AWS cloud environments

This article walks you through setting up your Amazon Web Services (AWS) account as a resource location you can use with Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). The resource location includes a basic set of components, ideal for a proof-of-concept, or other deployment that does not require resources spread over multiple availability zones. After you complete these tasks, you can install VDAs, provision machines, create machine catalogs, and create Delivery Groups.

When you complete the tasks in this article, your resource location includes the following components:

  • A virtual private cloud (VPC) with public and private subnets inside a single availability zone.
  • An instance that runs as both an Active Directory domain controller and DNS server, located in the private subnet of the VPC.
  • Two domain-joined instances on which the Citrix Cloud Connector is installed, located in the private subnet of the VPC.
  • An instance that acts as a bastion host, located in the public subnet of your VPC. This instance is used to initiate RDP connections to the instances in the private subnet for administration purposes. After you finish setting up your resource location, you can shut down this instance so it is no longer readily accessible. When you must manage other instances in the private subnet, such as VDA instances, you can restart the bastion host instance.

Task overview

Set up a virtual private cloud (VPC) with public and private subnets. When you complete this task, AWS deploys a NAT instance with an Elastic IP address in the public subnet. This enables instances in the private subnet to access the Internet. Instances in the public subnet are accessible to inbound public traffic while instances in the private subnet are not.

Configure security groups. Security groups act as virtual firewalls that control traffic for the instances in your VPC. You add rules to your security groups that allow instances in your public subnet to communicate with instances in your private subnet. You will also associate these security groups with each instance in your VPC.

Create a DHCP options set. With an Amazon VPC, DHCP and DNS services are provided by default, which affects how you configure DNS on your Active Directory domain controller. Amazon’s DHCP cannot be disabled and Amazon’s DNS can be used only for public DNS resolution, not Active Directory name resolution. To specify the domain and name servers handed to instances through DHCP, create a DHCP options set. The set assigns the Active Directory domain suffix and specifies the DNS server for all instances in your VPC. To ensure Host (A) and Reverse Lookup (PTR) records are automatically registered when instances join the domain, you configure the network adapter properties for each instance you add to the private subnet.

Add a bastion host, domain controller, and Citrix Cloud Connectors to the VPC. Through the bastion host, you can log on to instances in the private subnet to set up the domain, join instances to the domain, and install the Citrix Cloud Connector.

Task 1: Set up the VPC

  1. From the AWS management console, select VPC.
  2. From the VPC Dashboard, select Start VPC Wizard.
  3. Select VPC with Public and Private Subnets and then Select.
  4. Enter a VPC name and change the IP CIDR block and Public and Private subnet IP ranges, if necessary.
  5. If a NAT gateway is selected, select Use a NAT Instance instead.
  6. For the NAT instance, specify the instance type and the key pair you want to use. The key pair enables you to securely connect to the instance later.
  7. In Enable DNS host names, leave Yes selected.
  8. Select Create VPC. AWS creates the public and private subnets, Internet gateway, route tables, and default security group.

Note:

Changing the name of an AWS Virtual Private Cloud (VPC) in the AWS console breaks the existing hosting unit in Citrix Cloud. When the hosting unit is broken, you cannot create catalogs or add machines to existing catalogs. From Known Issue: PMCS-7701

Task 2: Configure security groups

This task creates and configures the following security groups for your VPC:

  • A security group for the NAT instance.
  • A public security group, with which instances in your Public subnet will be associated.
  • A private security group, with which instances in your Private subnet will be associated.

To create the security groups

  1. From the VPC Dashboard, select Security Groups.
  2. Create a security group for the NAT instance. Select Create Security Group and enter a name tag and description for the group. In VPC, select the VPC you created earlier. Select Yes, Create.
  3. Repeat Step 2 to create a public security group and a private security group.

Configure the NAT security group

  1. From the security group list, select the NAT security group.

  2. Select the Inbound Rules tab and select Edit to create the following rules:

    Type            Source
    ALL Traffic     Select the Private security group.
    22 (SSH)        0.0.0.0/0
  3. When finished, select Save.

Configure the Public security group

  1. From the security group list, select the Public security group.

  2. Select the Inbound Rules tab and select Edit to create the following rules:

    Type                          Source
    ALL Traffic                   Select the Private security group.
    ALL Traffic                   Select the Public security group.
    ICMP                          0.0.0.0/0
    22 (SSH)                      0.0.0.0/0
    80 (HTTP)                     0.0.0.0/0
    443 (HTTPS)                   0.0.0.0/0
    1494 (ICA/HDX)                0.0.0.0/0
    2598 (Session Reliability)    0.0.0.0/0
    3389 (RDP)                    0.0.0.0/0
  3. When finished, select Save.

  4. Select the Outbound Rules tab and select Edit to create the following rules:

    Type            Destination
    ALL Traffic     Select the Private security group.
    ALL Traffic     0.0.0.0/0
    ICMP            0.0.0.0/0
  5. When finished, select Save.

Configure the private security group

  1. From the security group list, select the Private security group.

  2. If you have not set up traffic from the public security group, you may need to set TCP ports explicitly; select the Inbound Rules tab and select Edit to create the following rules:

    Type                              Source
    ALL Traffic                       Select the NAT security group.
    ALL Traffic                       Select the Private security group.
    ALL Traffic                       Select the Public security group.
    ICMP                              Select the Public security group.
    TCP 53 (DNS)                      Select the Public security group.
    UDP 53 (DNS)                      Select the Public security group.
    80 (HTTP)                         Select the Public security group.
    TCP 135                           Select the Public security group.
    TCP 389                           Select the Public security group.
    UDP 389                           Select the Public security group.
    443 (HTTPS)                       Select the Public security group.
    TCP 1494 (ICA/HDX)                Select the Public security group.
    TCP 2598 (Session Reliability)    Select the Public security group.
    3389 (RDP)                        Select the Public security group.
    TCP 49152–65535                   Select the Public security group.
  3. When finished, select Save.

  4. Select the Outbound Rules tab and select Edit to create the following rules:

    Type            Destination
    ALL Traffic     Select the Private security group.
    ALL Traffic     0.0.0.0/0
    ICMP            0.0.0.0/0
    UDP 53 (DNS)    0.0.0.0/0
  5. When finished, select Save.
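As an added illustration that is not part of the original article, the following Python script translates the rule tables in this task (using the Private security group's inbound rules as listed above) into the IpPermissions structure the EC2 API expects, so the same rules can be applied with boto3 instead of clicked in through the console. The group IDs are constructed placeholders, and the unprefixed ports on the page (22, 80, 443, 1494, 2598, 3389) are assumed to be TCP services, as the console's named rule types are.

```python
import re

# Constructed placeholder IDs standing in for the three groups created in this task.
GROUP_IDS = {"nat": "sg-PLACEHOLDER-nat", "public": "sg-PLACEHOLDER-public",
             "private": "sg-PLACEHOLDER-private"}

# Inbound rules of the Private security group, as listed in the table above.
PRIVATE_INBOUND = [
    ("ALL Traffic", "nat"), ("ALL Traffic", "private"), ("ALL Traffic", "public"),
    ("ICMP", "public"), ("TCP 53 (DNS)", "public"), ("UDP 53 (DNS)", "public"),
    ("80 (HTTP)", "public"), ("TCP 135", "public"), ("TCP 389", "public"),
    ("UDP 389", "public"), ("443 (HTTPS)", "public"), ("TCP 1494 (ICA/HDX)", "public"),
    ("TCP 2598 (Session Reliability)", "public"), ("3389 (RDP)", "public"),
    ("TCP 49152–65535", "public"),
]

# Optional protocol, a port, and an optional upper bound joined by '-' or an en dash.
RULE_RE = re.compile(r"^(?:(TCP|UDP)\s+)?(\d+)(?:\s*[-\u2013]\s*(\d+))?", re.I)


def rule_type_to_permission(rule_type):
    """Translate one 'Type' cell of the page's tables into an EC2 IpPermission."""
    t = rule_type.strip()
    if t.upper() == "ALL TRAFFIC":
        return {"IpProtocol": "-1"}  # every protocol and every port
    if t.upper() == "ICMP":
        return {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1}  # all ICMP types
    m = RULE_RE.match(t)
    if not m:
        raise ValueError(f"unrecognised rule type: {rule_type!r}")
    proto, lo, hi = m.group(1), int(m.group(2)), m.group(3)
    # Assumption: an unprefixed port on the page (22, 80, 443, ...) is a TCP service.
    return {"IpProtocol": (proto or "tcp").lower(), "FromPort": lo, "ToPort": int(hi) if hi else lo}


def build_permissions(rules, group_ids=GROUP_IDS):
    """Return the IpPermissions list for authorize_security_group_ingress/egress."""
    perms = []
    for rule_type, source in rules:
        perm = rule_type_to_permission(rule_type)
        if source in group_ids:  # reference to another security group, not a CIDR
            perm["UserIdGroupPairs"] = [{"GroupId": group_ids[source]}]
        else:
            perm["IpRanges"] = [{"CidrIp": source}]
        perms.append(perm)
    return perms


def apply_with_boto3(group_id, rules):
    """Push the rules to EC2; needs boto3 and AWS credentials, so it is only called on demand."""
    import boto3
    ec2 = boto3.client("ec2")
    return ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=build_permissions(rules))
```

Call build_permissions(PRIVATE_INBOUND) to inspect the generated structure before pushing it with apply_with_boto3; the group-to-group references are what keep the private subnet closed to 0.0.0.0/0.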

Task 3: Associate the NAT instance with the NAT security group

  1. From the AWS management console, select EC2.
  2. From the EC2 Dashboard, select Instances.
  3. Select the NAT instance and then select Actions > Networking > Change Security Groups.
  4. Clear the default security group check box.
  5. Select the NAT security group you created earlier and then select Assign Security Groups.

Task 4: Launch instances

The following steps create four EC2 instances and decrypt the default Administrator password that Amazon generates.

  1. From the AWS management console, select EC2.

  2. From the EC2 Dashboard, select Launch Instance.

  3. Select a Windows Server machine image and instance type.

  4. On the Configure Instance Details page, enter a name for the instance and select the VPC you set up earlier.

  5. In Subnet, make the following selections for each instance:

    • Bastion host: Select the Public subnet.
    • Domain controller and Connectors: Select the Private subnet.
  6. In Auto-assign Public IP address, make the following selections for each instance:

    • Bastion host: Select Enable.
    • Domain controller and Connectors: Select Use default setting or Disable.
  7. In Network Interfaces, enter a primary IP address within the IP range of your private subnet for the domain controller and Cloud Connector instances.

  8. On the Add Storage page, modify the disk size, if necessary.

  9. On the Tag Instance page, enter a friendly name for each instance.

  10. On the Configure Security Groups page, select Select an existing security group and then make the following selections for each instance:

    • Bastion host: Select the Public security group.
    • Domain controller and Cloud Connectors: Select the Private security group.
  11. Review your selections and then select Launch.

  12. Create a new key pair or select an existing one. If you create a new key pair, download your private key (.pem) file and keep it in a safe place. You must supply your private key when you acquire the default Administrator password for the instance.

  13. Select Launch Instances. Select View Instances to display a list of your instances. Wait until the newly launched instance has passed all status checks before accessing it.

  14. Acquire the default Administrator password for each instance:

    1. From the instance list, select the instance and then select Connect.
    2. Select Get Password and supply your private key (.pem) file when prompted.
    3. Select Decrypt Password. AWS displays the default password.
  15. Repeat Steps 2–14 until you have created four instances: a bastion host instance in your public subnet and three instances in your private subnet for use as a domain controller and two Cloud Connectors.

Task 5: Create a DHCP options set

  1. From the VPC Dashboard, select DHCP Options Sets.

  2. Enter the following information:

    • Name tag: Enter a friendly name for the set.
    • Domain name: Enter the fully qualified domain name you use when you configure the domain controller instance.
    • Domain name servers: Enter the private IP address you assigned to the domain controller instance and the string AmazonProvidedDNS, separated by commas.
    • NTP servers: Leave this field blank.
    • NetBIOS name servers: Enter the private IP address of the domain controller instance.
    • NetBIOS node type: Enter 2.
  3. Select Yes, Create.

  4. Associate the new set with your VPC:

    1. From the VPC Dashboard, select Your VPCs and then select the VPC you set up earlier.
    2. Select Actions > Edit DHCP Options Set.
    3. When prompted, select the new set you created and then select Save.

Task 6: Configure the instances

  1. Using an RDP client, connect to the public IP address of the bastion host instance. When prompted, enter the credentials for the Administrator account.

  2. From the bastion host instance, launch Remote Desktop Connection and connect to the private IP address of the instance you want to configure. When prompted, enter the Administrator credentials for the instance.

  3. For all instances in the private subnet, configure the DNS settings:

    1. Select Start > Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings. Double-click the network connection displayed.
    2. Select Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties.
    3. Select Advanced > DNS. Ensure that the following settings are enabled and select OK:

      • Register this connection’s addresses in DNS
      • Use this connection’s DNS suffix in DNS registration
  4. To configure the domain controller:

    1. Using Server Manager, add the Active Directory Domain Services role with all default features.
    2. Promote the instance to a domain controller. During promotion, enable DNS and use the domain name you specified when you created the DHCP options set. Restart the instance when prompted.
  5. To configure the first Cloud Connector:

    1. Join the instance to the domain and restart when prompted. From the bastion host instance, reconnect to the instance using RDP.
    2. Sign in to Citrix Cloud. Select Resource Locations from the upper left menu.
    3. Download the Cloud Connector.
    4. When prompted, run the cwcconnector.exe file and supply your Citrix Cloud credentials. Follow the wizard.
    5. When finished, select Refresh to display the Resource Locations page. When the Cloud Connector is registered, the instance appears on the page.
  6. Repeat Step 5 to configure the second Cloud Connector.

Create a connection

When you create a connection from the Full Configuration interface:

  • You must provide the API key and secret key values. You can export the key file containing those values from AWS and then import them. You must also provide the region, availability zone, VPC name, subnet addresses, domain name, security group names, and credentials.
  • The credentials file for the root AWS account (retrieved from the AWS console) is not formatted the same as credentials files downloaded for standard AWS users. Therefore, Citrix Virtual Apps and Desktops management cannot use the file to populate the API key and secret key fields. Ensure that you are using AWS Identity Access Management (IAM) credentials files.

Note:

After you create a connection, attempts to update the API key and secret key might fail. To resolve the issue, check your proxy server or firewall restrictions and ensure that the following address is contactable: https://*.amazonaws.com.

Host connection default values

When you create host connections in the Full Configuration interface of the AWS cloud environment, the following default values display:

Option                                        Absolute    Percentage
Simultaneous actions (all types)              125         100
Maximum new actions per minute                125
Maximum concurrent provisioning operations    100

MCS supports 100 maximum concurrent provisioning operations by default.

You can configure these values by accessing the Citrix Studio Advanced section on the Edit Connection screen.

Identity and Access Management (IAM)

MCS supports 100 maximum concurrent operations by default. Alternatively, you can use the Remote PowerShell SDK to set the maximum number of concurrent operations for optimal settings per your environment.

Use the PowerShell custom property, MaximumConcurrentProvisioningOperations, to specify the maximum number of concurrent AWS provisioning operations.

Prior to configuration:

  • Ensure you have installed PowerShell SDK for Cloud.
  • Understand that the default value for MaximumConcurrentProvisioningOperations is 100.

Perform the following steps to customize the MaximumConcurrentProvisioningOperations value:

  1. Open a PowerShell window.
  2. Run asnp citrix* to load the Citrix-specific PowerShell modules.
  3. Enter cd xdhyp:\Connections\.
  4. Enter dir to list the connections.
  5. Change or Initialize the Custom Properties string:

    • If the Custom Properties string has a value, copy the Custom Properties into Notepad. Next, change the MaximumConcurrentProvisioningOperations property to your preferred value. You can enter a value ranging from 1-1000. For example, <Property xsi:type="IntProperty" Name="MaximumConcurrentProvisioningOperations" Value="xyz"/>.

    • If the Custom Properties string is empty/null, you must initialize the string by entering the proper syntax for both the schema and the MaximumConcurrentProvisioningOperations property.

  6. In the PowerShell window, paste the modified Custom Properties from Notepad and assign a variable to the modified Custom Properties. If you initialized the Custom Properties, add the lines below following the syntax:

    $customProperties = '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Property xsi:type="IntProperty" Name="MaximumConcurrentProvisioningOperations" Value="100"/></CustomProperties>'

    This string sets the MaximumConcurrentProvisioningOperations property to 100. In the Custom Properties string, you must set the MaximumConcurrentProvisioningOperations property to a value that aligns with your needs.

  7. Enter Get-XDAuthentication, which prompts you for your credentials.
  8. Run $cred = Get-Credential, which might prompt you only for a Password (or for a Name and Password). You also might be prompted for the application ID and associated secret. For connections using role-based authentication, role_based_auth is both the Name and Password. Otherwise, enter the AWS API ID and secret.
  9. Run Set-Item -PSPath 'XDHyp:\Connections\<connection-name>' -CustomProperties $customProperties -UserName $cred.UserName -SecurePassword $cred.Password. Replace <connection-name> with the name of the connection.
  10. Enter dir to verify the updated CustomProperties string.
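The Notepad edit in steps 5 and 6 is easy to get wrong (a dropped namespace declaration, an existing property overwritten, or a value outside 1-1000). As an added example that is not part of the original article or of the Citrix SDK, this Python helper parses an existing CustomProperties string, initialises an empty or null one to the schema shown in step 6, and sets MaximumConcurrentProvisioningOperations with the range check; the result is the string you assign to $customProperties in step 6.

```python
import xml.etree.ElementTree as ET

# Namespaces and property name exactly as they appear in the string in step 6.
MC_NS = "http://schemas.citrix.com/2014/xd/machinecreation"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
PROP_NAME = "MaximumConcurrentProvisioningOperations"
ET.register_namespace("", MC_NS)      # serialise as the default namespace, as on the page
ET.register_namespace("xsi", XSI_NS)

# The initialisation string from step 6, reproduced here as sample input.
PAGE_STRING = ('<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" '
               'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
               '<Property xsi:type="IntProperty" Name="MaximumConcurrentProvisioningOperations" '
               'Value="100"/></CustomProperties>')


def set_max_provisioning_ops(custom_properties, value):
    """Return a CustomProperties string with PROP_NAME set to value (1-1000).

    An empty/null input is initialised to the schema from step 6; an existing
    string keeps every other Property element untouched, which is the part of
    the manual Notepad edit in step 5 that is easiest to get wrong.
    """
    value = int(value)
    if not 1 <= value <= 1000:
        raise ValueError(f"{PROP_NAME} must be in the range 1-1000, got {value}")
    if custom_properties is None or not custom_properties.strip():
        root = ET.Element(f"{{{MC_NS}}}CustomProperties")
    else:
        root = ET.fromstring(custom_properties)
        if root.tag != f"{{{MC_NS}}}CustomProperties":
            raise ValueError("not a machinecreation CustomProperties document")
    props = [p for p in root.findall(f"{{{MC_NS}}}Property") if p.get("Name") == PROP_NAME]
    prop = props[0] if props else ET.SubElement(root, f"{{{MC_NS}}}Property")
    prop.set(f"{{{XSI_NS}}}type", "IntProperty")
    prop.set("Name", PROP_NAME)
    prop.set("Value", str(value))
    return ET.tostring(root, encoding="unicode")


def get_max_provisioning_ops(custom_properties, default=100):
    """Read the effective value; the page gives 100 as the default when unset."""
    if custom_properties is None or not custom_properties.strip():
        return default
    root = ET.fromstring(custom_properties)
    for p in root.findall(f"{{{MC_NS}}}Property"):
        if p.get("Name") == PROP_NAME:
            return int(p.get("Value"))
    return default
```

Paste the string returned by set_max_provisioning_ops into the $customProperties assignment of step 6, and use get_max_provisioning_ops on the output of dir in step 10 to confirm the value took effect.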

Service endpoint URL

Standard zone service endpoint URL

When you use MCS, a new AWS connection is added with an API key and an API secret. With this information, along with the authenticated account, MCS queries AWS for the supported zones using the AWS DescribeRegions EC2 API call. The query is made using a generic EC2 Service Endpoint URL https://ec2.amazonaws.com/. Use MCS to select the zone for the connection from the list of supported zones. The preferred AWS service endpoint URL is automatically selected for the zone. However, after you create the service endpoint URL, you can no longer set or modify the URL.

Non-standard service endpoint URL

There can be situations where you might not need the automatically chosen AWS Service Endpoint URL for the connection. For such cases, you can use Citrix Cloud SDK and PowerShell to create a connection with a non-standard service endpoint URL. For example, to create a connection using the service endpoint URL https://ec2.cn-north-1.amazonaws.com.cn:

  1. Set up the AWS hosted Cloud Connector and ensure that it has connectivity.
  2. Run the following PowerShell commands to see the list of Cloud Connectors.

     PS C:\> asnp citrix.*
     PS C:\> Get-XDAuthentication
     PS C:\> Get-ConfigEdgeServer
