Custom VPC Network
As a part of the service, the cloud services team creates a custom global VPC network in US regions and subnets are subnetted from a 10.255.0.0/16 network. This network space is not routed by UMNets nor does it overlap with any on-premise networks.
For more information about regions and zone or about the products available at the global locations, please use these links:
Firewall Rules
By default, custom VPCs have no firewall rules, therefore nothing on the custom VPC would be accessible. During the provisioning process the cloud services team creates firewall rules in your custom VPC to allow for connectivity testing (ICMP) and remote management from campus using RDP for Windows Instances and SSH for Linux instances. Similar rules are created to allow connectivity between subnets (us-central1, us-east1).
Optional VPN
The cloud services team will provision a VPN to connect an additional custom VPC with campus networks. The cloud services team creates a custom global VPC network and assigns a 10.238.0.0/24 network. This network space is dedicated for use in GCP and is guaranteed to not overlap with on-premise networks or U-M provided private address space in another cloud provider. This network is divided into two /25 networks in two different regions, us-central1, and us-east1.
Logging Exports
The Cloud Services Team configures project activity log exports to campus Splunk server.
IAM and Permissions
GCP is integrated with Shibboleth (UMICH single-sign-on). You may provide permissions to MCommunity users or groups by applying roles/permissions to their umich.edu address.
These permissions are configured based on the form filled out at initial order:
- Provided billing contact configured as Billing Account Administrator
- Provided MCommunity group configured as Project Editors
Shortcode Billing
The cloud services team bills the provided shortcode so your group does not have to deal with invoices or Purchase Order
New accounts should be available within 1 business day. If optional VPN is selected, it may take an additional 1 - 2 business days to complete the request.
Up front, there is no cost to sign up prior to consuming GCP resources. The only cost is for the customer VPN. Google charges about $36/month ($0.05 per hour = $1.20 per day) per vpn connection. This charge is applied once the VPN is created, whether it is being used or not.
Consolidated billing is only available to faculty and staff.
You can give permissions to specific portions of your environment through granular IAM permissions. To do so, click on the menu in the upper left, select “IAM & admin,” select “IAM,” then set the appropriate permissions for the user or group. You should only give the access required for the user or group to perform their job. For more information about Cloud IAM, refer to this site: https://cloud.google.com/iam/
You can do this for a number of GCP offerings. To bill a different shortcode than on your project, simply set label with a key of “shortcode” and a value of your shortcode number. The process is slightly different for each product/service, but labels are available for much of GCP.
A master billing account holds a Silver Support contract with Google Cloud Platform. Any user of the service needing support would file a ticket through the Cloud Services team. For more information on the service provided with this level of support, please visit: https://cloud.google.com/support/
The enterprise agreement provides legal protections as well as a Business Associate Agreement (BAA) between the University of Michigan and Google which is necessary for dealing with HIPAA data. Please keep in mind that only projects under the umich.edu domain and affiliated with Faculty and Staff are covered by the agreement.
To move a project to an organization, we can follow the process defined in this document: https://cloud.google.com/resource-manager/docs/migrating-projects-billing
Students and alumni can use the free credits and the free tier provided by Google, and if using GCP for coursework or classwork, students and professors may be able to take advantage of education grants. A VPN to campus is also available for an additional fee. However, students and alumni are not able to utilize the enterprise agreement, shortcode billing, or discounts. For more information about the free tier and free credits, or education grants, please see the links below:
- Free credits/free tier: https://cloud.google.com/free/
- Education grants: https://cloud.google.com/edu/
Yes, you can associate multiple projects with a billing account. To do so, fill out this form. Answer yes to the question regarding an existing billing account and enter in the appropriate billing account ID
A few options exist to connect a cloud compute instance to a resource on campus or vice versa.
If communications between the two resources are already through a secure protocol, opening a port in the firewall between the two specific resources may be a viable option.
If communications are not known to be secured, if the number of firewall openings would be excessively cumbersome, or if a having a secure tunnel that passes all data intended for campus is preferred or required, a Virtual Private Network (VPN) might be the proper solution.
To request an opening of a campus firewall to a specific campus resource, please follow the existing procedure.
To manage the firewall in Google Cloud Platform (GCP), click on the menu, select VPC Networks, then select Firewall rules, or simply click this link. Note: make sure you have the correct project selected from the dropdown at the top. For information about how firewall rules function in GCP, please utilize this documentation. Documentation about creating firewall rules is linked on that page or can be found here.
The Cloud Services Team configures the custom VPC to allow:
- ICMP from campus IP space (non-wireless)
- SSH from campus IP space to instances tagged with Linux
- RDP from campus IP space to instances tagged with Windows
Please use the above links to help create any additional rules. If a rule from all campus networks is needed, please contact [email protected] for assistance.
To request a VPN, simply indicate Yes/check the box when requesting from this site. The Cloud Services Team will configure the connection and notify you when it is ready for use.
To add a VPN to an existing project, please email [email protected].
To utilize the VPN, instances must reside on the custom subnet provided by the Cloud Services team. This IP space does not overlap with campus addresses, so it will not cause any routing issues. Campus resources should be able to communicate with the cloud instance via the internal IP address (10.238.x.x) and cloud instances should be able to communicate with campus via the normal U-M IP address. Please keep in mind that a firewall still needs to allow traffic between these resources.
To use these networks and rules with your Cloud Compute Engine Instances, click the Management, disks, networking, SSH keys dropdown list, enter the appropriate tag (Windows instances = windows; Linux instances = linux), click the Network interfaces menu and set the Network to the projectID-vpc vpc. The subnet should set to either us-central1 or us-east1 based on the zone in which you are deploying your instance.
General use of GCP for HIPAA data is not permitted at this time. U-M ITS continues to work with Michigan Medicine Corporate Compliance, the U-M data steward and compliance owner for HIPAA data, to establish processes and practices for the appropriate collection, processing, storage, and maintenance of HIPAA data in the Cloud. Please contact the GCP Support Team if you have any questions regarding using GCP for HIPAA data.