Google Cloud makes it easy for teams to get the Cloud resources they need to build and host applications. But there are so many tools and services that controlling costs and managing your organization can get tricky if not set up properly. Don't worry, we're here to help. Beyond Your Bill is a video series dedicated to helping you better understand what you're spending on the Cloud and best practices for managing your Cloud environment. On this episode, we'll take a look at how to organize your GCP resources.
Questions about resource management are top of mind for many GCP administrators. In fact, the most common Google Cloud Billing support requests focus on access issues and confusion around tracking payment for services. To help you avoid having the same issues, we'll go over some best practices and answer some common questions such as, how should I structure my resources for effective cost management, and what's the ideal folder structure for my organization? First, let's start with what we mean by a resource and then we'll cover how to best organize them and grant access.
Resources are defined as any Google Cloud Platform service, such as Compute Engine and BigQuery, and they can exist in a hierarchy. When we say resource hierarchy, we're referring to the way that you can organize your Google Cloud environment and how that maps to your organization's structure, letting you manage access and permission for groups of related resources. As you plan and set up your resource hierarchy, make sure to consider the requirements for your organization. You can always change the structure in the GCP Console. Start with the simplest structure that meets your needs and make changes as required.
Here's a diagram of what the different parts of the resource hierarchy look like. Let's start from the top and work our way down. Everything you'll manage in Google Cloud is under your domain and organization. They're like an umbrella.
If you're an individual user with a G Suite or Cloud Identity account, you may not have an organization, which means that some features won't be available to you until you create one. If you're getting started with an organization or if you're migrating existing projects to a new organization, the organization setup wizard may be a good place to begin. The wizard guides you through recommendations and steps for setting up everything, so check out the link for more information.
The domain is handled through G Suite or Cloud Identity and helps you manage user profiles, while the organization is managed through the GCP console, and lets you manage GCP resources and access. With an organization, projects belong to the org rather than to the user that created them. Org admins can see and manage all projects as well as set up permissions and policies that'll be inherited for different groups of resources. This is especially helpful when a team member creates a project and then later leaves the company. Each organization and domain have separate permission settings. Make sure to set up multiple admins or use a group for each to ensure a reasonable level of redundancy.
Billing accounts are under the organization and track any charges for associated projects. A billing account has its own roles and permissions, so you can manage users for billing-related functions. Billing account users can associate projects and see spend, while billing account admins can additionally unlink projects, enable billing export, and set budgets. In addition, only billing account admins can contact billing support. Make sure to have more than one admin or user group and ensure your team knows who they are. We recommend sticking to a single billing account per organization and making sure only your admins can create new billing accounts. You can do that by removing the billing account creator role from your organization.
In most cases, you'll only need one billing account and creating multiple can make it tricky to track down payments. If you need to deal with multiple currencies or follow certain legal requirements, you may have to create multiple billing accounts, but don't forget to still have redundancy for your admins. When setting up a billing account, the admin should enable BigQuery export as soon as possible since the export data isn't retroactive. This way, your usage data will be tracked and ready for analysis using a variety of tools. We'll talk more about exploiting and analyzing billing data in later videos.
The payments profile is a Google level resource that sits outside of Google Cloud and is used for paying for all Google services, such as Google Ads or Chrome licenses. It's possible to have the same admins for your billing account and your payment profile, but make sure that you still set up multiple administrators or use groups. In the payment profile settings, review the preferences for notifications and statements, as well as ensuring that you have invoice delivery set up for email and paper invoices. Having multiple admins, payment methods and notification methods will make sure that you get the right information when you need it and avoid any potential issues.
Projects are used for grouping any resources like Google Kubernetes Engine or Cloud Storage. A project can exist under a folder, so it can be grouped logically to match your company's structure, as well as inherit any permissions from folders above it or from the organization at the top. Projects can also have labels across your entire organization, which you can use to horizontally group projects and services. Folders and projects can have permissions that let you control who can create, edit, or just view resources inside of them.
For example, you could set up certain users as project creators so that they can create new projects or just project viewer so that they can see what's being used and view the cost for an individual project. The permissions and structure are flexible and changeable so you can organize your hierarchy to meet your needs.
Here's an example of matching an organization's structure. In this image, the first level of folders represents departments, the next level teams, and then products, with labels for environments like production. Another example might be using folders for environments and labels for teams, or folders for lines of business and labels for applications. A project can have multiple labels, but it can only directly exist under a single folder. For projects, labels, and folders, ensure that you use naming conventions that are familiar to your team. These names are referenced in the console, billing reports and for resource organization. It's imperative that clear and well understood naming is used across your organization. Of course, the specifics will depend on your team and your governance. Ultimately, the structure and naming convention are meant to follow whatever works best for your org. Taking the time upfront to plan your resource structure for what's right for your business can save you a lot of confusion and hassle down the road.
With that overview of the resource hierarchy, the next step is to talk more about billing accounts and the payments profile. I definitely recommend checking out the links for a deeper dive and for more best practices around resource organization. In the next video, we'll set up a billing account, go over permissions and discuss more best practices.
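The two billing-role recommendations in the transcript above (only admins hold the billing account creator role at the organization, and billing admins are redundant or group-based) can be checked against exported IAM policies. This is an added example, not part of the video: the policies are constructed samples in the IAM policy JSON shape (as printed by `gcloud organizations get-iam-policy --format=json`), and the `example.com` principals and function names are assumptions.

```python
import json

BILLING_CREATOR = "roles/billing.creator"   # Billing Account Creator
BILLING_ADMIN = "roles/billing.admin"       # Billing Account Administrator

# Constructed sample policies; the example.com principals are placeholders.
ORG_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/billing.creator",
   "members": ["domain:example.com", "group:gcp-billing-admins@example.com"]},
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["group:gcp-org-admins@example.com", "user:alice@example.com"]}
]}
""")
BILLING_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/billing.admin", "members": ["user:bob@example.com"]},
  {"role": "roles/billing.user", "members": ["group:dev-leads@example.com"]}
]}
""")


def members_with(policy, role):
    """Return every member bound to `role`, merged across bindings."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return sorted(found)


def audit_creators(org_policy, approved):
    """Members who can create billing accounts but are not approved admins."""
    return [m for m in members_with(org_policy, BILLING_CREATOR) if m not in approved]


def has_redundant_admins(policy, role=BILLING_ADMIN):
    """True if the role is held by a group or by at least two principals."""
    members = members_with(policy, role)
    return len(members) >= 2 or any(m.startswith("group:") for m in members)


if __name__ == "__main__":
    approved = {"group:gcp-billing-admins@example.com"}
    for member in audit_creators(ORG_POLICY, approved):
        print(f"remove {BILLING_CREATOR} from {member}")
    if not has_redundant_admins(BILLING_POLICY):
        print(f"{BILLING_ADMIN} has a single point of failure")
```

In the sample, the domain-wide creator binding is flagged for removal and the billing account is reported as depending on a single administrator.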