Google Cloud setup checklist

Before you begin

• To help secure your Google Cloud account, learn and utilize the Super administrator account best practices.
• Gather administrator credentials for the domain (such as "example.com") that you want to link to Google Cloud. You need these credentials to adjust DNS settings during setup.
• Identify a primary email account (such as maria@example.com) to use as a recovery address for your Google Cloud organization. When you begin the signup process, Cloud Identity asks you for this address first.
• Identify a secondary, backup email address for redundancy. You'll link this backup address to your super admin account. This email must be different from the primary email address. Cloud Identity asks for this address after you have already provided the account recovery address described earlier.

What you do in this task

• Provide an initial email address to use for account recovery.
• Create a managed user account for your first Google Cloud super admin user.
• Link your company’s domain (such as example.com) to Google Cloud by using a verification process.

After you complete these actions, Google Cloud creates the root node of your resource hierarchy, which we refer to as the organization resource.

You use Cloud Identity in the Admin Console to complete this task. Cloud Identity provides unified identity, access, application, and endpoint management across Google services. It offers fifty free user licenses, and you can request more free licenses if needed. Cloud Identity users also can access your organization's Google Drive, Google Keep, and Google Groups services.

Google Cloud offers Cloud Identity as a standalone product or bundled with Google Workspace. With Google Workspace, you get Cloud Identity along with familiar productivity and collaboration tools, like Gmail, Calendar, Meet, Chat, etc. It has several free trial options. Some companies save costs by using a combination of standalone Cloud Identity licenses for some users, with Google Workspace licenses going only to those users who need the additional collaboration tools.

Required permissions

In this task, you create the first super admin for your Google Cloud organization. The super admin has irrevocable, root administrator privileges for your organization, and can grant the same role to other users.

Security best practices

Securing your super admin accounts is critical to the security of your Google Cloud organization. Please review and follow Google Cloud super admin account best practices when creating your super admin accounts.

Procedure

To complete this task, select whether you are a New customer or a current Google Workspace customer.

Troubleshooting

Unable to sign up my domain for a Google service

For more information about common problems and solutions, see Can't sign up my domain for a Google service.

The Google account already exists

See 'Google Account already exists' error for a workaround.

My account doesn't have permission to administer or use my company’s Google Cloud org

This error implies that your company's domain has already been verified and has super admins in place. If you still need access to administer your Google Cloud organization, find an administrator within your company to give you access.

My firewall is showing errors and I am unable to verify the domain

If your company uses a proxy server that denies particular URLs, you will encounter errors when you attempt to register your domain. This scenario is common with customers who have advanced security setups, such as financial institutions. If you see this error, ensure that your proxy server explicitly allows the following URLs:

Additional resources

The following resources provide more context identity and other topics relevant to this task.

• Overview of creating and managing organizations
• Best practices for planning accounts and organizations
• Assessing and planning your identity setup
• Cloud Identity free edition
• Domain verification:
  • Documentation
  • Video walkthrough
• Google Workspace administrator roles
• Cloud Identity administrator roles

In this task, you add your first users, create groups to administer user access, and assign users to those groups. You assign the permissions to those user groups in task 3. You need the Admin Console and the Google Cloud console to do the following:

• Add managed users to your Google Cloud organization.
• Create a Google Group for each type of administrative user (such as organization admins, billing admins).
• Assign users to the groups corresponding to their roles.

Before you begin

• Ensure that you are signed in to the Google Admin console and Google Cloud console with one of the super admin accounts created in task 1.
• If your company already uses an identity provider, such as Active Directory, Azure AD, Okta, or Ping Identity, you can federate it into Google Cloud. For details see the identity provider reference architectures for identity federation.
• Federate Cloud Identity with Active Directory to automatically provision users and enable single sign-on.
• Create a custom solution using the Google Workspace Admin SDK.

Security best practices

Principle of least privilege: Give users the minimum necessary permissions to perform their role, and remove access as soon as it is no longer needed.

Role-based access control (RBAC): Assign permissions to groups of users according to their job role, using Google Groups to organize your users. We recommend against adding specific permissions to individual user accounts.

Procedure

Add users in the Google Admin console

For the purpose of this onboarding checklist, we recommend that you add users who will participate in the checklist tasks, such as administrators and decision makers involved with cloud setup practices.

1. Sign in to Google Admin console using a super admin account.
2. Add users with one of the following options:
   • Add several users at once.
   • Add users individually.

Create Google Groups and add group members

Next, you’ll use the Groups feature of the Google Cloud console to create Google Groups corresponding to the different types of users in your organization. A Google Group is a named collection of Google Accounts and service accounts. Every Google Group has a unique email address associated with the group (such as grp-gcp-billing-admins@example.com).

The groups below are common in enterprise organizations that have multiple departments administering its cloud infrastructure. If your setup requires a different group structure, feel free to customize our recommendations to your needs.

To complete, later steps in the checklist you need the following groups with at least one member in each group.

• grp-gcp-organization-admins or individual accounts
• grp-gcp-network-admins
• grp-gcp-billing-admins
• grp-gcp-devops

To create groups and add users using the Google Cloud console:

1. Log in to the Google Cloud console with a super admin account created in Task 1.

2. Go to the Groups page in the Google Cloud console.

   Go to the Groups page

3. Click Create.

4. Fill in details for a group, including the group name, email address, and an optional description.

5. Add members to the group:

   1. Click Add member.
   2. Enter the member's email address.

   3. Choose their Google Groups role.

6. Click Submit to create the group with the specified users.

Additional resources

• Managing conflicting accounts:
  • Using the transfer tool for unmanaged users.
    • Using a CSV upload.
    • Using the User Invitation API.
• Overview of Identity and Access Management (IAM) and Google Groups.
• Best practices for IAM.
• Create a group.
• Add or invite users to a group.
• Identity federation:
  • Review Reference architecture for federating with external identity providers.
  • Sync Active Directory or other LDAP-based identity stores to Google Cloud using the options outlined in the next section.
  • Automate identity administration using the Google Workspace Admin SDK.
• Sync identity stores to Google Cloud using either GCDS or Directory Sync:
  • To sync Active Directory or other LDAP-based identity stores to Google Cloud, use Google Cloud Directory Sync (GCDS):
  • To sync Active Directory users and groups to Google Cloud, use Directory Sync, an agentless solution that requires setting up Cloud VPN or Interconnect (covered in task 8).
  • Compare GCDS and Directory Sync.

In this task you set up administrator access for your organization, which gives the administrators central visibility and control over every cloud resource that belongs to your organization.

Who performs this task

If your company already uses a paid Google Workspace service, a person with Google Workspace super admin access must perform this step. If not, use the Cloud Identity account created in task 1.

What you do in this task

• Verify that your organization was created.

• Assign administrative roles to the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2.

• Add administrative permissions to yourself, and to other administrators in your organization, so that you can perform later tasks in the checklist.

Why we recommend this task

For security reasons, you must explicitly define all administrative roles for your organization. Separating super admin and organization admin roles is a Google Cloud security best practice. The super admin role manages all other identities in Cloud Identity and Google Workspace, and is required to create the root Google Cloud organization. To learn more, please visit super admin best practices.

Verify that your organization was created

1. Log in to the Google Cloud console using either your Google Workspace

   super administrator account, or using the Cloud Identity Super Admin account that you set up in task 1.

2. Go to the Identity and Organization

   page to finish creating the organization. After you go to the link, you might need to wait a few minutes for the process to complete.

3. Make sure that your organization name appears in the Select an organization list. It can take a few minutes for your organization to be created from the steps in task 1. If you don't see the organization name, wait a few minutes and then refresh the page.

Set up administrator access

Next, you assign administrative roles to the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2.

You can find a more dynamic, responsive form of these procedures in the Google Cloud console. The console-based checklist automates and simplifies several tasks. You must be signed in to the Google Cloud console to complete the procedure there.

1. Complete the steps at Grant access, with the following changes:

   • After you open the IAM page in the Google Cloud console, make sure that your organization name is selected in the organization list at the top of the page.

   • When you're asked to enter an email address, use grp-gcp-organization-admins@<your-domain>.com.

   • When you're asked to select a role, select Resource Manager > Organization Administrator.

2. After you've added the first role, click Add another role and then add the following additional roles for the grp-gcp-organization-admins@<your-domain>.com member:

   • Resource Manager > Folder Admin
   • Resource Manager > Project Creator
   • Billing > Billing Account User
   • Roles > Organization Role Administrator
   • Organization Policy > Organization Policy Administrator
   • Security Center > Security Center Admin
   • Support > Support Account Administrator

3. When you're done adding roles, click Save.

In this task, you set up a billing account to pay for Google Cloud resources, and you set administrator access for your billing accounts.

As you prepare for this task, you'll need to decide which type of billing account to use for your setup:

• Self-serve. You sign up online using a credit or debit card, or ACH direct debit. Costs are charged automatically.
• Invoiced. If you already have self-service billing set up, you might be eligible to switch your account type to monthly invoiced billing if your business meets certain requirements. Invoices are sent by mail or electronically and may be paid by check or wire transfer.

For more information, see Billing account types.

Who performs this task

This task requires multiple people:

1. A person in the grp-gcp-organization-admins@<your-domain>.com group created in task 2, or someone with the administrator access defined in task 3.

2. A person in the grp-gcp-billing-admins@<your-domain>.com group created in task 2.

What you do in this task

• Assign administrative access to the grp-gcp-billing-admins@<your-domain>.com group created in task 2.
• Decide whether to use a self-serve or invoiced billing account.
• Set up a billing account and a payment method.

Why we recommend this task

A Cloud Billing account is required to use Google Cloud products. Cloud Billing accounts are linked to one or more Google Cloud projects and are used to pay for the resources you use, such as virtual machines, networking, and storage. IAM roles control access to Cloud Billing accounts.

Set up administrator access

Team members who are assigned the Billing Account Administrator IAM role can complete tasks such as managing payments and invoices, setting budgets, and associating projects with billing accounts. The role does not give team members permission to view the contents of the projects.

1. Make sure that you're signed in to the Google Cloud console as a user in the grp-gcp-organization-admins Google Group that was created in task 2, or as a user with the administrator access defined in task 3.

2. Complete the steps at Grant access, with the following changes:

   • When you're asked to enter an email address, use grp-gcp-billing-admins@<your-domain>.com.

   • When you're asked to select a role, select Billing > Billing Account Administrator.

   • After you've added the first role, click Add another role and then add the following additional roles for the grp-gcp-billing-admins@<your-domain>.com member:

     • Billing > Billing Account Creator
     • Resource Manager > Organization Viewer

Set up the billing account

Next, you set up a Cloud Billing account. There are two types of billing accounts:

• Self-serve. You sign up online using a credit or debit card, or ACH direct debit. Costs are charged automatically.

• Invoiced. You pay by check or wire transfer. Invoices are sent by mail or electronically.

When you sign up online for a billing account, your account is automatically set up as a self-serve type of account. You cannot sign up online for an invoiced type of account, rather, you must apply for invoiced billing. For more information, see Billing account types.

After you set up the billing account

To monitor your costs and avoid surprises on your bill, after you have set up your Cloud Billing account, we recommend you implement the following billing best practices for each billing account:

• Configure Cloud Billing data exports to a BigQuery dataset.
• Define budgets to generate alerts when spending reaches certain thresholds.

For best practices to monitor and control costs, see Monitor and control cost.

In this task, you create a basic structure for folders and projects in your resource hierarchy:

• Folders

  provide a grouping mechanism and isolation boundaries between projects. For example, they can represent the main departments in your organization such as finance or retail, or environments such as production versus non-production.

• Projects

  contain your cloud resources, such as virtual machines, databases, and storage buckets. For design considerations and best practices to organize your resources in projects, see Decide a resource hierarchy for your Google Cloud landing zone.

You can set IAM policies to control access at different levels of the resource hierarchy. You will set these policies as a later task in this checklist.

Who performs this task

A person in the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2, or someone with the administrator access defined in task 3.

What you do in this task

Create the initial hierarchy structure with folders and projects.

Why we recommend this task

Creating the structure is a requirement for a later task where you set IAM policies in order to control access at different levels of the resource hierarchy.

Plan the resource hierarchy

There are many ways to create your resource hierarchy. The following diagram shows a typical example:

In the example, the organization resource hierarchy contains three levels of folders:

• Environment (non-production and production). By isolating environments from each other, you can better control access to production environments and avoid non-production changes accidentally impacting production.

• Business units. In the diagram, these are represented by Dept X and Dept Y, which might be business units such as Engineering and Marketing, and a Shared folder that has projects that contain resources shared across the hierarchy, such as networking, logging, and monitoring.

• Teams. In the diagram, these are represented by Team A, Team B, and Team C, which might be teams like Development, Data Science, QA, and so on.

Create initial folders in the resource hierarchy

In this step, you create basic folders for your initial setup, as shown in this diagram. Folders allow you to group resources.

To create initial folders:

1. Sign in to the Google Cloud console as a user in the grp-gcp-organization-admins Google Group (created in task 2), or as a user with the administrator access defined in task 3.

2. In the Google Cloud console, go to the Manage resources page:

   Go to Manage resources

3. Create the following two folders:

   • Production > Shared
   • Non-Production > Shared

Create initial projects in the resource hierarchy

After creating the initial hierarchy, you create projects. Following the principle of separating production and non-production environments, for this checklist you need to create the following projects:

• example-vpc-host-nonprod. This project is used to help connect non-production resources from multiple projects to a common VPC network.

• example-vpc-host-prod-draft. This project is a placeholder to eventually connect production resources from multiple projects to a common VPC network.

• example-monitoring-nonprod. This project is used to host non-production monitoring resources.

• example-monitoring-prod-draft. This project is a placeholer to eventually host production monitoring resources.

• example-logging-nonprod. This project is used to host exported log data from your non-production environment.

• example-logging-prod-draft. This project is a placeholder used to eventually host exported log data from your production environment.

Project names are limited to 30 characters. Typically, you would use your own company name in place of example, as long as you can do so within the 30-character limit. When you create projects in the resource hierarchy in the future, we recommend using a naming convention such as <business unit name>-<team name>-<application name>-<environment>, according to the resource hierarchy of your organization.

To create the projects:

1. In the Google Cloud console, go to the Manage resources page:

   Go to Manage resources

2. Click Create Project.

3. In the New Project window, enter one of the project names listed earlier.

4. If you're prompted to select a billing account, select the billing account you want to use for this checklist.

5. For Location, click Browse and then set the location as follows:

   • If the name of the project you're creating ends with prod, select Production > Shared.
   • If the name of the project you're creating ends with nonprod, select Non-Production > Shared.

6. Click Create.

7. Repeat steps 2 through 6 for each of the recommended projects.

Confirm projects are linked to the appropriate billing account

In order to perform tasks later in this checklist, projects must be linked to a billing account. For a current list of your projects and linked billing accounts, visit Task 5 in the Google Cloud console.

If you do not have access to an active billing account, skip to the next task. If you attempt to use projects not linked to a billing account, the Google Cloud console prompts you to enable billing. When a billing account is ready, return to this step to enable billing for those projects.

To review or change billing accounts set for projects in Cloud Billing:

1. View billing accounts on the Billing page and select the My Projects tab. The page lists all billing accounts linked to your organization's projects.
2. To change the billing account for any project, see Enable, disable, or change billing for a project.

In this task, you set up access control for your resource hierarchy by adding IAM policies to the resources. An IAM policy is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

To set permissions, you perform the same basic procedure, but you do it for resources at different levels of the hierarchy (organization, folders, and projects). We recommend that you use the principle of least privilege and grant the least amount of access that's necessary to resources in each level. The roles that we recommend in the following procedures help you enforce the principle of least privilege.

Who performs this task

A person in the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2, or someone with the administrator access defined in task 3.

What you do in this task

Set IAM policies on the organization, folder, and project level.

Why we recommend this task

Setting IAM policies across your resource hierarchy lets you scalably control access to your cloud resources.

About IAM policies

IAM policies apply at three levels of your resource hierearchy:

1. The organization. Policies that you set at the organization level apply to all folders and projects in the organization.
2. A folder. Policies set on a folder apply to projects within the folder.
3. A project. Policies set at the project level apply only to that project.

The following table lists the principals and the roles that you assign to them at the organization level.

Administer IAM roles

1. Make sure that you're signed in to the Google Cloud console as a user in the grp-gcp-organization-admins Google Group that was created in task 2, or as someone with the administrator access defined in task 3.

2. In the Google Cloud console, go to the Manage resources page:

   Go to Manage resources

3. Select your organization from the organization tree grid.

4. If the Info Panel pane on the right is hidden, click Show Info Panel in the top right corner.

5. Select the checkbox for the organization.

6. In the Info Panel pane, in the Permissions tab, click Add Member.

7. In the New members field, enter the name of a member from the table. For example, start by entering grp-gcp-network-admins@<your-domain>.com, as listed in the preceding table.

8. In the Select a role list, select the first role for that member as listed in the table. For example, for the first member, the first role that you select is Compute Engine > Compute Network Admin.

9. Click Add another role, and then add the next role for that member.

10. Add the next role for that member.

11. When you've added all the roles for a member, click Save.

12. Repeat step 2 through 7 for the other members listed in the table.

Set IAM policies at the folder level

Policies set on the folder level also apply to projects in the folders. The procedure is similar to what you did for your organization, except that you select a different level in the hierarchy.

1. Clear the checkbox for the organization and for any other resource that is selected.

2. Select the checkbox for the Production folder.

3. In the Info Panel pane, in the Permissions tab, click Add Member.

4. In the New members field, enter grp-gcp-devops@<your-domain>.com.

5. Using the same steps you used for adding roles to organization members, add the following roles to the grp-gcp-devops@<your-domain>.com member:

   • Logging > Logging Admin. This grants full permissions to Cloud Logging.
   • Error Reporting > Error Reporting Admin. This grants full permissions to error reporting data.
   • Service Management > Quota Administrator. This grants access to administer service quotas.
   • Monitoring > Monitoring Admin. This grants full permissions to monitoring data.
   • Compute Engine > Compute Admin. This grants full permissions to Compute Engine resources.
   • Kubernetes Engine > Kubernetes Engine Admin. This grants full permissions to Google Kubernetes Engine container clusters.

6. When you've finished adding roles, click Save.

7. Clear the checkbox for the Production folder.

8. Select the checkbox for the Non-Production folder.

9. Add grp-gcp-developers@<your-domain>.com as a new member.

10. Assign the following IAM roles to the grp-gcp-developers@<your-domain>.com member:

    • Compute Engine > Compute Admin. This grants full permissions to Compute Engine resources.
    • Kubernetes Engine > Kubernetes Engine Admin. This grants full permissions to Google Kubernetes Engine container clusters.

Set IAM policies at the project level

Policies that you set at the project level apply only to the projects they are applied to. This lets you set fine-grained permissions for individual projects.

1. Clear the checkbox for any folders and for any other resource that has been selected.

2. Select the checkboxes for the following projects:

   • example-vpc-host-nonprod
   • example-vpc-host-prod

3. Add grp-gcp-network-admins@<your-domain>.com as a member.

4. Assign the following role to the grp-gcp-network-admins@<your-domain>.com member:

   • Project > Owner. This grants full permissions to all resources in the selected projects.

5. Click Save.

6. Clear the checkboxes for the selected projects.

7. Select the checkboxes for the following projects:

   • example-monitoring-nonprod
   • example-monitoring-prod
   • example-logging-nonprod
   • example-logging-prod

8. Add gcp-devops@<your-domain>.com as a new member.

9. Assign the following role to the grp-gcp-devops@<your-domain>.com member:

   • Project > Owner. This grants full permissions to all resources in the selected projects.

10. Click Save.

In this task, you set up your initial networking configuration. Typically, you need to do the following:

• Design, create, and configure a virtual private cloud architecture.
• If you have on-premises networking, or networking in another cloud provider, configure connectivity between that provider and Google Cloud.
• Set up a path for external egress traffic.
• Implement network security controls, such as firewall rules.
• Choose a preferred ingress traffic option for services that are hosted on the cloud.

This task shows you an example for item 1 as a basis for your own virtual private cloud architecture.

The remaining items—external connectivity, egress traffic configuration, implementing firewall rules, and choosing an ingress option—are dependent on your business needs. Therefore, we don't cover those in this checklist. However, we provide links to additional information for these items.

Who performs this task

A person in the grp-gcp-network-admins@<your-domain>.com group that was created in task 2.

What you do in this task

Set up an initial networking configuration.

• Create Shared VPC networks
• Configure connectivity between the external provider and Google Cloud
• Set up a path for external egress traffic
• Implement network security controls
• Choose an ingress traffic option

Why we recommend this task

• Shared VPC allows separate teams to connect to a common, centrally-managed VPC network from multiple distinct products.

• Configuring hybrid connectivity allows seamless migration of applications to Google Cloud while still connecting to service dependencies.

• Designing secure ingress and egress pathways from the start enables your teams to productively work in Google Cloud without compromising security.

Virtual private cloud architecture

Google offers Virtual Private Cloud (VPC), which provides networking functionality to your Google Cloud resources such as Compute Engine virtual machine instances, GKE containers, and App Engine flexible environment. The following diagram shows a basic multi-regional architecture:

This architecture has two Shared VPC host projects. One host project is for your non-production environment, and the other is for your eventual production environment (currently labeled "production-draft". Shared Virtual Private Cloud allows organizations to connect resources from multiple projects to a common network, so that the resources can communicate with each other more securely and efficiently using internal IP addresses from that network.

A Shared VPC host project contains one or more Shared VPC networks. In this architecture, each Shared VPC network (both production-draft and non-production) contains public and private subnets across two regions (in this case, us-east1 and us-west1):

• The public subnet can be used for instances that are internet-facing to provide external connectivity.
• The private subnet can be used for instances that are solely internal-facing and should not be allocated public IP addresses.

The architecture that's shown in the preceding diagram uses example names for various resources. For your own setup, you might change elements of the name, such as your company (example in the example names) and the region you're using (us-east1 and us-west1 in the examples).

Configure networking

Although networking setups vary based on your workload, the following activities are common:

1. Create shared Virtual Private Cloud (VPC) networks. Shared VPC allows an organization to connect resources from multiple projects to a common VPC network. To create a shared VPC network, use the Google Cloud console.

2. Configure connectivity between the external provider and Google Cloud. If you have on-premises networking, or networking in another cloud provider, you can set up Cloud VPN, a service that helps securely connect your peer network to your Google Cloud VPC network through an IPSec VPN connection. Cloud VPN is suitable for speeds up to 3.0 Gbps. If you need higher bandwidth to connect your on-premises system to Google Cloud, see Partner Interconnect and Dedicated Interconnect. To create a VPN connection, follow the instructions at Creating a gateway and tunnel for both the production-draft and non-production Shared VPC networks created in the previous procedure.

3. Set up a path for external egress traffic. You use Cloud NAT to allow your VMs to connect to the internet without using external IP addresses. Cloud NAT is a regional resource. You can configure it to allow traffic from all primary and secondary IP ranges of subnets in a region, or you can configure it to apply to only some of those ranges. To set up a path for external egress traffic, follow the instructions at Create NAT for all regions in the shared VPC networks created in the previous procedure for both production-draft and non-production networks.

4. Implement network security controls. Firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration that you specify. Follow the instructions at Using firewall rules to configure these controls for both production-draft and non-production Shared VPC networks that was created in the previous procedure.

5. Choose an ingress traffic option. Cloud Load Balancing allows you to control how compute resources are distributed across regions. Load balancing helps you meet availability requirements both for incoming external traffic and for traffic within your VPC network. As you plan your application architecture on Google Cloud, review Choosing a Load Balancer to decide which types of load balancers you need.

In this task, you set up basic logging and monitoring features using Cloud Logging and Cloud Monitoring.

Who performs this task

A person in the grp-gcp-devops@<your-domain>.com group that was created in task 2.

What you do in this task

Set up basic logging and monitoring features using Cloud Logging and Cloud Monitoring.

Why we recommend this task

Comprehensive logging and monitoring is key to maintaining observability in your cloud environment. Configuring appropriate logging retention from the start allows you to build and have confidence that an audit trail is preserved, while setting up centralized monitoring will give your team a central dashboard for viewing your environments.

Set up monitoring

Cloud Monitoring collects metrics, events, and metadata from Google Cloud services, hosted uptime probes, application instrumentation, and other common application components.

In this task, you configure a Google Cloud project to have access to the metrics of other Google Cloud projects:

1. Sign in to the Google Cloud console as a user in the grp-gcp-devops Google Group created in task 2.
2. Add the projects that you want to monitor. For example, add all of the other non-production projects.
3. Repeat this procedure for your production projects. Use example-monitoring-prod as the scoping project, and add the production projects that you wish to monitor.

Set up logging

Cloud Logging allows you to store, search, analyze, monitor, and alert on log data and events from Google Cloud and Amazon Web Services (AWS). Cloud Logging also allows you to ingest custom log data from any source, and to export logs to external data sinks.

1. Make sure that you're signed in to the Google Cloud console as a user in the grp-gcp-devops group that was created in task 2.

2. Enable logging export for BigQuery, using the following values:

   • Select the example-logging-nonprod project.
   • Create a BigQuery dataset. For Dataset ID, use a name like example_logging_export_nonprod.
   • After you've named the dataset, click Create dataset.

3. Repeat the previous step for the example-logging-prod project, but use example_logging_export_prod for the dataset ID.

4. Review the logs retention periods to determine whether they meet your compliance requirements. If they don't, set up log export to Cloud Storage, which can be helpful for long-term retention.

In this task, you configure Google Cloud products to help protect your organization. Google Cloud provides many security offerings.

Who performs this task

A person in the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2, or someone with the administrator access defined in task 3.

What you do in this task

• Enable the Security Command Center dashboard
• Set up Organization Policy

Why we recommend this task

We recommend setting up the following two products:

• Security Command Center. This comprehensive security management and data risk platform enables you to monitor your cloud assets, scan storage systems for sensitive data, detect common web vulnerabilities, and review access rights to critical resources.

• Organization Policy Service. This service gives you centralized and programmatic control over your organization's cloud resources.

Set up the products

1. Sign in to the Google Cloud console as a user in the grp-gcp-organization-admins group that was created in task 2, or as a user with the administrator access defined in task 3).

2. Enable the Security Command Center dashboard.

3. Set up Organization Policy by following the steps at Customizing policies for boolean constraints. When you're asked to select a project, folder, or organization, select your organization.

   We recommend setting the following policies:

   1. Skip default network creation.

      1. On the Organization policies screen, filter for Skip default network creation.
      2. Select Skip default network creation policy.
      3. Click Edit.
      4. Select Customize and click Add Rule.
      5. When asked to select an enforcement option, select On.

   2. Define allowed external IPs for VM instances.

      1. On the Organization policies screen, filter for Define allowed external IPs for VM instances.
      2. Select Define allowed external IPs for VM instances policy and click Edit.
      3. Select Customize and click Add Rule. When you're asked to select policy values, select Deny All.

      You can also set custom policy to allow/deny external IPs for specific VM instances.

   3. Set up the Domain restricted sharing constraint.

In this task, you can choose a support option.

Who performs this task

A person in the grp-gcp-organization-admins@<your-domain>.com group created in task 2, or someone with the administrator access defined in task 3.

What you do in this task

Choose a support plan based on your company's needs.

Why we recommend this task

A premium support plan provides you with business-critical support to quickly resolve issues with help from experts at Google.

Choose a support option

Every Google Cloud customer automatically gets free support that includes support product documentation, community support, and support for billing issues. However, we recommend that enterprise customers sign up for a premium support plan, which offers one-on-one technical support with Google support engineers. For more information, you can compare support plans.

Enable support

1. Read about the support plans

   and decide which plan you want. You set up the support plan in a later step. If you decide to stay with free support options, you can continue to the next task.

2. Make sure that you're signed in to the Google Cloud console as a user in the grp-gcp-organization-admins Google Group that was created in task 2, or as a user with the administrator access defined in task 3.

3. Set up the support plan.

   • To request Premium Support, contact your Google sales representative. If you don't have a representative, contact sales.

   • To enable Role-Based Support, go to the Enable Role-Based Support page in Google Cloud console and follow the on-screen prompts to complete the required steps.

4. Follow the instructions at Support user roles to assign the Support User and Org Viewer roles to each user who needs to interact with Google Cloud Support.