Files
wehub-resource-sync bb5c75ce05
Component Security Validation / Security Audit (push) Has been cancelled
Deploy to Cloudflare Pages / deploy (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:38:58 +08:00

5.5 KiB

Google Cloud Setup

This guide provides an overview of the enterprise-level setup process for Google Cloud, focusing on creating a secure, scalable foundation.

Overview

Enterprise onboarding requires more than just a single project. It involves establishing an Organization resource, setting up a resource hierarchy (Folders and Projects), managing identities centrally, and configuring shared networking and security policies.

Phases of Enterprise Setup

1. Establish Your Organization

The Organization resource is the root node of your resource hierarchy.

2. Configure Billing

3. Identity and Access (IAM)

  • Centralized Management: Use Google Groups to manage permissions rather than assigning roles directly to individual users.
  • Administrative Access: Assign core IAM roles:
    • Organization Administrator: Full control over all resources.
    • Billing Administrator: Manage billing accounts and link projects.
    • Network Administrator: Manage VPC networks, firewalls, and VPNs.
    • Security Administrator: Manage security policies and SCC.

4. Resource Hierarchy

Organize your projects using Folders to reflect your business structure or environments (e.g., Production, Development).

  • Folders: Group projects by department or environment.
  • Projects: The base unit for resource management.

5. Networking (VPC)

  • Shared VPC: Allows multiple service projects to share a common VPC network managed by a host project.
  • Subnets: Create regional subnets with non-overlapping IP ranges.
  • Connectivity: Set up High Availability (HA) VPN or Cloud Interconnect for hybrid connectivity to on-premises data centers.

6. Security and Compliance

  • Organization Policies: Apply constraints at the organization or folder level (e.g., restrict allowed regions, disable public IP creation).
  • Security Command Center (SCC): Enable SCC for threat detection and security health analytics.
  • Encryption: Use Cloud KMS (Key Management Service) for managing encryption keys.

7. Centralized Logging and Monitoring

  • Cloud Logging: Use Log Sinks to export logs from across the organization to a central BigQuery dataset or Pub/Sub topic. Routing logs to a centralized bucket helps users centrally manage compliance with data retention and data residency requirements.
  • Cloud Monitoring: Set up a scoping project to monitor metrics from multiple projects in one place.

Best Practices

  • Infrastructure as Code (IaC): Use Terraform to manage and deploy your foundation. Google Cloud provides Terraform blueprints for enterprise setup.
  • Principle of Least Privilege: Start with minimal permissions and expand as needed.
  • Separation of Duties: Ensure that network, security, and application administrators have distinct roles.