Before you run workloads on Google Cloud, we recommend that administrators configure a foundation using Google Cloud Setup. A foundation includes fundamental settings that help you organize, manage, and maintain Google Cloud resources.
Using the interactive guide in Google Cloud Setup, you can quickly deploy a default configuration or make adjustments to align with your business needs.
This document outlines steps and background information to help you complete the setup process, including the following phases:
Select a foundation option: Based on the workload that you want to support, select a proof of concept, production, or enhanced security foundation.
Establish your organization, administrators, and billing: Set up the top-level node of your hierarchy, create initial administrator users and assign access, and connect your payment method.
Create an initial architecture: Select an initial folder and project structure, apply security settings, configure logging and monitoring, and set up your network.
Deploy your settings: Your initial architecture choices are compiled in Terraform configuration files. You can quickly deploy through the Google Cloud console, or download the files to customize and iterate using your own workflow. After you deploy, select a support plan.
To get started with Google Cloud Setup, you select one of the following foundation options based on your organization's needs:
Proof of concept: Support proof of concept workloads with basic security in mind. This option guides you through the Organization and Billing tasks. For example, you can select this option to experiment with Google Cloud before making a larger commitment.
Production: Support production-ready workloads with security and scalability in mind. This option includes all Google Cloud Setup tasks in this document. For example, you can select this option to configure a secure and scalable foundation for your organization.
Enhanced security: Includes all tasks in the Production foundation, as well as additional security options in the Security task. For example, you can select this option if your organization is subject to strict security requirements.
To select a foundation option, do the following:
Go to Google Cloud Setup: Foundations.
Click Start under one of the following options:
Do one of the following:
A proof of concept foundation helps you perform the following:
To create a proof of concept foundation, do the following:
Complete the Organization task.
Configure an identity provider, verify your domain, and generate your organization.
Sign in to the console as the super administrator user you created in the Organization task.
Select the Proof of concept foundation option.
Make sure the organization you created is selected, and click Continue to Billing.
The gcp-organization-admins and gcp-billing-admins groups are created, and you are added as a member of each group.
Select or create a billing account. For more information, see the Billing task.
Click Continue to Review and Deploy Foundation.
From the Review and deploy your configuration screen, review the following draft configurations:
Resource hierarchy: Review the proof of concept folder and project.
Organization policies: Review the list of recommended organization policies. For more information, see Apply recommended organization policies.
Click Deploy. Your proof of concept foundation is deployed.
To enable billing on the management project, see Link a billing account to your management project.
For information on experimenting and building, see Build your Google Cloud architecture.
Establish your organization, administrators, and billing
Organization
An organization resource in Google Cloud represents your business, and serves as the top-level node of your hierarchy. To create your organization, you set up a Google identity service and associate it with your domain. When you complete this process, an organization resource is automatically created.
For an overview of the organization resource, see the following:
Who performs this task
The following two administrators perform this task:
An identity administrator responsible for assigning role-based access. You assign this person as the Cloud Identity super administrator. For more information about the super administrator user, see Prebuilt administrator roles.
A domain administrator with access to the company's domain host. This person edits your domain settings, such as DNS configurations, as part of the domain verification process.
You must configure the following as part of your Google Cloud foundation:
You use one or both of the following Google identity services to administer credentials for Google Cloud users:
For detailed information about identity planning, see Planning the onboarding process for your corporate identities.
Before you begin
To understand how to manage a super administrator account, see Super administrator account best practices.
Configure an identity provider and verify your domain
The steps you complete in this task depend on whether you are a new or existing customer. Identify the option that fits your needs:
New customer: Set up Cloud Identity, verify your domain, and create your organization.
Existing Google Workspace customer: Use Google Workspace as your identity provider for users who access Google Workspace and Google Cloud. If you plan to create users who only access Google Cloud, enable Cloud Identity.
Existing Cloud Identity customer: Verify your domain, make sure your organization was created, and confirm that Cloud Identity is enabled.
To create your organization resource, you first set up Cloud Identity, which helps you manage users and groups that access Google Cloud resources.
In this task, you set up Cloud Identity free edition. You can enable Cloud Identity premium edition after you complete your initial setup. For more information, see Compare Cloud Identity features and editions.
Identify the person who serves as the Cloud Identity administrator (also known as the super administrator) in your organization.
Record the administrator's username in the following format: admin-name@example.com. For example, admin-maria@example.com. Specify this username when you create your first administrator user.
To complete the setup process and create the super administrator account, go to the Cloud Identity signup page.
If you get an error when you set up the administrator account, see 'Google Account already exists' error.
Cloud Identity requires you to verify that you own your domain. Once the verification is complete, your Google Cloud organization resource is automatically created for you.
Make sure you created a super administrator account when you configured your identity provider.
Verify your domain in Cloud Identity. As you complete the verification process, note the following:
For steps to verify your domain, see Verify your domain.
When you finish the domain verification steps, click Set up Google Cloud console now.
Sign in to the Google Cloud console as the super administrator user using the email address you specified. For example, admin-maria@example.com.
Go to Google Cloud Setup: Organization. Your organization is created automatically.
Select your organization from the Select from drop-down list at the top of the page.
Cloud Identity free edition includes an allotment of user licenses. For steps to view and request licenses, see Your Cloud Identity free edition user cap.
Existing Google Workspace customer: Verify your domain and enable Cloud Identity
If you are an existing Google Workspace customer, verify your domain, make sure that your organization resource is automatically created, and optionally enable Cloud Identity.
To verify your domain in Google Workspace, see Verify your domain. As you complete the verification process, note the following:
Sign in to the Google Cloud console as the super administrator user.
Go to Google Cloud Setup: Organization.
Select I'm a current Google Workspace customer.
Make sure that your organization name is displayed in the Organization list.
If you want to create users who access Google Cloud, but don't receive Google Workspace licenses, do the following:
In Google Workspace, Enable Cloud Identity.
When you set up Cloud Identity, Disable automatic Google Workspace licensing.
If you are an existing Cloud Identity customer, make sure you have verified your domain, and that your organization resource was automatically created.
To make sure that you have verified your domain, see Verify your domain. As you complete the verification process, note the following:
Sign in to the Google Cloud console as the super administrator user.
Go to Google Cloud Setup: Organization.
Select I'm a current Cloud Identity customer.
Make sure that your organization name is displayed in the Organization list.
Make sure that Cloud Identity is enabled in Google Admin console: Subscriptions. Sign in as a super administrator user.
Create groups and add members.
Users and groups
In this task, you set up identities, users, and groups to manage access to Google Cloud resources.
For more information on access management on Google Cloud, see the following:
Who performs this task
You can perform this task if you have one of the following:
The Organization Administrator role (roles/resourcemanager.organizationAdmin).
The Workforce Pool Admin role (roles/iam.workforcePoolAdmin).
In this task, you do the following:
Connect to Cloud Identity or your external identity provider (IdP).
Create administrative groups and users that will perform the remainder of the Google Cloud Setup steps. You grant access to these groups in a later task.
This task helps you implement the following security best practices:
Principle of least privilege: Give users the minimum permissions required to perform their role, and remove access as soon as it is no longer needed.
Role-based access control (RBAC): Assign permissions to groups of users according to their job role. Do not add permissions to individual user accounts.
You can use groups to efficiently apply IAM roles to a collection of users. This practice helps you simplify access management.
Select an identity provider
You can use one of the following to manage users and groups, and connect them to Google Cloud:
To select your identity provider, do the following:
Sign in to the Google Cloud console as one of the users you identified in Who performs this task.
Go to Google Cloud Setup: Users & groups.
Review the task details and click Continue identity setup.
On the Select your identity provider page, select one of the following to begin a guided setup:
Click Continue.
See one of the following for next steps:
If you don't have an existing identity provider, or if you're not ready to connect your identity provider to Google Cloud, you can create and manage users and groups in Cloud Identity or Google Workspace. To create users and groups, you do the following:
Find and migrate users that already have Google Accounts. For detailed information, see Add users with unmanaged accounts.
You must be a super administrator.
A group is a named collection of Google Accounts and service accounts. Each group has a unique email address, such as gcp-billing-admins@example.com. You create groups to manage users and apply IAM roles at scale.
The following groups are recommended to help you administer your organization's core functions and complete the Google Cloud Setup process.
Group: Description
gcp-organization-admins: Administer all organization resources. Assign this role only to your most trusted users.
gcp-billing-admins: Set up billing accounts and monitor usage.
gcp-network-admins: Create Virtual Private Cloud networks, subnets, and firewall rules.
gcp-hybrid-connectivity-admins: Create network devices such as Cloud VPN instances and Cloud Router.
gcp-logging-monitoring-admins: Use all Cloud Logging and Cloud Monitoring features.
gcp-logging-monitoring-viewers: Read-only access to a subset of logs and monitoring data.
gcp-security-admins
gcp-developers: Design, code, and test applications.
gcp-devops: Create or manage end-to-end pipelines that support continuous integration and delivery, monitoring, and system provisioning.
To create administrative groups, do the following:
On the Create Groups page, review the list of recommended administrative groups, and then do one of the following:
Click Continue.
We recommend that you initially add users who complete organizational, networking, billing, and other setup procedures. You can add other users after you complete the Google Cloud Setup process.
To add administrative users who perform Google Cloud Setup tasks, do the following:
Migrate consumer accounts to managed user accounts controlled by Cloud Identity. For detailed steps, see the following:
Sign in to Google Admin console using a super administrator account.
Use one of the following options to add users:
When you're done adding users, return to Google Cloud Setup: Users & groups (Create users).
Click Continue.
Add the users you created to administrative groups that correspond to their duties.
In Google Cloud Setup: Users & groups (Add users to groups), review the step details.
In each Group row, do the following:
From the Group role drop-down list, select the user's group permission settings. For more information, see Set who can view, post, and moderate.
Each member inherits all IAM roles you grant to a group, regardless of the group role you select.
To add another user to this group, click Add another member and repeat these steps. We recommend that you add more than one member to each group.
When you're done adding users to this group, click Save.
When you're done with all groups, click Confirm users & groups.
If you want to federate your identity provider into Google Cloud, see the following:
You can use your existing identity provider to create and manage groups and users. You configure single sign-on to Google Cloud by setting up workforce identity federation with your external identity provider. For key concepts of this process, see Workforce Identity Federation.
To connect your external identity provider, you complete a guided setup that includes the following steps:
For background information on the connection process for each provider, see the following:
Assign permissions to your administrator groups.
Administrative access
In this task, you use Identity and Access Management (IAM) to assign collections of permissions to groups of administrators at the organization level. This process gives administrators central visibility and control over every cloud resource that belongs to your organization.
For an overview of Identity and Access Management in Google Cloud, see IAM overview.
Who performs this task
To perform this task, you must be one of the following:
A super administrator user.
A user with the Organization Administrator role (roles/resourcemanager.organizationAdmin).
In this task, you do the following:
Review a list of default roles assigned to each administrator group that you created in the Users and groups task.
If you want to customize a group, you can do the following:
You must explicitly grant all administrative roles for your organization. This task helps you implement the following security best practices:
Principle of least privilege: Give users the minimum permissions required to perform their jobs, and remove access as soon as it is no longer needed.
Role-based access control (RBAC): Assign permissions to groups of users according to their jobs. Do not grant roles to individual user accounts.
Complete the following tasks:
To grant appropriate access to each administrator group that you created in the Users and groups task, review the default roles that are assigned to each group. You can add or remove roles to customize each group's access.
Make sure that you are logged in to the Google Cloud console as a super administrator user.
Alternatively, you can sign in as a user with the Organization Administrator role (roles/resourcemanager.organizationAdmin).
Go to Google Cloud Setup: Administrative access.
Select your organization name from the Select from drop-down list at the top of the page.
Review the task overview and click Continue administrative access.
Review the groups in the Group (Principal) column that you created in the Users & groups task.
Note: If you don't plan to use a group, you can delete it.
For each group, review the default IAM roles. You can add or remove roles assigned to each group to fit the unique needs of your organization.
Each role contains multiple permissions that allow users to perform relevant tasks. For more information about the permissions in each role, see IAM basic and predefined roles reference.
When you are ready to assign roles to each group, click Save and grant access.
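As an added illustration that is not part of this page and not the Terraform that Google Cloud Setup generates, the following configuration creates the recommended administrative groups in Cloud Identity and grants organization-level roles to the groups, never to individual users. The organization ID, Cloud Identity customer ID, domain, member addresses and the role-to-group mapping are assumptions; the roles that the console assigns by default are shown in the Administrative access task and may differ.

```hcl
# Added example, not Terraform that Google Cloud Setup generates. Assumes an
# existing organization, its Cloud Identity customer ID, and the example.com
# domain; all three values below are placeholders.
variable "org_id"      { default = "123456789012" }
variable "customer_id" { default = "C0123abcd" }
variable "domain"      { default = "example.com" }

# Recommended groups from the table above, each with an illustrative set of
# organization-level roles (assumed here, not the console defaults).
locals {
  admin_groups = {
    "gcp-organization-admins"       = ["roles/resourcemanager.organizationAdmin"]
    "gcp-billing-admins"            = ["roles/billing.admin"]
    "gcp-network-admins"            = ["roles/compute.networkAdmin"]
    "gcp-logging-monitoring-admins" = ["roles/logging.admin", "roles/monitoring.admin"]
  }

  # One (group, role) pair per binding so that every grant is a separate,
  # individually revocable resource in state.
  bindings = merge([
    for group, roles in local.admin_groups : {
      for role in roles : "${group}:${role}" => { group = group, role = role }
    }
  ]...)
}

# One Cloud Identity group per entry. The discussion_forum label is what the
# Cloud Identity Groups API requires for an ordinary (non-dynamic) group.
resource "google_cloud_identity_group" "admin" {
  for_each     = local.admin_groups
  display_name = each.key
  parent       = "customers/${var.customer_id}"

  group_key {
    id = "${each.key}@${var.domain}"
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

# Seed the organization admins group with two members, as the page recommends
# more than one member per group. Both user names are placeholders.
resource "google_cloud_identity_group_membership" "seed" {
  for_each = {
    "org-admins-maria" = { group = "gcp-organization-admins", user = "admin-maria" }
    "org-admins-lee"   = { group = "gcp-organization-admins", user = "admin-lee" }
  }
  group = google_cloud_identity_group.admin[each.value.group].id

  preferred_member_key {
    id = "${each.value.user}@${var.domain}"
  }

  roles {
    name = "MEMBER"
  }
}

# Organization-level grants reference the group resource, so the group exists
# before the binding. google_organization_iam_member is additive and does not
# overwrite bindings made outside this configuration.
resource "google_organization_iam_member" "group_role" {
  for_each = local.bindings
  org_id   = var.org_id
  role     = each.value.role
  member   = "group:${google_cloud_identity_group.admin[each.value.group].group_key[0].id}"
}
```

Because every binding is keyed by group and role, removing a role from admin_groups produces a plan that deletes exactly that one grant, which is the "remove access as soon as it is no longer needed" step made reviewable.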
Set up billing.
Billing
In this task, you set up a billing account to pay for Google Cloud resources. To do this, you associate one of the following with your organization.
An existing Cloud Billing account. If you don't have access to the account, you can request access from your billing account administrator.
A new Cloud Billing account.
For more information on billing, see the Cloud Billing documentation.
Who performs this task
A person in the gcp-billing-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Cloud Billing accounts are linked to one or more Google Cloud projects and are used to pay for the resources you use, such as virtual machines, networking, and storage.
Determine your billing account type
The billing account that you associate with your organization is one of the following types.
Self-serve (or online): Sign up online using a credit or debit card. We recommend this option if you are a small business or individual. When you sign up online for a billing account, your account is automatically set up as a self-serve account.
Invoiced (or offline): If you already have a self-serve billing account, you might be eligible to apply for invoiced billing if your business meets eligibility requirements.
You cannot create an invoiced account online, but you can apply to convert a self-serve account to an invoiced account.
For more information, see Cloud Billing account types.
Before you begin
Complete the following tasks:
Now that you have chosen a billing account type, associate the billing account with your organization. When you complete this process, you can use your billing account to pay for Google Cloud resources.
Sign in to the Google Cloud console as a user from the gcp-billing-admins@YOUR_DOMAIN group.
Go to Google Cloud Setup: Billing.
Review the task overview, and then click Continue billing.
Select one of the following billing account options:
Create a new account
If your organization does not have an existing account, create a new account.
Select the billing account type you want to create. For detailed steps, see the following:
Verify that your billing account was created:
If you created an invoiced account, wait up to 5 business days to receive email confirmation.
Go to the Billing page.
Select your organization from the Select from list at the top of the page. If the account was created successfully, it is displayed in the billing account list.
If you have an existing billing account, you can associate it with your organization.
If another user has access to an existing billing account, you can ask that user to associate the billing account with your organization, or the user can give you access to complete the association.
Create a resource hierarchy and assign access.
Create an initial architecture
Hierarchy and access
In this task, you set up your resource hierarchy by creating and assigning access to the following resources:
For design considerations and best practices to organize your resources in projects, see Decide a resource hierarchy for your Google Cloud landing zone.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task can perform this task.
Creating a structure for folders and projects helps you manage Google Cloud resources and assign access based on the way your organization operates. For example, you might organize and provide access to resources based on your organization's unique collection of geographic regions, subsidiary structures, or accountability frameworks.
Plan the resource hierarchy
Your resource hierarchy helps you create boundaries, and share resources across your organization for common tasks. You create your hierarchy using one of the following initial configurations, based on your organization structure:
Simple environment-oriented: for example, Non-production and Production.
Simple team-oriented: for example, Development and QA.
Environment-oriented: for example, Non-production and Production.
Business unit-oriented: for example, Human Resources and Engineering, to help ensure that users can only access the resources and data they need.
Each configuration has a Common folder for projects that contain shared resources. This might include logging and monitoring projects.
Complete the following tasks:
Select the resource hierarchy that represents your organization structure.
Important: If you already have existing folders and projects in your organization, the new resource hierarchy you create appears alongside your existing resources. If there are existing resources that are identical to resources in the proposed hierarchy, they are automatically merged.
To configure initial folders and projects, do the following:
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group you created in the Users and groups task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud Setup: Hierarchy & access.
Review the task overview, and then click Start next to Resource hierarchy.
Select a starting configuration.
Click Continue and configure.
Customize your resource hierarchy to reflect your organizational structure. For example, you can customize the following:
Service projects for each team. To grant access to service projects, you can create the following:
For an overview of service projects, see Shared VPC.
Projects required for monitoring, logging, and networking.
Custom projects.
Click Continue.
In the Administrative access task, you granted administrative access to groups at the organization level. In this task, you configure access to groups that interact with your newly configured folders and projects.
Tip: We recommend that you implement the principle of least privilege by granting the least amount of access that's necessary to resources at each level.
Projects, folders, and organizations each have their own IAM policies, which are inherited through the resource hierarchy:
Update the IAM policies for your folders and projects:
In the Configure access control section of Hierarchy & access, grant your groups access to your folders and projects:
In the table, review the list of recommended IAM roles granted to each group for each resource.
If you want to modify the roles assigned to each group, click Edit in the desired row.
For more information about each role, see IAM basic and predefined roles.
Click Continue.
Review your changes and click Confirm draft configuration.
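The environment-oriented hierarchy described in Plan the resource hierarchy, with the inherited folder-level grants described just above, as an added example that is not part of this page and not the Terraform that Google Cloud Setup generates. The organization ID, billing account, domain, project suffix and the per-folder role choices are assumptions.

```hcl
# Added example, not Terraform that Google Cloud Setup generates. Assumes an
# existing organization and billing account; IDs and the domain are
# placeholders.
variable "org_id"          { default = "123456789012" }
variable "billing_account" { default = "000000-AAAAAA-000000" }
variable "domain"          { default = "example.com" }
variable "suffix"          { default = "a1b2" }   # keeps project IDs globally unique

# Environment-oriented layout: Production, Non-production and the Common
# folder for shared projects such as logging and monitoring.
resource "google_folder" "env" {
  for_each     = toset(["Production", "Non-production", "Common"])
  display_name = each.key
  parent       = "organizations/${var.org_id}"
}

# Shared projects live under Common. No default network is created for them;
# the compute.skipDefaultNetworkCreation organization policy constraint can
# enforce the same thing organization-wide.
resource "google_project" "common" {
  for_each            = toset(["logging", "monitoring"])
  name                = "prj-c-${each.key}"
  project_id          = "prj-c-${each.key}-${var.suffix}"
  folder_id           = google_folder.env["Common"].folder_id
  billing_account     = var.billing_account
  auto_create_network = false
}

# A folder-level grant is inherited by every project under that folder, so
# the same group gets a different role per environment: developers may
# manage VM instances in Non-production but only browse the hierarchy in
# Production. These role choices are illustrative, not the console defaults.
locals {
  folder_bindings = {
    "nonprod-developers" = {
      folder = "Non-production", group = "gcp-developers", role = "roles/compute.instanceAdmin.v1"
    }
    "prod-developers" = {
      folder = "Production", group = "gcp-developers", role = "roles/browser"
    }
    "common-log-viewers" = {
      folder = "Common", group = "gcp-logging-monitoring-viewers", role = "roles/logging.viewer"
    }
  }
}

resource "google_folder_iam_member" "group_role" {
  for_each = local.folder_bindings
  folder   = google_folder.env[each.value.folder].name   # "folders/<id>"
  role     = each.value.role
  member   = "group:${each.value.group}@${var.domain}"
}
```

Projects that Google Cloud Setup later creates under Production or Non-production pick up these bindings automatically, so a role granted here should be reviewed against every project the folder will ever hold, not only the ones that exist today.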
Security
In this task, you configure security settings and products to help protect your organization.
Important: The policies you apply in this task are a first step in configuring security. Your organization's unique challenges require you to perform security audits, understand the attack surface for your architecture, and so on.
Who performs this task
You must have one of the following to complete this task:
The Organization Administrator role (roles/resourcemanager.organizationAdmin).
Membership in one of the following groups that you created in the Users and groups task:
gcp-organization-admins@<your-domain>.com
gcp-security-admins@<your-domain>.com
Apply recommended organization policies based on the following categories:
You also enable Security Command Center to centralize vulnerability and threat reporting.
Why we recommend this task
Applying recommended organization policies helps you limit user actions that don't align with your security posture.
Enabling Security Command Center helps you create a central location to analyze vulnerabilities and threats.
Enforcing and automating Cloud KMS with Autokey helps you use customer-managed encryption keys (CMEKs) consistently to protect your resources.
Note: Cloud KMS with Autokey is generally available; however, Google Cloud Setup for Cloud KMS with Autokey is in Preview.
Before you begin
Complete the following tasks:
Sign in to the Google Cloud console with a user you identified in Who performs this task.
Select your organization from the Select from drop-down at the top of the page.
Go to Google Cloud Setup: Security.
Review the task overview, and then click Start Security.
To centralize vulnerability and threat reporting services, enable Security Command Center. This helps you strengthen your security posture and mitigate risks. For more information, see Security Command Center overview.
On the Google Cloud Setup: Security page, make sure that the Enable Security Command Center: Standard checkbox is enabled.
This task enables the free Standard tier. You can upgrade to the Premium version at a later time. For more information, see Security Command Center service tiers.
Click Apply Security Command Center configurations.
Organization policies apply at the organization level, and are inherited by folders and projects. In this task, review and apply the list of recommended policies. You can modify organization policies at any time. For more information, see Introduction to the Organization Policy Service.
Review the list of recommended organization policies. If you don't want to apply a recommended policy, click its checkbox to remove it.
For a detailed explanation of each organization policy, see Organization policy constraints.
Click Confirm organization policy configurations.
The organization policies that you select are applied when you deploy your configuration in a later task.
Enforce and automate customer-managed encryption keys
Cloud KMS with Autokey lets developers in your organization create symmetric encryption keys when required to protect your Google Cloud resources.
Note: Cloud KMS with Autokey includes a free allotment of active key versions. You might incur costs as your resource utilization increases. For pricing details, see Cloud KMS pricing.
The following configurations are applied when you deploy your configuration in a later task:
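Organization policies as code, as an added example that is not part of this page and not the list that Google Cloud Setup recommends (see the Organization policy constraints reference for that list). It shows the three forms a policy takes (boolean enforce, list deny-all, list allow) and how a folder below the organization can narrow an inherited rule; the organization ID, folder ID, customer ID and instance path are placeholders.

```hcl
# Added example, not the recommended policy list from Google Cloud Setup.
# Assumes an existing organization; the ID is a placeholder.
variable "org_id" { default = "123456789012" }

# Boolean constraints: enforce = "TRUE" switches the restriction on for the
# whole organization. Folders and projects inherit it unless they override.
locals {
  enforced_boolean_constraints = [
    "iam.disableServiceAccountKeyCreation",            # no downloadable SA keys
    "iam.automaticIamGrantsForDefaultServiceAccounts", # default SAs don't get Editor
    "compute.skipDefaultNetworkCreation",              # new projects get no default VPC
    "compute.requireOsLogin",                          # SSH identity comes from IAM
    "storage.uniformBucketLevelAccess",                # no per-object ACLs
  ]
}

resource "google_org_policy_policy" "boolean" {
  for_each = toset(local.enforced_boolean_constraints)
  name     = "organizations/${var.org_id}/policies/${each.key}"
  parent   = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# List constraint, deny-all form: no VM anywhere in the organization may
# carry an external IP address.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# List constraint, allow form: IAM policies may only name principals from
# your own Cloud Identity customer (domain restricted sharing). The customer
# ID is a placeholder.
resource "google_org_policy_policy" "domain_restricted_sharing" {
  name   = "organizations/${var.org_id}/policies/iam.allowedPolicyMemberDomains"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      values {
        allowed_values = ["C0123abcd"]
      }
    }
  }
}

# Narrowing lower in the hierarchy: a Non-production folder replaces the
# inherited deny-all with an allow list naming exactly one bastion instance;
# every other instance in the folder is still denied. Folder and instance
# path are placeholders.
resource "google_org_policy_policy" "nonprod_bastion_external_ip" {
  name   = "folders/000000000001/policies/compute.vmExternalIpAccess"
  parent = "folders/000000000001"

  spec {
    inherit_from_parent = false
    rules {
      values {
        allowed_values = [
          "projects/prj-np-bastion/zones/us-central1-a/instances/bastion-1",
        ]
      }
    }
  }
}
```

After applying, the effective policy on any project is visible in the console under Organization policies, which is where to confirm that the folder override did not loosen more than the single instance intended.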
Central logging and monitoring.
Central logging and monitoring
In this task, you configure the following:
Who performs this task
To set up logging and monitoring, you must have one of the following:
The Logging Admin (roles/logging.admin) and Monitoring Admin (roles/monitoring.admin) roles.
Membership in one of the following groups that you created in the Users and groups task:
gcp-organization-admins@YOUR_DOMAIN
gcp-security-admins@YOUR_DOMAIN
gcp-logging-monitoring-admins@YOUR_DOMAIN
You do the following in this task:
Central log storage and retention simplify analysis and preserve your audit trail. Central monitoring gives you a view of metrics in one place.
Before you begin
Complete the following tasks:
Cloud Logging helps you store, search, analyze, monitor, and alert on log data and events from Google Cloud. You can also collect and process logs from your applications, on-premises resources, and other clouds. We recommend that you use Cloud Logging to consolidate logs into a single log bucket.
Note: Cloud Logging includes a free monthly allotment. You might incur costs as your resource utilization increases. For pricing details, see Cloud Logging pricing summary.
For more information, see the following:
To store your log data in a central log bucket, do the following:
Sign in to the Google Cloud console as a user that you identified in Who performs this task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud Setup: Central logging and monitoring.
Review the task overview and click Start central logging & monitoring.
Review the task details.
To route logs to a central log bucket, ensure that Store organization-level audit logs in a logs bucket is selected.
Expand Route logs to a Logging log bucket and do the following:
In the Log bucket name field, enter a name for the central log bucket.
From the Log bucket region list, select the region where your log data is stored.
For more information, see Log bucket locations.
By default, logs are stored for 30 days. We recommend that large enterprises store logs for 365 days. To customize the retention period, enter the number of days in the Retention period field.
Logs stored for longer than 30 days incur a retention cost. For more information, see Cloud Logging pricing summary.
If you want to export logs to a destination outside of Google Cloud, you can export using Pub/Sub. For example, if you use multiple cloud providers, you might decide to export log data from each cloud provider to a third-party tool.
You can filter the logs you export to meet your unique needs and requirements. For example, you might choose to limit the types of logs you export to control costs or to reduce noise in your data.
For more information about exporting logs, see the following:
To export logs, do the following:
Click Stream your logs to other applications, other repositories, or third parties.
In the Pub/Sub topic ID field, enter an identifier for the topic that contains your exported logs. For information on subscribing to a topic, see Pull subscriptions.
To select logs to export, do the following:
For information about each log type, see Understand Cloud Audit Logs.
To prevent one of the following recommended logs from being exported, click the Inclusion filter list and clear the log checkbox:
Select the following additional logs to export them:
The logs you select in this step are exported only if they are enabled in your projects or resources. For steps to change the log filter for your projects and resources after you deploy your configuration, see Inclusion filters.
Click OK.
Click Continue to Monitoring.
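The central log bucket, the organization-level sink that feeds it, and the optional Pub/Sub export with an inclusion filter, as an added example that is not part of this page and not the Terraform that Google Cloud Setup generates. The organization ID, logging project, region, bucket and topic names are assumptions; the 365-day retention and the audit-log filter follow the recommendations above.

```hcl
# Added example, not Terraform that Google Cloud Setup generates. Assumes an
# organization and a logging project in the Common folder; IDs are placeholders.
variable "org_id"          { default = "123456789012" }
variable "logging_project" { default = "prj-c-logging-a1b2" }
variable "region"          { default = "us-central1" }

# Central log bucket. Retention defaults to 30 days; 365 days is the
# recommendation for large enterprises (days beyond 30 are billed).
resource "google_logging_project_bucket_config" "central" {
  project        = var.logging_project
  location       = var.region
  bucket_id      = "central-audit-logs"
  retention_days = 365
}

# Organization-level sink: include_children routes matching logs from every
# folder and project under the organization into the central bucket.
resource "google_logging_organization_sink" "audit_to_bucket" {
  name             = "org-audit-logs-to-central-bucket"
  org_id           = var.org_id
  include_children = true
  destination      = "logging.googleapis.com/projects/${var.logging_project}/locations/${var.region}/buckets/${google_logging_project_bucket_config.central.bucket_id}"
  filter           = "logName:\"cloudaudit.googleapis.com\""
}

# The sink writes with its own service identity, which must be allowed to
# write into the destination project; this grant is not made automatically.
resource "google_project_iam_member" "bucket_writer" {
  project = var.logging_project
  role    = "roles/logging.bucketWriter"
  member  = google_logging_organization_sink.audit_to_bucket.writer_identity
}

# Export outside Google Cloud through Pub/Sub. The inclusion filter keeps
# Admin Activity, System Event and Policy Denied audit logs and leaves out
# Data Access logs, which are high-volume and costly to stream.
resource "google_pubsub_topic" "log_export" {
  project = var.logging_project
  name    = "org-log-export"
}

resource "google_logging_organization_sink" "audit_to_pubsub" {
  name             = "org-audit-logs-to-pubsub"
  org_id           = var.org_id
  include_children = true
  destination      = "pubsub.googleapis.com/${google_pubsub_topic.log_export.id}"
  filter           = <<-EOT
    logName:"cloudaudit.googleapis.com%2Factivity" OR
    logName:"cloudaudit.googleapis.com%2Fsystem_event" OR
    logName:"cloudaudit.googleapis.com%2Fpolicy"
  EOT
}

resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = var.logging_project
  topic   = google_pubsub_topic.log_export.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_organization_sink.audit_to_pubsub.writer_identity
}

# Pull subscription for the external tool. Seven days of retention means a
# collector outage shorter than that loses no audit records.
resource "google_pubsub_subscription" "external_collector" {
  project                    = var.logging_project
  name                       = "org-log-export-collector"
  topic                      = google_pubsub_topic.log_export.id
  ack_deadline_seconds       = 60
  message_retention_duration = "604800s"
}
```

The bucket sink is deliberately broader than the Pub/Sub sink: Data Access logs stay queryable in Cloud Logging for investigations while only the lower-volume audit types leave the platform.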
Preview
This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Central monitoring helps you analyze system health, performance, and security for multiple projects. In this task, you add the projects that you created during the Hierarchy and access task to a scoping project. You can then monitor those projects from the scoping project. After you complete Google Cloud Setup, you can configure other projects to be monitored by the scoping project.
For more information, see Metrics scope overview.
To set up central monitoring, do the following:
To configure projects created during Google Cloud Setup for central monitoring, ensure that Use central monitoring is selected.
Projects that you created during Google Cloud Setup are added to the metrics scope of the listed Scoping project.
Cloud Monitoring includes a free monthly allotment. For more information, see Cloud Monitoring pricing summary.
For steps to configure projects that you create outside of Google Cloud Setup, see the following:
To complete the logging and monitoring task, do the following:
Click Confirm Configuration.
Review your logging and monitoring configuration details. Your configuration isn't deployed until you deploy your settings in a later task.
Set up your initial networking configuration.
VPC networks
In this task, you set up your initial networking configuration, which you can scale as your needs change.
Virtual Private Cloud architecture
A Virtual Private Cloud (VPC) network is a virtual version of a physical network that is implemented inside of Google's production network. A VPC network is a global resource that consists of regional subnetworks (subnets).
VPC networks provide networking capabilities to your Google Cloud resources such as Compute Engine virtual machine instances, GKE containers, and App Engine flexible environment instances.
Shared VPC connects resources from multiple projects to a common VPC network so that they can communicate with each other using the network's internal IP addresses. The following diagram shows the basic architecture of a Shared VPC network with attached service projects.
When you use Shared VPC, you designate a host project and attach one or more service projects to it. Virtual Private Cloud networks in the host project are called Shared VPC networks.
The example diagram has production and non-production host projects, which each contain a Shared VPC network. You can use a host project to centrally manage the following:
A service project is any project that's attached to a host project. You can share subnets, including secondary ranges, between host and service projects.
In this architecture, each Shared VPC network contains public and private subnets:
In this task, you create an initial network configuration based on the example diagram.
Who performs this task
You need one of the following to perform this task:
The roles/compute.networkAdmin role.
The gcp-network-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Create an initial network configuration, including the following:
Distinct teams can use Shared VPC to connect to a common, centrally-managed VPC network.
Before you begin
Complete the following tasks:
Create your initial network configuration with two host projects to segment non-production and production workloads. Each host project contains a Shared VPC network, which can be used by multiple service projects. You configure network details and then deploy a configuration file in a later task.
To configure your initial network, do the following.
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Select your organization from the Select an organization drop-down list at the top of the page.
Go to Google Cloud Setup: Networking.
Review the default network architecture.
To edit the network name, do the following:
The default firewall rules on the host project are based on recommended best practices. You can choose to disable one or more of the default firewall rules. For general information on firewall rules, see VPC firewall rules.
To modify firewall settings, do the following:
Click more_vert Actions.
Select Edit firewall rules.
For detailed information about each default firewall rule, see Pre-populated rules in the default network.
To disable a firewall rule, clear its corresponding checkbox.
To disable Firewall Rules Logging, click Off.
By default, traffic to and from Compute Engine instances is logged for auditing purposes. This process incurs costs. For more information, see Firewall Rules Logging.
Click Save.
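The firewall step above lets you disable individual default rules and turn off Firewall Rules Logging. As an added example (not part of this page and not Google Cloud's own tooling), the following Python script shows the kind of review a security engineer runs before and after deploying: it takes firewall rules in the JSON shape that gcloud compute firewall-rules list --format=json returns (name, direction, sourceRanges, allowed, disabled, logConfig) and reports enabled rules that have logging off or that admit SSH or RDP from the whole internet. The rules in SAMPLE_RULES are constructed for the example and are not the wizard's actual defaults.

```python
import ipaddress

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# These are illustrative rules, not the default rules the setup wizard creates.
SAMPLE_RULES = [
    {"name": "allow-iap-ssh", "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20"],          # IAP TCP forwarding range
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "disabled": False, "logConfig": {"enable": True}},
    {"name": "allow-internal", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "all"}],
     "disabled": False, "logConfig": {"enable": True}},
    {"name": "allow-rdp-any", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}],
     "disabled": False, "logConfig": {"enable": False}},
    {"name": "allow-ssh-any-disabled", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "disabled": True, "logConfig": {"enable": True}},
]

# Ports whose exposure to the internet is flagged; extend to suit your own policy.
ADMIN_PORTS = {22, 3389}


def _ports_in_allow(allowed):
    """Expand the 'allowed' list into a set of TCP/UDP ports.
    Returns None when the rule allows every port (protocol 'all', or tcp/udp
    with no 'ports' entry), so the caller treats it as fully open."""
    ports = set()
    for entry in allowed:
        proto = entry.get("IPProtocol", "").lower()
        if proto == "all" or (proto in ("tcp", "udp") and "ports" not in entry):
            return None
        for spec in entry.get("ports", []):
            if "-" in spec:                      # port range such as "3000-3010"
                lo, hi = spec.split("-", 1)
                ports.update(range(int(lo), int(hi) + 1))
            else:
                ports.add(int(spec))
    return ports


def _open_to_internet(rule):
    """True if any source range is the whole IPv4 or IPv6 address space."""
    for cidr in rule.get("sourceRanges", []):
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False


def audit_firewall_rules(rules):
    """Return (rule_name, finding) pairs for enabled rules that need review."""
    findings = []
    for rule in rules:
        if rule.get("disabled"):
            continue                             # a disabled rule does not affect traffic
        name = rule["name"]
        if not rule.get("logConfig", {}).get("enable"):
            findings.append((name, "logging-off"))
        if rule.get("direction") == "INGRESS" and _open_to_internet(rule):
            ports = _ports_in_allow(rule.get("allowed", []))
            if ports is None or ports & ADMIN_PORTS:
                findings.append((name, "admin-port-open-to-internet"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_firewall_rules(SAMPLE_RULES):
        print(f"{rule_name}: {finding}")
```

Run it against real output by loading the gcloud JSON with json.load and passing the list to audit_firewall_rules; a disabled rule is skipped because it has no effect on traffic, but re-enabling it later would bring it back into scope, so keep disabled rules in review as well.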
Each VPC network contains at least one subnet, which is a regional resource with an associated IP address range. In this multi-regional configuration, you must have at least two subnets with non-overlapping IP ranges.
For more information, see Subnets.
Each subnet is configured using recommended best practices. If you want to customize each subnet, do the following:
From the Region drop-down, select a region that is close to your point of service.
We recommend a different region for each subnet. You can't change the region after you deploy your configuration. For information about choosing a region, see Regional resources.
In the IP address range field, enter a range in CIDR notation, for example, 10.0.0.0/24.
The range you enter must not overlap with other subnets in this network. For information on valid ranges, see IPv4 subnet ranges.
Note: To expand the primary IPv4 range of an existing subnet, reduce the prefix length. For example, to expand 10.0.0.0/24, use 10.0.0.0/20.
Repeat these steps for Subnet 2.
To configure additional subnets in this network, click Add subnet and repeat these steps.
Click Save.
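The subnet steps above require non-overlapping IPv4 ranges, recommend a different region per subnet, and describe expansion as reducing the prefix length. The following Python script is an added example (not from this page or from Google Cloud Setup) that checks a planned subnet layout before you enter it in the console and computes a safe expansion. It assumes one Google Cloud constraint the page does not state, that a primary IPv4 range can be no smaller than /29, and the plan in SAMPLE_PLAN is constructed for the example.

```python
import ipaddress

# Assumed Google Cloud constraint (not stated on this page): a primary IPv4
# subnet range can be no smaller than /29.
MAX_PREFIX_LEN = 29

# Constructed sample plan: two Shared VPC host projects, two regions each.
SAMPLE_PLAN = {
    "vpc-prod": [
        {"name": "subnet-prod-1", "region": "us-central1", "cidr": "10.0.0.0/24"},
        {"name": "subnet-prod-2", "region": "us-east1", "cidr": "10.0.16.0/24"},
    ],
    "vpc-nonprod": [
        {"name": "subnet-nonprod-1", "region": "us-central1", "cidr": "10.1.0.0/24"},
        {"name": "subnet-nonprod-2", "region": "us-east1", "cidr": "10.1.16.0/24"},
    ],
}


def validate_network(subnets):
    """Return a list of problems found in the subnets of one VPC network."""
    problems = []
    accepted = []  # (name, ip_network) pairs that parsed correctly
    for s in subnets:
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.0.0.1/24
            net = ipaddress.ip_network(s["cidr"], strict=True)
        except ValueError as exc:
            problems.append(f"{s['name']}: invalid range {s['cidr']} ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{s['name']}: only IPv4 primary ranges are checked here")
            continue
        if net.prefixlen > MAX_PREFIX_LEN:
            problems.append(f"{s['name']}: /{net.prefixlen} is smaller than the /{MAX_PREFIX_LEN} minimum")
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{s['name']} ({net}) overlaps {other_name} ({other})")
        accepted.append((s["name"], net))
    if len(subnets) < 2:
        problems.append("a multi-regional network needs at least two subnets")
    regions = [s["region"] for s in subnets]
    if len(set(regions)) < len(regions):
        problems.append("subnets share a region; a different region per subnet is recommended")
    return problems


def validate_plan(plan):
    """Validate every network in a {network_name: [subnet, ...]} plan."""
    return {name: validate_network(subnets) for name, subnets in plan.items()}


def expand_subnet(subnets, name, new_prefix_len):
    """Compute the expanded primary range of one subnet.
    Expansion reduces the prefix length and keeps the existing range inside the
    new one; it is refused if the larger range would overlap a sibling subnet."""
    target = next(s for s in subnets if s["name"] == name)
    current = ipaddress.ip_network(target["cidr"])
    if new_prefix_len >= current.prefixlen:
        raise ValueError("expansion must reduce the prefix length")
    expanded = current.supernet(new_prefix=new_prefix_len)
    for s in subnets:
        if s["name"] != name and expanded.overlaps(ipaddress.ip_network(s["cidr"])):
            raise ValueError(f"{expanded} would overlap {s['name']} ({s['cidr']})")
    return str(expanded)


if __name__ == "__main__":
    print(validate_plan(SAMPLE_PLAN))
    print(expand_subnet(SAMPLE_PLAN["vpc-prod"], "subnet-prod-1", 20))
```

With the sample plan, expanding subnet-prod-1 from /24 to /20 yields 10.0.0.0/20, which still leaves 10.0.16.0/24 untouched; asking for /19 is refused because that range would swallow subnet-prod-2. Leaving a gap of that size between ranges at planning time is what makes later expansion possible without renumbering.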
Your subnets are automatically configured according to best practices. If you want to modify the configuration, in the Google Cloud Setup: VPC Networks page, do the following:
To turn off VPC Flow Logs, from the Flow logs column, select Off.
When flow logs are on, each subnet records network flows that you can analyze for security, cost optimization, and other purposes. For more information, see Use VPC Flow Logs.
VPC Flow Logs incur costs. For more information, see Virtual Private Cloud pricing.
To turn off Private Google Access, from the Private access column, select Off.
When Private Google Access is on, VM instances that don't have external IP addresses can reach Google APIs and services. For more information, see Private Google Access.
To turn on Cloud NAT, from the Cloud NAT column, select On.
When Cloud NAT is on, certain resources can create outbound connections to the internet. For more information, see Cloud NAT overview.
Cloud NAT incurs costs. For more information, see Virtual Private Cloud pricing.
Click Continue to link service projects.
A service project is any project that has been attached to a host project. This attachment allows the service project to participate in Shared VPC. Each service project can be operated and administered by different departments or teams to create a separation of responsibilities.
For more information about connecting multiple projects to a common VPC network, see Shared VPC overview.
To link service projects to your host projects and complete the configuration, do the following:
For each subnet in the Shared VPC networks table, select a service project to connect. To do this, select from the Select a project drop-down in the Service project column.
You can connect a service project to multiple subnets.
Click Continue to Review.
Review your configuration, and make changes.
You can make edits until you deploy your configuration file.
Click Confirm draft configuration. Your network configuration is added to your configuration file.
Your network is not deployed until you deploy your configuration file in a later task.
Set up hybrid connectivity, which helps you connect on-premises servers or other cloud providers to Google Cloud.
Hybrid connectivity
In this task, you establish connections between your peer (on-premises or other cloud) networks and your Google Cloud networks, as in the following diagram.
This process creates an HA VPN, which is a high-availability (HA) solution that you can quickly create to transmit data over the public internet.
After you deploy your Google Cloud configuration, we recommend creating a more robust connection using Cloud Interconnect.
For more information on connections between peer networks and Google Cloud, see the following:
Who performs this task
You must have the Organization Administrator role (roles/resourcemanager.organizationAdmin).
Create low-latency, high-availability connections between your VPC networks and your on-premises or other cloud networks. You configure the following components:
An HA VPN provides a secure and highly available connection between your existing infrastructure and Google Cloud.
Before you begin
Complete the following tasks:
Collect the following information from your peer network administrator:
Do the following to connect your VPC networks to your peer networks:
Sign in as a user with the Organization Administrator role.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud Setup: Hybrid connectivity.
Review the task details by doing the following:
Review the task overview and click Start hybrid connectivity.
Click each tab to learn about hybrid connectivity and click Continue.
See what to expect in each task step and click Continue.
Review the peer gateway configuration information that you need to collect and click Continue.
In the Hybrid connections area, identify the VPC networks that you want to connect, based on your business needs.
In the row for the first network you chose, click Configure.
In the Configuration overview area, read the description and click Next.
In the Google Cloud HA VPN gateway area, do the following:
In the Cloud VPN gateway name field, enter up to 60 characters using lowercase letters, numbers, and hyphens.
In the VPN tunnel inner IP stack type area, select one of the following stack types:
The stack type determines the type of traffic that is allowed in the tunnel between your VPC network and your peer network. You cannot modify the stack type after you create the gateway. For background information, see the following:
Click Next.
In the Peer VPN gateway area, do the following:
In the Peer VPN gateway name field, enter the name provided by your peer network administrator. You can enter up to 60 characters using lowercase letters, numbers, and hyphens.
In the Peer interface IP address 0 field, enter the peer gateway interface external IP address provided by your peer network administrator.
In the Peer interface IP address 1 field, do one of the following:
For background information, see Configure the peer VPN gateway.
Click Next.
In the Cloud Router area, do the following:
In the Cloud router ASN field, enter the Autonomous System Number you want to assign to your Cloud Router, as provided by your peer network administrator. For background information, see Create a Cloud Router.
In the Peer router ASN field, enter your peer network router's Autonomous System Number, as provided by your peer network administrator.
In the VPN tunnel 0 area, do the following:
In the Tunnel 0 name field, enter up to 60 characters using lowercase letters, numbers, and hyphens.
In the IKE version area, select one of the following:
For background information, see Configure VPN tunnels.
In the IKE pre-shared key field, enter the key you use in your peer gateway configuration, as provided by your peer network administrator. If you don't have an existing key, you can click Generate and copy, and then give the key to your peer network administrator.
Note: If you forget the key that you generate in this step, you can find it after you deploy. The key is stored in the gcp-internal-cloud-setup folder in the Hybrid Connectivity Project project. For steps to access a key using Secret Manager, see List secrets and view secret details.
In the VPN tunnel 1 area, repeat the previous step to apply settings for the second tunnel. You configure this tunnel for redundancy and additional throughput.
Click Save.
Repeat these steps for any other VPC networks that you want to connect to your peer network.
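Most of the hybrid connectivity values above come from your peer network administrator, and the console only validates them after you deploy. The following Python script is an added example (not part of this page or of Google Cloud Setup) that checks the collected inputs for one VPC-to-peer connection before you type them in: gateway and tunnel names against the page's naming rule, the peer interface addresses as external IPv4 addresses, the two ASNs, the IKE version, and the presence of two distinct tunnels, plus a generate_psk helper for the case where you have no existing pre-shared key. Three things are assumptions beyond the page: names start with a letter and do not end in a hyphen (a general Compute Engine naming rule), ASNs come from the private ranges, and a local minimum key length of 20 characters; sample_config is constructed and uses the 203.0.113.0/24 documentation range.

```python
import ipaddress
import re
import secrets

# Name rule stated on this page: up to 60 characters of lowercase letters,
# digits and hyphens. Assumed in addition (general Compute Engine naming rule):
# the name starts with a letter and does not end with a hyphen.
NAME_RE = re.compile(r"[a-z]([-a-z0-9]{0,58}[a-z0-9])?")

# Assumed: Cloud Router and peer ASNs are taken from the private ASN ranges.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Address blocks that cannot be a peer gateway's external interface address.
_NOT_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Assumed local policy for the IKE pre-shared key length; the page sets no minimum.
MIN_PSK_LEN = 20


def valid_name(name):
    return NAME_RE.fullmatch(name) is not None


def valid_private_asn(asn):
    return isinstance(asn, int) and any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def usable_external_ipv4(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in n for n in _NOT_EXTERNAL)


def generate_psk(nbytes=32):
    """Random pre-shared key; the same string is configured on the peer gateway."""
    return secrets.token_urlsafe(nbytes)


def validate_hybrid_connection(cfg):
    """Return a list of problems for one VPC-to-peer HA VPN configuration."""
    problems = []
    for key in ("gateway_name", "peer_gateway_name"):
        if not valid_name(cfg.get(key, "")):
            problems.append(f"{key}: must be 1-60 lowercase letters, digits or hyphens")
    ips = cfg.get("peer_interface_ips", [])
    if not 1 <= len(ips) <= 2:
        problems.append("peer_interface_ips: provide one or two interface addresses")
    for ip in ips:
        if not usable_external_ipv4(ip):
            problems.append(f"peer_interface_ips: {ip} is not an external IPv4 address")
    if len(set(ips)) != len(ips):
        problems.append("peer_interface_ips: interface addresses must differ")
    for key in ("cloud_router_asn", "peer_router_asn"):
        if not valid_private_asn(cfg.get(key)):
            problems.append(f"{key}: not a private ASN")
    if cfg.get("cloud_router_asn") == cfg.get("peer_router_asn"):
        problems.append("cloud_router_asn and peer_router_asn must differ")
    tunnels = cfg.get("tunnels", [])
    if len(tunnels) != 2:
        problems.append("tunnels: HA VPN as configured here uses exactly two tunnels")
    names = [t.get("name", "") for t in tunnels]
    if len(set(names)) != len(names):
        problems.append("tunnels: tunnel names must differ")
    for t in tunnels:
        if not valid_name(t.get("name", "")):
            problems.append(f"tunnels: bad name {t.get('name')!r}")
        if t.get("ike_version") not in (1, 2):
            problems.append(f"tunnels: {t.get('name')} has unsupported IKE version {t.get('ike_version')}")
        if len(t.get("psk", "")) < MIN_PSK_LEN:
            problems.append(f"tunnels: {t.get('name')} pre-shared key is shorter than {MIN_PSK_LEN} characters")
    return problems


def sample_config():
    """Constructed example input; 203.0.113.0/24 is a documentation range."""
    return {
        "gateway_name": "vpn-gw-prod",
        "peer_gateway_name": "peer-gw-dc1",
        "peer_interface_ips": ["203.0.113.10", "203.0.113.11"],
        "cloud_router_asn": 65001,
        "peer_router_asn": 65002,
        "tunnels": [
            {"name": "tunnel-0", "ike_version": 2, "psk": generate_psk()},
            {"name": "tunnel-1", "ike_version": 2, "psk": generate_psk()},
        ],
    }


if __name__ == "__main__":
    print(validate_hybrid_connection(sample_config()) or "configuration looks consistent")
```

Treat the pre-shared key like any other secret: hand it to the peer administrator over a channel you already trust, and after deployment rely on the Secret Manager copy the note above describes rather than keeping it in a planning file.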
After you deploy your Google Cloud Setup configuration, complete the following steps to ensure that your network connection is complete:
Work with your peer network administrator to align your peer network with your hybrid connectivity settings. After you deploy, specific instructions are provided for your peer network, including the following:
Validate the network connections you created. For example, you can use Network Intelligence Center to check connectivity between networks. For more information, see Connectivity Tests overview.
If your business needs require a more robust connection, use Cloud Interconnect. For more information, see Choosing a Network Connectivity product.
Deploy your configuration, which includes settings for your hierarchy and access, logging, network, and hybrid connectivity.
Deploy your settings
Deploy or download
As you complete the Google Cloud Setup process, your settings from the following tasks are compiled into Terraform configuration files:
To apply your settings, you review your selections and choose a deployment method.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Deploy configuration files to apply your setup settings.
Why we recommend this task
You must deploy configuration files to apply the settings you selected.
Before you begin
You must complete the following tasks:
The following tasks are recommended:
Do the following to make sure that your configuration settings are complete:
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud Setup: Deploy or download.
Review the configuration settings you selected. Click each of the following tabs and review your settings:
Now that you have reviewed your configuration details, use one of the following options:
Deploy directly from the console: Use this option if you don't have an existing Terraform deployment workflow, and want a simple deployment method. You can deploy using this method only once.
Download and deploy the Terraform file: Use this option if you want to automate resource management using a Terraform deployment workflow. You can download and deploy using this method multiple times.
Deploy using one of the following options:
Deploy directly
If you don't have an existing Terraform workflow and want a simple one-time deployment, you can deploy directly from the console.
Warning: If you plan to deploy using your own Terraform workflow in the future, don't click Deploy directly.
Click Deploy directly.
Wait several minutes for the deployment to complete.
If the deployment fails, do the following:
If you want to iterate on your deployment using your Terraform deployment workflow, download and deploy configuration files.
To download your configuration file, click Download as Terraform.
The package you download contains Terraform configuration files based on the settings you selected in the following tasks:
If you only want to deploy configuration files that are relevant to your responsibilities, you can avoid downloading irrelevant files. To do this, clear the check boxes for the configuration files that you don't need.
Click Download. A terraform.tar.gz package that includes the selected files is downloaded to your local file system.
For detailed deployment steps, see Deploy your foundation using Terraform downloaded from the console.
In this task, you choose a support plan that fits your business needs.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group created in the Users and groups task.
Choose a support plan based on your company's needs.
Why we recommend this task
A premium support plan provides business-critical support to quickly resolve issues with help from experts at Google Cloud.
Choose a support option
You automatically get free Basic Support, which includes access to the following resources:
We recommend that enterprise customers sign up for Premium Support, which offers one-on-one technical support with Google support engineers. To compare support plans, see Google Cloud customer care.
Before you begin
Complete the following tasks:
Identify and select a support option.
Review and select a support plan. For more information, see Google Cloud Customer Care.
Sign in to the Google Cloud console with a user from the gcp-organization-admins@<your-domain>.com group that you created in the Users and groups task.
Go to Google Cloud Setup: Support.
Review the task details and click View support offerings to select a support option.
After you set up your support option, go back to the Google Cloud Setup: Support page and click Mark task as completed.
Now that you have completed the Google Cloud Setup, you are ready to extend your initial setup, deploy prebuilt solutions, and migrate your existing workflows. For more information, see Extend your initial setup and start building.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-02 UTC.