This document teaches you how to set up your various Google Cloud resources to avoid common issues and enable best practices for access control and cost management. The guide walks through design decisions and configuration options that help set you up for success in administering your cloud resources.
Goals of this guide
- Provide a conceptual overview of the various resources involved with billing.
- Show you how to set up your Cloud Billing resources efficiently and for ease of management, to align your strategic priorities with cloud usage and maintain a well-functioning account.
- Help you avoid the most common billing-related issues faced by Google Cloud customers.
- Teach you about best practices when configuring resource access permissions to ensure redundancy and security.
- Provide step-by-step instructions to help you set up your financial governance tools for greater clarity, accountability, and control.
Overview
This guide is organized into two main sections. The first section provides you with a conceptual overview of the various resources and roles involved with managing Google Cloud billing. The second section walks you through the steps necessary to configure your Google Cloud resources optimized for your billing needs.
Section 1: Concepts
- Resource Overview and Hierarchy: A high-level visual representation of the various Google Cloud resources that impact your billing and how they relate to one another.
- Roles Overview: A summary of the access roles, organized by resource, that are directly relevant to your billing set up.
Section 2: Setup Guide
- A step-by-step configuration walkthrough covering Google Cloud onboarding topics relevant to your billing setup, including guidance for customization based on your organization's needs.
Cloud Billing Concepts
Before working through the setup guide section, familiarize yourself with these concepts. Understanding the key concepts will help you with configuration decisions for your cloud environment. If you need additional information, see the overview of Cloud Billing concepts.
Resource Overview
What is a resource?
In the context of Google Cloud, resource can refer to the service-level resources that are used to process your workloads (for example, virtual machines) as well as to the account-level resources that sit above the services, such as projects, folders, and the organization.
What is resource management?
Resource management is focused on how you should configure and grant access to the various Google Cloud resources for your company or team, specifically the setup and organization of the account-level resources that sit above the service-level resources. Account-level resources are the resources involved in setting up and administering your Google Cloud account. This document provides prescriptive advice on configuring your account-level resources and the roles necessary to manage them to maintain a well-functioning account.
Resource Hierarchy
Google Cloud resources are organized hierarchically. This hierarchy lets you map your organization's operational structure to Google Cloud, and to manage access control and permissions for groups of related resources. The following diagram shows an example resource hierarchy illustrating the core account-level resources involved in administering your Google Cloud account.
The domain is the mechanism to manage the users in your organization and is directly related to the organization resource.
The organization resource represents an entire organization (for example, a company) and is the top-level node of the hierarchy. The organization resource provides central visibility and control over all Google Cloud resources further down in the hierarchy.
Next in the hierarchy are folders. You can use folders to isolate requirements for different departments and teams in the parent organization. You can similarly use folders to separate production resources from development resources.
At the bottom of the hierarchy are projects. Projects contain the service-level resources (such as computing, storage, and networking resources) that process your workloads and constitute your apps.
Resources can be further categorized using labels. You can label the service-level resources (for example, virtual machines), as well as your account-level resources (for example, projects).
Cloud Billing accounts are linked to and pay for projects.
Cloud Billing accounts are connected to a Google payments profile. The payments profile is a Google-level resource and you pay for Google services (such as AdWords and Google Cloud) using the payment methods that are attached to that profile.
You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the correct access and permissions within your organization.
The structure you define is flexible and allows you to adapt to evolving requirements. If you're just beginning your Google Cloud journey, adopt the simplest structure that satisfies your initial requirements. See the Resource Manager overview for full details.
Roles Overview
What are roles?
A role is a collection of permissions. Granting a role to a user lets that user perform a common business function, such as linking a project to a billing account.
How do roles work in Google Cloud?
Google Cloud offers Identity and Access Management (IAM) to manage access control to your Google Cloud resources. IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. To assign permissions to a user, you use IAM policies to grant specific roles to a user. Roles have one or more permissions bundled within them, controlling user access to resources.
You can set an IAM policy (roles) at the organization level, the folder level, the project level, or (in some cases) on the service-level resource. Resources inherit the policies of the parent node. If you set a policy at the Organization level, it's inherited by all its child folders and projects. If you set a policy at the project level, it's inherited by all its child resources. Inheritance is additive: the effective policy on a resource is the union of its own policy and the policies of all of its ancestors, and a policy on a child can add grants but can never remove a grant made higher up. A broad role granted at the Organization level therefore applies to every project in the Organization and can't be narrowed below it.
The original page includes a diagram of the Google Cloud resource hierarchy in complete form, from the Domain down to the Google payments profile, calling out the important high-access roles at each level. The roles are described per resource in the Setup Guide below.
Setup Guide
Each section in the setup guide provides information about decision points, offers best-practice recommendations, describes important roles, and provides a configuration checklist. Information about potential issues is also provided, with the ultimate goal of helping you configure your Google Cloud resources optimized for your billing needs. The guidelines help to ensure your setup is best protected against the most common access and billing issues faced by Google Cloud customers.
Before you begin
Before working through the setup guide, familiarize yourself with the Cloud Billing concepts. Understanding the key concepts will help you with configuration decisions for your cloud environment. Watch the following video to learn more.
Best Practices: Google Cloud Resource Organization and Access Management (Cloud Next '19)
There are a variety of different ways that you can organize your resources and set up access controls when using Google Cloud. Ensuring that your team can continuously access and manage these resources effectively requires following some essential best practices. In this session, you'll learn about each of the Google Cloud resources available and receive a best practices checklist that you can use to avoid some of the most common and problematic account configuration issues that customers experience.
The setup guide contains the following sections:
- Domain and Organization
- Cloud Billing Accounts
- Google payments Profiles and Accounts
- Projects, Folders, and Labels
Domain and Organization
The Domain and Organization sit at the top of the resource hierarchy. Together, the Google Cloud Domain and Organization let you centrally administer all of your users and Google Cloud resources.
The Domain lets you manage the users in your organization.
The Organization lets you manage your Google Cloud resources and which users have what type of access to those resources.
Domain and Identity
Your company Domain is the primary identity of your organization and establishes your company's identity with Google services, including Google Cloud. The Domain is linked to either a Google Workspace or Cloud Identity account.
Identity is used for authentication and access management of your users to Google Cloud resources. When first starting out with Google Cloud, it's important to decide how you want to manage your user authentication and identity. We offer flexible ways to manage access with Google Workspace and Cloud Identity.
Key Decision: Cloud Identity and Google Workspace
For user authentication and identity, should you use Cloud Identity or Google Workspace?
The Organization resource is closely associated with a Google Workspace or Cloud Identity account. You acquire an Organization resource only if you're also a Google Workspace or Cloud Identity customer. Each Google Workspace or Cloud Identity account can have exactly one Organization. Once an Organization resource is created for a domain, all Google Cloud projects created by members of the account domain will, by default, belong to the Organization resource.
Google Cloud uses Google Accounts for authentication and access management. Google recommends using fully managed corporate Google accounts for increased visibility, auditing, and control over access to Google Cloud resources.
Both options give your users managed Google Accounts and give your domain an Organization resource. Cloud Identity provides the identity management features (users, groups, single sign-on, device management) without the Google Workspace productivity applications, and has a free edition. If your organization already uses Google Workspace, use that account; otherwise Cloud Identity is sufficient for administering Google Cloud.
For more information, see Getting an Organization resource and Setting up Cloud Identity.
Important Roles
Role: Domain Super Admin. The Super Admin can grant the Organization Admin role (or any other role) and recover accounts at the Domain level.
Recommended Assignee: The Super Admin is usually someone who manages access at a high level, like a Domain Administrator.
Learn more about Google Workspace administrator roles and Cloud Identity admin roles.
Checklist
1. Create the Resource
❑ Choose Cloud Identity or Google Workspace.
2. Configure Access
❑ Review the patterns for adding or synchronizing users and groups.
❑ Add users and groups using the admin console, via Google Cloud Directory Sync, or using the Admin SDK API.
❑ Set up more than one Super Admin and ensure other project owners, administrators, and employees know who they are, so they can reach out in case of account access issues or if there is a need to delegate another Organization Admin. Protect every Super Admin account with 2-Step Verification (preferably security keys) and use it only for administrative tasks, not for daily work.
3. Configure the Resource
❑ Check the number of licenses provided. By default, Google provides a fixed number of free-of-charge licenses. If you need additional licenses, contact us.
❑ Cloud Identity provides a diverse set of security and user management features. For a list of what's included, see the features and editions comparison chart.
Organizations
An Organization is the root node of the Google Cloud hierarchy of resources. An Organization is associated with exactly one Domain. All resources that belong to an Organization are grouped under the Organization node, which provides insight into and access control over every resource in the Organization.
Best Practice: Configure an Organization
Google Cloud users aren't required to have an Organization resource. However, if you need to manage more than one user account, we strongly recommend configuring an Organization. The Organization resource provides many benefits, including: IAM policy inheritance and resource access recovery.
For more information, see Creating and managing Organizations.
Important Roles
Role: Organization Admin. The Organization Admin can administer any resource and grant any role within the Organization.
Recommended Assignee: The Organization Admin is usually someone who manages access control, like an IT Administrator.
Learn more about Organization roles.
Checklist
1. Create the Resource
❑ Obtain an Organization resource. If you followed the steps for Domain and Identity, you already have an organization.
2. Configure Access
❑ Set up multiple Organization Administrators who will be responsible for defining IAM policies and delegating responsibility for resources throughout your organization, like Cloud Billing and Project management.
❑ Grant IAM roles at the Organization level that you want everyone to use, while keeping in mind the security principle of least privilege.
3. Configure the Resource
❑ Migrate your Projects and Billing Accounts into your Organization. Once migrated, if an owner of a project or billing account loses access to their account or leaves the company, ownership of the project or billing account can be recovered by the Organization Admin.
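The following script is an added example (not Google's code) that models the policy inheritance described in Roles Overview and checks the two access items in the checklist above: it computes the effective roles a principal holds on a project by walking up to the Organization, then flags basic roles granted on the Organization or a folder (which every project below inherits) and fewer than two Organization Admins. The hierarchy, principals and bindings are constructed sample data in the shape of the bindings list that `gcloud ... get-iam-policy` prints; the role names are real predefined roles.

```python
from collections import defaultdict

# Constructed sample hierarchy (child -> parent). The organization is the root.
PARENTS = {
    "folders/prod": "organizations/123456789012",
    "folders/dev": "organizations/123456789012",
    "projects/shop-prod": "folders/prod",
    "projects/shop-dev": "folders/dev",
}

# Constructed sample policies, keyed by resource, in the shape of the
# "bindings" list returned by get-iam-policy. Principals are made up.
POLICIES = {
    "organizations/123456789012": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/editor", "members": ["group:all-staff@example.com"]},
        {"role": "roles/billing.user", "members": ["group:project-creators@example.com"]},
    ],
    "folders/prod": [
        {"role": "roles/resourcemanager.folderAdmin",
         "members": ["user:carol@example.com"]},
    ],
    "projects/shop-prod": [
        {"role": "roles/owner", "members": ["user:dave@example.com"]},
    ],
}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def ancestors(resource, parents=PARENTS):
    """The resource itself, then each parent up to the organization."""
    chain = [resource]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain


def effective_bindings(resource, policies=POLICIES, parents=PARENTS):
    """Roles each principal holds on `resource`, inherited grants included.

    Inheritance is additive: the effective policy is the union of the policy
    on the resource and the policies on all of its ancestors. A child policy
    can add grants but never removes a grant made above it.
    """
    roles = defaultdict(set)
    for node in ancestors(resource, parents):
        for binding in policies.get(node, []):
            for member in binding["members"]:
                roles[member].add(binding["role"])
    return {member: sorted(r) for member, r in roles.items()}


def audit(policies=POLICIES):
    """Flag configurations that the Organization checklist warns against."""
    findings = []
    org_admins = set()
    for node, bindings in policies.items():
        for binding in bindings:
            if node.startswith("organizations/") and \
                    binding["role"] == "roles/resourcemanager.organizationAdmin":
                org_admins.update(binding["members"])
            # A basic role on the organization or a folder is inherited by
            # every project beneath it, which rarely satisfies least privilege.
            if node.startswith(("organizations/", "folders/")) and \
                    binding["role"] in BASIC_ROLES:
                findings.append(
                    f"{node}: basic role {binding['role']} granted to "
                    f"{', '.join(binding['members'])} is inherited by every project below")
    if len(org_admins) < 2:
        findings.append("fewer than two Organization Admins; access cannot be "
                        "recovered if the only admin leaves")
    return findings


if __name__ == "__main__":
    for member, roles in effective_bindings("projects/shop-prod").items():
        print(member, roles)
    for finding in audit():
        print("FINDING:", finding)
```

Run against a real Organization, the same logic would consume the JSON output of `gcloud organizations get-iam-policy`, `gcloud resource-manager folders get-iam-policy` and `gcloud projects get-iam-policy` for each node; the inheritance walk is unchanged.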
Cloud Billing Accounts
Billing accounts pay for projects. A project and its service-level resources are always paid for by a single billing account. A billing account operates in a single currency and is linked to a Google payments profile.
A billing account can be linked to one or more projects. Project usage is tracked and charged to the linked billing account. Projects that are not linked to a billing account can't use Google Cloud or Google Maps Platform services. This is true even if you only use services that are free.
Key Decision: One Billing Account or Multiple Billing Accounts?
We recommend creating one central Cloud Billing account that lives in your Organization. For most customers, adding additional billing accounts creates unneeded extra overhead, making them more difficult to track and manage. And multiple billing accounts might not behave in the way you expect with Committed Use Discounts or might cause issues with any promotional credits.
You may need multiple Cloud Billing accounts if you have any of these requirements:
- You need to split charges for legal or accounting reasons.
- You need to pay in multiple currencies.
Key Decision: Pay with Credit or Debit Card or Use Invoiced Billing?
When you first set up a Cloud Billing account using the Google Cloud console, by default, you create a self-serve billing account, connected to a credit or debit card as the payment instrument.
If you have a dedicated Finance or Accounting team, or if you anticipate a large amount of spend when you first start on Google Cloud, you might be better off using invoiced billing. To learn if your organization is eligible for invoiced billing, contact Cloud Billing Support. You must be a billing administrator of your organization's current billing account to apply.
Important Roles
Role: Billing Account Admin. The Billing Account Admin has full control of a billing account: managing payment instruments, linking and unlinking projects, configuring billing exports, viewing spend, and granting billing roles to other users.
Recommended Assignee: This role is typically filled by someone with financial control at your company, for example, a business lead that owns the P&L or a technical team member with budget management responsibility. Importantly, because this role is required to contact Billing Support, you shouldn't use a service account or mailing list as a billing administrator.
Role: Billing User. Billing Users can link projects to the billing account; they can't view cost reports or change the account's payment settings.
Recommended Assignee: This role is usually issued broadly in concert with the Project Creator role. Trusted Project Creators in your organization typically need this role so they can link their projects to a billing account.
Learn more about Billing roles.
Checklist
1. Create the Resource
❑ Create or identify your main Billing Account that you want to use. If you have an invoiced account, this step is already done for you.
2. Configure Access
❑ Grant access to view Billing Reports (the Billing Account Viewer role) to people in finance and other departments and roles where users need to track spend or need to review cost anomalies.
❑ Assign multiple Billing Account Administrators to each Billing Account. You might also consider granting the role at the Organization level.
3. Configure the Resource
❑ Consolidate multiple Billing Accounts into your main Billing Account.
❑ Settle and close any other billing accounts that you no longer intend to use to avoid potential issues in the future.
❑ Review the recommended next steps after you create a Cloud Billing account.
❑ Set up budget alerts with multiple alert thresholds to reduce spending surprises and unexpected cost overruns.
❑ Set up automatic exports of billing data to use for monitoring and analyzing costs. Learn how to export billing data to BigQuery.
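Budgets can publish their state to a Pub/Sub topic, which is how the "programmatic budget notifications" in the Learn More section are driven. The handler below is an added example (not Google's code) of what a subscriber does with such a message: it validates the payload, works out the highest configured threshold that has been crossed, and returns an action. The message layout follows the documented budget notification format (a base64 JSON body with `budgetDisplayName`, `costAmount`, `budgetAmount`, `costIntervalStart` and `currencyCode`, plus `budgetId` and `billingAccountId` attributes); the thresholds, budget names and sample messages are constructed. Two behaviours matter in practice and are handled here: notifications are re-sent at regular intervals for as long as the condition holds, so the handler must be idempotent, and detaching billing from a project stops all of its billable usage, so that action is reserved for the 100% threshold.

```python
import base64
import json

# Constructed policy: fraction of the budget at which to act. Detaching
# billing is destructive, so it is reserved for the 100% threshold.
ACTIONS = {0.5: "notify", 0.9: "notify", 1.0: "detach_billing"}

# Fields every budget notification carries in its JSON data.
REQUIRED = ("budgetDisplayName", "costAmount", "budgetAmount",
            "costIntervalStart", "currencyCode")

# (budgetId, costIntervalStart, threshold) keys already acted on.
_HANDLED = set()


def parse_notification(message):
    """Decode a Pub/Sub message ({"data": base64 JSON, "attributes": {...}})
    into the budget payload, rejecting anything not shaped like one."""
    payload = json.loads(base64.b64decode(message["data"]).decode("utf-8"))
    missing = [k for k in REQUIRED if k not in payload]
    if missing:
        raise ValueError(f"not a budget notification, missing {missing}")
    attrs = message.get("attributes", {})
    payload["budgetId"] = attrs.get("budgetId")
    payload["billingAccountId"] = attrs.get("billingAccountId")
    return payload


def decide(payload, actions=ACTIONS, seen=None):
    """Return the action for the highest threshold crossed that has not yet
    been handled for this budget period, or None.

    Budget notifications repeat while the condition holds, not just once when
    a threshold is crossed, so the (budget, period, threshold) key keeps the
    handler idempotent across redeliveries.
    """
    seen = _HANDLED if seen is None else seen
    budget = float(payload["budgetAmount"])
    if budget <= 0:
        return None
    ratio = float(payload["costAmount"]) / budget
    crossed = [t for t in sorted(actions) if ratio >= t]
    if not crossed:
        return None
    threshold = crossed[-1]
    key = (payload["budgetId"], payload["costIntervalStart"], threshold)
    if key in seen:
        return None
    seen.add(key)
    return {"action": actions[threshold], "threshold": threshold,
            "ratio": round(ratio, 3), "budget": payload["budgetDisplayName"]}


def handle(message, actions=ACTIONS, seen=None):
    """Entry point a Pub/Sub subscriber (for example a Cloud Function) calls."""
    decision = decide(parse_notification(message), actions, seen)
    if decision and decision["action"] == "detach_billing":
        # A real subscriber would call the Cloud Billing API here
        # (projects.updateBillingInfo with an empty billingAccountName) for
        # the projects the budget covers. That stops all billable usage in
        # those projects and needs a Billing Account Admin to undo, which is
        # why it sits behind the 100% threshold and the idempotency check.
        pass
    return decision


def make_message(cost, budget, budget_id="budget-shop-prod",
                 interval="2024-05-01T00:00:00Z"):
    """Build a constructed Pub/Sub message in the documented budget format."""
    data = {
        "budgetDisplayName": "shop-prod monthly",
        "costAmount": cost,
        "costIntervalStart": interval,
        "budgetAmount": budget,
        "budgetAmountType": "SPECIFIED_AMOUNT",
        "currencyCode": "USD",
    }
    crossed = [t for t in sorted(ACTIONS) if budget and cost / budget >= t]
    if crossed:
        data["alertThresholdExceeded"] = crossed[-1]
    return {
        "data": base64.b64encode(json.dumps(data).encode("utf-8")).decode("ascii"),
        "attributes": {"billingAccountId": "01ABCD-234567-89EFGH",
                       "budgetId": budget_id, "schemaVersion": "1.0"},
    }


if __name__ == "__main__":
    for cost in (10, 55, 56, 95, 120, 130):
        print(cost, handle(make_message(cost, 100)))
```

The service account running the subscriber needs the permission to change a project's billing link only if you actually enable the detach action; for a notify-only handler, grant it nothing beyond the Pub/Sub subscription.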
Key Concepts: Billing Export, Billing Reports, and Invoices
Your usage is reported from your Projects to your Billing Accounts and your usage data is made available to you in a variety of ways, all of which can be used to help you understand the full picture of your spend.
- Your invoice tells you what you owe.
- Billing reports tell you why and where your costs came from.
To answer cost questions, we recommend looking at billing reports first.
Billing Export outputs your daily usage estimates to a dataset or file you specify. You can use it to run analysis on your usage data. Billing Export to BigQuery includes an invoice.month field so you can match your exported data to your invoices.
- Late-reported usage might cause your data to not map directly to your invoice; that is, some product usage at the very end of a month may be charged to the next month's invoice.
- Exported billing data doesn't include any tax accrued or credits issued to a billing account.
- You can use Looker Studio to visualize your spend over time.
Billing Reports uses the same data that Billing Export uses, and displays an interactive chart that plots usage costs for all projects linked to a billing account. Use billing reports to get an at-a-glance overview of your usage costs and discover and analyze trends.
- You access billing reports in the Google Cloud console.
- If you have multiple billing accounts, the billing report displays usage costs for one billing account at a time, not aggregated across all billing accounts.
- Depending on your level of access, your view of usage costs may be limited to viewing the costs of certain projects, rather than all of the projects linked to a billing account.
Invoices represent the canonical amount you're billed for each month and provide an exact breakdown of what usage you were billed for. Review your invoice PDF or CSV line items each month and review the Google payments center for credit memos and invoice payments history.
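As an added example (not Google's code) of the analysis the export is meant for, the script below takes rows in the shape of the BigQuery billing export table and reconciles them the way a finance or platform team would: total cost per invoice.month to compare against the invoice, cost per label value (here a constructed `team` label) for attribution, and the rows whose usage month differs from their invoice.month, which is the late-reported usage mentioned above. The rows, project IDs and label values are constructed; only the column names (`project.id`, `usage_start_time`, `invoice.month`, `labels` as key/value pairs, `cost`, `currency`) match the export schema.

```python
from collections import defaultdict

# Constructed rows in the shape of the Cloud Billing export table in BigQuery,
# limited to the columns this example uses. invoice.month is YYYYMM.
ROWS = [
    {"project": {"id": "shop-prod"}, "usage_start_time": "2024-05-03T10:00:00Z",
     "invoice": {"month": "202405"}, "cost": 120.50, "currency": "USD",
     "labels": [{"key": "team", "value": "checkout"}]},
    # Usage from the last hour of May that was reported late and so lands on
    # the June invoice.
    {"project": {"id": "shop-prod"}, "usage_start_time": "2024-05-31T23:40:00Z",
     "invoice": {"month": "202406"}, "cost": 4.25, "currency": "USD",
     "labels": [{"key": "team", "value": "checkout"}]},
    {"project": {"id": "shop-dev"}, "usage_start_time": "2024-05-10T08:00:00Z",
     "invoice": {"month": "202405"}, "cost": 30.00, "currency": "USD",
     "labels": []},
    {"project": {"id": "shop-dev"}, "usage_start_time": "2024-05-12T08:00:00Z",
     "invoice": {"month": "202405"}, "cost": 15.00, "currency": "USD",
     "labels": [{"key": "env", "value": "dev"}, {"key": "team", "value": "search"}]},
]

# Equivalent BigQuery query over a real export table (table name is a placeholder):
#   SELECT invoice.month, l.value AS team, SUM(cost) AS cost
#   FROM `my-project.billing.gcp_billing_export_v1_XXXXXX_XXXXXX_XXXXXX`
#   LEFT JOIN UNNEST(labels) AS l ON l.key = 'team'
#   GROUP BY 1, 2


def label_value(row, key):
    """Value of label `key` on a row, or None when the resource lacks it."""
    for label in row.get("labels", []):
        if label["key"] == key:
            return label["value"]
    return None


def cost_by_invoice_month(rows):
    """Total cost per invoice.month; this is the figure to check against the invoice."""
    totals = defaultdict(float)
    for row in rows:
        totals[row["invoice"]["month"]] += row["cost"]
    return {month: round(v, 2) for month, v in sorted(totals.items())}


def cost_by_label(rows, key, month=None):
    """Cost per value of label `key`, optionally for one invoice month.
    Rows without the label are bucketed as "(unlabeled)" so attribution gaps
    are visible rather than silently dropped."""
    totals = defaultdict(float)
    for row in rows:
        if month and row["invoice"]["month"] != month:
            continue
        totals[label_value(row, key) or "(unlabeled)"] += row["cost"]
    return {value: round(v, 2) for value, v in sorted(totals.items())}


def late_reported(rows):
    """Rows whose usage month is not the month of the invoice they appear on."""
    return [row for row in rows
            if row["usage_start_time"][:7].replace("-", "") != row["invoice"]["month"]]


if __name__ == "__main__":
    print("per invoice month:", cost_by_invoice_month(ROWS))
    print("per team, May invoice:", cost_by_label(ROWS, "team", "202405"))
    print("late-reported rows:", [(r["project"]["id"], r["cost"]) for r in late_reported(ROWS)])
```

The "(unlabeled)" bucket is the number to watch when you roll out labels for cost attribution: if it stays large, the labelling policy is not being applied, and any per-team chargeback built on the export will be wrong.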
Google payments Profiles and Accounts
Your business is represented by a Google payments profile, and you pay for Google services using the payment methods that are attached to that profile. The payments profile is a Google-level resource managed at payments.google.com and is linked to a Cloud Billing account.
Warning: The payments profile is not a Google Cloud resource. It's managed with separate roles and permissions and is not governed by your Google Cloud organization; your IAM roles don't apply. For Google payments profiles, you can add and remove users or change permissions in the Google payments center.
Key Decision: Use One or Multiple Google payments profiles?
Similar to Cloud Billing accounts, for administrative purposes, fewer payments profiles are generally recommended. For most customers, creating additional payments profiles adds more overhead and exposure to potential issues.
You might want to create multiple payments profiles if:
- You want separate personal and business payments profiles tied to your Google Account.
- You want to manage payments profiles for more than one business or organization.
- You want payments profiles in multiple countries. You might have to create a new profile when changing countries.
Your Cloud Billing accounts need to be linked to an appropriate Google payments profile.
Important Roles
Role: Google payments profile Admin. The payments profile Admin can edit the profile's addresses, payment methods and tax information, manage the profile's users and their permissions, and view invoices and payment history.
Recommended Assignee: The Google payments profile Admins in your organization are typically part of your Finance or Accounting teams.
Role: Google payments profile Read access. A user with Read access can view the profile and its documents and receive email notifications, but can't change anything.
Recommended Assignee: Assign Read access to users who just need to receive email notifications (for invoices).
Learn more about Google payments profile user permissions.
Checklist
1. Create the Resource
❑ Create a Business type payments profile for use with Google Cloud. If an invoiced Cloud Billing account was created for you, this step is already done for you. If you're setting up a Cloud Billing account online, you'll create (or select) a Google payments profile as part of the billing-account-creation process.
2. Configure Access
❑ Assign more than one Google payments profile Admin to be in charge of editing information like addresses, payment methods, tax information, and other account settings.
❑ For invoiced billing, assign multiple invoice delivery addresses, both for email delivery and for paper invoice delivery, to ensure that you're always aware of when a new invoice has been sent out.
❑ For electronic notifications and monthly statements, add users and set their email preferences to receive documents and notices.
3. Configure the Resource
❑ Regularly review the information on your Google payments profile to ensure it's up to date, especially physical and email addresses, payments users, and payment instruments.
❑ If not on invoiced billing:
❑ For invoiced billing:
Projects, Folders, and Labels
Projects, folders, and labels help you create logical groupings of resources that support your management and cost attribution requirements.
Overview
Projects are:
- Required to use resources (such as Compute Engine virtual machines, Pub/Sub topics, and Cloud Storage buckets)
- The base-level organizing entity in Google Cloud – all service-level resources are parented by projects
- Used to form the basis for enabling services, APIs, and IAM permissions
Folders are:
- A grouping mechanism for projects and can contain both projects and other folders
- Used to group resources that share common IAM policies
- Mapped under an Organization node (you must have an Organization node to use folders)
Labels are:
- Used to categorize your Google Cloud resources (such as Compute Engine instances)
- Key-value pairs you attach to resources, letting you filter resources based on their labels
- Great for cost tracking at a granular-level because they're forwarded to the billing system so you can analyze your charges by label
Key Decision: Folders and Projects Strategy
Projects are required. Folders are optional, but recommended.
Why use projects? Projects are the basic organizing entity in Google Cloud. Projects are required to use service-level resources, such as Compute Engine and Cloud Storage. Service-level resources inherit project settings and permissions. You might need to create multiple projects, depending on the number of products or services you're running on Google Cloud. You'll want to define a meaningful naming strategy for your projects so you can easily identify them. For more details about projects, see Creating and managing projects.
Why use folders? Folders group projects, centrally applying consistent policies and permissions across them. You might want to group your resources together logically using folders, depending on the number of people and teams you have who will be using Google Cloud, and the number of products and services you'll be running on Google Cloud. For example, you could set up separate folders for development, staging, and production projects for a service. Or, you might choose to spread the projects and services across folders that reflect different environments. You could use folders to organize your projects by departments within your company. One benefit of using folders is you can enforce different IAM policies on each folder. For more details about using folders, see Creating and managing folders.
Why use labels? Labels annotate resources within and across projects. Depending on your cost tracking requirements, you might want to apply labels to resources to identify them by what they are, what they do, or what team they're related to. For example, you might label all of your Compute Engine instances that are HTTP servers, or label all of the components that are related to your database service. For more details about using labels, see Creating and Managing Labels.
Important Roles
Role: Project Creator. The Project Creator role lets you create Projects and inherently lets resources be spun up on Google Cloud and incur usage.
Recommended Assignee: Project Creators in your organization might be team leads or service accounts (for automation).
Role: Project Owner and User. The Project Owner and User roles let you see costs and usage in a project and label resources.
Recommended Assignee: Project owners and users in your organization might be team leads or developers.
Learn more about Project roles.
Role: Folder Administrator. The Folder Administrator can create folders and edit the IAM policy of folders. They decide how roles are inherited by Projects in the folders.
Recommended Assignee: The Folder Administrator manages finer access control, and is typically a department head or team manager.
Learn more about Folder roles.
Checklist
1. Create the Resource
❑ Create Projects to group resources together that share a common goal, theme, or purpose. If a product or service needs to use multiple Google Cloud resources, like Compute and Storage, use Projects to group them together.
❑ Name Projects meaningfully. Decide on a strategy for naming your projects. For example, you could name your project to reflect the service and the collection of resources it contains, such as productname-prod. The project name is a human-readable way to identify your projects. The project ID is globally unique; by default it's generated from the project name you enter when you create the project in the Google Cloud Console, and you can edit it at creation time but not afterward, so settle on the naming strategy before you create projects.
❑ Set up folders to mirror the way you work in your organization and on your infrastructure.
2. Configure Access
❑ Use Folders to specify IAM permissions for teams, products, services, or environments.
❑ Set project-level IAM permissions as needed (if you aren't using folders or need another level of granularity).
3. Configure the Resource
❑ Place a lien on critical projects. To prevent projects from being accidentally deleted, add protections against project deletion with liens. You can place a lien upon a project to block the project's deletion until you remove the lien. This can be useful to protect important projects.
❑ Use Labels to further categorize your resources. You can use labels to tag resources cross-Project and cross-Folder. Each resource can be tagged with multiple labels. Information about labels is forwarded to the billing system and picked up in Billing Export so they're useful in cost reporting and analysis.
❑ Decide whether or not you'll be purchasing Committed Use Discounts (CUDs) for your Projects and understand how Sustained Use Discounts (SUDs) apply to your Compute Engine resources and bills.
❑ If needed, review how quotas work and request a quota increase.
❑ If needed, enable APIs for your projects. Enabling an API associates it with the current project, adds monitoring pages, and enables billing for that API if billing is enabled for the project.
Learn More
Cloud OnAir: Getting Started with Google Cloud Cost Management
To maximize the move to Google Cloud, organizations need a clear understanding of their Google Cloud costs. During this webinar, we'll share best practices for how to get started with managing your Google Cloud costs and usage. We'll demo how to set up billing accounts, organizations, projects, basic permissions, and budgets. We'll also introduce Billing reports to help you understand your current cost trends and forecast your spend at month-end so that you can prevent budget overruns.
Organizing Your Resources for Cost Management on Google Cloud (Cloud Next '19)
How much do all of my front-end servers cost? How many resources are used in my staging environment? How do I understand and optimize my spending across departments? Google Cloud tools such as organizations, folders, projects, and labels help you create logical groupings of resources that support your management and cost attribution requirements at scale. In this session, you'll learn how to use these tools to take control of your costs, whether you're a solo developer or a multinational corporation.
Establishing Financial Governance Controls on Google Cloud (Cloud Next '19)
Planning for cloud spend is a critical step in understanding if you're in control. During this session, you'll learn how to put proactive and reactive financial governance controls in place, including budgets, quotas, and permissions. In addition, we'll demo how to use programmatic budget notifications to take automated actions to throttle or cap your cloud usage and costs.
Creating Interactive Cost and KPI Dashboards Using BigQuery (Cloud Next '19)
Want more granular insight into your cloud costs, usage, and overall spend per KPI? During this session, you'll learn how to export billing data using BigQuery, write advanced billing and KPI-related queries, share custom views with internal stakeholders, and build detailed dashboards in Looker Studio and Elastic to better understand your cost drivers. PerimeterX will join us on stage to speak to exactly how they use this functionality as a customer to tie their Google Cloud costs to key business metrics.
Monitoring and Controlling Your Google Cloud Costs (Cloud Next '19)
Managing Google Cloud usage and cost trends is easier than you think. In this session, you'll learn how to quickly view your Google Cloud costs, forecast your month-end bill, and provide an overview of some of the controls you can put in place to prevent budget overruns. In addition, we'll provide a live demo of how to set up custom dashboards to further analyze your billing data.
Saving Even More Money on Compute Engine (Cloud Next '19)
In the time since Next '18's Saving More Money on Compute Engine, a lot has changed, but customers like you are still looking to control costs and get the most capability out of every cloud dollar. In this talk, you'll learn about the latest products and techniques for optimizing your usage to get the most compute for the lowest bill.