Step 4: Configure Access to VM Consoles

Overview

Now that the Windows virtual machine instances have been created, the next step is to identify a way to remotely access their consoles to configure them. Google Cloud handles remote console access by relying on network connectivity to the virtual machine instance and a remote console service running inside the virtual machine. For Windows virtual machines, that means using an RDP client to connect to the RDP listener running inside the instances; for non-Windows machines, SSH handles the connection.

The tools and techniques you use to gain access to the VM consoles can differ based on the operating system and network location of your workstation. They can also differ based on how your organization handles security. The goal of this section is ensuring you can establish remote console connections to the virtual machines in your Google Cloud project.

Some common techniques for establishing remote console access include the following:

  1. Using an RDP client to establish a direct connection between an administrative workstation and VMs on the same network

  2. Using public IP addresses on one or more VMs, and establishing RDP connections to the public addresses from an administrative workstation via the Internet

  3. Establishing a connection to a jump box or bastion host, then accessing the VM within the Google Cloud project using the preferred RDP client. Administrators often connect to the jump box via an external IP address.

  4. Using the Google Cloud Identity Aware Proxy (IAP) TCP forwarding feature, plus a tool like IAP Desktop

If your administrative workstation is already on the same network as the VMs in your Google Cloud project, you can connect to them via an IP address, assuming you have allowed RDP access via your firewall rules. If your administrative workstation is NOT on the same network, then you can consider using a jump box with an external IP address assigned. If you do this, however, make sure you restrict access to the RDP listener (TCP 3389) to only allow access from the public IP address of your administrative workstation.

The most secure way to provide remote console access is to use the Google Cloud Identity Aware Proxy (IAP) TCP forwarding feature together with IAP Desktop. IAP TCP forwarding lets you control access to administrative interfaces such as SSH and RDP on the VMs in your project without exposing those services directly to the public Internet. IAP also lets you control who can access these services based on Google Cloud IAM roles, because IAP performs authentication and authorization before allowing access. IAP Desktop is a Windows-only open-source tool that puts a user-friendly UI on top of IAP and the RDP client.

This deployment guide uses the IAP service and IAP Desktop app to securely access the virtual machines for configuration. You can still use the IAP service with a non-Windows endpoint using the Google Cloud SDK and gcloud command, but that is outside of the scope of this guide.

Configuring Identity Aware Proxy is a three-step process: the first step is to configure the Firewall to allow ingress TCP traffic, the second step is to configure the Identity Aware Proxy, and the third step is to use IAP Desktop for remote console access.

1 Configure the Google Cloud firewall to allow ingress TCP traffic

  1. Click the hamburger icon, located in the top left-hand corner of the Google Console

  2. Navigate to VPC network

  3. Click Firewall

    vpc-networks-firewall

  4. Click Create Firewall Rule

    vpc-networks-firewall-rule

  5. Input a unique name for the Firewall rule: allow-iap-access

  6. Input a description for the Firewall rule: Allow IAP Access

  7. Select the VPC network created in the Virtual Private Cloud section: citrixcloudnetwork

  8. Select Ingress traffic

    vm-ingress-create-firewall-rule

  9. In the Targets field, select All instances in the network

  10. Set the Source IP ranges to 35.235.240.0/20

  11. Select Specified protocols and ports

  12. Select the tcp check box

  13. Click Create

    vm-ingress-ip-ranges

  14. Validate the Firewall rule is created

    vm-ingress-firewall-validation
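The firewall rule created above admits RDP only from the IAP forwarding range, and the overview warns against leaving TCP 3389 reachable from arbitrary public addresses. The following audit script is an added example (not part of this guide or of Google's tooling) that checks a project's ingress rules for exactly that: it consumes the JSON shape returned by `gcloud compute firewall-rules list --format=json` and flags any rule that reaches TCP 3389 or 22 from a source other than 35.235.240.0/20. The sample rules embedded at the bottom are constructed for illustration.

```python
import ipaddress

# Source range Google uses for IAP TCP forwarding (step 10 of the firewall procedure).
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")
ADMIN_PORTS = {3389, 22}  # RDP and SSH listeners


def _port_hits_admin(port_spec):
    """True if a gcloud port spec ('3389', '1000-2000', or '*' for all ports) covers RDP/SSH."""
    if port_spec == "*":
        return True
    lo, _, hi = port_spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _exposes_admin_port(rule):
    """True if any 'allowed' entry of the rule covers TCP 3389 or 22."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        if any(_port_hits_admin(p) for p in entry.get("ports") or ["*"]):
            return True
    return False


def audit_firewall_rules(rules):
    """Return (rule_name, severity, message) for every enabled ingress rule that
    reaches RDP/SSH from a source range other than the IAP range."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not _exposes_admin_port(rule):
            continue
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src, strict=False)
            if net == IAP_RANGE:
                continue  # the allow-iap-access pattern from this guide
            if net.prefixlen == 0:
                findings.append((rule["name"], "HIGH", f"RDP/SSH open to the Internet via {src}"))
            else:
                findings.append((rule["name"], "REVIEW", f"RDP/SSH reachable from {src}; confirm it is the admin workstation"))
    return findings


# Constructed sample rules in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "allow-iap-access", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "allow-rdp-jumpbox", "direction": "INGRESS", "sourceRanges": ["203.0.113.10/32"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-egress-all", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for name, severity, message in audit_firewall_rules(SAMPLE_RULES):
        print(f"{severity:6} {name}: {message}")
```

Running it against the constructed sample reports the jump box rule for review and the Internet-wide RDP rule as high severity, while the IAP-only rule produces no finding.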

2 Enable and Configure the Identity Aware Proxy

  1. Click the hamburger icon, located in the top left-hand corner of the Google Console

  2. Navigate to IAM & Admin

  3. Click Identity-Aware Proxy

    identity-aware-proxy

  4. If prompted, click Enable API

    identity-aware-proxy-enable-api

  5. Click Go to Identity-Aware Proxy

    identity-aware-proxy-go-to

    The following screen appears after clicking:

  6. Click SSH and TCP Resources tab

  7. To update member permissions on resources, select all the VM instances created earlier.

  8. Click Add Principal

    identity-aware-proxy-add-principal

  9. To grant users, groups, or service accounts access to the resources, specify their email addresses in the New principals field. If you are the only user testing this feature, you can enter your email address.

  10. To grant the members access to the resources through the Cloud IAP TCP forwarding feature, in the Role drop-down, select Cloud IAP

  11. Select IAP-secured Tunnel User

    iap-secured-tunnel-user

  12. Click Save

    iap-add-principals

3 Install, configure, and use IAP Desktop for remote console access

Once the Identity Aware Proxy has been enabled, the next step is to connect to the deployed virtual machine instances using IAP Desktop, available on GitHub. Once you have downloaded and installed the IAP Desktop, launch it and follow the steps to configure it.

  1. Click Sign in with Google

    iap-desktop

  2. Select the account associated with your Google Cloud project. Depending on your account configuration, you must provide a username, password, and a token.

    iap-choose-account

  3. Upon successful authentication, you are prompted with the following permission window. Select See, edit, configure and delete your Google Cloud Platform data

  4. Click Continue

    iap-desktop-access

  5. Select the Google Cloud Project

  6. Click Add Project

    iap-add-project

  7. All the machines created under the Deploying Google Compute Instance section earlier are enumerated:

    iap-project-explorer

  8. To log in to the virtual machine instance, right Click on the target virtual machine

  9. Select Connect as user…

    iap-connect-as-user

  10. Click Use a different account

  11. Enter the username admin

  12. Enter the unique password previously auto-generated for the machine you are connecting to

  13. Click OK

    iap-enter-your-credentials

  14. Upon successful authentication, you can log in to the virtual machine

    iap-remote-desktop-ssh

Once you have completed this goal (using IAP, a jump box, or some other technique), you have a functional method for connecting to the remote consoles of your virtual machines. In the next section, you use this method to configure the virtual machines into a functional Citrix Cloud resource location.
