Scenario-based practice

Hard Difficulty Questions

Practise Google Associate Cloud Engineer exam questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: ACE | Vendor: Google Cloud

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A company runs a stable production workload on 20 n2-standard-8 VMs that run continuously year-round. Which pricing commitment maximizes cost savings on these VMs?

Question 2 (hard, multiple choice)

An organization has a policy requiring all new GCP projects to be created within specific folders and linked to approved billing accounts only. Which combination of features enforces this at scale?

Question 3 (hard, multiple choice)

A platform team is deploying a multi-tier application on GKE: a frontend Deployment, a backend Deployment, and a Redis StatefulSet. The backend must be reachable by name from the frontend, but not from outside the cluster. Which Kubernetes resource enables internal name-based service discovery?

Question 4 (hard, multiple choice)

An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?

Question 5 (hard, multiple choice)

A DevOps team uses Terraform to manage GCP infrastructure and wants to store Terraform state in a shared location that all team members can access securely, with state locking to prevent concurrent modifications. Which backend configuration achieves this?

Question 6 (hard, multiple choice)

A managed instance group serves production traffic. During a rolling update to a new VM template, 30% of instances become unhealthy (failing health checks). The update has not completed yet. What should the team do to immediately restore service?

Question 7 (hard, multiple choice)

A SaaS company serves 200 enterprise customers, each requiring complete data isolation in separate databases. The company needs to provision a new customer database within minutes and manage 200 databases with minimal overhead. Which GCP approach scales most efficiently?

Question 8 (hard, multiple choice)

A compliance requirement mandates that all VM-to-VM traffic within a GCP project must be encrypted in transit, even for internal VPC traffic. Which feature enforces this for Compute Engine?

Question 9 (hard, multiple choice)

A security team discovers that a service account key was accidentally committed to a public GitHub repository 48 hours ago. What should be the immediate steps to remediate this incident?

Question 10 (hard, multiple choice)

A team runs a Kubernetes Deployment with 3 replicas behind a Service. They want to expose it externally with HTTPS and route traffic based on URL paths (/api → backend service, / → frontend service). Which Kubernetes resource handles path-based routing at Layer 7?

Question 11 (hard, multiple choice)

A CI/CD pipeline running outside GCP (on GitHub Actions) needs to authenticate to GCP to push images to Artifact Registry, without storing any long-lived service account key files. Which authentication mechanism achieves this?

Question 12 (hard, multiple choice)

A healthcare company stores patient data in Cloud Storage. Compliance requires that even GCP (Google) cannot decrypt this data. The company manages encryption keys entirely on their own infrastructure. Which encryption option satisfies this?

Question 13 (hard, multiple choice)

A team builds a GKE application that processes healthcare data. Regulatory requirements mandate that data in transit between GKE nodes must be encrypted. GKE is running on GCP. What provides encrypted node-to-node traffic within the cluster?

Question 14 (hard, multiple choice)

A Cloud Run service requires access to a private Cloud SQL instance in the same VPC. The Cloud SQL instance is not publicly accessible. How should the Cloud Run service connect to Cloud SQL without using the Cloud SQL Auth Proxy separately?

Question 15 (hard, multiple choice)

A Cloud Build pipeline builds a container image and pushes it to Artifact Registry. The next step needs to deploy the image to Cloud Run. The pipeline runs as the Cloud Build service account. What minimum permission does the Cloud Build SA need for the deployment step?

Question 16 (hard, multiple choice)

A team runs `gcloud organizations list` and sees no output even though they know their company has a GCP organization. What is the most likely cause, and how should they resolve it?

Question 17 (hard, multiple choice)

You are managing a GKE cluster that runs a mixed workload: latency-sensitive web services and batch data processing jobs. The batch jobs run for hours and consume significant CPU/memory. During batch peaks, the web services experience CPU throttling. What is the best configuration to prevent batch jobs from impacting web service latency?

Question 18 (hard, multiple choice)

You need to ensure that a Cloud Run service can only be invoked by specific Cloud Scheduler jobs and not from the public internet, while still receiving HTTP requests. The Cloud Run service currently allows unauthenticated invocations. What configuration changes are required?

Question 19 (hard, multiple choice)

You need to configure a GCP organization so that when new projects are created, a specific set of default IAM bindings is automatically applied (e.g., the security team's group gets Security Reviewer on every new project). Which approach achieves this without requiring manual post-creation steps?

Question 20 (hard, multiple choice)

An e-commerce application has a read-heavy database workload: 95% reads, 5% writes. The primary Cloud SQL instance is experiencing CPU saturation during peak read traffic. What is the most appropriate GCP-native solution that minimizes changes to application code?

These ACE practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style ACE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.