Getting Started with Google GCP

Introduction

This process creates a simple Workspot pilot deployment for Workspot on Google GCP. The majority of the process is automated via PowerShell and Terraform scripts.

After completing the procedures in this document, administrators will be able to:

• Create fully functional Workspot Cloud Desktops and Cloud Applications server from the Google GCP Cloud.

• Manage all resources through Workspot Control.

End-users will be able to access their Workspot Desktops and Applications securely via the Workspot Client.

The difference between the pilot deployment described here and a production deployment is primarily as follows:

• The AD Domain Controller created here is a standalone instance that doesn’t communicate with your production Domain Controller.

• The virtual networks declared here are chosen arbitrarily rather than being chosen to work with your WAN/LAN routing.

• Advanced configuration such as multi-factor authentication, posture checking, and so on are not configured.

Prerequisites

• A Windows PC with Administrative access on which to run:

  • PowerShell

  • Terraform

• A GCP account with permissions to create a Terraform service account with the permissions required by Terraform.

• A Workspot account and access to Workspot Control with full Administrator permissions.

Create Your Workspot Account

• In a browser, go to https://service.us.workspot.com/#/signup.

• Fill in the form. Critical fields:

  • The “Corporate Email” address will be used as the administrative account for your Workspot Deployment. Domains such as “gmail.com” are not allowed.

  • Set “Company Headquarters” to your actual corporate headquarters location, not your personal location.

  • Set the “Control Deployment Location” to “European Union” if your HQ is the EU, and “United States” otherwise.

• Press “Sign Up.”

• Wait for the email sent to the address you provided. This may take a few minutes.

• Click the link. You will see a second form:

• Fill in the form. Notable fields:

• The “Company Identifier” field:

  • Is used by all your end-users when they use the Workspot Client for the first time.

  • Is part of the URLs you use to access Workspot Control, Watch and Trends.

  • Should be a version of your organization’s name.

  • Cannot contain punctuation or special characters except for a hyphen.

• The password will be used along with the email address you provided in the previous form when you sign into Workspot Control.

• Press Register.

• You will be signed in automatically to the “Add Public Cloud” page of Workspot Control, with “Workspot on Google GCP” already selected.

• Leave this browser tab open. We will return to it soon.

Initial GCP Configuration

The initial steps with GCP are as follows:

• Create a GCP Project.

• Create a Service account in GCP.

• Configure the GCP Cloud in Workspot Control.

These are covered in detail below.

Create a GCP Project

The project resource is an organizing entity required by Google Cloud, and forms the basis for creating, enabling, and using all Google Cloud services, managing APIs, enabling billing, adding, and removing collaborators, and managing permissions.

In the GCP Organizational Structure, a Project can be in a Folder or directly under the Organization. The diagram below shows an example of Google Cloud resource hierarchy in its complete form.

To be able to create a project, you must have the resourcemanager.projects.create permission. This permission is included in roles like the Project Creator role (roles/resourcemanager.projectCreator). To create a new project, see Google’s documentation, Creating and managing projects.

Enable the Compute API

In your project, enable the Compute API in the Google Cloud Console. This will create the default Compute Service Account and also create a default VPC network with subnets.

To enable Compute API in Google Cloud Console, go to “Compute Engine > VM Instances > enable Compute API.”

Delete the Default Network

When a new project is initiated, GCP automatically generates a default network, which is an auto-mode VPC network containing one subnet in each region. It's advisable to manually remove this VPC network to maintain a tidy environment before proceeding.

(Alternatively, you can implement the "compute.skipDefaultNetworkCreation" policy Constraint at the organizational or Folder level where you intend to establish the new project for Test Drive purposes. Once applied, any new projects created within the designated folder will not be equipped with a default network. However, existing projects created before the implementation of this constraint are unaffected by this modification.)

Create a Service Account in the Project

The service account will be used by Workspot Control to communicate with your GCP project for managing resources. We will use the Compute Engine Default Service Account when connecting a GCP project to Workspot Control.

To create a service account:

Go to IAM and Admin > Service Account

• Click on the three dots next to the Default Service Account

• Select “Manage Keys.”

• Click “Add Key > Create New Key.”

• Set Key Type to JSON.

• Save the JSON file to a local directory.

For more details, see GCP: Creating a Service Account With Custom Permissions for Workspot Control.

Note: Editor permission is adequate to deploy the Test drive project, however in case a new Service Account needs to be created later, Owner permission will be required for the user at the Project Level.

Configure the GCP Cloud in Workspot Control

Return to the “Setup > Cloud > Add Public Cloud” page in Workspot Control.

Fill out the form. From top to bottom:

• Type a name for your GCP project (which Control calls “a Public Cloud”). “GCPcloud” is shown in the example.

• Leave “Use Secure Cloud Proxy” unchecked.

• Set “Configuration Type” to “Google Cloud Platform.”

• Click “Import Service Account.”

• In the popup, click “Choose File, ” select the JSON file you saved in the previous section, and click “Import File.”

  • This will populate the “Project ID,” “Service Account ID,” and “Service Account User” fields.

• Select a GCP region to use as your main region.

• Leave “Use Shared VPC” and “Host Project ID” unchecked.

• Click “Save.”

• Control can now communicate with GCP.

Installing and configuring Terraform

To create the Workspot on AWS WorkSpaces Core deployment, including subnets, servers, an Active Directory Domain Controller, and a Workspot Enterprise Connector, you must first install Terraform on your local Windows device.

• Download the Terraform file from https://developer.hashicorp.com/terraform/install.

• Extract the file into c:\Terraform.

• The next step is to set up environmental variables.

• Under System properties (View Advanced System Settings) – Advanced- Environmental Variables

• Under User Variables for UserName

• Click on Path and edit, then select New and key in the path where you have the terraform.exe copied (c:\Terraform)

• Once it is applied, open a PowerShell window.

• Type terraform version

  • It should display the version of Terraform if the environmental variable is set correctly.

• Download GCP_Terraform_SingleRegion.zip

• Extract the files to the local folder where you want the project files to be located. There are three configuration files:

• Go to the folder with the three newly extracted files shown above.

• Copy the JSON file you saved earlier in Create a Service Account in the Project to this folder.

• Set the variables in the the top section of terraform.tfvars file.

  • Open it in Notepad++ (or the text editor of your choice).

  • Edit the values as in the first few lines to match your deployment.

    • (See the file for guidance about the form each line takes, which helps to identify what is being asked for.)

    • project_id: GCP project ID.

    • region1: the GCP region in which you’re deploying Workspot.

    • zone: a zone within the region.

    • serviceaccount: the full name of the Service Account.

    • source_Project_id: the Source Project ID from which Images should be copied.

    • templatesourcedisk: location of Windows 11 images.

    • source_project_Location: the GCP region of the Source Project.

    • src_credential_path: The service account JSON of the Source Project.

  • Save and close the file.  

Deploying the Workspot for Google GCP Landing Zone

• Open a PowerShell window if you haven’t done this already.

• Go to  directory with the configuration files from GCP_Terraform_SingleRegion.zip.

• To initialize Terraform, enter terraform init.

• Once the initialization is completed, typeterraform apply

• This will first list the changes that will be made (shown below in three screen shots) and then ask for permission to proceed:

• If you see any errors above, fix them before proceeding. However, if you see only warnings, you can ignore them if they don’t seem important.

  • To exit the deployment instead of proceeding, just press ENTER without answering “yes.”

• Answer yes to the question “Enter a value” if you are ready to perform the changes listed by Terraform.

• Wait for the process to complete.  

In Case of Errors

• If you see Errors during the deployment, the script will automatically exit.

• If most of the components have been deployed and the error is with just one or two components, try running terraform apply again. This should usually create the remaining components.

• If the above step doesn’t help, then there could be some genuine errors in the configuration files.

  • Try to fix them.

  • Once fixed, make sure to run the terraform destroy command to clean up the filed infrastructure.

  • Run terraform apply again.

Actions Performed by Terraform

The Terraform script deploys the following resources:

• Creates a VPC - "ws-tfproject-vpc" with address space 10.0.0.0/16. (See https://cloud.google.com/vpc/docs/create-modify-vpc-networks#create-custom-network.)

• Creates the following subnets (See https://cloud.google.com/vpc/docs/create-modify-vpc-networks#subnet-rules).

  • subnet-reg1-dmz - 10.0.0.144/28

  • subnet-reg1-mgmt - 10.0.0.128/28

  • subnet-reg1-vm - 10.0.0.0/25

• Creates NAT Routers and Gateways and apply them to the VM subnets (See https://cloud.google.com/nat/docs/overview).

• Creates Firewall Rules (See https://cloud.google.com/firewall/docs/firewalls#firewall-rules-in-google-cloud).

  • allow-egress-all – To open outbound traffic to the internet (0.0.0.0/0)

  • allow-internal-all – To allow traffic within the VPC Network.

  • allow-metadata-service – to enable communication to the metadata.google.internal service (169.254.169.254)

  • allow-3389-jump server – to enable RDP access to the jump server.

• Copies Windows 10 Image for Template from Source Project.

• Copies Windows 11 Image for Template from Source Project.

• Copies an AD Image from Source Project.

• Copies the App Server Image from the Source Project.

• Creates a Utility Server.

• Creates a Server to deploy EC.

• Creates a Static IP for AD Server - 10.0.0.135.

  • Creates an AD Server from the AD Image with Static IP - 10.0.0.135.

• Creates a Cloud Application Server.

• Creates a Project level-Metadata Entry: domain-controller-addresses: 10.0.0.135.

Completing the Configuration

Configure the AD Domain Controller

• Configure the AD Domain Controller. Do this first; the steps below depend upon it.

Install and Configure Workspot Enterprise Connector

The Terraform script has created a server for Workspot Enterprise Connector named ws-ec1.

• Sign into ws-ec1.

  • Username: Administrator

  • Password: Workspot@1601

• Once you log in, Set the machine DNS to point to the AD server 10.0.0.135.

• Install Java Runtime. Connector requires the Java Runtime Environment. Workspot recommends Azul Zulu OpenJDK. As of July 4, 2025, we require version 8.58 and version 21.0.7, but the requirement for 8.58 will be removed soon.

  • Download and install https://cdn.azul.com/zulu/bin/zulu8.58.0.13-ca-jre8.0.312-win_x64.msi

  • Download and install https://cdn.azul.com/zulu/bin/zulu21.42.19-ca-jre21.0.7-win_x64.msi

• After Azul Zulu is installed, join the machine to the Domain and reboot the server.

• Next, Create Workspot Enterprise Connector.

Finish Configuration Using Workspot Control

• Create a Workspot Managed Gateway via Workspot Control. See Managed Gateways (Gateway Clusters).

• Create a Desktop Pool. See Control: Desktop Pools.

• Download and use the Workspot Client. See Workspot Client Downloads and User Self-Registration and Resource Entitlements.

• (Optional) Create an Application Server Pool. See Workspot Application Server Pools (Cloud App Pools)

• (Optional) Create Web Applications. See The Workspot Browser and Web Applications.

Next Steps

You have created a complete, working Workspot for Google GCP deployment.

Your next steps are:

• To test this deployment thoroughly.

• To plan your production deployment that dovetails with your corporate networking, authentication, and other requirements.

Deleting the Infrastructure:

Using the Terraform command, we can also remove the resources we have built earlier if we are done with the deployment.

Note: The Terraform Destroy command will only delete what was created by Terraform. Resources created outside Terraform, Gateways, Template, Pool VDIs, or any other will need to be deleted manually first, before running the Terraform destroy command.

To destroy the previously created resources, follow the instructions:

• Open the command prompt and change the directory to where you have the project-related terraform files are placed.

• To initialize Terraform, enter terraform init.

•  Once Terraform is initialized, enter terraform destroy. This will list the infrastructure details that will be destroyed.

• Type Yes to give the final confirm to delete the resources.

• Any components built in the GCP Account using anything except Terraform must be deleted manually.