This checklist helps you set up Google Cloud for scalable, production-ready, enterprise workloads. It is designed for administrators who are trusted with complete control over the company's Google Cloud resources.
The checklist includes 10 tasks that have step-by-step procedures. Some tasks can be accomplished multiple ways; we describe the most common path. If you need to deviate from the recommended path, keep track of your choices because they may be important later in the checklist.
Checklist
Cloud identity and organization
Before you begin
- To help secure your Google Cloud account, learn and apply the Super administrator account best practices.
- Gather administrator credentials for the domain (such as "example.com") that you want to link to Google Cloud. You need these credentials to adjust DNS settings during setup.
- Identify a primary email account (such as maria@example.com) to use as a recovery address for your Google Cloud organization. When you begin the signup process, Cloud Identity asks you for this address first.
- Identify a secondary, backup email address for redundancy. You'll link this backup address to your super admin account. This email must be different from the primary email address. Cloud Identity asks for this address after you have already provided the account recovery address described earlier.
What you do in this task
- Provide an initial email address to use for account recovery.
- Create a managed user account for your first Google Cloud super admin user.
- Link your company’s domain (such as example.com) to Google Cloud by using a verification process.
After you complete these actions, Google Cloud creates the root node of your resource hierarchy, which we refer to as the organization resource.
You use Cloud Identity in the Admin Console to complete this task. Cloud Identity provides unified identity, access, application, and endpoint management across Google services. It offers fifty free user licenses, and you can request more free licenses if needed. Cloud Identity users can also access your organization's Google Drive, Google Keep, and Google Groups services.
Google Cloud offers Cloud Identity as a standalone product or bundled with Google Workspace. With Google Workspace, you get Cloud Identity along with familiar productivity and collaboration tools, like Gmail, Calendar, Meet, Chat, etc. It has several free trial options. Some companies save costs by using a combination of standalone Cloud Identity licenses for some users, with Google Workspace licenses going only to those users who need the additional collaboration tools.
Required permissions
In this task, you create the first super admin for your Google Cloud organization. The super admin has irrevocable, root administrator privileges for your organization, and can grant the same role to other users.
Security best practices
Securing your super admin accounts is critical to the security of your Google Cloud organization. Please review and follow Google Cloud super admin account best practices when creating your super admin accounts.
Procedure
To complete this task, select whether you are a New customer or a current Google Workspace customer.
New customers
This checklist shows steps for the free, standalone edition of Cloud Identity. To learn more about the premium edition, see Compare Cloud Identity features and editions. (If you want to use Google Workspace, you can enable it after completing your initial setup.)
Create your first Cloud Identity account and super admin username. You'll specify your email address and company details, as well as the username for your first super admin.
Note: Specify the super admin username in the format admin-[user] (for example, admin-maria). Cloud Identity adds <username>@<your-domain>.com as the first super admin for Cloud Identity. You can specify additional super admins using the Admin Console.
Verify your domain. This process may take several hours. If you run into issues, see the Troubleshooting section.
We will add more users later in this checklist; when you're prompted to add users to your account, skip that process as follows:
- Click Create users.
- Select I have finished adding users for now, and then click Next.
- Click Continue to Google Cloud console.
By default, the free edition of Cloud Identity provides fifty user licenses. This checklist uses four of those. You can view existing licenses at the Admin Console Billing page. If you need additional free licenses, you can request them by completing the following steps:
- Sign in to Google Admin console with the super admin account created in the preceding procedure.
- Request additional free licenses by following this process.
Google Workspace customers
To set up Cloud Identity for existing Google Workspace accounts:
Enable Cloud Identity. After you enable Cloud Identity, any user added to your organization can access Cloud Identity.
Disable automatic Google Workspace licensing.
If you don't disable automatic Google Workspace licensing, all new users also receive a paid Google Workspace license, potentially causing unintended expense. You can still add paid Google Workspace user accounts after completing this step.
By default, you receive 50 licenses for the free edition of Cloud Identity. This checklist requires you to set up four users. You can view existing licenses at the Admin Console Billing page. If you need additional free licenses, request them as follows:
- Sign in to Google Admin console with the super admin account created in the preceding procedure.
- Once signed in as a super admin, you can request additional free licenses by following the process outlined on this page.
Troubleshooting
Unable to sign up my domain for a Google service
For more information about common problems and solutions, see Can't sign up my domain for a Google service.
The Google account already exists
See 'Google Account already exists' error for a workaround.
My account doesn't have permission to administer or use my company’s Google Cloud org
This error implies that your company's domain has already been verified and has super admins in place. If you still need access to administer your Google Cloud organization, find an administrator within your company to give you access.
My firewall is showing errors and I am unable to verify the domain
If your company uses a proxy server that denies particular URLs, you will encounter errors when you attempt to register your domain. This scenario is common with customers who have advanced security setups, such as financial institutions. If you see this error, ensure that your proxy server explicitly allows the following URLs:
Required URL | Why it matters |
---|---|
accounts.google.com | Required for SAML SSO federation to Google Cloud and for SSO access to the Google Cloud console. Note: This works only after the customer domain has been allowlisted in the Google Cloud backend. |
www.googleapis.com | Required during sign-in for sync of Active Directories if you use a federated identity provider. |
console.cloud.google.com | Required to access the Google Cloud console. |
fonts.googleapis.com | Fonts for the Google Cloud console. Required for proper UI styling. |
*.clients6.google.com | Required for the Google Cloud console. This URI provides Service API gRPC endpoints used to display information in the Google Cloud console. |
ssl.gstatic.com, www.gstatic.com, lh3.googleusercontent.com, lh4.googleusercontent.com, lh5.googleusercontent.com, lh6.googleusercontent.com | Required for the Google Cloud console to serve static content and some APIs. Also stores public keys for custom certificates. |
cloud.google.com | Required for access to Google Cloud documentation and help pages. |
ssh.cloud.google.com | Required for Cloud Shell. |
apis.google.com, *.googleapis.com | Required for remote API access to Google Cloud. (Optional for the Google Cloud console; prefer private or restricted API access when using the Google Cloud CLI.) |
admin.google.com | Optional when administering Cloud Identity. |
payments.google.com | Optional when submitting payment information, Google Admin subscriptions, and billing accounts. |
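As an added example that is not part of this checklist, the following Python checks the hostnames in a proxy log against the allowlist in the table above: it reports hosts the table does not cover, and hosts the table requires that the proxy is still denying (a sign the allow rules have not taken effect). The log lines are constructed, their layout is assumed, and wildcard entries such as *.googleapis.com are taken to match any subdomain but not the bare domain.

```python
"""Check proxy log hostnames against the allowlist in the troubleshooting table.

Added example; it is not part of the checklist. ALLOWED is the table's
"Required URL" column. SAMPLE_LOG is constructed, and its
"<method> <url> <status>" layout is an assumed, simplified format.
Wildcard entries are taken to match any subdomain but not the bare domain.
"""
from urllib.parse import urlsplit

ALLOWED = [
    "accounts.google.com", "www.googleapis.com", "console.cloud.google.com",
    "fonts.googleapis.com", "*.clients6.google.com",
    "ssl.gstatic.com", "www.gstatic.com",
    "lh3.googleusercontent.com", "lh4.googleusercontent.com",
    "lh5.googleusercontent.com", "lh6.googleusercontent.com",
    "cloud.google.com", "ssh.cloud.google.com",
    "apis.google.com", "*.googleapis.com",
    "admin.google.com", "payments.google.com",
]

# Constructed sample log: one request per line, "<method> <url> <status>".
SAMPLE_LOG = """\
CONNECT https://accounts.google.com/ 200
CONNECT https://console.cloud.google.com/ 200
CONNECT https://storage.googleapis.com/ 200
CONNECT https://lh7.googleusercontent.com/ 403
CONNECT https://ssh.cloud.google.com/ 403
"""


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or any subdomain for a '*.' pattern (never the bare domain)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.x.com" -> must end with ".x.com"
    return host == pattern


def is_allowed(host: str, allowlist=ALLOWED) -> bool:
    """True if the host is covered by at least one allowlist entry."""
    return any(host_matches(p, host) for p in allowlist)


def _requests(log: str):
    """Yield (host, status) for each parseable log line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        host = urlsplit(fields[1]).hostname
        if host:
            yield host, fields[2]


def hosts_in_log(log: str) -> list[str]:
    """Hostnames seen in the log, in order of first appearance."""
    seen: list[str] = []
    for host, _status in _requests(log):
        if host not in seen:
            seen.append(host)
    return seen


def not_in_allowlist(log: str, allowlist=ALLOWED) -> list[str]:
    """Hosts seen in the log that no entry of the table covers."""
    return [h for h in hosts_in_log(log) if not is_allowed(h, allowlist)]


def denied_but_required(log: str, allowlist=ALLOWED) -> list[str]:
    """Hosts the table requires that the proxy still answered with 403."""
    out: list[str] = []
    for host, status in _requests(log):
        if status == "403" and is_allowed(host, allowlist) and host not in out:
            out.append(host)
    return out
```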
Additional resources
The following resources provide more context on identity and other topics relevant to this task.
Users and groups
In this task, you add your first users, create groups to administer user access, and assign users to those groups. You assign the permissions to those user groups in task 3. You need the Admin Console and the Google Cloud console to do the following:
- Add managed users to your Google Cloud organization.
- Create a Google Group for each type of administrative user (such as organization admins, billing admins).
- Assign users to the groups corresponding to their roles.
Before you begin
- Ensure that you are signed in to the Google Admin console and Google Cloud console with one of the super admin accounts created in task 1.
- If your company already uses an identity provider, such as Active Directory, Azure AD, Okta, or Ping Identity, you can federate it into Google Cloud. For details see the identity provider reference architectures for identity federation.
- Federate Cloud Identity with Active Directory to automatically provision users and enable single sign-on.
- Create a custom solution using the Google Workspace Admin SDK.
Security best practices
Principle of least privilege: Give users the minimum necessary permissions to perform their role, and remove access as soon as it is no longer needed.
Role-based access control (RBAC): Assign permissions to groups of users according to their job role, using Google Groups to organize your users. We recommend against adding specific permissions to individual user accounts.
Procedure
Add users in the Google Admin console
For the purpose of this onboarding checklist, we recommend that you add users who will participate in the checklist tasks, such as administrators and decision makers involved with cloud setup practices.
- Sign in to Google Admin console using a super admin account.
- Add users with one of the following options:
Create Google Groups and add group members
Next, you’ll use the Groups feature of the Google Cloud console to create Google Groups corresponding to the different types of users in your organization. A Google Group is a named collection of Google Accounts and service accounts. Every Google Group has a unique email address associated with the group (such as grp-gcp-billing-admins@example.com).
The groups below are common in enterprise organizations that have multiple departments administering their cloud infrastructure. If your setup requires a different group structure, feel free to customize our recommendations to your needs.
Group | Function |
---|---|
grp-gcp-organization-admins (group or individual accounts required for checklist) | Administering any resource that belongs to the organization. Assign this role sparingly; org admins have access to all of your Google Cloud resources. Alternatively, because this function is highly privileged, consider using individual accounts instead of creating a group. |
grp-gcp-network-admins (required for checklist) | Creating networks, subnets, firewall rules, and network devices such as Cloud Router, Cloud VPN, and cloud load balancers. |
grp-gcp-billing-admins (required for checklist) | Setting up billing accounts and monitoring their usage. |
grp-gcp-devops (required for checklist) | Creating or managing end-to-end pipelines that support continuous integration and delivery, monitoring, and system provisioning. |
grp-gcp-developers | Designing, coding, and testing applications. |
grp-gcp-security-admins | Establishing and managing security policies for the entire organization, including access management and organization constraint policies. See the Google Cloud security foundations guide for more information about planning your Google Cloud security infrastructure. |
grp-gcp-billing-viewer | Monitoring the spend on projects. Typical members are part of the finance team. |
grp-gcp-platform-viewer | Reviewing resource information across the Google Cloud organization. |
grp-gcp-security-reviewer | Reviewing cloud security. |
grp-gcp-network-viewer | Reviewing network configurations. |
grp-gcp-audit-viewer | Viewing audit logs. |
grp-gcp-scc-admin | Administering Security Command Center. |
grp-gcp-secrets-admin | Managing secrets in Secret Manager. |
To complete later steps in the checklist, you need the following groups, each with at least one member:
- grp-gcp-organization-admins (or individual accounts)
- grp-gcp-network-admins
- grp-gcp-billing-admins
- grp-gcp-devops
To create groups and add users using the Google Cloud console:
- Log in to the Google Cloud console with a super admin account created in Task 1.
- Go to the Groups page in the Google Cloud console.
- Click Create.
- Fill in details for a group, including the group name, email address, and an optional description.
- Add members to the group:
  - Click Add member.
  - Enter the member's email address.
  - Choose their Google Groups role.
- Click Submit to create the group with the specified users.
Additional resources
- Managing conflicting accounts:
  - Using the transfer tool for unmanaged users.
  - Using a CSV upload.
  - Using the User Invitation API.
- Overview of Identity and Access Management (IAM) and Google Groups.
- Best practices for IAM.
- Create a group.
- Add or invite users to a group.
- Identity federation:
  - Review Reference architecture for federating with external identity providers.
  - Sync Active Directory or other LDAP-based identity stores to Google Cloud using the options outlined in the next section.
  - Automate identity administration using the Google Workspace Admin SDK.
- Sync identity stores to Google Cloud using either GCDS or Directory Sync:
  - To sync Active Directory or other LDAP-based identity stores to Google Cloud, use Google Cloud Directory Sync (GCDS).
  - To sync Active Directory users and groups to Google Cloud, use Directory Sync, an agentless solution that requires setting up Cloud VPN or Interconnect (covered in task 8).
  - Compare GCDS and Directory Sync.
Administrative access
In this task you set up administrator access for your organization, which gives the administrators central visibility and control over every cloud resource that belongs to your organization.
Who performs this task
If your company already uses a paid Google Workspace service, a person with Google Workspace super admin access must perform this step. If not, use the Cloud Identity account created in task 1.
What you do in this task
- Verify that your organization was created.
- Assign administrative roles to the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2.
- Add administrative permissions to yourself, and to other administrators in your organization, so that you can perform later tasks in the checklist.
Why we recommend this task
For security reasons, you must explicitly define all administrative roles for your organization. Separating super admin and organization admin roles is a Google Cloud security best practice. The super admin role manages all other identities in Cloud Identity and Google Workspace, and is required to create the root Google Cloud organization. To learn more, see super admin best practices.
Verify that your organization was created
- Log in to the Google Cloud console using either your Google Workspace super administrator account, or using the Cloud Identity Super Admin account that you set up in task 1.
- Go to the Identity and Organization page to finish creating the organization. After you go to the link, you might need to wait a few minutes for the process to complete.
- Make sure that your organization name appears in the Select an organization list. It can take a few minutes for your organization to be created from the steps in task 1. If you don't see the organization name, wait a few minutes and then refresh the page.
Set up administrator access
Next, you assign administrative roles to the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2.
You can find a more dynamic, responsive form of these procedures in the Google Cloud console. The console-based checklist automates and simplifies several tasks. You must be signed in to the Google Cloud console to complete the procedure there.
Complete the steps at Grant access, with the following changes:
- After you open the IAM page in the Google Cloud console, make sure that your organization name is selected in the organization list at the top of the page.
- When you're asked to enter an email address, use grp-gcp-organization-admins@<your-domain>.com.
- When you're asked to select a role, select Resource Manager > Organization Administrator.
- After you've added the first role, click Add another role and then add the following additional roles for the grp-gcp-organization-admins@<your-domain>.com member:
  - Resource Manager > Folder Admin
  - Resource Manager > Project Creator
  - Billing > Billing Account User
  - Roles > Organization Role Administrator
  - Organization Policy > Organization Policy Administrator
  - Security Center > Security Center Admin
  - Support > Support Account Administrator
- When you're done adding roles, click Save.
Set up billing
In this task, you set up a billing account to pay for Google Cloud resources, and you set administrator access for your billing accounts.
As you prepare for this task, you'll need to decide which type of billing account to use for your setup:
- Self-serve. You sign up online using a credit or debit card, or ACH direct debit. Costs are charged automatically.
- Invoiced. If you already have self-service billing set up, you might be eligible to switch your account type to monthly invoiced billing if your business meets certain requirements. Invoices are sent by mail or electronically and may be paid by check or wire transfer.
For more information, see Billing account types.
Who performs this task
This task requires multiple people:
- A person in the grp-gcp-organization-admins@<your-domain>.com group created in task 2, or someone with the administrator access defined in task 3.
- A person in the grp-gcp-billing-admins@<your-domain>.com group created in task 2.
What you do in this task
- Assign administrative access to the grp-gcp-billing-admins@<your-domain>.com group created in task 2.
- Decide whether to use a self-serve or invoiced billing account.
- Set up a billing account and a payment method.
Why we recommend this task
A Cloud Billing account is required to use Google Cloud products. Cloud Billing accounts are linked to one or more Google Cloud projects and are used to pay for the resources you use, such as virtual machines, networking, and storage. IAM roles control access to Cloud Billing accounts.
Set up administrator access
Team members who are assigned the Billing Account Administrator IAM role can complete tasks such as managing payments and invoices, setting budgets, and associating projects with billing accounts. The role does not give team members permission to view the contents of the projects.
- Make sure that you're signed in to the Google Cloud console as a user in the grp-gcp-organization-admins Google Group that was created in task 2, or as a user with the administrator access defined in task 3.
- Complete the steps at Grant access, with the following changes:
  - When you're asked to enter an email address, use grp-gcp-billing-admins@<your-domain>.com.
  - When you're asked to select a role, select Billing > Billing Account Administrator.
  - After you've added the first role, click Add another role and then add the following additional roles for the grp-gcp-billing-admins@<your-domain>.com member:
    - Billing > Billing Account Creator
    - Resource Manager > Organization Viewer
Set up the billing account
Next, you set up a Cloud Billing account. There are two types of billing accounts:
- Self-serve. You sign up online using a credit or debit card, or ACH direct debit. Costs are charged automatically.
- Invoiced. You pay by check or wire transfer. Invoices are sent by mail or electronically.
When you sign up online for a billing account, your account is automatically set up as a self-serve account. You cannot sign up online for an invoiced account; instead, you must apply for invoiced billing. For more information, see Billing account types.
Self-serve accounts
- Log in to the Google Cloud console as a user in the grp-gcp-billing-admins Google Group that was created in task 2.
- To verify that the billing account was created, go to the Billing page, and then select your organization in the Select an organization list. If the billing account was created successfully, you see it in the billing account list.
Invoiced accounts
Contact your Google sales representative to request an invoiced account. Your sales representative will submit a request on your behalf.
Learn more about how to apply for monthly invoiced billing, including eligibility requirements for invoiced billing accounts.
Wait to receive email confirmation. This process can take up to 5 business days.
To verify that the invoiced billing account was created, go to the Billing page, and then select your organization in the Select an organization list. If the invoiced billing account is available, you see it in the billing account list.
After you set up the billing account
To monitor your costs and avoid surprises on your bill, after you have set up your Cloud Billing account, we recommend you implement the following billing best practices for each billing account:
- Configure Cloud Billing data exports to a BigQuery dataset.
- Define budgets to generate alerts when spending reaches certain thresholds.
For best practices to monitor and control costs, see Monitor and control cost.
Resource hierarchy
In this task, you create a basic structure for folders and projects in your resource hierarchy:
- Folders provide a grouping mechanism and isolation boundaries between projects. For example, they can represent the main departments in your organization such as finance or retail, or environments such as production versus non-production.
- Projects contain your cloud resources, such as virtual machines, databases, and storage buckets. For design considerations and best practices to organize your resources in projects, see Decide a resource hierarchy for your Google Cloud landing zone.
You can set IAM policies to control access at different levels of the resource hierarchy. You will set these policies as a later task in this checklist.
Who performs this task
A person in the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2, or someone with the administrator access defined in task 3.
What you do in this task
Create the initial hierarchy structure with folders and projects.
Why we recommend this task
Creating the structure is a requirement for a later task where you set IAM policies in order to control access at different levels of the resource hierarchy.
Plan the resource hierarchy
There are many ways to create your resource hierarchy. The following diagram shows a typical example:
In the example, the organization resource hierarchy contains three levels of folders:
- Environment (non-production and production). By isolating environments from each other, you can better control access to production environments and avoid non-production changes accidentally impacting production.
- Business units. In the diagram, these are represented by Dept X and Dept Y, which might be business units such as Engineering and Marketing, and a Shared folder that has projects that contain resources shared across the hierarchy, such as networking, logging, and monitoring.
- Teams. In the diagram, these are represented by Team A, Team B, and Team C, which might be teams like Development, Data Science, QA, and so on.
Create initial folders in the resource hierarchy
In this step, you create basic folders for your initial setup, as shown in this diagram. Folders allow you to group resources.
To create initial folders:
- Sign in to the Google Cloud console as a user in the grp-gcp-organization-admins Google Group (created in task 2), or as a user with the administrator access defined in task 3.
- In the Google Cloud console, go to the Manage resources page.
- Create the following two folders:
  - Production > Shared
  - Non-Production > Shared
Create initial projects in the resource hierarchy
After creating the initial hierarchy, you create projects. Following the principle of separating production and non-production environments, for this checklist you need to create the following projects:
- example-vpc-host-nonprod. This project is used to help connect non-production resources from multiple projects to a common VPC network.
- example-vpc-host-prod-draft. This project is a placeholder to eventually connect production resources from multiple projects to a common VPC network.
- example-monitoring-nonprod. This project is used to host non-production monitoring resources.
- example-monitoring-prod-draft. This project is a placeholder to eventually host production monitoring resources.
- example-logging-nonprod. This project is used to host exported log data from your non-production environment.
- example-logging-prod-draft. This project is a placeholder used to eventually host exported log data from your production environment.
Project names are limited to 30 characters. Typically, you would use your own company name in place of example, as long as you can do so within the 30-character limit. When you create projects in the resource hierarchy in the future, we recommend using a naming convention such as <business unit name>-<team name>-<application name>-<environment>, according to the resource hierarchy of your organization.
To create the projects:
- In the Google Cloud console, go to the Manage resources page.
- Click Create Project.
- In the New Project window, enter one of the project names listed earlier.
- If you're prompted to select a billing account, select the billing account you want to use for this checklist.
- For Location, click Browse and then set the location as follows:
  - If the name of the project you're creating ends with prod, select Production > Shared.
  - If the name of the project you're creating ends with nonprod, select Non-Production > Shared.
- Click Create.
- Repeat steps 2 through 6 for each of the recommended projects.
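The naming rules above (the 30-character limit, the prod/nonprod placement rule, and the suggested naming convention), as an added example in Python that is not part of the checklist: it validates project names, picks the folder for each of the six recommended projects, and parses a future project name into the convention's parts. Treating the prod-draft placeholder projects as production, and reading the convention as exactly three hyphen-separated parts before the environment, are assumptions made here.

```python
"""Validate checklist project names and choose the folder for each.

Added example; it is not part of the checklist. It encodes two rules stated
in the checklist: project names are limited to 30 characters, and a name
ending in "prod" goes under Production > Shared while one ending in
"nonprod" goes under Non-Production > Shared. Treating the "prod-draft"
placeholder projects as production, and reading the naming convention as
exactly three hyphen-separated parts before the environment, are assumptions.
"""
from __future__ import annotations

MAX_NAME_LEN = 30  # limit stated in the checklist

# Folder (Location) to select for each environment suffix.
FOLDER_FOR_SUFFIX = {
    "nonprod": "Non-Production/Shared",
    "prod": "Production/Shared",
    "prod-draft": "Production/Shared",  # assumption: placeholders sit with prod
}

# The six projects the checklist asks you to create.
CHECKLIST_PROJECTS = [
    "example-vpc-host-nonprod", "example-vpc-host-prod-draft",
    "example-monitoring-nonprod", "example-monitoring-prod-draft",
    "example-logging-nonprod", "example-logging-prod-draft",
]


def environment_of(name: str) -> str:
    """Return the environment suffix, trying longer suffixes first.

    The leading hyphen matters: "...-nonprod" must not be read as "-prod".
    """
    for suffix in sorted(FOLDER_FOR_SUFFIX, key=len, reverse=True):
        if name.endswith("-" + suffix):
            return suffix
    raise ValueError(f"{name!r} does not end with one of {sorted(FOLDER_FOR_SUFFIX)}")


def validate_name(name: str) -> list[str]:
    """Problems with a project name; an empty list means it is acceptable."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"{len(name)} characters, limit is {MAX_NAME_LEN}")
    try:
        environment_of(name)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def folder_for(name: str) -> str:
    """Folder path to select under Location when creating the project."""
    return FOLDER_FOR_SUFFIX[environment_of(name)]


def rename_for_company(name: str, company: str) -> str:
    """Swap the leading 'example' for your company name, as the checklist suggests."""
    prefix, sep, rest = name.partition("-")
    if prefix != "example":
        raise ValueError(f"{name!r} does not start with 'example-'")
    return company + sep + rest


def plan(company: str = "example") -> dict[str, str]:
    """Map each checklist project, renamed for the company, to its folder.

    Raises ValueError when a renamed name breaks the 30-character limit,
    which is the usual failure with a long company name.
    """
    result: dict[str, str] = {}
    for name in CHECKLIST_PROJECTS:
        renamed = rename_for_company(name, company)
        problems = validate_name(renamed)
        if problems:
            raise ValueError(f"{renamed}: " + "; ".join(problems))
        result[renamed] = folder_for(renamed)
    return result


def parse_convention(name: str) -> dict[str, str]:
    """Split a future project name into the four parts of the convention."""
    env = environment_of(name)
    parts = name[: -(len(env) + 1)].split("-")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"{name!r} is not <business unit>-<team>-<application>-<environment>")
    return {"business_unit": parts[0], "team": parts[1],
            "application": parts[2], "environment": env}
```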
Confirm projects are linked to the appropriate billing account
In order to perform tasks later in this checklist, projects must be linked to a billing account. For a current list of your projects and linked billing accounts, visit Task 5 in the Google Cloud console.
If you do not have access to an active billing account, skip to the next task. If you attempt to use projects not linked to a billing account, the Google Cloud console prompts you to enable billing. When a billing account is ready, return to this step to enable billing for those projects.
To review or change billing accounts set for projects in Cloud Billing:
- View billing accounts on the Billing page and select the My Projects tab. The page lists all billing accounts linked to your organization's projects.
- To change the billing account for any project, see Enable, disable, or change billing for a project.
Access
In this task, you set up access control for your resource hierarchy by adding IAM policies to the resources. An IAM policy is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.
To set permissions, you perform the same basic procedure, but you do it for resources at different levels of the hierarchy (organization, folders, and projects). We recommend that you use the principle of least privilege and grant the least amount of access that's necessary to resources in each level. The roles that we recommend in the following procedures help you enforce the principle of least privilege.
Who performs this task
A person in the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2, or someone with the administrator access defined in task 3.
What you do in this task
Set IAM policies on the organization, folder, and project level.
Why we recommend this task
Setting IAM policies across your resource hierarchy lets you scalably control access to your cloud resources.
About IAM policies
IAM policies apply at three levels of your resource hierarchy:
- The organization. Policies that you set at the organization level apply to all folders and projects in the organization.
- A folder. Policies set on a folder apply to projects within the folder.
- A project. Policies set at the project level apply only to that project.
The following table lists the principals and the roles that you assign to them at the organization level.
Principal | Roles to grant |
---|---|
grp-gcp-network-admins@<your-domain>.com | |
grp-gcp-security-admins@<your-domain>.com | |
grp-gcp-devops@<your-domain>.com | Resource Manager > Folder Viewer. This grants permissions to view folders. |
grp-gcp-billing-viewer | Billing > Viewer. This role provides permissions to view billing account cost and pricing information. |
grp-gcp-platform-viewer | Viewer. This role provides permissions to view existing resources or data. |
grp-gcp-security-reviewer | IAM > Security Reviewer. This role provides permissions to list all resources and allow policies on them. |
grp-gcp-network-viewer | Compute Engine > Network Viewer. This role provides read-only access to all networking resources. |
grp-gcp-audit-viewer | |
grp-gcp-scc-admin | Security Center > Admin. This role provides administrator access to the security center. |
grp-gcp-secrets-admin | Secret Manager > Admin. This role provides full access to administer Secret Manager resources. |
Administer IAM roles
- Make sure that you're signed in to the Google Cloud console as a user in the grp-gcp-organization-admins Google Group that was created in task 2, or as someone with the administrator access defined in task 3.
- In the Google Cloud console, go to the Manage resources page.
- Select your organization from the organization tree grid.
- If the Info Panel pane on the right is hidden, click Show Info Panel in the top right corner.
- Select the checkbox for the organization.
- In the Info Panel pane, in the Permissions tab, click Add Member.
- In the New members field, enter the name of a member from the table. For example, start by entering grp-gcp-network-admins@<your-domain>.com, as listed in the preceding table.
- In the Select a role list, select the first role for that member as listed in the table. For example, for the first member, the first role that you select is Compute Engine > Compute Network Admin.
- Click Add another role, and then add the next role for that member.
- Add the next role for that member.
- When you've added all the roles for a member, click Save.
- Repeat steps 2 through 7 for the other members listed in the table.
Set IAM policies at the folder level
Policies set on the folder level also apply to projects in the folders. The procedure is similar to what you did for your organization, except that you select a different level in the hierarchy.
- Clear the checkbox for the organization and for any other resource that is selected.
- Select the checkbox for the Production folder.
- In the Info Panel pane, in the Permissions tab, click Add Member.
- In the New members field, enter grp-gcp-devops@<your-domain>.com.
- Using the same steps you used for adding roles to organization members, add the following roles to the grp-gcp-devops@<your-domain>.com member:
  - Logging > Logging Admin. This grants full permissions to Cloud Logging.
  - Error Reporting > Error Reporting Admin. This grants full permissions to error reporting data.
  - Service Management > Quota Administrator. This grants access to administer service quotas.
  - Monitoring > Monitoring Admin. This grants full permissions to monitoring data.
  - Compute Engine > Compute Admin. This grants full permissions to Compute Engine resources.
  - Kubernetes Engine > Kubernetes Engine Admin. This grants full permissions to Google Kubernetes Engine container clusters.
- When you've finished adding roles, click Save.
- Clear the checkbox for the Production folder.
- Select the checkbox for the Non-Production folder.
- Add grp-gcp-developers@<your-domain>.com as a new member.
- Assign the following IAM roles to the grp-gcp-developers@<your-domain>.com member:
  - Compute Engine > Compute Admin. This grants full permissions to Compute Engine resources.
  - Kubernetes Engine > Kubernetes Engine Admin. This grants full permissions to Google Kubernetes Engine container clusters.
Set IAM policies at the project level
Policies that you set at the project level apply only to the projects they are applied to. This lets you set fine-grained permissions for individual projects.
1. Clear the checkbox for any folders and for any other resource that has been selected.
2. Select the checkboxes for the following projects:
   - example-vpc-host-nonprod
   - example-vpc-host-prod
3. Add grp-gcp-network-admins@<your-domain>.com as a member.
4. Assign the following role to the grp-gcp-network-admins@<your-domain>.com member:
   - Project > Owner. This grants full permissions to all resources in the selected projects.
5. Click Save.
6. Clear the checkboxes for the selected projects.
7. Select the checkboxes for the following projects:
   - example-monitoring-nonprod
   - example-monitoring-prod
   - example-logging-nonprod
   - example-logging-prod
8. Add grp-gcp-devops@<your-domain>.com as a new member.
9. Assign the following role to the grp-gcp-devops@<your-domain>.com member:
   - Project > Owner. This grants full permissions to all resources in the selected projects.
10. Click Save.
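The folder- and project-level grants from this task, plus the first organization-level grant the text mentions, written as Terraform so that they can be code-reviewed and re-applied. This is an added example, not code from the checklist: the organization ID, folder IDs and domain are placeholders, the project IDs and groups are the ones the checklist uses, and the role IDs are the IAM names behind the console labels (shown in comments). The `*_iam_member` resources are additive, which matches the console's Add Member behaviour.

```hcl
variable "org_id"            { default = "ORG_ID_PLACEHOLDER" }         # placeholder
variable "domain"            { default = "your-domain.com" }            # placeholder
variable "production_folder" { default = "folders/PROD_FOLDER_ID" }     # placeholder
variable "nonprod_folder"    { default = "folders/NONPROD_FOLDER_ID" }  # placeholder

resource "google_organization_iam_member" "network_admins" {
  org_id = var.org_id
  role   = "roles/compute.networkAdmin"   # Compute Engine > Compute Network Admin
  member = "group:grp-gcp-network-admins@${var.domain}"
}

# Folder level: every project under the folder inherits these bindings.
resource "google_folder_iam_member" "prod_devops" {
  for_each = toset([
    "roles/logging.admin",                # Logging > Logging Admin
    "roles/errorreporting.admin",         # Error Reporting > Error Reporting Admin
    "roles/servicemanagement.quotaAdmin", # Service Management > Quota Administrator
    "roles/monitoring.admin",             # Monitoring > Monitoring Admin
    "roles/compute.admin",                # Compute Engine > Compute Admin
    "roles/container.admin",              # Kubernetes Engine > Kubernetes Engine Admin
  ])
  folder = var.production_folder
  role   = each.value
  member = "group:grp-gcp-devops@${var.domain}"
}

resource "google_folder_iam_member" "nonprod_developers" {
  for_each = toset(["roles/compute.admin", "roles/container.admin"])
  folder   = var.nonprod_folder
  role     = each.value
  member   = "group:grp-gcp-developers@${var.domain}"
}

# Project level: Owner only on the projects the checklist names, and only to groups,
# so membership changes happen in Cloud Identity rather than in IAM policies.
resource "google_project_iam_member" "vpc_host_owner" {
  for_each = toset(["example-vpc-host-nonprod", "example-vpc-host-prod"])
  project  = each.value
  role     = "roles/owner"   # Project > Owner
  member   = "group:grp-gcp-network-admins@${var.domain}"
}

resource "google_project_iam_member" "observability_owner" {
  for_each = toset([
    "example-monitoring-nonprod", "example-monitoring-prod",
    "example-logging-nonprod", "example-logging-prod",
  ])
  project = each.value
  role    = "roles/owner"
  member  = "group:grp-gcp-devops@${var.domain}"
}
```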
Networking
In this task, you set up your initial networking configuration. Typically, you need to do the following:
- Design, create, and configure a virtual private cloud architecture.
- If you have on-premises networking, or networking in another cloud provider, configure connectivity between that provider and Google Cloud.
- Set up a path for external egress traffic.
- Implement network security controls, such as firewall rules.
- Choose a preferred ingress traffic option for services that are hosted on the cloud.
This task shows you an example for item 1 as a basis for your own virtual private cloud architecture.
The remaining items—external connectivity, egress traffic configuration, implementing firewall rules, and choosing an ingress option—are dependent on your business needs. Therefore, we don't cover those in this checklist. However, we provide links to additional information for these items.
Who performs this task
A person in the grp-gcp-network-admins@<your-domain>.com group that was created in task 2.
What you do in this task
Set up an initial networking configuration.
- Create Shared VPC networks
- Configure connectivity between the external provider and Google Cloud
- Set up a path for external egress traffic
- Implement network security controls
- Choose an ingress traffic option
Why we recommend this task
Shared VPC allows separate teams to connect to a common, centrally-managed VPC network from multiple distinct projects.
Configuring hybrid connectivity allows seamless migration of applications to Google Cloud while still connecting to service dependencies.
Designing secure ingress and egress pathways from the start enables your teams to productively work in Google Cloud without compromising security.
Virtual private cloud architecture
Google offers Virtual Private Cloud (VPC), which provides networking functionality to your Google Cloud resources such as Compute Engine virtual machine instances, GKE containers, and App Engine flexible environment. The following diagram shows a basic multi-regional architecture:
This architecture has two Shared VPC host projects. One host project is for your non-production environment, and the other is for your eventual production environment (currently labeled "production-draft"). Shared VPC allows organizations to connect resources from multiple projects to a common network, so that the resources can communicate with each other more securely and efficiently using internal IP addresses from that network.
A Shared VPC host project contains one or more Shared VPC networks. In this architecture, each Shared VPC network (both production-draft and non-production) contains public and private subnets across two regions (in this case, us-east1 and us-west1):
- The public subnet can be used for instances that are internet-facing to provide external connectivity.
- The private subnet can be used for instances that are solely internal-facing and should not be allocated public IP addresses.
The architecture that's shown in the preceding diagram uses example names for various resources. For your own setup, you might change elements of the name, such as your company (example in the example names) and the region you're using (us-east1 and us-west1 in the examples).
Configure networking
Although networking setups vary based on your workload, the following activities are common:
1. Create Shared Virtual Private Cloud (VPC) networks. Shared VPC allows an organization to connect resources from multiple projects to a common VPC network. To create a Shared VPC network, use the Google Cloud console.
2. Configure connectivity between the external provider and Google Cloud. If you have on-premises networking, or networking in another cloud provider, you can set up Cloud VPN, a service that helps securely connect your peer network to your Google Cloud VPC network through an IPSec VPN connection. Cloud VPN is suitable for speeds up to 3.0 Gbps. If you need higher bandwidth to connect your on-premises system to Google Cloud, see Partner Interconnect and Dedicated Interconnect. To create a VPN connection, follow the instructions at Creating a gateway and tunnel for both the production-draft and non-production Shared VPC networks created in the previous procedure.
3. Set up a path for external egress traffic. You use Cloud NAT to allow your VMs to connect to the internet without using external IP addresses. Cloud NAT is a regional resource. You can configure it to allow traffic from all primary and secondary IP ranges of subnets in a region, or you can configure it to apply to only some of those ranges. To set up a path for external egress traffic, follow the instructions at Create NAT for all regions in the Shared VPC networks created in the previous procedure, for both the production-draft and non-production networks.
4. Implement network security controls. Firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration that you specify. Follow the instructions at Using firewall rules to configure these controls for both the production-draft and non-production Shared VPC networks that were created in the previous procedure.
5. Choose an ingress traffic option. Cloud Load Balancing allows you to control how compute resources are distributed across regions. Load balancing helps you meet availability requirements both for incoming external traffic and for traffic within your VPC network. As you plan your application architecture on Google Cloud, review Choosing a Load Balancer to decide which types of load balancers you need.
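Items 1, 3 and 4 above for the non-production host project, as an added Terraform example that is not part of the checklist: it enables the project as a Shared VPC host, creates a custom-mode network with one private subnet per region (the public subnets from the diagram are left out to keep it short), adds a Cloud NAT egress path per region, and opens only subnet-to-subnet ingress with firewall logging on. The CIDR ranges and resource names are constructed; the project ID is the one the checklist uses.

```hcl
variable "host_project" { default = "example-vpc-host-nonprod" }  # repeat for the prod host
provider "google" { project = var.host_project }                  # all resources land here
locals { private_subnets = { "us-east1" = "10.10.0.0/20", "us-west1" = "10.10.16.0/20" } }
# Mark the project as a Shared VPC host; service projects are attached to it later.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project
}

resource "google_compute_network" "nonprod" {
  name                    = "example-vpc-nonprod"
  auto_create_subnetworks = false   # custom mode: no auto-created subnet in every region
}

resource "google_compute_subnetwork" "private" {
  for_each                 = local.private_subnets
  name                     = "example-private-${each.key}"
  region                   = each.key
  network                  = google_compute_network.nonprod.id
  ip_cidr_range            = each.value
  private_ip_google_access = true   # reach Google APIs without an external IP
}

# Cloud NAT is regional: one Cloud Router and one NAT gateway per region for egress.
resource "google_compute_router" "nat" {
  for_each = local.private_subnets
  name     = "nat-router-${each.key}"
  region   = each.key
  network  = google_compute_network.nonprod.id
}

resource "google_compute_router_nat" "egress" {
  for_each                           = local.private_subnets
  name                               = "nat-${each.key}"
  region                             = each.key
  router                             = google_compute_router.nat[each.key].name
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

# VPC networks deny ingress by default; open only subnet-to-subnet traffic and log it.
resource "google_compute_firewall" "allow_internal" {
  name          = "example-allow-internal"
  network       = google_compute_network.nonprod.name
  source_ranges = values(local.private_subnets)
  allow { protocol = "tcp" }
  allow { protocol = "udp" }
  allow { protocol = "icmp" }
  log_config { metadata = "INCLUDE_ALL_METADATA" }
}
```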
Monitoring and logging
In this task, you set up basic logging and monitoring features using Cloud Logging and Cloud Monitoring.
Who performs this task
A person in the grp-gcp-devops@<your-domain>.com group that was created in task 2.
What you do in this task
Set up basic logging and monitoring features using Cloud Logging and Cloud Monitoring.
Why we recommend this task
Comprehensive logging and monitoring is key to maintaining observability in your cloud environment. Configuring appropriate logging retention from the start gives you confidence that an audit trail is preserved, while setting up centralized monitoring gives your team a central dashboard for viewing your environments.
Set up monitoring
Cloud Monitoring collects metrics, events, and metadata from Google Cloud services, hosted uptime probes, application instrumentation, and other common application components.
In this task, you configure a Google Cloud project to have access to the metrics of other Google Cloud projects:
- Sign in to the Google Cloud console as a user in the grp-gcp-devops Google Group created in task 2.
- Add the projects that you want to monitor to the example-monitoring-nonprod scoping project. For example, add all of the other non-production projects.
- Repeat this procedure for your production projects. Use example-monitoring-prod as the scoping project, and add the production projects that you wish to monitor.
Set up logging
Cloud Logging allows you to store, search, analyze, monitor, and alert on log data and events from Google Cloud and Amazon Web Services (AWS). Cloud Logging also allows you to ingest custom log data from any source, and to export logs to external data sinks.
Make sure that you're signed in to the Google Cloud console as a user in the grp-gcp-devops group that was created in task 2.
1. Enable logging export for BigQuery, using the following values:
   - Select the example-logging-nonprod project.
   - Create a BigQuery dataset. For Dataset ID, use a name like example_logging_export_nonprod.
   - After you've named the dataset, click Create dataset.
2. Repeat the previous step for the example-logging-prod project, but use example_logging_export_prod for the dataset ID.
3. Review the logs retention periods to determine whether they meet your compliance requirements. If they don't, set up log export to Cloud Storage, which can be helpful for long-term retention.
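The non-production half of the logging and monitoring setup above as an added Terraform example (not part of the checklist). It creates the dataset the checklist names, then assumes an aggregated sink on the Non-Production folder (the checklist leaves the sink scope to you) that exports audit logs into it, grants the sink's writer identity access to the dataset, and registers two non-production projects in the example-monitoring-nonprod metrics scope. The folder ID, dataset location, retention value and audit-only filter are assumptions.

```hcl
variable "nonprod_folder" { default = "folders/NONPROD_FOLDER_ID" }  # placeholder

# The dataset the checklist has you create in the nonprod logging project.
resource "google_bigquery_dataset" "logs" {
  project                     = "example-logging-nonprod"
  dataset_id                  = "example_logging_export_nonprod"
  location                    = "US"                          # assumption: pick your region
  default_table_expiration_ms = 400 * 24 * 60 * 60 * 1000      # ~400 days; set per compliance
}

# Assumption: an aggregated sink on the Non-Production folder so that every project
# under it exports to the dataset without per-project configuration.
resource "google_logging_folder_sink" "nonprod_to_bq" {
  name             = "nonprod-logs-to-bigquery"
  folder           = var.nonprod_folder
  include_children = true
  destination      = "bigquery.googleapis.com/${google_bigquery_dataset.logs.id}"
  # Audit trail only (assumption); widen the filter if application logs are wanted too.
  filter           = "logName:\"cloudaudit.googleapis.com\""
  bigquery_options { use_partitioned_tables = true }
}

# The sink writes as its own service account, which needs write access to the
# dataset; without this binding every exported entry is dropped.
resource "google_bigquery_dataset_iam_member" "sink_writer" {
  project    = google_bigquery_dataset.logs.project
  dataset_id = google_bigquery_dataset.logs.dataset_id
  role       = "roles/bigquery.dataEditor"
  member     = google_logging_folder_sink.nonprod_to_bq.writer_identity
}

# Monitoring: make example-monitoring-nonprod the scoping project for the other
# non-production projects, as in the "Set up monitoring" steps.
resource "google_monitoring_monitored_project" "nonprod" {
  for_each      = toset(["example-vpc-host-nonprod", "example-logging-nonprod"])
  metrics_scope = "locations/global/metricsScopes/example-monitoring-nonprod"
  name          = each.value
}
```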
Security
In this task, you configure Google Cloud products to help protect your organization. Google Cloud provides many security offerings.
Who performs this task
A person in the grp-gcp-organization-admins@<your-domain>.com group that was created in task 2, or someone with the administrator access defined in task 3.
What you do in this task
- Enable the Security Command Center dashboard
- Set up Organization Policy
Why we recommend this task
We recommend setting up the following two products:
Security Command Center. This comprehensive security management and data risk platform enables you to monitor your cloud assets, scan storage systems for sensitive data, detect common web vulnerabilities, and review access rights to critical resources.
Organization Policy Service. This service gives you centralized and programmatic control over your organization's cloud resources.
Set up the products
Sign in to the Google Cloud console as a user in the grp-gcp-organization-admins group that was created in task 2, or as a user with the administrator access defined in task 3.
Set up Organization Policy by following the steps at Customizing policies for boolean constraints. When you're asked to select a project, folder, or organization, select your organization.
We recommend setting the following policies:
Skip default network creation.
- On the Organization policies screen, filter for Skip default network creation.
- Select Skip default network creation policy.
- Click Edit.
- Select Customize and click Add Rule.
- When asked to select an enforcement option, select On.
Define allowed external IPs for VM instances.
- On the Organization policies screen, filter for Define allowed external IPs for VM instances.
- Select Define allowed external IPs for VM instances policy and click Edit.
- Select Customize and click Add Rule. When you're asked to select policy values, select Deny All.
You can also set a custom policy to allow or deny external IPs for specific VM instances.
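The two recommended policies above, plus the per-instance exception the last sentence mentions, as an added Terraform example that is not part of the checklist. The organization ID, folder ID and the instance path in the exception are placeholders; the constraint names are the real ones behind the console labels.

```hcl
variable "org_id"         { default = "ORG_ID_PLACEHOLDER" }          # placeholder
variable "nonprod_folder" { default = "folders/NONPROD_FOLDER_ID" }   # placeholder

# Boolean constraint: new projects get no auto-created "default" network, so every
# subnet and firewall rule is one you designed (see the Networking task).
resource "google_organization_policy" "skip_default_network" {
  org_id     = var.org_id
  constraint = "compute.skipDefaultNetworkCreation"
  boolean_policy { enforced = true }
}

# List constraint: deny external IPs on all VM instances, organization-wide.
resource "google_organization_policy" "no_external_ips" {
  org_id     = var.org_id
  constraint = "compute.vmExternalIpAccess"
  list_policy {
    deny { all = true }
  }
}

# Narrower exception on one folder. Values for this constraint are instance paths,
# so only the named VM may hold an external IP; everything else stays denied.
# With inherit_from_parent = false this policy replaces the inherited deny-all for
# the folder, so keep the allow list short and reviewed.
resource "google_folder_organization_policy" "nonprod_external_ip_exception" {
  folder     = var.nonprod_folder
  constraint = "compute.vmExternalIpAccess"
  list_policy {
    inherit_from_parent = false
    allow {
      values = ["projects/example-vpc-host-nonprod/zones/us-east1-b/instances/INSTANCE_PLACEHOLDER"]
    }
  }
}
```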
Support
In this task, you can choose a support option.
Who performs this task
A person in the grp-gcp-organization-admins@<your-domain>.com group created in task 2, or someone with the administrator access defined in task 3.
What you do in this task
Choose a support plan based on your company's needs.
Why we recommend this task
A premium support plan provides you with business-critical support to quickly resolve issues with help from experts at Google.
Choose a support option
Every Google Cloud customer automatically gets free support that includes support product documentation, community support, and support for billing issues. However, we recommend that enterprise customers sign up for a premium support plan, which offers one-on-one technical support with Google support engineers. For more information, you can compare support plans.
Enable support
1. Compare the support plans and decide which plan you want. You set up the support plan in a later step. If you decide to stay with free support options, you can continue to the next task.
2. Make sure that you're signed in to the Google Cloud console as a user in the grp-gcp-organization-admins Google Group that was created in task 2, or as a user with the administrator access defined in task 3.
3. Set up the support plan:
   - To request Premium Support, contact your Google sales representative. If you don't have a representative, contact sales.
   - To enable Role-Based Support, go to the Enable Role-Based Support page in the Google Cloud console and follow the on-screen prompts to complete the required steps.
4. Follow the instructions at Support user roles to assign the Support User and Org Viewer roles to each user who needs to interact with Google Cloud Support.