Introduction
Google Cloud Platform is a public cloud vendor like Amazon Web Services (AWS) and Microsoft Azure. Customers can use GCP and other cloud providers to gain free or pay-per-use access to computer resources hosted in Google's data centres across the world.
GCP provides a spectrum of computing services, ranging from cost management and data management to web and video delivery and AI and machine learning capabilities. One of these services is the Cloud Billing account, which specifies who is responsible for paying for a specific set of Google Cloud resources.
What is a resource?
A Google Cloud resource can refer to service-level resources used to handle your workloads (VMs, DBs, and so on) and account-level resources that lie above the services, such as projects, folders, and the organization.
Resource Hierarchy
Google Cloud resources are grouped hierarchically. This hierarchy enables you to connect your company's operational structure to Google Cloud and manage access control and permissions for groups of relevant resources. The resource hierarchy serves as a logical anchor for access management policies (Identity and Access Management) and organizational policies.
IAM and organizational policies are inherited down the hierarchy. Each node's effective policy is the result of the policies set directly at the node and the policies inherited from its ancestors.
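The inheritance rule above, as an added example that is not part of the original page: a simplified Python model of IAM allow-policy inheritance only (organization policy constraints are not modelled). The resource names, members and the `Node` class are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Node:
    """One node of the hierarchy: organization, folder or project."""
    name: str
    parent: Optional["Node"] = None  # each node has exactly one parent
    bindings: Dict[str, Set[str]] = field(default_factory=dict)  # role -> members set here

def ancestry(node):
    """Chain from the node up to the root, node first."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain

def effective_policy(node):
    """Union of the bindings set on the node and on every ancestor."""
    merged = {}
    for n in ancestry(node):
        for role, members in n.bindings.items():
            merged.setdefault(role, set()).update(members)
    return merged

def inherited_grants(node):
    """(role, member, source) for access the node has only through an ancestor."""
    direct = {(r, m) for r, ms in node.bindings.items() for m in ms}
    found = []
    for n in ancestry(node)[1:]:
        for role, members in n.bindings.items():
            for m in sorted(members):
                if (role, m) not in direct:
                    found.append((role, m, n.name))
    return found

# Constructed sample hierarchy: organization -> folder -> project.
org = Node("organizations/example-org",
           bindings={"roles/owner": {"user:admin@example.com"}})
folder = Node("folders/engineering", org,
              {"roles/viewer": {"group:eng@example.com"}})
project = Node("projects/payments-prod", folder,
               {"roles/viewer": {"user:auditor@example.com"}})

if __name__ == "__main__":
    for role, member, source in inherited_grants(project):
        print(f"{project.name}: {member} has {role} via {source}")
```

Because inheritance in this model is additive, a role granted at the organization or at a folder reaches every project beneath it, so an access review starts at the top of the hierarchy.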
The graphic below is an example resource hierarchy that depicts the basic account-level resources involved in operating your Google Cloud account.
Domain
- Your organization domain is your organization's principal identification, defining your company's identity with Google services such as Google Cloud.
- The Domain is used to manage people in your business:
  - When utilizing Google Cloud, you designate which users should be linked with your company at the domain level.
  - The Domain is also where you can manage policies for all your users and devices (for example, enable 2-factor authentication, and reset passwords for any users in your organization).
- A Google Workspace or Cloud Identity account is associated with the Domain.
- The Cloud Identity account is linked to a single Organization.
- The Google Admin Console is used to control domain-level functions (admin.google.com).
Organization
- An Organization is the base node of the Google Cloud resource hierarchy.
- The Organization node groups all Google Cloud resources that belong to an organization, allowing you to configure settings, permissions, and rules for any projects, folders, resources, and Cloud Billing accounts it parents.
- An Organization is linked to a single Domain (made with a Google Workspace or Cloud Identity account) and is generated automatically when you set up your Domain in Google Cloud.
- Using an Organization, you may centrally manage your Google Cloud resources and users' access to those services. This includes the following:
  - Proactive management: restructure resources as required (for example, restructuring or spinning up a new division may require new projects and folders).
  - Reactive management: an Organization resource acts as a safety net, allowing access to lost resources to be regained (for example, if one of your team members loses their access or leaves the company).
- The Google Cloud console manages the many responsibilities and resources associated with Google Cloud (including the organization, folders, resources, projects, and Cloud Billing accounts).
Folders
- Folders are a method for organizing projects, other folders, or a mix of the two.
- We can use the Organization node to get access to the folders.
- The Organization node contains all folders and projects.
- Folders may be used to organize resources that adhere to the same IAM policies.
- A folder can contain several folders or resources, but each folder or resource can have only one parent.
Projects
- Projects, Google Cloud's base-level organizational entities, handle all service-level resources.
- Various projects require the use of service-level resources (such as Compute Engine virtual machines (VMs), Pub/Sub topics, Cloud Storage buckets, and so on).
- Projects can represent logical projects, teams, environments, or other groups that correspond to a business function or structure.
- Projects are used to enable services, APIs, and IAM permissions.
- A resource can only exist in one project at a time.
Resources
- Google Cloud service-level resources are the basic building blocks of all Google Cloud services, including Compute Engine virtual machines (VMs), Pub/Sub topics, Cloud Storage buckets, and so on.
- Resources reside at the bottom of a hierarchy containing projects and an organization for billing and access control purposes.
Labels
- Labels assist you in categorizing your Google Cloud resources (such as Compute Engine instances).
- Labels are key-value pairs.
- Labels may be assigned to each resource, and then the resources can be filtered depending on their labels.
- Labels are excellent for granular expense tracking. Label information is sent to the billing system, allowing you to evaluate your charges by label.