
15 Google ACE Practice Questions with Explanations (2026)

By CertSharp Team · 15 min read

How to use this page

Read each question, pick an answer in your head before expanding the explanation. The explanation tells you why the right answer is right and why the trap distractors look right but fail. Target 80 percent or better across all 15 to consider yourself on track for the live exam.

How to use these questions

Most candidates who fail Google ACE do not lack knowledge — they lack the discipline of reading the full question. These 15 questions are designed to look easy on the first read and harder on the second. Pick an answer before expanding the explanation. If your answer disagrees with ours, read the explanation twice. The reasoning is the durable lesson; the question itself is disposable.

The 15 questions are distributed across all five exam domains in roughly the same proportions as the live exam: 3 questions from Domain 1, 3 from Domain 2, 4 from Domain 3 (the largest weight), 3 from Domain 4, 2 from Domain 5. For the full domain-by-domain study, see the ACE Roadmap 2026.

The 15 questions

Click each question to reveal the answer and explanation.

Q1 · Domain 1 — Setting up environment

You have an existing GCP organisation. A new team needs an isolated environment for a workload, with its own billing budget, but it must still inherit organisation-level IAM policies. What should you create for the team?

  A. A new GCP organisation
  B. A new project under the existing organisation
  C. A new billing account under the existing organisation
  D. A new folder containing a new organisation

Answer: B

Projects are the unit of isolation for workloads, billing, and resources, while still inheriting org-level IAM policies. (A) creating a second organisation is wrong: an organisation maps to a Google Workspace / Cloud Identity domain and is not how you isolate workloads. (C) a billing account is unrelated to workload isolation. (D) you cannot put an organisation inside a folder — folders sit under organisations, not the other way around.

Q2 · Domain 1 — Setting up environment

You are running gcloud commands in Cloud Shell, but every command returns "ERROR: (gcloud) The required property [project] is not currently set." What is the fastest fix?

  A. Run gcloud auth login
  B. Run gcloud init from scratch
  C. Run gcloud config set project PROJECT_ID
  D. Reinstall the Cloud SDK

Answer: C

The error explicitly says the project property is not set; gcloud config set project PROJECT_ID fixes that in one command. (A) is wrong: you are already authenticated, otherwise you would see an auth error. (B) gcloud init works but it is the long way around — it walks you through full reconfiguration. (D) reinstalling the SDK is unnecessary and Cloud Shell does not let you do it anyway.

Q3 · Domain 2 — Planning and configuring

Your team needs to run a stateless containerised web service. Traffic is bursty (zero for hours, then thousands of requests per second). You want zero infrastructure to manage and you want to pay $0 when there is no traffic. Which compute option should you choose?

  A. Compute Engine managed instance group with autoscaling
  B. GKE Standard with cluster autoscaler
  C. Cloud Run service
  D. App Engine standard environment with F1 instance class

Answer: C

Cloud Run scales to zero, charges per request and per CPU-second of actual processing, and has no infrastructure to manage. (A) MIGs do not scale to zero — you always pay for at least one VM. (B) GKE Standard always bills for nodes, even when idle. (D) App Engine standard scales close to zero but you pay for at least the front-end serving, and instance hours add up under traffic spikes. Cloud Run is the right answer for "scale to zero and bursty traffic."

Q4 · Domain 2 — Planning and configuring

You need to store 5 TB of archival data that will be accessed roughly once a year for compliance audits. Cost minimisation is the priority. Which Cloud Storage class should you choose?

  A. Standard
  B. Nearline
  C. Coldline
  D. Archive

Answer: D

Archive is designed for data accessed less than once per year, with the lowest at-rest storage cost of any class. (A) Standard is for frequently accessed data. (B) Nearline is designed for monthly access. (C) Coldline targets quarterly access. The retrieval fee on Archive is high, but with only annual reads that fee is paid once per year — total cost is still lower than Coldline.

Q5 · Domain 3 — Deploying and implementing

You are deploying a small team's new GKE cluster. The team has no Kubernetes operations experience, runs only stateless web workloads, and wants the lowest-ops cluster configuration. Which cluster mode should you choose?

  A. GKE Standard, zonal, with manual node-pool sizing
  B. GKE Standard, regional, with cluster autoscaler
  C. GKE Autopilot, regional
  D. Self-managed Kubernetes on Compute Engine VMs

Answer: C

Autopilot manages nodes for you, bills per pod, and removes node-pool maintenance. The team has no node-level requirements (no DaemonSets, privileged containers, or custom CNI mentioned), so Autopilot is the lowest-ops fit. (A) and (B) Standard requires you to manage node pools. (D) self-managed adds the most operational burden of all four options.

Q6 · Domain 3 — Deploying and implementing

You ran "gcloud compute instances create web-1 --machine-type=e2-medium --zone=us-central1-a" but the VM cannot reach the internet for OS updates. The VPC is default. What is the most likely cause?

  A. The VM was given an internal IP but no external IP
  B. The default VPC has no internet gateway
  C. The default firewall rule blocks egress to 0.0.0.0/0
  D. You need to attach a service account with internet-access role

Answer: A

The gcloud compute instances create command does assign an external IP by default — but only if you do not pass --no-address. The most likely cause of a VM unable to reach the internet on the default VPC is that it has only an internal IP. (B) is wrong: GCP VPCs implicitly route to the internet via the default internet gateway. (C) default firewall rules allow all egress. (D) "internet-access role" is not a real IAM role.

Q7 · Domain 3 — Deploying and implementing

Your application reads heavily from Cloud SQL Postgres and the read workload is impacting transactional performance. The application can tolerate sub-second replication lag for reads. What should you configure?

  A. Vertically scale the primary instance to a larger machine type
  B. Configure one or more read replicas and point read queries at them
  C. Migrate to Cloud Spanner
  D. Enable point-in-time recovery on the primary

Answer: B

Read replicas are the standard answer for offloading read traffic from a Cloud SQL primary. Replication is asynchronous with sub-second lag in normal conditions, which matches the scenario. (A) vertical scaling buys some headroom but is expensive and does not separate read and write paths. (C) Cloud Spanner is a much bigger architectural change and unjustified by the scenario. (D) PITR is a backup feature unrelated to read performance.

Q8 · Domain 4 — Ensuring operation

A developer says their Compute Engine VM is unreachable via SSH. You confirm the VM is running. You suspect their SSH access was revoked when they changed teams. The project uses OS Login. What should you do?

  A. Edit the project metadata and remove their SSH public key
  B. Edit the instance metadata and remove their SSH public key
  C. Grant the user the roles/compute.osLogin IAM role on the project
  D. Add a firewall rule allowing port 22 from their IP

Answer: C

OS Login binds SSH access to IAM. When OS Login is enabled, SSH keys in project or instance metadata are ignored. Granting roles/compute.osLogin (and optionally roles/compute.osAdminLogin for sudo) is the correct way to give a user SSH access. (A) and (B) are wrong because OS Login ignores metadata SSH keys, so editing them changes nothing. (D) a firewall rule is not the issue: the network path to port 22 is open, the user is simply not authorised.

Q9 · Domain 4 — Ensuring operation

You need to alert on-call when a Cloud Run service's 5xx error rate exceeds 1% over a 5-minute window. Where do you create the alert?

  A. A log-based metric in Cloud Logging, then an alert policy in Cloud Monitoring
  B. A new alert in the Cloud Run service settings page
  C. A custom dashboard in Cloud Trace
  D. A budget alert in Cloud Billing

Answer: A

Cloud Monitoring alert policies operate on metrics. For Cloud Run, you can use built-in request-count metrics filtered by response-code class, or define a log-based metric in Cloud Logging that counts 5xx responses, then alert on it from Cloud Monitoring. (B) Cloud Run does not have a built-in alert page. (C) Cloud Trace is for latency analysis, not alerting. (D) budget alerts are for cost, not application errors.
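
The alert condition in Q9 is easy to get subtly wrong (window boundaries, "exceeds" versus "reaches", an empty window). The following is an added example, not CertSharp's or Google's code: it evaluates that condition locally over constructed Cloud Run request log entries in the httpRequest shape Cloud Logging uses. The Logging query string is the one you would give the log-based metric; the timestamps, status mix and the fixed "now" are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Logging query for the log-based metric that counts 5xx responses from Cloud Run.
# The denominator (all requests) is the same query without the status clause.
ERROR_FILTER = 'resource.type="cloud_run_revision" AND httpRequest.status>=500'

# Fixed "now" so the constructed sample below is reproducible.
NOW = datetime(2026, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def make_lines(now, statuses, age_seconds):
    """Build constructed Cloud Run request log entries (JSON strings) that are
    `age_seconds` old, one entry per HTTP status in `statuses`."""
    ts = (now - timedelta(seconds=age_seconds)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return [
        json.dumps({"timestamp": ts,
                    "resource": {"type": "cloud_run_revision"},
                    "httpRequest": {"requestMethod": "GET", "status": status}})
        for status in statuses
    ]


# Constructed sample: 200 requests one minute ago (3 of them 5xx) plus 5 failures
# ten minutes ago that must fall outside a 5-minute window.
NOISY_LINES = make_lines(NOW, [200] * 197 + [503] * 3, 60) + make_lines(NOW, [500] * 5, 600)
# Constructed sample sitting exactly on the threshold: 2 of 200 is 1%, not more than 1%.
BORDERLINE_LINES = make_lines(NOW, [200] * 198 + [500] * 2, 120)


def parse_entries(lines):
    """Turn JSON log lines into (timestamp, status) pairs."""
    out = []
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        out.append((ts, int(rec["httpRequest"]["status"])))
    return out


def error_rate(entries, now, window=timedelta(minutes=5)):
    """Count requests and 5xx responses inside the half-open window (now - window, now]."""
    start = now - window
    statuses = [s for ts, s in entries if start < ts <= now]
    errors = sum(1 for s in statuses if 500 <= s <= 599)
    rate = errors / len(statuses) if statuses else 0.0
    return len(statuses), errors, rate


def should_alert(lines, now=NOW, threshold=0.01):
    """The condition from the question: the 5xx rate over the last 5 minutes
    strictly exceeds 1%. An empty window never alerts."""
    total, _, rate = error_rate(parse_entries(lines), now)
    return total > 0 and rate > threshold


if __name__ == "__main__":
    for label, lines in (("noisy", NOISY_LINES), ("borderline", BORDERLINE_LINES)):
        total, errors, rate = error_rate(parse_entries(lines), NOW)
        print(f"{label}: {errors}/{total} = {rate:.2%} -> alert={should_alert(lines)}")
```

The borderline sample is the point of the exercise: "exceeds 1%" means strictly greater, so 2 errors in 200 requests does not page anyone, and failures older than the window are ignored even though they are 5xx.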

Q10 · Domain 5 — Access and security

A developer needs a service account that can read objects from one specific Cloud Storage bucket only — nothing else. What should you do?

  A. Grant the service account roles/storage.objectViewer on the project
  B. Grant the service account roles/storage.objectViewer on the bucket
  C. Grant the service account roles/owner on the project
  D. Download a JSON key and embed bucket-specific permissions in it

Answer: B

IAM bindings can be applied at the bucket level, not just the project level. Binding roles/storage.objectViewer on the bucket gives least-privilege access to that bucket only. (A) project-level binding grants viewer on all buckets — over-permissive. (C) roles/owner is the opposite of least privilege. (D) JSON keys do not carry permissions; IAM bindings do.

Q11 · Domain 5 — Access and security

A GKE workload needs to call the Cloud Storage API. The team's previous approach was to download a service-account JSON key and mount it as a secret. What is the Google-recommended modern alternative?

  A. Rotate the JSON key every 30 days
  B. Use Workload Identity to bind a Kubernetes service account to a Google service account
  C. Grant the GKE node service account roles/owner
  D. Store the JSON key in Secret Manager and mount it as a volume

Answer: B

Workload Identity is the Google-recommended pattern: it links a Kubernetes service account to a Google service account so pods get short-lived tokens automatically, with no JSON keys involved. (A) JSON keys are a footgun regardless of rotation cadence. (C) granting the node service account roles/owner is wildly over-permissive and breaks the security boundary between workloads. (D) Secret Manager is fine for some secrets, but JSON service-account keys should be avoided entirely, not just hidden.
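
Workload Identity only works when two halves agree: the Kubernetes service account carries the iam.gke.io/gcp-service-account annotation naming the Google service account, and the Google service account's own IAM policy grants roles/iam.workloadIdentityUser to the member serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]. The check below is an added example, not CertSharp's or Google's code; the project id, namespace, service-account names and policies are constructed, and the manifest is assumed to already be loaded as a dict (for instance via yaml.safe_load).

```python
WI_ROLE = "roles/iam.workloadIdentityUser"
ANNOTATION = "iam.gke.io/gcp-service-account"
PROJECT_ID = "my-project"  # hypothetical project id

# Constructed Kubernetes ServiceAccount manifests (already parsed to dicts).
KSA_GOOD = {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": "uploader", "namespace": "batch",
                         "annotations": {ANNOTATION: "gcs-uploader@my-project.iam.gserviceaccount.com"}}}
KSA_UNANNOTATED = {"apiVersion": "v1", "kind": "ServiceAccount",
                   "metadata": {"name": "uploader", "namespace": "batch"}}

# Constructed IAM policy of the Google service account, in the JSON shape
# `gcloud iam service-accounts get-iam-policy --format=json` prints (etag omitted).
GSA_POLICY_GOOD = {"bindings": [
    {"role": WI_ROLE, "members": ["serviceAccount:my-project.svc.id.goog[batch/uploader]"]},
]}
GSA_POLICY_EMPTY = {"bindings": []}


def expected_member(project_id, namespace, ksa_name):
    """The IAM member string the workload-identity pool uses for one KSA."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def members_with_role(policy, role):
    return {m for b in policy.get("bindings", []) if b["role"] == role
            for m in b.get("members", [])}


def workload_identity_gaps(project_id, ksa, gsa_policy):
    """Return the list of things still missing; an empty list means pods using
    this KSA will receive short-lived tokens for the GSA without any JSON key."""
    meta = ksa.get("metadata", {})
    namespace = meta.get("namespace", "default")
    name = meta["name"]
    gaps = []
    gsa = (meta.get("annotations") or {}).get(ANNOTATION)
    if not gsa:
        gaps.append(f"KSA {namespace}/{name} is not annotated with {ANNOTATION}")
    member = expected_member(project_id, namespace, name)
    if member not in members_with_role(gsa_policy, WI_ROLE):
        gaps.append(f"GSA policy lacks {WI_ROLE} for {member}")
    return gaps


if __name__ == "__main__":
    print("good pairing:", workload_identity_gaps(PROJECT_ID, KSA_GOOD, GSA_POLICY_GOOD))
    print("broken pairing:", workload_identity_gaps(PROJECT_ID, KSA_UNANNOTATED, GSA_POLICY_EMPTY))
```

Run it against a real manifest and policy export and the output is the to-do list; an annotated KSA with no workloadIdentityUser binding is the classic half-done setup that sends teams back to JSON keys.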

Q12 · Domain 5 — Access and security

You are setting up firewall rules in a custom-mode VPC. You want internal communication only between VMs tagged "web" and VMs tagged "db", on port 3306. Which firewall rule configuration is correct?

  A. Direction: egress, source ranges: 0.0.0.0/0, target tags: db, ports: tcp:3306
  B. Direction: ingress, source tags: web, target tags: db, ports: tcp:3306
  C. Direction: ingress, source ranges: 10.0.0.0/8, target tags: db, ports: tcp:3306
  D. Direction: egress, source tags: db, target tags: web, ports: tcp:3306

Answer: B

Firewall rules on GCP default to ingress. Source tags filter on the VMs initiating the connection (web), target tags filter on the VMs receiving it (db). Port 3306 is MySQL. (A) is an egress rule, which filters on destination rather than source, and 0.0.0.0/0 is over-broad in any case. (C) source range 10.0.0.0/8 would admit any internal VM, not just web-tagged ones. (D) inverts source and target tags and is in the wrong direction.
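
To see why (B) is tighter than (C), it helps to evaluate both rules against a small inventory. The following is an added example, not CertSharp's or Google's code: a minimal evaluator for ingress allow-rules written in the field layout that gcloud compute firewall-rules describe --format=json prints. The two rules, the VM names, tags and addresses are constructed; the evaluator assumes each rule carries its source selector explicitly, as the API stores it, and models only allow-rules (no priorities or deny-rules).

```python
import ipaddress

# Constructed rules (only the fields the evaluator reads are included).
RULE_B = {  # the correct answer: tag-scoped on both ends
    "name": "allow-web-to-db", "direction": "INGRESS",
    "sourceTags": ["web"], "targetTags": ["db"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}],
}
RULE_C = {  # distractor: any VM inside 10.0.0.0/8 can reach db
    "name": "allow-internal-to-db", "direction": "INGRESS",
    "sourceRanges": ["10.0.0.0/8"], "targetTags": ["db"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}],
}

# Constructed VM inventory: (name, network tags, internal IP).
VMS = [
    ("web-1", ["web"], "10.10.0.2"),
    ("app-1", ["app"], "10.10.0.3"),
    ("bastion", [], "10.20.0.9"),
]


def port_matches(port, spec):
    """`spec` is a single port like "3306" or a range like "3000-4000"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_allows(rule, src_tags, src_ip, dst_tags, proto, port):
    """Would this single ingress allow-rule admit a connection from a VM with
    (src_tags, src_ip) to a VM carrying dst_tags on proto/port?"""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    targets = rule.get("targetTags")              # no target tags means every VM
    if targets and not set(targets) & set(dst_tags):
        return False
    by_tag = bool(set(rule.get("sourceTags", [])) & set(src_tags))
    by_range = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)
                   for cidr in rule.get("sourceRanges", []))
    if not (by_tag or by_range):                   # source tags and ranges are OR-ed
        return False
    for allow in rule.get("allowed", []):
        if allow["IPProtocol"] not in (proto, "all"):
            continue
        if "ports" not in allow or any(port_matches(port, p) for p in allow["ports"]):
            return True
    return False


def admitted_sources(rule, vms=VMS, dst_tags=("db",), proto="tcp", port=3306):
    """Names of inventory VMs this rule lets connect to a db-tagged VM on the port."""
    return sorted(name for name, tags, ip in vms
                  if rule_allows(rule, tags, ip, dst_tags, proto, port))


if __name__ == "__main__":
    for rule in (RULE_B, RULE_C):
        print(rule["name"], "admits", admitted_sources(rule))
```

Under (B) only web-1 is admitted; under (C) every VM in the inventory is, which is exactly the over-breadth the explanation describes. Swapping the direction to EGRESS makes the rule match nothing here, because egress rules select on destination, not source.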

Q13 · Domain 3 — Deploying and implementing

You deployed a Cloud Run service. The deployment succeeded but external requests return "403 Forbidden." You confirmed the service is publicly exposed. What is the most likely cause?

  A. The service is missing the allUsers IAM binding with role roles/run.invoker
  B. The container is crashing on startup
  C. The service account does not have permission to deploy to Cloud Run
  D. A VPC firewall rule is blocking port 443

Answer: A

Cloud Run services require an explicit IAM binding to be publicly invokable. The standard binding is allUsers → roles/run.invoker. Without this, public requests return 403. (B) a crashing container would return 500 or 502, not 403. (C) deployment already succeeded, so deploy permissions are fine. (D) Cloud Run is a managed service; VPC firewall rules do not apply to its public ingress unless you have configured a VPC connector with restrictive egress.
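
Q10 and Q13 are both questions about reading an IAM policy correctly: where a binding sits and which member it names. The following is an added example, not CertSharp's or Google's code, that answers both from policies in the JSON shape gcloud get-iam-policy --format=json prints. The service-account email, bucket names, user and policies are constructed.

```python
# Hypothetical service account from Q10.
SA = "serviceAccount:reports-reader@my-project.iam.gserviceaccount.com"

# Constructed Cloud Run service policies (etag omitted).
RUN_POLICY_PRIVATE = {"bindings": [
    {"role": "roles/run.invoker", "members": ["user:dev@example.com"]},
]}
RUN_POLICY_PUBLIC = {"bindings": [
    {"role": "roles/run.invoker", "members": ["allUsers"]},
]}

# Constructed project- and bucket-level policies for the Q10 scenario.
PROJECT_POLICY_BROAD = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": [SA]},
]}
PROJECT_POLICY_CLEAN = {"bindings": []}
BUCKET_POLICIES = {
    "reports-bucket": {"bindings": [{"role": "roles/storage.objectViewer", "members": [SA]}]},
    "payroll-bucket": {"bindings": []},
}


def members_with_role(policy, role):
    return {m for b in policy.get("bindings", []) if b["role"] == role
            for m in b.get("members", [])}


def diagnose_public_403(run_policy):
    """Q13: a publicly exposed Cloud Run service answers 403 until allUsers
    holds roles/run.invoker on the service itself."""
    if "allUsers" in members_with_role(run_policy, "roles/run.invoker"):
        return "ok: allUsers holds roles/run.invoker"
    return "403 expected: no allUsers binding on roles/run.invoker"


def object_viewer_scope(member, project_policy, bucket_policies):
    """Q10: every place the member is granted objectViewer, project level first.
    A project-level grant reads every bucket, so it is listed as such."""
    scope = []
    if member in members_with_role(project_policy, "roles/storage.objectViewer"):
        scope.append("project (every bucket)")
    scope += sorted(f"bucket:{name}" for name, policy in bucket_policies.items()
                    if member in members_with_role(policy, "roles/storage.objectViewer"))
    return scope


def least_privilege(member, project_policy, bucket_policies, allowed_bucket):
    """True only when the member can read exactly the one allowed bucket."""
    return object_viewer_scope(member, project_policy, bucket_policies) == [f"bucket:{allowed_bucket}"]


if __name__ == "__main__":
    print(diagnose_public_403(RUN_POLICY_PRIVATE))
    print(object_viewer_scope(SA, PROJECT_POLICY_BROAD, BUCKET_POLICIES))
    print(least_privilege(SA, PROJECT_POLICY_CLEAN, BUCKET_POLICIES, "reports-bucket"))
```

The object_viewer_scope output makes the Q10 trap visible: with the project-level binding in place, the bucket-level binding is redundant and the service account can read payroll-bucket too, even though no binding names that bucket.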

Q14 · Domain 4 — Ensuring operation

You want to export all Cloud Logging audit logs from a GCP project to BigQuery for compliance review. What should you create?

  A. A Pub/Sub topic that fans out to BigQuery
  B. A log sink with the destination set to a BigQuery dataset
  C. A Cloud Function triggered on every log entry that writes to BigQuery
  D. An audit-logging IAM policy on BigQuery

Answer: B

Log sinks are the native, fully managed way to export logs to a destination. Setting the sink destination to a BigQuery dataset auto-creates tables and partitions for the exported logs. (A) Pub/Sub fan-out works but is more moving parts than needed. (C) Cloud Functions per-log-entry is wildly over-engineered. (D) the IAM policy is unrelated to export.

Q15 · Domain 2 — Planning and configuring

Your finance team needs to track GCP costs by team, with charges allocated to four cost centres. All four teams share a single GCP organisation. What is the most maintainable approach?

  A. Create a separate GCP organisation per cost centre
  B. Create a billing account per cost centre and link the respective projects
  C. Apply labels to every resource indicating its cost centre, and use billing exports filtered by label
  D. Manually reconcile bills monthly using the BigQuery billing export

Answer: C

Labels are the standard GCP cost-attribution mechanism. Apply a "cost-centre" label to every resource (or at the project level if simpler), enable BigQuery billing export, and query by label to allocate spend. (A) is heavy-handed and breaks shared IAM. (B) multiple billing accounts is possible but harder to administer than labels for cost-centre-level reporting. (D) manual reconciliation does not scale.
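
The allocation step is where label-based attribution either works or quietly leaks spend into an "unlabelled" bucket. The following is an added example, not CertSharp's or Google's code: it performs the allocation over constructed rows that mirror the billing export's layout, in which both resource labels and project labels are arrays of key/value structs. The precedence rule (resource label first, project label as fallback) and the row values are this example's own assumptions; the BigQuery query in the comment uses a placeholder table name.

```python
from collections import defaultdict

LABEL_KEY = "cost-centre"

# BigQuery equivalent over the standard usage cost export (table name is a placeholder):
#   SELECT l.value AS cost_centre, SUM(cost) AS total
#   FROM `billing_ds.gcp_billing_export_v1_XXXXXX`, UNNEST(labels) AS l
#   WHERE l.key = 'cost-centre'
#   GROUP BY cost_centre

# Constructed rows: cost plus resource labels and project labels.
ROWS = [
    {"cost": 12.5, "labels": [],
     "project": {"id": "web-prod", "labels": [{"key": LABEL_KEY, "value": "cc-100"}]}},
    {"cost": 3.25, "labels": [{"key": LABEL_KEY, "value": "cc-200"}],
     "project": {"id": "web-prod", "labels": [{"key": LABEL_KEY, "value": "cc-100"}]}},
    {"cost": 0.75, "labels": [],
     "project": {"id": "sandbox", "labels": []}},
    {"cost": 4.0, "labels": [{"key": "env", "value": "prod"}],
     "project": {"id": "data", "labels": [{"key": LABEL_KEY, "value": "cc-300"}]}},
]


def label_value(labels, key):
    """Look a key up in an export-style label array; None when absent."""
    for label in labels or []:
        if label.get("key") == key:
            return label.get("value")
    return None


def cost_centre_of(row):
    """Resource label wins, the project label is the fallback, else 'unlabelled'."""
    return (label_value(row.get("labels"), LABEL_KEY)
            or label_value(row.get("project", {}).get("labels"), LABEL_KEY)
            or "unlabelled")


def allocate(rows):
    """Sum cost per cost centre."""
    totals = defaultdict(float)
    for row in rows:
        totals[cost_centre_of(row)] += float(row["cost"])
    return dict(totals)


def unlabelled_share(rows):
    """Fraction of spend that could not be attributed; the number finance will ask about."""
    totals = allocate(rows)
    grand = sum(totals.values())
    return totals.get("unlabelled", 0.0) / grand if grand else 0.0


if __name__ == "__main__":
    for centre, total in sorted(allocate(ROWS).items()):
        print(f"{centre:<12} {total:>8.2f}")
    print(f"unlabelled share: {unlabelled_share(ROWS):.1%}")
```

Labelling at the project level covers every resource in the project with one binding, which is why the explanation suggests it as the simpler option; a resource-level label still lets a single shared project split its spend across centres, as the second row shows.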

Scoring guide

  • 13-15 correct (87%+): You are in the ready zone. Book the exam and do one full-length 50-question mock from the CertSharp bank before sitting it.
  • 10-12 correct (67-80%): On track but not quite ready. Drill the domains where you missed questions. Aim for 80%+ on a full-length mock before booking.
  • 7-9 correct (47-60%): Solid foundation but real gaps. Spend another 2-3 weeks on the weak domains, especially Domain 3 (Deploying and implementing) which is 25% of the exam.
  • Below 7 (under 47%): Pause and follow the 6-week study plan. You will not pass ACE on this level of preparation.

One sample of 15 questions is not a precise predictor — but it is a good signal. Confirm with full-length mocks from the CertSharp bank under exam conditions (50 questions, 120-minute timer, no notes).

What to do next

  1. If you scored 80%+: Move to the full 500-question CertSharp ACE bank and run two timed 50-question mocks. Book the exam for the date your mocks consistently land 80%+.
  2. If you scored 60-80%: Identify your two weakest domains and drill them. The CertSharp bank lets you filter by domain so you can do 30-question Domain 3 batches, for example.
  3. If you scored below 60%: Step back to the 6-week study plan. Do not try to brute-force more practice questions before you understand the underlying concepts.

Frequently asked questions

Are these the actual Google ACE exam questions?

No. These are original practice questions written by CertSharp, modelled on the format, difficulty, and scenario style of the real ACE exam. Posting actual exam content would violate Google’s NDA and is the definition of a brain-dump — we do not publish those.

How representative are these of the real Google ACE exam?

They are representative in style, length, and difficulty. The full CertSharp bank of 500 ACE questions is calibrated slightly harder than the live exam so that scoring 80% on CertSharp predicts a comfortable pass. The 15 questions on this page are a cross-domain sample at average exam difficulty.

How many practice questions do I need before the Google ACE exam?

At least 400 unique practice questions spread across all five domains, plus two full-length 50-question timed mocks. The 500-question CertSharp bank is sized for exactly this — enough volume to drill weak areas without diluting the explanations.

Should I memorise practice questions?

No. The real exam recycles concepts but not question wording. Read the explanations carefully, not the questions. If you find yourself remembering the answer letter rather than the reasoning, do a fresh batch of questions instead of revisiting the ones you already saw.

What is a trap distractor?

A trap distractor is an option that looks correct because it uses familiar terminology or matches a partial reading of the scenario, but fails on a specific detail. Most ACE questions include one trap distractor and one obviously wrong option. Recognising which option is the trap is half the skill of multiple choice.

Go from 15 questions to 500

30 more free ACE questions in the CertSharp app — no signup, no credit card. Full 500-question bank is $11.99 lifetime, or $9.99/month Pro unlocks every CertSharp certification.