⏳
Loading cheatsheet...
Structured prep notes, exam domains, architecture pointers, and revision checklist for GCP certifications.
| Level | Exam Code | Focus | Prerequisite |
|---|---|---|---|
| Foundational | GCP-CLF | Cloud concepts, billing, core GCP services | None |
| Associate — Cloud Engineer | GCP-ACE | Deploy apps, monitor, manage enterprise solutions | None (6+ mo recommended) |
| Professional — Architect | GCP-PCE | Design & plan GCP solutions, estimate costs | ACE recommended |
| Professional — Data Engineer | GCP-PDE | Design data processing systems, ML pipelines | ACE recommended |
| Professional — Cloud DevOps | GCP-PDO | SRE practices, CI/CD, monitoring, SLAs | ACE recommended |
| Professional — Security | GCP-PSE | Secure GCP infra, access control, incident response | ACE + experience |
| AWS Service | GCP Equivalent | Notes |
|---|---|---|
| EC2 | Compute Engine (GCE) | GCE uses custom machine types |
| Lambda | Cloud Functions / Cloud Run | Cloud Run supports containers (any language) |
| S3 | Cloud Storage | Multi-regional, dual-regional, regional tiers |
| RDS / Aurora | Cloud SQL / Spanner / AlloyDB | Spanner is globally distributed |
| DynamoDB | Firestore / Bigtable | Firestore (Doc DB), Bigtable (wide-column) |
| VPC | VPC (Shared VPC supported) | GCP VPC is global, not regional |
| CloudWatch | Cloud Monitoring (formerly Stackdriver) | Unified logs + metrics |
| IAM | Cloud IAM (Resource Manager) | Organization-level IAM policies |
| CloudFormation | Deployment Manager / Terraform | Google recommends Terraform for IaC |
| Route 53 | Cloud DNS | Managed DNS with low latency |
| Capability | GCP Service | Why It Stands Out |
|---|---|---|
| Big Data & Analytics | BigQuery | Serverless data warehouse, SQL, petabyte scale |
| ML Platform | Vertex AI | End-to-end ML: AutoML, custom training, pipelines |
| Global Load Balancing | Cloud Load Balancing | Single anycast IP, global HTTP(S) LB |
| Container Orchestration | GKE (Kubernetes) | Managed K8s (GKE Autopilot is serverless) |
| Data Processing | Dataflow (Apache Beam) | Managed Apache Beam for batch + streaming |
| Serverless Containers | Cloud Run | Run any container, auto-scale to zero |
| Collaboration | Google Workspace + Identity | Native integration with Gmail, Drive, Docs |
| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Setting Up Cloud Environment | 22% | Cloud Resource Manager, Projects, IAM (roles, policies, service accounts), Organization policy, billing, enabling APIs |
| Domain 2: Planning & Configuring Data Solutions | 14% | Cloud Storage (classes, lifecycle), Cloud SQL, Firestore, BigQuery basics, Cloud Memorystore, data transfer |
| Domain 3: Deploying & Implementing Cloud Solutions | 20% | Compute Engine, Cloud Run, Cloud Functions, GKE, App Engine, service accounts, VPC networking |
| Domain 4: Ensuring Operation & Reliability | 21% | Cloud Monitoring, Cloud Logging, Cloud Trace, Error Reporting, Alerting, uptime checks, SLIs/SLOs |
| Domain 5: Configuring Security & Compliance | 15% | Cloud IAM best practices, VPC Service Controls, Cloud KMS, Secret Manager, DLP API, audit logs |
| Domain 6: Managing Resources | 8% | Terraform + gcloud CLI, Deployment Manager, Resource Manager, quotas, billing quotas, cost estimation |
Q1: You need to deploy a containerized microservice that auto-scales
to zero when there is no traffic. Which GCP service should you use?
A) App Engine Standard B) Cloud Run
C) GKE Autopilot D) Compute Engine
→ Answer: B (Cloud Run runs any container, scales to zero)
Q2: A team needs shared VPC access to deploy resources in a
centralized network. Which GCP feature enables this?
A) VPC Peering B) Shared VPC
C) VPN Gateway D) Cloud Interconnect
→ Answer: B (Shared VPC allows service projects to use host VPC)
Q3: Your BigQuery costs are unexpectedly high. What should you do
FIRST to reduce costs?
A) Switch to flat-rate pricing
B) Create authorized views to limit data access
C) Use partitioned/clustered tables + slot reservations
D) Export data to Cloud Storage
→ Answer: C (Partitioning + clustering reduces bytes scanned)# ── Project & IAM ──
gcloud projects create my-project --name="My Project"
gcloud config set project my-project
# Enable APIs
gcloud services enable compute.googleapis.com
gcloud services enable storage.googleapis.com
gcloud services enable bigquery.googleapis.com
# IAM roles
gcloud iam service-accounts create my-app-sa --display-name="My App Service Account"
gcloud projects add-iam-policy-binding my-project --member="serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com" --role="roles/storage.objectViewer"
# ── Compute Engine ──
gcloud compute instances create web-server --machine-type=e2-medium --zone=us-central1-a --image-family=debian-11 --image-project=debian-cloud --tags=http-server
# ── Cloud Storage ──
gsutil mb gs://my-bucket-name
gsutil cp file.txt gs://my-bucket-name/
gsutil iam ch allUsers:objectViewer gs://my-bucket-name
# ── Cloud Run ──
gcloud run deploy my-service --source=./app --region=us-central1 --allow-unauthenticated| Role | Permissions | Use Case |
|---|---|---|
| roles/owner | All permissions + billing | Project owner (avoid for apps) |
| roles/editor | Read/write most resources | Developer access (too broad) |
| roles/viewer | Read-only most resources | Read-only access |
| roles/storage.objectAdmin | S3-like full access | App writing to GCS |
| roles/cloudsql.client | Connect to Cloud SQL | App with database access |
| roles/logging.logWriter | Write logs | Service account for logging |
| roles/monitoring.metricWriter | Write metrics | App exporting metrics |
| roles/bigquery.dataViewer | Query datasets | Analyst querying BigQuery |
| roles/run.invoker | Invoke Cloud Run | Authenticated Cloud Run callers |
| roles/container.developer | Deploy to GKE | Kubernetes developer access |
| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Designing & Planning Cloud Solution Architecture | 20% | Requirements gathering, Well-Architected Framework, cost estimation, SLAs/SLOs, migration strategy (lift-shift vs refactor) |
| Domain 2: Managing & Provisioning Infrastructure | 20% | VPC design, Shared VPC, Cloud Interconnect, Cloud CDN, Cloud Armor, GKE networking, Network Service Tiers |
| Domain 3: Designing for Security & Compliance | 18% | Organization policy, VPC SC, IAM hierarchy, encryption (CMEK, CSEK), DLP, Security Command Center |
| Domain 4: Analyzing & Optimizing Technical & Business Processes | 18% | BigQuery architecture, Dataflow, Pub/Sub, data pipelines, cost optimization, performance tuning |
| Domain 5: Managing Implementation | 12% | Terraform, Deployment Manager, CI/CD for infra, blue-green, canary deployments |
| Domain 6: Ensuring Solution & Operations Reliability | 12% | Cloud Monitoring, Cloud Logging, Error Reporting, incident response, disaster recovery, multi-region design |
Q1: A company needs to migrate 200+ on-prem MySQL databases to GCP
with minimal downtime. Which migration strategy is BEST?
A) Export/import using mysqldump
B) Database Migration Service (DMS) with continuous replication
C) Rebuild on Cloud SQL from scratch
D) Use BigQuery as a replacement
→ Answer: B (DMS supports near-zero-downtime with CDC replication)
Q2: You are designing a multi-region application with RPO=0. Which
database service should you choose?
A) Cloud SQL (regional) B) Cloud Spanner (multi-region)
C) Firestore (multi-region) D) Bigtable (multi-region)
→ Answer: B (Spanner provides synchronous multi-region replication)
Q3: An application needs global HTTP load balancing with SSL
termination and DDoS protection. Which GCP service?
A) Network Load Balancer B) HTTP(S) Load Balancer + Cloud Armor
C) Cloud CDN only D) Traffic Director
→ Answer: B (Global HTTP(S) LB + Cloud Armor = best combo)| Requirement | Recommended GCP Service |
|---|---|
| Serverless containers (any language) | Cloud Run |
| Managed Kubernetes with auto-pilot | GKE Autopilot |
| Serverless HTTP application | App Engine Standard |
| Virtual machines (full control) | Compute Engine |
| Global relational DB (RPO=0) | Cloud Spanner |
| OLTP with PostgreSQL/MySQL | Cloud SQL |
| Serverless analytics (petabyte scale) | BigQuery |
| Stream processing | Dataflow (Apache Beam) |
| Message queue (pub/sub) | Cloud Pub/Sub |
| NoSQL document store | Firestore |
| Wide-column, time-series, high throughput | Cloud Bigtable |
| In-memory caching | Cloud Memorystore (Redis/Memcached) |
| Pattern | Services | Use Case |
|---|---|---|
| Hybrid connectivity | Cloud Interconnect / Cloud VPN | On-prem ↔ GCP (high bandwidth) |
| Service mesh | Traffic Director / Anthos Service Mesh | Microservice traffic management |
| Zero-trust access | BeyondCorp Enterprise + IAP | Access without VPN (identity-based) |
| VPC Service Controls | VPC SC perimeter + Access Context Manager | Data exfiltration prevention |
| Global CDN | Cloud CDN + Global HTTP(S) LB | Cache at edge for low latency |
| Private Google Access | Private Service Connect | Access Google APIs without public IPs |
| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Designing Data Processing Systems | 18% | Data lifecycle, storage options, batch vs streaming, data modeling, schema design, serialization (Avro/Parquet) |
| Domain 2: Building & Operationalizing ML Models | 16% | Vertex AI, AutoML, Feature Store, ML pipelines, model serving, MLOps, batch prediction |
| Domain 3: Building Data Pipelines | 28% | Dataflow (Apache Beam), Dataproc, Pub/Sub, BigQuery scheduled queries, Cloud Composer (Airflow), Transfer Service |
| Domain 4: Designing for Reliability & Compliance | 18% | Data quality, monitoring, SLIs/SLOs, Data Loss Prevention (DLP), VPC SC, IAM for data, audit logging |
| Domain 5: Migrating & Modernizing Data Solutions | 8% | Database Migration Service, BigQuery migration assessment, ETL modernization, on-prem to cloud |
| Domain 6: Ensuring Data Quality | 12% | Data validation, BigQuery assertions, Cloud Dataform, dbt, data lineage, anomaly detection |
Q1: You need to process 50 TB of JSON files daily stored in Cloud
Storage, transforming and loading into BigQuery. Which is BEST?
A) Dataproc (Spark) + bq load
B) Dataflow (Apache Beam) with BigQuery IO connector
C) BigQuery scheduled queries
D) Cloud Composer (Airflow) + custom operators
→ Answer: B (Dataflow with Beam is optimized for GCS → BigQuery)
Q2: A streaming pipeline ingests 1M events/sec from IoT devices.
Which combination provides EXACTLY-ONCE delivery?
A) Cloud Pub/Sub → Dataflow → BigQuery
B) Cloud Pub/Sub → Cloud Functions → Firestore
C) Cloud Pub/Sub → Dataproc → HDFS
D) Cloud IoT Core → Cloud Storage → Dataflow
→ Answer: A (Pub/Sub at-least-once + Dataflow with windowing = exactly-once)
Q3: You need to detect and mask PII in BigQuery tables. Which
GCP service should you use?
A) Cloud KMS B) DLP API C) Cloud IAM D) VPC SC
→ Answer: B (DLP API inspects, classifies, and redacts PII)| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Shaping Org Structure & Policies | 17% | Organization hierarchy, folders, projects, Organization Policies, IAM conditions, security perimeters |
| Domain 2: Designing Security Infrastructure | 25% | VPC SC, BeyondCorp, IAP, Cloud Armor, Security Command Center, firewall rules, Binary Authorization |
| Domain 3: Protecting Data & Privacy | 17% | Cloud KMS (CMEK, CSEK, HSM), Secret Manager, DLP API, VPC SC data exfiltration prevention, certificate management |
| Domain 4: Operating Securely | 24% | Audit logs, Cloud Monitoring security dashboards, incident response, Security Health Analytics, Event Threat Detection |
| Domain 5: Managing Risk & Compliance | 17% | Assured Workloads, Access Transparency, Access Approval, Compliance reports manager, ISO/SOC/PCI controls |
| Service | Purpose | Key Feature |
|---|---|---|
| Security Command Center | Centralized security & risk dashboard | Premium tier: finding + investigation + remediation |
| VPC Service Controls | Create data security perimeters | Prevent data exfiltration, restrict API access |
| Cloud Armor | DDoS protection + WAF | Preconfigured WAF rules, rate limiting, geo-blocking |
| BeyondCorp Enterprise | Zero-trust access | Context-aware access without VPN |
| Cloud KMS | Key management service | CMEK, CSEK, HSM-backed keys, auto-rotation |
| Secret Manager | Store API keys, passwords, certs | Auto-rotation, IAM-based access, versioning |
| DLP API | Discover, classify, redact PII | Info types: SSN, email, credit card, custom |
| Binary Authorization | Deploy only trusted containers | Attestation-based admission to GKE |
| Layer | Description | Best Practice |
|---|---|---|
| Organization | Root node, billing, organization policies | Set constraints: regions, services, networks |
| Folders | Logical grouping (env, dept) | Dev / Staging / Prod separation |
| Projects | Resource container, billing unit | 1 project per application or environment |
| Service Accounts | Identity for services/apps | Use short-lived tokens, disable creation |
| Users/Groups | Google Workspace identities | Use Google Groups for role assignment |
| Resource | Type | Cost | Best For |
|---|---|---|---|
| Google Cloud Skills Boost | Official courses + labs | Free / $29/mo | Official learning paths, Qwiklabs |
| Google Cloud Training YouTube | Video tutorials | Free | Concept overview, feature walkthroughs |
| Coursera — GCP Specialization | Structured course | Free audit / $49/mo | University-style structured learning |
| Dan Sullivan (Pluralsight) | Video courses | ~$29/mo | Deep-dive into architecture patterns |
| Tutorials Dojo | Practice exams | ~$20-40 | Realistic practice questions |
| Whizlabs | Practice exams | ~$20-40 | Additional practice variety |
| Google Cloud Documentation | Official docs | Free | Authoritative reference for services |
| Google Cloud Blog | Best practices | Free | Architecture patterns, case studies |
| Qwiklabs / Google Cloud Skills Boost | Hands-on labs | Free credits | Sandbox environments for practice |
| Week | Focus | Activities |
|---|---|---|
| 1-2 | Core Services | GCE, Cloud Storage, Cloud SQL, BigQuery, VPC, IAM fundamentals, gcloud CLI |
| 3-4 | Advanced + Domain Specific | GKE, Cloud Run, Dataflow, Cloud Armor, KMS, Monitoring, cost optimization |
| 5-6 | Hands-on Labs | Qwiklabs quests: baseline, deploy, data, security (50+ labs) |
| 7 | Practice Exams | Take 3-5 practice exams, review wrong answers, study weak areas |
| 8 | Final Review | Review notes, re-read key docs, take one more practice exam |
#!/bin/bash
# ── GCP ACE Study Checklist ──
echo "☑ Cloud Resource Manager: organizations, folders, projects"
echo "☑ Cloud IAM: roles, service accounts, IAM conditions"
echo "☑ VPC: networks, subnets, firewall rules, NAT, Cloud NAT"
echo "☑ Compute Engine: instances, templates, groups, autoscaling"
echo "☑ GKE: clusters, pods, services, Ingress, Workload Identity"
echo "☑ Cloud Run: deploy, traffic splitting, IAM, concurrency"
echo "☑ Cloud Functions: triggers, runtime, environment vars"
echo "☑ App Engine: standard vs flexible, versions, traffic split"
echo "☑ Cloud Storage: classes, lifecycle, IAM, signed URLs"
echo "☑ Cloud SQL: instances, replicas, HA, failover, backups"
echo "☑ BigQuery: datasets, tables, queries, cost control"
echo "☑ Cloud Monitoring: dashboards, alerts, SLOs, uptime checks"
echo "☑ Cloud Logging: log-based metrics, sinks, exclusions"
echo "☑ Cloud KMS: keys, encrypt/decrypt, CMEK"
echo "☑ Cloud Pub/Sub: topics, subscriptions, ordering, dead-letter"
echo "☑ gcloud CLI & gsutil: project mgmt, compute, storage"
echo "☑ Terraform: providers, resources, modules, state"| Strategy | Description |
|---|---|
| Read case studies carefully | Professional exams have 4-5 company scenarios. Note each company's constraints. |
| Think "managed first" | GCP prefers managed services: Cloud SQL > self-managed MySQL, GKE > self-managed K8s. |
| Cost matters | Many questions have cost constraints. Pick the most cost-effective valid solution. |
| Know quotas & limits | Understand default quotas (API limits, project limits, VPC limits) and how to request increases. |
| Multi-select answers | Some questions require selecting 2-3 answers. All correct must be selected, no partial credit. |
| Networking is critical | VPC, firewall rules, and load balancing appear in every GCP exam. Study deeply. |
| Terraform knowledge | Google recommends Terraform for IaC. Know Terraform basics for the ACE exam. |
| Monitoring = Cloud Monitoring | Formerly Stackdriver — know dashboards, alerting policies, SLOs. |
| Pitfall | Why It's Wrong |
|---|---|
| Using owner/editor roles for apps | Too permissive — always use least-privilege predefined or custom roles |
| Choosing Compute Engine for everything | Cloud Run / GKE / App Engine are often more cost-effective |
| Ignoring data residency | GDPR/CCPA may require specific regions — choose regional or dual-regional storage |
| Forgetting about quotas | API enablement has project-level quotas; know how to request increases |
| Overlooking IAM conditions | Conditional IAM (time-based, IP-based) reduces attack surface |
| Choosing Cloud SQL for global scale | Cloud SQL is regional — use Spanner for multi-region global DBs |
| Level | AWS Cost | GCP Cost |
|---|---|---|
| Foundational | $150 (CLF-C02) | $0 (free courses only, no exam) |
| Associate | $150 (SAA/DVA/SOA) | $125 (ACE) |
| Professional | $300 (SAP-C02) | $200 (PCE/PDE/PDO/PSE) |
| Specialty | $300 (SCS-C02, MLS-C01) | $200 (PSE — only security specialty) |
| Total: Foundation → Associate → Professional | $600 (CLF+SAA+SAP) | $325 (ACE+PCE) |
| Your Situation | Recommendation |
|---|---|
| Starting cloud career, company uses AWS | CLF-C02 → SAA-C03 |
| Starting cloud career, company uses GCP | GCP-ACE |
| Cloud architect with mixed environments | SAA-C03 + GCP-PCE (both) |
| Data engineer (any cloud) | GCP-PDE (best data analytics platform) |
| DevOps / SRE career path | AWS DOP-C02 + GCP-PDO |
| Security specialist | AWS SCS-C02 + GCP-PSE |
| Enterprise architect (vendor-neutral) | TOGAF + 2 cloud certs (AWS + GCP or Azure) |
| Job market generalist | AWS SAA-C03 (highest demand) + AZ-900 |
| Certification | Difficulty | Pass Rate (est.) |
|---|---|---|
| AWS Cloud Practitioner | ★★☆☆☆ | 85% |
| GCP Cloud Engineer (ACE) | ★★★☆☆ | 65-70% |
| AWS SAA-C03 | ★★★☆☆ | 60-65% |
| GCP Professional Architect | ★★★★☆ | 50-55% |
| GCP Professional Data Engineer | ★★★★☆ | 45-55% |
| AWS Security Specialty | ★★★★★ | 40-50% |
| GCP Professional Security | ★★★★★ | 40-50% |
| AWS Professional SA | ★★★★★ | 45-50% |
| Certification | Job Postings (approx.) | Salary Premium |
|---|---|---|
| AWS SAA-C03 | Highest (35K+ postings) | +$15K average |
| AWS Solutions Architect Pro | Very High (10K+) | +$25K average |
| GCP Cloud Engineer | High (15K+ postings) | +$12K average |
| GCP Professional Architect | Medium (5K+ postings) | +$20K average |
| Azure Solutions Architect | Very High (25K+) | +$15K average |
| Kubernetes CKA/CKAD | High (12K+) | +$12K average |
| HashiCorp Terraform | High (8K+) | +$10K average |
| CompTIA Security+ | Highest overall (50K+) | +$8K average |