AI Exam Prep

🟢 Google Cloud Certification

Google Cloud Associate Engineer

Complete study reference for the Google Cloud Associate Cloud Engineer — covering infrastructure setup, compute and storage selection, deployment, operations, and IAM security.

  • 50 questions
  • 120 minutes
  • 700/1000 passing score

Section weightings

  • Deploying and implementing: 25%
  • Ensuring successful operation: 20%
  • Configuring access and security: 20%
  • Setup / Planning / Configuring: 17.5% each

Topics by section

What each section covers

Setting up a cloud solution environment (17.5%)

6 topics

Know the gcloud CLI commands cold: gcloud init (first setup), gcloud auth login (authenticate), gcloud config set project (switch project), gcloud compute instances list (list VMs). The resource hierarchy determines where IAM policies and billing are applied — policies inherit downward from parent to child.

  • Creating and managing Google Cloud projects
  • Managing billing accounts and budgets
  • Enabling APIs and services
  • Google Cloud CLI (gcloud) — init, auth, config
  • Cloud Console and Cloud Shell
  • Resource hierarchy: Organisation → Folder → Project → Resource

Planning and configuring a cloud solution (17.5%)

4 topics

Service selection is the most heavily tested skill. Key decision tree: stateless short-lived container → Cloud Run; orchestrated containers → GKE; managed VM fleet → Managed Instance Groups; event-driven function → Cloud Functions; relational data (single region) → Cloud SQL; relational data (global) → Cloud Spanner; unstructured objects → Cloud Storage.

  • Choosing compute: Compute Engine (IaaS), GKE (containers), Cloud Run (serverless containers), App Engine (PaaS), Cloud Functions (serverless)
  • Choosing storage: Cloud Storage (objects), Cloud SQL (relational), Cloud Spanner (global relational), Bigtable (wide-column NoSQL), Firestore (document NoSQL)
  • Designing VPC networks: subnets, firewall rules, routes
  • Estimating costs with Google Cloud Pricing Calculator

Deploying and implementing a cloud solution (25%)

6 topics

The largest domain — expect hands-on scenario questions. Know the key commands: gcloud compute instances create (VM), gcloud container clusters create (GKE), gcloud run deploy (Cloud Run), gsutil mb (create bucket), gcloud sql instances create (Cloud SQL). For GKE, kubectl apply -f deployment.yaml deploys workloads from a manifest.

  • Compute Engine: creating VMs, instance templates, managed instance groups (MIGs), startup scripts
  • GKE: creating clusters, deploying workloads with kubectl, Autopilot mode
  • Cloud Run: deploying container images with gcloud run deploy
  • Cloud Functions: deploying event-triggered functions
  • Cloud Storage: creating buckets, setting lifecycle policies, object versioning
  • Cloud SQL: creating instances, connecting from applications, read replicas

Ensuring successful operation of a cloud solution (20%)

6 topics

Monitoring and logging questions are reliably tested. Cloud Monitoring = metrics and alerts (CPU, memory, latency). Cloud Logging = log ingestion and analysis. Cloud Trace = distributed request tracing. To receive alerts, create an alerting policy in Cloud Monitoring with a notification channel (email, SMS, PagerDuty).

  • Cloud Monitoring: metrics, dashboards, alerting policies, uptime checks
  • Cloud Logging: log-based metrics, log sinks, log exclusions
  • Cloud Trace and Cloud Profiler (application performance)
  • Managing and updating instances: rolling updates, canary deployments
  • Autoscaling and load balancing
  • Backup and disaster recovery strategies

Configuring access and security (20%)

6 topics

IAM is tested heavily — know the three role types. Primitive roles are too broad for production. Predefined roles are service-specific (e.g. roles/compute.instanceAdmin). Custom roles allow exact permission sets. For service accounts: assign them to VMs and Cloud Functions so they authenticate API calls without embedding keys in code.

  • IAM roles: primitive (Owner/Editor/Viewer), predefined, custom
  • Service accounts: creating, granting roles, key management, workload identity
  • VPC firewall rules: ingress/egress, priority, allow/deny
  • Cloud Armor: WAF policies, security rules, DDoS protection
  • Secret Manager: storing and accessing secrets from applications
  • Binary Authorization: ensuring only trusted images are deployed to GKE
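
Added example (not part of the original study guide): a small model of the downward policy inheritance described in the setup section, combined with the warning here that primitive roles are too broad. It lists which primitive-role grants reach a resource from an ancestor. The hierarchy, members and resource names are constructed, and only allow-policy bindings are modelled.

```python
# Constructed sample data: child -> parent links (all names are hypothetical).
PARENT = {
    "folders/prod": "organizations/example",
    "projects/shop-prod": "folders/prod",
    "projects/shop-prod/instances/web-1": "projects/shop-prod",
}

# Constructed allow-policy bindings set directly on each node: role -> members.
BINDINGS = {
    "organizations/example": {"roles/viewer": {"group:auditors@example.com"}},
    "folders/prod": {"roles/editor": {"user:dev@example.com"}},
    "projects/shop-prod": {
        "roles/compute.instanceAdmin": {
            "serviceAccount:deployer@shop-prod.iam.gserviceaccount.com"
        },
    },
}

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def ancestors(resource):
    """Yield the resource itself, then each parent up to the organisation."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)


def effective_grants(resource):
    """Return {(role, member): [nodes granting it]}; inheritance is a union."""
    grants = {}
    for node in ancestors(resource):
        for role, members in BINDINGS.get(node, {}).items():
            for member in sorted(members):
                grants.setdefault((role, member), []).append(node)
    return grants


def inherited_primitive_grants(resource):
    """Primitive-role grants that reach the resource from an ancestor node."""
    return sorted(
        (member, role, nodes[-1])  # nodes[-1] is the highest granting ancestor
        for (role, member), nodes in effective_grants(resource).items()
        if role in PRIMITIVE_ROLES and any(n != resource for n in nodes)
    )


if __name__ == "__main__":
    for finding in inherited_primitive_grants("projects/shop-prod/instances/web-1"):
        print(finding)
```

The Editor grant on the folder shows up on the VM even though nothing was bound on the VM or its project, which is why broad roles set high in the hierarchy are the first thing to review.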
