Before you run production workloads on Google Cloud, we recommend you configure an initial foundation to support your work. Google Cloud setup helps administrators configure Google Cloud for scalable workloads. The setup process guides you through an interactive procedure that helps you create a foundational architecture with best practices in mind.
To help you align with your business needs, you can quickly deploy a default configuration or make adjustments throughout the setup process. Depending on your preferred deployment workflow, you can deploy your configuration directly from the console, or download and deploy Terraform to integrate with your own Infrastructure as Code (IaC) process.
This document includes steps and background information to help you complete the setup process, which is also available as an interactive guide in the Google Cloud console:
The setup process includes the following phases:
Establish your organization, administrators, and billing: Set up the top-level node of your hierarchy, create initial administrator users, and connect your payment method.
Create an initial architecture: Select an initial folder and project structure, assign access, configure logging, apply security settings, and set up your network.
Deploy your settings: Your initial architecture choices are compiled in Terraform configuration files. You can quickly deploy through the Google Cloud console, or download the files to customize and iterate using your own workflow.
Apply monitoring and support settings: Apply recommended monitoring and support settings to bolster your architecture.
Establish your organization, administrators, and billing
Organization
An organization resource in Google Cloud represents your business, and serves as the top level node of your hierarchy. To create your organization, you set up a Google identity service and associate it with your domain. When you complete this process, an organization resource is automatically created.
For an overview of the organization resource, see the following:
Who performs this task
The following two administrators perform this task:
An identity administrator responsible for assigning role-based access. You assign this person as the Cloud Identity super administrator. For more information about the super administrator user, see Prebuilt administrator roles.
A domain administrator with access to the company's domain host. This person edits your domain settings, such as DNS configurations, as part of the domain verification process.
What you do in this task
- If you haven't already, set up Cloud Identity, where you create a managed user account for your super administrator user.
- Link Cloud Identity to your domain (such as example.com).
- Verify your domain. This process creates the root node of your resource hierarchy, known as the organization resource.
Why we recommend this task
You must configure the following as part of your Google Cloud foundation:
- A Google identity service to centrally manage identities.
- An organization resource to establish the root of your hierarchy and access control.
Google identity service options
You use one or both of the following Google identity services to administer credentials for Google Cloud users:
- Cloud Identity: Centrally manages users and groups. You can federate identities between Google and other identity providers. For more information, see Overview of Cloud Identity.
- Google Workspace: Manages users and groups, and provides access to productivity and collaboration products like Gmail and Google Drive. For more information, see Google Workspace.
For detailed information about identity planning, see Planning the onboarding process for your corporate identities.
Before you begin
To understand how to manage a super administrator account, see Super administrator account best practices.
Configure an identity provider and verify your domain
The steps you complete in this task depend on whether you are a new or existing customer. Identify the option that fits your needs:
New customer: Set up Cloud Identity, verify your domain, and create your organization.
Existing Google Workspace customer: Use Google Workspace as your identity provider for users who access Google Workspace and Google Cloud. If you plan to create users who only access Google Cloud, enable Cloud Identity.
Existing Cloud Identity customer: Verify your domain, make sure your organization was created, and confirm that Cloud Identity is enabled.
New customer
New Customer: Set up Cloud Identity and create your organization
To create your organization resource, you first set up Cloud Identity, which helps you manage users and groups that access Google Cloud resources.
In this task, you set up Cloud Identity free edition. You can enable Cloud Identity premium edition after you complete your initial setup. For more information, see Compare Cloud Identity features and editions.
Identify the person who serves as the Cloud Identity administrator (also known as the super administrator) in your organization.
Record the administrator's username in the following format: admin-name@example.com. For example, admin-maria@example.com. Specify this username when you create your first administrator user.
To complete the setup process and create the super administrator account, go to the Cloud Identity signup page.
If you get an error when you set up the administrator account, see 'Google Account already exists' error.
Verify your domain and create your organization resource
Cloud Identity requires you to verify that you own your domain. Once the verification is complete, your Google Cloud organization resource is automatically created for you.
Make sure you created a super administrator account when you configured your identity provider.
Verify your domain in Cloud Identity. As you complete the verification process, note the following:
- When prompted, don't click Create new users. You will create new users in a later task.
- If you are unable to sign up your domain, see Can't sign up my domain for a Google service.
- The verification may require several hours to process.
For steps to verify your domain, see Verify your domain.
When you finish the domain verification steps, click Set up Google Cloud console now.
Sign in to the Google Cloud console as the super administrator user using the email address you specified. For example, admin-maria@example.com.
Go to Google Cloud setup: Organization. Your organization is created automatically.
Select your organization from the Select from drop-down list at the top of the page.
Request additional Cloud Identity user licenses
Cloud Identity free edition includes an allotment of user licenses. For steps to view and request licenses, see Your Cloud Identity free edition user cap.
Workspace customer
Existing Google Workspace customer: Verify your domain and enable Cloud Identity
If you are an existing Google Workspace customer, verify your domain, make sure that your organization resource is automatically created, and optionally enable Cloud Identity.
To verify your domain in Google Workspace, see Verify your domain. As you complete the verification process, note the following:
- When prompted, don't click Create new users. You will create new users in a later task.
- If you are unable to sign up your domain, see Can't sign up my domain for a Google service.
- The verification may require several hours to process.
Sign in to the Google Cloud console as the super administrator user.
Go to Google Cloud setup: Organization.
Select I'm a current Google Workspace customer.
Make sure that your organization name is displayed in the Organization list.
If you want to create users who access Google Cloud, but don't receive Google Workspace licenses, do the following:
In Google Workspace, Enable Cloud Identity.
When you set up Cloud Identity, Disable automatic Google Workspace licensing.
Cloud Identity customer
Existing Cloud Identity customer: Verify your domain
If you are an existing Cloud Identity customer, make sure you have verified your domain, and that your organization resource was automatically created.
To make sure that you have verified your domain, see Verify your domain. As you complete the verification process, note the following:
- When prompted, don't click Create new users. You will create new users in a later task.
- If you are unable to sign up your domain, see Can't sign up my domain for a Google service.
- The verification may require several hours to process.
Sign in to the Google Cloud console as the super administrator user.
Go to Google Cloud setup: Organization.
Select I'm a current Cloud Identity customer.
Make sure that your organization name is displayed in the Organization list.
Make sure that Cloud Identity is enabled in Google Admin console: Subscriptions. Sign in as a super administrator user.
What's next
Users and groups
In this task, you set up identities, users, and groups to manage access to Google Cloud resources.
For more information on access management on Google Cloud, see the following:
- Identity and Access Management (IAM) overview.
- For best practices, see Manage identity and access.
Who performs this task
You can perform this task if you have one of the following:
- The Google Workspace or Cloud Identity super administrator that you created in the Organization task.
- One of the following IAM roles:
  - Organization Administrator (roles/resourcemanager.organizationAdmin).
  - Workforce Identity Pool Admin (roles/iam.workforcePoolAdmin).
What you do in this task
Connect to Cloud Identity or your external identity provider (IdP).
Create administrative groups and users that will perform the remainder of the Google Cloud setup steps. You grant access to these groups in a later task.
Why we recommend this task
This task helps you implement the following security best practices:
Principle of least privilege: Give users the minimum permissions required to perform their role, and remove access as soon as it is no longer needed.
Role-based access control (RBAC): Assign permissions to groups of users according to their job role. Do not add permissions to individual user accounts.
You can use groups to efficiently apply IAM roles to a collection of users. This practice helps you simplify access management.
Select an identity provider
You can use one of the following to manage users and groups, and connect them to Google Cloud:
- Google Workspace or Cloud Identity: You create and manage users and groups in Google Workspace or Cloud Identity. You can choose to synchronize with your external identity provider later.
- Your external identity provider, such as Microsoft Entra ID or Okta: You create and manage users and groups in your external identity provider. You then connect your provider to Google Cloud to enable single-sign-on.
To select your identity provider, do the following:
Sign in to the Google Cloud console as one of the users you identified in Who performs this task.
Go to Google Cloud setup: Users & groups.
Review the task details and click Continue identity setup.
On the Select your identity provider page, select one of the following to begin a guided setup:
- Use Google to centrally manage Google Cloud users: Use Google Workspace or Cloud Identity to provision and manage users and groups as a super administrator of your verified domain. You can later synchronize with your external identity provider.
- Microsoft Entra ID (Azure AD): Use OpenID Connect to configure a connection to Microsoft Entra ID.
- Okta: Use OpenID Connect to configure a connection to Okta.
- OpenID Connect: Use the OpenID protocol to connect to a compatible identity provider.
- SAML: Use the SAML protocol to connect to a compatible identity provider.
- Skip setting up an external IdP for now: If you have an external identity provider and you're not ready to connect it to Google Cloud, you can create users and groups in Google Workspace or Cloud Identity.
Click Continue.
See one of the following for next steps:
Create users and groups in Cloud Identity
If you don't have an existing identity provider, or if you're not ready to connect your identity provider to Google Cloud, you can create and manage users and groups in Cloud Identity or Google Workspace. To create users and groups, you do the following:
- Create a group for each recommended administrative function, including organization, billing, and network administration.
- Create managed user accounts for administrators.
- Assign users to administrative groups that correspond to their responsibilities.
Before you begin
Find and migrate users that already have Google Accounts. For detailed information, see Add users with unmanaged accounts.
You must be a super administrator.
Create administrative groups
A group is a named collection of Google Accounts and service accounts. Each group has a unique email address, such as gcp-billing-admins@example.com. You create groups to manage users and apply IAM roles at scale.
The following groups are recommended to help you administer your organization's core functions and complete the Google Cloud setup process.
| Group | Description |
|---|---|
| gcp-organization-admins | Administer all organization resources. Assign this role only to your most trusted users. |
| gcp-billing-admins | Set up billing accounts and monitor usage. |
| gcp-network-admins | Create Virtual Private Cloud networks, subnets, and firewall rules. |
| gcp-hybrid-connectivity-admins | Create network devices such as Cloud VPN instances and Cloud Router. |
| gcp-logging-admins | Use all Cloud Logging features. |
| gcp-logging-viewers | Read-only access to a subset of logs. |
| gcp-monitoring-admins | Monitoring administrators have access to all features of Cloud Monitoring. |
| gcp-security-admins | Establish and manage security policies for the entire organization, including access management and organization constraint policies. See the Google Cloud enterprise foundations blueprint for more information about planning your Google Cloud security infrastructure. |
| gcp-developers | Design, code, and test applications. |
| gcp-devops | Create or manage end-to-end pipelines that support continuous integration and delivery, monitoring, and system provisioning. |
To create administrative groups, do the following:
On the Create Groups page, review the list of recommended administrative groups, and then do one of the following:
- To create all recommended groups, click Create all groups.
- If you want to create a subset of the recommended groups, click Create in the chosen rows.
Click Continue.
Create administrative users
We recommend that you initially add users who complete organizational, networking, billing, and other setup procedures. You can add other users after you complete the Google Cloud setup process.
To add administrative users who perform Google Cloud setup tasks, do the following:
Migrate consumer accounts to managed user accounts controlled by Cloud Identity. For detailed steps, see the following:
Sign in to Google Admin console using a super administrator account.
Use one of the following options to add users:
- To bulk add users, see Add or update multiple users from a CSV file.
- To add users individually, see Add an account for a new user.
When you're done adding users, return to Google Cloud setup: Users & groups (Create users).
Click Continue.
Add administrative users to groups
Add the users you created to administrative groups that correspond to their duties.
- Make sure you created administrative users.
In Google Cloud setup: Users & groups (Add users to groups), review the step details.
In each Group row, do the following:
- Click Add members.
- Enter the user's email address.
From the Group role drop-down list, select the user's group permission settings. For more information, see Set who can view, post, and moderate.
Each member inherits all IAM roles you grant to a group, regardless of the group role you select.
To add another user to this group, click Add another member and repeat these steps. We recommend that you add more than one member to each group.
When you're done adding users to this group, click Save.
When you're done with all groups, click Confirm users & groups.
If you want to federate your identity provider into Google Cloud, see the following:
- Reference architectures: using an external IdP.
- To automatically provision users and enable single sign-on, see the following:
- To sync Active Directory users and groups to Google Cloud, use Directory Sync or Google Cloud Directory Sync.
- For a comparison, see Compare Directory Sync with GCDS.
Connect your external identity provider to Google Cloud
You can use your existing identity provider to create and manage groups and users. You configure single sign-on to Google Cloud by setting up workforce identity federation with your external identity provider. For key concepts of this process, see Workforce Identity Federation.
To connect your external identity provider, you complete a guided setup that includes the following steps:
- Create a workforce pool: A workforce identity pool helps you manage identities and their access to resources. You enter the following details in a human-readable format.
  - Workforce pool ID: A globally unique identifier used in IAM.
  - Provider ID: A name for your provider, which users will specify when they log in to Google Cloud.
- Configure Google Cloud in your provider: The guided setup includes specific steps for your provider.
- Enter your provider's workforce pool details: To add your provider as a trusted authority to assert identities, retrieve details from your provider and add them to Google Cloud:
- Configure an initial set of administrative groups: The guided setup includes specific steps for your provider. You assign groups in your provider and establish a connection to Google Cloud. For a detailed description of each group, see Create administrative groups.
- Assign users to each group: We recommend that you assign more than one user to each group.
For background information on the connection process for each provider, see the following:
- Configure Workforce Identity Federation with Azure AD and sign in users.
- Configure Workforce Identity Federation with Okta and sign in users.
- For other providers that support OIDC or SAML, see Configure Workforce Identity Federation.
What's next
Administrative access
In this task, you use Identity and Access Management (IAM) to assign collections of permissions to groups of administrators at the organization level. This process gives administrators central visibility and control over every cloud resource that belongs to your organization.
For an overview of Identity and Access Management in Google Cloud, see IAM overview.
Who performs this task
To perform this task, you must be one of the following:
- A super administrator user.
- A user with the Organization Administrator role (roles/resourcemanager.organizationAdmin).
What you do in this task
Review a list of default roles assigned to each administrator group that you created in the Users and groups task.
If you want to customize a group, you can do the following:
- Add or remove roles.
- If you do not plan to use a group, you can delete it.
Why we recommend this task
You must explicitly grant all administrative roles for your organization. This task helps you implement the following security best practices:
Principle of least privilege: Give users the minimum permissions required to perform their jobs, and remove access as soon as it is no longer needed.
Role-based access control (RBAC): Assign permissions to groups of users according to their jobs. Do not grant roles to individual user accounts.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
Grant access to administrator groups
To grant appropriate access to each administrator group that you created in the Users and groups task, review the default roles that are assigned to each group. You can add or remove roles to customize each group's access.
Make sure that you are logged in to the Google Cloud console as a super administrator user.
Alternatively, you can sign in as a user with the Organization Administrator role (roles/resourcemanager.organizationAdmin).
Go to Google Cloud setup: Administrative access.
Select your organization name from the Select from drop-down list at the top of the page.
Review the task overview and click Continue administrative access.
Review the groups in the Group (Principal) column that you created in the Users & groups task.
For each group, review the default IAM roles. You can add or remove roles assigned to each group to fit the unique needs of your organization.
Each role contains multiple permissions that allow users to perform relevant tasks. For more information about the permissions in each role, see IAM basic and predefined roles reference.
When you are ready to assign roles to each group, click Save and grant access.
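The groups from the table in Create administrative groups and the organization-level grants reviewed in this task, expressed as Terraform. This is an added example, not the configuration the Google Cloud setup tool generates; ORGANIZATION_ID and CUSTOMER_ID are placeholders, example.com is the verified domain, and the group-to-role mapping is illustrative rather than the console's default role list.

```hcl
# Added example (not the setup tool's generated Terraform).
# Placeholders: ORGANIZATION_ID, customers/CUSTOMER_ID. Domain: example.com.

variable "org_id" {
  description = "Numeric organization ID (placeholder)"
  type        = string
  default     = "ORGANIZATION_ID"
}

variable "customer_id" {
  description = "Cloud Identity customer ID in the form customers/C... (placeholder)"
  type        = string
  default     = "customers/CUSTOMER_ID"
}

variable "domain" {
  type    = string
  default = "example.com"
}

locals {
  # Illustrative mapping of administrative groups to organization-level roles.
  # Replace with the roles you reviewed and accepted in the console.
  admin_groups = {
    "gcp-organization-admins" = ["roles/resourcemanager.organizationAdmin"]
    "gcp-billing-admins"      = ["roles/billing.admin"]
    "gcp-network-admins"      = ["roles/compute.networkAdmin"]
    "gcp-logging-admins"      = ["roles/logging.admin"]
    "gcp-logging-viewers"     = ["roles/logging.viewer"]
  }

  # One explicit (group, role) pair per binding so every grant is visible in review.
  group_role_pairs = flatten([
    for group, roles in local.admin_groups : [
      for role in roles : { group = group, role = role }
    ]
  ])
}

# One Cloud Identity group per administrative function (gcp-<function>@<domain>).
resource "google_cloud_identity_group" "admin" {
  for_each = local.admin_groups

  display_name = each.key
  parent       = var.customer_id

  group_key {
    id = "${each.key}@${var.domain}"
  }

  # Required label that marks this as a standard Google group.
  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

# Roles are granted to groups, never to individual users (RBAC, least privilege).
# *_iam_member bindings are additive, so they do not strip other grants on the org.
resource "google_organization_iam_member" "admin" {
  for_each = { for p in local.group_role_pairs : "${p.group}/${p.role}" => p }

  org_id = var.org_id
  role   = each.value.role
  member = "group:${each.value.group}@${var.domain}"

  depends_on = [google_cloud_identity_group.admin]
}
```

Removing a group from admin_groups on a later apply also removes its organization-level bindings, which is the "remove access as soon as it is no longer needed" practice in declarative form.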
What's next
Set up billing.
Billing
In this task, you set up a billing account to pay for Google Cloud resources. To do this, you associate one of the following with your organization:
- An existing Cloud Billing account. If you don't have access to the account, you can request access from your billing account administrator.
- A new Cloud Billing account.
For more information on billing, see the Cloud Billing documentation.
Who performs this task
A person in the gcp-billing-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
- Create or use an existing self-serve Cloud Billing account.
- Decide whether to transition from a self-serve account to an invoiced account.
- Set up a Cloud Billing account and payment method.
Why we recommend this task
Cloud Billing accounts are linked to one or more Google Cloud projects and are used to pay for the resources you use, such as virtual machines, networking, and storage.
Determine your billing account type
The billing account that you associate with your organization is one of the following types.
- Self-serve (or online): Sign up online using a credit or debit card. We recommend this option if you are a small business or individual. When you sign up online for a billing account, your account is automatically set up as a self-serve account.
- Invoiced (or offline): If you already have a self-serve billing account, you might be eligible to apply for invoiced billing if your business meets eligibility requirements.
You cannot create an invoiced account online, but you can apply to convert a self-serve account to an invoiced account.
For more information, see Cloud Billing account types.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Set up the billing account
Now that you have chosen a billing account type, associate the billing account with your organization. When you complete this process, you can use your billing account to pay for Google Cloud resources.
Sign in to the Google Cloud console as a user from the gcp-billing-admins@YOUR_DOMAIN group.
Go to Google Cloud setup: Billing.
Review the task overview, and then click Continue billing.
Select one of the following billing account options:
Create a new account
If your organization does not have an existing account, create a new account.
- Select I want to create a new billing account.
- Click Continue.
Select the billing account type you want to create. For detailed steps, see the following:
- To create a new self-serve account, see Create a new self-serve Cloud Billing account.
- To transition an existing self-serve account to invoiced billing, see Apply for monthly invoiced billing.
Verify that your billing account was created:
If you created an invoiced account, wait up to 5 business days to receive email confirmation.
Go to the Billing page.
Select your organization from the Select from list at the top of the page. If the account was created successfully, it is displayed in the billing account list.
Use my existing account
If you have an existing billing account, you can associate it with your organization.
- Select I identified a billing account from this list that I would like to use to complete the setup steps.
- From the Billing drop-down list, select the account you want to associate with your organization.
- Click Continue.
- Review the details and click Confirm billing account.
Use another user's account
If another user has access to an existing billing account, you can ask that user to associate the billing account with your organization, or the user can give you access to complete the association.
- Select I want to use a billing account that's managed by another Google user account.
- Click Continue.
- Enter the billing account administrator's email address.
- Click Contact administrator.
- Wait for the billing account administrator to contact you with further instructions.
What's next
Create an initial architecture
Hierarchy and access
In this task, you set up your resource hierarchy by creating and assigning access to the following resources:
- Folders: Provide a grouping mechanism and isolation boundaries between projects. For example, folders can represent main departments in your organization such as finance or retail, or environments such as production or non-production.
- Projects: Contain your Google Cloud resources, such as virtual machines, databases, and storage buckets.
For design considerations and best practices to organize your resources in projects, see Decide a resource hierarchy for your Google Cloud landing zone.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task can perform this task.
What you do in this task
- Create an initial hierarchy structure that includes folders and projects.
- Set IAM policies to control access to your folders and projects.
Why we recommend this task
Creating a structure for folders and projects helps you manage Google Cloud resources and assign access based on the way your organization operates. For example, you might organize and provide access to resources based on your organization's unique collection of geographic regions, subsidiary structures, or accountability frameworks.
Plan the resource hierarchy
Your resource hierarchy helps you create boundaries, and share resources across your organization for common tasks. You create your hierarchy using one of the following initial configurations, based on your organization structure:
Simple environment-oriented:
- Isolate environments like Non-production and Production.
- Implement distinct policies, regulatory requirements, and access controls in each environment folder.
- Good for small companies with centralized environments.
Simple team-oriented:
- Isolate teams like Development and QA.
- Isolate access to resources using child environment folders under each team folder.
- Good for small companies with autonomous teams.
Environment-oriented:
- Prioritize the isolation of environments like Non-production and Production.
- Under each environment folder, isolate business units.
- Under each business unit, isolate teams.
- Good for large companies with centralized environments.
Business unit-oriented:
- Prioritize the isolation of business units like Human Resources and Engineering to help ensure that users can only access the resources and data they need.
- Under each business unit, isolate teams.
- Under each team, isolate environments.
- Good for large companies with autonomous teams.
Each configuration has a Common folder for projects that contain shared resources. This might include logging and monitoring projects.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
Configure initial folders and projects
Select the resource hierarchy that represents your organization structure.
To configure initial folders and projects, do the following:
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group you created in the Users and groups task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud setup: Hierarchy & access.
Review the task overview, and then click Start next to Resource hierarchy.
Select a starting configuration.
Click Continue and configure.
Customize your resource hierarchy to reflect your organizational structure. For example, you can customize the following:
- Folder names.
- Service projects for each team. To grant access to service projects, you can create the following:
  - A group for each service project.
  - Users in each group.
  For an overview of service projects, see Shared VPC.
- Projects required for monitoring, logging, and networking.
- Custom projects.
Click Continue.
Grant access to your folders and projects
In the Administrative access task, you granted administrative access to groups at the organization level. In this task, you configure access to groups that interact with your newly configured folders and projects.
Projects, folders, and organizations each have their own IAM policies, which are inherited through the resource hierarchy:
- Organization: Policies apply to all folders and projects in the organization.
- Folder: Policies apply to projects and other folders within the folder.
- Project: Policies apply only to that project and its resources.
Update the IAM policies for your folders and projects:
In the Configure access control section of Hierarchy & access, grant your groups access to your folders and projects:
In the table, review the list of recommended IAM roles granted to each group for each resource.
If you want to modify the roles assigned to each group, click Edit in the desired row.
For more information about each role, see IAM basic and predefined roles.
Click Continue.
Review your changes and click Confirm draft configuration.
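The Environment-oriented starting configuration from Plan the resource hierarchy, with a Common folder, a shared logging project, and the folder-level grants described in this task, as Terraform. This is an added example rather than the draft configuration the console produces; ORGANIZATION_ID, BILLING_ACCOUNT_ID and PROJECT_ID_LOGGING are placeholders, the business unit "retail" and team "checkout" are hypothetical, and the developer roles are illustrative, not the console defaults.

```hcl
# Added example (not the setup tool's generated Terraform).
# Placeholders: ORGANIZATION_ID, BILLING_ACCOUNT_ID, PROJECT_ID_LOGGING.
# Hypothetical business unit "retail" and team "checkout"; domain example.com.

variable "org_id" {
  type    = string
  default = "ORGANIZATION_ID"
}

variable "billing_account" {
  type    = string
  default = "BILLING_ACCOUNT_ID"
}

variable "domain" {
  type    = string
  default = "example.com"
}

locals {
  environments   = ["Production", "Non-production"]
  business_units = ["retail"]   # hypothetical
  teams          = ["checkout"] # hypothetical

  # Each (environment, business unit[, team]) combination becomes one folder,
  # keyed like "Production/retail" and "Production/retail/checkout".
  bu_folders = {
    for p in setproduct(local.environments, local.business_units) :
    "${p[0]}/${p[1]}" => { env = p[0], bu = p[1] }
  }
  team_folders = {
    for t in setproduct(local.environments, local.business_units, local.teams) :
    "${t[0]}/${t[1]}/${t[2]}" => { env = t[0], bu = t[1], team = t[2] }
  }
}

# Level 1: environments are the primary isolation boundary in this configuration.
resource "google_folder" "environment" {
  for_each     = toset(local.environments)
  display_name = each.key
  parent       = "organizations/${var.org_id}"
}

# Level 2: business units under each environment folder.
resource "google_folder" "business_unit" {
  for_each     = local.bu_folders
  display_name = each.value.bu
  parent       = google_folder.environment[each.value.env].name
}

# Level 3: teams under each business unit folder.
resource "google_folder" "team" {
  for_each     = local.team_folders
  display_name = each.value.team
  parent       = google_folder.business_unit["${each.value.env}/${each.value.bu}"].name
}

# Common folder for shared resources such as logging and monitoring projects.
resource "google_folder" "common" {
  display_name = "Common"
  parent       = "organizations/${var.org_id}"
}

resource "google_project" "logging" {
  name            = "logging"
  project_id      = "PROJECT_ID_LOGGING" # must be globally unique; placeholder
  folder_id       = google_folder.common.folder_id
  billing_account = var.billing_account
}

# A folder-level binding is inherited by every folder and project beneath it, so
# one grant on "Non-production" reaches all business-unit and team folders under
# it. Developers get write access outside production only (illustrative roles).
resource "google_folder_iam_member" "developers_nonprod" {
  folder = google_folder.environment["Non-production"].name
  role   = "roles/editor"
  member = "group:gcp-developers@${var.domain}"
}

resource "google_folder_iam_member" "developers_prod" {
  folder = google_folder.environment["Production"].name
  role   = "roles/viewer"
  member = "group:gcp-developers@${var.domain}"
}
```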
What's next
Centralize logging
In this task, you configure logging for your entire organization, including the projects you created in an earlier task.
Who performs this task
You must have one of the following:
- The Logging Admin role (roles/logging.admin).
- Membership in the gcp-logging-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Centrally organize logs that are created in projects across your organization to help with security, auditing, and compliance.
Why we recommend this task
Log storage and retention simplifies analysis and preserves your audit trail.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
Centrally organize logging
Cloud Logging helps you store, search, analyze, monitor, and alert on log data and events from Google Cloud. You can also collect and process logs from your applications, on-premises resources, and other clouds. We recommend that you use Cloud Logging to consolidate logs into a single log bucket.
For more information, see the following:
- For an overview, see Routing and storage overview.
- For information on logging on-premises resources, see Logging on-premises resources with BindPlane.
- For steps to change the log filter after you deploy your configuration, see Inclusion filters.
To store your log data in a central log bucket, do the following:
Sign in to the Google Cloud console as a user that you identified in Who performs this task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud setup: Centralize logging.
Review the task overview and click Start logging configuration.
Review the task details.
To route logs to a central log bucket, ensure that Store organization-level admin activity audit logs in a log bucket is selected.
Expand Route logs to a Logging log bucket and do the following:
In the Log bucket name field, enter a name for the central log bucket.
From the Log bucket region list, select the region where your log data is stored.
For more information, see Log bucket locations.
We recommend storing logs for 365 days. To customize the retention period, enter the number of days in the Retention period field.
Logs stored for longer than 30 days incur a retention cost. For more information, see Cloud Logging pricing summary.
Export logs outside of Google Cloud
If you want to export logs to a destination outside of Google Cloud, you can export using Pub/Sub. For example, if you use multiple cloud providers, you might decide to export log data from each cloud provider to a third-party tool.
You can filter the logs you export to meet your unique needs and requirements. For example, you might choose to limit the types of logs you export to control costs or to reduce noise in your data.
For more information about exporting logs, see the following:
- For an overview, see What is Pub/Sub?
- For pricing information, see the following:
- For information on streaming to Splunk, see Deploy log streaming from Google Cloud to Splunk.
To export logs, do the following:
Click Stream your logs to other applications, other repositories, or third parties.
In the Pub/Sub topic ID field, enter an identifier for the topic that contains your exported logs. For information on subscribing to a topic, see Pull subscriptions.
To prevent one of the following recommended logs from being exported, clear its checkbox:
- Cloud Audit Logs: Admin Activity: API calls or actions that modify resource configuration or metadata.
- Cloud Audit Logs: System Event: Google Cloud actions that modify resource configuration.
- Access Transparency: Actions that Google personnel take when accessing customer content.
Select the following additional logs to export them:
- Cloud Audit Logs: Data Access: API calls that read resource configuration or metadata, and user-driven API calls that create, modify, or read user-provided resource data.
- Cloud Audit Logs: Policy Denied: Google Cloud service access denials to user or service accounts, based on security policy violations.
For information about each log type, see Understand Cloud Audit Logs.
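The two routing choices above (a central log bucket with 365-day retention, and an optional Pub/Sub export carrying the audit log types just listed) map to organization-level log sinks. The following is an added example written for this page, not the Terraform the console generates: it creates the bucket, an organization sink that routes Admin Activity audit logs into it, a Pub/Sub topic, and a second sink whose filter names the five audit log types described above. The organization ID, project ID, bucket, topic and sink names are placeholders; the IAM bindings on the sinks' writer identities are included because a sink without them is created successfully but its exports are denied at the destination.

```hcl
variable "org_id"          { default = "ORG_ID_PLACEHOLDER" }
variable "logging_project" { default = "logging-project-placeholder" }

# Central log bucket with the recommended 365-day retention.
resource "google_logging_project_bucket_config" "central" {
  project        = var.logging_project
  location       = "us-central1"
  bucket_id      = "central-audit-logs"
  retention_days = 365
}

# Organization-level sink: include_children routes matching entries from every
# folder and project under the organization into the central bucket.
resource "google_logging_organization_sink" "to_bucket" {
  name             = "org-admin-activity-to-central-bucket"
  org_id           = var.org_id
  include_children = true
  destination      = "logging.googleapis.com/${google_logging_project_bucket_config.central.id}"
  filter           = "logName:\"cloudaudit.googleapis.com%2Factivity\""
}

# The sink writes with its own service identity, which needs bucketWriter on
# the destination project; without this binding the exports are denied.
resource "google_project_iam_member" "bucket_writer" {
  project = var.logging_project
  role    = "roles/logging.bucketWriter"
  member  = google_logging_organization_sink.to_bucket.writer_identity
}

# Export path: a Pub/Sub topic that an external consumer subscribes to.
resource "google_pubsub_topic" "log_export" {
  project = var.logging_project
  name    = "org-audit-log-export"
}

# Second sink carrying the five audit log types listed above. Narrow this
# filter (for example, drop Data Access) to control cost and noise.
resource "google_logging_organization_sink" "to_pubsub" {
  name             = "org-audit-to-pubsub"
  org_id           = var.org_id
  include_children = true
  destination      = "pubsub.googleapis.com/${google_pubsub_topic.log_export.id}"
  filter           = <<-EOT
    logName:"cloudaudit.googleapis.com%2Factivity" OR
    logName:"cloudaudit.googleapis.com%2Fsystem_event" OR
    logName:"cloudaudit.googleapis.com%2Faccess_transparency" OR
    logName:"cloudaudit.googleapis.com%2Fdata_access" OR
    logName:"cloudaudit.googleapis.com%2Fpolicy"
  EOT
}

# The export sink's identity must be allowed to publish to the topic.
resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = var.logging_project
  topic   = google_pubsub_topic.log_export.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_organization_sink.to_pubsub.writer_identity
}
```

Keeping the logging project separate from workload projects, and granting only the two writer identities above rights on the bucket and topic, limits who can alter or delete the audit trail. If a consumer pulls from the topic, its subscription and credentials belong to that consumer's project, not to the logging project.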
Complete the logging configuration
To complete the logging task, do the following:
Click Continue.
Review your logging configuration details and click Confirm draft configuration.
Your logging configuration isn't deployed until you deploy your settings in a later task.
What's next
Security
In this task, you configure security settings and products to help protect your organization.
Who performs this task
You must have one of the following to complete this task:
- The Organization Administrator role (roles/resourcemanager.organizationAdmin).
- Membership in one of the following groups that you created in the Users and groups task:
  - gcp-organization-admins@<your-domain>.com
  - gcp-security-admins@<your-domain>.com
What you do in this task
Apply recommended organization policies based on the following categories:
- Access management.
- Service account behavior.
- VPC network configuration.
You also enable Security Command Center to centralize vulnerability and threat reporting.
Why we recommend this task
Applying recommended organization policies helps you limit user actions that don't align with your security posture.
Enabling Security Command Center helps you create a central location to analyze vulnerabilities and threats.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Start the security task
Sign in to the Google Cloud console with a user you identified in Who performs this task.
Select your organization from the Select from drop-down at the top of the page.
Go to Google Cloud setup: Security.
Review the task overview, and then click Start Security.
Centralize vulnerability and threat reporting
To centralize vulnerability and threat reporting services, enable Security Command Center. This helps you strengthen your security posture and mitigate risks. For more information, see Security Command Center overview.
On the Google Cloud setup: Security page, make sure that the Enable Security Command Center: Standard checkbox is enabled.
This task enables the free Standard tier. You can upgrade to the Premium version at a later time. For more information, see Security Command Center service tiers.
Click Apply Security Command Center configurations.
Apply recommended organization policies
Organization policies apply at the organization level, and are inherited by folders and projects. In this task, review and apply the list of recommended policies. You can modify organization policies at any time. For more information, see Introduction to the Organization Policy Service.
Review the list of recommended organization policies. If you don't want to apply a recommended policy, click its checkbox to remove it.
For a detailed explanation of each organization policy, see Organization policy constraints.
Click Confirm organization policy configurations.
The organization policies that you select are applied when you deploy your configuration in a later task.
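Organization policies of the three categories listed above (access management, service account behavior, VPC network configuration) are set with the Organization Policy Service. The following is an added example, not the console's recommended list or its generated Terraform: it enforces one representative constraint from each category using constraint names that exist in the Organization Policy Service. The organization ID and the Cloud Identity customer ID are placeholders. Whether a given constraint is appropriate depends on your workloads; apply them at the organization level only after checking for existing resources that would violate them.

```hcl
variable "org_id" { default = "ORG_ID_PLACEHOLDER" }

locals {
  # Boolean constraints to enforce organization-wide (constructed selection).
  enforced_boolean_constraints = [
    "iam.disableServiceAccountKeyCreation", # service account behavior
    "compute.skipDefaultNetworkCreation",   # VPC network configuration
  ]
}

# One policy per boolean constraint; folders and projects inherit it.
resource "google_org_policy_policy" "enforced" {
  for_each = toset(local.enforced_boolean_constraints)
  name     = "organizations/${var.org_id}/policies/${each.key}"
  parent   = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# Access management: only principals from your own Cloud Identity customer
# may be granted IAM roles anywhere in the organization.
resource "google_org_policy_policy" "allowed_member_domains" {
  name   = "organizations/${var.org_id}/policies/iam.allowedPolicyMemberDomains"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      values {
        allowed_values = ["CUSTOMER_ID_PLACEHOLDER"] # Cloud Identity customer ID
      }
    }
  }
}

# VPC network configuration: deny external IP addresses on VM instances by
# default. Exceptions are granted by overriding the policy on a project.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}
```

Because these policies are inherited, a project that legitimately needs an exception (for example, an internet-facing instance in the public subnet described in the VPC networks task) gets a narrower policy at project level rather than a relaxed policy at the organization.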
What's next
VPC networks
In this task, you set up your initial networking configuration, which you can scale as your needs change.
Virtual Private Cloud architecture
A Virtual Private Cloud (VPC) network is a virtual version of a physical network that is implemented inside of Google's production network. A VPC network is a global resource that consists of regional subnetworks (subnets).
VPC networks provide networking capabilities to your Google Cloud resources such as Compute Engine virtual machine instances, GKE containers, and App Engine flexible environment instances.
Shared VPC connects resources from multiple projects to a common VPC network so that they can communicate with each other using the network's internal IP addresses. The following diagram shows the basic architecture of a Shared VPC network with attached service projects.
When you use Shared VPC, you designate a host project and attach one or more service projects to it. Virtual Private Cloud networks in the host project are called Shared VPC networks.
The example diagram has production and non-production host projects, which each contain a Shared VPC network. You can use a host project to centrally manage the following:
- Routes
- Firewalls
- VPN connections
- Subnets
A service project is any project that's attached to a host project. You can share subnets, including secondary ranges, between host and service projects.
In this architecture, each Shared VPC network contains public and private subnets:
- The public subnet can be used by internet-facing instances for external connectivity.
- The private subnet can be used by internal-facing instances that are not allocated public IP addresses.
In this task, you create an initial network configuration based on the example diagram.
Who performs this task
You need one of the following to perform this task:
- The roles/compute.networkAdmin role.
- Inclusion in the gcp-network-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Create an initial network configuration, including the following:
- Create multiple host projects to reflect your development environments.
- Create a Shared VPC network in each host project to allow distinct resources to share the same network.
- Create distinct subnets in each Shared VPC network to provide network access to service projects.
Why we recommend this task
Distinct teams can use Shared VPC to connect to a common, centrally-managed VPC network.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
Configure your network architecture
Create your initial network configuration with two host projects to segment non-production and production workloads. Each host project contains a Shared VPC network, which can be used by multiple service projects. You configure network details and then deploy a configuration file in a later task.
To configure your initial network, do the following.
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Select your organization from the Select an organization drop-down list at the top of the page.
Go to Google Cloud setup: Networking.
Review the default network architecture.
To edit the network name, do the following:
- Click Actions.
- Select Edit network name.
- In the Network name field, enter lowercase letters, numbers, or hyphens. The network name cannot exceed 25 characters.
- Click Save.
Modify firewall details
The default firewall rules on the host project are based on recommended best practices. You can choose to disable one or more of the default firewall rules. For general information on firewall rules, see VPC firewall rules.
To modify firewall settings, do the following:
Click Actions.
Select Edit firewall rules.
For detailed information about each default firewall rule, see Pre-populated rules in the default network.
To disable a firewall rule, clear its corresponding checkbox.
To disable Firewall Rules Logging, click Off.
By default, traffic to and from Compute Engine instances is logged for auditing purposes. This logging incurs costs. For more information, see Firewall Rules Logging.
Click Save.
Modify subnet details
Each VPC network contains at least one subnet, which is a regional resource with an associated IP address range. In this multi-regional configuration, you must have at least two subnets with non-overlapping IP ranges.
For more information, see Subnets.
Each subnet is configured using recommended best practices. If you want to customize each subnet, do the following:
- Click Actions.
- Select Edit subnets.
- In the Name field, enter lowercase letters, numbers, or hyphens. The subnet name cannot exceed 25 characters.
- From the Region drop-down, select a region that is close to your point of service.
We recommend a different region for each subnet. You can't change the region after you deploy your configuration. For information about choosing a region, see Regional resources.
- In the IP address range field, enter a range in CIDR notation, for example 10.0.0.0/24.
The range you enter must not overlap with other subnets in this network. For information on valid ranges, see IPv4 subnet ranges.
- Repeat these steps for Subnet 2.
- To configure additional subnets in this network, click Add subnet and repeat these steps.
- Click Save.
Your subnets are automatically configured according to best practices. If you want to modify the configuration, in the Google Cloud Setup: VPC Networks page, do the following:
To turn off VPC Flow Logs, from the Flow logs column, select Off.
When flow logs are on, each subnet records network flows that you can analyze for security, expenses optimization, and other purposes. For more information, see Use VPC Flow Logs.
VPC Flow Logs incur costs. For more information, see Virtual Private Cloud pricing.
To turn off Private Google Access, from the Private access column, select Off.
When Private Google Access is on, VM instances that don't have external IP addresses can reach Google APIs and services. For more information, see Private Google Access.
To turn on Cloud NAT, from the Cloud NAT column, select On.
When Cloud NAT is on, certain resources can create outbound connections to the internet. For more information, see Cloud NAT overview.
Cloud NAT incurs costs. For more information, see Virtual Private Cloud pricing.
Click Continue to link service projects.
Link service projects to your host projects
A service project is any project that has been attached to a host project. This attachment allows the service project to participate in Shared VPC. Each service project can be operated and administered by different departments or teams to create a separation of responsibilities.
For more information about connecting multiple projects to a common VPC network, see Shared VPC overview.
To link service projects to your host projects and complete the configuration, do the following:
For each subnet in the Shared VPC networks table, select a service project to connect. To do this, select from the Select a project drop-down in the Service project column.
You can connect a service project to multiple subnets.
Click Continue to Review.
Review your configuration, and make changes.
You can make edits until you deploy your configuration file.
Click Confirm draft configuration. Your network configuration is added to your configuration file.
Your network is not deployed until you deploy your configuration file in a later task.
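The network, firewall, subnet and service-project choices made in this task describe one Shared VPC host project. The following is an added example for this page, not the Terraform the console generates: it builds a production host project's custom-mode network with two subnets in different regions and non-overlapping ranges, keeps VPC Flow Logs and Private Google Access on (the console defaults described above), adds Cloud NAT with logging, defines an internal-only firewall rule with Firewall Rules Logging, and attaches one service project whose team is granted use of a single subnet. The project IDs, region, ranges, names and the app-team group are placeholders.

```hcl
# Placeholders for the production host project and one service project.
variable "host_project"    { default = "prod-host-project-placeholder" }
variable "service_project" { default = "app-service-project-placeholder" }

# Constructed subnets: one per region, with non-overlapping RFC 1918 ranges.
locals {
  subnets = {
    "prod-private-us-central1" = { region = "us-central1", cidr = "10.0.0.0/24" }
    "prod-private-us-east1"    = { region = "us-east1",    cidr = "10.0.1.0/24" }
  }
}

# Mark the host project so other projects can attach to its network.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project
}

# Custom-mode network: no auto-created subnets, so every range is deliberate.
resource "google_compute_network" "prod" {
  project                 = var.host_project
  name                    = "prod-shared-vpc"
  auto_create_subnetworks = false
  routing_mode            = "GLOBAL"
}

# Private Google Access and VPC Flow Logs stay on for every subnet.
resource "google_compute_subnetwork" "private" {
  for_each                 = local.subnets
  project                  = var.host_project
  name                     = each.key
  region                   = each.value.region
  network                  = google_compute_network.prod.id
  ip_cidr_range            = each.value.cidr
  private_ip_google_access = true

  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Cloud NAT for outbound internet access from instances without external IPs.
resource "google_compute_router" "nat" {
  project = var.host_project
  name    = "prod-nat-router"
  region  = "us-central1"
  network = google_compute_network.prod.id
}

resource "google_compute_router_nat" "nat" {
  project                            = var.host_project
  name                               = "prod-nat"
  region                             = "us-central1"
  router                             = google_compute_router.nat.name
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  log_config {
    enable = true
    filter = "ERRORS_ONLY" # record dropped connections (port exhaustion etc.)
  }
}

# Ingress only from the network's own subnet ranges, with rule logging on.
resource "google_compute_firewall" "allow_internal" {
  project       = var.host_project
  name          = "prod-allow-internal"
  network       = google_compute_network.prod.name
  direction     = "INGRESS"
  source_ranges = [for s in local.subnets : s.cidr]

  allow { protocol = "icmp" }
  allow { protocol = "tcp" }
  allow { protocol = "udp" }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Attach the service project, then let its team use one subnet only
# (roles/compute.networkUser at subnet scope, not on the whole host project).
resource "google_compute_shared_vpc_service_project" "app" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project
}

resource "google_compute_subnetwork_iam_member" "app_subnet_user" {
  project    = var.host_project
  region     = google_compute_subnetwork.private["prod-private-us-central1"].region
  subnetwork = google_compute_subnetwork.private["prod-private-us-central1"].name
  role       = "roles/compute.networkUser"
  member     = "group:app-team@YOUR_DOMAIN" # placeholder group
}
```

Granting roles/compute.networkUser per subnet rather than on the host project is what keeps the separation of responsibilities described above: a service project can only place resources in the subnets it has been given. Flow logs, NAT logs and firewall rule logs all land in Cloud Logging, so the central log bucket configured in the Centralize logging task also receives them if its filter admits them.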
What's next
Set up hybrid connectivity, which helps you connect on-premises servers or other cloud providers to Google Cloud.
Hybrid connectivity
In this task, you establish connections between your peer (on-premises or other cloud) networks and your Google Cloud networks, as in the following diagram.
This process creates an HA VPN, which is a high-availability (HA) solution that you can quickly create to transmit data over the public internet.
After you deploy your Google Cloud setup, we recommend creating a more robust connection using Cloud Interconnect.
For more information on connections between peer networks and Google Cloud, see the following:
Who performs this task
You must have the Organization Administrator role (roles/resourcemanager.organizationAdmin).
What you do in this task
Create low-latency, high-availability connections between your VPC networks and your on-premises or other cloud networks. You configure the following components:
- Google Cloud HA VPN gateway: A regional resource that has two interfaces, each with its own IP address. You specify the IP stack type, which determines whether IPv6 traffic is supported in your connection. For background information, see HA VPN.
- Peer VPN gateway: The gateway on your peer network, to which the Google Cloud HA VPN gateway connects. You enter external IP addresses that your peer gateway uses to connect to Google Cloud. For background information, see Configure the peer VPN gateway.
- Cloud Router: Uses Border Gateway Protocol (BGP) to dynamically exchange routes between your VPC and peer networks. You assign an Autonomous System Number (ASN) as an identifier for your Cloud Router, and specify the ASN that your peer router uses. For background information, see Create a Cloud Router to connect a VPC network to a peer network.
- VPN tunnels: Connect the Google Cloud gateway to the peer gateway. You specify the Internet Key Exchange (IKE) protocol to use to establish the tunnel. You can enter your own previously generated IKE key or generate and copy a new key. For background information, see Configure IKE.
Why we recommend this task
An HA VPN provides a secure and highly available connection between your existing infrastructure and Google Cloud.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
- Configure your network in the VPC networks task.
Collect the following information from your peer network administrator:
- Your peer VPN gateway name: The gateway to which your Cloud VPN connects.
- Peer interface IP address 0: An external IP address on your peer network gateway.
- Peer interface IP address 1: A second external address, or you can reuse IP address 0 if your peer network only has a single external IP address.
- Peer Autonomous System Number (ASN): A unique identifier assigned to your peer network router.
- Cloud Router ASN: A unique identifier that you will assign to your Cloud Router.
- Internet Key Exchange (IKE) keys: Keys you use to establish two VPN tunnels with your peer VPN gateway. If you don't have existing keys, you can generate them during this setup and then apply them to your peer gateway.
Configure your connections
Do the following to connect your VPC networks to your peer networks:
Sign in as a user with the Organization Administrator role.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud setup: Hybrid connectivity.
Review the task details by doing the following:
Review the task overview and click Start hybrid connectivity.
Click each tab to learn about hybrid connectivity and click Continue.
See what to expect in each task step and click Continue.
Review the peer gateway configuration information that you need to collect and click Continue.
In the Hybrid connections area, identify the VPC networks that you want to connect, based on your business needs.
In the row for the first network you chose, click Configure.
In the Configuration overview area, read the description and click Next.
In the Google Cloud HA VPN gateway area, do the following:
In the Cloud VPN gateway name field, enter up to 60 characters using lowercase letters, numbers, and hyphens.
In the VPN tunnel inner IP stack type area, select one of the following stack types:
- IPv4 and IPv6 (recommended): Can support both IPv4 and IPv6 traffic. We recommend this setting if you plan to allow IPv6 traffic in your tunnel.
- IPv4: Can only support IPv4 traffic.
The stack type determines the type of traffic that is allowed in the tunnel between your VPC network and your peer network. You cannot modify the stack type after you create the gateway. For background information, see the following:
Click Next.
In the Peer VPN gateway area, do the following:
In the Peer VPN gateway name field, enter the name provided by your peer network administrator. You can enter up to 60 characters using lowercase letters, numbers, and hyphens.
In the Peer interface IP address 0 field, enter the peer gateway interface external IP address provided by your peer network administrator.
In the Peer interface IP address 1 field, do one of the following:
- If your peer gateway has a second interface, enter its IP address.
- If your peer gateway only has a single interface, enter the same address you entered in Peer interface IP address 0.
For background information, see Configure the peer VPN gateway.
Click Next.
In the Cloud Router area, do the following:
In the Cloud router ASN field, enter the Autonomous System Number you want to assign to your Cloud Router, as provided by your peer network administrator. For background information, see Create a Cloud Router.
In the Peer router ASN field, enter your peer network router's Autonomous System Number, as provided by your peer network administrator.
In the VPN tunnel 0 area, do the following:
In the Tunnel 0 name field, enter up to 60 characters using lowercase letters, numbers, and hyphens.
In the IKE version area, select one of the following:
- IKEv2 - recommended: Supports IPv6 traffic.
- IKEv1: Use this setting if you do not plan to allow IPv6 traffic in the tunnel.
For background information, see Configure VPN tunnels.
In the IKE pre-shared key field, enter the key you use in your peer gateway configuration, as provided by your peer network administrator. If you don't have an existing key, you can click Generate and copy, and then give the key to your peer network administrator.
In the VPN tunnel 1 area, repeat the previous step to apply settings for the second tunnel. You configure this tunnel for redundancy and additional throughput.
Click Save.
Repeat these steps for any other VPC networks that you want to connect to your peer network.
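The components configured in the steps above (HA VPN gateway, peer VPN gateway with two interface addresses, Cloud Router with its own and the peer's ASN, and two IKEv2 tunnels) have direct Terraform equivalents. The following is an added example for this page, not the console's generated configuration: it wires all four components for one VPC network, with the two tunnels and their BGP sessions driven from one map so that both are configured identically. The project, region, network name, peer addresses (RFC 5737 documentation addresses), ASNs and link-local BGP addresses are placeholders; the pre-shared keys are deliberately a sensitive input variable rather than literals in the file.

```hcl
variable "host_project" { default = "prod-host-project-placeholder" }
variable "region"       { default = "us-central1" }
variable "network"      { default = "prod-shared-vpc" } # network name in the host project

# Pre-shared keys, one per tunnel, supplied out of band (for example from a
# secret store) and never committed to source control.
variable "ike_psk" {
  type      = map(string)
  sensitive = true
}

# Constructed values collected from the peer network administrator.
locals {
  peer_ips  = ["203.0.113.10", "203.0.113.11"] # peer interface IP 0 and 1
  peer_asn  = 65001                            # peer router ASN
  cloud_asn = 64514                            # Cloud Router ASN (private range)
  tunnels = {
    "0" = { local_ip = "169.254.0.1/30", peer_ip = "169.254.0.2" }
    "1" = { local_ip = "169.254.1.1/30", peer_ip = "169.254.1.2" }
  }
}

# Regional HA VPN gateway with two interfaces. The stack type cannot be changed
# after creation; IPv6 in the tunnel also requires the VPC network to be
# enabled for IPv6.
resource "google_compute_ha_vpn_gateway" "gcp" {
  project    = var.host_project
  name       = "prod-ha-vpn-gw"
  region     = var.region
  network    = var.network
  stack_type = "IPV4_IPV6"
}

# Peer gateway. If the peer has a single external IP, use one interface and
# redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" instead.
resource "google_compute_external_vpn_gateway" "peer" {
  project         = var.host_project
  name            = "on-prem-gw"
  redundancy_type = "TWO_IPS_REDUNDANCY"

  dynamic "interface" {
    for_each = local.peer_ips
    content {
      id         = interface.key
      ip_address = interface.value
    }
  }
}

# Cloud Router exchanging routes with the peer over BGP.
resource "google_compute_router" "vpn" {
  project = var.host_project
  name    = "prod-vpn-router"
  region  = var.region
  network = var.network

  bgp {
    asn = local.cloud_asn
  }
}

# Tunnel N: gateway interface N to peer interface N, IKEv2.
resource "google_compute_vpn_tunnel" "tunnel" {
  for_each                        = local.tunnels
  project                         = var.host_project
  name                            = "prod-tunnel-${each.key}"
  region                          = var.region
  vpn_gateway                     = google_compute_ha_vpn_gateway.gcp.id
  vpn_gateway_interface           = tonumber(each.key)
  peer_external_gateway           = google_compute_external_vpn_gateway.peer.id
  peer_external_gateway_interface = tonumber(each.key)
  ike_version                     = 2
  shared_secret                   = var.ike_psk[each.key]
  router                          = google_compute_router.vpn.id
}

# One router interface and one BGP peer per tunnel on a link-local /30.
resource "google_compute_router_interface" "if" {
  for_each   = local.tunnels
  project    = var.host_project
  name       = "prod-if-tunnel-${each.key}"
  router     = google_compute_router.vpn.name
  region     = var.region
  ip_range   = each.value.local_ip
  vpn_tunnel = google_compute_vpn_tunnel.tunnel[each.key].name
}

resource "google_compute_router_peer" "peer" {
  for_each        = local.tunnels
  project         = var.host_project
  name            = "prod-peer-tunnel-${each.key}"
  router          = google_compute_router.vpn.name
  region          = var.region
  interface       = google_compute_router_interface.if[each.key].name
  peer_ip_address = each.value.peer_ip
  peer_asn        = local.peer_asn
}
```

The peer administrator configures the mirror image: the two Google-side gateway interface addresses as remote endpoints, the same pre-shared keys, IKEv2, and BGP sessions to 169.254.0.1 and 169.254.1.1 from the peer ASN. The `ike_psk` values appear in Terraform state, so the state backend needs the same access controls as any other secret store.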
After you deploy
After you deploy your Google Cloud setup configuration, complete the following steps to ensure that your network connection is complete:
Work with your peer network administrator to align your peer network with your hybrid connectivity settings. After you deploy, specific instructions are provided for your peer network, including the following:
- Tunnel settings.
- Firewall settings.
- IKE settings.
Validate the network connections you created. For example, you can use Network Intelligence Center to check connectivity between networks. For more information, see Connectivity Tests overview.
If your business needs require a more robust connection, use Cloud Interconnect. For more information, see Choosing a Network Connectivity product.
What's next
Deploy your configuration, which includes settings for your hierarchy and access, logging, network, and hybrid connectivity.
Deploy your settings
Deploy or download
As you complete the Google Cloud setup process, your settings from the following tasks are compiled into Terraform configuration files:
To apply your settings, you review your selections and choose a deployment method.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Deploy configuration files to apply your setup settings.
Why we recommend this task
You must deploy configuration files to apply the settings you selected.
Before you begin
You must complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
The following tasks are recommended:
- Consolidate log data in a single location in the Centralize logging task.
- Strengthen your security posture by setting up cost-free services in the Security task.
- Configure your initial network in the VPC networks task.
- Connect peer networks to Google Cloud in the Hybrid connectivity task.
Review your configuration details
Do the following to make sure that your configuration settings are complete:
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud setup: Deploy or download.
Review the configuration settings you selected. Click each of the following tabs and review your settings:
- Resource hierarchy & access
- Logging
- Security
- VPC networks
- Hybrid connectivity
Deploy your configuration
Now that you have reviewed your configuration details, use one of the following options:
Deploy directly from the console: Use this option if you don't have an existing Terraform deployment workflow, and want a simple deployment method. You can deploy using this method only once.
Download and deploy the Terraform file: Use this option if you want to automate resource management using a Terraform deployment workflow. You can download and deploy using this method multiple times.
Deploy using one of the following options:
Deploy directly
If you don't have an existing Terraform workflow and want a simple one-time deployment, you can deploy directly from the console.
Click Deploy directly.
Wait several minutes for the deployment to complete.
If the deployment fails, do the following:
- To reattempt the deployment, click Retry Process.
- If the deployment fails after multiple attempts, you can contact an administrator for help. To do this, click Contact organization administrator.
Download and deploy
If you want to iterate on your deployment using your Terraform deployment workflow, download and deploy configuration files.
To download your configuration file, click Download as Terraform.
The package you download contains Terraform configuration files based on the settings you selected in the following tasks:
- Hierarchy & access
- Centralize logging
- Security
- VPC networks
- Hybrid connectivity
If you only want to deploy configuration files that are relevant to your responsibilities, you can avoid downloading irrelevant files. To do this, clear the check boxes for the configuration files that you don't need.
Click Download. A terraform.tar.gz package that includes the selected files is downloaded to your local file system. For detailed deployment steps, see Deploy your foundation using Terraform downloaded from the console.
What's next
Apply monitoring and support settings
Monitoring
Cloud Monitoring is automatically configured for your Google Cloud projects. In this task, you learn about optional monitoring best practices.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Who performs this task
A person in the gcp-monitoring-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Review and implement optional monitoring best practices.
Why we recommend this task
You can implement monitoring best practices to do the following:
- Facilitate collaboration among users who monitor your organization.
- Monitor your Google Cloud infrastructure in one place.
- Collect important application metrics and logs.
Review and implement monitoring best practices
Cloud Monitoring collects metrics, events, and metadata from Google Cloud services, synthetic monitors, application instrumentation, and other common application components. Cloud Monitoring is automatically configured for your Google Cloud projects.
In this task, you can implement the following best practices to build on the default Cloud Monitoring configuration.
To aid collaboration, create an organization policy that grants the Monitoring Viewer role to every principal in your organization for every project.
To monitor your Google Cloud infrastructure in one place, configure a project to read metrics from multiple Google Cloud projects by using Metric Scopes.
To collect application metrics and logs for virtual machines, do the following:
- For Compute Engine, install the Ops Agent.
- For Google Kubernetes Engine (GKE), set up Google Cloud Managed Service for Prometheus.
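The first two practices above, read-only monitoring access for every principal and a single project that reads metrics from the others, can be expressed as an organization-level IAM binding and a metrics scope. The following is an added example for this page, not project documentation: the Monitoring Viewer role is granted once at the organization so that every folder and project inherits it, and each monitored project is added to the scoping project's metrics scope. The organization ID, domain and project IDs are placeholders, and the assumption that the monitored project is identified by its project ID in the `name` argument follows the provider's documented example.

```hcl
variable "org_id"          { default = "ORG_ID_PLACEHOLDER" }
variable "scoping_project" { default = "monitoring-project-placeholder" }

# Placeholder list of projects whose metrics the scoping project reads.
variable "monitored_projects" {
  type    = list(string)
  default = ["prod-host-project-placeholder", "nonprod-host-project-placeholder"]
}

# Read-only monitoring access for every principal in the organization's
# domain, granted once at organization level so projects inherit it.
resource "google_organization_iam_member" "monitoring_viewer" {
  org_id = var.org_id
  role   = "roles/monitoring.viewer"
  member = "domain:YOUR_DOMAIN"
}

# Metrics scope: the scoping project reads metrics from each monitored
# project, so dashboards and alerts can be built in one place.
resource "google_monitoring_monitored_project" "scope" {
  for_each      = toset(var.monitored_projects)
  metrics_scope = "locations/global/metricsScopes/${var.scoping_project}"
  name          = each.key
}
```

Viewer is deliberately the only role granted broadly; the ability to change alerting policies or delete metrics data stays with the gcp-monitoring-admins group.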
What's next
Support
In this task, you choose a support plan that fits your business needs.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group created in the Users and groups task.
What you do in this task
Choose a support plan based on your company's needs.
Why we recommend this task
A premium support plan provides business-critical support to quickly resolve issues with help from experts at Google Cloud.
Choose a support option
You automatically get free Basic Support, which includes access to the following resources:
We recommend that enterprise customers sign up for Premium Support, which offers one-on-one technical support with Google support engineers. To compare support plans, see Google Cloud customer care.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Enable support
Identify and select a support option.
Review and select a support plan. For more information, see Google Cloud Customer Care.
Sign in to the Google Cloud console with a user from the gcp-organization-admins@<your-domain>.com group that you created in the Users and groups task.
Go to Google Cloud setup: Support.
Review the task details and click View support offerings to select a support option.
After you set up your support option, go back to the Google Cloud setup: Support page and click Mark task as completed.
What's next
Now that you have completed the Google Cloud setup, you are ready to extend your initial setup, deploy prebuilt solutions, and migrate your existing workflows. For more information, see Extend your initial setup and start building.