Citrix DaaS

Connection to Google cloud environments

Create and manage connections describes the wizards that create a connection. The following information covers details specific to Google Cloud environments.

Note:

Before creating a connection to Google Cloud environments, you must first finish setting up your Google Cloud account as a resource location. See Google Cloud environments.

Add a connection

In the Full Configuration interface, follow the guidance in Create a connection and resources. The following description guides you through setting up a hosting connection:

  1. From Manage > Full Configuration, select Hosting in the left pane.

  2. Select Add Connection and Resources in the action bar.

  3. On the Connection page, select Create a new Connection and Citrix provisioning tools, and then select Next.

    • Zone name. Select a zone (equivalent to a resource location) where you want your host resources to reside. Zones are created automatically when you create a resource location and add a Cloud Connector to it. For more information, see Zones.
    • Connection type. Select Google Cloud from the menu.
    • Service account key. Import the key contained in your Google credential file (.json). To do so, locate your credential file, open it with Notepad (or any text editor), and copy the content. Then return to the Connection page, select Import key, paste the content, and select Save.
    • Service account ID. The field is populated automatically from the imported key.
    • Connection name. Type a name for the connection.
    • Route traffic through Citrix Cloud Connectors. To route the API requests through an available Citrix Cloud Connector, select this check box. You can also select the Enable Google Cloud Build to use private pools check box for an additional layer of security.

      Alternatively, you can enable this feature using PowerShell. For more information, see Create a secure environment for GCP-managed traffic.

    Note:

    • This feature is being rolled out in phases. It might not be activated for your account.
    • This option is available only when there are active Citrix Cloud Connectors in your deployment. Currently, this feature is not supported for Connector Appliances.
  4. On the Region page, select a project name from the menu, select a region containing the resources you want to use, and then select Next.

  5. On the Network page, type a name for the resources, select a virtual network from the menu, select a subnet, and then select Next. The resource name helps identify the region and network combination. Virtual networks with the (Shared) suffix appended to their name represent shared VPCs. If you configure a subnet-level IAM role for a shared VPC, only the specific subnets of the shared VPC that the role grants access to appear in the subnet list.

    Note:

    • The resource name can contain 1–64 characters. It cannot consist only of blank spaces, and it cannot contain any of the characters \ / ; : # . * ? = < > | [ ] { } " ' ( ) ' ).
  6. On the Summary page, confirm the information and then select Finish to exit the Add Connection and Resources window.

After you create the connection and resources, they are listed under Hosting. To configure the connection, select it and then select the applicable option in the action bar.

Similarly, you can delete, rename, or test the resources created under the connection. To do so, select the resource under the connection and then select the applicable option in the action bar.

Service endpoint URLs

You must have access to the following URLs:

  • https://oauth2.googleapis.com
  • https://cloudresourcemanager.googleapis.com
  • https://compute.googleapis.com
  • https://storage.googleapis.com
  • https://cloudbuild.googleapis.com
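A quick way to confirm that a Cloud Connector host can actually reach these endpoints, as an added example that is not part of the Citrix documentation: the script resolves each host name, attempts a TCP connection on port 443, and flags whether the name resolved into the private.googleapis.com VIP range (199.36.153.8/30), which is what you expect once the private DNS zones described later on this page are in place. The endpoint list is the one above; nothing else is assumed.

```powershell
# Added example (not part of the Citrix documentation): check from a Cloud Connector
# host that each Google API endpoint the hosting connection depends on resolves in
# DNS and accepts a TCP connection on port 443.
$Endpoints = @(
    'https://oauth2.googleapis.com',
    'https://cloudresourcemanager.googleapis.com',
    'https://compute.googleapis.com',
    'https://storage.googleapis.com',
    'https://cloudbuild.googleapis.com'
)

function Test-GcpEndpoint {
    param([Parameter(Mandatory)][string]$Url)

    $hostName = ([System.Uri]$Url).Host
    $resolved = 'unresolved'
    try {
        $resolved = ([System.Net.Dns]::GetHostAddresses($hostName) |
            Select-Object -First 1).IPAddressToString
    } catch { }

    # TCP reachability only; a proxy or TLS-inspecting device can still break the session.
    $tcpOk = Test-NetConnection -ComputerName $hostName -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # With private Google access and the private.googleapis.com DNS zone configured,
    # these names resolve into 199.36.153.8/30 instead of public addresses.
    $privateVip = $resolved -match '^199\.36\.153\.(8|9|10|11)$'

    [pscustomobject]@{
        Endpoint   = $Url
        ResolvedIp = $resolved
        PrivateVip = $privateVip
        Tcp443     = [bool]$tcpOk
    }
}

$results = $Endpoints | ForEach-Object { Test-GcpEndpoint -Url $_ }
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Tcp443 })
if ($blocked.Count -gt 0) {
    Write-Warning ("Unreachable endpoints: " + ($blocked.Endpoint -join ', '))
    exit 1
}
```

Run it on each Cloud Connector in the zone, not just one, since the connectors are selected dynamically when traffic is routed through them. A row showing Tcp443 = True but PrivateVip = False in an environment that is supposed to be restricted to private Google access means the DNS zones are not being consulted by that host.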

Google Cloud projects

There are two types of Google Cloud projects:

  • Provisioning project: In this case, the current admin account owns the provisioned machines in the project. This project is also referred to as a local project.
  • Shared VPC project: Machines created in the provisioning project use the VPC from the Shared VPC project. The admin account used for the provisioning project has limited permissions in this project, specifically only the permission to use the VPC.

Create a secure environment for GCP managed traffic

You can restrict your Google Cloud projects to private Google access only. This implementation enhances security when handling sensitive data. To do this:

  1. Install Cloud Connectors in the VPC where you want to enforce VPC Service Controls. See VPC Service Controls for more information.
  2. Add ProxyHypervisorTrafficThroughConnector to CustomProperties in the case of a Citrix Cloud deployment. If you are using a private worker pool, also add UsePrivateWorkerPool to CustomProperties. For information on the private worker pool, see Private pools overview.

Note:

Currently, this feature is not supported for Connector Appliances.

Requirements to create a secure environment for GCP managed traffic

The requirements to create a secure environment for GCP managed traffic are:

  • Ensure that the hosting connection is in maintenance mode when updating the custom properties.
  • To use private worker pools, the following changes are required:
    • For Citrix Cloud Service Account, add the following IAM roles:
      • Cloud Build Service Account
      • Compute Instance Admin
      • Service Account User
      • Service Account Token Creator
      • Cloud Build WorkerPool Owner
    • Create the Citrix Cloud Service Account in the same project that you use for creating a hosting connection.
    • Set up DNS zones for private.googleapis.com and gcr.io as described in DNS configuration.

      (Image: DNS zones for private-googleapis-com)

      (Image: DNS zones for gcr.io)

    • Set up private Network Address Translation (NAT) or use Private Service Connect. For more information, see Access Google APIs through endpoints.

      (Image: Private Service Connect)

    • If using a peered VPC, create a Cloud DNS zone peering to the peered VPC. For more information, see Create a peering zone.

      (Image: Create a peering zone)

    • In VPC Service Controls, set up egress rules so that the APIs and VMs can talk to the internet. Ingress rules are optional. For example:

      Egress Rule 1
        From: Identities: ANY_IDENTITY
        To:   Projects = All projects
              Service = Service name: All services

Enable the proxy

To enable the proxy, set the custom properties as follows on the host connection:

  1. Open a PowerShell window from the Delivery Controller host or use the Remote PowerShell SDK. For more information on the Remote PowerShell SDK, see SDKs and APIs.
  2. Run the following commands:

    1. Add-PSSnapin citrix*
    2. cd XDHyp:\Connections\
    3. dir
  3. Copy the CustomProperties from the connection to Notepad.
  4. Append the property setting as follows:

    • In case of a cloud deployment (using public pools): Append the property setting ProxyHypervisorTrafficThroughConnector to the CustomProperties to enable the proxy.

      Allow an ingress rule for the Cloud Build Service Account in the VPC service perimeter. For example:

      Ingress Rule 1
        From: Identities: @cloudbuild.gserviceaccount.com
              Source > All sources allowed
        To:   Projects = All projects
              Services = Service name: All services

      For information on the VPC service perimeter, see Service perimeter details and configuration.

    • In case of a private worker pool in a cloud deployment: Append the property settings ProxyHypervisorTrafficThroughConnector and UsePrivateWorkerPool to the CustomProperties to enable the proxy.
  5. In the PowerShell window, assign a variable to the modified custom properties. For example: $customProperty = ''.
  6. Run $gcpServiceAccount = "".
  7. Run $gcpPrivateKey = "".
  8. Run $securePassword = ConvertTo-SecureString $gcpPrivateKey -AsPlainText -Force.
  9. Run the following to update an existing host connection:

    Set-Item -PassThru -Path @('XDHyp:\\Connections\\') -SecurePassword $securePassword -UserName $gcpServiceAccount -CustomProperties $customProperty 
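The nine steps above as one script, added here as an example that is not part of the Citrix documentation. It differs from the manual procedure in three defender-relevant ways: the service account email and private key are read from the Google credential (.json) file (its client_email and private_key fields) rather than pasted into the console, where they would land in the PowerShell history; the script refuses to run unless the hosting connection is already in maintenance mode, which the requirements section above calls for; and the property is added through the XML parser instead of by hand-editing, so an existing entry is updated rather than duplicated. Assumptions: the connection name and key file path are placeholders, the Broker SDK's MaintenanceMode attribute is assumed to be available on the connection, and the Property element shape and the value "True" are assumed, so compare them with what dir XDHyp:\Connections\ shows for an existing connection before running this.

```powershell
# Added example (not part of the Citrix documentation): enable the proxy on a GCP
# hosting connection. Connection name and key file path are placeholders; the
# Property element shape below is an assumption, check it against your connection.
param(
    [string]$ConnectionName = 'MyGcpConnection',       # placeholder
    [string]$KeyFile        = 'C:\secure\gcp-sa.json', # placeholder
    [switch]$PrivateWorkerPool                         # also set UsePrivateWorkerPool
)
$ErrorActionPreference = 'Stop'
Add-PSSnapin citrix*

$path = "XDHyp:\Connections\$ConnectionName"
$conn = Get-Item -Path $path

# Requirement from the page: update custom properties only while the connection
# is in maintenance mode (assumes the Broker SDK exposes MaintenanceMode).
$broker = Get-BrokerHypervisorConnection -Name $ConnectionName
if (-not $broker.MaintenanceMode) {
    throw "Hosting connection '$ConnectionName' is not in maintenance mode."
}

# Credentials come from the key file; client_email and private_key are standard
# fields of a Google service account key. The plaintext object is dropped as soon
# as the SecureString exists.
$key = Get-Content -Path $KeyFile -Raw | ConvertFrom-Json
$gcpServiceAccount = $key.client_email
$securePassword    = ConvertTo-SecureString $key.private_key -AsPlainText -Force
Remove-Variable key

function Set-CustomProperty {
    param([xml]$Doc, [string]$Name, [string]$Value)
    $root = $Doc.DocumentElement
    $existing = @($root.ChildNodes |
        Where-Object { $_ -is [System.Xml.XmlElement] -and $_.GetAttribute('Name') -eq $Name })
    if ($existing.Count -gt 0) {
        # Update in place rather than appending a duplicate entry.
        $existing[0].SetAttribute('Value', $Value)
        return
    }
    # Assumed element shape: <Property xsi:type="StringProperty" Name="..." Value="..."/>
    $el = $Doc.CreateElement('Property', $root.NamespaceURI)
    $el.SetAttribute('type', 'http://www.w3.org/2001/XMLSchema-instance', 'StringProperty') | Out-Null
    $el.SetAttribute('Name', $Name)
    $el.SetAttribute('Value', $Value)
    $root.AppendChild($el) | Out-Null
}

[xml]$props = $conn.CustomProperties
Set-CustomProperty -Doc $props -Name 'ProxyHypervisorTrafficThroughConnector' -Value 'True'
if ($PrivateWorkerPool) {
    Set-CustomProperty -Doc $props -Name 'UsePrivateWorkerPool' -Value 'True'
}
$customProperty = $props.OuterXml

# Step 9 from the page: update the existing host connection.
Set-Item -PassThru -Path @($path) -SecurePassword $securePassword `
    -UserName $gcpServiceAccount -CustomProperties $customProperty
```

Run it as .\Enable-GcpProxy.ps1 -ConnectionName <name> -KeyFile <path> [-PrivateWorkerPool]. Take the connection out of maintenance mode afterwards and use the Test option in the action bar to confirm the connection still authenticates; the key file itself should be stored with restrictive ACLs and removed from the Delivery Controller once the connection is updated.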

About GCP permissions

This section has the complete list of GCP permissions. Use the complete set of permissions as given in the section for the functionality to work correctly.

Creating a host connection

  • Minimum permissions required for Citrix Cloud Service Account in Provisioning project:

    compute.instanceTemplates.list
    compute.instances.list
    compute.networks.list
    compute.projects.get
    compute.regions.list
    compute.subnetworks.list
    compute.zones.list
    resourcemanager.projects.get

    The following Google defined roles have the permissions as listed above:

    • Compute Admin
    • Cloud Datastore User
  • Additional permissions required for Citrix Cloud Service Account in Shared VPC project:

    compute.networks.list
    compute.subnetworks.list
    resourcemanager.projects.get

    The following Google defined roles have the permissions as listed above:

    • Compute Network User
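An audit script, added here as an example that is not part of the Citrix documentation: it expands the IAM roles bound to the service account in the provisioning project with the gcloud CLI (gcloud projects get-iam-policy and gcloud iam roles describe) and reports which of the minimum permissions listed above for creating a host connection are missing. The project ID and service account email are placeholders; to audit one of the other sections on this page, replace the contents of $Required with that section's list.

```powershell
# Added example (not part of the Citrix documentation): verify that a service
# account holds every permission the page lists as the minimum for creating a
# host connection. Project ID and service account email are placeholders.
param(
    [string]$ProjectId      = 'my-provisioning-project',                                 # placeholder
    [string]$ServiceAccount = 'citrix-mcs@my-provisioning-project.iam.gserviceaccount.com' # placeholder
)
$ErrorActionPreference = 'Stop'

# Minimum permissions for "Creating a host connection" (from the page).
$Required = @(
    'compute.instanceTemplates.list', 'compute.instances.list', 'compute.networks.list',
    'compute.projects.get', 'compute.regions.list', 'compute.subnetworks.list',
    'compute.zones.list', 'resourcemanager.projects.get'
)

function Get-MemberRoles {
    param([string]$Project, [string]$Member)
    # Only bindings set directly on the project are returned; roles inherited from a
    # folder or organization do not appear here and must be audited at that level.
    $policy = gcloud projects get-iam-policy $Project --format=json | ConvertFrom-Json
    foreach ($b in $policy.bindings) {
        if ($b.members -contains "serviceAccount:$Member") {
            if ($b.condition) {
                Write-Warning "Binding for $($b.role) is conditional; counted as granted"
            }
            $b.role
        }
    }
}

function Get-RolePermissions {
    param([string]$Role)
    # Predefined roles (roles/...) are global; custom roles live under a project or organization.
    if ($Role -match '^projects/([^/]+)/roles/(.+)$') {
        $json = gcloud iam roles describe $Matches[2] --project $Matches[1] --format=json
    } elseif ($Role -match '^organizations/([^/]+)/roles/(.+)$') {
        $json = gcloud iam roles describe $Matches[2] --organization $Matches[1] --format=json
    } else {
        $json = gcloud iam roles describe $Role --format=json
    }
    ($json | ConvertFrom-Json).includedPermissions
}

$roles = @(Get-MemberRoles -Project $ProjectId -Member $ServiceAccount)
if ($roles.Count -eq 0) {
    throw "No project-level bindings found for $ServiceAccount in $ProjectId"
}

$granted = $roles | ForEach-Object { Get-RolePermissions -Role $_ } | Sort-Object -Unique
$missing = @($Required | Where-Object { $granted -notcontains $_ })

"Roles bound: $($roles -join ', ')"
if ($missing.Count -eq 0) {
    "OK: all $($Required.Count) required permissions are granted."
} else {
    Write-Warning ("Missing permissions: " + ($missing -join ', '))
    exit 1
}
```

The predefined roles the page names (Compute Admin, Cloud Datastore User) cover these permissions but grant far more; the same script lets you confirm that a narrower custom role built from exactly the listed permissions is sufficient before you remove the broader binding.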

Power management of VMs

Minimum permissions required for Citrix Cloud Service Account in Provisioning project:

compute.instanceTemplates.list
compute.instances.list compute.instances.get compute.instances.reset compute.instances.resume compute.instances.start compute.instances.stop compute.instances.suspend
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.list
compute.zones.list
resourcemanager.projects.get

The following Google defined roles have the permissions as listed above:

  • Compute Admin
  • Cloud Datastore User

Creating, updating, or deleting VMs

  • Minimum permissions required for Citrix Cloud Service Account in Provisioning project:

    cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list
    compute.acceleratorTypes.list
    compute.diskTypes.get compute.diskTypes.list
    compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.use compute.disks.useReadOnly
    compute.firewalls.create compute.firewalls.delete compute.firewalls.list
    compute.globalOperations.get
    compute.images.create compute.images.delete compute.images.get compute.images.list compute.images.setLabels compute.images.useReadOnly
    compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.list compute.instanceTemplates.useReadOnly
    compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.list compute.instances.reset compute.instances.resume compute.instances.setDeletionProtection compute.instances.setLabels compute.instances.setMetadata compute.instances.setServiceAccount compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.suspend
    compute.machineTypes.get compute.machineTypes.list
    compute.networks.list compute.networks.updatePolicy
    compute.nodeGroups.list
    compute.nodeTemplates.get
    compute.projects.get
    compute.regions.list
    compute.snapshots.create compute.snapshots.delete compute.snapshots.list compute.snapshots.setLabels compute.snapshots.useReadOnly
    compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use
    compute.zoneOperations.get compute.zoneOperations.list
    compute.zones.get compute.zones.list
    iam.serviceAccounts.actAs
    resourcemanager.projects.get
    storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
    storage.objects.create storage.objects.delete storage.objects.get storage.objects.list

    The following Google defined roles have the permissions as listed above:

    • Compute Admin
    • Storage Admin
    • Cloud Build Editor
    • Service Account User
    • Cloud Datastore User
  • Additional permissions required for Citrix Cloud Service Account in Shared VPC project to create a hosting unit using the VPC and subnetwork from the Shared VPC project:

    compute.firewalls.list
    compute.networks.list
    compute.projects.get
    compute.regions.list
    compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use
    compute.zones.list
    resourcemanager.projects.get

    The following Google defined roles have the permissions as listed above:

    • Compute Network User
    • Cloud Datastore User
  • Minimum permissions required for Cloud Build Service Account in Provisioning project, needed by the Google Cloud Build service when downloading the preparation instruction disk to MCS:

    compute.disks.create compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels compute.disks.use compute.disks.useReadOnly
    compute.images.get compute.images.list compute.images.useReadOnly
    compute.instances.create compute.instances.delete compute.instances.get compute.instances.getSerialPortOutput compute.instances.list compute.instances.setLabels compute.instances.setMetadata compute.instances.setServiceAccount
    compute.machineTypes.list
    compute.networks.get compute.networks.list
    compute.projects.get
    compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp
    compute.zoneOperations.get
    compute.zones.list
    iam.serviceAccounts.actAs
    logging.logEntries.create
    pubsub.topics.publish
    resourcemanager.projects.get
    source.repos.get source.repos.list
    storage.buckets.create storage.buckets.get storage.buckets.list
    storage.objects.create storage.objects.delete storage.objects.get storage.objects.list

    The following Google defined roles have the permissions as listed above:

    • Cloud Build Service Account
    • Compute Instance Admin
    • Service Account User
  • Minimum permissions required for Cloud Compute Service Account in Provisioning project, needed by the Google Cloud Build service when downloading the preparation instruction disk to MCS:

    resourcemanager.projects.get
    storage.objects.create storage.objects.get storage.objects.list

    The following Google defined roles have the permissions as listed above:

    • Compute Network User
    • Storage Account User
    • Cloud Datastore User
  • Additional permissions required for Cloud Build Service Account in Provisioning project when a Shared VPC is used, needed by the Google Cloud Build service when downloading the preparation instruction disk to MCS:

    compute.firewalls.list
    compute.networks.list
    compute.subnetworks.list compute.subnetworks.use
    resourcemanager.projects.get

    The following Google defined roles have the permissions as listed above:

    • Compute Network User
    • Storage Account User
    • Cloud Datastore User
  • Additional permissions required for Cloud Key Management Service (KMS) for Citrix Cloud Service Account in Provisioning project:

    cloudkms.cryptoKeys.get cloudkms.cryptoKeys.list
    cloudkms.keyRings.get cloudkms.keyRings.list

    The following Google defined roles have the permissions as listed above:

    • Compute KMS Viewer

General permissions

The following are the permissions for the Citrix Cloud Service Account in the Provisioning project for all features supported in MCS. Granting this set provides the best compatibility going forward:

resourcemanager.projects.get
cloudbuild.builds.create cloudbuild.builds.get cloudbuild.builds.list
compute.acceleratorTypes.list
compute.diskTypes.get compute.diskTypes.list
compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.get compute.disks.setLabels compute.disks.use compute.disks.useReadOnly
compute.firewalls.create compute.firewalls.delete compute.firewalls.list
compute.globalOperations.get
compute.images.create compute.images.delete compute.images.get compute.images.list compute.images.setLabels compute.images.useReadOnly
compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.list compute.instanceTemplates.useReadOnly
compute.instances.attachDisk compute.instances.create compute.instances.delete compute.instances.detachDisk compute.instances.get compute.instances.list compute.instances.reset compute.instances.resume compute.instances.setDeletionProtection compute.instances.setLabels compute.instances.setMetadata compute.instances.setTags compute.instances.start compute.instances.stop compute.instances.suspend compute.instances.update compute.instances.updateAccessConfig compute.instances.updateDisplayDevice compute.instances.updateSecurity compute.instances.updateShieldedInstanceConfig compute.instances.updateShieldedVmConfig
compute.machineTypes.get compute.machineTypes.list
compute.networks.list compute.networks.updatePolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.projects.get
compute.regions.list
compute.snapshots.create compute.snapshots.delete compute.snapshots.list compute.snapshots.setLabels compute.snapshots.useReadOnly
compute.subnetworks.get compute.subnetworks.list compute.subnetworks.use compute.subnetworks.useExternalIp
compute.zoneOperations.get compute.zoneOperations.list
compute.zones.get compute.zones.list
storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update
storage.objects.create storage.objects.delete storage.objects.get storage.objects.list
cloudkms.cryptoKeys.get cloudkms.cryptoKeys.list
cloudkms.keyRings.get cloudkms.keyRings.list
