Like Amazon AWS and Microsoft Azure, Google provides a suite of cloud computing services under the name Google Cloud Platform (GCP). GCP runs on the same infrastructure that Google uses for its end-user products, such as Google Search, Gmail, file storage, and YouTube. Google Cloud Platform provides infrastructure as a service, platform as a service, and serverless computing environments.
In this blog, we detail the steps involved in setting up a cloud infrastructure platform for your organization. GCP provides a complete checklist to help you configure Google Cloud for scalable, production-ready enterprise workloads. Although GCP offers a vast number of cloud services to its customers, we concentrate only on the essential services required to build a scalable, production-ready GCP infrastructure.
Prerequisites to configure a GCP
- Users should have a GCP subscription with its super administrator credentials
- Users should have created a valid Organization and a project in which to use GCP services
- Users should have moderate knowledge of computing, network, and storage concepts
- Users should have a complete understanding of their corporate network components and a requirement checklist of the GCP services the company needs
Set up Google Cloud for your organization
Log in to the Google Cloud console using your subscription administrator credentials. You can use the URL https://console.cloud.google.com/. Create an Organization and a Project as per your need. This blog does not cover how to create an Organization or Project. In our case, we have created the Organization testvembudesk.com (usually a company name or domain name) and the default project “My First Project”. The below screenshot shows these details. Users are recommended to create a new project under the Organization.
On the getting started page, you will have the following checklist and the available GCP services. Click on the “Go to the Checklist” button to get more details of the checklists which show the various essential GCP services.
Available Checklists for setting up a Google Cloud Platform
This checklist helps you set up Google Cloud for scalable, production-ready enterprise workloads. The checklist is designed for administrators who are trusted with complete control over the company’s Google Cloud resources. The checklist consists of 10 tasks that have step-by-step procedures. Some tasks can be accomplished in multiple ways; in general, we describe the way that will be helpful to the largest number of users.
- Set up your organization resource
- Add users and groups to your organization
- Set up administrator access to your organization
- Set up billing
- Set up the resource hierarchy
- Set up access control for your resource hierarchy
- Set up support
- Set up networking configuration
- Set up logging and monitoring
- Configure security settings for apps and data
The below screenshot shows these 10 checklists. On clicking each checklist, users may need to set up their organization resources to use GCP services effectively.
Checklist 1: Set up your Organisation resource
Configuring this checklist establishes a cloud identity to centrally organize resources and users. In this very first step, a Google Cloud identity called the Administrator account was already created when you set up your Google identity account. You can create an additional administrator account in this step, or you can declare the task associated with this checklist completed and proceed to the next step.
To use Google Cloud, you must use a Google identity service (either Cloud Identity or Workspace) to administer credentials for users of your Google Cloud resources. Both Cloud Identity and Workspace provide authentication credentials allowing others to access your cloud resources. Workspace offers additional consumer services like Gmail, Google Drive, and other services.
You may need to set up a cloud identity and verify your domain if your organization uses both Google Cloud and Google Workspace. The below screenshot shows this information. After finishing this task, click the “Mark Task as Completed” button.
Once you finish your first checklist, your other checklists are “Open” to use. You can verify that the listed checklists have changed from the “Review” state to the “Open” state.
Checklist 2: Adding users and groups to your Organisation
In this task, you are
- Creating accounts in Cloud Identity or Workspace for people who will help set up your Google Cloud foundation using this checklist
- Creating a set of Google Groups to administer core functions within your organization
- Adding users to the Google Groups who will participate in the checklist tasks
From here, you can log in to the Google Administrator console with the Super Administrator account, and can create Users & Groups. Creating these user accounts and Google Groups is a prerequisite for assigning Cloud Identity and Access Management (Cloud IAM) roles required for a later task.
After completing this task, mark it as completed at the top, by moving the pointer to the right side, to proceed to the next step.
Checklist 3: Set up administrator access to your organization
In this task, you are promoting a few of your created users to an Administrator or group of administrators (if required) to enable central visibility and control over every resource in your Google Cloud organization.
Here you can assign administrative roles to a particular administrator and add administrative permissions that enable you to perform later tasks in the checklist. Also, grant roles to the group at the organization level.
After finishing this task, click the button “Mark task as completed” to move to the next checklist task.
Checklist 4: Set up billing
In this task, you set up a billing account to pay for Google Cloud resources, and you set administrator access for your billing accounts.
Cloud Billing accounts are linked to one or more Google Cloud projects and are used to pay for the resources that you use, such as virtual machines, networking, and storage. Cloud Identity and Access Management (Cloud IAM) roles control access to Cloud Billing accounts.
Team members who are assigned the Billing Account Administrator and Billing Account Creator IAM roles can complete tasks such as managing payments and invoices, setting budgets, creating billing accounts, and associating projects with billing accounts. The roles do not permit team members to view the contents of the projects.
You can set up billing using either an online billing account or invoice-based billing. You can use either of these two options, or an existing billing account if you have already set one up. After assigning a Billing Account Administrator, you can mark the task completed to proceed to the next checklist. The below screenshot shows these details.
Checklist 5: Set up the resource hierarchy
In this task, you create a basic structure for folders and projects in the resource hierarchy.
Folders provide a grouping mechanism and isolation between projects. Projects are the lowest level of the hierarchy. They contain any of your cloud resources, such as virtual machines, databases, and storage buckets. Creating the structure is a requirement for a later task where you set IAM policies to control access at different levels of the resource hierarchy. After setting up the resource hierarchy, you can mark the task completed to proceed to the next checklist.
Checklist 6: Set up access control for your resource hierarchy
In this task, you set up access control for your resource hierarchy by adding Cloud IAM policies to the resources. A Cloud IAM policy is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.
To set permissions, you perform the same basic procedure, but you do it for resources at different levels of the hierarchy (organizations, folders, and projects). We recommend that you use the principle of least privilege and grant the least amount of access that’s necessary to resources at each level. After setting IAM policies on the organization, folder, and project level, you can mark the task completed to proceed to the next checklist.
Checklist 7: Set up support
Choose a support plan based on your company’s needs. Google offers four levels of support. In this checklist, you can choose the level of support your organization needs.
Basic Support – Included with your Google Cloud subscription. Case, phone, and chat support for billing issues only.
Standard Support – Kickstart your cloud journey with unlimited access to technical support to help you troubleshoot, test, and explore.
Enhanced Support – Optimize your cloud experience with high-quality, robust support. Fast response times and additional services to run your cloud, boosting productivity and efficiency.
Premium Support – Premium Support provides proactive engagement and increased operational efficiencies.
You can also enable role-based support. After choosing the support option, you can mark the task completed to proceed to the next checklist.
Checklist 8: Set up networking configuration
In this task, you set up your initial networking configuration. Typically, you need to do the following:
- Design, create and configure a virtual private cloud architecture
- If you have on-premises networking or networking in another cloud provider, configure connectivity between that provider and Google Cloud
- Set up a path for external egress traffic
- Implement network security controls, such as firewall rules
- Choose a preferred ingress traffic option for services that are hosted on the cloud
Typically, this network configuration involves six steps, namely:
- Virtual Private Cloud Architecture
- Create the Shared VPC Network
- Configure connectivity between the external provider and the GCP
- Set up a path for external egress traffic
- Implement network security control
- Choose an ingress traffic option
In this blog, we do not cover every step mentioned above. We have provided an overview of the network architecture, which should be taken into consideration while setting up GCP, depending on the organization’s requirements. After completing the above steps, you can mark the task completed to proceed to the next checklist.
Checklist 9: Set up logging and monitoring
In this task, you set up basic logging and monitoring features using the Cloud Logging and Cloud Monitoring services in GCP.
Comprehensive logging and monitoring are key to maintaining observability in your cloud environment. Configuring appropriate logging retention from the start allows you to build with confidence that an audit trail is preserved, while setting up centralized monitoring gives your team a central dashboard for viewing your environments.
After completing the setup for monitoring and logging, you can mark the task completed to proceed to the final checklist.
Checklist 10: Configure security settings for apps and data
In this task, you configure Google Cloud products to help protect your organization. This includes setting up two GCP products, namely Security Command Center and Organization Policy Service.
Security Command Center – This comprehensive security management and data risk platform enables you to monitor your cloud assets, scan storage systems for sensitive data, detect common web vulnerabilities and review access rights to critical resources.
Organization Policy Service – This service gives you centralized and programmatic control over your organization’s cloud resources.
The below screenshot shows these two services to be configured as per Google recommendation.
Many organizations choose Google Cloud over its competitors because of its advantages in various aspects. For any IT or DevOps administrator, it is essential to build a Google Cloud platform with high security while removing the complexity of building and maintaining a complete GCP environment. GCP offers a complete and comprehensive checklist of best practices to help enterprise customers like you on your journey to Google Cloud. The checklist is not an exhaustive list of recommendations. Instead, its goal is to help enterprise architects and technology stakeholders understand the scope of activities and plan accordingly. Each section provides key actions and includes links for further configuration to use its services effectively at low cost.