Google Cloud uses a resource hierarchy as its governance foundation. The Google Cloud Foundation (GCF) is Google's reference landing zone. This guide covers assessing your GCP environment against Cloud Foundation best practices.
Quick start: TCOIQ gives instant AI-powered results in 60 seconds. Built by Wekams. Free at tcoiq.com.
Four levels: Organisation (the top node, mapped to your domain), Folders (departments, environments, teams), Projects (the billing and API-enablement boundary, the rough equivalent of an AWS account or Azure subscription), and Resources (VMs, buckets, databases). Policies set at a higher level cascade down to everything below it.
A Cloud Foundation deployment consists of: a bootstrap project (Terraform state), the Organisation node (org policies and org-level IAM), shared infrastructure (VPC Service Controls, Shared VPC host projects, DNS), and workload environments (a production/non-production folder hierarchy). Key services: Cloud Identity, Shared VPC, Cloud Armor, VPC Service Controls, Security Command Center.
Shared VPC allows multiple projects to share a common VPC that is managed by a host project. A mature GCP landing zone has: host projects for Shared VPC (one per environment), service projects that use Shared VPC subnets (one per application), Cloud NAT for egress, and Cloud Armor on public endpoints. Many GCP environments instead have a separate VPC per project, which creates security and routing complexity.
Critical policies: requireOsLogin (require OS Login for VMs), disableServiceAccountKeyCreation (prevent long-lived SA keys), vmExternalIpAccess (restrict public IPs), restrictCloudSQLInstances (private IPs for SQL), uniformBucketLevelAccess. TCOIQ checks which policies are in place.
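The following is an added example (not TCOIQ's code) that evaluates, for each critical constraint listed above, whether the effective organization policy actually restricts it. It assumes the v1 effective-policy JSON shape returned by `gcloud resource-manager org-policies describe CONSTRAINT --organization=ORG_ID --effective --format=json`, and it maps "private IPs for SQL" to the real `sql.restrictPublicIp` constraint; the sample policies are constructed.

```python
# Evaluate critical GCP org policy constraints from effective-policy JSON.
# Constraint ids are the real GCP names; the SAMPLE data below is constructed.

# constraint id -> (policy kind, short description)
CRITICAL_CONSTRAINTS = {
    "constraints/compute.requireOsLogin": ("boolean", "require OS Login for VMs"),
    "constraints/iam.disableServiceAccountKeyCreation": ("boolean", "block long-lived SA keys"),
    "constraints/compute.vmExternalIpAccess": ("list", "restrict external IPs on VMs"),
    "constraints/sql.restrictPublicIp": ("boolean", "private IPs only for Cloud SQL"),
    "constraints/storage.uniformBucketLevelAccess": ("boolean", "uniform bucket-level access"),
}


def is_enforced(kind, policy):
    """True if the effective policy restricts the constraint.
    No policy at all means the constraint's default (permissive) behaviour applies."""
    if not policy:
        return False
    if kind == "boolean":
        return bool(policy.get("booleanPolicy", {}).get("enforced", False))
    lp = policy.get("listPolicy", {})
    # A list constraint is restrictive only when it denies all values or pins
    # an explicit allow/deny list; allValues=ALLOW or an empty policy is permissive.
    if lp.get("allValues") == "DENY":
        return True
    if lp.get("allValues") == "ALLOW":
        return False
    return bool(lp.get("allowedValues")) or bool(lp.get("deniedValues"))


def evaluate_org_policies(effective):
    """effective: {constraint id: effective policy dict or None} -> {constraint id: enforced?}"""
    return {c: is_enforced(kind, effective.get(c)) for c, (kind, _) in CRITICAL_CONSTRAINTS.items()}


def missing_constraints(effective):
    """Sorted list of critical constraints that are not enforced."""
    return sorted(c for c, ok in evaluate_org_policies(effective).items() if not ok)


# Constructed sample: a partially hardened organisation.
SAMPLE = {
    "constraints/compute.requireOsLogin": {"booleanPolicy": {"enforced": True}},
    "constraints/iam.disableServiceAccountKeyCreation": {},  # policy object present, not enforced
    "constraints/compute.vmExternalIpAccess": {"listPolicy": {"allValues": "ALLOW"}},
    "constraints/sql.restrictPublicIp": {"booleanPolicy": {"enforced": True}},
    # storage.uniformBucketLevelAccess deliberately absent: nothing set at any level
}

if __name__ == "__main__":
    for c in missing_constraints(SAMPLE):
        print(f"MISSING  {c}: {CRITICAL_CONSTRAINTS[c][1]}")
```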
AI workloads require: dedicated AI/ML projects with GPU quota, VPC Service Controls perimeter for training data, service account governance, Model Registry for version control, and responsible AI policies. TCOIQ assesses Vertex AI readiness specifically.