Citrix Virtual Apps and Desktops

Connection to Google cloud environments

Create and manage connections and resources describes the wizards that create a connection. The following information covers details specific to Google cloud environments.

Note:

Before creating a connection to Google cloud environments, you need to first finish setting up your Google cloud account as a resource location. See Google Cloud environments.

Add a connection

Follow the guidance in Create a connection and resources. The following description guides you through setting up a hosting connection:

  1. From Manage > Configuration, select Hosting in the left pane.

  2. Select Add Connection and Resources in the action bar.

  3. On the Connection page, select Create a new Connection and Citrix provisioning tools, and then select Next.

    • Connection type. Select Google Cloud from the menu.
    • Connection name. Type a name for the connection.
  4. On the Region page, select a project name from the menu, select a region containing the resources you want to use, and then select Next.

  5. On the Network page, type a name for the resources, select a virtual network from the menu, select a subset, and then select Next. The resource name helps identify the region and network combination. Virtual networks with the (Shared) suffix appended to their name represent shared VPCs. If you configure a subnet-level IAM role for a shared VPC, only specific subnets of the shared VPC appear on the subnet list.

    Note:

    • The resource name can contain 1–64 characters, and cannot contain only blank spaces or the characters \ / ; : # . * ? = < > | [ ] { } " ' ( ) ' ).
  6. On the Summary page, confirm the information and then select Finish to exit the Add Connection and Resources window.

After creating the connection and resources, the connection and resources you created are listed. To configure the connection, select the connection and then select the applicable option in the action bar.

Similarly, you can delete, rename, or test the resources created under the connection. To do so, select the resource under the connection and then select the applicable option in the action bar.

Service endpoint URLs

You must have access to the following URLs:

  • https://oauth2.googleapis.com
  • https://cloudresourcemanager.googleapis.com
  • https://compute.googleapis.com
  • https://storage.googleapis.com
  • https://cloudbuild.googleapis.com

Google Cloud projects

There are basically two types of Google Cloud projects:

  • Provisioning project: In this case, the current admin account owns the provisioned machines in the project. This project is also referred to as a local project.
  • Shared VPC project: Project in which machines created in the provisioning project use the VPC from the Shared VPC project. The admin account used for provisioning project has limited permissions in this project, specifically, only permissions to use the VPC.

Create a secure environment for GCP managed traffic

You can allow private Google access to your Google Cloud projects. This implementation enhances security to handle sensitive data. To achieve this, you can do one of the following:

  • Include the following ingress rules of VPC service controls for Cloud Build Service Account. If you do this step, then do not follow the steps below for creating a secure environment for GCP managed traffic.

     Ingress Rule 1
     From:
     Identities:
     <ProjectID>@cloudbuild.gserviceaccount.com
     Source > All sources allowed
     To:
     Projects =
     All projects
     Services =
     Service name: All services
     <!--NeedCopy-->
    
  • If you are using a private worker pool, add UsePrivateWorkerPool in CustomProperties. For information on the private worker pool, see Private pools overview.

Requirements to create a secure environment for GCP managed traffic

The requirements to create a secure environment for GCP managed traffic are:

  • Ensure that the hosting connection is in maintenance mode when updating the custom properties.
  • To use private worker pools, the following changes are required:
    • For Citrix Cloud Service Account, add the following IAM roles:
      • Cloud Build Service Account
      • Compute Instance Admin
      • Service Account User
      • Service Account Token Creator
      • Cloud Build WorkerPool Owner
    • Create the Citrix Cloud Service Account in the same project that you use for creating a hosting connection.
    • Set up DNS zones for private.googleapis.com and gcr.io as described in DNS configuration.

      DNS zones for private-googleapis-com

      DNS zones for gcr.io

    • Set up private Network Address Translation (NAT) or use private service connect. For more information, see Access Google APIs through endpoints.

      Private service connect

    • If using a peered VPC, create a Cloud DNS zone peering to the peered VPC. For more information, see Create a peering zone.

      Create a peering zone

    • In VPC service controls, set up Egress rules so that the APIs and VMs can talk to the internet. Ingress rules are optional. For example:

       Egress Rule 1
       From:
       Identities:ANY_IDENTITY
       To:
       Projects =
       All projects
       Service =
       Service name: All services
       <!--NeedCopy-->
      

Enable the private worker pool

To enable the private worker pool, set the custom properties as follows on the host connection:

  1. Open a PowerShell window from the Delivery Controller host or use the Remote PowerShell SDK. For more information on Remote PowerShell SDK, see SDKs and APIs.
  2. Run the following commands:

    1. Add-PSSnapin citrix*
    2. cd XDHyp:\Connections\
    3. dir
  3. Copy the CustomProperties from the connection to a notepad.
  4. Append property setting <Property xsi:type="StringProperty" Name="UsePrivateWorkerPool" Value="True"/>. For example:

    ```
    <CustomProperties xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.citrix.com/2014/xd/machinecreation">
    <Property xsi:type="StringProperty" Name="UsePrivateWorkerPool" Value="True"/>
    </CustomProperties>
    <!--NeedCopy--> ```
    
  5. In the PowerShell window, assign a variable to the modified custom properties. For example: $customProperty = '<CustomProperties…</CustomProperties>'.
  6. Run $gcpServiceAccount = "<ENTER YOUR SERVICE ACCOUNT EMAIL HERE>".
  7. Run $gcpPrivateKey = "<ENTER YOUR SERVICE ACCOUNT PRIVATE KEY HERE AFTER REMOVING ALL INSTANCES OF \n >".
  8. Run $securePassword = ConvertTo-SecureString $gcpPrivateKey -AsPlainText -Force.
  9. Run the following to update an existing host connection:

    Set-Item -PassThru -Path @('XDHyp:\\Connections\\<ENTER YOUR CONNECTION NAME HERE>') -SecurePassword $securePassword -UserName $gcpServiceAccount -CustomProperties $customProperty
    <!--NeedCopy-->
    

Specify CMEK global and regional key

Note:

Support for CMEK in GCP is currently under Preview.

There are two types of customer-managed encryption keys (CMEK) in GCP:

  • Regional: Encryption keys that can only be used by resources in the same region.
  • Global: Encryption keys that can be used by resources from multiple regions.

You can browse and use global or regional customer-managed encryption keys (CMEK) from all projects that are accessible to the service account. You can then use the key to create a CMEK enabled MCS machine catalog and update an existing CMEK enabled MCS machine catalog using Set-ProvScheme command. For information creating a CMEK enabled catalog using PowerShell, see Create a catalog with CMEK using custom properties.

For this feature, you need additional permissions for the following two service accounts:

  • The service account of the current project with which the hosting connection is created.
  • The Compute Engine Service Agent of the current project (that has the email: service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com). For more information, see Compute Engine Service Agent.

In Service accounts, you must assign the following roles in the project that has crypto keys that you want to use (for example, shared project):

  • Cloud KMS Viewer
  • Cloud KMS CryptoKey Encrypter/Decrypter

If you do not assign to the roles, then make sure that you have the following permissions:

  • resourcemanager.projects.get
  • cloudkms.keyRings.list
  • cloudkms.keyRings.get
  • cloudkms.cryptoKeys.get
  • cloudkms.cryptoKeys.list
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToEncrypt

List the encryption keys

You can list the global and regional encryption keys within the same project and all other accessible projects using the PowerShell commands. To do this:

  1. Open a PowerShell window from the Delivery Controller host or remote PowerShell.
  2. Run the command asnp citrix* to load Citrix-specific PowerShell modules.
  3. Run the following command to list the encryption keys. Example:

    • To list contents of encryptionKeys folder:

       Get-ChildItem XDHyp:\HostingUnits\my-hostingunit\encryptionKeys.folder
       <!--NeedCopy-->
      
    • To get global encryption keys within the same project:

       Get-Item XDHyp:\HostingUnits\my-hostingunit\encryptionKeys.folder\myglobalkeyring.globalkeyring\myglobalkey.cryptokey
       <!--NeedCopy-->
      
    • To get regional encryption keys within the same project:

       Get-Item XDHyp:\HostingUnits\my-hostingunit\encryptionKeys.folder\regional-ring.keyring\shared-key.cryptokey
       <!--NeedCopy-->
      
    • To get global encryption keys from another accessible project (for example: myanotherproject):

       Get-Item XDHyp:\HostingUnits\my-hostingunit\encryptionKeys.folder\myanotherproject.project\shared-global-ring.globalkeyring\shared-key.cryptokey
       <!--NeedCopy-->
      
    • To get regional encryption keys from another accessible project (for example: myanotherproject):

       Get-Item XDHyp:\HostingUnits\my-hostingunit\encryptionKeys.folder\myanotherproject .project.project\shared-uscentral.keyring\shared-uscentral-key.cryptokey
       <!--NeedCopy-->
      

Note:

  • The extension of the key ring inventory item for a global key ring is .globalkeyring.
  • The id of global key rings has the word global in it.

Required GCP permissions

This section has the complete list of GCP permissions. Use the complete set of permissions as given in the section for the functionality to work correctly.

Note:

GCP is introducing changes to Cloud Build Services’s default behavior and use of service accounts after April 29, 2024. For more information, see Cloud Build Service Account Change. Your existing Google projects with Cloud Build API enabled before April 29, 2024 are not affected by this change. However, if you want to have existing Cloud Build Service behavior after April 29, you can create or apply the organization policy to disable the constraint enforcement before you enable the API. If you set the new organization policy, you can still follow the existing permissions in this section and the items that are marked Before Cloud Build Service Account Change. If not, then follow the existing permissions and items that are marked After Cloud Build Service Account Change.

Creating a host connection

  • Minimum permissions required for Citrix Cloud Service Account in Provisioning project:

     compute.instanceTemplates.list
     compute.instances.list
     compute.networks.list
     compute.projects.get
     compute.regions.list
     compute.subnetworks.list
     compute.zones.list
     resourcemanager.projects.get
     <!--NeedCopy-->
    

    The following Google defined roles have the permissions as listed above:

    • Compute Admin
    • Cloud Datastore User
  • Additional permissions required for Shared VPC for Citrix Cloud Service Account in Shared VPC project:

     compute.networks.list
     compute.subnetworks.list
     resourcemanager.projects.get
     <!--NeedCopy-->
    

    The following Google defined roles have the permissions as listed above:

    • Compute Network User
  • In Service accounts, you must assign the following roles in the project that has crypto keys that you want to use (for example, shared project):

    • Cloud KMS Viewer
    • Cloud KMS CryptoKey Encrypter/Decrypter

    If you do not assign to the roles, then make sure that you have the following permissions:

    • resourcemanager.projects.get
    • cloudkms.keyRings.list
    • cloudkms.keyRings.get
    • cloudkms.cryptoKeys.get
    • cloudkms.cryptoKeys.list
    • cloudkms.cryptoKeyVersions.useToDecrypt
    • cloudkms.cryptoKeyVersions.useToEncrypt

Power management of VMs

Minimum permissions required for Citrix Cloud Service Account in Provisioning project in case of power managed only catalogs:

compute.instanceTemplates.list
compute.instances.list
compute.instances.get
compute.instances.reset
compute.instances.resume
compute.instances.start
compute.instances.stop
compute.instances.suspend
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
resourcemanager.projects.get
compute.zoneOperations.get
<!--NeedCopy-->

The following Google defined roles have the permissions as listed above:

  • Compute Admin
  • Cloud Datastore User

Creating, updating, or deleting VMs

  • Minimum permissions required for Citrix Cloud Service Account in Provisioning project:

     cloudbuild.builds.create
     cloudbuild.builds.get
     cloudbuild.builds.list
     compute.acceleratorTypes.list
     compute.diskTypes.get
     compute.diskTypes.list
     compute.disks.create
     compute.disks.createSnapshot
     compute.disks.delete
     compute.disks.get
     compute.disks.list
     compute.disks.setLabels
     compute.disks.use
     compute.disks.useReadOnly
     compute.firewalls.create
     compute.firewalls.delete
     compute.firewalls.list
     compute.globalOperations.get
     compute.images.create
     compute.images.delete
     compute.images.get
     compute.images.list
     compute.images.setLabels
     compute.images.useReadOnly
     compute.instanceTemplates.create
     compute.instanceTemplates.delete
     compute.instanceTemplates.get
     compute.instanceTemplates.list
     compute.instanceTemplates.useReadOnly
     compute.instances.attachDisk
     compute.instances.create
     compute.instances.delete
     compute.instances.detachDisk
     compute.instances.get
     compute.instances.list
     compute.instances.reset
     compute.instances.resume
     compute.instances.setDeletionProtection
     compute.instances.setLabels
     compute.instances.setMetadata
     compute.instances.setServiceAccount
     compute.instances.setTags
     compute.instances.start
     compute.instances.stop
     compute.instances.suspend
     compute.machineTypes.get
     compute.machineTypes.list
     compute.networks.list
     compute.networks.updatePolicy
     compute.nodeGroups.list
     compute.nodeTemplates.get
     compute.projects.get
     compute.regions.list
     compute.snapshots.create
     compute.snapshots.delete
     compute.snapshots.list
     compute.snapshots.get
     compute.snapshots.setLabels
     compute.snapshots.useReadOnly
     compute.subnetworks.get
     compute.subnetworks.list
     compute.subnetworks.use
     compute.zoneOperations.get
     compute.zoneOperations.list
     compute.zones.get
     compute.zones.list
     iam.serviceAccounts.actAs
     resourcemanager.projects.get
     storage.buckets.create
     storage.buckets.delete
     storage.buckets.get
     storage.buckets.list
     storage.buckets.update
     storage.objects.create
     storage.objects.delete
     storage.objects.get
     storage.objects.list
     compute.networks.get
     compute.resourcePolicies.use
    
     <!--NeedCopy-->
    

    The following Google defined roles have the permissions as listed above:

    • Compute Admin
    • Storage Admin
    • Cloud Build Editor
    • Service Account User
    • Cloud Datastore User
  • Additional permissions required for Shared VPC for Citrix Cloud Service Account in Shared VPC project to create a hosting unit using VPC and subnetwork from Shared VPC project:

     compute.firewalls.list
     compute.networks.list
     compute.projects.get
     compute.regions.list
     compute.subnetworks.get
     compute.subnetworks.list
     compute.subnetworks.use
     compute.zones.list
     resourcemanager.projects.get
     <!--NeedCopy-->
    

    The following Google defined roles have the permissions as listed above:

    • Compute Network User
    • Cloud Datastore User
  • (Before Cloud Build Service Account Change): Minimum permissions required for Cloud Build Service Account in Provisioning project required by Google Cloud Build service when downloading preparation instruction disk to MCS:

  • (After Cloud Build Service Account Change): Minimum permissions required for Cloud Compute Service Account in Provisioning project required by Google Cloud Compute service when downloading preparation instruction disk to MCS:

     compute.disks.create
     compute.disks.delete
     compute.disks.get
     compute.disks.list
     compute.disks.setLabels
     compute.disks.use
     compute.disks.useReadOnly
     compute.images.get
     compute.images.list
     compute.images.useReadOnly
     compute.instances.create
     compute.instances.delete
     compute.instances.get
     compute.instances.getSerialPortOutput
     compute.instances.list
     compute.instances.setLabels
     compute.instances.setMetadata
     compute.instances.setServiceAccount
     compute.machineTypes.list
     compute.networks.get
     compute.networks.list
     compute.projects.get
     compute.subnetworks.list
     compute.subnetworks.use
     compute.subnetworks.useExternalIp
     compute.zoneOperations.get
     compute.zones.list
     iam.serviceAccounts.actAs
     logging.logEntries.create
     pubsub.topics.publish
     resourcemanager.projects.get
     source.repos.get
     source.repos.list
     storage.buckets.create
     storage.buckets.get
     storage.buckets.list
     storage.objects.create
     storage.objects.delete
     storage.objects.get
     storage.objects.list
     <!--NeedCopy-->
    

    The following Google defined roles have the permissions as listed above:

    • Cloud Build Service Account (After Cloud Build Service Account Change, it is Cloud Compute Service Account)
    • Compute Instance Admin
    • Service Account User
  • Minimum permissions required for Cloud Compute Service Account in Provisioning project required by Google Cloud Build service when downloading preparation instruction disk to MCS:

     resourcemanager.projects.get
     storage.objects.create
     storage.objects.get
     storage.objects.list
     <!--NeedCopy-->
    

    The following Google defined roles have the permissions as listed above:

    • Compute Network User
    • Storage Account User
    • Cloud Datastore User
  • (Before Cloud Build Service Account Change): Additional permissions required for Shared VPC for Cloud Build Service Account in Provisioning project required by Google Cloud Build service when downloading preparation instruction disk to MCS:
  • (After Cloud Build Service Account Change): Additional permissions required for Shared VPC for Cloud Compute Service Account in Provisioning project required by Google Cloud Compute service when downloading preparation instruction disk to MCS:

     compute.firewalls.list
     compute.networks.list
     compute.subnetworks.list
     compute.subnetworks.use
     resourcemanager.projects.get
     <!--NeedCopy-->
    

    The following Google defined roles have the permissions as listed above:

    • Compute Network User
    • Storage Account User
    • Cloud Datastore User
  • Additional permissions required for Cloud Key Management Service (KMS) for Citrix Cloud Service Account in Provisioning project:

     cloudkms.cryptoKeys.get
     cloudkms.cryptoKeys.list
     cloudkms.keyRings.get
     cloudkms.keyRings.list
     <!--NeedCopy-->
    

    The following Google defined roles have the permissions as listed above:

    • Compute KMS Viewer

General permissions

Following are the permissions for Citrix Cloud Service Account in Provisioning project for all features supported in MCS. These permissions provide the best compatibility going forward:

resourcemanager.projects.get
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
compute.acceleratorTypes.list
compute.diskTypes.get
compute.diskTypes.list
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.list
compute.globalOperations.get
compute.images.create
compute.images.delete
compute.images.get
compute.images.list
compute.images.setLabels
compute.images.useReadOnly
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.list
compute.instanceTemplates.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.reset
compute.instances.resume
compute.instances.setDeletionProtection
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.machineTypes.get
compute.machineTypes.list
compute.networks.list
compute.networks.updatePolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regions.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.list
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zoneOperations.list
compute.zones.get
compute.zones.list
resourcemanager.projects.get
storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.list
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.list
cloudkms.keyRings.get
cloudkms.keyRings.list
compute.disks.list
compute.instances.setServiceAccount
compute.networks.get
compute.networks.use
compute.networks.useExternalIp
iam.serviceAccounts.actAs
compute.resourcePolicies.use
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
<!--NeedCopy-->

Where to go next

More information

Connection to Google cloud environments