing a cloud solution (25%)
The largest domain. Hands-on deployment and configuration.
What gets tested:
- Deploying VMs: instance templates, managed/unmanaged instance groups, regional vs zonal placement
- Deploying to GKE: clusters, node pools, deployments, services (ClusterIP, NodePort, LoadBalancer), Ingress, Horizontal Pod Autoscaler
- Deploying to Cloud Run: revisions, traffic splits, canary releases, min/max instances
- Configuring networking: VPCs, subnets, firewall rules (ingress vs egress, by network tag, by service account, by source range)
- Configuring Cloud Storage: bucket creation, lifecycle policies, signed URLs, IAM bindings, retention policies
- Configuring Cloud SQL: instance creation, HA configurations, read replicas, automated backups, point-in-time recovery
- BigQuery basics: dataset and table creation, loading data (from Cloud Storage, streaming, BigQuery Data Transfer), query patterns
Trap pattern: GKE Autopilot vs Standard. Autopilot manages nodes for you (you do not see them in gcloud compute instances list), bills per pod, and restricts which kubectl operations you can run. Standard gives you full node control and per-VM billing. If the scenario says “minimise cluster operations” or “reduce operational overhead,” the answer is Autopilot. If it says “need DaemonSets,” “privileged containers,” or “node-level access for a sidecar,” it is Standard.
Domain 4 — Ensuring successful operation (20%)
Monitoring, logging, and maintaining workloads in production.
What gets tested:
- Cloud Monitoring: workspaces, custom metrics, uptime checks, alert policies, notification channels (email, Slack, PagerDuty, SMS)
- Cloud Logging: log sinks (export to Pub/Sub, BigQuery, Cloud Storage), log-based metrics, retention periods
- Cloud Trace and Cloud Profiler (latency and CPU analysis — less common but tested)
- Managing compute: SSH into VMs (OS Login vs metadata SSH keys), startup scripts, shutdown scripts
- Managing storage: bucket permissions, object versioning, retention policies, lifecycle transitions
- Cost monitoring: BigQuery billing exports, budget alerts, the difference between budgets and quotas
Trap pattern: OS Login vs metadata-based SSH. Modern Google practice is OS Login (IAM-managed SSH access). The exam will have scenarios where you need to remove a former employee's SSH access — the OS Login answer is “revoke their IAM role”; the metadata SSH key answer is “edit project metadata to remove the key.” Both are valid but OS Login is the preferred Google practice and the typical exam answer.
Domain 5 — Configuring access and security (20%)
IAM, service accounts, and network security.
What gets tested:
- IAM roles: primitive (Owner, Editor, Viewer — avoid these), predefined (e.g.
roles/compute.instanceAdmin), custom roles - Service accounts: user-managed vs default, key rotation, service account impersonation
- Workload Identity: GKE pods authenticating as service accounts without downloading keys
- VPC firewall rules: priority ordering, direction (ingress/egress), target tags vs service accounts, source ranges
- Private Google Access + VPC Service Controls (data-exfiltration prevention)
- Cloud KMS: keyrings, keys, key rotation schedules, customer-managed encryption keys (CMEK) vs Google-managed
Trap pattern: Service account key management. Google's recommendation is avoid downloading service account keys — use Workload Identity (for GKE), short-lived tokens (impersonation), or attach service accounts directly to VMs and Cloud Run services. If a scenario describes “the developer downloaded a JSON key file,” that is almost always the wrong approach on the exam. Memorise: keyless is the default Google answer.
Sample question walkthrough
Sample Question (Domain 3 — GKE)
Your team wants to run a stateless web application on GKE. The team has no Kubernetes operations expertise and wants to minimise day-to-day cluster maintenance. The application does not need DaemonSets, privileged containers, or custom CNI plugins. Which cluster configuration should you choose?
- GKE Standard cluster, regional, with cluster autoscaler enabled
- GKE Autopilot cluster, regional
- GKE Standard cluster, zonal, with manual node-pool sizing
- Self-managed Kubernetes on Compute Engine VMs
Answer: B. The team wants minimal cluster ops and has no constraints requiring node-level access. Autopilot manages nodes for you, bills per pod, and is the lowest-ops GKE option. A is wrong because Standard still requires node-pool maintenance. C is worse: zonal + manual sizing adds operational burden. D is the most operationally expensive option.
Notice the question explicitly disqualifies Autopilot's limitations (no DaemonSets, no privileged containers, no custom CNI). That phrasing is the exam telling you “Autopilot is fine here.” If you missed that clause, you might have hedged toward Standard.
ACE vs Cloud Digital Leader — which to take?
Both are entry-level GCP certifications but they serve different audiences:
- Cloud Digital Leader (CDL) is the business-leader cert. It tests cloud value proposition, GCP product categories, and pricing/billing concepts. It does not require hands-on GCP usage. Roughly equivalent to AWS Cloud Practitioner. 90 minutes, ~50 questions, $99.
- Associate Cloud Engineer (ACE) is the engineer cert. It tests operational competence: actually deploying, configuring, and operating GCP workloads. Requires hands-on familiarity with the GCP console and gcloud CLI. 120 minutes, 50 questions, $200.
Take CDL if your role is sales, product management, or business analysis on cloud. Take ACE if you write deploy specs, run a GKE cluster, or operate the GCP control plane in any way. CDL is not a prerequisite for ACE.
6-week study plan
| Week | Focus | Hours | Practice Qs |
|---|---|---|---|
| 1 | Domain 1 + Domain 2 fundamentals. Set up free-tier GCP project, install gcloud CLI. | 8 | 50 |
| 2 | Compute services deep dive: GCE, GKE basics, Cloud Run, App Engine, Cloud Functions. | 10 | 75 |
| 3 | Storage and databases: Cloud Storage, Cloud SQL, BigQuery basics, Pub/Sub. | 10 | 75 |
| 4 | Networking: VPC, firewall rules, load balancers, Cloud NAT, peering. | 8 | 75 |
| 5 | IAM, service accounts, security, monitoring, logging. | 10 | 100 |
| 6 | Two full 50-Q timed mocks. Review weak topics. Drill Domain 3 if score < 80%. | 8 | 125 (2 mocks + drills) |
Total commitment: ~54 hours over 6 weeks plus the 500 Certsly questions and a free-tier GCP account for hands-on labs.
Hands-on labs you must do
Reading is not enough for ACE. Set aside time to actually run these labs in your free-tier GCP account before exam day:
- Create a project, link billing, enable Compute Engine API, launch and SSH into an e2-micro VM
- Build a custom VM image, create an instance template, deploy a managed instance group with autoscaling
- Create a GKE Autopilot cluster, deploy a 2-replica nginx Deployment, expose it via LoadBalancer service
- Deploy a containerised app to Cloud Run, split traffic 90/10 between two revisions
- Create a Cloud Storage bucket, set a lifecycle policy that transitions objects to Nearline after 30 days
- Create a Cloud SQL Postgres instance with a read replica, demonstrate failover
- Create a VPC with two subnets and a firewall rule that allows internal traffic only from specific tags
- Create a custom IAM role with two specific permissions, bind it to a service account, attach the SA to a VM
- Create an uptime check on a public URL with an email alert at 99% availability SLO
- Export logs to BigQuery with a log sink, run a SQL query against the exported logs
How to know you are ready
Score above 80 percent on full 50-question Certsly mocks (120-minute timer) across two attempts. Google's effective cut score is around 70 percent, but Certsly mocks are calibrated above exam difficulty so 80 percent on Certsly predicts a comfortable pass on the live ACE exam. If you are consistently in the 65 to 75 percent range, do another 100 questions and focus on Domains 3 and 5 (the biggest scoring weights).
Second signal: can you write — from memory, on paper — the gcloud commands to create a GKE cluster, deploy a workload, and expose it via a LoadBalancer? If yes, you are ready. If you find yourself googling flags mid-test, do more hands-on CLI time.
Common mistakes
- Studying without touching GCP. ACE is hands-on. Sign up for the free $300 trial and deploy a GKE cluster, a Cloud Run service, and a Cloud SQL instance. Concepts you read about make 5x more sense after you have done them once.
- Skipping gcloud CLI practice. Several ACE questions show a command and ask “what does this do” or “which flag is missing.” Memorise the common
gcloud compute,gcloud container,gcloud iam, andgsutilcommands. - Confusing primitive IAM with predefined IAM. Primitive (Owner, Editor, Viewer) is rarely the right answer — too broad. The expected answer is almost always a predefined role like
roles/compute.instanceAdminor a custom role. - Underestimating the time pressure. 50 questions in 120 minutes feels generous until you hit a 4-paragraph scenario question. Average ~2 minutes per question, flag the long ones, return at the end.
- Studying for Professional Cloud Architect by accident. ACE is operational (“how do I deploy / monitor / configure”). PCA is design (“which architecture should I choose, and why”). Stay on the operational lane.
- Skipping BigQuery basics. Several Domain 3 questions touch BigQuery loading and partitioning. You do not need to be a data engineer, but you need to know dataset/table/partition basics.
Frequently asked questions
How many questions are on the Google Associate Cloud Engineer (ACE) exam?
The ACE exam has 50 multiple-choice and multiple-select questions and a 120-minute time limit. The exam registration fee is $200. Google does not publish an exact passing score; community reports place it near 70 percent.
What is the passing score for the Google ACE exam?
Google does not publish an exact passing score for ACE or any of its associate or professional certifications. Community data and Google's own readiness assessments suggest a passing threshold near 70 percent. A safer readiness benchmark is consistently scoring above 80 percent on full-length practice exams.
How long should I study for the Google ACE exam?
With some prior cloud experience (any provider), 6 to 8 weeks of focused study (roughly 40 to 60 hours total) is typical. With no cloud background, plan on 8 to 12 weeks plus hands-on time in the GCP free tier. ACE is associate-tier so deeper architecture and security knowledge is not required.
Is the Google ACE certification worth it in 2026?
Yes for engineers, DevOps practitioners, and SREs working with or moving to Google Cloud. ACE validates operational competence with the GCP control plane (gcloud CLI, GKE, Cloud Run, IAM, VPC, Cloud Storage). It is the most relevant credential for junior to mid-level GCP roles and the prerequisite mindset for the Professional Cloud Architect (PCA) certification.
What is the difference between Google ACE and Cloud Digital Leader?
Cloud Digital Leader (CDL) is foundational and business-focused: cloud value proposition, GCP product categories, billing concepts. It is closer to AWS Cloud Practitioner. ACE is associate-tier and hands-on: actually deploying and operating GCP workloads. Take CDL if your role is sales, marketing, or business analysis on cloud. Take ACE if you deploy or operate things on GCP.
Do I need the gcloud CLI memorised for ACE?
You do not need to memorise every flag, but you need to recognise the common command patterns: gcloud compute instances create, gcloud container clusters create, gcloud iam service-accounts create, gcloud projects add-iam-policy-binding, gsutil cp. Several ACE questions show a command and ask either what it does or which flag is missing. Plan to spend at least 4 hours of practical CLI time during your study.
Ready to practise Google ACE?
30 free ACE questions — no signup, no credit card. Full 500-question bank is $11.99 lifetime, or $9.99/month Pro unlocks ACE plus every other Certsly certification.