---
title: "Getting Started with Google GCP"
slug: "getting-started-with-google-gcp"
updated: 2025-10-08T14:38:08Z
published: 2025-10-08T14:38:08Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.workspot.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Getting Started with Google GCP

## Introduction

This process creates a simple Workspot pilot deployment for Workspot on Google GCP. The majority of the process is automated via PowerShell and Terraform scripts.

After completing the procedures in this document, administrators will be able to:

- Create fully functional Workspot Cloud Desktops and Cloud Applications server from the Google GCP Cloud.
- Manage all resources through Workspot Control.

End-users will be able to access their Workspot Desktops and Applications securely via the Workspot Client.

The difference between the pilot deployment described here and a production deployment is primarily as follows:

- The AD Domain Controller created here is a standalone instance that doesn’t communicate with your production Domain Controller.
- The virtual networks declared here are chosen arbitrarily rather than being chosen to work with your WAN/LAN routing.
- Advanced configuration such as multi-factor authentication, posture checking, and so on are not configured.

## Prerequisites

- A Windows PC with Administrative access on which to run:
  - PowerShell
  - Terraform
- A GCP account with permissions to create a Terraform service account with the permissions required by Terraform.
- A Workspot account and access to Workspot Control with full Administrator permissions.

## Create Your Workspot Account

![Workspot account creation form with fields for user information and sign-up button.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/gcp-terraform-1.png)

- In a browser, go to [https://control.workspot.com/signup](https://control.workspot.com/signup).
- Fill in the form. Critical fields:
  - The “Corporate Email” address will be used as the administrative account for your Workspot Deployment. Domains such as “gmail.com” are not allowed.
  - Set “Company Headquarters” to your actual corporate headquarters location, not your personal location.
  - Set the “Control Deployment Location” to “European Union” if your HQ is the EU, and “United States” otherwise.
- Press “Sign Up.”

![Email notification confirming the setup of a Workspot account with activation link.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/pilot-amazon-core-v2-07.png)

- Wait for the email sent to the address you provided. This may take a few minutes.
- Click the link. You will see a second form:

![Registration form for creating a Workspot account with required fields and agreement.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/pilot-amazon-core-v2-09.png)

- Fill in the form. Notable fields:
- The “Company Identifier” field:
  - Is used by all your end-users when they use the Workspot Client for the first time.
  - Is part of the URLs you use to access Workspot Control, Watch and Trends.
  - Should be a version of your organization’s name.
  - Cannot contain punctuation or special characters except for a hyphen.
- The password will be used along with the email address you provided in the previous form when you sign into Workspot Control.
- Press Register.

![Form for adding a public cloud provider with required fields highlighted.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/gcp-terraform-02.png)

- You will be signed in automatically to the “Add Public Cloud” page of Workspot Control, with “Workspot on Google GCP” already selected.
- Leave this browser tab open. We will return to it soon.

## Initial GCP Configuration

The initial steps with GCP are as follows:

- Create a GCP Project.
- Create a Service account in GCP.
- Configure the GCP Cloud in Workspot Control.

These are covered in detail below.

### Create a GCP Project

The *project*resource is an organizing entity required by Google Cloud, and forms the basis for creating, enabling, and using all Google Cloud services, managing APIs, enabling billing, adding, and removing collaborators, and managing permissions.

In the GCP Organizational Structure, a Project can be in a Folder or directly under the Organization. The diagram below shows an example of Google Cloud resource hierarchy in its complete form.

![Organizational structure of a company showing departments, teams, projects, and resources.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/1_shYs8Kxi_BU2JHHeyRUGqA.jpg)

*GCP organizational structure.*

To be able to create a project, you must have the `resourcemanager.projects.create` permission. This permission is included in roles like the Project Creator role (roles/resourcemanager.projectCreator). To create a new project, see Google’s documentation, [Creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects#console).

#### Enable the Compute API

In your project, enable the Compute API in the Google Cloud Console. This will create the default Compute Service Account and also create a default VPC network with subnets.

To enable Compute API in Google Cloud Console, go to “Compute Engine > VM Instances > enable Compute API.”

#### Delete the Default Network

When a new project is initiated, GCP automatically generates a default network, which is an auto-mode VPC network containing one subnet in each region. It's advisable to manually remove this VPC network to maintain a tidy environment before proceeding.

(Alternatively, you can implement the "compute.skipDefaultNetworkCreation" policy Constraint at the organizational or Folder level where you intend to establish the new project for Test Drive purposes. Once applied, any new projects created within the designated folder will not be equipped with a default network. However, existing projects created before the implementation of this constraint are unaffected by this modification.)

### Create a Service Account in the Project

The service account will be used by Workspot Control to communicate with your GCP project for managing resources. We will use the Compute Engine Default Service Account when connecting a GCP project to Workspot Control.

![](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/image(64).png)

To create a service account:

Go to IAM and Admin > Service Account

- Click on the three dots next to the Default Service Account
- Select “Manage Keys.”
- Click “Add Key > Create New Key.”
- Set Key Type to JSON.
- Save the JSON file to a local directory.

For more details, see [GCP: Creating a Service Account With Custom Permissions for Workspot Control](/v1/docs/gcp-creating-a-service-account-with-custom-permissions-for-workspot-control).

> **Note:**Editor permission is adequate to deploy the Test drive project, however in case a new Service Account needs to be created later, Owner permission will be required for the user at the Project Level.

### Configure the GCP Cloud in Workspot Control

Return to the “Setup > Cloud > Add Public Cloud” page in Workspot Control.

![Form for adding a public cloud provider with required fields and options.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/gcp-terraform-02(1).png)

Fill out the form. From top to bottom:

- Type a name for your GCP project (which Control calls “a Public Cloud”). “GCPcloud” is shown in the example.
- Leave “Use Secure Cloud Proxy” unchecked.
- Set “Configuration Type” to “Google Cloud Platform.”
- Click “Import Service Account.”
- In the popup, click “Choose File, ” select the JSON file you saved in the previous section, and click “Import File.”
  - This will populate the “Project ID,” “Service Account ID,” and “Service Account User” fields.
- Select a GCP region to use as your main region.
- Leave “Use Shared VPC” and “Host Project ID” unchecked.
- Click “Save.”
- Control can now communicate with GCP.

## Installing and configuring Terraform

To create the Workspot deployment, including subnets, servers, an Active Directory Domain Controller, and a Workspot Enterprise Connector, you must first install Terraform on your local Windows device.

- Download the Terraform file from [https://developer.hashicorp.com/terraform/install](https://developer.hashicorp.com/terraform/install).
- Extract the file into `c:\Terraform.`
- The next step is to set up environmental variables.
- Under System properties (View Advanced System Settings) – Advanced- Environmental Variables

![System Properties window showing Advanced settings and Environment Variables option highlighted.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/image018.png)

- Under User Variables for `UserName`
- Click on Path and edit, then select New and key in the path where you have the terraform.exe copied (c:\Terraform)

![User variables for 'praveenj' displayed in Windows environment variables settings.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/image019.png)

- Once it is applied, open a PowerShell window.
- Type `terraform version`
  - It should display the version of Terraform if the environmental variable is set correctly.
- Download `GCP_Terraform_SingleRegion.zip`

[](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/GCP_Terraform_SingleRegion.zip)GCP_Terraform_SingleRegion3.36 KB[**](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/GCP_Terraform_SingleRegion.zip)

- Extract the files to the local folder where you want the project files to be located. There are three configuration files:

![List of Terraform files with their types and compressed sizes displayed in a table.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/terraform-zip.png)

- Go to the folder with the three newly extracted files shown above.
- Copy the JSON file you saved earlier in [Create a Service Account in the Project](/v1/docs/getting-started-with-google-gcp#create-a-service-account-in-the-project) to this folder.
- Set the variables in the the top section of `terraform.tfvars` file.
  - Open it in Notepad++ (or the text editor of your choice).
  - Edit the values as in the first few lines to match your deployment.
    - (See the file for guidance about the form each line takes, which helps to identify what is being asked for.)
    - project_id: GCP project ID.
    - region1: the GCP region in which you’re deploying Workspot.
    - zone: a zone within the region.
    - serviceaccount: the full name of the Service Account.
    - source_Project_id: the Source Project ID from which Images should be copied.
    - templatesourcedisk: location of Windows 11 images.
    - source_project_Location: the GCP region of the Source Project.
    - src_credential_path: The service account JSON of the Source Project.
  - Save and close the file.

![Configuration details for a GCP project including service account and image paths.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/terraform-tfvars.png)

### Deploying the Workspot for Google GCP Landing Zone

- Open a PowerShell window if you haven’t done this already.
- Go to directory with the configuration files from `GCP_Terraform_SingleRegion.zip`.

- To initialize Terraform, enter `terraform init.`

![Command line interface showing successful initialization of Terraform for infrastructure management.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/terraform-init.png)

- Once the initialization is completed, type`terraform apply`
- This will first list the changes that will be made (shown below in three screen shots) and then ask for permission to proceed:

![Terraform execution plan showing firewall rules for Google Cloud Platform resources.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/Picture3.png)

![Terraform configuration for Google Cloud subnet with various parameters listed.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/Picture4a.png)

![Terraform plan showing 23 resources to add, awaiting user confirmation to proceed.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/image025.png)

- If you see any errors above, fix them before proceeding. However, if you see only warnings, you can ignore them if they don’t seem important.
  - To exit the deployment instead of proceeding, just press ENTER without answering “yes.”
- Answer `yes `to the question “Enter a value” if you are ready to perform the changes listed by Terraform.
- Wait for the process to complete.

#### In Case of Errors

- If you see Errors during the deployment, the script will automatically exit.
- If most of the components have been deployed and the error is with just one or two components, try running `terraform apply` again. This should usually create the remaining components.
- If the above step doesn’t help, then there could be some genuine errors in the configuration files.
  - Try to fix them.
  - Once fixed, make sure to run the `terraform destroy` command to clean up the filed infrastructure.
  - Run `terraform apply` again.

### Actions Performed by Terraform

The Terraform script deploys the following resources:

- Creates a VPC - "ws-tfproject-vpc" with address space 10.0.0.0/16. (See [https://cloud.google.com/vpc/docs/create-modify-vpc-networks#create-custom-network.)](https://cloud.google.com/vpc/docs/create-modify-vpc-networks#create-custom-network.))
- Creates the following subnets (See [https://cloud.google.com/vpc/docs/create-modify-vpc-networks#subnet-rules](https://cloud.google.com/vpc/docs/create-modify-vpc-networks#subnet-rules)).
  - subnet-reg1-dmz - 10.0.0.144/28
  - subnet-reg1-mgmt - 10.0.0.128/28
  - subnet-reg1-vm - 10.0.0.0/25
- Creates NAT Routers and Gateways and apply them to the VM subnets (See [https://cloud.google.com/nat/docs/overview).](https://cloud.google.com/nat/docs/overview).)
- Creates Firewall Rules (See [https://cloud.google.com/firewall/docs/firewalls#firewall-rules-in-google-cloud).](https://cloud.google.com/firewall/docs/firewalls#firewall-rules-in-google-cloud).)
  - allow-egress-all – To open outbound traffic to the internet (0.0.0.0/0)
  - allow-internal-all – To allow traffic within the VPC Network.
  - allow-metadata-service – to enable communication to the metadata.google.internal service (169.254.169.254)
  - allow-3389-jump server – to enable RDP access to the jump server.
- Copies Windows 10 Image for Template from Source Project.
- Copies Windows 11 Image for Template from Source Project.
- Copies an AD Image from Source Project.
- Copies the App Server Image from the Source Project.
- Creates a Utility Server.
- Creates a Server to deploy EC.
- Creates a Static IP for AD Server - 10.0.0.135.
  - Creates an AD Server from the AD Image with Static IP - 10.0.0.135.
- Creates a Cloud Application Server.
- Creates a Project level-Metadata Entry: domain-controller-addresses: 10.0.0.135.

## Completing the Configuration

### Configure the AD Domain Controller

- Configure the [AD Domain Controller](/v1/docs/ad-server-configuration). Do this first; the steps below depend upon it.

### Install and Configure Workspot Enterprise Connector

The Terraform script has created a server for Workspot Enterprise Connector named `ws-ec1`.

- Sign into ws-ec1.
  - Username: Administrator
  - Password: Workspot@1601
- Once you log in, Set the machine DNS to point to the AD server 10.0.0.135.
- Install Java Runtime.****Connector requires the Java Runtime Environment. Workspot recommends Azul Zulu OpenJDK. As of July 4, 2025, we require version 8.58 *and*version 21.0.7, but the requirement for 8.58 will be removed soon.
  - Download and install [https://cdn.azul.com/zulu/bin/zulu8.58.0.13-ca-jre8.0.312-win_x64.msi](https://cdn.azul.com/zulu/bin/zulu8.58.0.13-ca-jre8.0.312-win_x64.msi)
  - Download and install [h](https://cdn.azul.com/zulu/bin/zulu21.42.19-ca-jre21.0.7-win_x64.msi)[ttps://cdn.azul.com/zulu/bin/zulu21.42.19-ca-jre21.0.7-win_x64.msi](https://cdn.azul.com/zulu/bin/zulu21.42.19-ca-jre21.0.7-win_x64.msi)
- After Azul Zulu is installed, join the machine to the Domain and reboot the server.
- Next, [Create Workspot Enterprise Connector](/v1/docs/create-workspot-enterprise-connector).

### Finish Configuration Using Workspot Control

- Create a Workspot Managed Gateway via Workspot Control. See [Managed Gateways (Gateway Clusters)](/v1/docs/managed-gateways-gateway-clusters).
- Create a Desktop Pool. See [Control: Desktop Pools](/v1/docs/control-desktop-pools).
- Download and use the Workspot Client. See [Workspot Client Downloads](https://www.workspot.com/support/client-download/) and [User Self-Registration and Resource Entitlements](/v1/docs/user-self-registration-and-resource-entitlements).
- (Optional) Create an Application Server Pool. See [Workspot Application Server Pools (Cloud App Pools)](/v1/docs/workspot-application-server-pools-cloud-app-pools)
- (Optional) Create Web Applications. See [The Workspot Browser and Web Applications](/v1/docs/the-workspot-browser).

## Next Steps

You have created a complete, working Workspot for Google GCP deployment.

Your next steps are:

- To test this deployment thoroughly.
- To plan your production deployment that dovetails with your corporate networking, authentication, and other requirements.

## Deleting the Infrastructure:

Using the Terraform command, we can also remove the resources we have built earlier if we are done with the deployment.

> **Note:**The Terraform Destroy command will only delete what was created by Terraform. Resources created outside Terraform, Gateways, Template, Pool VDIs, or any other will need to be deleted manually *first,* before running the Terraform destroy command.

To destroy the previously created resources, follow the instructions:

- Open the command prompt and change the directory to where you have the project-related terraform files are placed.
- To initialize Terraform, enter `terraform init.`
- Once Terraform is initialized, enter `terraform destroy`*.*This will list the infrastructure details that will be destroyed.
- Type Yes to give the final confirm to delete the resources.
- Any components built in the GCP Account using anything except Terraform must be deleted manually.