Google Cloud Setup guided flow
Before you run workloads on Google Cloud, we recommend that administrators configure a foundation using Google Cloud Setup. A foundation includes fundamental settings that help you organize, manage, and maintain Google Cloud resources.
Using the interactive guide in Google Cloud Setup, you can quickly deploy a default configuration or make adjustments to align with your business needs. This document outlines steps and background information to help you complete the setup process, including the following phases:
- Select a foundation option: Based on the workload that you want to support, select a proof of concept, production, or enhanced security foundation.
- Establish your organization, administrators, and billing: Set up the top-level node of your hierarchy, create initial administrator users and assign access, and connect your payment method.
- Create an initial architecture: Select an initial folder and project structure, apply security settings, configure logging and monitoring, and set up your network.
- Deploy your settings: Your initial architecture choices are compiled in Terraform configuration files. You can quickly deploy through the Google Cloud console, or download the files to customize and iterate using your own workflow. After you deploy, select a support plan.
Select a Google Cloud Setup foundation option
To get started with Google Cloud Setup, you select one of the following foundation options based on your organization's needs:
- Proof of concept: Support proof of concept workloads with basic security in mind. This option guides you through the Organization and Billing tasks. For example, you can select this option to experiment with Google Cloud before making a larger commitment.
- Production: Support production-ready workloads with security and scalability in mind. This option includes all Google Cloud Setup tasks in this document. For example, you can select this option to configure a secure and scalable foundation for your organization.
- Enhanced security: Includes all tasks in the Production foundation, as well as Cloud KMS with Autokey configuration in the Security task. For example, you can select this option if your organization is subject to strict security requirements.
To select a foundation option, do the following:
Go to Google Cloud Setup: Foundations.
Click Start under one of the following options:
- Proof of concept.
- Production.
- Enhanced security.
Do one of the following:
- If you selected the Proof of concept option, see Create a proof of concept foundation.
- If you selected the Production or Enhanced security options, see Establish your organization, administrators, and billing.
Create a proof of concept foundation
A proof of concept foundation helps you perform the following:
- Organization and Billing tasks.
- Create a lightweight deployment that includes the following:
- A folder configured for application management where you can define and manage applications.
- A management project which helps you manage access, billing, observability, and other administrative functions for your applications.
- A standard project where you can deploy resources.
- Organization and billing administrator groups.
- Recommended organization policies.
To create a proof of concept foundation, do the following:
Complete the Organization task.
Configure an identity provider, verify your domain, and generate your organization.
Sign in to the console as the super administrator user you created in the Organization task.
Select the Proof of concept foundation option.
Make sure the organization you created is selected, and click Continue to Billing.
The gcp-organization-admins and gcp-billing-admins groups are created, and you are added as a member of each group.
Note: If you signed up for a free trial, and did not complete the Organization task, the system might not create groups. Instead, the system assigns your user the roles required to complete the remaining steps.
Select or create a billing account. For more information, see the Billing task.
Click Continue to Review and Deploy Foundation.
From the Review and deploy your configuration screen, review the following draft configurations:
Resource hierarchy: Review the folder and projects.
Organization policies: Review the list of recommended organization policies. For more information, see Apply recommended organization policies.
Click Deploy. Your proof of concept foundation is deployed.
To enable billing on the management project, see Link a billing account to your management project.
For information on experimenting and building, see Build your Google Cloud architecture.
Establish your organization, administrators, and billing
Organization
An organization resource in Google Cloud represents your business, and serves as the top level node of your hierarchy. To create your organization, you set up a Google identity service and associate it with your domain. When you complete this process, an organization resource is automatically created.
For an overview of the organization resource, see the following:
Who performs this task
The following two administrators perform this task:
An identity administrator responsible for assigning role-based access. You assign this person as the Cloud Identity super administrator. For more information about the super administrator user, see Prebuilt administrator roles.
A domain administrator with access to the company's domain host. This person edits your domain settings, such as DNS configurations, as part of the domain verification process.
What you do in this task
- If you haven't already, set up Cloud Identity, where you create a managed user account for your super administrator user.
- Link Cloud Identity to your domain (such as example.com).
- Verify your domain. This process creates the root node of your resource hierarchy, known as the organization resource.
Why we recommend this task
You must configure the following as part of your Google Cloud foundation:
- A Google identity service to centrally manage identities.
- An organization resource to establish the root of your hierarchy and access control.
Google identity service options
You use one or both of the following Google identity services to administer credentials for Google Cloud users:
- Cloud Identity: Centrally manages users and groups. You can federate identities between Google and other identity providers. For more information, see Overview of Cloud Identity.
- Google Workspace: Manages users and groups, and provides access to productivity and collaboration products like Gmail and Google Drive. For more information, see Google Workspace.
For detailed information about identity planning, see Planning the onboarding process for your corporate identities.
Before you begin
To understand how to manage a super administrator account, see Super administrator account best practices.
Configure an identity provider and verify your domain
The steps you complete in this task depend on whether you are a new or existing customer. Identify the option that fits your needs:
New customer: Set up Cloud Identity, verify your domain, and create your organization.
Existing Google Workspace customer: Use Google Workspace as your identity provider for users who access Google Workspace and Google Cloud. If you plan to create users who only access Google Cloud, enable Cloud Identity.
Existing Cloud Identity customer: Verify your domain, make sure your organization was created, and confirm that Cloud Identity is enabled.
New Customer: Set up Cloud Identity and create your organization
To create your organization resource, you first set up Cloud Identity, which helps you manage users and groups that access Google Cloud resources.
In this task, you set up Cloud Identity free edition. You can enable Cloud Identity premium edition after you complete your initial setup. For more information, see Compare Cloud Identity features and editions.
Identify the person who serves as the Cloud Identity administrator (also known as the super administrator) in your organization.
Record the administrator's username in the following format: admin-name@example.com. For example, admin-maria@example.com. Specify this username when you create your first administrator user.
To complete the setup process and create the super administrator account, go to the Cloud Identity signup page.
If you get an error when you set up the administrator account, see 'Google Account already exists' error.
Verify your domain and create your organization resource
Cloud Identity requires you to verify that you own your domain. Once the verification is complete, your Google Cloud organization resource is automatically created for you.
Make sure you created a super administrator account when you configured your identity provider.
Verify your domain in Cloud Identity. As you complete the verification process, note the following:
- When prompted, don't click Create new users. You will create new users in a later task.
- If you are unable to sign up your domain, see Can't sign up my domain for a Google service.
- The verification may require several hours to process.
For steps to verify your domain, see Verify your domain.
When you finish the domain verification steps, click Set up Google Cloud console now.
Sign in to the Google Cloud console as the super administrator user using the email address you specified. For example, admin-maria@example.com.
Go to Google Cloud Setup: Organization. Your organization is created automatically.
Select your organization from the Select from drop-down list at the top of the page.
Request additional Cloud Identity user licenses
Cloud Identity free edition includes an allotment of user licenses. For steps to view and request licenses, see Your Cloud Identity free edition user cap.
Existing Google Workspace customer: Verify your domain and enable Cloud Identity
If you are an existing Google Workspace customer, verify your domain, make sure that your organization resource is automatically created, and optionally enable Cloud Identity.
To verify your domain in Google Workspace, see Verify your domain. As you complete the verification process, note the following:
- When prompted, don't click Create new users. You will create new users in a later task.
- If you are unable to sign up your domain, see Can't sign up my domain for a Google service.
- The verification may require several hours to process.
Sign in to the Google Cloud console as the super administrator user.
Go to Google Cloud Setup: Organization.
Select I'm a current Google Workspace customer.
Make sure that your organization name is displayed in the Organization list.
If you want to create users who access Google Cloud, but don't receive Google Workspace licenses, do the following:
In Google Workspace, Enable Cloud Identity.
When you set up Cloud Identity, Disable automatic Google Workspace licensing.
Existing Cloud Identity customer: Verify your domain
If you are an existing Cloud Identity customer, make sure you have verified your domain, and that your organization resource was automatically created.
To make sure that you have verified your domain, see Verify your domain. As you complete the verification process, note the following:
- When prompted, don't click Create new users. You will create new users in a later task.
- If you are unable to sign up your domain, see Can't sign up my domain for a Google service.
- The verification may require several hours to process.
Sign in to the Google Cloud console as the super administrator user.
Go to Google Cloud Setup: Organization.
Select I'm a current Cloud Identity customer.
Make sure that your organization name is displayed in the Organization list.
Make sure that Cloud Identity is enabled in Google Admin console: Subscriptions. Sign in as a super administrator user.
What's next
Users and groups
In this task, you set up identities, users, and groups to manage access to Google Cloud resources.
For more information on access management on Google Cloud, see the following:
- Identity and Access Management (IAM) overview.
- For best practices, see Use IAM securely.
Who performs this task
You can perform this task if you have one of the following:
- The Google Workspace or Cloud Identity super administrator that you created in the Organization task.
- One of the following IAM roles:
  - Organization Administrator (roles/resourcemanager.organizationAdmin).
  - Workforce Identity Pool Admin (roles/iam.workforcePoolAdmin).
What you do in this task
Connect to Cloud Identity or your external identity provider (IdP).
Create administrative groups and users that will perform the remainder of the Google Cloud Setup steps. You grant access to these groups in a later task.
Why we recommend this task
This task helps you implement the following security best practices:
Principle of least privilege: Give users the minimum permissions required to perform their role, and remove access as soon as it is no longer needed.
Role-based access control (RBAC): Assign permissions to groups of users according to their job role. Do not add permissions to individual user accounts.
You can use groups to efficiently apply IAM roles to a collection of users. This practice helps you simplify access management.
Select an identity provider
You can use one of the following to manage users and groups, and connect them to Google Cloud:
- Google Workspace or Cloud Identity: You create and manage users and groups in Google Workspace or Cloud Identity. You can choose to synchronize with your external identity provider later.
- Your external identity provider, such as Microsoft Entra ID or Okta: You create and manage users and groups in your external identity provider. You then connect your provider to Google Cloud to enable single sign-on.
To select your identity provider, do the following:
Sign in to the Google Cloud console as one of the users you identified in Who performs this task.
Go to Google Cloud Setup: Users & groups.
Review the task details and click Continue identity setup.
On the Select your identity provider page, select one of the following to begin a guided setup:
- Use Google to centrally manage Google Cloud users: Use Google Workspace or Cloud Identity to provision and manage users and groups as a super administrator of your verified domain. You can later synchronize with your external identity provider.
- Microsoft Entra ID (Azure AD): Use OpenID Connect to configure a connection to Microsoft Entra ID.
- Okta: Use OpenID Connect to configure a connection to Okta.
- OpenID Connect: Use the OpenID protocol to connect to a compatible identity provider.
- SAML: Use the SAML protocol to connect to a compatible identity provider.
- Skip setting up an external IdP for now: If you have an external identity provider and you're not ready to connect it to Google Cloud, you can create users and groups in Google Workspace or Cloud Identity.
Click Continue.
See one of the following for next steps:
Create users and groups in Cloud Identity
If you don't have an existing identity provider, or if you're not ready to connect your identity provider to Google Cloud, you can create and manage users and groups in Cloud Identity or Google Workspace. To create users and groups, you do the following:
- Create a group for each recommended administrative function, including organization, billing, and network administration.
- Create managed user accounts for administrators.
- Assign users to administrative groups that correspond to their responsibilities.
Before you begin
Find and migrate users that already have Google Accounts. For detailed information, see Add users with unmanaged accounts.
You must be a super administrator.
Create administrative groups
A group is a named collection of Google Accounts and service accounts. Each group has a unique email address, such as gcp-billing-admins@example.com. You create groups to manage users and apply IAM roles at scale.
The following groups are recommended to help you administer your organization's core functions and complete the Google Cloud Setup process.
| Group | Description |
| --- | --- |
| gcp-organization-admins | Administer all organization resources. Assign this role only to your most trusted users. |
| gcp-billing-admins | Set up billing accounts and monitor usage. |
| gcp-network-admins | Create Virtual Private Cloud networks, subnets, and firewall rules. |
| gcp-hybrid-connectivity-admins | Create network devices such as Cloud VPN instances and Cloud Router. |
| gcp-logging-monitoring-admins | Use all Cloud Logging and Cloud Monitoring features. |
| gcp-logging-monitoring-viewers | Read-only access to a subset of logs and monitoring data. |
| gcp-security-admins | Establish and manage security policies for the entire organization, including access management and organization constraint policies. See the Google Cloud enterprise foundations blueprint for more information about planning your Google Cloud security infrastructure. |
| gcp-developers | Design, code, and test applications. |
| gcp-devops | Create or manage end-to-end pipelines that support continuous integration and delivery, monitoring, and system provisioning. |
To create administrative groups, do the following:
On the Create Groups page, review the list of recommended administrative groups, and then do one of the following:
- To create all recommended groups, click Create all groups.
- If you want to create a subset of the recommended groups, click Create in the chosen rows.
Click Continue.
Create administrative users
We recommend that you initially add users who complete organizational, networking, billing, and other setup procedures. You can add other users after you complete the Google Cloud Setup process.
To add administrative users who perform Google Cloud Setup tasks, do the following:
Migrate consumer accounts to managed user accounts controlled by Cloud Identity. For detailed steps, see the following:
Sign in to Google Admin console using a super administrator account.
Use one of the following options to add users:
- To bulk add users, see Add or update multiple users from a CSV file.
- To add users individually, see Add an account for a new user.
When you're done adding users, return to Google Cloud Setup: Users & groups (Create users).
Click Continue.
Add administrative users to groups
Add the users you created to administrative groups that correspond to their duties.
- Make sure you created administrative users.
In Google Cloud Setup: Users & groups (Add users to groups), review the step details.
In each Group row, do the following:
- Click Add members.
- Enter the user's email address.
From the Group role drop-down list, select the user's group permission settings. For more information, see Set who can view, post, and moderate.
Each member inherits all IAM roles you grant to a group, regardless of the group role you select.
To add another user to this group, click Add another member and repeat these steps. We recommend that you add more than one member to each group.
When you're done adding users to this group, click Save.
When you're done with all groups, click Confirm users & groups.
If you want to federate your identity provider into Google Cloud, see the following:
- Reference architectures: using an external IdP.
- To automatically provision users and enable single sign-on, see the following:
- To sync Active Directory users and groups to Google Cloud, use Directory Sync or Google Cloud Directory Sync.
- For a comparison, see Compare Directory Sync with GCDS.
Connect your external identity provider to Google Cloud
You can use your existing identity provider to create and manage groups and users. You configure single sign-on to Google Cloud by setting up workforce identity federation with your external identity provider. For key concepts of this process, see Workforce Identity Federation.
To connect your external identity provider, you complete a guided setup that includes the following steps:
- Create a workforce pool: A workforce identity pool helps you manage identities and their access to resources. You enter the following details in a human-readable format.
  - Workforce pool ID: A globally unique identifier used in IAM.
  - Provider ID: A name for your provider, which users will specify when they log in to Google Cloud.
- Configure Google Cloud in your provider: The guided setup includes specific steps for your provider.
- Enter your provider's workforce pool details: To add your provider as a trusted authority to assert identities, retrieve details from your provider and add them to Google Cloud.
- Configure an initial set of administrative groups: The guided setup includes specific steps for your provider. You assign groups in your provider and establish a connection to Google Cloud. For a detailed description of each group, see Create administrative groups.
- Assign users to each group: We recommend that you assign more than one user to each group.
For background information on the connection process for each provider, see the following:
- Configure Workforce Identity Federation with Azure AD and sign in users.
- Configure Workforce Identity Federation with Okta and sign in users.
- For other providers that support OIDC or SAML, see Configure Workforce Identity Federation.
What's next
Administrative access
In this task, you use Identity and Access Management (IAM) to assign collections of permissions to groups of administrators at the organization level. This process gives administrators central visibility and control over every cloud resource that belongs to your organization.
For an overview of Identity and Access Management in Google Cloud, see IAM overview.
Who performs this task
To perform this task, you must be one of the following:
- A super administrator user.
- A user with the Organization Administrator role (roles/resourcemanager.organizationAdmin).
What you do in this task
Review a list of default roles assigned to each administrator group that you created in the Users and groups task.
If you want to customize a group, you can do the following:
- Add or remove roles.
- If you do not plan to use a group, you can delete it.
Why we recommend this task
You must explicitly grant all administrative roles for your organization. This task helps you implement the following security best practices:
Principle of least privilege: Give users the minimum permissions required to perform their jobs, and remove access as soon as it is no longer needed.
Role-based access control (RBAC): Assign permissions to groups of users according to their jobs. Do not grant roles to individual user accounts.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
Grant access to administrator groups
To grant appropriate access to each administrator group that you created in the Users and groups task, review the default roles that are assigned to each group. You can add or remove roles to customize each group's access.
Make sure that you are logged in to the Google Cloud console as a super administrator user.
Alternatively, you can sign in as a user with the Organization Administrator role (roles/resourcemanager.organizationAdmin).
Go to Google Cloud Setup: Administrative access.
Select your organization name from the Select from drop-down list at the top of the page.
Review the task overview and click Continue administrative access.
Review the groups in the Group (Principal) column that you created in the Users & groups task.
Note: If you don't plan to use a group, you can delete it.
For each group, review the default IAM roles. You can add or remove roles assigned to each group to fit the unique needs of your organization.
Each role contains multiple permissions that allow users to perform relevant tasks. For more information about the permissions in each role, see IAM basic and predefined roles reference.
When you are ready to assign roles to each group, click Save and grant access.
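After the roles are saved, it is worth checking the resulting organization policy against the practices this task and the Users and groups task describe: roles bound to groups rather than individual users, no basic roles at the organization level, and organization-wide administration kept with gcp-organization-admins. The following Python script is an added example, not code from the Google Cloud documentation. It reads a policy in the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` prints; the sample policy and the example.com domain are constructed, and the rule that only gcp-organization-admins should hold roles/resourcemanager.organizationAdmin is an assumption drawn from the group table, not a rule the setup flow enforces.

```python
"""Audit an organization-level IAM policy for the group-based,
least-privilege layout that Google Cloud Setup recommends.

Added example, not part of the Google Cloud documentation. The input is a
policy in the JSON shape that
`gcloud organizations get-iam-policy ORG_ID --format=json` prints.
"""
import json

DOMAIN = "example.com"  # placeholder for your verified domain

# Administrative groups recommended in the Users and groups task.
RECOMMENDED_GROUPS = {
    "gcp-organization-admins", "gcp-billing-admins", "gcp-network-admins",
    "gcp-hybrid-connectivity-admins", "gcp-logging-monitoring-admins",
    "gcp-logging-monitoring-viewers", "gcp-security-admins",
    "gcp-developers", "gcp-devops",
}

# Assumption for this example: organization-wide administration is reserved
# for gcp-organization-admins, as the group table describes.
ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"
ORG_ADMIN_GROUP = "gcp-organization-admins"

# Basic roles bundle broad permissions across every service.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def load_policy(text: str) -> dict:
    """Parse the JSON policy document."""
    return json.loads(text)


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per deviation from the recommended layout."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in BASIC_ROLES:
            findings.append(f"{role}: basic role at organization level; prefer a predefined role")
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"{role}: granted to public principal {kind}")
            elif kind == "user":
                findings.append(f"{role}: granted to individual user {ident}; grant to a group instead")
            elif kind == "group":
                name, _, group_domain = ident.partition("@")
                if group_domain != DOMAIN:
                    findings.append(f"{role}: group {ident} is outside {DOMAIN}")
                if role == ORG_ADMIN_ROLE and name != ORG_ADMIN_GROUP:
                    findings.append(f"{role}: granted to {ident}; reserve for {ORG_ADMIN_GROUP}@{DOMAIN}")
    return findings


def audit_policy_json(text: str) -> list[str]:
    return audit_policy(load_policy(text))


def unused_recommended_groups(policy: dict) -> set[str]:
    """Recommended groups that hold no role at all (created but never granted)."""
    bound = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind == "group" and ident.endswith("@" + DOMAIN):
                bound.add(ident[: -len(DOMAIN) - 1])
    return RECOMMENDED_GROUPS - bound


# Constructed sample policy; not taken from any real organization.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:gcp-organization-admins@example.com",
                 "group:gcp-developers@example.com"]},
    {"role": "roles/billing.admin",
     "members": ["group:gcp-billing-admins@example.com",
                 "user:admin-maria@example.com"]},
    {"role": "roles/editor",
     "members": ["group:gcp-devops@partner.example"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "BwXConstructedEtag",
  "version": 1
}
"""

if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for finding in audit_policy(policy):
        print("FINDING:", finding)
    print("groups without any binding:", sorted(unused_recommended_groups(policy)))
```

Run it against a saved policy with `python audit.py` after replacing `SAMPLE_POLICY_JSON` with the file contents; the unused-group check is useful after "Create all groups", because a group that was created but never bound is often a sign that a step was skipped rather than a deliberate choice.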
What's next
Set up billing.
Billing
In this task, you set up a billing account to pay for Google Cloud resources. To do this, you associate one of the following with your organization.
An existing Cloud Billing account. If you don't have access to the account, you can request access from your billing account administrator.
A new Cloud Billing account.
For more information on billing, see theCloud Billing documentation.
Who performs this task
A person in the gcp-billing-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
- Create or use an existing self-serve Cloud Billing account.
- Decide whether to transition from a self-serve account to an invoiced account.
- Set up a Cloud Billing account and payment method.
Why we recommend this task
Cloud Billing accounts are linked to one or more Google Cloud projects and are used to pay for the resources you use, such as virtual machines, networking, and storage.
Determine your billing account type
The billing account that you associate with your organization is one of the following types.
Self-serve (or online): Sign up online using a credit or debit card. We recommend this option if you are a small business or individual. When you sign up online for a billing account, your account is automatically set up as a self-serve account.
Invoiced (or offline): If you already have a self-serve billing account, you might be eligible to apply for invoiced billing if your business meets eligibility requirements.
You cannot create an invoiced account online, but you can apply to convert a self-serve account to an invoiced account.
For more information, see Cloud Billing account types.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Set up the billing account
Now that you have chosen a billing account type, associate the billing account with your organization. When you complete this process, you can use your billing account to pay for Google Cloud resources.
Sign in to the Google Cloud console as a user from the gcp-billing-admins@YOUR_DOMAIN group.
Go to Google Cloud Setup: Billing.
Review the task overview, and then click Continue billing.
Select one of the following billing account options:
Create a new account
If your organization does not have an existing account, create a new account.
- Select I want to create a new billing account.
- Click Continue.
Select the billing account type you want to create. For detailed steps, see the following:
- To create a new self-serve account, see Create a new self-serve Cloud Billing account.
- To transition an existing self-serve account to invoiced billing, see Apply for monthly invoiced billing.
Verify that your billing account was created:
If you created an invoiced account, wait up to 5 business days to receive email confirmation.
Go to the Billing page.
Select your organization from the Select from list at the top of the page. If the account was created successfully, it is displayed in the billing account list.
Use my existing account
If you have an existing billing account, you can associate it with your organization.
- Select I identified a billing account from this list that I would like to use to complete the setup steps.
- From the Billing drop-down list, select the account you want to associate with your organization.
- Click Continue.
- Review the details and click Confirm billing account.
Use another user's account
If another user has access to an existing billing account, you can ask that user to associate the billing account with your organization, or the user can give you access to complete the association.
- Select I want to use a billing account that's managed by another Google user account.
- Click Continue.
- Enter the billing account administrator's email address.
- Click Contact administrator.
- Wait for the billing account administrator to contact you with further instructions.
What's next
Create an initial architecture
Hierarchy and access
In this task, you set up your resource hierarchy by creating and assigning access to the following resources:
- Folders: Provide a grouping mechanism and isolation boundaries between projects. For example, folders can represent departments in your organization such as finance or retail. The environment folders, such as Production, in your resource hierarchy are configured for application management. You can define and manage applications in these folders.
- Projects: Contain your Google Cloud resources, such as virtual machines, databases and storage buckets. Each of the environment folders also contains a management project, which helps you manage access, billing, observability and other administrative functions for your applications.
For design considerations and best practices to organize your resources in projects, see Decide a resource hierarchy for your Google Cloud landing zone.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task can perform this task.
What you do in this task
- Create an initial hierarchy structure that includes folders and projects.
- Set IAM policies to control access to your folders and projects.
Why we recommend this task
Creating a structure for folders and projects helps you manage Google Cloud resources and applications. You can use the structure to assign access based on the way your organization operates. For example, you might organize and provide access based on your organization's unique collection of geographic regions, subsidiary structures, or accountability frameworks.
Plan the resource hierarchy
Your resource hierarchy helps you create boundaries, and share resources across your organization for common tasks. You create your hierarchy using one of the following initial configurations, based on your organization structure:
Simple environment-oriented:
- Isolate environments like Non-production and Production.
- Implement distinct policies, regulatory requirements, and access controls in each environment folder.
- Good for small companies with centralized environments.
Simple team-oriented:
- Isolate teams like Development and QA.
- Isolate access to resources using child environment folders under each team folder.
- Good for small companies with autonomous teams.
Environment-oriented:
- Prioritize the isolation of environments like Non-production and Production.
- Under each environment folder, isolate business units.
- Under each business unit, isolate teams.
- Good for large companies with centralized environments.
Business unit-oriented:
- Prioritize the isolation of business units like Human Resources and Engineering to help ensure that users can only access the resources and data they need.
- Under each business unit, isolate teams.
- Under each team, isolate environments.
- Good for large companies with autonomous teams.
Each configuration has a Common folder for projects that contain shared resources. This might include logging and monitoring projects.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
Configure initial folders and projects
Select the resource hierarchy that represents your organization structure.
Important: If you already have existing folders and projects in your organization, the new resource hierarchy you create appears alongside your existing resources. If there are existing resources that are identical to resources in the proposed hierarchy, they are automatically merged.
To configure initial folders and projects, do the following:
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group you created in the Users and groups task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud Setup: Hierarchy & access.
Review the task overview, and then click Start next to Resource hierarchy.
Select a starting configuration.
ClickContinue and configure.
Customize your resource hierarchy to reflect your organizational structure. For example, you can customize the following:
- Folder names.
Service projects for each team. To grant access to service projects, you can create the following:
- A group for each service project.
- Users in each group.
For an overview of service projects, seeShared VPC.
Projects required for monitoring, logging, and networking.
Custom projects.
ClickContinue.
Grant access to your folders and projects
In the Administrative access task, you granted administrative access to groups at the organization level. In this task, you configure access to groups that interact with your newly configured folders and projects.
Tip: We recommend that you implement the principle of least privilege by granting the least amount of access that's necessary to resources at each level.
Projects, folders, and organizations each have their own IAM policies, which are inherited through the resource hierarchy:
- Organization: Policies apply to all folders and projects in the organization.
- Folder: Policies apply to projects and other folders within the folder.
- Project: Policies apply only to that project and its resources.
Update the IAM policies for your folders and projects:
In the Configure access control section of Hierarchy & access, grant your groups access to your folders and projects:
In the table, review the list of recommended IAM roles granted to each group for each resource.
If you want to modify the roles assigned to each group, click Edit in the desired row.
For more information about each role, see IAM basic and predefined roles.
Click Continue.
Review your changes and click Confirm draft configuration.
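The folder layout and folder-level versus project-level grants described above, written out as an added Terraform example (this is not the configuration that Google Cloud Setup generates). The organization ID, billing account, project ID and group domain are placeholders; the group names and roles are the ones this page uses.

```hcl
# Added example, not the Terraform that Google Cloud Setup generates.
# Placeholders: the organization ID, billing account, project ID and group domain.
variable "org_id" {
  default = "123456789012" # placeholder organization ID
}

variable "billing_account" {
  default = "000000-AAAAAA-BBBBBB" # placeholder billing account ID
}

variable "domain" {
  default = "example.com" # domain of the groups created in the Users and groups task
}

# Simple environment-oriented layout: a Common folder plus one folder per environment.
resource "google_folder" "common" {
  display_name = "Common"
  parent       = "organizations/${var.org_id}"
}

resource "google_folder" "non_production" {
  display_name = "Non-production"
  parent       = "organizations/${var.org_id}"
}

resource "google_folder" "production" {
  display_name = "Production"
  parent       = "organizations/${var.org_id}"
}

# Shared logging project under Common. Its billing link is what the
# "Configure billing for management projects" step refers to.
resource "google_project" "logging" {
  name            = "logging"
  project_id      = "example-logging-0001" # placeholder, must be globally unique
  folder_id       = google_folder.common.name
  billing_account = var.billing_account
}

# Folder-level grant: inherited by every project under Production (for example
# the production Shared VPC host project) and by nothing outside that folder.
resource "google_folder_iam_member" "prod_network_admins" {
  folder = google_folder.production.name
  role   = "roles/compute.networkAdmin"
  member = "group:gcp-network-admins@${var.domain}"
}

# Project-level grant: applies only to the logging project and its resources,
# so the logging team gets no standing access to workload projects.
resource "google_project_iam_member" "logging_admins" {
  project = google_project.logging.project_id
  role    = "roles/logging.admin"
  member  = "group:gcp-logging-monitoring-admins@${var.domain}"
}
```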
Configure billing for management projects
After you deploy your configuration, you must configure billing for each management project. The billing account is required to pay for APIs that have associated costs. For more information, see Link a billing account for the management project.
What's next
Security
In this task, you configure security settings and products to help protect your organization.
Important: The policies you apply in this task are a first step in configuring security. Your organization's unique challenges require you to perform security audits, understand the attack surface for your architecture, and so on.
Who performs this task
You must have one of the following to complete this task:
- The Organization Administrator role (roles/resourcemanager.organizationAdmin).
- Membership in one of the following groups that you created in the Users and groups task:
  - gcp-organization-admins@<your-domain>.com
  - gcp-security-admins@<your-domain>.com
What you do in this task
Apply recommended organization policies based on the following categories:
- Access management.
- Service account behavior.
- VPC network configuration.
- Cloud KMS with Autokey (only available for the Enhanced security foundation option).
You also enable Security Command Center to centralize vulnerability and threat reporting.
Why we recommend this task
Applying recommended organization policies helps you limit user actions that don't align with your security posture.
Enabling Security Command Center helps you create a central location to analyze vulnerabilities and threats.
Enforcing and automating Cloud KMS with Autokey helps you use customer-managed encryption keys (CMEKs) consistently to protect your resources.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Start the security task
Sign in to the Google Cloud console with a user you identified in Who performs this task.
Select your organization from the Select from drop-down at the top of the page.
Go to Google Cloud Setup: Security.
Review the task overview, and then click Start Security.
Centralize vulnerability and threat reporting
To centralize vulnerability and threat reporting services, enable Security Command Center. This helps you strengthen your security posture and mitigate risks. For more information, see Security Command Center overview.
On the Google Cloud Setup: Security page, make sure that the Enable Security Command Center: Standard checkbox is enabled.
This task enables the free Standard tier. You can upgrade to the Premium version at a later time. For more information, see Security Command Center service tiers.
Click Apply SCC settings.
Apply recommended organization policies
Organization policies apply at the organization level, and are inherited by folders and projects. In this task, review and apply the list of recommended policies. You can modify organization policies at any time. For more information, see Introduction to the Organization Policy Service.
Review the list of recommended organization policies. If you don't want to apply a recommended policy, click its checkbox to remove it.
For a detailed explanation of each organization policy, see Organization policy constraints.
Click Confirm organization policy configurations.
The organization policies that you select are applied when you deploy your configuration in a later task.
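An added Terraform example (not the page's generated configuration) of how organization policies in two of the categories above behave under inheritance: two constraints enforced at the organization level, and one folder-level override that narrows the exception to a single instance. The organization ID, folder ID and instance path are placeholders; the constraint names are real Organization Policy constraints.

```hcl
# Added example, not the Terraform that Google Cloud Setup generates.
# Placeholders: var.org_id, var.nonprod_folder_id and the instance path.
variable "org_id" {
  default = "123456789012" # placeholder organization ID
}

variable "nonprod_folder_id" {
  default = "222222222222" # placeholder numeric ID of the Non-production folder
}

# Service account behavior: no user-managed service account keys anywhere in
# the organization. Boolean constraints take enforce = "TRUE" / "FALSE".
resource "google_org_policy_policy" "disable_sa_keys" {
  name   = "organizations/${var.org_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# Access management: require OS Login for SSH to Compute Engine instances.
resource "google_org_policy_policy" "require_os_login" {
  name   = "organizations/${var.org_id}/policies/compute.requireOsLogin"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# VPC network configuration: deny external IP addresses on VM instances.
# List constraints use deny_all / allow_all or explicit values.
resource "google_org_policy_policy" "no_external_ips" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Folder-level override: inheritance is switched off for this folder only, and
# exactly one named instance (placeholder path) may have an external IP. Every
# other folder keeps the organization-wide deny.
resource "google_org_policy_policy" "nonprod_external_ip_exception" {
  name   = "folders/${var.nonprod_folder_id}/policies/compute.vmExternalIpAccess"
  parent = "folders/${var.nonprod_folder_id}"

  spec {
    inherit_from_parent = false
    rules {
      values {
        allowed_values = [
          "projects/example-nonprod-0001/zones/us-central1-a/instances/bastion-vm",
        ]
      }
    }
  }
}
```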
Enforce and automate customer encryption keys
Cloud KMS with Autokey lets developers in your organization create symmetric encryption keys when required to protect your Google Cloud resources. You can configure Cloud KMS with Autokey if you selected the Enhanced security foundation option.
Note: Cloud KMS with Autokey includes a free allotment of active key versions. You might incur costs as your resource utilization increases. For pricing details, see Cloud KMS pricing.
- Review the description of Cloud KMS with Autokey, and then for Use Cloud KMS with Autokey and apply organizational policies, click Yes (recommended).
- Click Confirm key management configuration.
The following configurations are applied when you deploy your configuration in a later task:
- Set up an Autokey project in each environment folder of your hierarchy.
- Enable Cloud KMS with Autokey on the environment folders.
- Require the use of customer-managed encryption keys (CMEKs) for resources created in each environment folder.
- Restrict each folder to only use Cloud KMS keys in the Autokey project for that folder.
What's next
Central logging and monitoring
In this task, you configure the following:
- Central logging to help you analyze and gain insights from logs for all projects in your organization.
- Central monitoring to help you visualize metrics across all projects created in this setup.
Who performs this task
To set up logging and monitoring, you must have one of the following:
- The Logging Admin (roles/logging.admin) and Monitoring Admin (roles/monitoring.admin) roles.
- Membership in one of the following groups that you created in the Users and groups task:
  - gcp-organization-admins@YOUR_DOMAIN
  - gcp-security-admins@YOUR_DOMAIN
  - gcp-logging-monitoring-admins@YOUR_DOMAIN
What you do in this task
You do the following in this task:
- Centrally organize logs that are created in projects across your organization to help with security, auditing, and compliance.
- Configure a central monitoring project to have access to monitoring metrics across the projects you created in this setup.
Why we recommend this task
Log storage and retention simplifies analysis and preserves your audit trail. Central monitoring gives you a view of metrics in one place.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
Centrally organize logging
Cloud Logging helps you store, search, analyze, monitor, and alert on log data and events from Google Cloud. You can also collect and process logs from your applications, on-premises resources, and other clouds. We recommend that you use Cloud Logging to consolidate logs into a single log bucket.
Note: Cloud Logging includes a free monthly allotment. You might incur costs as your resource utilization increases. For pricing details, see Cloud Logging pricing summary.
For more information, see the following:
- For an overview, see Routing and storage overview.
- For information on logging on-premises resources, see Logging on-premises resources with BindPlane.
- For steps to change the log filter after you deploy your configuration, see Inclusion filters.
To store your log data in a central log bucket, do the following:
Sign in to the Google Cloud console as a user that you identified in Who performs this task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud Setup: Central logging and monitoring.
Review the task overview and click Start central logging & monitoring.
Review the task details.
To route logs to a central log bucket, ensure that Store organization-level audit logs in a logs bucket is selected.
Expand Route logs to a Logging log bucket and do the following:
In the Log bucket name field, enter a name for the central log bucket.
From the Log bucket region list, select the region where your log data is stored.
For more information, see Log bucket locations.
By default, logs are stored for 30 days. We recommend that large enterprises store logs for 365 days. To customize the retention period, enter the number of days in the Retention period field.
Logs stored for longer than 30 days incur a retention cost. For more information, see Cloud Logging pricing summary.
Export logs outside of Google Cloud
If you want to export logs to a destination outside of Google Cloud, you can export using Pub/Sub. For example, if you use multiple cloud providers, you might decide to export log data from each cloud provider to a third-party tool.
You can filter the logs you export to meet your unique needs and requirements. For example, you might choose to limit the types of logs you export to control costs or to reduce noise in your data.
For more information about exporting logs, see the following:
- For an overview, see What is Pub/Sub?
- For pricing information, see the following:
- For information on streaming to Splunk, see Stream logs from Google Cloud to Splunk.
To export logs, do the following:
Click Stream your logs to other applications, other repositories, or third parties.
In the Pub/Sub topic ID field, enter an identifier for the topic that contains your exported logs. For information on subscribing to a topic, see Pull subscriptions.
To select logs to export, do the following:
For information about each log type, see Understand Cloud Audit Logs.
To prevent one of the following recommended logs from being exported, click the Inclusion filter list and clear the log checkbox:
- Cloud Audit logs: Admin Activity: API calls or actions that modify resource configuration or metadata.
- Cloud Audit logs: System Event: Google Cloud actions that modify resource configuration.
- Access Transparency: Actions that Google personnel take when accessing customer content.
Select the following additional logs to export them:
- Cloud Audit logs: Data Access: API calls that read resource configuration or metadata, and user-driven API calls that create, modify, or read user-provided resource data.
- Cloud Audit logs: Policy Denied: Google Cloud service access denials to user or service accounts, based on security policy violations.
The logs you select in this step are exported only if they are enabled in your projects or resources. For steps to change the log filter for your projects and resources after you deploy your configuration, see Inclusion filters.
Click OK.
Click Continue to Monitoring.
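The two routes this task sets up, the central log bucket with 365-day retention and the filtered Pub/Sub export, as an added Terraform example (not the configuration Google Cloud Setup generates). The organization ID, logging project ID, bucket and topic names are placeholders; the inclusion filter carries the three recommended log types, with the two optional types noted in the comment.

```hcl
# Added example, not the Terraform that Google Cloud Setup generates.
# Placeholders: var.org_id, var.logging_project_id, bucket and topic names.
variable "org_id" {
  default = "123456789012" # placeholder organization ID
}

variable "logging_project_id" {
  default = "example-logging-0001" # placeholder project under the Common folder
}

# Central log bucket. The location cannot be changed after creation, and
# retention beyond the 30-day default is billed.
resource "google_logging_project_bucket_config" "central" {
  project        = var.logging_project_id
  location       = "us-central1"
  bucket_id      = "central-audit-logs"
  retention_days = 365
}

# Organization-level sink: include_children routes audit logs from every
# folder and project in the organization into the central bucket.
resource "google_logging_organization_sink" "audit_to_bucket" {
  name             = "org-audit-logs-to-bucket"
  org_id           = var.org_id
  include_children = true
  destination      = "logging.googleapis.com/${google_logging_project_bucket_config.central.id}"
  filter           = "logName:\"cloudaudit.googleapis.com\""
}

# Pub/Sub topic that an external tool (for example a SIEM) subscribes to.
resource "google_pubsub_topic" "log_export" {
  project = var.logging_project_id
  name    = "org-audit-log-export"
}

# Export sink with the recommended inclusion filter: Admin Activity, System
# Event and Access Transparency. Data Access (%2Fdata_access) and Policy
# Denied (%2Fpolicy) are left out here; add them to the filter to export them.
resource "google_logging_organization_sink" "audit_to_pubsub" {
  name             = "org-audit-logs-to-pubsub"
  org_id           = var.org_id
  include_children = true
  destination      = "pubsub.googleapis.com/${google_pubsub_topic.log_export.id}"
  filter           = <<-EOT
    logName:"cloudaudit.googleapis.com%2Factivity"
    OR logName:"cloudaudit.googleapis.com%2Fsystem_event"
    OR logName:"cloudaudit.googleapis.com%2Faccess_transparency"
  EOT
}

# Each sink writes with its own service account (writer_identity), which must
# be granted write access at its destination or the route silently fails.
resource "google_project_iam_member" "bucket_writer" {
  project = var.logging_project_id
  role    = "roles/logging.bucketWriter"
  member  = google_logging_organization_sink.audit_to_bucket.writer_identity
}

resource "google_pubsub_topic_iam_member" "topic_publisher" {
  project = var.logging_project_id
  topic   = google_pubsub_topic.log_export.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_organization_sink.audit_to_pubsub.writer_identity
}
```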
Set up central monitoring
Preview
This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Central monitoring helps you analyze system health, performance, and security for multiple projects. In this task, you add the projects that you created during the Hierarchy and access task to a scoping project. You can then monitor those projects from the scoping project. After you complete Google Cloud Setup, you can configure other projects to be monitored by the scoping project.
For more information, see Metrics scope overview.
To set up central monitoring, do the following:
To configure projects created during Google Cloud Setup for central monitoring, ensure that Use central monitoring is selected.
Projects that you created during Google Cloud Setup are added to the metrics scope of the listed Scoping project.
Cloud Monitoring includes a free monthly allotment. For more information, see Cloud Monitoring pricing summary.
For steps to configure projects that you create outside of Google Cloud Setup, see the following:
Complete the configuration
To complete the logging and monitoring task, do the following:
Click Confirm Configuration.
Review your logging and monitoring configuration details. Your configuration isn't deployed until you deploy your settings in a later task.
What's next
VPC networks
In this task, you set up your initial networking configuration, which you canscale as your needs change.
Virtual Private Cloud architecture
A Virtual Private Cloud (VPC) network is a virtual version of a physical network that is implemented inside of Google's production network. A VPC network is a global resource that consists of regional subnetworks (subnets).
VPC networks provide networking capabilities to your Google Cloud resources such as Compute Engine virtual machine instances, GKE containers, and App Engine flexible environment instances.
Shared VPC connects resources from multiple projects to a common VPC network so that they can communicate with each other using the network's internal IP addresses. The following diagram shows the basic architecture of a Shared VPC network with attached service projects.
When you use Shared VPC, you designate a host project and attach one or more service projects to it. Virtual Private Cloud networks in the host project are called Shared VPC networks.
The example diagram has production and non-production host projects, which each contain a Shared VPC network. You can use a host project to centrally manage the following:
- Routes
- Firewalls
- VPN connections
- Subnets
A service project is any project that's attached to a host project. You can share subnets, including secondary ranges, between host and service projects.
In this architecture, each Shared VPC network contains public and private subnets:
- The public subnet can be used by internet-facing instances for external connectivity.
- The private subnet can be used by internal-facing instances that are not allocated public IP addresses.
In this task, you create an initial network configuration based on the example diagram.
Who performs this task
You need one of the following to perform this task:
- The roles/compute.networkAdmin role.
- Inclusion in the gcp-network-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Create an initial network configuration, including the following:
- Create multiple host projects to reflect your development environments.
- Create a Shared VPC network in each host project to allow distinct resources to share the same network.
- Create distinct subnets in each Shared VPC network to provide network access to service projects.
Why we recommend this task
Distinct teams can use Shared VPC to connect to a common,centrally-managed VPC network.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
Configure your network architecture
Create your initial network configuration with two host projects to segment non-production and production workloads. Each host project contains a Shared VPC network, which can be used by multiple service projects. You configure network details and then deploy a configuration file in a later task.
To configure your initial network, do the following:
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Select your organization from the Select an organization drop-down list at the top of the page.
Go to Google Cloud Setup: Networking.
Review the default network architecture.
To edit the network name, do the following:
- Click Actions.
- Select Edit network name.
- In the Network name field, enter lowercase letters, numbers, or hyphens. The network name cannot exceed 25 characters.
- Click Save.
Modify firewall details
The default firewall rules on the host project are based on recommended best practices. You can choose to disable one or more of the default firewall rules. For general information on firewall rules, see VPC firewall rules.
To modify firewall settings, do the following:
Click Actions.
Select Edit firewall rules.
For detailed information about each default firewall rule, see Pre-populated rules in the default network.
To disable a firewall rule, clear its corresponding checkbox.
To disable Firewall Rules Logging, click Off.
By default, traffic to and from Compute Engine instances is logged for auditing purposes. This process incurs costs. For more information, see Firewall Rules Logging.
Click Save.
Modify subnet details
Each VPC network contains at least one subnet, which is a regional resource with an associated IP address range. In this multi-regional configuration, you must have at least two subnets with non-overlapping IP ranges.
For more information, see Subnets.
Each subnet is configured using recommended best practices. If you want to customize each subnet, do the following:
- Click Actions.
- Select Edit subnets.
- In the Name field, enter lowercase letters, numbers, or hyphens. The subnet name cannot exceed 25 characters.
- From the Region drop-down, select a region that is close to your point of service.
  We recommend a different region for each subnet. You can't change the region after you deploy your configuration. For information about choosing a region, see Regional resources.
- In the IP address range field, enter a range in CIDR notation, for example, 10.0.0.0/24.
  The range you enter must not overlap with other subnets in this network. For information on valid ranges, see IPv4 subnet ranges.
  Note: To expand the primary IPv4 range of an existing subnet, reduce the prefix length. For example, to expand 10.0.0.0/24, use 10.0.0.0/20.
- Repeat these steps for Subnet 2.
- To configure additional subnets in this network, click Add subnet and repeat these steps.
- Click Save.
Your subnets are automatically configured according to best practices. If you want to modify the configuration, in the Google Cloud Setup: VPC Networks page, do the following:
To turn off VPC Flow Logs, from the Flow logs column, select Off.
When flow logs are on, each subnet records network flows that you can analyze for security, cost optimization, and other purposes. For more information, see Use VPC Flow Logs.
VPC Flow Logs incur costs. For more information, see Virtual Private Cloud pricing.
To turn off Private Google Access, from the Private access column, select Off.
When Private Google Access is on, VM instances that don't have external IP addresses can reach Google APIs and services. For more information, see Private Google Access.
To turn on Cloud NAT, from the Cloud NAT column, select On.
When Cloud NAT is on, certain resources can create outbound connections to the internet. For more information, see Cloud NAT overview.
Cloud NAT incurs costs. For more information, see Virtual Private Cloud pricing.
Click Continue to link service projects.
Link service projects to your host projects
A service project is any project that has been attached to a host project. This attachment allows the service project to participate in Shared VPC. Each service project can be operated and administered by different departments or teams to create a separation of responsibilities.
For more information about connecting multiple projects to a common VPC network, see Shared VPC overview.
To link service projects to your host projects and complete the configuration, do the following:
For each subnet in the Shared VPC networks table, select a service project to connect. To do this, select from the Select a project drop-down in the Service project column.
You can connect a service project to multiple subnets.
Click Continue to Review.
Review your configuration, and make changes.
You can make edits until you deploy your configuration file.
Click Confirm draft configuration. Your network configuration is added to your configuration file.
Your network is not deployed until you deploy your configuration file in a later task.
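One host project from this task, as an added Terraform example rather than the file Google Cloud Setup generates: a Shared VPC network with two regional subnets in non-overlapping ranges, VPC Flow Logs, Private Google Access, Cloud NAT, an ingress firewall rule with Firewall Rules Logging, and one attached service project. Project IDs, network and subnet names and the ranges are placeholders.

```hcl
# Added example, not the Terraform that Google Cloud Setup generates.
# Placeholders: project IDs, network/subnet names, regions and IP ranges.
variable "host_project_id" {
  default = "example-prod-host-0001" # placeholder
}

variable "service_project_id" {
  default = "example-prod-svc-0001" # placeholder
}

resource "google_compute_network" "shared" {
  project                 = var.host_project_id
  name                    = "prod-shared-vpc" # lowercase letters, numbers, hyphens
  auto_create_subnetworks = false             # subnets are declared explicitly below
}

# Two subnets in different regions. Ranges must not overlap within the network;
# to grow one later, shorten its prefix (10.0.0.0/24 to 10.0.0.0/20).
locals {
  subnets = {
    "prod-subnet-1" = { region = "us-central1", cidr = "10.0.0.0/24" }
    "prod-subnet-2" = { region = "europe-west1", cidr = "10.0.1.0/24" }
  }
}

resource "google_compute_subnetwork" "subnet" {
  for_each                 = local.subnets
  project                  = var.host_project_id
  name                     = each.key
  region                   = each.value.region
  network                  = google_compute_network.shared.id
  ip_cidr_range            = each.value.cidr
  private_ip_google_access = true # VMs without external IPs can reach Google APIs

  # VPC Flow Logs (billed); omit this block to turn flow logs off.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Cloud NAT (billed) gives instances without external IPs outbound internet
# access. Router and NAT are regional, so there is one pair per subnet region.
resource "google_compute_router" "nat" {
  for_each = local.subnets
  project  = var.host_project_id
  name     = "${each.key}-router"
  region   = each.value.region
  network  = google_compute_network.shared.id
}

resource "google_compute_router_nat" "nat" {
  for_each                           = local.subnets
  project                            = var.host_project_id
  name                               = "${each.key}-nat"
  router                             = google_compute_router.nat[each.key].name
  region                             = each.value.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

# Ingress limited to the network's own ranges, with Firewall Rules Logging on
# (billed); remove log_config to turn logging off.
resource "google_compute_firewall" "allow_internal" {
  project       = var.host_project_id
  name          = "prod-allow-internal"
  network       = google_compute_network.shared.name
  direction     = "INGRESS"
  source_ranges = [for s in local.subnets : s.cidr]

  allow {
    protocol = "tcp"
    ports    = ["0-65535"]
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Enable Shared VPC on the host project and attach a service project, which can
# then place its instances in the subnets above.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project_id
}

resource "google_compute_shared_vpc_service_project" "service" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project_id
}
```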
What's next
Set up hybrid connectivity, which helps you connect on-premises servers or other cloud providers to Google Cloud.
Hybrid connectivity
In this task, you establish connections between your peer (on-premises or other cloud) networks and your Google Cloud networks, as in the following diagram.
This process creates an HA VPN, which is a high-availability (HA) solution that you can quickly create to transmit data over the public internet.
After you deploy your Google Cloud configuration, we recommend creating a more robust connection using Cloud Interconnect.
For more information on connections between peer networks and Google Cloud, see the following:
Who performs this task
You must have the Organization Administrator role (roles/resourcemanager.organizationAdmin).
What you do in this task
Create low-latency, high-availability connections between your VPC networks and your on-premises or other cloud networks. You configure the following components:
- Google Cloud HA VPN gateway: A regional resource that has two interfaces, each with its own IP address. You specify the IP stack type, which determines whether IPv6 traffic is supported in your connection. For background information, see HA VPN.
- Peer VPN gateway: The gateway on your peer network, to which the Google Cloud HA VPN gateway connects. You enter external IP addresses that your peer gateway uses to connect to Google Cloud. For background information, see Configure the peer VPN gateway.
- Cloud Router: Uses Border Gateway Protocol (BGP) to dynamically exchange routes between your VPC and peer networks. You assign an Autonomous System Number (ASN) as an identifier for your Cloud Router, and specify the ASN that your peer router uses. For background information, see Create a Cloud Router to connect a VPC network to a peer network.
- VPN tunnels: Connect the Google Cloud gateway to the peer gateway. You specify the Internet Key Exchange (IKE) protocol to use to establish the tunnel. You can enter your own previously generated IKE key or generate and copy a new key. For background information, see Configure IKE.
Why we recommend this task
An HA VPN provides a secure and highly available connection between your existing infrastructure and Google Cloud.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
- Configure your network in the VPC networks task.
Collect the following information from your peer network administrator:
- Your peer VPN gateway name: The gateway to which your Cloud VPN connects.
- Peer interface IP address 0: An external IP address on your peer network gateway.
- Peer interface IP address 1: A second external address, or you can reuse IP address 0 if your peer network only has a single external IP address.
- Peer Autonomous System Number (ASN): A unique identifier assigned to your peer network router.
- Cloud Router ASN: A unique identifier that you will assign to your Cloud Router.
- Internet Key Exchange (IKE) keys: Keys you use to establish two VPN tunnels with your peer VPN gateway. If you don't have existing keys, you can generate them during this setup and then apply them to your peer gateway.
Configure your connections
Do the following to connect your VPC networks to your peer networks:
Sign in as a user with the Organization Administrator role.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud Setup: Hybrid connectivity.
Review the task details by doing the following:
Review the task overview and click Start hybrid connectivity.
Click each tab to learn about hybrid connectivity and click Continue.
See what to expect in each task step and clickContinue.
Review the peer gateway configuration information that you need to collect and click Continue.
In the Hybrid connections area, identify the VPC networks that you want to connect, based on your business needs.
In the row for the first network you chose, click Configure.
In the Configuration overview area, read the description and click Next.
In the Google Cloud HA VPN gateway area, do the following:
In the Cloud VPN gateway name field, enter up to 60 characters using lowercase letters, numbers, and hyphens.
In the VPN tunnel inner IP stack type area, select one of the following stack types:
- IPv4 and IPv6 (recommended): Can support both IPv4 and IPv6 traffic. We recommend this setting if you plan to allow IPv6 traffic in your tunnel.
- IPv4: Can only support IPv4 traffic.
The stack type determines the type of traffic that is allowed in the tunnel between your VPC network and your peer network. You cannot modify the stack type after you create the gateway. For background information, see the following:
Click Next.
In the Peer VPN gateway area, do the following:
In the Peer VPN gateway name field, enter the name provided by your peer network administrator. You can enter up to 60 characters using lowercase letters, numbers, and hyphens.
In the Peer interface IP address 0 field, enter the peer gateway interface external IP address provided by your peer network administrator.
In the Peer interface IP address 1 field, do one of the following:
- If your peer gateway has a second interface, enter its IP address.
- If your peer gateway only has a single interface, enter the same address you entered in Peer interface IP address 0.
For background information, see Configure the peer VPN gateway.
Click Next.
In the Cloud Router area, do the following:
In the Cloud router ASN field, enter the Autonomous System Number you want to assign to your Cloud Router, as provided by your peer network administrator. For background information, see Create a Cloud Router.
In the Peer router ASN field, enter your peer network router's Autonomous System Number, as provided by your peer network administrator.
In the VPN tunnel 0 area, do the following:
In the Tunnel 0 name field, enter up to 60 characters using lowercase letters, numbers, and hyphens.
In the IKE version area, select one of the following:
- IKEv2 (recommended): Supports IPv6 traffic.
- IKEv1: Use this setting if you do not plan to allow IPv6 traffic in the tunnel.
For background information, see Configure VPN tunnels.
In the IKE pre-shared key field, enter the key you use in your peer gateway configuration, as provided by your peer network administrator. If you don't have an existing key, you can click Generate and copy, and then give the key to your peer network administrator.
Note: If you forget the key that you generate in this step, you can find it after you deploy. The key is stored in the gcp-internal-cloud-setup folder in the Hybrid Connectivity Project project. For steps to access a key using Secret Manager, see List secrets and view secret details.
In the VPN tunnel 1 area, repeat the previous step to apply settings for the second tunnel. You configure this tunnel for redundancy and additional throughput.
Click Save.
Repeat these steps for any other VPC networks that you want to connect to your peer network.
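The components configured in the steps above (HA VPN gateway, peer gateway with two interfaces, Cloud Router with BGP, and two IKEv2 tunnels with their BGP sessions), as an added Terraform example that is not the configuration Google Cloud Setup generates. The project ID, network name, peer addresses, ASNs and the pre-shared key are placeholders standing in for the values collected from your peer network administrator.

```hcl
# Added example, not the Terraform that Google Cloud Setup generates.
# Placeholders: project ID, network name, peer IPs (TEST-NET-3), ASNs, PSK.
variable "host_project_id" {
  default = "example-prod-host-0001" # placeholder
}

variable "peer_ips" {
  # Peer interface IP addresses 0 and 1; repeat address 0 if the peer gateway
  # has a single interface.
  default = ["203.0.113.10", "203.0.113.11"]
}

variable "ike_psk" {
  sensitive = true
  default   = "replace-with-generated-psk" # placeholder; keep the real key in Secret Manager
}

resource "google_compute_ha_vpn_gateway" "gw" {
  project    = var.host_project_id
  name       = "prod-ha-vpn-gw"
  region     = "us-central1"
  network    = "prod-shared-vpc" # assumed existing Shared VPC network
  stack_type = "IPV4_IPV6"       # cannot be changed after creation
}

# The peer (external) gateway, with both interfaces the peer administrator provided.
resource "google_compute_external_vpn_gateway" "peer" {
  project         = var.host_project_id
  name            = "onprem-peer-gw"
  redundancy_type = "TWO_IPS_REDUNDANCY"

  interface {
    id         = 0
    ip_address = var.peer_ips[0]
  }
  interface {
    id         = 1
    ip_address = var.peer_ips[1]
  }
}

# Cloud Router that exchanges routes with the peer over BGP.
resource "google_compute_router" "vpn" {
  project = var.host_project_id
  name    = "prod-vpn-router"
  region  = "us-central1"
  network = "prod-shared-vpc"

  bgp {
    asn = 64514 # Cloud Router ASN (private range); the peer ASN is 65001 below
  }
}

# Tunnel 0 and tunnel 1: one per gateway interface, both IKEv2 with the same PSK.
resource "google_compute_vpn_tunnel" "tunnel" {
  count                           = 2
  project                         = var.host_project_id
  name                            = "prod-vpn-tunnel-${count.index}"
  region                          = "us-central1"
  vpn_gateway                     = google_compute_ha_vpn_gateway.gw.id
  vpn_gateway_interface           = count.index
  peer_external_gateway           = google_compute_external_vpn_gateway.peer.id
  peer_external_gateway_interface = count.index
  ike_version                     = 2
  shared_secret                   = var.ike_psk
  router                          = google_compute_router.vpn.id
}

# One BGP session per tunnel on link-local /30 ranges; the peer side uses the
# matching .2 address and must be configured identically.
resource "google_compute_router_interface" "iface" {
  count      = 2
  project    = var.host_project_id
  name       = "prod-vpn-if-${count.index}"
  region     = "us-central1"
  router     = google_compute_router.vpn.name
  ip_range   = "169.254.${count.index}.1/30"
  vpn_tunnel = google_compute_vpn_tunnel.tunnel[count.index].name
}

resource "google_compute_router_peer" "peer" {
  count           = 2
  project         = var.host_project_id
  name            = "prod-vpn-peer-${count.index}"
  region          = "us-central1"
  router          = google_compute_router.vpn.name
  interface       = google_compute_router_interface.iface[count.index].name
  peer_ip_address = "169.254.${count.index}.2"
  peer_asn        = 65001
}
```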
After you deploy
After you deploy your Google Cloud Setup configuration, complete the following steps to ensure that your network connection is complete:
Work with your peer network administrator to align your peer network with your hybrid connectivity settings. After you deploy, specific instructions are provided for your peer network, including the following:
- Tunnel settings.
- Firewall settings.
- IKE settings.
Validate the network connections you created. For example, you can use Network Intelligence Center to check connectivity between networks. For more information, see Connectivity Tests overview.
If your business needs require a more robust connection, use Cloud Interconnect. For more information, see Choosing a Network Connectivity product.
What's next
Deploy your configuration, which includes settings for your hierarchy and access, logging, network, and hybrid connectivity.
Deploy your settings
Deploy or download
As you complete the Google Cloud Setup process, your settings from the following tasks are compiled into Terraform configuration files:
To apply your settings, you review your selections and choose a deployment method.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
What you do in this task
Deploy configuration files to apply your setup settings.
Why we recommend this task
You must deploy configuration files to apply the settings you selected.
Before you begin
You must complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
- Create or link a billing account in the Billing task.
- Set up your hierarchy and assign access in the Hierarchy and access task.
The following tasks are recommended:
- Strengthen your security posture by setting up cost-free services in the Security task.
- Consolidate log data in a single location and monitor all projects from a single project in the Central logging and monitoring task.
- Configure your initial network in the VPC networks task.
- Connect peer networks to Google Cloud in the Hybrid connectivity task.
Review your configuration details
Do the following to make sure that your configuration settings are complete:
Sign in to the Google Cloud console as a user from the gcp-organization-admins@YOUR_DOMAIN group that you created in the Users and groups task.
Select your organization from the Select from drop-down list at the top of the page.
Go to Google Cloud Setup: Deploy or download.
Review the configuration settings you selected. Click each of the following tabs and review your settings:
- Resource hierarchy & access
- Security
- Logging & monitoring
- VPC networks
- Hybrid connectivity
Deploy your configuration
Now that you have reviewed your configuration details, use one of thefollowing options:
Deploy directly from the console: Use this option if you don't have an existing Terraform deployment workflow, and want a simple deployment method. You can deploy using this method only once.
Download and deploy the Terraform file: Use this option if you want to automate resource management using a Terraform deployment workflow. You can download and deploy using this method multiple times.
Deploy using one of the following options:
Deploy directly
If you don't have an existing Terraform workflow and want a simple one-time deployment, you can deploy directly from the console.
Warning: If you plan to deploy using your own Terraform workflow in the future, don't click Deploy directly.
Click Deploy directly.
Wait several minutes for the deployment to complete.
If the deployment fails, do the following:
- To reattempt the deployment, click Retry Process.
- If the deployment fails after multiple attempts, you can contact an administrator for help. To do this, click Contact organization administrator.
Download and deploy
If you want to iterate on your deployment using your Terraform deployment workflow, download and deploy configuration files.
To download your configuration file, click Download as Terraform.
The package you download contains Terraform configuration files based on the settings you selected in the following tasks:
- Hierarchy & access
- Security
- Central logging & monitoring
- VPC networks
- Hybrid connectivity
If you only want to deploy configuration files that are relevant to your responsibilities, you can avoid downloading irrelevant files. To do this, clear the check boxes for the configuration files that you don't need.
Click Download. A terraform.tar.gz package that includes the selected files is downloaded to your local file system. For detailed deployment steps, see Deploy your foundation using Terraform downloaded from the console.
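Before feeding the downloaded package into your own Terraform workflow, it is worth confirming that it actually contains the task files you selected and that it validates cleanly. The following script is an added example, not part of Google Cloud Setup or its documentation; it assumes only that the package is the terraform.tar.gz described above and makes no assumption about the directory layout inside it.

```shell
#!/bin/sh
# Added example (not Google Cloud Setup code): unpack the terraform.tar.gz that
# the console downloads into an empty directory, list every Terraform file it
# contains so the selected tasks can be checked against what was expected,
# then validate the configuration without contacting any backend.
# Assumption: the package is a gzip-compressed tar; its internal layout is not assumed.
set -eu

# extract_foundation_package PACKAGE DIR
# Unpacks PACKAGE into DIR (created if missing) and prints the relative path
# of each .tf file, sorted, one per line.
extract_foundation_package() {
    pkg=$1
    dir=$2
    mkdir -p "$dir"
    tar -xzf "$pkg" -C "$dir"
    (cd "$dir" && find . -type f -name '*.tf' | sort)
}

# count_tf_files PACKAGE DIR
# Prints how many .tf files the package holds. Zero means the download
# contained no deployable configuration and the task selection should be rechecked.
count_tf_files() {
    extract_foundation_package "$1" "$2" | wc -l | tr -d ' '
}

# validate_foundation DIR
# Runs a backend-free init followed by terraform validate so syntax and
# provider-schema errors surface before any plan is run against the
# organization. Skips with a message when terraform is not installed.
validate_foundation() {
    if ! command -v terraform >/dev/null 2>&1; then
        echo "terraform not found; skipping validation" >&2
        return 0
    fi
    (cd "$1" && terraform init -backend=false -input=false >/dev/null \
        && terraform validate)
}

# Usage: ./check_foundation.sh terraform.tar.gz [WORKDIR]
if [ "${1:-}" != "" ]; then
    workdir=${2:-./foundation}
    echo "Terraform files in $1:"
    extract_foundation_package "$1" "$workdir"
    validate_foundation "$workdir"
fi
```

Review the printed file list against the tasks you left selected, then run `terraform plan` in your own workflow and inspect the plan before applying.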
What's next
Support
In this task, you choose a support plan that fits your business needs.
Who performs this task
A person in the gcp-organization-admins@YOUR_DOMAIN group created in the Users and groups task.
What you do in this task
Choose a support plan based on your company's needs.
Why we recommend this task
A premium support plan provides business-critical support to quickly resolve issues with help from experts at Google Cloud.
Choose a support option
You automatically get free Basic Support, which includes access to the following resources:
We recommend that enterprise customers sign up for Premium Support, which offers one-on-one technical support with Google support engineers. To compare support plans, see Google Cloud customer care.
Before you begin
Complete the following tasks:
- Create a super administrator user and your organization in the Organization task.
- Add users and create groups in the Users and groups task.
- Assign IAM roles to groups in the Administrative access task.
Enable support
Identify and select a support option.
Review and select a support plan. For more information, see Google Cloud Customer Care.
Sign in to the Google Cloud console with a user from the gcp-organization-admins@<your-domain>.com group that you created in the Users and groups task. Go to Google Cloud Setup: Support.
Review the task details and click View support offerings to select a support option.
After you set up your support option, go back to the Google Cloud Setup: Support page and click Mark task as completed.
What's next
Now that you have completed the Google Cloud Setup, you are ready to extend your initial setup, deploy prebuilt solutions, and migrate your existing workflows. For more information, see Extend your initial setup and start building.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.