ACE | Chapter 1 of 101 | Objective 1.1

Google Cloud Platform Overview

This chapter provides a comprehensive overview of Google Cloud Platform (GCP) as a whole, covering its global infrastructure, core services, and architectural philosophy. Understanding GCP's structure is foundational for the ACE exam, as it directly supports objectives in the 'Setting up a cloud solution environment' domain (approximately 10-15% of exam questions). We will explore regions, zones, projects, and the major service categories—compute, storage, networking, and IAM—to give you a solid mental model of how GCP operates.

25 min read
Intermediate
Updated May 31, 2026

GCP as a City Infrastructure System

Imagine Google Cloud Platform as a modern, well-planned city. The city has a central power grid (Google's global network) that supplies electricity to every building. The city's zoning laws define regions and zones: each region is a metropolitan area, and each zone is a specific neighborhood within that metro area, with its own power substation and water supply. Compute Engine is like leasing a prefabricated building in a neighborhood: you choose the size (machine type) and the neighborhood (zone), and you can relocate the building (recreate it elsewhere) if needed. App Engine is like renting a fully managed office space where the city handles maintenance, security, and utilities. Cloud Storage is the city's public warehouse system: you can store boxes (objects) in different warehouses (buckets), with different access speeds and prices (Standard, Nearline, Coldline, Archive). IAM is the city's ID card system: every resident (principal) has a card with specific permissions (roles) to enter buildings (resources) based on their job. VPC is the city's road network: you can build private roads (subnets) that connect your buildings, with checkpoints (firewall rules) and gateways (Cloud NAT, VPN) to the outside world. The analogy holds at the structural level: just as a city's infrastructure is designed for scalability, redundancy, and security, GCP's components work together to provide a reliable, global platform. When you deploy an application, you are essentially constructing a mini-city within the larger GCP metropolis, using the same underlying services (roads, power, warehouses) that Google provides.

How It Actually Works

What is Google Cloud Platform?

Google Cloud Platform (GCP) is a suite of cloud computing services offered by Google that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, and YouTube. GCP provides a range of services including compute, storage, networking, big data, machine learning, and security, all delivered over the internet. The platform is designed to be scalable, reliable, and cost-effective, leveraging Google's global network, which is one of the largest and most advanced in the world.

Global Infrastructure: Regions and Zones

GCP's infrastructure is organized hierarchically into regions and zones. A region is a specific geographical area where Google operates data centers, such as us-central1 (Iowa), europe-west1 (Belgium), or asia-east1 (Taiwan). Each region contains multiple zones, which are isolated deployment areas with independent power, cooling, and networking. Zones in the same region are joined by high-bandwidth, low-latency links but are separated far enough that a facility failure in one zone does not take down the others, which is why a highly available deployment spreads instances across at least two zones. For example, the region us-central1 has zones a, b, c, and f (us-central1-a, us-central1-b, us-central1-c, us-central1-f).

As of the ACE exam, GCP has over 30 regions and more than 100 zones globally (the exact count grows every year; the exam tests the concept, not the number). This is a key exam point: resources like Compute Engine instances and zonal persistent disks live in a specific zone, while managed services such as Cloud SQL (in its high-availability configuration) are regional, spanning multiple zones, and Cloud Spanner can be regional or multi-regional.

Multi-region is a location type for some services such as Cloud Storage, where data is replicated across multiple regions within a large geographic area (US, EU, or Asia) for global access and durability. Standard storage in a multi-region carries a 99.95% monthly availability SLA (Google quotes typical availability above 99.99%), and every storage class is designed for 11 nines (99.999999999%) annual durability. Durability (not losing data) and availability (being able to read it right now) are separate numbers; do not mix them up on the exam.

Projects: The Fundamental Organizational Unit

A project is the base-level container in GCP that holds all your resources. Every resource (Compute Engine instance, Cloud Storage bucket, VPC network) belongs to exactly one project. Projects are used to organize resources, control access via IAM, and manage billing. Each project has:

A project ID (globally unique, chosen at creation or auto-generated, cannot be changed)

A project name (human-readable, can be changed)

A project number (automatically assigned, globally unique, used for some API calls)

Projects are organized under a hierarchy: Organization -> Folders -> Projects. The Organization node is the root, typically representing your company. Folders allow grouping projects by department or environment (e.g., dev, prod). This hierarchy is critical for applying IAM policies at scale: you can assign roles at the organization level, and they are inherited by all folders and projects underneath.

Identity and Access Management (IAM)

IAM is GCP's unified access control system. It defines who (the principal) has what access (a role) to which resource. The core components:

Principals (the IAM API and older material call them members): a Google Account, a service account, a Google Group, a Google Workspace (formerly G Suite) domain, a Cloud Identity domain, or the special principals allUsers and allAuthenticatedUsers.

Roles: collections of permissions, in three types. Basic roles (formerly called primitive roles) are Owner, Editor, and Viewer; they are broad and not recommended for production. Predefined roles are service-specific and fine-grained, such as roles/compute.instanceAdmin.v1 or roles/storage.objectViewer. Custom roles are user-defined at the organization or project level and contain exactly the permissions you list.

Policy: an allow policy attached to a resource (organization, folder, project, or many individual resources such as buckets and service accounts) that binds principals to roles. The policy is a list of bindings, each a role plus the principals who hold it.

Allow policies are inherited down the resource hierarchy: a role granted at the organization level is effective on every folder and project beneath it, and the effective policy on a resource is the union of its own bindings and those of its ancestors. Allow bindings are purely additive, so you cannot narrow an inherited grant by editing a child policy. To block access explicitly, IAM now offers deny policies (generally available since 2022), which are evaluated before allow policies and override them. Organization Policy is a separate service that constrains how resources may be configured (for example, which domains may be granted roles at all) rather than granting or denying access to a particular principal. Older exam material that says "IAM has no deny" predates deny policies.
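To make inheritance and additivity concrete, here is an added example (not part of the course and not Google's code) that merges constructed organization, folder, and project allow policies in the bindings shape that gcloud get-iam-policy --format=json returns, computes the effective roles per principal, and flags the bindings a reviewer would question. The example.com principals, the prod-app project, and the role choices are invented for illustration; only allow policies are modelled.

```python
"""Effective allow-policy review across a constructed resource hierarchy.

Added example, not course or Google code. The three policies use the
bindings shape that `gcloud projects get-iam-policy --format=json` returns;
the principals, project and folder are invented. Only allow policies are
modelled; IAM deny policies would be evaluated on top of this.
"""
from collections import defaultdict

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policies, ordered root -> leaf.
HIERARCHY = [
    ("organization", {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:cloud-admins@example.com"]},
        {"role": "roles/viewer", "members": ["domain:example.com"]},
    ]}),
    ("folder", {"bindings": [
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["group:platform@example.com"]},
    ]}),
    ("project", {"bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@prod-app.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]}),
]


def effective_roles(hierarchy):
    """Return {principal: {role: level where it was first granted}}.

    Allow bindings are additive and inherited, so a binding at the
    organization is effective on every folder and project below it and
    nothing a child policy says can remove it.
    """
    effective = defaultdict(dict)
    for level, policy in hierarchy:
        for binding in policy["bindings"]:
            for principal in binding["members"]:
                effective[principal].setdefault(binding["role"], level)
    return dict(effective)


def review(hierarchy):
    """Flag bindings worth a second look: public principals anywhere, and
    basic roles, with a harsher label when the grantee is an individual
    user or service account rather than a group."""
    issues = []
    for level, policy in hierarchy:
        for binding in policy["bindings"]:
            role = binding["role"]
            for principal in binding["members"]:
                if principal in PUBLIC_PRINCIPALS:
                    issues.append((level, role, principal, "public principal"))
                if role in BASIC_ROLES:
                    kind = principal.split(":", 1)[0]
                    target = ("non-group principal"
                              if kind in ("user", "serviceAccount") else "principal")
                    issues.append((level, role, principal, f"basic role on {target}"))
    return issues


if __name__ == "__main__":
    for principal, roles in sorted(effective_roles(HIERARCHY).items()):
        print(principal, roles)
    for issue in review(HIERARCHY):
        print("FINDING:", *issue)
```

The point of effective_roles is the setdefault: once a role is granted at an ancestor, the child level never overrides it, which is exactly why the project-level policy alone is not enough to answer "who can do what in this project".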

Compute Services

GCP offers several compute options, each designed for different use cases:

Compute Engine: Infrastructure-as-a-Service (IaaS) providing virtual machines (VMs) with customizable machine types, persistent disks, and networking. You can choose from predefined machine families (E2, N2, N2D, C2, M1, M2, etc.) or create custom machine types. Key exam values: the default boot disk is 10 GB for most Linux images, and a VM can have up to 128 attached disks in total (16 on shared-core machine types).

Google Kubernetes Engine (GKE): Managed Kubernetes service for running containerized applications. It provides automated cluster management, node pools, and integration with other GCP services. The exam tests concepts like node auto-repair, auto-upgrade, and cluster autoscaling.

App Engine: Platform-as-a-Service (PaaS) for building and deploying applications without managing infrastructure. It offers two environments: Standard (sandboxed, language-specific runtimes, scales to zero) and Flexible (runs your Docker container on managed VMs, any runtime). App Engine suits web applications and mobile backends.

Cloud Functions: Function-as-a-Service (FaaS) for event-driven, serverless compute. Functions run in response to events (a Cloud Storage object change, a Pub/Sub message, an HTTP request) and scale automatically. The 1st gen execution timeout defaults to 60 seconds with a maximum of 540 seconds (9 minutes); 2nd gen functions, built on Cloud Run, allow longer HTTP timeouts.

Cloud Run: Managed platform for running stateless containers invoked over HTTP (and, more recently, by events and as jobs). It scales from zero based on traffic and charges only for resources used. Cloud Run is serverless and runs any language or binary you can package into a container image.

Storage Services

GCP provides several storage options, categorized by use case:

Cloud Storage: Object storage for unstructured data. It offers multiple storage classes: Standard (frequently accessed), Nearline (30-day minimum storage), Coldline (90-day minimum), and Archive (365-day minimum). Data is stored in buckets, which have a globally unique name and belong to a project. Key exam value: the maximum object size is 5 TiB. A single upload request can go all the way to that limit; the 5 GB per-request ceiling quoted in some study material is the Amazon S3 limit, not a Cloud Storage one. Use resumable uploads for anything large enough that a failed retry would hurt (gcloud storage and gsutil switch to resumable uploads automatically above a small threshold), and note that the parts of an XML API multipart upload are capped at 5 GiB each.

Persistent Disk: Block storage for Compute Engine instances. Disk types include standard (HDD), balanced, and SSD, and disks can be zonal or regional (synchronously replicated across two zones in the same region). The default boot disk size is 10 GB. Snapshots are used for backup and can be taken while the disk is in use.

Cloud SQL: Managed relational database service for MySQL, PostgreSQL, and SQL Server. It provides automated backups, replication, high-availability failover, and read replicas. A Cloud SQL instance scales vertically (a bigger machine, up to 64 TB of storage) but not horizontally; when a single primary cannot carry the write load, or you need transactions across regions, the exam answer is Cloud Spanner.

Cloud Spanner: Globally distributed, horizontally scalable relational database service. It provides strong consistency and high availability across regions and is designed for large-scale applications that need ACID transactions.

Cloud Bigtable: NoSQL wide-column database for large analytical and operational workloads, ideal for time-series data, IoT, and ad tech. Bigtable is not a relational database; it has traditionally been queried through client libraries (with BigQuery external tables as the usual way to run SQL over Bigtable data), although Google has since added a GoogleSQL query interface.

Firestore: NoSQL document database for mobile and web applications. It is the next generation of Datastore and provides real-time synchronization with client SDKs.

Networking Services

Networking in GCP is built around the Virtual Private Cloud (VPC) concept:

VPC Networks: Each new project gets a network named default, but you can create custom VPC networks. VPC networks are global resources (spanning all regions), while subnets are regional. You can create auto-mode or custom-mode VPCs. Auto-mode VPCs automatically create one subnet per region, carved from the 10.128.0.0/9 block; custom-mode VPCs give you full control over subnets and ranges.

Firewall Rules: Stateful rules that allow or deny traffic to VM interfaces based on direction, source or destination (IP ranges, network tags, or service accounts), protocol, and port. They belong to a VPC network and apply network-wide; they are not regional. Every network also has two implied rules, allow all egress and deny all ingress, which sit behind everything you define.

Cloud Load Balancing: Fully distributed, software-defined load balancing for HTTP(S), proxied TCP/SSL, and passthrough TCP/UDP traffic. The global external load balancers expose a single anycast IP address and distribute traffic across backends in multiple regions; regional and internal load balancers serve a single region. The exam tests the difference between external and internal load balancers.

Cloud NAT: Network Address Translation service that lets VMs without external IP addresses make outbound connections to the internet. It is configured on a Cloud Router.

Cloud VPN: IPsec VPN tunnels connecting your on-premises network to a VPC. HA VPN uses dynamic routing with BGP over a Cloud Router; Classic VPN also supports static routes.

Cloud Interconnect: Dedicated or Partner connections for high-bandwidth, low-latency private connectivity to GCP.

Big Data and Machine Learning

GCP offers a suite of big data and ML services, but the ACE exam focuses on knowing they exist and their basic use cases:

BigQuery: Serverless, highly scalable data warehouse for analytics. It supports SQL queries over petabytes of data. Pricing is based on the amount of data scanned (on-demand) or on reserved capacity (slots).

Pub/Sub: Asynchronous messaging service for event-driven systems. It guarantees at-least-once delivery by default and can ingest millions of events per second.

Dataflow: Stream and batch data processing service based on Apache Beam, used for ETL and real-time data pipelines.

Vertex AI (the successor to AI Platform): Managed service for training and deploying machine learning models. It integrates with TensorFlow and other frameworks.

Operations and Monitoring

Cloud Monitoring: Provides visibility into the performance, uptime, and health of your GCP resources by collecting metrics (logs belong to Cloud Logging and traces to Cloud Trace; Monitoring dashboards can link to both). You can create dashboards, uptime checks, and alerting policies.

Cloud Logging: Centralized log management service. It collects logs from GCP services and custom applications. Logs can be exported to BigQuery, Cloud Storage, or Pub/Sub.

Cloud Audit Logs: Record administrative actions and data access within your GCP projects. There are four streams. Admin Activity, System Event, and Policy Denied logs are always on, cannot be disabled, and are retained for 400 days in the _Required log bucket. Data Access logs (reads and writes of user data) are disabled by default except for BigQuery, must be enabled per service, and land in the _Default bucket with 30-day retention unless you configure a bucket with longer retention or export them. For incident response, turning on Data Access logs for sensitive services such as Cloud Storage and Cloud SQL before you need them is the decision to get right.
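As an added example of what a security engineer does with these logs (not course or Google code), the block below triages constructed Admin Activity and Data Access entries in the LogEntry JSON shape that gcloud logging read --format=json returns. The field names (logName, protoPayload.methodName, protoPayload.serviceData.policyDelta.bindingDeltas) are the real ones; the project prod-app, the principals, and the timestamps are invented. It separates the streams by logName and flags the IAM changes worth an alert: basic roles granted, a resource opened to allUsers, and an Owner removed.

```python
"""Triage of Cloud Audit Log entries for risky IAM changes (added example).

Not course or Google code. Entries are constructed in the LogEntry shape
`gcloud logging read --format=json` returns; field names are real, values
are invented.
"""
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

AUDIT = "type.googleapis.com/google.cloud.audit.AuditLog"
ACTIVITY = "projects/prod-app/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS = "projects/prod-app/logs/cloudaudit.googleapis.com%2Fdata_access"

CONSTRUCTED_LOG_LINES = [
    json.dumps({  # Admin Activity: Owner granted on the project
        "logName": ACTIVITY, "timestamp": "2026-05-31T10:00:00Z",
        "protoPayload": {
            "@type": AUDIT, "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/prod-app",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"}]}}}}),
    json.dumps({  # Admin Activity: a bucket made world-readable
        "logName": ACTIVITY, "timestamp": "2026-05-31T10:05:00Z",
        "protoPayload": {
            "@type": AUDIT, "serviceName": "storage.googleapis.com",
            "methodName": "storage.setIamPermissions",
            "authenticationInfo": {"principalEmail": "ci@prod-app.iam.gserviceaccount.com"},
            "resourceName": "projects/_/buckets/prod-app-assets",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}}),
    json.dumps({  # Data Access: an ordinary object read (only present if enabled)
        "logName": DATA_ACCESS, "timestamp": "2026-05-31T10:06:00Z",
        "protoPayload": {
            "@type": AUDIT, "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "web@prod-app.iam.gserviceaccount.com"},
            "resourceName": "projects/_/buckets/prod-app-assets/objects/logo.png"}}),
    json.dumps({  # Admin Activity: a predefined role to a group (fine) and an Owner removed
        "logName": ACTIVITY, "timestamp": "2026-05-31T10:07:00Z",
        "protoPayload": {
            "@type": AUDIT, "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/prod-app",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/compute.instanceAdmin.v1",
                 "member": "group:platform@example.com"},
                {"action": "REMOVE", "role": "roles/owner", "member": "user:carol@example.com"}]}}}}),
]


def log_stream(entry):
    """The logName suffix names the stream: activity, data_access, system_event, policy."""
    return entry["logName"].rsplit("%2F", 1)[-1]


def binding_deltas(entry):
    """bindingDeltas are only present on IAM policy changes; everything else yields []."""
    return (entry.get("protoPayload", {}).get("serviceData", {})
            .get("policyDelta", {}).get("bindingDeltas", []))


def triage(lines):
    """Return (findings, per-stream counts). A finding is
    (timestamp, actor, resource, reason)."""
    findings, counts = [], {}
    for line in lines:
        entry = json.loads(line)
        stream = log_stream(entry)
        counts[stream] = counts.get(stream, 0) + 1
        payload = entry["protoPayload"]
        actor = payload["authenticationInfo"]["principalEmail"]
        for delta in binding_deltas(entry):
            reason = None
            if delta["action"] == "ADD" and delta["member"] in PUBLIC_MEMBERS:
                reason = f"public exposure: {delta['role']} to {delta['member']}"
            elif delta["action"] == "ADD" and delta["role"] in BASIC_ROLES:
                reason = f"basic role granted: {delta['role']} to {delta['member']}"
            elif delta["action"] == "REMOVE" and delta["role"] == "roles/owner":
                reason = f"owner removed: {delta['member']}"
            if reason:
                findings.append((entry["timestamp"], actor, payload["resourceName"], reason))
    return findings, counts


if __name__ == "__main__":
    found, seen = triage(CONSTRUCTED_LOG_LINES)
    print(seen)
    for item in found:
        print("ALERT:", *item)
```

Notice that the Data Access entry contributes nothing to the findings but does to the counts: if you never enabled Data Access logging for Cloud Storage, that line would not exist at all, and a later investigation into who read the bucket would come up empty.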

Key Defaults and Limits for the Exam

Project: Project creation and the number of projects linked to one billing account are both governed by soft quotas that can be raised through a request; study material often quotes 100 projects per billing account, but the default you actually get depends on account history.

Compute Engine: Default boot disk 10 GB. There is no flat VM count limit; capacity is governed by per-region quotas (vCPUs, persistent disk GB, external IP addresses), all soft limits.

Cloud Storage: Bucket names must be globally unique. Max object size 5 TiB. There is no separate 5 GB single-upload limit (that figure is S3's); use resumable uploads for large objects.

VPC: Networks per project, subnets per network, and firewall rules per network are all soft quotas that Google has raised over time (older material quotes 5 networks, 100 subnets, and 100 firewall rules). Check the current values for your project with gcloud compute project-info describe.

IAM: Max 300 custom roles per project (and 300 per organization).

How Services Interact

A typical application might use Compute Engine for web servers, Cloud SQL for the database, and Cloud Storage for static assets. These resources are all in the same project, using a VPC network for private communication. IAM controls who can access each service. Cloud Monitoring tracks performance, and Cloud Logging captures application logs. The services are designed to work together seamlessly, with many integrations built-in (e.g., Cloud Functions can be triggered by Cloud Storage events).

Understanding this ecosystem is crucial for the ACE exam, as you will be asked to select the appropriate service for a given scenario, understand the hierarchy, and apply IAM policies correctly.

Walk-Through

1

Create a GCP Project

Navigate to the Cloud Console (console.cloud.google.com), click the project drop-down, then 'New Project'. Enter a project name (human-readable, changeable later) and a project ID (globally unique, immutable, and visible in URLs, API calls, and log names). Optionally, select an organization and folder. Billing must be enabled for most services. This step establishes the container for all resources. The project number is auto-generated and shows up in default service account emails and some API calls. For the exam, remember that project IDs are globally unique and immutable.

2

Enable Billing and APIs

Link the project to a billing account. Without billing, you cannot use most GCP services. Then, enable the APIs for the services you plan to use (e.g., the Compute Engine API, compute.googleapis.com). Each service has its own API that must be enabled, which you do from the 'APIs & Services' dashboard or with gcloud services enable. The exam may test that some APIs are enabled by default in a new project (e.g., Cloud Storage, Cloud Logging) while others require explicit enabling.

3

Set Up IAM Permissions

In the IAM & Admin console, add principals (users, service accounts, groups) and assign roles. For example, grant roles/compute.instanceAdmin.v1 to a group whose members manage VMs (granting to groups rather than individual users keeps the policy manageable and auditable). IAM policies are inherited down the hierarchy. The exam often tests that granting a role at the project level gives access to all resources in that project, but not to other projects. Older material says IAM has no deny; allow bindings are indeed purely additive, but IAM deny policies now exist for explicitly blocking permissions.

4

Create a VPC Network

In the VPC network console, create a new VPC network. Choose between auto-mode (one subnet in every region, carved from 10.128.0.0/9) or custom-mode (you define subnets). Auto-mode is fine for learning but not recommended for production, because every auto-mode network uses the same ranges and cannot later be peered with another one without overlap. Specify subnet IP ranges in CIDR notation (e.g., 10.0.0.0/24). Firewall rules are attached to VPC networks. The default network comes with pre-populated firewall rules that allow SSH, RDP, and ICMP from any source (0.0.0.0/0) plus all internal traffic; a custom network starts with only the implied deny-all-ingress and allow-all-egress rules, so you add exactly what you need.

5

Deploy a Compute Engine Instance

In the Compute Engine console, click 'Create Instance'. Name the instance, choose a region and zone (e.g., us-central1-a). Select a machine series (e.g., E2) and machine type (e.g., e2-medium). For the boot disk, choose an OS image (e.g., Debian 12). Optionally, add additional disks and configure networking (select the VPC and subnet). Under 'Firewall', checking 'Allow HTTP traffic' and 'Allow HTTPS traffic' adds the network tags http-server and https-server and creates rules that open ports 80 and 443 from 0.0.0.0/0 to instances carrying those tags. Click 'Create'. The instance starts within a minute or so. The exam tests that firewall rules can target instances by network tag (and by service account).
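Before typing any of the five steps above into a real project, a practitioner checks the two things that are hardest to undo: the project ID (step 1, immutable) and the subnet plan (step 4, where overlapping ranges block peering later). The following added example, not course or Google code, validates a proposed project ID against the documented format (6 to 30 characters, lowercase letters, digits and hyphens, starting with a letter, not ending in a hyphen) and checks a planned set of custom-mode subnets for overlap with each other and with the 10.128.0.0/9 block that auto-mode networks, including default, use. The project IDs and the subnet plan are invented.

```python
"""Pre-flight checks for a new project and a custom-mode subnet plan.

Added example, not course or Google code. Project IDs and subnets below
are invented; the ID format and the 10.128.0.0/9 auto-mode block are the
documented ones.
"""
import ipaddress
import re

# 6-30 chars, lowercase letters/digits/hyphens, starts with a letter, no trailing hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
AUTO_MODE_BLOCK = ipaddress.ip_network("10.128.0.0/9")

CONSTRUCTED_PLAN = [
    ("web", "us-central1", "10.0.0.0/24"),
    ("app", "us-central1", "10.0.1.0/24"),
    ("legacy", "europe-west1", "10.130.0.0/20"),   # inside the auto-mode block
    ("bad", "us-east1", "10.0.0.128/25"),          # collides with "web"
]


def valid_project_id(project_id):
    """Format check only. Google additionally rejects some reserved words
    (such as 'google' or 'ssl') and IDs already taken, which only the API knows."""
    return bool(PROJECT_ID_RE.match(project_id))


def check_subnet_plan(subnets):
    """subnets: list of (name, region, cidr). Returns problem strings in plan order.

    error:   malformed CIDR, or overlap between two planned subnets
    warning: public range (allowed but unusual), or overlap with the auto-mode
             block, which collides if this network is ever peered with an
             auto-mode network such as default
    """
    problems, parsed = [], []
    for name, region, cidr in subnets:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"error: {name}: {exc}")
            continue
        if not net.is_private:
            problems.append(f"warning: {name}: {cidr} is not a private range")
        if net.overlaps(AUTO_MODE_BLOCK):
            problems.append(f"warning: {name}: {cidr} overlaps auto-mode block {AUTO_MODE_BLOCK}")
        for other_name, _, other in parsed:
            if net.overlaps(other):
                problems.append(f"error: {name}: {cidr} overlaps {other_name} ({other})")
        parsed.append((name, region, net))
    return problems


if __name__ == "__main__":
    for pid in ("prod-app-2026", "Prod-App", "abc", "prod-app-"):
        print(pid, "ok" if valid_project_id(pid) else "rejected")
    for problem in check_subnet_plan(CONSTRUCTED_PLAN):
        print(problem)
```

Subnets are regional, so two planned subnets in different regions are still checked against each other: ranges must be unique across the whole VPC network, not just within a region.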

What This Looks Like on the Job

Enterprise Scenario 1: E-commerce Platform Migration

A large e-commerce company with millions of users wants to migrate from on-premises to GCP for better scalability and reliability. They have a three-tier application: web servers, application servers, and a MySQL database. The solution uses Compute Engine for the web and app tiers, with managed instance groups for autoscaling. Cloud SQL for MySQL holds the database, with a read replica for reporting. A global external Application Load Balancer distributes traffic across backends in multiple regions (e.g., us-central1 and europe-west1) for low latency, and Cloud CDN caches static assets like images and CSS. IAM roles are granted to groups: roles/compute.instanceAdmin.v1 for developers and roles/cloudsql.admin for DBAs. The company uses Cloud Interconnect for a dedicated connection to its on-premises data center. Common pitfalls: forgetting to enable the Cloud SQL Admin API, picking a machine series without checking price/performance (e.g., N1 where N2 or E2 would be cheaper for the same work), and leaving backend firewall rules too open instead of admitting only the load balancer and health-check ranges (130.211.0.0/22 and 35.191.0.0/16).

Enterprise Scenario 2: Data Analytics Pipeline

A media company needs to process terabytes of log data daily. They use Cloud Storage to ingest raw logs, Pub/Sub for streaming events, and Dataflow for real-time processing. The processed data is stored in BigQuery for analytics. Cloud Functions trigger on new log files in Cloud Storage and publish messages to Pub/Sub. The entire pipeline is serverless, minimizing operational overhead. IAM grants roles/bigquery.dataViewer to the analysts' group and roles/dataflow.worker to the service account the Dataflow workers run as. The company uses VPC Service Controls to put a perimeter around the project so data cannot be copied to buckets or datasets outside it. Common mistakes are choosing the wrong storage class for the raw logs (Standard for data read once and then kept for months costs more than Nearline) and not configuring a dead-letter topic for Pub/Sub messages that repeatedly fail processing.

Performance and Cost Considerations

In production, monitoring is critical. Cloud Monitoring alerts on CPU utilization, disk IOPS, and network latency. Cloud Logging is used to debug errors. Cost management involves committed use discounts for predictable workloads, Spot VMs (the successor to preemptible VMs) for batch jobs, and appropriate storage classes. The exam expects you to know that Nearline has a 30-day minimum storage duration and that deleting, overwriting, or moving an object to another class earlier is billed as if it had stayed the full minimum. Also, Cloud SQL keeps 7 automated backups by default (configurable from 1 to 365).
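The minimum-duration rule is easier to reason about as arithmetic. The block below is an added example (not course or Google code) that bills an object for max(actual days, class minimum), separates out the early-deletion portion, and picks the cheapest class for a given retention. The minimum durations are the documented ones from the Storage Services section; the per-GB-month prices are assumed placeholders of the right order of magnitude, not Google's price list, and retrieval and operation fees are ignored.

```python
"""Minimum-storage-duration arithmetic for Cloud Storage classes.

Added example, not course or Google code. Minimum durations are the
documented ones; prices are ASSUMED placeholders, not a price list.
Retrieval and operation charges are ignored.
"""
MIN_STORAGE_DAYS = {"STANDARD": 0, "NEARLINE": 30, "COLDLINE": 90, "ARCHIVE": 365}
ASSUMED_USD_PER_GB_MONTH = {"STANDARD": 0.020, "NEARLINE": 0.010,
                            "COLDLINE": 0.004, "ARCHIVE": 0.0012}


def billed_days(storage_class, actual_days):
    """An object removed before the class minimum is billed as if it had
    stayed the full minimum; the difference is the early deletion charge."""
    return max(actual_days, MIN_STORAGE_DAYS[storage_class])


def storage_cost(storage_class, size_gb, actual_days):
    """Storage charge for size_gb kept for actual_days, with the minimum applied."""
    rate = ASSUMED_USD_PER_GB_MONTH[storage_class]
    return size_gb * rate * billed_days(storage_class, actual_days) / 30


def early_deletion_charge(storage_class, size_gb, actual_days):
    """The part of the bill that exists only because of the minimum duration."""
    rate = ASSUMED_USD_PER_GB_MONTH[storage_class]
    return storage_cost(storage_class, size_gb, actual_days) - size_gb * rate * actual_days / 30


def cheapest_class(size_gb, actual_days):
    """Class with the lowest storage charge for this retention under the assumed prices."""
    return min(MIN_STORAGE_DAYS, key=lambda cls: storage_cost(cls, size_gb, actual_days))


if __name__ == "__main__":
    for days in (10, 30, 60, 400):
        print(days, "days ->", cheapest_class(1000, days))
    print("Nearline early deletion on 1000 GB kept 10 days:",
          round(early_deletion_charge("NEARLINE", 1000, 10), 2))
```

Under these assumed prices the colder class already wins at 60 days even though its 90-day minimum is charged in full, which is the kind of result the exam scenario about "wrong storage class" is getting at; rerun it with the current prices for your region before deciding anything.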

What Goes Wrong

Misconfigurations often involve IAM: giving too broad permissions (e.g., primitive roles) or forgetting to grant a service account access to a resource (e.g., a Compute Engine instance cannot access a Cloud Storage bucket because the service account lacks the storage.objectViewer role). Networking issues include using the wrong VPC network (e.g., deploying a VM in the default VPC when it should be in a custom VPC) or misconfiguring firewall rules (e.g., allowing all traffic from 0.0.0.0/0 unnecessarily).

How ACE Actually Tests This

What the ACE Exam Tests on This Topic

The ACE exam blueprint includes objective 1.1 'Setting up cloud solutions', which covers understanding GCP's global infrastructure, projects, and basic service categories. Approximately 10-15% of exam questions relate to this overview. Specific areas tested:

Region vs. Zone: zones are isolated failure domains within a region; some resources are zonal (Compute Engine instances, zonal persistent disks), others regional (Cloud SQL instances, subnets) or global (VPC networks, firewall rules, images).

Project Hierarchy: the organization -> folder -> project structure and how IAM policies inherit. The exam may ask which resource is at the top of the hierarchy (the Organization).

IAM Roles: distinguishing basic (primitive), predefined, and custom roles. The exam often tests that basic roles are not recommended for production.

Service Categories: given a scenario, choose the correct compute service (e.g., App Engine vs. Compute Engine) or storage service (e.g., Cloud Storage vs. Persistent Disk).

Common Wrong Answers and Why

1.

'Compute Engine instances can be moved between zones without restarting.' This is false. Changing zone means stopping the VM and recreating it in the new zone (by hand from a snapshot or image, or with gcloud compute instances move), so there is downtime. Stopping a VM keeps its internal IP but releases an ephemeral external IP unless you reserved a static one. Live migration is something Google does for host maintenance within a zone, not a tool you use to change zones.

2.

'All GCP services are available in every region.' False. Some services are only available in certain regions (e.g., Cloud Spanner is not in every region). The exam tests that you should check region availability.

3.

'IAM policies can be used to deny access to a specific resource.' For years this was false, when IAM had only allow policies, and it is still the safe exam assumption: allow bindings cannot be subtracted, so you cannot carve an exception out of an inherited grant by editing a child policy. Note, though, that IAM deny policies are now generally available and do block specific permissions for specific principals. Organization Policy constrains resource configuration rather than principal access, and firewall rules are a network control, not an IAM one.

4.

'A project can have multiple billing accounts.' False. Each project is linked to at most one billing account (a project with none cannot use paid services), while a billing account can be linked to many projects.

Specific Numbers and Terms

Regions: Over 30, Zones: Over 100.

Project limit: soft quotas on project creation and on projects per billing account; commonly quoted as 100, but defaults vary by account and can be raised.

Default disk size: 10 GB.

Max object size in Cloud Storage: 5 TiB.

Max upload size in a single request: no separate limit below the 5 TiB object maximum (5 GB is the S3 figure); use resumable uploads for large objects.

Retention for Audit Logs: 400 days for Admin Activity, System Event, and Policy Denied logs (always on); 30 days in the _Default bucket for Data Access logs (off by default) unless you configure longer retention.

Cloud Functions timeout: default 60 seconds, max 540 seconds.

Cloud Run: scales to zero, charges per 100ms of CPU and memory.

Edge Cases and Exceptions

Preemptible VMs: Compute Engine instances that Google can terminate at any time and always within 24 hours. Their successor, Spot VMs, use the same pricing model with no 24-hour cap. Both are cheap and suited to fault-tolerant batch work, not to stateful services.

Sole-tenant nodes: physical servers dedicated to your project's VMs, so no other customer's workloads share the host. Used for licensing (bring your own license), compliance, or isolation requirements.

VPC Peering: Allows connectivity between VPCs in different projects. The exam tests that it is not transitive (i.e., if VPC A peers with VPC B, and VPC B peers with VPC C, A cannot reach C unless explicitly peered).

How to Eliminate Wrong Answers

If a question asks about a service that needs a relational database with ACID transactions, eliminate Cloud Bigtable (NoSQL) and Cloud Storage (object storage).

If the question mentions 'serverless' and 'HTTP requests', Cloud Run is a better answer than Compute Engine.

If the question says 'global load balancing', the answer is a global external load balancer (the global external Application Load Balancer or proxy Network Load Balancer) with its single anycast IP, not a regional one.

Use the hierarchy: if the question asks about applying a policy to all projects, the answer is at the organization or folder level, not the project level.

Key Takeaways

GCP has over 30 regions and 100+ zones; resources are deployed in zones or regions depending on the service.

The resource hierarchy is Organization > Folders > Projects > Resources; IAM policies are inherited downward.

IAM has three role types: basic (formerly primitive, legacy), predefined (recommended), and custom.

Compute Engine is IaaS; App Engine is PaaS; Cloud Functions is FaaS; Cloud Run is serverless containers.

Cloud Storage offers four storage classes: Standard, Nearline (30-day min), Coldline (90-day min), Archive (365-day min).

Project, VPC, and Compute Engine limits are soft quotas that can be raised; default boot disk size is 10 GB; max object size is 5 TiB.

Admin Activity audit logs are always on and retained for 400 days; Data Access audit logs are off by default; Cloud Functions 1st gen timeout max is 540 seconds.

Preemptible and Spot VMs are cheaper but can be terminated at any time; suitable for batch jobs.

VPC networks are global; subnets are regional; firewall rules are stateful.

Cloud Load Balancing provides a single anycast IP for global traffic distribution.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Compute Engine

IaaS: full control over VMs and OS.

You manage scaling, patching, and capacity.

Billed per second for VM usage, with a one-minute minimum.

Suitable for any workload, including stateful.

Requires manual setup of load balancers.

App Engine

PaaS: you only deploy code; platform manages infrastructure.

Automatic scaling and patching.

Billed per instance hour (Standard) or for the vCPU, memory, and disk of the underlying VMs (Flexible).

Best for stateless web apps and APIs.

Built-in load balancing and traffic splitting.

Cloud Storage (Object Storage)

Unstructured data: images, videos, backups.

Accessed via HTTP/HTTPS (REST API).

Durability: 99.999999999% (11 nines).

Scalable to exabytes.

Not a block device; Cloud Storage FUSE can mount a bucket, but it is not a full POSIX filesystem.

Persistent Disk (Block Storage)

Data that needs a block device or filesystem: databases, application files, OS boot volumes.

Attached to a VM as a block device.

Durability: zonal pd-standard better than 99.99%, zonal pd-balanced and pd-ssd better than 99.999%, regional disks better than 99.9999%.

Max size 64 TB per disk.

Mountable as a filesystem (ext4, NTFS).

Watch Out for These

Mistake

GCP regions are the same as availability zones in AWS.

Correct

GCP regions contain multiple zones, which are analogous to AWS availability zones: both are isolated failure domains with independent power, cooling, and networking, joined by low-latency links. The naming is what trips people up. A GCP region (us-central1) corresponds to an AWS region, and a GCP zone (us-central1-a) to an AWS availability zone (us-east-1a).

Mistake

You can have multiple default VPC networks in a single project.

Correct

A new project gets exactly one auto-mode network named default. You can delete it (many organizations do, or prevent its creation with the compute.skipDefaultNetworkCreation organization policy constraint) and create additional custom networks, but there is never more than one network with that name in a project.

Mistake

App Engine Standard environment supports any programming language.

Correct

App Engine Standard supports only specific language runtimes: Python, Java, Node.js, Go, Ruby, and PHP. .NET and anything else require App Engine Flexible (which runs your container) or Cloud Run.

Mistake

Cloud Storage buckets are regional resources.

Correct

Cloud Storage buckets can be regional, dual-region, or multi-region. They are not tied to a single zone. The location type is chosen at bucket creation and cannot be changed later.

Mistake

IAM roles granted at the project level also apply to resources in other projects.

Correct

A role granted at the project level is inherited by every resource inside that project (all its VMs, buckets, and so on), but it stops there: it confers nothing in any other project. To cover several projects with one grant, bind the role on their common folder or on the organization.


Frequently Asked Questions

What is the difference between a region and a zone in GCP?

A region is a specific geographic location containing multiple zones. Zones are isolated failure domains within a region, each with independent power and cooling. Resources like Compute Engine VMs are zonal, while managed services like Cloud SQL can be regional (spanning zones). The exam tests that you should deploy instances in multiple zones for high availability.

How do I choose between Compute Engine and App Engine?

Use Compute Engine when you need full control over the VM, custom OS, or specific software configurations. Use App Engine when you want to focus on code and let Google manage scaling, patching, and infrastructure. App Engine is ideal for web apps and APIs, while Compute Engine is for any workload including stateful applications.

What is the project hierarchy in GCP?

The hierarchy is: Organization (top-level, represents your company) -> Folders (optional, for grouping projects) -> Projects (contain resources) -> Resources (e.g., VMs, buckets). IAM policies are inherited downward. The exam tests that you can apply policies at the organization level to affect all projects.

Can I move a Cloud Storage bucket to a different region after creation?

No. The location (regional, dual-region, multi-region, and which one) is set at bucket creation and cannot be changed. To move data, create a new bucket in the desired location and copy objects with gcloud storage (or the older gsutil) or Storage Transfer Service.

What are the default firewall rules in a new VPC?

The default network comes with four ingress firewall rules: default-allow-ssh (TCP 22 from 0.0.0.0/0), default-allow-rdp (TCP 3389 from 0.0.0.0/0), default-allow-icmp (from 0.0.0.0/0), and default-allow-internal (all protocols and ports from 10.128.0.0/9, the auto-mode range). On top of these, every VPC network has two implied rules that never appear in the list: deny all ingress and allow all egress. The pre-populated rules can be modified or deleted, and the SSH and RDP rules usually should be replaced by rules scoped to a bastion range, IAP TCP forwarding (35.235.240.0/20), or a VPN.
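The following added example (not course or Google code) is the audit a security engineer runs over the output of gcloud compute firewall-rules list --format=json before signing off on a network; it serves the firewall-rule description in the Networking Services section and walk-through step 4 as well as this answer. The records are constructed in that command's shape: the four default-network rules above, plus an invented load-balancer rule, an invented IAP-scoped SSH rule, and a disabled allow-everything rule. The two implied rules never appear in the listing and are not modelled. It flags enabled ingress allow rules that expose SSH, RDP, or every port to 0.0.0.0/0 or ::/0, and notes whether the rule hits all instances or only tagged ones.

```python
"""Audit of VPC firewall rules for management ports open to the world.

Added example, not course or Google code. Records are constructed in the
shape `gcloud compute firewall-rules list --format=json` returns; the
default-* rules mirror the default network, the others are invented.
"""
import ipaddress

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

CONSTRUCTED_RULES = [
    {"name": "default-allow-internal", "network": "global/networks/default",
     "direction": "INGRESS", "priority": 65534, "disabled": False,
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
    {"name": "default-allow-ssh", "network": "global/networks/default",
     "direction": "INGRESS", "priority": 65534, "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "network": "global/networks/default",
     "direction": "INGRESS", "priority": 65534, "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-icmp", "network": "global/networks/default",
     "direction": "INGRESS", "priority": 65534, "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "allow-http-from-lb", "network": "global/networks/prod",   # invented
     "direction": "INGRESS", "priority": 1000, "disabled": False,
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "targetTags": ["http-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-ssh-from-iap", "network": "global/networks/prod",   # invented
     "direction": "INGRESS", "priority": 1000, "disabled": False,
     "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "temp-allow-all", "network": "global/networks/prod",       # invented, disabled
     "direction": "INGRESS", "priority": 900, "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]


def port_in_spec(port, spec):
    """spec is a list like ["22", "80-443"]; a missing list means every port."""
    if not spec:
        return True
    for item in spec:
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def open_to_world(rule):
    """True if any source range is the whole IPv4 or IPv6 address space."""
    return any(ipaddress.ip_network(r) in WORLD for r in rule.get("sourceRanges", []))


def audit(rules):
    """Return (rule name, detail) for enabled ingress allow rules that expose
    SSH or RDP, or every protocol and port, to any source."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if "allowed" not in rule or not open_to_world(rule):
            continue
        targeted = rule.get("targetTags") or rule.get("targetServiceAccounts")
        scope = "tagged instances" if targeted else "all instances"
        for allowed in rule["allowed"]:
            proto = allowed["IPProtocol"]
            if proto == "all":
                findings.append((rule["name"], f"every protocol and port from any source to {scope}"))
            elif proto == "tcp":
                for port, label in MANAGEMENT_PORTS.items():
                    if port_in_spec(port, allowed.get("ports")):
                        findings.append((rule["name"], f"{label} ({port}/tcp) from any source to {scope}"))
    return findings


if __name__ == "__main__":
    for name, detail in audit(CONSTRUCTED_RULES):
        print(f"{name}: {detail}")
```

The disabled temp-allow-all rule is skipped, which is deliberate: a disabled rule is one API call away from being live, so a stricter audit would report it separately rather than ignore it. The IAP-scoped SSH rule passes because its source is the IAP TCP forwarding range, which is the pattern to replace default-allow-ssh with.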

How does billing work in GCP?

Each project is linked to a billing account. You are billed for usage of resources (e.g., VM hours, storage GB, network egress). Billing accounts can be self-serve (credit card) or invoiced. You can set budget alerts and export billing data to BigQuery for analysis.

What is the difference between Cloud SQL and Cloud Spanner?

Cloud SQL is a managed relational database for MySQL, PostgreSQL, and SQL Server. It scales vertically (larger machine types, up to 64 TB of storage per instance) and adds read replicas for read scaling, but a single primary handles all writes. Cloud Spanner is a globally distributed, horizontally scalable relational database with strong consistency, designed for applications that outgrow a single primary (petabytes, very high QPS, multi-region writes). The exam tests that Cloud Spanner is more expensive and more complex but handles global transactions, while Cloud SQL is the default choice for conventional relational workloads.
