Custom VPC Network
As part of the service, the cloud services team creates a custom global VPC network with subnets in US regions carved from 10.255.0.0/16. This address space is not routed by UMNets and does not overlap with any on-premises networks.
For more information about regions and zones, or about the products available at each location, please use these links:
Firewall Rules
By default, a custom VPC has only the implied rules (allow all egress, deny all ingress), so nothing in it is reachable until ingress rules are added. During provisioning, the cloud services team creates firewall rules in your custom VPC to allow connectivity testing (ICMP) and remote management from campus: RDP for Windows instances and SSH for Linux instances. Similar rules allow connectivity between the subnets (us-central1, us-east1).
Optional VPN
If the optional VPN is selected, the cloud services team provisions a second custom global VPC network, assigns it a /24 from the 10.238.0.0 address space, and connects it to campus networks over a VPN. This space is dedicated to GCP and is guaranteed not to overlap with on-premises networks or with U-M-provided private address space in any other cloud provider. The /24 is split into two /25 subnets in two regions, us-central1 and us-east1.
Logging Exports
The Cloud Services Team configures exports of the project's activity logs to the campus Splunk server.
IAM and Permissions
GCP is integrated with Shibboleth (UMICH single sign-on). You can grant permissions to MCommunity users or groups by binding IAM roles to their umich.edu address.
These permissions are configured based on the form filled out at initial order:
- Provided billing contact configured as Billing Account Administrator
- Provided MCommunity group configured as Project Editors
Shortcode Billing
The cloud services team bills the provided Shortcode, so your group does not have to deal with invoices or purchase orders.
New accounts should be available within 1 business day. If optional VPN is selected, it may take an additional 1–2 business days to complete the request.
There is no up-front cost to sign up, and no charge until GCP resources are consumed. The only fixed cost is the optional VPN: Google charges about $36/month ($0.05 per hour, $1.20 per day) per VPN connection, billed from the moment the connection is created whether or not it is used.
Consolidated billing is only available to faculty and staff.
You can give permissions to specific portions of your environment through granular IAM permissions. To do so, click on the menu in the upper left, select “IAM & admin,” select “IAM,” then set the appropriate permissions for the user or group. You should only give the access required for the user or group to perform their job. For more information about Cloud IAM, refer to Google Cloud Identity and Access Management (IAM).
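The least-privilege advice above is easiest to act on with a quick review of the project's IAM policy. The following is an added example, not code from the page or from the Cloud Services Team: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns and flags bindings that grant more than a job needs: the basic roles (roles/owner, roles/editor, roles/viewer), public principals, and user or group principals outside the umich.edu domain that the page says permissions are granted to. The group and user names in the sample policy are constructed.

```python
"""Least-privilege review of a GCP project IAM policy (added example)."""
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
HOME_DOMAIN = "umich.edu"   # the page grants permissions to umich.edu addresses

# Constructed sample policy in the `gcloud projects get-iam-policy --format=json`
# shape. The editor binding mirrors the default the order form configures.
SAMPLE_POLICY = json.loads("""{
 "bindings": [
  {"role": "roles/editor",
   "members": ["group:gcp-sample-team@umich.edu"]},
  {"role": "roles/compute.instanceAdmin.v1",
   "members": ["user:sample-admin@umich.edu"]},
  {"role": "roles/viewer",
   "members": ["user:sample-contractor@gmail.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["allUsers"]},
  {"role": "roles/logging.viewer",
   "members": ["serviceAccount:sample-sa@sample-project.iam.gserviceaccount.com"]}
 ]
}""")


def parse_member(member):
    """Split an IAM member such as 'user:x@umich.edu' into (kind, identity)."""
    kind, _, ident = member.partition(":")
    return kind, ident


def member_domain(ident):
    """Domain part of an e-mail style identity, lower-cased ('' if none)."""
    return ident.rsplit("@", 1)[-1].lower() if "@" in ident else ""


def audit_policy(policy, home_domain=HOME_DOMAIN):
    """Return (role, member, finding) triples for bindings worth narrowing."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, ident = parse_member(member)
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "public principal"))
                continue
            # Service accounts live under *.gserviceaccount.com, so only
            # human users and groups are held to the home domain.
            if kind in ("user", "group") and member_domain(ident) != home_domain:
                findings.append((role, member, f"principal outside {home_domain}"))
            if role in BASIC_ROLES:
                findings.append((role, member,
                                 "basic role; prefer a predefined or custom role scoped to the job"))
    return findings


if __name__ == "__main__":
    for role, member, issue in audit_policy(SAMPLE_POLICY):
        print(f"{role:40} {member:60} {issue}")
```

The editor binding for the ordering group is flagged as well: it is the default the service sets up, and the finding is simply a prompt to decide whether a narrower predefined role (for example roles/compute.instanceAdmin.v1) would do once the project is running.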
Individual resources can be billed to a Shortcode other than the project's default for many GCP offerings. To do so, set a label with the key “Shortcode” and your Shortcode number as the value. The exact steps differ by product, but labels are available for much of GCP.
There are a few caveats. The label is embedded in the usage detail that billing is based on, so only charges accrued after the label is created are redirected. Likewise, if a label is removed, all charges accrued up to the point of removal still go to the labelled Shortcode.
It is also important to update the label before the Shortcode it names is terminated.
This is part of an automated billing process, so the cloud team cannot alter charges after the fact. If an adjustment is needed, your local finance team should be able to perform a journal transfer.
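The timing rules above are easy to get wrong when a Shortcode is changed mid-month. The following is an added example, not code from the page: it models the behaviour the page describes (a charge goes to whatever Shortcode label was in effect when the usage accrued, so labelling only redirects later usage, removing the label leaves earlier usage on that Shortcode, and usage stamped with a terminated Shortcode can only be fixed afterwards by a journal transfer). Shortcodes, dates, amounts and the termination date are constructed.

```python
"""Model how the Shortcode label steers GCP charges over time (added example)."""
from bisect import bisect_right
from datetime import datetime

PROJECT_SHORTCODE = "100001"   # project default from the order form (constructed)

# Label history for one resource: (when, value of the "Shortcode" label; None = removed).
LABEL_EVENTS = [
    (datetime(2024, 3, 10, 9, 0), "200002"),   # label set
    (datetime(2024, 3, 20, 17, 0), None),      # label removed
]

# Usage detail records: (when the usage accrued, cost in USD). Constructed.
USAGE = [
    (datetime(2024, 3, 5), 4.00),
    (datetime(2024, 3, 10, 8, 0), 1.00),   # one hour before the label exists
    (datetime(2024, 3, 10, 10, 0), 2.50),  # first usage after labelling
    (datetime(2024, 3, 15), 3.00),
    (datetime(2024, 3, 20, 18, 0), 1.50),  # one hour after removal
    (datetime(2024, 3, 25), 5.00),
]

# Constructed: Shortcode 200002 is terminated on 14 March while still labelled.
TERMINATED = {"200002": datetime(2024, 3, 14)}


def shortcode_in_effect(when, events, default):
    """Shortcode that the usage detail accrued at `when` is stamped with."""
    events = sorted(events, key=lambda e: e[0])
    times = [t for t, _ in events]
    i = bisect_right(times, when)          # last label event at or before `when`
    if i == 0:
        return default                     # no label yet: project default applies
    value = events[i - 1][1]
    return value if value is not None else default


def attribute_charges(usage, events, default):
    """Total cost per Shortcode, honouring the label in effect at accrual time."""
    totals = {}
    for when, cost in usage:
        code = shortcode_in_effect(when, events, default)
        totals[code] = round(totals.get(code, 0.0) + cost, 2)
    return totals


def charges_to_terminated(usage, events, default, terminated):
    """Usage stamped with a Shortcode on or after that Shortcode's termination date."""
    flagged = []
    for when, cost in usage:
        code = shortcode_in_effect(when, events, default)
        if code in terminated and when >= terminated[code]:
            flagged.append((when, cost, code))
    return flagged


if __name__ == "__main__":
    print(attribute_charges(USAGE, LABEL_EVENTS, PROJECT_SHORTCODE))
    print(charges_to_terminated(USAGE, LABEL_EVENTS, PROJECT_SHORTCODE, TERMINATED))
```

Running it shows the two caveats in numbers: the $1.00 accrued an hour before the label exists stays on the project Shortcode, the $1.50 accrued an hour after removal reverts to it, and the $3.00 accrued on 15 March posts to a Shortcode that was terminated the day before, which is exactly the case that ends up needing a journal transfer.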
All GCP projects in the umich.edu organization have access to an Enhanced Support contract with Google Cloud Platform. For more information on the service provided with this level of support, please visit Google Cloud Customer Care.
Any user of the service needing support may still file a ticket through the Cloud Services team ([email protected]), but may also create a ticket directly in the console by selecting the support menu or going to Google Cloud Platform.
The enterprise agreement provides legal protections as well as a Business Associate Agreement (BAA) between the University of Michigan and Google which is necessary for dealing with HIPAA data. Please keep in mind that only projects under the umich.edu domain and affiliated with Faculty and Staff are covered by the agreement.
To move an existing project into the organization, follow the process defined in Migrating projects between organization resources.
Students and alumni can use the free credits and the free tier provided by Google, and if using GCP for coursework or classwork, students and professors may be able to take advantage of education grants. A VPN to campus is also available for an additional fee. However, students and alumni are not able to utilize the enterprise agreement, Shortcode billing, or discounts. For more information about the free tier and free credits, or education grants, please see the links below:
- Free credits/free tier: https://cloud.google.com/free/
- Education grants: https://cloud.google.com/edu/
Multiple projects can be associated with one billing account. To do so, fill out this form, answer yes to the question about an existing billing account, and enter the appropriate billing account ID.
A few options exist to connect a cloud compute instance to a resource on campus or vice versa.
If communications between the two resources are already through a secure protocol, opening a port in the firewall between the two specific resources may be a viable option.
If communications are not known to be secured, if the number of firewall openings would be excessively cumbersome, or if having a secure tunnel that carries all data intended for campus is preferred or required, a Virtual Private Network (VPN) might be the proper solution.
To request an opening of a campus firewall to a specific campus resource, please follow the existing procedure.
To manage the firewall in Google Cloud Platform (GCP), click on the menu, select VPC Networks, then select Firewall rules, or simply click this link. Note: make sure you have the correct project selected from the dropdown at the top.
For information about how firewall rules function in GCP, please see VPC firewall rules. Documentation about creating firewall rules is linked on that page or can be found at Use VPC firewall rules.
The Cloud Services Team configures the custom VPC to allow:
- ICMP from campus IP space (non-wireless)
- SSH from campus IP space to instances tagged with Linux
- RDP from campus IP space to instances tagged with Windows
Please use the above links to help create any additional rules. If a rule from all campus networks is needed, please contact [email protected] for assistance.
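Before adding rules of your own, it is worth checking that the baseline above (ICMP from campus, SSH and RDP from campus scoped to the linux and windows tags, and the open subnet-to-subnet rules described in the Firewall Rules section) has not been widened. The following is an added example, not code from the page or from the Cloud Services Team: it reads the JSON that `gcloud compute firewall-rules list --format=json` returns and flags ingress rules that expose SSH or RDP from outside campus, from the whole internet, or without a target tag. The campus ranges used are TEST-NET placeholders (the real ranges are not on the page); the VPC ranges are the ones the page gives, and the rule set is constructed.

```python
"""Audit GCP VPC firewall rules for exposed management ports (added example)."""
import ipaddress
import json

# Placeholder for campus (non-wireless) address space; substitute the real
# ranges before running this against a live project.
CAMPUS_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]
# Address space of the custom VPCs the Cloud Services Team provisions (from the page).
VPC_RANGES = [ipaddress.ip_network(c) for c in ("10.255.0.0/16", "10.238.0.0/24")]
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample in the gcloud JSON shape (not real project data).
SAMPLE_RULES = json.loads("""[
 {"name": "allow-icmp-campus", "direction": "INGRESS",
  "sourceRanges": ["192.0.2.0/24", "198.51.100.0/24"],
  "allowed": [{"IPProtocol": "icmp"}]},
 {"name": "allow-ssh-campus-linux", "direction": "INGRESS",
  "sourceRanges": ["192.0.2.0/24", "198.51.100.0/24"], "targetTags": ["linux"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-rdp-campus-windows", "direction": "INGRESS",
  "sourceRanges": ["192.0.2.0/24", "198.51.100.0/24"], "targetTags": ["windows"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
 {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.255.0.0/16"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
              {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
 {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-rdp-vendor", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
  "targetTags": ["windows"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}
]""")


def opens_port(rule, port):
    """True if an allow rule permits TCP to `port` (no port list means every port)."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True
        for spec in ports:
            low, _, high = spec.partition("-")      # "22" or "0-65535"
            if int(low) <= port <= int(high or low):
                return True
    return False


def within(cidr, networks):
    """True if `cidr` lies entirely inside one of `networks`."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(n.version == net.version and net.subnet_of(n) for n in networks)


def audit_firewall(rules):
    """Return (rule name, finding) pairs for ingress allow rules exposing SSH/RDP."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        exposed = "/".join(name for port, name in MGMT_PORTS.items() if opens_port(rule, port))
        if not exposed:
            continue                      # deny rules and non-management ports
        sources = rule.get("sourceRanges", [])
        for src in sources:
            if within(src, VPC_RANGES) or within(src, CAMPUS_RANGES):
                continue
            if ipaddress.ip_network(src, strict=False).prefixlen == 0:
                findings.append((rule["name"], f"{exposed} open to the entire internet ({src})"))
            else:
                findings.append((rule["name"], f"{exposed} reachable from non-campus range {src}"))
        # Subnet-to-subnet rules legitimately apply to every instance; anything
        # else that opens a management port should be scoped with a target tag.
        scoped = rule.get("targetTags") or rule.get("targetServiceAccounts")
        if sources and not scoped and not all(within(s, VPC_RANGES) for s in sources):
            findings.append((rule["name"], f"{exposed} rule has no target tag, so it applies to every instance"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_firewall(SAMPLE_RULES):
        print(f"{name}: {issue}")
```

Against the sample the three provisioned campus rules and the internal rule pass, allow-ssh-anywhere is reported twice (internet-wide source and no tag), and allow-rdp-vendor is reported once for its non-campus source; the last one is the case the page says to route through the Cloud Services Team rather than open yourself.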
To request a VPN, simply indicate Yes/check the box when requesting from this site. The Cloud Services Team will configure the connection and notify you when it is ready for use.
To add a VPN to an existing project, please email [email protected].
To use the VPN, instances must reside on the custom subnet provided by the Cloud Services team. This IP space does not overlap with campus addresses, so it will not cause routing issues. Campus resources can reach the cloud instance via its internal IP address (10.238.x.x), and cloud instances can reach campus via the normal U-M IP addresses. Keep in mind that firewall rules on both ends (the GCP VPC and the campus firewall) still need to allow the traffic.
To use these networks and rules with your Compute Engine instances, open the Management, disks, networking, SSH keys section, enter the appropriate network tag (Windows instances: windows; Linux instances: linux), open Network interfaces, and set the Network to the projectID-vpc VPC. Set the subnet to us-central1 or us-east1 to match the zone in which you are deploying the instance.
General use of GCP for HIPAA data is not permitted at this time. U-M ITS continues to work with Michigan Medicine Corporate Compliance, the U-M data steward and compliance owner for HIPAA data, to establish processes and practices for the appropriate collection, processing, storage, and maintenance of HIPAA data in the Cloud. Please contact the GCP Support Team if you have any questions regarding using GCP for HIPAA data.
All users in the umich.edu organization should be able to create GCP projects in the “self-created” folder. Google Earth Engine cannot see this folder when creating a new project, so users must first create the GCP project and then use the Google Earth Engine interface to connect to it.
Google Cloud
- Go to https://console.cloud.google.com/
- In the project picker, select NEW PROJECT
- The Project Picker is the dropdown menu in the upper left, just below the address bar
- Make sure you have UMICH.EDU selected
- Set a Project Name
- This generates a project ID (or you can edit it). A project ID cannot be changed after creation, while a project name can
- Confirm Organization is set to “umich.edu”
- Under Location, click BROWSE
- Select “self-created”, then SELECT in the lower right of the window
- Once the project is created, you may go to https://earthengine.google.com/
Google Earth Engine
- Go to https://earthengine.google.com/
- Select Get Started in the upper right
- Select Register a Noncommercial or Commercial Cloud project
- Select Paid vs Unpaid
- Select Choose an existing Google Cloud Project
- From the Project Picker, select your newly created project
- You may filter by name or ID
- Click CONTINUE TO SUMMARY
- Confirm your information
- Click CONFIRM