Google Cloud environments
Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) lets you provision and manage machines on Google Cloud. This article walks you through using Machine Creation Services (MCS) to provision virtual machines in your Citrix Virtual Apps or Citrix Virtual Desktops service deployment.
Requirements
- Citrix Cloud account. The feature described in this article is available only in Citrix Cloud.
- Citrix DaaS subscription. For details, see Get started.
- A Google Cloud project. The project stores all compute resources associated with the machine catalog. It can be an existing project or a new one.
- Enable four APIs in your Google Cloud project. For details, see Enable Google Cloud APIs.
- Google Cloud service account. The service account authenticates to Google Cloud to enable access to the project. For details, see Configure the Google Cloud service account.
- Enable private Google access. For details, see Enable private Google access.
Enable Google Cloud APIs
To use the Google Cloud functionality through the Citrix Virtual Apps and Desktops Full Configuration interface, enable these APIs in your Google Cloud project:
- Compute Engine API
- Cloud Resource Manager API
- Identity and Access Management (IAM) API
- Cloud Build API
From the Google Cloud console, complete these steps:
In the upper left menu, select APIs and Services > Dashboard.
On the Dashboard screen, ensure that Compute Engine API is enabled. If not, follow these steps:
Navigate to APIs and Services > Library.
In the search box, type Compute Engine.
From the search results, select Compute Engine API.
On the Compute Engine API page, select Enable.
Enable Cloud Resource Manager API.
Navigate to APIs and Services > Library.
In the search box, type Cloud Resource Manager.
From the search results, select Cloud Resource Manager API.
On the Cloud Resource Manager API page, select Enable. The status of the API appears.
Similarly, enable Identity and Access Management (IAM) API and Cloud Build API.
Configure the Google Cloud service account
A Google Cloud service account lets you create and manage resources inside Google Cloud projects. A Google Cloud service account is required to provision and manage machines, as described in this article. The Google Cloud account authenticates to Citrix Cloud using a key generated by Google Cloud. Each account (personal or service) has various roles defining the management of the project.
We recommend that you create a service account. To do so, follow these steps:
In the Google Cloud console, navigate to IAM & Admin > Service accounts.
On the Service accounts page, select CREATE SERVICE ACCOUNT.
On the Create service account page, type the required information and then select CREATE.
When creating the service account, consider the following:
You can select CANCEL to save and exit the Service account details page without completing the Grant this service account access to project and the Grant users access to this service account pages. You can do these optional steps later.
If you choose to skip these optional configuration steps, the newly created service account does not display in the IAM & Admin > IAM page.
To display roles associated with a service account, add the roles without skipping the optional steps. This process ensures that roles appear for the configured service account.
When creating a service account, there is an option to create a key for the account. You need this key when creating a connection in Citrix DaaS. The key is contained in a credential file (.json). The file is automatically downloaded and saved to the Downloads folder after you create the key. When you create the key, be sure to set the key type to JSON. Otherwise, the Citrix Full Configuration interface cannot parse it.
Tip:
Create keys using the Service accounts page in the Google Cloud console. We recommend that you change keys regularly for security purposes. You can provide new keys to the Citrix Virtual Apps and Desktops application by editing an existing Google Cloud connection.
Also, you need to grant your service account the necessary permissions to access your Google Cloud project:
In the Google Cloud console, navigate to IAM & Admin > IAM. On the IAM page, locate the service account you created and then select the pencil icon to edit the service account.
On the Edit permissions page, select ADD ANOTHER ROLE to add the following roles to your service account one by one and then select SAVE.
- Compute Admin
- Storage Admin
- Cloud Build Editor
- Service Account User
Update the roles assigned to the Cloud Build service account in your project:
- In the Google Cloud console, navigate to IAM & Admin > IAM.
- On the IAM page, locate the Cloud Build service account and then select the pencil icon to edit the service account. You can identify the Cloud Build service account by its user name, which is in this format: <your_gcp_project_ID_number>@cloudbuild.gserviceaccount.com.
- On the Edit permissions page, select ADD ANOTHER ROLE to add the following roles to your Cloud Build service account one by one and then select SAVE.
- Cloud Build Service Account
- Compute Instance Admin
- Service Account User
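As an added example that is not part of the Citrix documentation, the following Python script audits a project's IAM policy for the roles listed above for both service accounts. The project number, connection service account address and policy bindings are constructed placeholders; the role IDs are the predefined Google Cloud roles behind the console role names, and the policy shape follows the JSON that `gcloud projects get-iam-policy` prints.

```python
"""Audit a project IAM policy for the roles the MCS service accounts need.
Constructed example (not Citrix or Google code): POLICY mirrors the JSON shape
of `gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json

# Console role name -> predefined IAM role ID, for the connection service account.
CONNECTION_SA_ROLES = {
    "Compute Admin": "roles/compute.admin",
    "Storage Admin": "roles/storage.admin",
    "Cloud Build Editor": "roles/cloudbuild.builds.editor",
    "Service Account User": "roles/iam.serviceAccountUser",
}
# Roles for the project's default Cloud Build service account.
CLOUD_BUILD_SA_ROLES = {
    "Cloud Build Service Account": "roles/cloudbuild.builds.builder",
    "Compute Instance Admin": "roles/compute.instanceAdmin.v1",  # "(v1)" in the console
    "Service Account User": "roles/iam.serviceAccountUser",
}


def cloud_build_sa_email(project_number):
    """The default Cloud Build account is named after the project NUMBER, not its ID."""
    return f"{project_number}@cloudbuild.gserviceaccount.com"


def roles_for_member(policy, member):
    """Set of role IDs bound to one member string such as 'serviceAccount:x@y'."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def missing_roles(policy, sa_email, required):
    """Console names of required roles that are not bound to the service account."""
    granted = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return sorted(name for name, role_id in required.items() if role_id not in granted)


def audit(policy, connection_sa, project_number):
    """Map each service account to the roles it still lacks (empty list = complete)."""
    build_sa = cloud_build_sa_email(project_number)
    return {
        connection_sa: missing_roles(policy, connection_sa, CONNECTION_SA_ROLES),
        build_sa: missing_roles(policy, build_sa, CLOUD_BUILD_SA_ROLES),
    }


# Constructed sample: placeholder project number, connection SA and bindings.
PROJECT_NUMBER = "123456789012"
CONNECTION_SA = "citrix-mcs@example-project.iam.gserviceaccount.com"
POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.admin",
   "members": ["serviceAccount:citrix-mcs@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/cloudbuild.builds.editor",
   "members": ["serviceAccount:citrix-mcs@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:citrix-mcs@example-project.iam.gserviceaccount.com",
               "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for account, gaps in audit(POLICY, CONNECTION_SA, PROJECT_NUMBER).items():
        print(account, "missing:", gaps or "none")
```

In the constructed policy the connection account lacks Storage Admin (so MCS could not set the build-log bucket lifecycle rule) and the Cloud Build account lacks Compute Instance Admin.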
Storage permissions and bucket management
Citrix DaaS improves the process of reporting cloud build failures for the Google Cloud service. This service runs builds on Google Cloud. Citrix DaaS creates a storage bucket named citrix-mcs-cloud-build-logs-{region}-{5 random characters}, where Google Cloud captures build log information. An option is set on this bucket that deletes the contents after a period of 30 days. This process requires that the service account used for the connection has the Google Cloud permission storage.buckets.update. If the service account does not have this permission, Citrix DaaS ignores the error and proceeds with the catalog creation process. Without this permission, the build logs grow in size and require manual cleanup.
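As an added example that is not part of the Citrix documentation, this Python script checks an inventory of buckets for MCS build-log buckets that lack the 30-day delete rule described above. The bucket names and lifecycle documents are constructed; the lifecycle JSON follows the shape printed by `gsutil lifecycle get`, an empty document is assumed to mean no lifecycle configuration, and the five-character suffix is assumed to be lowercase alphanumerics.

```python
"""Find MCS build-log buckets whose 30-day delete lifecycle rule is missing.
Constructed example (not Citrix or Google code); see the lead-in for assumptions.
"""
import re

# citrix-mcs-cloud-build-logs-{region}-{5 random characters}. The region may
# contain hyphens; the suffix is assumed to be five lowercase alphanumerics.
BUCKET_RE = re.compile(
    r"^citrix-mcs-cloud-build-logs-(?P<region>[a-z0-9-]+)-(?P<suffix>[a-z0-9]{5})$"
)


def parse_bucket_name(name):
    """Return (region, suffix) for an MCS build-log bucket, or None for other buckets."""
    m = BUCKET_RE.match(name)
    return (m.group("region"), m.group("suffix")) if m else None


def has_delete_after(lifecycle, max_age_days=30):
    """True if some rule deletes objects once they are at most `max_age_days` old."""
    for rule in lifecycle.get("rule", []):
        is_delete = rule.get("action", {}).get("type") == "Delete"
        age = rule.get("condition", {}).get("age")
        if is_delete and age is not None and age <= max_age_days:
            return True
    return False


def audit_buckets(buckets):
    """Map each MCS build-log bucket name to whether the expected rule is present.

    `buckets` maps bucket name -> lifecycle document; other buckets are skipped.
    A missing rule usually means the connection service account lacked
    storage.buckets.update when MCS created the bucket, so logs accumulate.
    """
    return {name: has_delete_after(lc) for name, lc in buckets.items()
            if parse_bucket_name(name) is not None}


# Constructed sample inventory (assumed `gsutil lifecycle get` JSON per bucket).
SAMPLE_BUCKETS = {
    "citrix-mcs-cloud-build-logs-us-central1-a1b2c":
        {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 30}}]},
    "citrix-mcs-cloud-build-logs-europe-west1-x9y8z": {},  # rule never applied
    "my-app-assets":
        {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 7}}]},
}

if __name__ == "__main__":
    for name, ok in audit_buckets(SAMPLE_BUCKETS).items():
        print(name, "lifecycle OK" if ok else "no 30-day delete rule: logs will accumulate")
```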
Enable private Google access
When a VM lacks an external IP address assigned to its network interface, packets are only sent to other internal IP address destinations. When you enable private access, the VM can connect to the set of external IP addresses used by the Google APIs and associated services.
Note:
Regardless of whether private Google access is enabled, all VMs, with or without public IP addresses, must be able to access Google public APIs, especially if third-party networking appliances have been installed in the environment.
To ensure that a VM in your subnet can access the Google APIs without a public IP address for MCS provisioning:
- In Google Cloud, access the VPC network configuration.
- In the Subnet details screen, turn on Private Google access.
For more information, see Configuring Private Google Access.
Important:
If your network is configured to prevent VM access to the Internet, ensure that your organization assumes the risks associated with enabling Private Google access for the subnet to which the VM is connected.
Add a connection
In the Full Configuration interface, follow the guidance in Create a connection and resources. The following description guides you through setting up a hosting connection:
From Manage > Full Configuration, select Hosting in the left pane.
Select Add Connection and Resources in the action bar.
On the Connection page, select Create a new Connection and Citrix provisioning tools, and then select Next.
- Zone name. Select a zone (equivalent to a resource location) where you want your host resources to reside. Zones are created automatically when you create a resource location and add a Cloud Connector to it. For more information, see Zones.
- Connection type. Select Google Cloud from the menu.
- Service account key. Import the key contained in your Google credential file (.json). To do so, locate your credential file, open the file with Notepad (or any text editor), and then copy the content. After that, return to the Connection page, select Import key, paste the content, and then select Save.
- Service account ID. The field automatically populates with the information from the imported key.
- Connection name. Type a name for the connection.
On the Region page, select a project name from the menu, select a region containing the resources you want to use, and then select Next.
On the Network page, type a name for the resources, select a virtual network from the menu, select a subnet, and then select Next. The resource name helps identify the region and network combination. Virtual networks with the (Shared) suffix appended to their name represent shared VPCs. If you configure a subnet-level IAM role for a shared VPC, only specific subnets of the shared VPC appear on the subnet list.
Note:
- The resource name can contain 1–64 characters, and cannot contain only blank spaces or the characters \ / ; : # . * ? = < > | [ ] { } " ' ( ) ' ).
On the Summary page, confirm the information and then select Finish to exit the Add Connection and Resources window.
After creating the connection and resources, the connection and resources you created are listed. To configure the connection, select the connection and then select the applicable option in the action bar.
Similarly, you can delete, rename, or test the resources created under the connection. To do so, select the resource under the connection and then select the applicable option in the action bar.
Prepare a master VM instance and a persistent disk
Tip:
Persistent disk is the Google Cloud term for virtual disk.
To prepare your master VM instance, create and configure a VM instance with properties that match the configuration you want for the cloned VDA instances in your planned machine catalog. The configuration does not apply only to the instance size and type. It also includes instance attributes such as metadata, tags, GPU assignments, network tags, and service account properties.
As part of the mastering process, MCS uses your master VM instance to create the Google Cloud instance template. The instance template is then used to create the cloned VDA instances that comprise the machine catalog. Cloned instances inherit the properties (except the VPC, subnet, and persistent disk properties) of the master VM instance from which the instance template was created.
After configuring the properties of the master VM instance to your specifics, start the instance and then prepare the persistent disk for the instance.
We recommend that you manually create a snapshot of the disk. Doing so lets you use a meaningful naming convention to track versions, gives you more options to manage earlier versions of your master image, and saves time for machine catalog creation. If you do not create your own snapshot, MCS creates a temporary snapshot for you (which is deleted at the end of the provisioning process).
Create a machine catalog
Note:
Create your resources before you create a machine catalog. Use the naming conventions established by Google Cloud when configuring machine catalogs. See Bucket and object naming guidelines for more information.
Follow the guidance in Create machine catalogs. The following description is unique to Google Cloud catalogs.
From Manage > Full Configuration, select Machine Catalogs in the left pane.
Select Create Machine Catalog in the action bar.
On the Machine Type page, select Multi-session OS and then select Next.
- Citrix DaaS also supports single-session OS.
On the Machine Management page, select the Machines that are power managed and the Citrix Machine Creation Services options and then select Next. If there are multiple resources, select one from the menu.
On the Master Image page, select a VM and the minimum functional level for the catalog and then select Next. If you want to use the sole tenancy functionality, be sure to select an image whose node group property is correctly configured. See Enable zone selection.
On the Storage page, select the type of storage used to contain the operating system for this machine catalog. Each of the following storage options has unique price and performance characteristics. (An identity disk is always created using the zonal standard persistent disk.)
- Standard persistent disk
- Balanced persistent disk
- SSD persistent disk
For details about Google Cloud storage options, see https://cloud.google.com/compute/docs/disks/.
On the Virtual Machines page, specify how many VMs you want to create, view the detailed specification of the VMs, and then select Next. If you use sole tenant node groups for machine catalogs, be sure to select only the zones where reserved sole tenant nodes are available. See Enable zone selection.
On the Disk Settings page, you can configure the following settings:
Choose whether to enable write-back cache. After enabling write-back cache, you can do the following:
- Configure the size of the disk and RAM used for caching temporary data. For more information, see Configure cache for temporary data.
- Select the storage type for the write-back cache disk. The following storage options are available to use for the write-back cache disk:
- Standard persistent disk
- Balanced persistent disk
- SSD persistent disk
For details about GCP storage options, see https://cloud.google.com/compute/docs/disks/.
- Select the type for the write-back cache disk.
- Use non-persistent write-back cache disk. If selected, the write-back cache disk does not persist for the provisioned VMs. The disk is deleted during power cycles and any data redirected to the disk will be lost.
- Use persistent write-back cache disk. If selected, the write-back cache disk persists for the provisioned VMs. Enabling this option increases your storage costs.
When MCS storage optimization (MCS I/O) is enabled, you can choose whether to retain system disks for VDAs during power cycles. For more information, see Enabling MCS storage optimization updates.
Choose whether to use your own key to protect disk contents. To use the feature, you must first create your own Customer Managed Encryption Keys (CMEKs). For more information, see Using Customer Managed Encryption Keys (CMEK).
Note:
This feature is available as a preview. It is available only in the Manage > Full Configuration interface.
After creating the keys, you can select one of those keys from the list. You cannot change the key after you create the catalog. Google Cloud does not support rotating keys on existing persistent disks or images. Therefore, after you provision a catalog, the catalog is tied to a specific version of the key. If that key is disabled or destroyed, the instances and disks encrypted with it become unusable until the key is reenabled or restored.
On the Machine Identities page, select an Active Directory account and then select Next.
- If you select Create new Active Directory accounts, select a domain and then enter the sequence of characters representing the naming scheme for the provisioned VM computer accounts created in the Active Directory. The account naming scheme can contain 1–64 characters, and cannot contain blank spaces, or non-ASCII or special characters.
- If you select Use existing Active Directory accounts, select Browse to navigate to the existing Active Directory computer accounts for the selected machines.
On the Domain Credentials page, select Enter credentials, type the user name and password, select Save, and then select Next.
- The credential you type must have permissions to perform Active Directory account operations.
On the Scopes page, select scopes for the machine catalog and then select Next.
- You can select optional scopes or select custom scope to customize scopes as needed.
On the Summary page, confirm the information, specify a name for the catalog, and then select Finish.
Note:
The catalog name can contain 1–39 characters, and cannot contain only blank spaces or the characters \ / ; : # . * ? = < > | [ ] { } " ' ( ) ' ).
Machine catalog creation might take a long time to complete. When it completes, the catalog is listed. You can verify that the machines are created on the target node groups in the Google Cloud console.
Create a machine catalog using a machine profile
When you create a catalog to provision machines using Machine Creation Services (MCS), you can use a machine profile to capture the hardware properties from a virtual machine and apply them to newly provisioned VMs in the catalog. When the MachineProfile parameter is not used, the hardware properties are captured from the master image VM or snapshot. Some properties that you define explicitly, for example StorageType, CatalogZones, and CryptoKeyId, are ignored from the machine profile.
- To create a catalog with a machine profile, use the New-ProvScheme command. For example: New-ProvScheme -MachineProfile "path to VM". If you do not specify the MachineProfile parameter, hardware properties are captured from the master image VM.
- To update a catalog with a new machine profile, use the Set-ProvScheme command. For example: Set-ProvScheme -MachineProfile "path to new VM". This command does not change the machine profile of the existing VMs in the catalog. Only the newly created VMs added to the catalog have the new machine profile.
- You can also update the master image. However, when you update the master image, the hardware properties are not updated. If you want to update the hardware properties, update the machine profile using the Set-ProvScheme command. These changes apply only to new machines in the catalog. To update the hardware properties of an existing machine, use the Request-ProvVMUpdate command.
Add machines to a catalog
To add machines to a catalog, follow these steps:
From Manage > Full Configuration, select Machine Catalogs in the left pane.
Select the machine catalog to which you want to add machines.
Select Add Machines in the action bar.
On the Virtual Machines page, specify the number of machines you want to add and then select Next.
On the Machine Identities page, select an Active Directory account and then select Next.
On the Domain Credentials page, select Enter credentials, type the user name and password, select Save, and then select Next.
On the Summary page, confirm the information and then select Finish.
Update machines
This feature can be useful in cases where you want to update your master image or the minimum functional level.
To update machines, follow these steps:
From Manage > Full Configuration, select Machine Catalogs in the left pane.
Select the machine catalog that contains machines you want to update.
Select Update Machines in the action bar.
On the Master Image page, select a VM and the minimum functional level for the catalog and then select Next.
On the Rollout Strategy page, specify when you want to update the machines and then select Next.
On the Summary page, confirm the information and then select Finish.
To roll back a machine update, follow these steps:
Important:
Do not rename, delete, or move master images. Otherwise you cannot roll back the update.
From Manage > Full Configuration, select Machine Catalogs in the left pane.
Select the machine catalog where you want to roll back the machine update.
Select Rollback Machine Update in the action bar.
On the Overview page, confirm the information and then select Next.
On the Rollout Strategy page, configure the rollout strategy and then select Next.
On the Summary page, confirm the information and then select Finish.
Power management
Citrix DaaS lets you power manage Google Cloud machines. Use the Search node in the navigation pane to locate the machine you want to power manage. The following power actions are available:
- Delete
- Start
- Restart
- Force Restart
- Shut Down
- Force Shutdown
- Add to Delivery Group
- Manage Tags
- Turn On Maintenance Mode
You can also power manage Google Cloud machines by using Autoscale. To do so, add the Google Cloud machines to a Delivery Group and then enable Autoscale for that Delivery Group. For more information about Autoscale, see Autoscale.
Update provisioned machines using PowerShell
The Set-ProvScheme command changes the provisioning scheme. However, it does not affect existing machines. Using the Request-ProvVMUpdate PowerShell command, you can apply the current provisioning scheme to an existing persistent or non-persistent machine or set of machines. Currently, in GCP, the only property update supported by this feature is the machine profile.
You can update:
- A single VM
- A list of specific VMs or all existing VMs associated with a provisioning scheme ID
- A list of specific VMs or all existing VMs associated with a provisioning scheme name
To update the existing VMs:
Check the configuration of the existing machines. For example:
Get-ProvScheme | select ProvisioningSchemeName, ProvisioningSchemeVersion