Cloud Billing overview

Cloud Billing is a collection of tools that help you track and understand your Cloud de Confiance spending, pay your bill, and optimize your costs.

This document covers the following topics:

• An introduction to Cloud Billing accounts. Your Cloud Billing account pays for your usage of Cloud de Confiance resources and services.

• An overview of resource management in Cloud de Confiance. The way you organize your Cloud de Confiance resources depends on your organization's structure, and affects how you analyze your costs in the Cloud Billing reports.

Not all Cloud Billing features that are available in Google Cloud can be used in Cloud de Confiance. See our differences guide for more details.

Pricing and invoicing in Cloud de Confiance are handled by S3NS. If you have any questions about pricing or invoicing, contact Cloud de Confiance by S3NS billing support.

About Cloud Billing accounts

A Cloud Billing account is set up in Cloud de Confiance and defines who pays for a given set of Cloud de Confiance resources.

This account is used to track all of the costs (charges and savings) incurred by your Cloud de Confiance usage in all projects linked to the Cloud Billing account.

Access control to a Cloud Billing account is established by IAM roles.

About resource management for billing

You can configure billing on Cloud de Confiance by S3NS in a variety of ways to meet different needs. This section introduces the core concepts for your organization and for billing, and discusses how to use them effectively.

About resources

In the context of Cloud de Confiance, a resource can refer to service-level resources that are used to process your workloads, such as virtual machines and databases, or to account-level resources that sit above the services, such as projects, folders, and the organization.

Resource management

Resource management focuses on how you should configure and grant access to the various cloud resources for your company/team, specifically the setup and organization of the account-level resources that sit above the service-level resources. Account-level resources are the resources involved in setting up and administering your Cloud de Confiance account.

Resource hierarchy

Cloud de Confiance resources are organized hierarchically. This hierarchy lets you map your organization's operational structure to Cloud de Confiance, and to manage access control and permissions for groups of related resources. The resource hierarchy provides logical attachment points for access management policies (Identity and Access Management) and Organization policies.

Both IAM and Organization policies are inherited through the hierarchy, and the effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors.

For more information on the hierarchy of resources, see the Resource Manager documentation.

Organization

• An organization is the root node of the Cloud de Confiance hierarchy of resources.
• All Cloud de Confiance resources that belong to an organization are grouped under the organization node, allowing you to define settings, permissions, and policies for all projects, folders, resources, and Cloud Billing accounts it parents.
• A new organization is created for you when you onboard to Cloud de Confiance.
• Using an organization, you can centrally manage your Cloud de Confiance resources and your users' access to those resources. This includes:
  • Proactive management: reorganize resources as needed (for example, restructuring or spinning up a new division may require new projects and folders).
  • Reactive management: an organization resource provides a safety net to regain access to lost resources (for example, if one of your team members loses their access or leaves the company).
• The various roles and resources that are related to Cloud de Confiance (including the organization, projects, folders, resources, and Cloud Billing accounts) are managed within the Cloud de Confiance console.

For more information on organizations, see the following documentation:

• Creating and managing organizations
• Viewing and managing organization resources
• Managing multiple organizations

Folders

• Folders are a grouping mechanism and can contain projects, other folders, or a combination of both.
• To use folders, you must have an organization node.
• Folders and projects are all mapped under the organization node.
• Folders can be used to group resources that share common IAM policies.
• While a folder can contain multiple folders or resources, a given folder or resource can have exactly one parent.

For more details about using folders, see Creating and managing folders.

Projects

• All service-level resources are parented by projects, the base-level organizing entity in Cloud de Confiance.
• Projects are required to use service-level resources (such as Compute Engine virtual machines, Pub/Sub topics, and Cloud Storage buckets).
• You can use projects to represent logical projects, teams, environments, or other collections that map to a business function or structure.
• Projects form the basis for enabling services, APIs, and IAM permissions.
• Any given resource can only exist in one project.

For more details about projects, see the following documentation:

• Creating and managing projects
• Moving a project
• Migrating projects

Resources

• Cloud de Confiance service-level resources are the fundamental components that make up all Cloud de Confiance services, such as Compute Engine virtual machines, Pub/Sub topics, and Cloud Storage buckets.
• For billing and access control purposes, resources exist at the lowest level of a hierarchy that also includes projects and an organization.

Labels

• Labels help you categorize your Cloud de Confiance resources (such as Compute Engine instances).
• A label is a key-value pair.
• You can attach labels to each resource, then filter the resources based on their labels.
• Labels are great for cost tracking at a granular level. Information about labels is forwarded to the billing system, so you can analyze your charges by label.

For more details about using labels, see Creating and managing labels.

Relationships between resources and Cloud Billing accounts

Two types of relationships govern the interactions between organizations, Cloud Billing accounts, and projects: ownership and payment linkage.

• Ownership refers to IAM permission inheritance.
• Payment linkages define which Cloud Billing account pays for a given project.

Ownership of a Cloud Billing account is limited to a single organization. Payment linkage of a project linked to a Cloud Billing account is not limited by organization ownership. It is possible for a Cloud Billing account to pay for projects that belong to an organization that is different than the organization that owns the Cloud Billing account. For more information on managing the Cloud Billing account for your projects, see Enable, disable, or change billing for a project.

For information about granting IAM billing roles, see Overview of Cloud Billing access control.