Before you run workloads on Google Cloud, you must configure an initial foundation to support your work. Google Cloud setup helps administrators configure Google Cloud for scalable production workloads. The setup process guides you through an interactive procedure that helps you create a foundational architecture with best practices in mind.
To help you align with your business needs, you can quickly deploy a default configuration or make adjustments throughout the setup process. Depending on your preferred deployment workflow, you can deploy your configuration directly from the console, or download and deploy Terraform to integrate with your own Infrastructure as Code (IaC) process.
This document includes steps and background information to help you complete the setup process, which is also available as an interactive guide in the Google Cloud console:
The setup process includes the following phases:
- Establish your organization, administrators, and billing: Set up the top-level node of your hierarchy, create initial administrator users, and connect your payment method.
- Create an initial architecture: Select an initial folder and project structure, assign access, set up your network, and configure logging.
- Deploy your settings: Your initial architecture choices are compiled in Terraform configuration files. You can quickly deploy through the Google Cloud console, or download the files to customize and iterate using your own workflow.
- Apply security and support settings: Apply recommended monitoring, security, and support settings to bolster your architecture.
Establish your organization, administrators, and billing
Organization
An organization resource in Google Cloud represents your business, and serves as the top level node of your hierarchy. To create your organization, you set up a Google identity service and associate it with your domain. When you complete this process, an organization resource is automatically created.
For an overview of the organization resource, see the following:
Who performs this task
The following two administrators perform this task:
- An identity administrator responsible for assigning role-based access. You assign this person as the Cloud Identity super administrator. For more information about the super administrator user, see Prebuilt administrator roles.
- A domain administrator with access to the company's domain host. This person edits your domain settings, such as DNS configurations, as part of the domain verification process.
What you do in this task
- If you haven't already, set up Cloud Identity, where you create a managed user account for your super administrator user.
- Link Cloud Identity to your domain (such as example.com).
- Verify your domain. This process creates the root node of your resource hierarchy, known as the organization resource.
Why we recommend this task
You must configure the following as part of your Google Cloud foundation:
- A Google identity service to centrally manage identities.
- An organization resource to establish the root of your hierarchy and access control.
Google identity service options
You use one or both of the following Google identity services to administer credentials for Google Cloud users:
- Cloud Identity: Centrally manages users and groups. You can federate identities between Google and other identity providers. For more information, see Overview of Cloud Identity.
- Google Workspace: Manages users and groups, and provides access to productivity and collaboration products like Gmail and Google Drive. For more information, see Google Workspace.
For detailed information about identity planning, see Planning the onboarding process for your corporate identities.
Before you begin
To understand how to manage a super administrator account, see Super administrator account best practices.
Configure an identity provider and verify your domain
The steps you complete in this task depend on whether you are a new or existing customer. Identify the option that fits your needs:
- New customer: Set up Cloud Identity, verify your domain, and create your organization.
- Existing Google Workspace customer: Use Google Workspace as your identity provider for users who access Google Workspace and Google Cloud. If you plan to create users who only access Google Cloud, enable Cloud Identity.
- Existing Cloud Identity customer: Verify your domain, make sure your organization was created, and confirm that Cloud Identity is enabled.
New customer
New Customer: Set up Cloud Identity and create your organization
To create your organization resource, you first set up Cloud Identity, which helps you manage users and groups that access Google Cloud resources.
In this task, you set up Cloud Identity free edition. You can enable Cloud Identity premium edition after you complete your initial setup. For more information, see Compare Cloud Identity features and editions.
Identify the person who serves as the Cloud Identity administrator (also known as the super administrator) in your organization.
Record the administrator's username in the following format: admin-name@example.com. For example, [email protected]. Specify this username when you create your first administrator user.
To complete the setup process and create the super administrator account, go to the Cloud Identity signup page.
If you get an error when you set up the administrator account, see 'Google Account already exists' error.
Verify your domain and create your organization resource
Cloud Identity requires you to verify that you own your domain. Once the verification is complete, your Google Cloud organization resource is automatically created for you.
Make sure you created a super administrator account when you configured your identity provider.
Verify your domain in Cloud Identity. As you complete the verification process, note the following:
- When prompted, don't click Create new users. You will create new users in a later task.
- If you are unable to sign up your domain, see Can't sign up my domain for a Google service.
- The verification may require several hours to process.
For steps to verify your domain, see Verify your domain.
When you finish the domain verification steps, click Set up Google Cloud console now.
Sign in to the Google Cloud console as the super administrator user using the email address you specified. For example, [email protected].
Go to Google Cloud setup: Organization. Your organization is created automatically.
Select your organization from the Select from drop-down list at the top of the page.
Request additional Cloud Identity user licenses
Cloud Identity free edition includes an allotment of user licenses. For steps to view and request licenses, see Your Cloud Identity free edition user cap.
Workspace customer
Existing Google Workspace customer: Verify your domain and enable Cloud Identity
If you are an existing Google Workspace customer, verify your domain, make sure that your organization resource is automatically created, and optionally enable Cloud Identity.
To verify your domain in Google Workspace, see Verify your domain. As you complete the verification process, note the following:
- When prompted, don't click Create new users. You will create new users in a later task.
- If you are unable to sign up your domain, see Can't sign up my domain for a Google service.
- The verification may require several hours to process.
Sign in to the Google Cloud console as the super administrator user.
Go to Google Cloud setup: Organization.
Select I'm a current Google Workspace customer.
Make sure that your organization name is displayed in the Organization list.
If you want to create users who access Google Cloud but don't receive Google Workspace licenses, do the following:
- In Google Workspace, enable Cloud Identity.
- When you set up Cloud Identity, disable automatic Google Workspace licensing.
Cloud Identity customer
Existing Cloud Identity customer: Verify your domain
If you are an existing Cloud Identity customer, make sure you have verified your domain, and that your organization resource was automatically created.
To make sure that you have verified your domain, see Verify your domain. As you complete the verification process, note the following:
- When prompted, don't click Create new users. You will create new users in a later task.
- If you are unable to sign up your domain, see Can't sign up my domain for a Google service.
- The verification may require several hours to process.
Sign in to the Google Cloud console as the super administrator user.
Go to Google Cloud setup: Organization.
Select I'm a current Cloud Identity customer.
Make sure that your organization name is displayed in the Organization list.
Make sure that Cloud Identity is enabled in Google Admin console: Subscriptions. Sign in as a super administrator user.
What's next
Users and groups
In this task, you create user groups and managed user accounts for the administrators in your Google Cloud organization.
For more information on access management on Google Cloud, see the following:
- Identity and Access Management (IAM) overview.
- For best practices, see Manage identity and access.
Before you begin
Find and migrate users that already have Google Accounts. For detailed information, see Add users with unmanaged accounts.
Who performs this task
An identity administrator responsible for managing access to individuals or groups in your organization. You assigned this person as a super administrator in the Organization task.
What you do in this task
In this task, you perform the following user management procedures:
- Create a group for each recommended administrative function, including organization, billing, and network administration.
- Create user accounts for administrators.
- Assign users to administrative groups that correspond to their responsibilities.
You can customize permissions for each group in a later task.
Why we recommend this task
This task helps you implement the following security best practices:
- Principle of least privilege: Give users the minimum permissions required to perform their role, and remove access as soon as it is no longer needed.
- Role-based access control (RBAC): Assign permissions to groups of users according to their job role. Do not add permissions to individual user accounts.
You can use groups to efficiently apply IAM roles to a collection of users. This practice helps you simplify access management.
Create administrative groups
A group is a named collection of Google Accounts and service accounts. Each group has a unique email address, such as [email protected]. You create groups to manage users and apply IAM roles at scale.
The following groups are recommended to help you administer your organization's core functions and complete the Google Cloud setup process.
| Group | Description |
| --- | --- |
| gcp-organization-admins | Administer all organization resources. Assign this role only to your most trusted users. |
| gcp-billing-admins | Set up billing accounts and monitor usage. |
| gcp-network-admins | Create networks, subnets, firewall rules, and network devices such as Cloud Router, Cloud VPN, and load balancers. |
| gcp-logging-admins | Use all Cloud Logging features. |
| gcp-logging-viewers | Read-only access to a subset of logs. |
| gcp-monitoring-admins | Establishing and managing security policies for the entire organization, including access management and organization constraint policies. See the Google Cloud enterprise foundations blueprint for more information about planning your Google Cloud security infrastructure. |
| gcp-security-admins | Establish and manage security policies for the entire organization, including access management and organization constraint policies. |
| gcp-developers | Design, code, and test applications. |
| gcp-devops | Create or manage end-to-end pipelines that support continuous integration and delivery, monitoring, and system provisioning. |
To create administrative groups, do the following:
Sign in to the Google Cloud console as the super administrator account you created in the Organization task.
Go to Google Cloud setup: Users & groups.
Review the task details and click Continue users & groups.
Review the list of recommended administrative groups, and then do one of the following:
- To create all recommended groups, click Create all groups.
- If you want to create a subset of the recommended groups, click Create in the chosen rows.
Click Continue.
Create administrative users
We recommend that you initially add users who complete organizational, networking, billing, and other setup procedures. You can add other users after you complete the Google Cloud setup process.
To add administrative users who perform Google Cloud setup tasks, do the following:
Migrate consumer accounts to managed user accounts controlled by Cloud Identity. For detailed steps, see the following:
Sign in to Google Admin console using a super administrator account.
Use one of the following options to add users:
- To bulk add users, see Add or update multiple users from a CSV file.
- To add users individually, see Add an account for a new user.
When you're done adding users, return to Google Cloud setup: Users & groups (Create users).
Click Continue.
Add administrative users to groups
Add the members you created to administrative groups that correspond to their duties.
In Google Cloud setup: Users & groups (Add users to groups), review the step details.
In each Group row, do the following:
- Click Add members.
- Enter the user's email address.
From the Group role drop-down list, select the user's group permission settings. For more information, see Set who can view, post, and moderate.
Each member inherits all IAM roles you grant to a group, regardless of the group role you select.
To add another user to this group, click Add another member and repeat these steps.
When you're done adding users to this group, click Save.
When you're done adding members to groups, click Confirm users & groups.
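The groups and memberships that the procedure above creates through the console can also be expressed as Terraform, which is useful if you want them under version control alongside the configuration files the setup process generates. The block below is an added example, not code from the setup guide or from Google; it uses the google_cloud_identity_group and google_cloud_identity_group_membership resources. The Cloud Identity customer ID, the domain and the user addresses are placeholders (constructed values).

```hcl
# Added example (not from the Google Cloud setup guide): the recommended
# administrative groups and a few memberships, declared in Terraform.

locals {
  customer_id = "C0123abcd"   # placeholder; shown in the Google Admin console
  domain      = "example.com" # placeholder domain

  admin_groups = [
    "gcp-organization-admins", "gcp-billing-admins", "gcp-network-admins",
    "gcp-logging-admins", "gcp-logging-viewers", "gcp-monitoring-admins",
    "gcp-security-admins", "gcp-developers", "gcp-devops",
  ]

  # Who belongs to which group (constructed values). Roles are never granted to
  # these users directly; each member inherits the IAM roles granted to the group.
  memberships = {
    "gcp-organization-admins/alice" = { group = "gcp-organization-admins", user = "alice@example.com" }
    "gcp-billing-admins/bob"        = { group = "gcp-billing-admins", user = "bob@example.com" }
    "gcp-network-admins/carol"      = { group = "gcp-network-admins", user = "carol@example.com" }
  }
}

resource "google_cloud_identity_group" "admin" {
  for_each     = toset(local.admin_groups)
  display_name = each.key
  parent       = "customers/${local.customer_id}"

  # The group's email address, for example gcp-billing-admins@example.com.
  group_key {
    id = "${each.key}@${local.domain}"
  }

  # This label marks the group as a Google Group; the API requires it.
  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

resource "google_cloud_identity_group_membership" "admin" {
  for_each = local.memberships
  group    = google_cloud_identity_group.admin[each.value.group].id

  preferred_member_key {
    id = each.value.user
  }

  # MEMBER is the plain group role; the IAM roles a member receives come from
  # the bindings on the group, regardless of this value.
  roles {
    name = "MEMBER"
  }
}
```

Applying this requires the Cloud Identity API to be enabled in the project Terraform runs against and a principal with group administration rights in the Cloud Identity customer. Adding a person to a group changes one membership resource, which makes joiner and leaver events visible in the plan and in the audit log.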
What's next
Administrative access
In this task, you use Identity and Access Management (IAM) to assign collections of permissions to groups of administrators at the organization level. This process gives administrators central visibility and control over every cloud resource that belongs to your organization.
For an overview of Identity and Access Management in Google Cloud, see IAM overview.
Who performs this task
To perform this task, you must be one of the following:
- A super administrator user.
- A user with the Organization Administrator role (roles/resourcemanager.organizationAdmin).
What you do in this task
Review a list of default roles assigned to each administrator group that you created in the Users and groups task.
If you want to customize a group, you can do the following:
- Add or remove roles.
- If you do not plan to use a group, you can delete it.
Why we recommend this task
You must explicitly grant all administrative roles for your organization. This task helps you implement the following security best practices:
- Principle of least privilege: Give users the minimum permissions required to perform their jobs, and remove access as soon as it is no longer needed.
- Role-based access control (RBAC): Assign permissions to groups of users according to their jobs. Do not grant roles to individual user accounts.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
Grant access to administrator groups
To grant appropriate access to each administrator group that you created in the Users and groups task, review the default roles that are assigned to each group. You can add or remove roles to customize each group's access.
Make sure that you are logged in to the Google Cloud console as a super administrator user.
Alternatively, you can sign in as a user with the Organization Administrator role (roles/resourcemanager.organizationAdmin).
Go to Google Cloud setup: Administrative access.
Select your organization name from the Select from drop-down list at the top of the page.
Review the task overview and click Continue administrative access.
Review the groups in the Group (Principal) column that you created in the Users & groups task.
For each group, review the default IAM roles. You can add or remove roles assigned to each group to fit the unique needs of your organization.
Each role contains multiple permissions that allow users to perform relevant tasks. For more information about the permissions in each role, see IAM basic and predefined roles reference.
When you are ready to assign roles to each group, click Save and grant access.
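What "Save and grant access" produces is a set of organization-level IAM bindings whose principals are groups. The block below is an added example, not the setup guide's generated Terraform, of how those bindings look when written by hand. The organization ID and domain are placeholders, and the group-to-role mapping is illustrative: the roles named exist in IAM, but the defaults the console proposes for each group are the ones to review there, not this list.

```hcl
# Added example (not from the Google Cloud setup guide): organization-level
# roles granted to administrative groups, with a plan-time guard.

locals {
  org_id = "123456789012" # placeholder organization ID
  domain = "example.com"  # placeholder domain

  # Illustrative mapping; adjust to the roles you reviewed in the console.
  group_roles = {
    "gcp-organization-admins" = [
      "roles/resourcemanager.organizationAdmin",
      "roles/resourcemanager.folderAdmin",
    ]
    "gcp-billing-admins"    = ["roles/billing.admin"]
    "gcp-network-admins"    = ["roles/compute.networkAdmin"]
    "gcp-logging-admins"    = ["roles/logging.admin"]
    "gcp-logging-viewers"   = ["roles/logging.viewer"]
    "gcp-monitoring-admins" = ["roles/monitoring.admin"]
    "gcp-security-admins"   = ["roles/orgpolicy.policyAdmin", "roles/iam.securityReviewer"]
  }

  # One (group, role) pair per resource instance, keyed so that adding or
  # removing a single role shows up as exactly one binding in the plan.
  bindings = {
    for pair in flatten([
      for group, roles in local.group_roles : [
        for role in roles : { group = group, role = role }
      ]
    ]) : "${pair.group}/${pair.role}" => pair
  }
}

resource "google_organization_iam_member" "group_grant" {
  for_each = local.bindings

  org_id = local.org_id
  role   = each.value.role
  # The principal is always a group: people are added to the group in Cloud
  # Identity and inherit the role. No user: or serviceAccount: members here.
  member = "group:${each.value.group}@${local.domain}"
}

# Plan-time guard (Terraform 1.5+ check block): refuse any binding whose
# principal is not a group, so a stray per-user grant cannot slip into the
# organization policy through this configuration.
check "org_roles_granted_to_groups_only" {
  assert {
    condition = alltrue([
      for b in google_organization_iam_member.group_grant : startswith(b.member, "group:")
    ])
    error_message = "Organization-level roles must be granted to groups, not to individual users."
  }
}
```

google_organization_iam_member is additive: it adds the listed bindings and leaves any grant made in the console in place. If the organization policy is meant to be exactly what the configuration says, use the authoritative google_organization_iam_binding or google_organization_iam_policy resources instead, and review the plan carefully before applying, because those remove bindings they do not know about.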
What's next
Set up billing.
Billing
In this task, you set up a billing account to pay for Google Cloud resources. To do this, you associate one of the following with your organization:
- An existing Cloud Billing account. If you don't have access to the account, you can request access from your billing account administrator.
- A new Cloud Billing account.
For more information on billing, see the Cloud Billing documentation.
Who performs this task
A person in the gcp-billing-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
- Create or use an existing self-serve Cloud Billing account.
- Decide whether to transition from a self-serve account to an invoiced account.
- Set up a Cloud Billing account and payment method.
Why we recommend this task
Cloud Billing accounts are linked to one or more Google Cloud projects and are used to pay for the resources you use, such as virtual machines, networking, and storage.
Determine your billing account type
The billing account that you associate with your organization is one of the following types:
- Self-serve (or online): Sign up online using a credit or debit card. We recommend this option if you are a small business or individual. When you sign up online for a billing account, your account is automatically set up as a self-serve account.
- Invoiced (or offline): If you already have a self-serve billing account, you might be eligible to apply for invoiced billing if your business meets eligibility requirements. You cannot create an invoiced account online, but you can apply to convert a self-serve account to an invoiced account.
For more information, see Cloud Billing account types.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Set up the billing account
Now that you have chosen a billing account type, associate the billing account with your organization. When you complete this process, you can use your billing account to pay for Google Cloud resources.
Sign in to the Google Cloud console as a user from the gcp-billing-admins@YOUR_DOMAIN group.
Go to Google Cloud setup: Billing.
Review the task overview, and then click Continue billing.
Select one of the following billing account options:
Create a new account
If your organization does not have an existing account, create a new account.
- Select I want to create a new billing account.
- Click Continue.
Select the billing account type you want to create. For detailed steps, see the following:
- To create a new self-serve account, see Create a new self-serve Cloud Billing account.
- To transition an existing self-serve account to invoiced billing, see Apply for monthly invoiced billing.
Verify that your billing account was created:
If you created an invoiced account, wait up to 5 business days to receive email confirmation.
Go to the Billing page.
Select your organization from the Select from list at the top of the page. If the account was created successfully, it is displayed in the billing account list.
Use my existing account
If you have an existing billing account, you can associate it with your organization.
- Select I identified a billing account from this list that I would like to use to complete the setup steps.
- From the Billing drop-down list, select the account you want to associate with your organization.
- Click Continue.
- Review the details and click Confirm billing account.
Use another user's account
If another user has access to an existing billing account, you can ask that user to associate the billing account with your organization, or the user can give you access to complete the association.
- Select I want to use a billing account that's managed by another Google user account.
- Click Continue.
- Enter the billing account administrator's email address.
- Click Contact administrator.
- Wait for the billing account administrator to contact you with further instructions.
What's next
Create an initial architecture
Hierarchy and access
In this task, you set up your resource hierarchy by creating and assigning access to the following resources:
- Folders: Provide a grouping mechanism and isolation boundaries between projects. For example, folders can represent main departments in your organization such as finance or retail, or environments such as production or non-production.
- Projects: Contain your Google Cloud resources, such as virtual machines, databases, and storage buckets.
For design considerations and best practices to organize your resources in projects, see Decide a resource hierarchy for your Google Cloud landing zone.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task can perform this task.
What you do in this task
- Create an initial hierarchy structure that includes folders and projects.
- Set IAM policies to control access to your folders and projects.
Why we recommend this task
Creating a structure for folders and projects helps you manage Google Cloud resources and assign access based on the way your organization operates. For example, you might organize and provide access to resources based on your organization's unique collection of geographic regions, subsidiary structures, or accountability frameworks.
Plan the resource hierarchy
Your resource hierarchy helps you create boundaries, and share resources across your organization for common tasks. You create your hierarchy using one of the following initial configurations, based on your organization structure:
Simple environment-oriented:
- Isolate environments like Non-production and Production.
- Implement distinct policies, regulatory requirements, and access controls in each environment folder.
- Good for small companies with centralized environments.
Simple team-oriented:
- Isolate teams like Development and QA.
- Isolate access to resources using child environment folders under each team folder.
- Good for small companies with autonomous teams.
Environment-oriented:
- Prioritize the isolation of environments like Non-production and Production.
- Under each environment folder, isolate business units.
- Under each business unit, isolate teams.
- Good for large companies with centralized environments.
Business unit-oriented:
- Prioritize the isolation of business units like Human Resources and Engineering to help ensure that users can only access the resources and data they need.
- Under each business unit, isolate teams.
- Under each team, isolate environments.
- Good for large companies with autonomous teams.
Each configuration has a Common folder for projects that contain shared resources. This might include logging and monitoring projects.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
Configure initial folders and projects
Select the resource hierarchy that represents your organization structure.
To configure initial folders and projects, do the following:
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group you created in the Users and groups task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud setup: Hierarchy & access.
Review the task overview, and then click Start next to Resource hierarchy.
Select a starting configuration.
Click Continue and configure.
Customize your resource hierarchy to reflect your organizational structure. For example, you can customize the following:
- Folder names.
- Service projects for each team. To grant access to service projects, you can create the following:
  - A group for each service project.
  - Users in each group.
  For an overview of service projects, see Shared VPC.
- Projects required for monitoring, logging, and networking.
- Custom projects.
Click Continue.
Grant access to your folders and projects
In the Administrative access task, you granted administrative access to groups at the organization level. In this task, you configure access to groups that interact with your newly configured folders and projects.
Projects, folders, and organizations each have their own IAM policies, which are inherited through the resource hierarchy:
- Organization: Policies apply to all folders and projects in the organization.
- Folder: Policies apply to projects and other folders within the folder.
- Project: Policies apply only to that project and its resources.
Update the IAM policies for your folders and projects:
In the Configure access control section of Hierarchy & access, grant your groups access to your folders and projects:
In the table, review the list of recommended IAM roles granted to each group for each resource.
If you want to modify the roles assigned to each group, click Edit in the desired row.
For more information about each role, see IAM basic and predefined roles.
Click Continue.
Review your changes and click Confirm draft configuration.
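The draft configuration confirmed above is, once deployed, a set of folder, project and IAM resources. The block below is an added example, not the setup guide's generated Terraform, that builds the "Simple environment-oriented" hierarchy from the Plan section (Non-production, Production and Common folders with one project each) and grants a group access at folder level so that every project under that folder inherits it, which is the inheritance behaviour described above. Organization ID, billing account ID, project IDs and domain are placeholders (constructed values).

```hcl
# Added example (not from the Google Cloud setup guide): a simple
# environment-oriented hierarchy with folder-level, inherited access.

locals {
  org_id          = "123456789012"         # placeholder organization ID
  billing_account = "000000-AAAAAA-000000" # placeholder billing account ID
  domain          = "example.com"          # placeholder domain
  environments    = ["Non-production", "Production"]
}

resource "google_folder" "environment" {
  for_each     = toset(local.environments)
  display_name = each.key
  parent       = "organizations/${local.org_id}"
}

# Shared resources (for example logging and monitoring projects) live here.
resource "google_folder" "common" {
  display_name = "Common"
  parent       = "organizations/${local.org_id}"
}

resource "google_project" "central_logging" {
  name            = "central-logging"
  project_id      = "example-central-logging" # placeholder; must be globally unique
  folder_id       = google_folder.common.folder_id
  billing_account = local.billing_account
}

# One workload project per environment folder.
resource "google_project" "app" {
  for_each        = google_folder.environment
  name            = "${lower(each.key)}-app"
  project_id      = "example-${lower(each.key)}-app" # placeholder
  folder_id       = each.value.folder_id
  billing_account = local.billing_account
}

# Folder-level bindings are inherited by every project in the folder, so the
# developers group needs no per-project grant, and a project created later
# under the folder is covered automatically. Scope differs per environment:
# instance administration in Non-production, read-only in Production.
resource "google_folder_iam_member" "developers_nonprod" {
  folder = google_folder.environment["Non-production"].name
  role   = "roles/compute.instanceAdmin.v1"
  member = "group:gcp-developers@${local.domain}"
}

resource "google_folder_iam_member" "developers_prod_readonly" {
  folder = google_folder.environment["Production"].name
  role   = "roles/viewer"
  member = "group:gcp-developers@${local.domain}"
}
```

Because folder policies flow downward, a role granted at the Production folder cannot be removed at an individual project inside it; anything that should apply to one project only belongs in that project's own policy. Keeping the broader grant in Non-production and the read-only grant in Production is what makes the two environments behave differently without duplicating bindings per project.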
What's next
Networking
In this task, you set up your initial networking configuration, which you can scale as your needs change.
Virtual Private Cloud architecture
A Virtual Private Cloud (VPC) network is a virtual version of a physical network that is implemented inside of Google's production network. A VPC network is a global resource that consists of regional subnetworks (subnets).
VPC networks provide networking capabilities to your Google Cloud resources such as Compute Engine virtual machine instances, GKE containers, and App Engine flexible environment instances.
Shared VPC connects resources from multiple projects to a common VPC network so that they can communicate with each other using the network's internal IP addresses. The following diagram shows the basic architecture of a Shared VPC network with attached service projects.
When you use Shared VPC, you designate a host project and attach one or more service projects to it. Virtual Private Cloud networks in the host project are called Shared VPC networks.
The example diagram has production and non-production host projects, which each contain a Shared VPC network. You can use a host project to centrally manage the following:
- Routes
- Firewalls
- VPN connections
- Subnets
A service project is any project that's attached to a host project. You can share subnets, including secondary ranges, between host and service projects.
In this architecture, each Shared VPC network contains public and private subnets:
- The public subnet can be used by internet-facing instances for external connectivity.
- The private subnet can be used by internal-facing instances that are not allocated public IP addresses.
In this task, you create an initial network configuration based on the example diagram.
Who performs this task
You need one of the following to perform this task:
- The roles/compute.networkAdmin role.
- Inclusion in the gcp-network-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Create an initial network configuration, including the following:
- Create multiple host projects to reflect your development environments.
- Create a Shared VPC network in each host project to allow distinct resources to share the same network.
- Create distinct subnets in each Shared VPC network to provide network access to service projects.
Why we recommend this task
Distinct teams can use Shared VPC to connect to a common, centrally-managed VPC network.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
Configure your network architecture
Create your initial network configuration with two host projects to segment non-production and production workloads. Each host project contains a Shared VPC network, which can be used by multiple service projects. You configure network details and then deploy a configuration file in a later task.
To configure your initial network, do the following.
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Select your organization from the Select an organization drop-down list at the top of the page.
Go to Google Cloud setup: Networking.
Review the default network architecture.
To edit the network name, do the following:
- Click Actions.
- Select Edit network name.
- In the Network name field, enter lowercase letters, numbers, or hyphens. The network name cannot exceed 25 characters.
- Click Save.
Modify firewall details
The default firewall rules on the host project are based on recommended best practices. For general information on firewall rules, see VPC firewall rules.
To modify firewall settings, do the following:
Click Actions.
Select Edit firewall rules.
For detailed information about each default firewall rule, see Pre-populated rules in the default network.
To disable a firewall rule, clear its corresponding checkbox.
To disable Firewall Rules Logging, click Off.
By default, traffic to and from Compute Engine instances is logged for auditing purposes. This process incurs costs. For more information, see Firewall Rules Logging.
Click Save.
Modify subnet details
Each VPC network contains at least one subnet, which is a regional resource with an associated IP address range. In this multi-regional configuration, you must have at least two subnets with non-overlapping IP ranges.
For more information, see Subnets.
Each subnet is configured using recommended best practices. If you want to customize each subnet, do the following:
- Click Actions.
- Select Edit subnets.
- In the Name field, enter lowercase letters, numbers, or hyphens. The subnet name cannot exceed 25 characters.
From the Region drop-down, select a region that is close to your point of service.
We recommend a different region for each subnet. You can't change the region after you deploy your configuration. For information about choosing a region, see Regional resources.
In the IP address range field, enter a range in CIDR notation, for example, 10.0.0.0/24.
The range you enter must not overlap with other subnets in this network. For information on valid ranges, see IPv4 subnet ranges.
Repeat these steps for Subnet 2.
To configure additional subnets in this network, click Add subnet and repeat these steps.
Click Save.
Your subnets are automatically configured according to best practices. If you want to modify the configuration, in the Google Cloud Setup: VPC Networks page, do the following:
To turn off VPC Flow Logs, from the Flow logs column, select Off.
When flow logs are on, each subnet records network flows that you can analyze for security, cost optimization, and other purposes. For more information, see Use VPC Flow Logs.
VPC Flow Logs incur costs. For more information, see Virtual Private Cloud pricing.
To turn off Private Google Access, from the Private access column, select Off.
When Private Google Access is on, VM instances that don't have external IP addresses can reach Google APIs and services. For more information, see Private Google Access.
To turn on Cloud NAT, from the Cloud NAT column, select On.
When Cloud NAT is on, certain resources can create outbound connections to the internet. For more information, see Cloud NAT overview.
Cloud NAT incurs costs. For more information, see Virtual Private Cloud pricing.
Click Continue to link service projects.
Link service projects to your host projects
A service project is any project that has been attached to a host project. This attachment allows the service project to participate in Shared VPC. Each service project can be operated and administered by different departments or teams to create a separation of responsibilities.
For more information about connecting multiple projects to a common VPC network, see Shared VPC overview.
To link service projects to your host projects and complete the configuration, do the following:
For each subnet in the Shared VPC networks table, select a service project to connect. To do this, select from the Select a project drop-down in the Service project column.
You can connect a service project to multiple subnets.
Click Continue to Review.
Review your configuration, and make changes.
You can make edits until you deploy your configuration file.
Click Confirm draft configuration. Your network configuration is added to your configuration file.
Your network is not deployed until you deploy your configuration file in a later task.
What's next
Centralize logging
In this task, you set up Cloud Logging to route logs from your organization's projects to a central log bucket.
Who performs this task
You must have one of the following:
- The Logging Admin role (roles/logging.admin).
- Membership in the gcp-logging-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Centrally organize logs that are created in projects across your organization to help with security, auditing, and compliance.
Why we recommend this task
Configuring logging storage and retention simplifies analysis and preserves your audit trail.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
Centrally organize logging
Cloud Logging helps you store, search, analyze, monitor, and alert on log data and events from Google Cloud. You can also collect and process logs from your applications, on-premises resources, and other clouds. For an overview about how Logging routes and stores logs, see Routing and storage overview.
To store your log data in a central log bucket, do the following:
Sign in to the Google Cloud console as a user from the gcp-logging-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud setup: Centralize logging.
Review the task overview and click Start logging configuration.
Review the task details.
To route logs to a central log bucket, ensure that Store organization-level admin activity audit logs in a log bucket is selected.
In the Log bucket name field, enter a name for the central log bucket.
From the Log bucket region list, select the region where your log data is stored.
For more information, see Log bucket locations.
We recommend storing logs for 365 days. To customize the retention period, enter the number of days in the Retention period field.
Logs stored for longer than 30 days incur a retention cost. For more information, see Cloud Logging pricing summary.
Click Continue.
Review your Log Router configuration details and click Confirm draft configuration.
Your logging configuration isn't deployed until you deploy your configuration in a later task.
What's next
Deploy your configuration, which includes settings for your hierarchy and access, network, and logging.
Deploy your settings
Deploy or download
As you complete the Google Cloud setup process, your settings from the preceding tasks are compiled into Terraform configuration files.
To apply your settings, you review your selections and choose a deployment method.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Deploy configuration files to apply your setup settings.
Why we recommend this task
You must deploy configuration files to apply the settings you selected.
Before you begin
You must complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
The following tasks are recommended:
- Configure your initial network in the Networking task.
- Consolidate log data in a single location in the Centralize logging task.
Review your configuration details
Do the following to make sure that your configuration settings are complete:
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud setup: Deploy or download.
Review the configuration settings you selected. Click each of the following tabs and review your settings:
- Resource hierarchy & access
- Networking
- Logging
Deploy your configuration
Now that you have reviewed your configuration details, use one of the following options:
Deploy directly from the console: Use this option if you don't have an existing Terraform deployment workflow, and want a simple deployment method. You can deploy using this method only once.
Download and deploy the Terraform file: Use this option if you want to automate resource management using a Terraform deployment workflow. You can download and deploy using this method multiple times.
Deploy using one of the following options:
Deploy directly
If you don't have an existing Terraform workflow and want a simple one-time deployment, you can deploy directly from the console.
Click Deploy directly.
Wait several minutes for the deployment to complete.
If the deployment fails, do the following:
- To reattempt the deployment, click Retry Process.
- If the deployment fails after multiple attempts, you can contact an administrator for help. To do this, click Contact organization administrator.
Download and deploy
If you want to iterate on your deployment using your Terraform deployment workflow, download and deploy configuration files.
To download your configuration file, click Download as Terraform.
The package you download contains Terraform configuration files based on the settings you selected in the following tasks:
- Hierarchy & access
- Networking
- Centralize logging
If you only want to deploy configuration files that are relevant to your responsibilities, you can avoid downloading irrelevant files. To do this, clear the check boxes for the configuration files that you don't need.
Click Download. A terraform.tar.gz package that includes the selected files is downloaded to your local file system.
For detailed deployment steps, see Deploy your foundation using Terraform downloaded from the console.
What's next
Apply security and support settings
Monitoring
Cloud Monitoring is automatically configured for your Google Cloud projects. In this task, you learn about optional monitoring best practices.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Who performs this task
A person in the gcp-monitoring-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Review and implement optional monitoring best practices.
Why we recommend this task
You can implement monitoring best practices to do the following:
- Facilitate collaboration among users who monitor your organization.
- Monitor your Google Cloud infrastructure in one place.
- Collect important application metrics and logs.
Review and implement monitoring best practices
Cloud Monitoring collects metrics, events, and metadata from Google Cloud services, synthetic monitors, application instrumentation, and other common application components. Cloud Monitoring is automatically configured for your Google Cloud projects.
In this task, you can implement the following best practices to build on the default Cloud Monitoring configuration.
To aid collaboration, create an organization policy that grants the Monitoring Viewer role to every principal in your organization for every project.
To monitor your Google Cloud infrastructure in one place, configure a project to read metrics from multiple Google Cloud projects by using Metric Scopes.
To collect application metrics and logs for virtual machines, do the following:
- For Compute Engine, install the Ops Agent.
- For Google Kubernetes Engine (GKE), set up Google Cloud Managed Service for Prometheus.
What's next
Security
In this task, you configure security settings and products to help protect your organization.
Who performs this task
You must have one of the following to complete this task:
- The Organization Policy Administrator (roles/orgpolicy.policyAdmin) and Security Center Admin (roles/securitycenter.admin) roles.
- Membership in the gcp-organization-admins@<your-domain>.com group that you created in the Users and groups task.
What you do in this task
Apply recommended organization policies based on the following categories:
- Access management.
- Service account behavior.
- VPC network configuration.
You also enable Security Command Center to centralize vulnerability and threat reporting.
Why we recommend this task
Applying recommended organization policies helps you limit user actions that don't align with your security posture.
Enabling Security Command Center helps you create a central location to analyze vulnerabilities and threats.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Apply recommended organization policies
Organization policies apply at the organization level, and are inherited by folders and projects. In this task, review and apply the list of recommended policies. You can modify organization policies at any time. For more information, see Introduction to the Organization Policy Service.
Sign in to the Google Cloud console with a user from the gcp-organization-admins@<your-domain>.com group that you created in the Users and groups task.
Select your organization from the Select from drop-down at the top of the page.
Go to Google Cloud setup: Security.
Review the task overview, and then click Continue Security.
Review the list of recommended organization policies. If you don't want to apply a recommended policy, click its checkbox to remove it.
For a detailed explanation of each organization policy, see Organization policy constraints.
Centralize vulnerability and threat reporting
To centralize vulnerability and threat reporting services, enable Security Command Center. This helps you strengthen your security posture and mitigate risks. For more information, see Security Command Center overview.
On the Google Cloud setup: Security page, under Security Command Center, make sure that the Enable Security Command Center: Standard checkbox is selected.
This task enables the free Standard tier. You can upgrade to the Premium version at a later time. For more information, see Security Command Center service tiers.
Click Apply organization policies and Security Command Center.
What's next
Support
In this task, you choose a support plan that fits your business needs.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Choose a support plan based on your company's needs.
Why we recommend this task
A premium support plan provides business-critical support to quickly resolve issues with help from experts at Google Cloud.
Choose a support option
You automatically get free Basic Support, which includes access to the following resources:
We recommend that enterprise customers sign up for Premium Support, which offers one-on-one technical support with Google support engineers. To compare support plans, see Google Cloud customer care.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Enable support
Identify and select a support option.
Review and select a support plan. For more information, see Google Cloud Customer Care.
Sign in to the Google Cloud console with a user from the gcp-organization-admins@<your-domain>.com group that you created in the Users and groups task.
Go to Google Cloud setup: Support.
Review the task details and click View support offerings to select a support option.
After you set up your support option, go back to the Google Cloud setup: Support page and click Mark task as completed.
What's next
Now that you have completed the Google Cloud setup, you are ready to extend your initial setup, deploy prebuilt solutions, and migrate your existing workflows. For more information, see Extend your initial setup and start building.