Citrix DaaS

Connection to AWS

Create and manage connections describes the wizards that create a connection. The following information covers details specific to AWS cloud environments.

Note:

Before creating a connection to AWS, first finish setting up your AWS account as a resource location. See AWS cloud environments.

Create a connection

When you create a connection from the Full Configuration interface:

  • You must provide the API key and secret key values. You can export the key file containing those values from AWS and then import them. You must also provide the region, availability zone, VPC name, subnet addresses, domain name, security group names, and credentials.
  • The credentials file for the root AWS account (retrieved from the AWS console) is not formatted the same as the credentials files downloaded for standard AWS users, so Citrix Virtual Apps and Desktops management cannot use it to populate the API key and secret key fields. Use an AWS Identity and Access Management (IAM) credentials file. Root account keys should not be used for this connection in any case: create a dedicated IAM user that holds only the permissions listed under Defining IAM permissions, or use role-based authentication (role_based_auth).

Note:

After you create a connection, attempts to update the API key and secret key might fail. To resolve the issue, check your proxy server or firewall restrictions and ensure that the following address is reachable over HTTPS: https://*.amazonaws.com.

Host connection default values

When you create host connections in the Full Configuration interface of the AWS cloud environment, the following default values display:

Option                                       Absolute   Percentage
Simultaneous actions (all types)             125        100
Maximum new actions per minute               125        n/a
Maximum concurrent provisioning operations   100        n/a

MCS supports 100 maximum concurrent provisioning operations by default.

You can change these values in the Advanced section of the Edit Connection screen in Citrix Studio.


MCS supports 100 maximum concurrent provisioning operations by default. Alternatively, you can use the Remote PowerShell SDK to set the maximum number of concurrent operations to a value that suits your environment.

Use the PowerShell custom property MaximumConcurrentProvisioningOperations to specify the maximum number of concurrent AWS provisioning operations.

Prior to configuration:

  • Ensure that you have installed the PowerShell SDK for Cloud.
  • Understand that the default value for MaximumConcurrentProvisioningOperations is 100.

Perform the following steps to customize the MaximumConcurrentProvisioningOperations value:

  1. Open a PowerShell window.
  2. Run asnp citrix* to load the Citrix-specific PowerShell modules.
  3. Enter cd xdhyp:\Connections\.
  4. Enter dir to list the connections.
  5. Change or initialize the Custom Properties string:

    • If the Custom Properties string has a value, copy it into Notepad and change the MaximumConcurrentProvisioningOperations property to your preferred value. You can enter a value from 1 to 1000.

    • If the Custom Properties string is empty or null, initialize it by entering the proper syntax for both the schema and the MaximumConcurrentProvisioningOperations property.

  6. In the PowerShell window, assign the modified Custom Properties string from Notepad to a variable. If you initialized the Custom Properties, use the following form, pasting the string between the quotes:

    $customProperties = ''

    In the original example the string sets the MaximumConcurrentProvisioningOperations property to 100. Set the property to the value that suits your environment.

  7. Enter Get-XDAuthentication, which prompts you for your Citrix Cloud credentials.
  8. Run $cred = Get-Credential, which prompts you for a name and a password (you might also be prompted for an application ID and its associated secret). For connections using role-based authentication, enter role_based_auth as both the name and the password. Otherwise, enter the AWS API key as the name and the API secret as the password.
  9. Run set-item -PSPath 'XDHyp:\Connections\<connection-name>' -CustomProperties $customProperties -UserName $cred.UserName -SecurePassword $cred.Password, replacing <connection-name> with the name of the connection.
  10. Enter dir to verify the updated CustomProperties string.
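The procedure above, as a single added PowerShell example that is not part of the Citrix page or the Citrix SDK. It edits the Custom Properties as XML so that any other properties already stored on the connection are kept, validates the 1-1000 range, and uses a SecureString for the secret. It assumes a connection named MyAwsConnection and that the Custom Properties string uses the Citrix machine-creation schema namespace shown in the here-string (an assumption; compare it with the value that dir returns for your connection before relying on it).

```powershell
# Added example (not from the Citrix page): set MaximumConcurrentProvisioningOperations on an
# existing AWS hosting connection without clobbering other custom properties.
asnp citrix*
Get-XDAuthentication                       # prompts for your Citrix Cloud credentials

$connName = 'MyAwsConnection'              # assumed connection name
$path     = "XDHyp:\Connections\$connName"
$newValue = 250                            # allowed range is 1-1000
if ($newValue -lt 1 -or $newValue -gt 1000) { throw 'MaximumConcurrentProvisioningOperations must be between 1 and 1000' }

$ns      = 'http://schemas.citrix.com/2014/xd/machinecreation'   # assumed schema namespace
$current = (Get-Item -Path $path).CustomProperties

if ([string]::IsNullOrWhiteSpace($current)) {
    # Empty or null: initialise the string with the schema and the single property.
    [xml]$xml = @"
<CustomProperties xmlns="$ns" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Property xsi:type="StringProperty" Name="MaximumConcurrentProvisioningOperations" Value="$newValue"/>
</CustomProperties>
"@
} else {
    # Existing value: edit it as XML so any other properties are preserved instead of overwritten.
    [xml]$xml = $current
    $nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $nsm.AddNamespace('mc', $ns)
    $prop = $xml.SelectSingleNode("//mc:Property[@Name='MaximumConcurrentProvisioningOperations']", $nsm)
    if ($prop) {
        $prop.SetAttribute('Value', "$newValue")
    } else {
        $prop = $xml.CreateElement('Property', $ns)
        $prop.SetAttribute('type', 'http://www.w3.org/2001/XMLSchema-instance', 'StringProperty') | Out-Null
        $prop.SetAttribute('Name', 'MaximumConcurrentProvisioningOperations')
        $prop.SetAttribute('Value', "$newValue")
        $xml.DocumentElement.AppendChild($prop) | Out-Null
    }
}
$customProperties = $xml.OuterXml

# Credentials for the connection: role_based_auth for both fields when the Cloud Connector uses an
# IAM instance role; otherwise the IAM access key ID (name) and secret access key (password).
$cred = Get-Credential -Message 'Enter role_based_auth twice, or the AWS access key ID and secret access key'

Set-Item -PSPath $path -CustomProperties $customProperties -UserName $cred.UserName -SecurePassword $cred.Password

# Verify the stored value.
(Get-Item -Path $path).CustomProperties
```

Parsing the existing string as XML rather than editing it in Notepad avoids the common failure of pasting a string that drops a property some catalog depends on; the final Get-Item is the same check as step 10.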

Service endpoint URL

Standard zone service endpoint URL

When you use MCS, a new AWS connection is added with an API key and an API secret. With these credentials, MCS queries AWS for the supported zones using the EC2 DescribeRegions API call, sent to the generic EC2 service endpoint URL https://ec2.amazonaws.com/. In MCS, select the zone for the connection from the list of supported zones; the preferred AWS service endpoint URL for that zone is selected automatically. After the connection is created, the service endpoint URL can no longer be set or modified.

Non-standard service endpoint URL

There are situations where the automatically chosen AWS service endpoint URL is not the one you need. In such cases, use the Citrix Cloud SDK and PowerShell to create a connection with a non-standard service endpoint URL. For example, to create a connection using the service endpoint URL https://ec2.cn-north-1.amazonaws.com.cn:

  1. Set up the AWS hosted Cloud Connector and ensure that it has connectivity.
  2. Run the following PowerShell commands to see the list of Cloud Connectors.

    PS C:\> asnp citrix.*
    PS C:\> Get-XDAuthentication
    PS C:\> Get-ConfigEdgeServer

  3. Find the ZoneUid of the newly created Cloud Connector and use it in the following PowerShell commands. Replace the placeholders in angle brackets with your values.

    PS C:\> $hyp = New-Item -Path xdhyp:\Connections -ZoneUid <ZoneUid> -Name "My New Connection" -ConnectionType "AWS" -HypervisorAddress @("https://ec2.cn-north-1.amazonaws.com.cn") -UserName "<API key>" -Password "<API secret>" -Persist
    PS C:\> New-BrokerHypervisorConnection -HypHypervisorConnectionUid $hyp.HypervisorConnectionUid

  4. Refresh the Full Configuration > Hosting tab to verify that the EC2 connection has been created.
  5. Add a resource location using the new connection.
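The same procedure as an added PowerShell example (not code from the Citrix page or SDK) that looks up the ZoneUid from Get-ConfigEdgeServer instead of pasting it, refuses endpoint URLs outside the AWS EC2 endpoint pattern, and passes the secret as a SecureString via the provider's -SecurePassword parameter rather than as plain text on the command line. Assumptions: the Cloud Connector's zone is named cn-north-1-connectors, Get-ConfigEdgeServer objects expose ZoneName and ZoneUid, and the endpoint allow-list regex is this example's choice, not Citrix's.

```powershell
# Added example (not from the Citrix page): create an AWS hosting connection on a non-standard
# EC2 service endpoint, with the zone lookup and credential handling done in code.
asnp citrix*
Get-XDAuthentication

$zoneName    = 'cn-north-1-connectors'                  # assumed zone name of the Cloud Connector
$connName    = 'AWS China (cn-north-1)'
$endpoint    = 'https://ec2.cn-north-1.amazonaws.com.cn'
$useRoleAuth = $true                                    # $false = authenticate with IAM access keys

# Accept only HTTPS EC2 endpoints in the AWS partitions we expect to talk to; the URL cannot be
# changed after the connection exists, so a typo here means recreating the connection.
if ($endpoint -notmatch '^https://ec2(\.[a-z0-9-]+)?\.amazonaws\.com(\.cn)?/?$') {
    throw "Refusing unexpected service endpoint: $endpoint"
}

# ZoneName/ZoneUid on the edge server objects is an assumption based on step 3 above.
$connector = Get-ConfigEdgeServer | Where-Object { $_.ZoneName -eq $zoneName } | Select-Object -First 1
if (-not $connector) { throw "No Cloud Connector found in zone '$zoneName'" }

if ($useRoleAuth) {
    # role_based_auth in both fields makes MCS use the Connector's IAM instance role.
    $user   = 'role_based_auth'
    $secret = ConvertTo-SecureString 'role_based_auth' -AsPlainText -Force
} else {
    $cred   = Get-Credential -Message 'AWS access key ID (user name) and secret access key (password)'
    $user   = $cred.UserName
    $secret = $cred.Password
}

$hyp = New-Item -Path xdhyp:\Connections -ZoneUid $connector.ZoneUid -Name $connName `
    -ConnectionType 'AWS' -HypervisorAddress @($endpoint) `
    -UserName $user -SecurePassword $secret -Persist
New-BrokerHypervisorConnection -HypHypervisorConnectionUid $hyp.HypervisorConnectionUid

# Confirm which endpoint the connection stored.
(Get-Item "xdhyp:\Connections\$connName").HypervisorAddress
```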

Defining IAM permissions

Use the information in this section to define IAM permissions for Citrix DaaS on AWS. Amazon's IAM service allows an account to have multiple users, which can be organized into groups. Each user can be granted different permissions that control the operations it can perform in the account. For more information about IAM permissions, see IAM JSON policy reference.

To apply IAM permissions policy to a new group of users:

  1. Log in to the AWS Management Console and select the IAM service from the drop-down list.
  2. Select Create a New Group of Users.
  3. Type a name for the new user group and select Continue.
  4. On the Permissions page, choose Custom Policy, then Select.
  5. Type a name for the permissions policy.
  6. In the Policy Document section, enter the relevant permissions.

After entering the policy information, select Continue to complete the group of users. Users in the group are granted permissions to perform only those actions that are required for Citrix DaaS.

Important:

The example policy text lists the actions that Citrix DaaS performs in an AWS account without restricting those actions to specific resources. Citrix recommends using it for testing purposes only. For production environments, add resource-level restrictions (see the notes under Minimal IAM permissions policy).

Adding IAM permissions

Set the permissions in the IAM section of the AWS Management Console:

  1. In the Summary panel, select the Permissions tab.
  2. Select Add permissions.

In the Add Permissions to screen, grant permissions. (Screenshot: Grant permissions for IAM policies.)

Use the following as an example in the JSON tab. (Screenshot: JSON example. For the policy text, see About AWS permissions and Minimal IAM permissions policy below.)

Tip:

The JSON example might not include all the permissions for your environment. See How to Define Identity Access Management Permissions Running Citrix Virtual Apps and Desktops on AWS for more information.

About AWS permissions

This section lists the AWS permissions that each feature requires. Grant the complete set for a feature for it to work correctly.

Note:

The iam:PassRole permission is needed only for role_based_auth.

Creating a host connection

A new host connection is added using the information obtained from AWS.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Power management of VMs

Machine instances are powered on or off.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachVolume", "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:DescribeInstances",
        "ec2:DescribeVolumes", "ec2:DetachVolume", "ec2:StartInstances", "ec2:StopInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Creating, updating, or deleting VMs

A machine catalog is created, updated, or deleted with VMs provisioned as AWS instances.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachVolume", "ec2:AssociateIamInstanceProfile", "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateImage", "ec2:CreateLaunchTemplate",
        "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones",
        "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeImages", "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags",
        "ec2:DescribeSpotInstanceRequests", "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstanceAttribute", "ec2:DescribeElasticGpus", "ec2:GetLaunchTemplateData",
        "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:DisassociateIamInstanceProfile",
        "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketAcl", "s3:PutBucketTagging",
        "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::citrix*"
    },
    {
      "Action": [
        "ebs:StartSnapshot", "ebs:GetSnapshotBlock", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot",
        "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ec2:CreateSnapshot"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note:

  • The EC2 statement for security groups is needed only if an isolation security group must be created for the preparation VM during catalog creation. After that, these permissions are not required.
  • Use the ec2:CreateNetworkInterface and ec2:DeleteNetworkInterface permissions only if you are using the volume worker method.

Direct disk upload and download

Direct disk upload eliminates the volume worker requirement for machine catalog provisioning, and instead uses public APIs provided by AWS. This functionality reduces the cost associated with extra storage accounts and the complexity for maintaining volume worker operations.

The following permissions must be added to the policy:

  • ebs:StartSnapshot
  • ebs:GetSnapshotBlock
  • ebs:PutSnapshotBlock
  • ebs:CompleteSnapshot
  • ebs:ListSnapshotBlocks
  • ebs:ListChangedBlocks
  • ec2:CreateSnapshot
  • ec2:DescribeLaunchTemplates

Important:

  • You can add new VMs to existing machine catalogs without any volume worker operation (no volume worker AMI or volume worker VM is needed).
  • If you delete an existing catalog that previously used the volume worker, all artifacts, including those related to the volume worker, are deleted.

EBS encryption of created volumes

EBS can automatically encrypt newly created volumes if the AMI is encrypted or if EBS is configured to encrypt all new volumes. For this to work, the IAM policy must include the following permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GenerateDataKey", "kms:ReEncryptTo", "kms:ReEncryptFrom"
      ],
      "Resource": "*"
    }
  ]
}

Note:

The permissions can be limited to specific keys by adding a Resource and a Condition block. For example, KMS permissions with a condition (the kms:GrantIsForAWSResource key allows CreateGrant only for grants that an AWS service such as EC2 creates on the principal's behalf; AWS documents this key for the CreateGrant, ListGrants and RevokeGrant operations, and AWS's own EBS examples place the condition in a separate statement that contains only kms:CreateGrant so that Decrypt and the GenerateDataKey actions are not affected by it):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GenerateDataKey", "kms:ReEncryptTo", "kms:ReEncryptFrom"
      ],
      "Resource": [
        "arn:aws:kms:us-east-2:123456789012:key/abcd1234-a123-456d-a12b-a123b4cd56ef"
      ],
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": true }
      }
    }
  ]
}

The following key policy statement is the part of the default KMS key policy that allows the account to use IAM policies to delegate permission for all actions (kms:*) on the KMS key. Without this statement in the key policy, the IAM permissions above have no effect on the key.

{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
  "Action": "kms:*",
  "Resource": "*"
}

For more information, see the AWS Key Management Service official documentation.

IAM role-based authentication

The following permission is required to support role-based authentication.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*" } ] } 

Minimal IAM permissions policy

The following JSON can be used for all currently supported features. With this policy you can create host connections; create, update, or delete VMs; and perform power management. Apply the policy to users as explained in Defining IAM permissions, or use role-based authentication with role_based_auth as both the API key and the secret key.

Important:

To use role_based_auth, first attach the required IAM role to the Cloud Connector EC2 instance when you set up the Cloud Connector. Then, in Citrix Studio, add the hosting connection and enter role_based_auth as both the authentication key and the secret. A hosting connection with these settings uses the instance role instead of stored access keys.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachVolume", "ec2:AssociateIamInstanceProfile", "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateImage", "ec2:CreateLaunchTemplate",
        "ec2:CreateNetworkInterface", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteLaunchTemplate",
        "ec2:DeleteNetworkInterface", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteTags",
        "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones", "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeImages",
        "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags",
        "ec2:DescribeSpotInstanceRequests", "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstanceAttribute", "ec2:DescribeElasticGpus", "ec2:GetLaunchTemplateData",
        "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:DisassociateIamInstanceProfile",
        "ec2:RebootInstances", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:GetObject", "s3:PutBucketAcl",
        "s3:PutObject", "s3:PutBucketTagging", "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::citrix*"
    },
    {
      "Action": [
        "ebs:StartSnapshot", "ebs:GetSnapshotBlock", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot",
        "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ec2:CreateSnapshot"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GenerateDataKey", "kms:ReEncryptTo", "kms:ReEncryptFrom"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/*"
    }
  ]
}

Note:

  • The EC2 statement for security groups is needed only if an isolation security group must be created for the preparation VM during catalog creation. After that, these permissions are not required.
  • The KMS statement is required only when using EBS volume encryption.
  • The iam:PassRole statement is needed only for role_based_auth. Because iam:PassRole lets the principal hand a role to EC2 instances, scope its Resource to the specific roles that MCS must pass rather than arn:aws:iam::*:role/*.
  • Specific resource-level permissions can be granted instead of full access, based on your requirements and environment. See the AWS documents Demystifying EC2 Resource-Level Permissions and Access management for AWS resources for more details.
  • Use the ec2:CreateNetworkInterface and ec2:DeleteNetworkInterface permissions only if you are using the volume worker method.
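An added PowerShell example (not from the Citrix page or SDK) that audits the Minimal IAM permissions policy above the way a reviewer would before attaching it: it checks that the per-feature action lists from About AWS permissions (host connection, power management, direct disk upload, role_based_auth) are all granted, and it flags Allow statements that grant state-changing actions on an unscoped resource (Resource "*" or an ARN with a wildcard account ID), which are the statements the notes above say to tighten. The policy JSON and the action lists are copied from this page; the catalog-creation fragment is omitted because it is a subset of the consolidated policy; the checking logic and the Describe/Get/List read-only heuristic are this example's own.

```powershell
# Added example (not from the Citrix page): review the consolidated policy for coverage and scope.
$json = @'
{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Resource": "*", "Action": [
  "ec2:AttachVolume", "ec2:AssociateIamInstanceProfile", "ec2:AuthorizeSecurityGroupEgress",
  "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateImage", "ec2:CreateLaunchTemplate",
  "ec2:CreateNetworkInterface", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteLaunchTemplate",
  "ec2:DeleteNetworkInterface", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteTags",
  "ec2:DeleteVolume", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes",
  "ec2:DescribeAvailabilityZones", "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeImages",
  "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeLaunchTemplates",
  "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions",
  "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags",
  "ec2:DescribeSpotInstanceRequests", "ec2:DescribeInstanceCreditSpecifications",
  "ec2:DescribeInstanceAttribute", "ec2:DescribeElasticGpus", "ec2:GetLaunchTemplateData",
  "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:DisassociateIamInstanceProfile",
  "ec2:RebootInstances", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
  "ec2:TerminateInstances"]},
 {"Effect": "Allow", "Resource": "*", "Action": [
  "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup",
  "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress"]},
 {"Effect": "Allow", "Resource": "arn:aws:s3:::citrix*", "Action": [
  "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:GetObject", "s3:PutBucketAcl",
  "s3:PutObject", "s3:PutBucketTagging", "s3:PutObjectTagging"]},
 {"Effect": "Allow", "Resource": "*", "Action": [
  "ebs:StartSnapshot", "ebs:GetSnapshotBlock", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot",
  "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ec2:CreateSnapshot"]},
 {"Effect": "Allow", "Resource": "*", "Action": [
  "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext",
  "kms:GenerateDataKey", "kms:ReEncryptTo", "kms:ReEncryptFrom"]},
 {"Effect": "Allow", "Resource": "arn:aws:iam::*:role/*", "Action": "iam:PassRole"}
]}
'@
$policy = $json | ConvertFrom-Json

# Per-feature requirements from "About AWS permissions" (catalog creation omitted: it is a subset).
$required = @{
    'host connection'    = @('ec2:DescribeAvailabilityZones', 'ec2:DescribeImages', 'ec2:DescribeInstances',
                             'ec2:DescribeInstanceTypes', 'ec2:DescribeSecurityGroups', 'ec2:DescribeSubnets',
                             'ec2:DescribeVpcs')
    'power management'   = @('ec2:AttachVolume', 'ec2:CreateVolume', 'ec2:DeleteVolume', 'ec2:DescribeInstances',
                             'ec2:DescribeVolumes', 'ec2:DetachVolume', 'ec2:StartInstances', 'ec2:StopInstances')
    'direct disk upload' = @('ebs:StartSnapshot', 'ebs:GetSnapshotBlock', 'ebs:PutSnapshotBlock',
                             'ebs:CompleteSnapshot', 'ebs:ListSnapshotBlocks', 'ebs:ListChangedBlocks',
                             'ec2:CreateSnapshot', 'ec2:DescribeLaunchTemplates')
    'role_based_auth'    = @('iam:PassRole')
}

function Test-ActionAllowed {
    param([string]$Action, $Policy)
    foreach ($stmt in $Policy.Statement) {
        if ($stmt.Effect -ne 'Allow') { continue }
        # -like is case-insensitive and honours * and ?, which is how IAM matches action strings.
        foreach ($pattern in @($stmt.Action)) { if ($Action -like $pattern) { return $true } }
    }
    return $false
}

function Test-UnscopedResource {
    param([string]$Resource)
    if ($Resource -eq '*') { return $true }
    # arn:partition:service:region:account:resource -- a wildcard account ID is as broad as '*'.
    $parts = $Resource -split ':'
    return ($parts.Count -ge 6 -and $parts[4] -eq '*')
}

function Get-UnscopedMutatingStatements {
    param($Policy)
    $i = 0
    foreach ($stmt in $Policy.Statement) {
        $broad = @($stmt.Resource) | Where-Object { Test-UnscopedResource $_ }
        if ($stmt.Effect -eq 'Allow' -and $broad) {
            # Heuristic: anything that is not a Describe/Get/List call can change state in the account.
            $mutating = @($stmt.Action) | Where-Object { ($_ -split ':', 2)[1] -notmatch '^(Describe|Get|List)' }
            if ($mutating) { [pscustomobject]@{ Statement = $i; Mutating = @($mutating) } }
        }
        $i++
    }
}

# 1. Every per-feature action must be granted by the consolidated policy.
foreach ($feature in $required.Keys) {
    $missing = @($required[$feature] | Where-Object { -not (Test-ActionAllowed $_ $policy) })
    $state = if ($missing.Count -eq 0) { 'OK' } else { 'missing ' + ($missing -join ', ') }
    '{0}: {1}' -f $feature, $state
}

# 2. Statements granting state-changing actions on an unscoped resource are the ones to tighten with
#    resource ARNs or conditions; the iam:PassRole statement on role/* is the usual first fix.
Get-UnscopedMutatingStatements $policy | ForEach-Object {
    'statement {0}: {1} mutating action(s) on an unscoped resource, e.g. {2}' -f $_.Statement, $_.Mutating.Count, $_.Mutating[0]
}
```

Run against the policy as printed, the coverage check reports OK for all four features; the scope check flags the EC2, security-group, EBS, KMS and PassRole statements and leaves the S3 statement alone, because its Resource is already limited to arn:aws:s3:::citrix*. Re-run the script after you narrow a statement to confirm that the feature it serves still has every action it needs.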
