Citrix DaaS

Google Cloud virtualization environments

Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) lets you provision and manage machines on Google Cloud.

Requirements

  • Citrix Cloud account: The features are available only in Citrix Cloud.
  • Citrix DaaS subscription. For details, see Get started.
  • A Google Cloud project. The project stores all compute resources associated with the machine catalog. It can be an existing project or a new one.
  • Enable four APIs in your Google Cloud project. For details, see Enable Google Cloud APIs.
  • Google Cloud service account. The service account authenticates to Google Cloud to enable access to the project. For details, see Configure and update service accounts.
  • Enable Google private access. For details, see Enable-private-google-access.

Google Cloud projects

There are basically two types of Google Cloud projects:

  • Provisioning project: In this case, the current admin account owns the provisioned machines in the project. This project is also referred to as a local project.
  • Shared VPC project: Project in which machines created in the provisioning project use the VPC from the Shared VPC project. The admin account used for provisioning projects has limited permissions in this project, specifically, only permissions to use the VPC.

Service endpoint URLs

You must have access to the following URLs:

  • https://oauth2.googleapis.com
  • https://cloudresourcemanager.googleapis.com
  • https://compute.googleapis.com
  • https://storage.googleapis.com
  • https://cloudbuild.googleapis.com

Enable Google Cloud APIs

To use the Google Cloud functionality through the Citrix DaaS Full Configuration interface, enable these APIs in your Google Cloud project:

  • Compute Engine API
  • Cloud Resource Manager API
  • Identity and Access Management (IAM) API
  • Cloud Build API

From the Google Cloud console, complete these steps:

  1. In the upper left menu, select APIs and Services > Enabled APIs & services.
  2. On the Enabled APIs & services screen, ensure that the Compute Engine API is enabled. If not, follow these steps:

    1. Navigate to APIs and Services > Library.
    2. In the search box, type Compute Engine.
    3. From the search results, select Compute Engine API.
    4. On the Compute Engine API page, select Enable.
  3. Enable Cloud Resource Manager API.
    1. Navigate to APIs and Services > Library.
    2. In the search box, type Cloud Resource Manager.
    3. From the search results, select Cloud Resource Manager API.
    4. On the Cloud Resource Manager API page, select Enable. The status of the API appears.
  4. Similarly, enable Identity and Access Management (IAM) API and Cloud Build API, and Cloud Key Management Service (KMS) API.

You can also use Google Cloud Shell to enable the APIs. To do this:

  1. Open the Google Console and load the Cloud Shell.
  2. Run the following four commands in the Cloud Shell:

    • gcloud services enable compute.googleapis.com
    • gcloud services enable cloudresourcemanager.googleapis.com
    • gcloud services enable iam.googleapis.com
    • gcloud services enable cloudbuild.googleapis.com
    • gcloud services enable cloudkms.googleapis.com
  3. Click Authorize if the Cloud Shell prompts.

Configure and update service accounts

Citrix Cloud uses three separate service accounts within the Google Cloud project:

  • Citrix Cloud Service Account: This service account enables Citrix Cloud to access the Google project, provision, and manage machines. The Google Cloud account authenticates to Citrix Cloud using a key generated by Google Cloud.

    You must create this service account manually as outlined here. For more information, see Create a Citrix Cloud Service Account.

    You can identify this service account with an email address. For example, <my-service-account>@<project-id>.iam.gserviceaccount.com.

  • Cloud Build Service Account: This service account is provisioned automatically after you enable all the APIs mentioned in Enable Google Cloud APIs. To view all automatically created service accounts, navigate to IAM & Admin > IAM in the Google Cloud console and select the Include Google-provided role grants checkbox.

    You can identify this service account by an email address that begins with the Project ID and the word cloudbuild. For example, <project-id>@cloudbuild.gserviceaccount.com

    Verify if the service account has been granted the following roles. If you need to add roles, follow the steps outlined in Add roles to the Cloud Build Service Account.

    • Cloud Build Service Account
    • Compute Instance Admin
    • Service Account User
  • Cloud Compute Service Account: This service account is added by Google Cloud to instances created in Google Cloud once the Compute API is activated. This account has the IAM basic editor role to do the operations. However, if you delete the default permission to have more granular control, you must add a Storage Admin role that requires the following permissions:

    • resourcemanager.projects.get
    • storage.objects.create
    • storage.objects.get
    • storage.objects.list

You can identify this service account by an email address that begins with the Project ID and the word compute. For example, <project-id>-compute@developer.gserviceaccount.com.

Create a Citrix Cloud Service Account

To create a Citrix Cloud Service Account, follow these steps:

  1. In the Google Cloud console, navigate to IAM & Admin > Service accounts.
  2. On the Service accounts page, select CREATE SERVICE ACCOUNT.
  3. On the Create service account page, enter the required information, and then select CREATE AND CONTINUE.
  4. On the Grant this service account access to project page, click the Select a role drop-down menu and select the required roles. Click +ADD ANOTHER ROLE if you want to add more roles.

Each account (personal or service) has various roles defining the management of the project. Grant the following roles to this service account:

-  Compute Admin
-  Storage Admin
-  Cloud Build Editor
-  Service Account User
-  Cloud Datastore User
-  Cloud KMS Crypto Operator

The Cloud KMS Crypto Operator requires the following permissions:

-  cloudkms.cryptoKeys.get
-  cloudkms.cryptoKeys.list
-  cloudkms.keyRings.get
-  cloudkms.keyRings.list

> **Note:**
>
> Enable all the APIs to get the complete list of roles available while creating a new service account.
  1. Click CONTINUE
  2. On the Grant users access to this service account page, add users or groups to grant them access to perform actions in this service account.
  3. Click DONE.
  4. Navigate to the IAM main console.
  5. Identify the service account created.
  6. Validate the roles are assigned successfully.

Considerations:

When creating the service account, consider the following:

  • The steps Grant this service account access to project and Grant users access to this service account are optional. If you choose to skip these optional configuration steps, the newly created service account does not display in the IAM & Admin > IAM page.
  • To display roles associated with a service account, add the roles without skipping the optional steps. This process ensures that roles appear for the configured service account.

Citrix Cloud Service Account key

The Citrix Cloud Service Account key is required for creating a connection in Citrix DaaS. The key is contained in a credential file (.json). The file is automatically downloaded and saved to the Downloads folder after you create the key. When you create the key, be sure to set the key type to JSON. Otherwise, the Citrix Full Configuration interface cannot parse it.

To create a Service Account Key, navigate to IAM & Admin > Service accounts and click the email address of the Citrix Cloud Service Account. Switch to the Keys tab and select Add Key > Create new key. Make sure to select JSON as the key type.

Tip:

Create keys using the Service accounts page in the Google Cloud console. We recommend that you change keys regularly for security purposes. You can provide new keys to the Citrix Virtual Apps and Desktops application by editing an existing Google Cloud connection.

Add roles to the Citrix Cloud Service Account

To add roles to the Citrix Cloud Service Account:

  1. In the Google Cloud console, navigate to IAM & Admin > IAM.
  2. On the IAM > PERMISSIONS page, locate the service account you created, identifiable with an email address.

    For example, <my-service-account>@<project-id>.iam.gserviceaccount.com

  3. Select the pencil icon to edit the access to the principal of the service account.
  4. On the Edit access to “project-id” page for the selected principal option, select ADD ANOTHER ROLE to add the required roles to your service account one by one and then select SAVE.

Add roles to the Cloud Build Service Account

To add roles to the Cloud Build Service Account:

  1. In the Google Cloud console, navigate to IAM & Admin > IAM.
  2. On the IAM page, locate the Cloud Build service account, identifiable with an email address that begins with the Project ID and the word cloudbuild.

    For example, <project-id>@cloudbuild.gserviceaccount.com

  3. Select the pencil icon to edit the Cloud Build account roles.
  4. On the Edit access to “project-id” page for the selected principal option, select ADD ANOTHER ROLE to add the required roles to your Cloud Build service account one by one and then select SAVE.

    Note:

    Enable all the APIs to get the complete list of roles.

Storage permissions and bucket management

Citrix DaaS improves the process of reporting cloud build failures for the Google Cloud service. This service runs builds on the Google Cloud. Citrix DaaS creates a storage bucket named citrix-mcs-cloud-build-logs-{region}-{5 random characters} where the Google Cloud services captures build log information. An option is set on this bucket that deletes the contents after a period of 30 days. This process requires that the service account used for the connection has Google Cloud permissions set to storage.buckets.update. If the service account does not have this permission, Citrix DaaS ignores errors and proceeds with the catalog creation process. Without this permission, the size of the build logs increases and requires manual cleanup.

Enable private Google access

When a VM lacks an external IP address assigned to its network interface, packets are only sent to other internal IP addresses destinations. When you enable private access, the VM connects to the set of external IP addresses used by the Google API and associated services.

Note:

Whether private Google access is enabled, all VMs that are with and without public IP addresses, must be able to access Google Public APIs, especially if third-party networking appliances have been installed in the environment.

To ensure that a VM in your subnet can access the Google APIs without a public IP address for MCS provisioning:

  1. In Google Cloud, access the VPC network configuration.
  2. Identify the subnet(s) leveraged for the Citrix environment in the Subnets in current project tab.
  3. Click on the name of the subnet(s) and enable Private Google Access.

For more information, see Configuring Private Google Access.

Important:

If your network is configured to prevent VM access to the internet, ensure that your organization assumes the risks associated with enabling Private Google access for the subnet to which the VM is connected.

Where to go next

More information

Google Cloud virtualization environments