Google Cloud · Free Practice Questions · Last reviewed May 2026
30real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
What is the correct order of the Google Cloud resource hierarchy from highest to lowest level?
Folder → Organization → Project → Resources
Organization → Folder → Project → Resources
The correct hierarchy is Organization at the top, followed by Folders, Projects, and individual Resources.
Project → Folder → Organization → Resources
Organization → Project → Folder → Resources
A startup creates its first Google Cloud project. Before deploying any paid resources, what must be linked to the project?
A Cloud Identity domain
An Organization resource node
A billing account
Every project that uses paid GCP services must have a billing account linked. Without it, resource creation for paid services will fail.
A Shared VPC host project
Which gcloud CLI command authenticates a developer's local environment with their Google account?
gcloud config set account [EMAIL]
gcloud auth login
`gcloud auth login` initiates the OAuth flow, authenticates the user, and stores credentials for subsequent CLI commands.
gcloud init --authenticate
gcloud accounts activate
A developer attempts to create a Cloud SQL instance but receives the error: 'API [sqladmin.googleapis.com] not enabled.' What is the correct resolution?
Assign the developer the Cloud SQL Admin IAM role
Request a quota increase for Cloud SQL in the project
Enable the Cloud SQL Admin API via APIs & Services > Library in the Console
Navigating to APIs & Services > Library and enabling the Cloud SQL Admin API resolves this error. It can also be done with `gcloud services enable sqladmin.googleapis.com`.
Create a new project — Cloud SQL is enabled by default in new projects
An application running on a Compute Engine VM needs to read objects from a Cloud Storage bucket in the same project. What is the recommended authentication approach?
Embed a developer's user account credentials in the application configuration file
Attach a service account with the Storage Object Viewer role to the VM
Service accounts attached to VMs allow applications to authenticate automatically via the metadata server. This eliminates the need to manage credentials directly.
Create an API key and store it as an environment variable on the VM
Grant the VM's IP address access to the bucket using a VPC firewall rule
A company organizes its GCP projects by business unit — Finance, Engineering, and Sales. Which resource is best suited to group these projects while applying shared IAM policies to all projects in each group?
Apply labels to each project to identify the business unit
Apply resource tags to each project for policy enforcement
Create GCP Folders for each business unit and add the relevant projects
Folders are the right level in the GCP hierarchy for grouping projects by business unit. IAM and Org Policies set on a Folder cascade to all child projects.
Create a Shared VPC host project for each business unit
Want more Setting up a cloud solution environment practice?
Practice this domainA compliance archive stores legal documents accessed at most once per quarter. Which Cloud Storage class minimizes storage cost while meeting that access pattern?
Standard
Nearline
Coldline
Coldline is ideal for data accessed once per quarter or less. It offers low storage cost with a 90-day minimum storage duration, matching this use case.
Archive
A team needs to run a containerized HTTP API that scales to zero when idle and requires zero cluster or server management. Which GCP compute platform is the best fit?
Compute Engine with a managed instance group
Google Kubernetes Engine Autopilot
Cloud Run
Cloud Run is purpose-built for containerized HTTP services with zero-to-scale autoscaling, no infrastructure management, and per-request billing.
App Engine Flexible
A batch data processing job runs nightly for 4 hours and can tolerate interruption because it saves progress checkpoints every 15 minutes. Which VM option offers the greatest cost reduction?
Custom machine type VM with reduced memory
Spot VM
Spot VMs are available at up to 91% discount and are ideal for batch workloads that tolerate interruption and implement checkpointing.
Sole-tenant node VM
Shielded VM
A mobile app needs a managed database to store user profiles with flexible nested structures that evolve frequently — new fields are added without schema migrations. Which GCP database service is most appropriate?
Cloud SQL for PostgreSQL
Cloud Bigtable
Cloud Firestore
Cloud Firestore stores data as flexible JSON documents with nested fields, supporting schema evolution without migrations. It's purpose-built for mobile/web app backends.
Cloud Spanner
A global web application needs HTTPS traffic routed to backend services in multiple regions, directing each user to the nearest healthy endpoint. Which load balancer type should be used?
Regional external Network Load Balancer
Global external Application Load Balancer
This load balancer uses Google's global anycast network to route HTTPS traffic to the nearest healthy backend across multiple regions.
Regional internal Application Load Balancer
Regional internal TCP/UDP load balancer
A startup wants to minimize egress costs for a web service that exclusively serves customers within Europe. Which network service tier is most cost-effective?
Premium Tier
Standard Tier
Standard Tier routes traffic through the public internet, offering lower egress costs. It's suitable for services with regional traffic patterns where Google's global backbone is unnecessary.
Economy Tier
Free Tier
Want more Planning and configuring a cloud solution practice?
Practice this domainWhich gcloud command creates a Compute Engine VM named 'web-01' using the e2-medium machine type in zone us-central1-a?
gcloud vm create web-01 --zone=us-central1-a --machine=e2-medium
gcloud compute instances create web-01 --zone=us-central1-a --machine-type=e2-medium
This is the correct syntax. `gcloud compute instances create` is the command, `--zone` specifies the zone, and `--machine-type` specifies the VM size.
gcloud instances create web-01 --region=us-central1 --type=e2-medium
gcloud compute create-instance web-01 --zone=us-central1-a --size=e2-medium
A developer has a Kubernetes Deployment manifest in a file named 'api-deployment.yaml'. Which command creates the Deployment if it doesn't exist, or updates it if it does?
kubectl create -f api-deployment.yaml
kubectl run api-deployment.yaml
kubectl apply -f api-deployment.yaml
`kubectl apply -f` reads the manifest and creates or updates the resource declaratively — the standard command for deploying from YAML files.
kubectl deploy -f api-deployment.yaml
A team wants to deploy a container image at 'gcr.io/myproject/api:v2' as a Cloud Run service named 'api-service' in us-east1, accessible without authentication. Which command is correct?
gcloud run deploy api-service --image=gcr.io/myproject/api:v2 --region=us-east1 --allow-unauthenticated
This is the correct syntax for deploying a Cloud Run service with public access. `--allow-unauthenticated` enables unauthenticated invocations.
gcloud run create api-service --image=gcr.io/myproject/api:v2 --zone=us-east1 --public
gcloud cloud-run deploy api-service --container=gcr.io/myproject/api:v2 --region=us-east1
gcloud run deploy --name=api-service --image=gcr.io/myproject/api:v2 --region=us-east1 --no-auth
A team needs a GKE cluster named 'prod-cluster' in the us-central1 region with cluster autoscaling enabled, scaling between 3 and 10 nodes. Which command achieves this?
gcloud container clusters create prod-cluster --region=us-central1 --num-nodes=3 --enable-autoscaling --min-nodes=3 --max-nodes=10
This command creates a regional GKE cluster with the node autoscaler configured to scale between 3 and 10 nodes. `--region` creates a regional (multi-zone) cluster.
gcloud kubernetes clusters create prod-cluster --location=us-central1 --autoscale=3:10
gcloud container cluster create prod-cluster --zone=us-central1 --scaling=3-10
kubectl create cluster prod-cluster --region=us-central1 --autoscale --min=3 --max=10
Which command creates a Cloud Storage bucket named 'my-archive-bucket' in the US multi-region using the modern gcloud CLI?
gcloud storage mk gs://my-archive-bucket --location=US
gcloud storage buckets create gs://my-archive-bucket --location=US
This is the correct modern syntax. `gcloud storage buckets create` followed by the `gs://` bucket URI and `--location` creates the bucket in the US multi-region.
gcloud cloud-storage create my-archive-bucket --region=US
gsutil mk -l US gs://my-archive-bucket
A Cloud Function must execute automatically every time a new object is written to a specific Cloud Storage bucket. Which trigger type should be configured for the function?
HTTP trigger
Pub/Sub trigger
Cloud Storage trigger (object finalized event)
A Cloud Storage trigger on the `object.finalized` event fires the function immediately when a new object is created in the bucket — no intermediate service needed.
Cloud Scheduler trigger
Want more Deploying and implementing a cloud solution practice?
Practice this domainA team wants to receive an email alert when the average CPU utilization of VMs in a managed instance group exceeds 80% for more than 5 minutes. What should they create in Cloud Monitoring?
A dashboard with a CPU utilization chart
An alerting policy with a CPU utilization threshold condition
Alerting policies evaluate metric conditions continuously and send notifications via configured channels when thresholds are breached for the specified duration.
A log-based metric filter for high-CPU events
An uptime check targeting the managed instance group
A team wants logs from their Python application running on a Compute Engine VM to appear in Cloud Logging. What must be installed on the VM?
Cloud Trace SDK for the Python application
Ops Agent (Google Cloud's combined logging and monitoring agent)
The Ops Agent collects logs from system files and application log streams and forwards them to Cloud Logging. It must be installed explicitly on Compute Engine VMs.
Cloud Monitoring agent only
No installation needed — GCE VMs automatically stream logs to Cloud Logging
A security analyst needs to retrieve all Cloud Logging entries with severity ERROR or higher across all resource types in the current project. Which log query correctly filters these entries?
severity >= ERROR AND timestamp > now() - 24h
severity="ERROR" AND resource.type="gce_instance"
severity >= "ERROR"
`severity >= "ERROR"` correctly matches all entries at ERROR and above across all resource types. The time range is set separately via the console time picker.
logName="projects/my-project/logs/stderr" AND severity > "WARNING"
A managed instance group (MIG) is running 4 VMs with a CPU autoscaling target of 60%. A traffic spike drives average CPU to 90%. How does the autoscaler respond?
The MIG terminates the 2 least-used VMs to trigger a restart with higher performance settings
The autoscaler adds VMs until average CPU across the group drops to approximately 60%
The autoscaler computes how many VMs are needed to bring average utilization to the target and scales out accordingly.
The MIG live-migrates instances to larger machine types automatically
The MIG restarts all existing VMs to clear cached load
A load balancer is routing traffic to a VM where the application process has crashed, but the VM itself is still running. What prevents the load balancer from continuing to send traffic to this instance?
A VPC firewall rule blocking traffic to the VM
An HTTP health check configured on the backend service
HTTP health checks probe the application port. A crashed application fails the probe, causing the load balancer to stop directing traffic to that VM until it recovers.
A Cloud Armor security policy blocking the crashed instance's IP
The instance group autoscaling policy detecting the failure
A microservices application has intermittent high latency. The team wants to identify which specific service-to-service call in the request chain is causing the slowdown. Which Cloud Operations tool is designed for this?
Cloud Monitoring Metrics Explorer
Cloud Logging log viewer
Cloud Trace
Cloud Trace instruments requests as they flow through services, recording each span's duration and parent-child relationships, making it ideal for pinpointing latency in distributed systems.
Cloud Profiler
Want more Ensuring successful operation of a cloud solution practice?
Practice this domainA junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?
Editor
Owner
Viewer
Viewer grants read-only access to all project resources without any modification permissions — the correct minimum role for read-only access.
Browser
A security review identifies that service account JSON key files are stored on multiple developer laptops, posing a data exfiltration risk. What is the recommended remediation?
Rotate the key files every 90 days and redistribute them securely
Encrypt the JSON key files using Cloud KMS before distributing
Remove the key files and use service account impersonation or Workload Identity for workloads that need GCP access
Eliminating key files is the recommended approach. GCE VMs use attached service accounts; GKE uses Workload Identity; external systems use Workload Identity Federation — no downloadable keys needed.
Store the key files in Secret Manager and retrieve them at application startup
A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?
An ingress allow rule for port 443 from 0.0.0.0/0 targeting the 'web-server' tag, relying on the implied deny for other traffic
GCP's implied deny-all ingress rule (priority 65535) blocks all traffic not explicitly allowed. A single allow rule for port 443 is all that's needed.
An ingress allow rule for port 443 and a separate egress deny rule for all other ports
An ingress deny rule for all ports from 0.0.0.0/0, plus an ingress allow for port 443 with lower priority
A Cloud Armor policy allowing only HTTPS requests to port 443
An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?
Google-managed encryption keys (the default)
Customer-managed encryption keys (CMEK) using Cloud KMS
CMEK keys are created and controlled by the customer in Cloud KMS. GCP encrypts data using these keys, but the customer retains full control — including the ability to revoke access.
Client-side encryption before uploading to Cloud Storage, without using Cloud KMS
Shielded VM with vTPM enabled on the storage backend
A Cloud Run service needs to access a database password at runtime. Where should the password be stored according to GCP security best practices?
As a plain-text environment variable in the Cloud Run service configuration
In a Cloud Storage bucket accessible to the service account
In Secret Manager, referenced as a mounted secret or accessed via the API at runtime
Secret Manager stores secrets encrypted, with IAM access control and full audit trails. Cloud Run can reference secrets as environment variables or volume mounts without exposing the value in configuration.
Baked into the container image at build time
A compliance team needs a log of every time a user or service account accessed data in a BigQuery dataset — specifically read operations. Which Cloud Audit Log type captures this?
System event audit logs
Admin Activity audit logs
Data Access audit logs
Data Access audit logs record API calls that read data — including BigQuery table reads and query executions. They must be explicitly enabled and can generate high log volume.
VPC flow logs
Want more Configuring access and security practice?
Practice this domainThe ACE exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.
Scenario questions on setting up GCP environments, deploying compute, configuring storage and databases, managing networking, and monitoring.
The exam covers 5 domains: Setting up a cloud solution environment, Planning and configuring a cloud solution, Deploying and implementing a cloud solution, Ensuring successful operation of a cloud solution, Configuring access and security. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Google Cloud ACE exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.