Google Cloud setup checklist

This checklist helps you set up Google Cloud for scalable, production-ready enterprise workloads. The checklist is designed for administrators who are trusted with complete control over the company's Google Cloud resources.

The checklist consists of 10 tasks that have step-by-step procedures. Some tasks can be accomplished multiple ways; in general, we describe the way that will be helpful to the largest number of users. As you go through the checklist, take into account your own business needs. If you make choices that differ from what we've recommended, keep track of those differences for later tasks in the checklist.

Click a checklist item to see the detailed steps for that item.

Checklist

Set up or confirm an identity account

You must use Cloud Identity or Google Workspace to centrally manage Google Cloud and create the organization resource that is required to perform many actions in the checklist. To enable employees to use their existing identity with Google Cloud, you must federate Cloud Identity or Google Workspace with your external identity provider.

In this task, you create an identity that you can use to work in Google Cloud using Google Workspace, Cloud Identity, or a combination of the two:

If you are a Google Workspace customer (that is, your company has corporate Gmail and other Google services), your Google Workspace user license lets you manage your Google Cloud resources.
If you are not a Google Workspace customer, you may use Cloud Identity, which is an identity as a service (IDaaS) solution for centrally creating and managing the users and groups who can access your cloud resources. (In a later task, you configure the resources that those users and groups can access.)
Cloud Identity may be used with Google Workspace to provide licenses for users who do not require the more robust and costly features of Google Workspace.

You can also let employees use their existing identity and credentials to sign in to Google services by federating a Cloud Identity or Google Workspace account with an external identity provider (IdP).

You can learn about Google Workspace and Cloud Identity.

Each Google Workspace or Cloud Identity account is associated with exactly one organization. An organization is associated with exactly one domain, which is set when the organization resource is created. You must use an organization resource in Cloud Console to perform tasks later in this checklist.

The following section provides instructions for setting up both identity services.

Who performs this task

This task requires multiple people:

A person who will act as the identity administrator for Google Cloud for your company. You can give this access to a group of people later. If your company already uses a paid Google Workspace service, a person with Google Workspace Super Admin access must perform this step.
A person with access to the company's domain host, to see and edit domain settings such as DNS configurations.

What you do

If you are a new customer, sign up for a Cloud Identity account, and verify your company's domain.
If you are a Google Workspace customer, you can optionally enable Cloud Identity, and disable automatic Google Workspace licensing.

Why we recommend this task

You need either a Cloud Identity or a Google Workspace account in order to:

Manage users and groups to control access to your cloud resources.
Establish a Google Cloud organization.
Create organizational controls and structure.

If you use Google Workspace, but some of your users don't need its robust features, you can save costs by providing these users with licenses via Cloud Identity.

Set up or confirm an identity account

New customers

Cloud Identity provides a paid, Premium edition as well as a free tier with a subset of Premium features. To compare the editions, see Compare Cloud Identity features and editions. This checklist shows steps for the free edition, but you can choose to upgrade to the Premium edition at any time.

To complete this process, the domain that you want to use needs to be registered, and you need access to your domain settings through your domain host.

Create your Cloud Identity account and first admin user.

This starts a multi-page process where you specify your user and company information. In the last step of the process, provide a username. Cloud Identity adds <username>@<your-domain>.com as a Super Admin for Cloud Identity. Super Admin accounts can manage all aspects of your organization's account.

When it asks you how you'll sign in, we recommend that you use the username admin-[user] (for example, admin-maria).
Verify your domain. If you run into issues, see the Troubleshooting section.

When you're prompted to add users to your account, skip that process because you add users later on. To skip this step:
1. Click the Create users button.
2. Select the I have finished adding users for now checkbox, and then click the Next button.
3. Click the Continue to Cloud Console button.

By default, the free edition of Cloud Identity provides 50 user licenses. This checklist requires you to set up 4 users. You can view existing licenses at the Google Admin console Billing page. If you need additional free licenses, you can request them by completing the following steps:

Sign in to Google Admin console with the Super Admin account that was created in the preceding procedure.
Go to the Your Cloud Identity free edition user cap page and follow the instructions for increasing the number of available licenses.

Google Workspace customers

To set up Cloud Identity for existing Google Workspace accounts:

Enable Cloud Identity.
Disable automatic Google Workspace licensing. After you enable Cloud Identity, by default, all new users you add to your organization automatically become users of the free edition of Cloud Identity. If you don't disable automatic Google Workspace licensing, new users also receive a paid Google Workspace license. You can still add paid Google Workspace user accounts after completing this step.

By default, you receive 50 licenses for the free edition of Cloud Identity. This checklist requires you to set up 4 users. You can view existing licenses at the Google Admin console Billing page. If you need additional free licenses, you can request them by completing the following steps:

Sign in to Google Admin console with the admin email address that was created in the previous procedure.
Visit the Your Cloud Identity free edition user cap page and follow the instructions for increasing the number of available licenses.

Troubleshooting

Unable to sign up my domain for a Google service

For more information about common problems and solutions, see Can't sign up my domain for a Google service.

The Google account already exists

See 'Google Account already exists' error for a workaround.

Add users and groups to your identity account

For this task, you create managed Google accounts for your administrator users.

Who performs this task

A person that will act as the identity administrator for Google Cloud for your company.

What you do

Add users to your Cloud Identity account who will participate in the checklist tasks.
Create a set of Google Groups.
Add users to the Google Groups who will participate in the checklist tasks.

Why we recommend this task

Creating these user accounts and Google Groups are a requirement for assigning Identity and Access Management (IAM) roles in order to control access later.

Add initial users

For the purpose of this onboarding checklist, we recommend that you initially add users who will participate in the checklist tasks, such as administrators and decision makers involved with cloud setup practices. You can continue the rest of the checklist without adding all users. You create groups of users later in this task. After you've finished this checklist, you can scale to a larger number of users using one of the tools we will describe later.

Sign in to Google Admin console using the Super Admin account that was created when a Cloud Identity account was set up in task 1.
Add users using one of the following options:
- Add several users at once.
- Add users individually.

Create Google Groups

Next, you create a set of Google Groups. Google Groups enable you to quickly assign permissions to a group of Cloud Identity or Google Workspace users. You set permissions for the groups later in this checklist.

We recommend that you initially create the following Google Groups:

gcp-organization-admins
gcp-network-admins
gcp-security-admins
gcp-billing-admins
gcp-devops
gcp-developers

These groups will be essential in the setup process later when you start adding Google Cloud access permissions. For more information why we recommend these groups, see the Best practices for enterprise organizations guide.

Open the Ways to create groups topic, select In the Admin console, and follow the instructions to create each of the recommended Google Groups.
Add users to each Google Group. To be able to complete this checklist, you must add at least one user to each of the following groups:
- gcp-organization-admins
- gcp-network-admins
- gcp-billing-admins
- gcp-devops
Note: We recommend assigning at least two people to these administrative groups. Having multiple people in a group avoids having only a single point of contact for the group.

Assess existing consumer accounts

Assess whether some of your organization's employees are currently using consumer accounts to access Google services, and decide whether you want to migrate them to Cloud Identity or Google Workspace.

Automate user provisioning and enable single sign-on

If your organization already uses an identity provider such as Active Directory, Azure AD, Okta, or Ping Identity, then you can integrate Google Cloud with this external IdP by using federation:

Federate Cloud Identity with Active Directory to automatically provision users and enable single sign-on.
Integrate with Azure Active Directory.
Create a custom solution by using the Google Workspace Admin SDK.

Set up administrator access to your organization

In this task you set up administrator access for your organization, which gives the administrators central visibility and control over every cloud resource that belongs to your organization.

Who performs this task

If your company already uses a paid Google Workspace service, a person with Google Workspace Super Admin access must perform this step. If not, use the Cloud Identity account that was created in task 2.

What you do

Verify that your organization was created.
Assign administrative roles to the gcp-organization-admins@<your-domain>.com group that was created in task 2.
Add administrative permissions to yourself, and to other administrators in your organization, so that you can perform later tasks in the checklist.

Why we recommend this task

For security reasons, you must explicitly define all administrative roles for your organization.

Verify that your organization was created

Log in to the Cloud Console using either your Google Workspace super administrator account, or using the Cloud Identity Super Admin account that you set up in task 1.
Go to the Identity & Organization page to finish creating the organization. After you go to the link, you might need to wait a few minutes for the process to complete.
Make sure that your organization name appears in the Select an organization list. It can take a few minutes for your organization to be created from the steps in task 1. If you don't see the organization name, wait a few minutes and then refresh the page.

Set up administrator access

Next, you assign administrative roles to the gcp-organization-admins@<your-domain>.com group that was created in task 2.

Complete the steps at Grant access, with the following changes:
- After you open the IAM page in the Cloud Console, make sure that your organization name is selected in the organization list at the top of the page.
- When you're asked to enter an email address, use gcp-organization-admins@<your-domain>.com.
- When you're asked to select a role, select Resource Manager > Organization Administrator.
After you've added the first role, click Add another role and then add the following additional roles for the gcp-organization-admins@<your-domain>.com member:
- Resource Manager > Folder Admin
- Resource Manager > Project Creator
- Billing > Billing Account User
- Roles > Organization Role Administrator
- Organization Policy > Organization Policy Administrator
- Security Center > Security Center Admin
- Support > Support Account Administrator
When you're done adding roles, click Save.

Set up billing

In this task, you set up a billing account to pay for Google Cloud resources, and you set administrator access for your billing accounts.

Who performs this task

This task requires multiple people:

A person in the gcp-organization-admins@<your-domain>.com group that was created in task 2.
A person in the gcp-billing-admins@<your-domain>.com group that was created in task 2.

What you do

Assign administrative access to the gcp-billing-admins@<your-domain>.com group that was created in task 2.
Set up a billing account and a payment method.

Why we recommend this task

A Cloud Billing account is required to use Google Cloud products. Cloud Billing accounts are linked to one or more Google Cloud projects and are used to pay for the resources you use, such as virtual machines, networking, and storage. IAM roles control access to Cloud Billing accounts.

Set up administrator access

Team members who are assigned the Billing Account Administrator IAM role can complete tasks such as managing payments and invoices, setting budgets, and associating projects with billing accounts. The role does not give team members permission to view the contents of the projects.

Make sure that you're logged in to the Cloud Console as a user in the gcp-organization-admins Google Group that was created in task 2.
Complete the steps at Grant access, with the following changes:
- When you're asked to enter an email address, use gcp-billing-admins@<your-domain>.com.
- When you're asked to select a role, select Billing > Billing Account Administrator.
- After you've added the first role, click Add another role and then add the following additional roles for the gcp-billing-admins@<your-domain>.com member:
  - Billing > Billing Account Creator
  - Resource Manager > Organization Viewer

Set up the billing account

Next, you set up a Cloud Billing account. There are two types of billing accounts:

Self-serve. You sign up online using a credit or debit card, or ACH direct debit. Costs are charged automatically.
Invoiced. You pay by check or wire transfer. Invoices are sent by mail or electronically.

When you sign up online for a billing account, your account is automatically set up as a self-serve type of account. You cannot sign up online for an invoiced type of account, rather, you must apply for invoiced billing. For more information, see Billing account types.

Self-serve accounts

Log in to the Cloud Console as a user in the gcp-billing-admins Google Group that was created in task 2.
Create a new billing account.
To verify that the billing account was created, go to the Billing page, and then select your organization in the Select an organization list. If the billing account was successful, you see it in the billing account list.

Invoiced accounts

Contact your Google sales representative to request an invoiced account. Your sales representative will submit a request on your behalf.

Learn more about how to apply for monthly invoiced billing, including eligibility requirements for invoiced billing accounts.
Wait to receive email confirmation. This process can take up to 5 business days.
To verify that the invoiced billing account was created, go to the Billing page, and then select your organization in the Select an organization list. If the invoiced billing account is available, you see it in the billing account list.

After you set up the billing account

To monitor your costs and avoid surprises on your bill, after you have set up your Cloud Billing account, we recommend you implement the following billing best practices for each billing account:

For a detailed discussion of billing best practices, see the Billing and management section in Best practices for enterprise organizations.

Set up the resource hierarchy

In this task, you create a basic structure for folders and projects in your resource hierarchy:

Folders provide a grouping mechanism and isolation boundaries between projects. For example, they can represent the main departments in your organization such as finance or retail, or environments such as production versus non-production.
Projects contain your cloud resources, such as virtual machines, databases, and storage buckets. For best practices related to projects, see Specify your project structure.

You can set IAM policies to control access at different levels of the resource hierarchy. You will set these policies as a later task in this checklist.

Who performs this task

A person in the gcp-organization-admins@<your-domain>.com group that was created in task 2.

What you do

Create the initial hierarchy structure with folders and projects.

Why we recommend this task

Creating the structure is a requirement for a later task where you set IAM policies in order to control access at different levels of the resource hierarchy.

Resource hierarchy diagram

There are many ways to create your resource hierarchy. The following diagram shows a typical example.

Sample resource hierarchy

In the example, the organization resource hierarchy contains three levels of folders:

Environment (non-production and production). By isolating environments from each other, you can better control access to production environments and avoid non-production changes accidentally impacting production.
Business units. In the diagram, these are represented by Dept X and Dept Y, which might be business units such as Engineering and Marketing, and a Shared folder that has projects that contain resources shared across the hierarchy, such as networking, logging, and monitoring.
Teams. In the diagram, these are represented by Team A, Team B, and Team C, which might be teams like Development, Data Science, QA, and so on.

Create the initial resource hierarchy

In these checklist steps, you create basic folders and projects for your initial setup, as shown in the following diagram. These folders and projects are used in the remaining tasks of the checklist. Later on, you can build on this hierarchy to mirror your organization and customize it to your company's needs as you grow your workloads on Google Cloud.

Initial resource hierarchy

Make sure that you're logged in to the Cloud Console as a user in the gcp-organization-admins Google Group that was created in task 2.
Create folders. Follow the procedure four times to create the following folders:
1. Production
2. Non-Production
3. Shared, using Production as a parent folder
4. Shared, using Non-Production as a parent folder

Next, you create projects. Following the principle of separating production and non-production environments, for this checklist you need to create the following projects:

example-vpc-host-nonprod. This project is used to help connect non-production resources from multiple projects to a common VPC network.
example-vpc-host-prod. This project is used to help connect production resources from multiple projects to a common VPC network.
example-monitoring-nonprod. This project is used to host non-production monitoring resources.
example-monitoring-prod. This project is used to host production monitoring resources.
example-logging-nonprod. This project is used to host exported log data from your non-production environment.
example-logging-prod. This project is used to host exported log data from your production environment.

Project names are limited to 30 characters. Typically, you would use your own company name in place of example, as long as you can do so within the 30-character limit. When you create projects in the resource hierarchy in the future, we recommend using a naming convention such as <business unit name>-<team name>-<application name>-<environment>, according to the resource hierarchy of your organization.

To create the projects:

In the Cloud Console, go to the Manage resources page:
Go to the Manage resources page
Click Create Project.
In the New Project window, enter one of the project names listed earlier.
If you're prompted to select a billing account, select the billing account you want to use for this checklist.
For Location, click Browse and then set the location as follows:
- If the name of the project you're creating ends with prod, select Production > Shared.
- If the name of the project you're creating ends with nonprod, select Non-Production > Shared.
Click Create.
Repeat steps 2 through 6 for each of the recommended projects.

Set up access control for your resource hierarchy

In this task, you set up access control for your resource hierarchy by adding IAM policies to the resources. An IAM policy is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

To set permissions, you perform the same basic procedure, but you do it for resources at different levels of the hierarchy (organization, folders, and projects). We recommend that you use the principle of least privilege and grant the least amount of access that's necessary to resources in each level. The roles that we recommend in the following procedures help you enforce the principle of least privilege.

Who performs this task

A person in the gcp-organization-admins@<your-domain>.com group that was created in task 2.

What you do

Set IAM policies on the organization, folder, and project level.

Why we recommend this task

Setting IAM policies across your resource hierarchy lets you scalably control access to your cloud resources.

Set IAM policies at the organization level

Policies that you set at the organization level apply to all folders and projects in the organization. The following table lists the members and the roles that you assign to them at the organization level. The steps for how to perform this procedure are listed after the table.

Member	Roles to grant
`gcp-network-admins@<your-domain>.com`	Compute Engine > Compute Network Admin. This grants permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. Compute Engine > Compute Shared VPC Admin. This grants permissions to administer Shared VPC host projects. Compute Engine > Compute Security Admin. This grants permissions to create, modify, and delete firewall rules and SSL certificates. Resource Manager > Folder Viewer. This grants permissions to view folders.
`gcp-security-admins@<your-domain>.com`	Organization Policy > Organization Policy Admin. This grants permissions to set organization-level IAM policies. Organization Policy > Organization Policy Viewer. This grants permissions to view the IAM policies that apply to the organization. IAM > Security Reviewer. This grants permissions to view all resources for the organization, and to view the IAM policies that apply to them. Roles > Organization Role Viewer. This grants permissions to view all custom IAM roles in the organization, and to view the projects that they apply to. Security Center > Security Center Admin. This grants administrator access to the security command center. Resource Manager > Folder IAM Admin. This grants permissions to set folder-level IAM policies. Logging > Private Logs Viewer. This grants read-only access to Cloud Logging features, including the ability to read private logs. Logging > Logs Configuration Writer. This grants permissions to create logs-based metrics and export sinks. Kubernetes Engine > Kubernetes Engine Viewer. This grants read-only access to Google Kubernetes Engine resources. Compute Engine > Compute Viewer. This grants read-only access to Compute Engine resources. BigQuery > BigQuery Data Viewer. This grants permissions for BigQuery datasets.
`gcp-devops@<your-domain>.com`	Resource Manager > Folder Viewer. This grants permissions to view folders.

Make sure that you're logged in to the Cloud Console as a user in the gcp-organization-admins Google Group that was created in task 2.
Go to the Manage resources page in the Cloud Console:
Go to the Manage resources page
Select your organization from the organization tree grid.
If the Info Panel pane on the right is hidden, click Show Info Panel in the top right corner.
Select the checkbox for the organization.
In the Info Panel pane, in the Permissions tab, click Add Member.
In the New members field, enter the name of a member from the table. For example, start by entering gcp-network-admins@<your-domain>.com, as listed in the preceding table.
In the Select a role list, select the first role for that member as listed in the table. For example, for the first member, the first role that you select is Compute Engine > Compute Network Admin.
Click Add another role, and then add the next role for that member.
Add the next role for that member.
When you've added all the roles for a member, click Save.
Repeat step 2 through 7 for the other members listed in the table.

Set IAM policies at the folder level

Policies set on the folder level also apply to projects in the folders. The procedure is similar to what you did for your organization, except that you select a different level in the hierarchy.

Clear the checkbox for the organization and for any other resource that is selected.
Select the checkbox for the Production folder.
In the Info Panel pane, in the Permissions tab, click Add Member.
In the New members field, enter gcp-devops@<your-domain>.com.
Using the same steps you used for adding roles to organization members, add the following roles to the gcp-devops@<your-domain>.com member:
- Logging > Logging Admin. This grants full permissions to Cloud Logging.
- Error Reporting > Error Reporting Admin. This grants full permissions to error reporting data.
- Service Management > Quota Administrator. This grants access to administer service quotas.
- Monitoring > Monitoring Admin. This grants full permissions to monitoring data.
- Compute Engine > Compute Admin. This grants full permissions to Compute Engine resources.
- Kubernetes Engine > Kubernetes Engine Admin. This grants full permissions to Google Kubernetes Engine container clusters.
When you've finished adding roles, click Save.
Clear the checkbox for the Production folder.
Select the checkbox for the Non-Production folder.
Add gcp-developers@<your-domain>.com as a new member.
Assign the following IAM roles to the gcp-developers@<your-domain>.com member:
- Compute Engine > Compute Admin. This grants full permissions to Compute Engine resources.
- Kubernetes Engine > Kubernetes Engine Admin. This grants full permissions to Google Kubernetes Engine container clusters.

Set IAM policies at the project level

Policies that you set at the project level apply only to the projects they are applied to. This lets you set fine-grained permissions for individual projects.

Clear the checkbox for any folders and for any other resource that has been selected.
Select the checkboxes for the following projects:
- example-vpc-host-nonprod
- example-vpc-host-prod
Add gcp-network-admins@<your-domain>.com as a member.
Assign the following role to the gcp-network-admins@<your-domain>.com member:
- Project > Owner. This grants full permissions to all resources in the selected projects.
Click Save.
Clear the checkboxes for the selected projects.
Select the checkboxes for the following projects:
- example-monitoring-nonprod
- example-monitoring-prod
- example-logging-nonprod
- example-logging-prod
Add gcp-devops@<your-domain>.com as a new member.
Assign the following role to the gcp-devops@<your-domain>.com member:
- Project > Owner. This grants full permissions to all resources in the selected projects.
Click Save.

Set up support

In this task, you can choose a support option.

Who performs this task

A person in the gcp-organization-admins@<your-domain>.com group that was created in task 2.

What you do

Choose a support plan based on your company's needs.

Why we recommend this task

A premium support plan provides you with business-critical support to quickly resolve issues with help from experts at Google.

Choose a support option

Every Google Cloud customer automatically gets free support that includes support product documentation, community support, and support for billing issues. However, we recommend that enterprise customers sign up for a premium support plan, which offers one-on-one technical support with Google support engineers. For more information, you can compare support plans.

Read about the support plans and decide which plan you want. You set up the support plan in a later step. If you decide to stay with free support options, you can continue to the next task.
Make sure that you're logged in to the Cloud Console as a user in the gcp-organization-admins Google Group that was created in task 2.
Set up the support plan.
- To request Premium Support, contact your Google sales representative. If you don't have a representative, contact sales.
- To enable Role-Based Support, go to the Enable Role-Based Support page in Google Cloud Console and follow the on-screen prompts to complete the required steps.
  Go to the Enable Role-Based Support page
Follow the instructions at Support user roles to assign the Support User and Org Viewer roles to each user who needs to interact with Google Cloud Support.

Set up your networking configuration

In this task, you set up your initial networking configuration. Typically, you need to do the following:

Design, create, and configure a virtual private cloud architecture.
If you have on-premises networking, or networking in another cloud provider, configure connectivity between that provider and Google Cloud.
Set up a path for external egress traffic.
Implement network security controls, such as firewall rules.
Choose a preferred ingress traffic option for services that are hosted on the cloud.

This task shows you an example for item 1 as a basis for your own virtual private cloud architecture.

The remaining items—external connectivity, egress traffic configuration, implementing firewall rules, and choosing an ingress option—are dependent on your business needs. Therefore, we don't cover those in this checklist. However, we provide links to additional information for these items.

Who performs this task

A person in the gcp-network-admins@<your-domain>.com group that was created in task 2.

What you do

Set up an initial networking configuration.

Create Shared VPC networks
Configure connectivity between the external provider and Google Cloud
Set up a path for external egress traffic
Implement network security controls
Choose an ingress traffic option

Why we recommend this task

Shared VPC allows separate teams to connect to a common, centrally-managed VPC network from multiple distinct products.
Configuring hybrid connectivity allows seamless migration of applications to Google Cloud while still connecting to service dependencies.
Designing secure ingress and egress pathways from the start enables your teams to productively work in Google Cloud without compromising security.

Virtual private cloud architecture

Google offers Virtual Private Cloud (VPC), which provides networking functionality to your Google Cloud resources such as Compute Engine virtual machine instances, GKE containers, and App Engine flexible environment. The following diagram shows a basic multi-regional architecture:

Sample resource hierarchy

This architecture has two Shared VPC host projects. One host project is for your production environment, and the other is for your non-production environment. Shared VPC allows organizations to connect resources from multiple projects to a common VPC network, so that the resources can communicate with each other more securely and efficiently using internal IP addresses from that network.

A Shared VPC host project contains one or more Shared VPC networks. In this architecture, each Shared VPC network (both production and non-production) contains public and private subnets across two regions (in this case, us-east1 and us-west1):

The public subnet can be used for instances that are internet-facing to provide external connectivity.
The private subnet can be used for instances that are solely internal-facing and should not be allocated public IP addresses.

The architecture that's shown in the preceding diagram uses example names for various resources. For your own setup, you might change elements of the name, such as your company (example in the example names) and the region you're using (us-east1 and us-west1 in the examples).

Create the Shared VPC networks

In the project selector page, select example-vpc-host-nonprod:
Go to the project selector page
Follow the instructions at Deleting a network to delete the VPC network named default.
Follow the instructions to Create a custom mode network using the following values:
1. For Name, enter example-shared-vpc-nonprod-1.
2. For the New subnet section parameters:
  - For Name, enter example-nonprod-us-east1-subnet-public.
  - For IP address range, enter 10.1.0.0/24 (as long as that IP address does not conflict with existing network IP range and is sufficient to meet your hosting requirements.
  - For Private Google access, select On to enable VMs to communicate with Google APIs without an external IP address.
3. Choose Add subnet, and follow the instructions for adding the following subnet names:
  - example-nonprod-us-east1-subnet-private
    IP address range: 10.2.0.0/24
  - example-nonprod-us-west1-subnet-public
    IP address range: 10.3.0.0/24
  - example-nonprod-us-west1-subnet-private
    IP address range: 10.4.0.0/24
Enable the Shared VPC host project, using the following values:
1. For the project, select example-vpc-host-nonprod.
2. Under Select subnets, click Individual subnets (subnet-level permissions) and select all of the non-production subnets that you created earlier.
3. In Attach service projects, attach all of the remaining monitoring and logging non-production projects.
In the project selector page, select example-vpc-host-prod:

Go to the project selector page
Repeat steps 2 through 4 for the production environment. Make sure that you select all of the previously created production subnets.

Configure connectivity between the external provider and Google Cloud

If you have on-premises networking, or networking in another cloud provider, you can set up Cloud VPN, a service that helps securely connect your peer network to your Google Cloud VPC network through an IPSec VPN connection. Cloud VPN is suitable for speeds up to 3.0 Gbps. If you need higher bandwidth to connect your on-premises system to Google Cloud, see Partner Interconnect and Dedicated Interconnect.

To create a VPN connection, follow the instructions at Creating a gateway and tunnel for both the production and non-production Shared VPC networks that was created in the previous procedure.

Set up a path for external egress traffic

You use Cloud NAT to allow your VMs to connect to the internet without using external IP addresses. Cloud NAT is a regional resource. You can configure it to allow traffic from all primary and secondary IP ranges of subnets in a region, or you can configure it to apply to only some of those ranges.

Follow the instructions at Create NAT for all regions in the Shared VPC networks that was created in the previous procedure for both production and non-production networks.

Implement network security controls

Firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration that you specify. Follow the instructions at Using firewall rules to configure these controls for both production and non-production Shared VPC networks that was created in the previous procedure.

Choose an ingress traffic option

Cloud Load Balancing gives you the ability to distribute compute resources in single or multiple regions. This lets you meet your high-availability requirements both for incoming external traffic and for traffic within your VPC network. As you plan your application architecture on Google Cloud, review Choosing a Load Balancer to decide which types of load balancers you need.

Set up logging and monitoring

In this task, you set up basic logging and monitoring features using Cloud Logging and Cloud Monitoring.

Who performs this task

A person in the gcp-devops@<your-domain>.com group that was created in task 2.

What you do

Set up basic logging and monitoring features using Cloud Logging and Cloud Monitoring.

Why we recommend this task

Comprehensive logging and monitoring is key to maintaining observability in your cloud environment. Configuring appropriate logging retention from the start allows you to build and have confidence that an audit trail is preserved, while setting up centralized monitoring will give your team a central dashboard for viewing your environments.

Set up monitoring

Cloud Monitoring collects metrics, events, and metadata from Google Cloud services, hosted uptime probes, application instrumentation, and other common application components.

Make sure that you're logged in to the Cloud Console as a user in the gcp-devops group that was created in task 2.
Create a Workspace for Monitoring using a host project. The first monitored Google Cloud project in a Workspace is the host project; you should make sure that you choose the right project to act as the host project. When the steps prompt you to select a project, select the non-production monitoring project (example-monitoring-nonprod) that was created in task 5.
Add other projects that you want to monitor from this Workspace. For example, add all of the other non-production projects.
Repeat this procedure for your production projects. Use example-monitoring-prod as the Workspace project, and add the production projects to monitor.

Set up logging

Cloud Logging allows you to store, search, analyze, monitor, and alert on log data and events from Google Cloud and Amazon Web Services (AWS). Cloud Logging also allows you to ingest custom log data from any source, and to export logs to external data sinks.

Make sure that you're logged in to the Cloud Console as a user in the gcp-devops group that was created in task 2.
Enable logging export for BigQuery, using the following values:
- Select the example-logging-nonprod project.
- Create a BigQuery dataset. For Dataset ID, use a name like example_logging_export_nonprod.
- After you've named the dataset, click Create dataset.
Repeat the previous step for the example-logging-prod project, but use example_logging_export_prod for the dataset ID.
Review the logs retention periods to determine whether they meet your compliance requirements. If they don't, set up log export to Cloud Storage, which can be helpful for long-term retention.

Configure organizational security settings

In this task, you configure Google Cloud products to help protect your organization. Google Cloud provides many security offerings.

Who performs this task

A person in the gcp-organization-admins@<your-domain>.com group that was created in task 2.

What you do

Enable the Security Command Center dashboard
Set up Organization Policy

Why we recommend this task

We recommend setting up the following two products:

Security Command Center. This comprehensive security management and data risk platform enables you to monitor your cloud assets, scan storage systems for sensitive data, detect common web vulnerabilities, and review access rights to critical resources.
Organization Policy Service. This service gives you centralized and programmatic control over your organization's cloud resources.

Set up the products

Make sure that you're logged in to the Cloud Console as a user in the gcp-organization-admins group that was created in task 2.
Enable the Security Command Center dashboard.
Set up Organization Policy by following the steps at Customizing policies for boolean constraints, with the following details:
1. Set the Skip default network creation constraint with the following changes:
  - When you're asked to select a project, folder, or organization, select your organization.
  - When you're asked to select a constraint from the list on the Organization policies page, select Skip default network creation.
  - When you're asked to select an enforcement option, select On.
2. Set up the Domain restricted sharing constraint.
3. Disable external IP address access for VM instances.
Note: If you need VMs that have external access but don't expose public IP addresses, configure Cloud NAT as explained in task 8.