Google Cloud Platform at U-M FAQ

What is provisioned in my project?

Custom VPC Network

As part of the service, the cloud services team creates a custom global VPC network with subnets in US regions, carved out of a 10.255.0.0/16 block. This address space is not routed by UMNets and does not overlap with any on-premises network.

For more information about regions and zones, or about the products available at each location, please use these links:

Firewall Rules

By default, a custom VPC has no user-defined firewall rules; only GCP's implied rules apply (all egress allowed, all ingress denied), so nothing on the custom VPC is reachable from outside it. During provisioning the cloud services team creates firewall rules in your custom VPC to allow connectivity testing (ICMP) and remote management from campus: RDP for Windows instances and SSH for Linux instances. Similar rules allow connectivity between the subnets (us-central1, us-east1).

Optional VPN

If the optional VPN is selected, the cloud services team provisions a VPN between campus networks and an additional custom VPC. That VPC is a custom global network assigned 10.238.0.0/24. This space is dedicated to use in GCP and is guaranteed not to overlap with on-premises networks or with U-M provided private address space at another cloud provider. It is divided into two /25 subnets (10.238.0.0/25 and 10.238.0.128/25) in two different regions, us-central1 and us-east1.

Logging Exports

The Cloud Services Team configures project activity log exports to the campus Splunk server.

IAM and Permissions

GCP is integrated with Shibboleth (UMICH single sign-on). You can grant permissions to MCommunity users or groups by assigning roles to their umich.edu address.

These permissions are configured based on the form filled out at initial order:

  • Provided billing contact configured as Billing Account Administrator
  • Provided MCommunity group configured as Project Editors

Shortcode Billing

The cloud services team bills the provided shortcode, so your group does not have to handle invoices or purchase orders.

If I request a new account, how long will it take to finish?

New accounts should be available within 1 business day. If optional VPN is selected, it may take an additional 1 - 2 business days to complete the request.

Is there a charge to sign up for Google Cloud Platform at U-M?

There is no up-front cost to sign up; charges begin only when you consume GCP resources. The one fixed cost is the optional VPN: Google charges about $36/month ($0.05 per hour, or $1.20 per day) per VPN connection. This charge applies from the moment the VPN is created, whether or not it carries traffic.

Are there any limitations to using consolidated billing?

Consolidated billing is only available to faculty and staff.

How can I give other users/groups different access in my account?

You can grant access to specific portions of your environment through granular IAM permissions. To do so, click the menu in the upper left, select “IAM & admin,” then “IAM,” and set the appropriate role for the user or group. Grant only the access the user or group needs to do their job; prefer a narrow predefined role over Editor or Owner. For more information about Cloud IAM, refer to this site: https://cloud.google.com/iam/
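The same grant from the command line, as an added example that is not part of the U-M FAQ: it binds a umich.edu user or MCommunity group to a narrow predefined role and refuses the broad basic roles at project scope. The project id, group address and role names are placeholders.

```shell
#!/bin/sh
# Added example (not from the U-M FAQ): least-privilege IAM grants with gcloud.
# PROJECT, the member addresses and the roles used below are placeholders.
set -eu

# Set GCLOUD=echo to print the commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-myproject}"

# Basic roles span every service in the project; grant a predefined or
# custom role instead (e.g. roles/compute.instanceAdmin.v1 for VM operators).
BROAD_ROLES="roles/owner roles/editor roles/viewer"

is_broad_role() {
    for r in $BROAD_ROLES; do
        if [ "$r" = "$1" ]; then return 0; fi
    done
    return 1
}

# member is "user:uniqname@umich.edu", "group:groupname@umich.edu" or a
# service account; anything else is most likely a typo or a wrong domain.
grant_role() {  # member role
    case "$1" in
        user:*@umich.edu|group:*@umich.edu|serviceAccount:*) ;;
        *) echo "unexpected member form: $1" >&2; return 1 ;;
    esac
    if is_broad_role "$2"; then
        echo "refusing project-wide $2; pick a predefined or custom role" >&2
        return 1
    fi
    # --condition=None: bind unconditionally even if the policy already has
    # conditional bindings (otherwise gcloud prompts).
    $GCLOUD projects add-iam-policy-binding "$PROJECT" \
        --member "$1" --role "$2" --condition=None
}

# Review who holds which role (needs a real gcloud and an authenticated user).
list_bindings() {
    $GCLOUD projects get-iam-policy "$PROJECT" \
        --flatten="bindings[].members" \
        --format="table(bindings.role,bindings.members)"
}
```

Run with `GCLOUD=echo` first to see the exact commands, then without it to apply them; `list_bindings` afterwards confirms the group appears only under the role you intended.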

Can I run workloads in my account but charge a different shortcode than the one used for my whole account?

You can do this for a number of GCP offerings. To bill a different shortcode than the one on your project, set a label on the resource with a key of “shortcode” and a value of your shortcode number. The exact steps differ slightly per product/service, but labels are available for much of GCP.

There are a few caveats with this feature. The label is embedded in the usage detail used for billing, so only charges accrued after the label is set are affected. Likewise, if a label is removed, all charges accrued up to the point of removal remain billed to the labeled shortcode; later charges fall back to the project's shortcode.

It is also important to change this value before a shortcode is terminated.

This is part of an automated billing process, so the cloud team cannot alter it after the fact. If an adjustment is needed, your local finance team should be able to perform a journal transfer.
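Setting the label from the command line, as an added example that is not part of the U-M FAQ: it applies a “shortcode” label to a VM, its persistent disk and a Cloud Storage bucket, and rejects values that violate GCP's label-value rules before any API call is made. Resource names, zones and the shortcode value 123456 are placeholders.

```shell
#!/bin/sh
# Added example (not from the U-M FAQ): apply the "shortcode" billing label
# with gcloud/gsutil. Resource names, zones and the shortcode are placeholders.
set -eu

# Set GCLOUD=echo and GSUTIL=echo to print the commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"
GSUTIL="${GSUTIL:-gsutil}"

# GCP label values may contain only lowercase letters, digits, '_' and '-',
# and are at most 63 characters long. Validating first means a typo fails
# loudly instead of leaving the resource billed to the project default.
valid_label_value() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9_-]{0,63}$'
}

require_shortcode() {
    if ! valid_label_value "$1"; then
        echo "invalid label value for shortcode: '$1'" >&2
        return 1
    fi
}

# Compute Engine VM: labels are set per instance and need the zone.
label_instance() {  # name zone shortcode
    require_shortcode "$3" || return 1
    $GCLOUD compute instances add-labels "$1" --zone "$2" --labels "shortcode=$3"
}

# A persistent disk is a separate resource with its own labels; label it too,
# otherwise the disk charges still fall to the project's shortcode.
label_disk() {  # name zone shortcode
    require_shortcode "$3" || return 1
    $GCLOUD compute disks add-labels "$1" --zone "$2" --labels "shortcode=$3"
}

# Cloud Storage bucket: gsutil uses key:value syntax for labels.
label_bucket() {  # bucket shortcode
    require_shortcode "$2" || return 1
    $GSUTIL label ch -l "shortcode:$2" "gs://$1"
}

# List instances in a zone that still have no shortcode label (needs a real
# gcloud); useful before a shortcode is closed or a project is handed over.
unlabelled_instances() {  # zone
    $GCLOUD compute instances list --zones "$1" \
        --filter="-labels.shortcode:*" --format="value(name)"
}
```

Because only usage recorded after the label exists is rebilled, run the labelling step as part of resource creation (or immediately after) rather than at month end.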

What support contracts are provided with Google?

A master billing account holds a Silver Support contract with Google Cloud Platform. Any user of the service who needs support files a ticket through the Cloud Services team. For more information on what this level of support provides, please visit: https://cloud.google.com/support/

What is covered by the enterprise agreement?

The enterprise agreement provides legal protections as well as a Business Associate Agreement (BAA) between the University of Michigan and Google which is necessary for dealing with HIPAA data. Please keep in mind that only projects under the umich.edu domain and affiliated with Faculty and Staff are covered by the agreement.

What do we do if our project doesn’t appear in the umich.edu organization?

To move a project into the organization, follow the process defined in this document: https://cloud.google.com/resource-manager/docs/migrating-projects-billing

Can students and alumni use Google Cloud at U-M?

Students and alumni can use the free credits and the free tier provided by Google, and if using GCP for coursework or classwork, students and professors may be able to take advantage of education grants. A VPN to campus is also available for an additional fee. However, students and alumni are not able to utilize the enterprise agreement, shortcode billing, or discounts. For more information about the free tier and free credits, or education grants, please see the links below:

Can I have more than one project on my billing account?

Yes, you can associate multiple projects with a billing account. To do so, fill out this form, answer yes to the question regarding an existing billing account, and enter the appropriate billing account ID.

How do I connect from instances in the cloud to resources on campus?

A few options exist for connecting a cloud compute instance to a resource on campus, or vice versa.

If communication between the two resources already uses a secure protocol, opening a port in the firewall between those two specific resources may be a viable option.

If the traffic is not known to be secured, if the number of firewall openings would be excessively cumbersome, or if a secure tunnel carrying all traffic destined for campus is preferred or required, a Virtual Private Network (VPN) is likely the proper solution.

How do I configure a firewall to allow connections to/from the cloud and campus?

To request an opening of a campus firewall to a specific campus resource, please follow the existing procedure.

To manage the firewall in Google Cloud Platform (GCP), click the menu, select VPC network, then Firewall rules, or simply click this link. Note: make sure the correct project is selected from the dropdown at the top. For information about how firewall rules function in GCP, please use this documentation. Documentation on creating firewall rules is linked from that page or can be found here.

Are there any firewall rules already in place to allow communication from campus?

The Cloud Services Team configures the custom VPC to allow:

  • ICMP from campus IP space (non-wireless)
  • SSH from campus IP space to instances tagged with Linux
  • RDP from campus IP space to instances tagged with Windows

Please use the above links to help create any additional rules. Keep rules as narrow as the use case allows (specific source ranges, ports and target tags) rather than opening a port to 0.0.0.0/0. If a rule covering all campus networks is needed, please contact [email protected] for assistance.
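The provisioned rules expressed as gcloud commands, as an added example that is not part of the U-M FAQ. The VPC name and the source ranges are placeholders (192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes); substitute the real non-wireless campus CIDRs and your project's VPC before running. The helper refuses to open SSH or RDP to the whole internet, which is the mistake these rules exist to prevent.

```shell
#!/bin/sh
# Added example (not from the U-M FAQ): campus-access firewall rules on a
# custom VPC. VPC, CAMPUS_RANGES and INTERNAL_RANGE are placeholders.
set -eu

# Set GCLOUD=echo to print the commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"
VPC="${VPC:-myproject-vpc}"
CAMPUS_RANGES="${CAMPUS_RANGES:-192.0.2.0/24,198.51.100.0/24}"
INTERNAL_RANGE="${INTERNAL_RANGE:-10.255.0.0/16}"   # the custom VPC's own space

# Refuse an admin port exposed to 0.0.0.0/0: a custom VPC starts with ingress
# denied, so every rule here is an explicit decision about who can reach what.
reject_world_admin() {  # sources rules
    case "$1" in
        *0.0.0.0/0*)
            case "$2" in
                *tcp:22*|*tcp:3389*|*all*)
                    echo "refusing to open $2 to 0.0.0.0/0" >&2; return 1 ;;
            esac ;;
    esac
}

# Ingress allow rule on the custom VPC. The target tag is optional; without
# it the rule applies to every instance in the network. Logging is enabled so
# accepted connections show up in Cloud Logging (and the Splunk export).
allow_ingress() {  # name rules sources [target-tag]
    tag="${4:-}"
    reject_world_admin "$3" "$2" || return 1
    if [ -n "$tag" ]; then
        $GCLOUD compute firewall-rules create "$1" --network "$VPC" \
            --direction INGRESS --action ALLOW --rules "$2" \
            --source-ranges "$3" --target-tags "$tag" --enable-logging
    else
        $GCLOUD compute firewall-rules create "$1" --network "$VPC" \
            --direction INGRESS --action ALLOW --rules "$2" \
            --source-ranges "$3" --enable-logging
    fi
}

# The four rules the page describes: ICMP from campus to everything, SSH only
# to instances tagged linux, RDP only to instances tagged windows, and
# anything-to-anything inside the VPC's own address space.
campus_rules() {
    allow_ingress campus-icmp icmp "$CAMPUS_RANGES"
    allow_ingress campus-ssh tcp:22 "$CAMPUS_RANGES" linux
    allow_ingress campus-rdp tcp:3389 "$CAMPUS_RANGES" windows
    allow_ingress internal-all all "$INTERNAL_RANGE"
}

# Verify what is actually in place (needs a real gcloud).
list_rules() {
    $GCLOUD compute firewall-rules list --filter="network:$VPC" \
        --format="table(name,direction,sourceRanges.list(),allowed[].map().firewall_rule().list(),targetTags.list())"
}
```

The internal-all rule mirrors the page's inter-subnet connectivity; on a project that only needs specific ports between tiers, replace `all` with the protocol:port list those tiers use.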

How do I request a VPN?

To request a VPN, simply indicate Yes/check the box when requesting from this site. The Cloud Services Team will configure the connection and notify you when it is ready for use.

Can I add a VPN to an existing project?

To add a VPN to an existing project, please email [email protected].

Once I have a VPN in place, how do I use it to connect to campus?

To utilize the VPN, instances must reside on the custom subnet provided by the Cloud Services team. This IP space does not overlap with campus addresses, so it will not cause any routing issues. Campus resources should be able to communicate with the cloud instance via the internal IP address (10.238.x.x) and cloud instances should be able to communicate with campus via the normal U-M IP address. Please keep in mind that a firewall still needs to allow traffic between these resources.

How do I use the VPC and firewall rules created for me in my project?

To use these networks and rules with your Compute Engine instances, open the Management, disks, networking, SSH keys dropdown, enter the appropriate network tag (Windows instances: windows; Linux instances: linux), open the Network interfaces menu and set the Network to the projectID-vpc network. The subnet should be set to either us-central1 or us-east1, matching the region of the zone in which you are deploying the instance.
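The same instance configuration from the command line, as an added example that is not part of the U-M FAQ: it derives the subnet name from the zone (so the subnet always matches the region), picks the network tag from the image family, and creates a Shielded VM on the provisioned VPC. The project id, image families and machine names are placeholders; the VPC name follows the page's projectID-vpc pattern.

```shell
#!/bin/sh
# Added example (not from the U-M FAQ): create a VM on the provisioned custom
# VPC with gcloud. PROJECT, image families and instance names are placeholders.
set -eu

# Set GCLOUD=echo to print the commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-myproject}"
VPC="${VPC:-$PROJECT-vpc}"

# Subnets on this service are named after their region (us-central1,
# us-east1), so the subnet is the zone with its trailing "-a"/"-b" removed.
region_of() { printf '%s\n' "${1%-*}"; }

# The campus SSH/RDP rules match on network tags; derive the tag from the
# image family so an instance cannot be created with the wrong one.
tag_for() {
    case "$1" in
        windows*) echo windows ;;
        debian*|ubuntu*|rhel*|rocky*|centos*) echo linux ;;
        *) echo "unknown OS family: $1" >&2; return 1 ;;
    esac
}

# name zone image-family image-project
# Set NO_ADDRESS=1 for the VPN subnet (10.238.x.x), where campus reaches the
# instance by its internal address and no public IP is needed.
create_instance() {
    zone="$2"
    region=$(region_of "$zone")
    tag=$(tag_for "$3") || return 1
    addr_flag=""
    if [ -n "${NO_ADDRESS:-}" ]; then addr_flag="--no-address"; fi
    $GCLOUD compute instances create "$1" --project "$PROJECT" --zone "$zone" \
        --network "$VPC" --subnet "$region" --tags "$tag" \
        --image-family "$3" --image-project "$4" \
        --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring \
        $addr_flag
}
```

Usage: `create_instance web-1 us-central1-a debian-12 debian-cloud` places a Linux VM in the us-central1 subnet with the linux tag; `create_instance rds-1 us-east1-b windows-2022 windows-cloud` does the Windows equivalent in us-east1. On the 10.255 network the instance needs its external address for the campus SSH/RDP rules to be useful, since that space is not routed from campus.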

Is GCP HIPAA Compliant?

General use of GCP for HIPAA data is not permitted at this time. U-M ITS continues to work with Michigan Medicine Corporate Compliance, the U-M data steward and compliance owner for HIPAA data, to establish processes and practices for the appropriate collection, processing, storage, and maintenance of HIPAA data in the Cloud. Please contact the GCP Support Team if you have any questions regarding using GCP for HIPAA data.