Google Cloud Platform
Overview
The Bring Your Own Google Cloud Platform (BYO GCP) feature allows customers to integrate their GCP environment with the Frame Platform, enabling direct deployment of virtual desktops and applications within their own GCP infrastructure. With BYO GCP, customers retain complete control over their cloud resources while leveraging Frame’s orchestration capabilities for seamless workload management. This approach ensures organizations can optimize performance, control costs, and scale their virtual workspaces efficiently to meet evolving business needs.
Setup
Requirements
In order to register your GCP Project (account) with Frame, ensure that you have addressed the following before proceeding:
The GCP Project principal who will execute the Frame-provided
deploy.sh
script has the role of “Owner” or has sufficient permissions to grant the required GCP roles to the Frame Platform service userframe-prod@frame-customer-iaas-prod.iam.gserviceaccount.com
. Once the deploy.sh script is executed, the principal who executed the script is no longer needed for Frame.The specific GCP roles granted to the Frame Platform service user will depend on the desired Frame functionality to be used with your GCP Project.
To use all Frame features, the Frame Platform service user must have the following roles, which are granted when the default
deploy.sh
script is executed:- compute.instanceAdmin
- compute.networkAdmin
- compute.securityAdmin
- compute.storageAdmin
- dns.admin
For customers who must control and manage all GCP networking resources and will only use Frame accounts deployed using customer-managed private networking, the Frame Platform service user must have the following roles, at a minimum. The
deploy.sh
script will need to be modified before the script is executed:- compute/instanceAdmin
- compute.networks.getEffectiveFirewalls
For customers who want to use their own OS images (BYO OS image), rather than Frame-provided images, Frame must be able to list the images in the project, read those images, and create instances from those images. Frame will not delete, tag, or create BYO images. The operations necessitates the Frame Platform service user being granted the role:
- compute.imageUser
You know your GCP Account ID that will be registered with Frame. The GCP Account ID can be found by going to the Dashboard of your GCP console.
Shared VPC
For customers who wish to use GCP Shared VPCs, you will need to register both your GCP Host and Service Projects in Frame.
- GCP Host Project: After the GCP Host Project has been added as a Cloud Account in Frame, the GCP Administrator can remove assigned roles described above and assign the
Compute Network User
role. - GCP Service Project: The GCP Service Project which will use the Shared VPC and specific subnets within the Shared VPC must then be added as a second Cloud Account in Frame.
Once you have registered the two GCP projects, you can configure Frame to share specific subnets from your Shared VPC in your GCP Host Project Cloud Acount with your GCP Service Project Cloud Account.
Both the GCP Host and Service Projects should only be registered (imported) once, even if additional subnets are created later in the Host Project and shared with one or more Service Projects.
Workload VM Service Account
Frame allows customers to attach a GCP service account to each workload VM Frame Platform provisions. The GCP service account can be specified at the Frame Cloud Account level (by default, all VMs created within the Cloud Account will have this service account assigned) or for a specific Frame Account. The service account specified for an Account takes precedence over the service account specified for the Cloud Account.
Once the GCP Cloud Account is registered in Frame, open a support case and specify the name of your Frame Customer (or Organization) entity, name of the GCP Cloud Account, and the GCP service account (email address).
If you want to use a different GCP service account with the specific Frame Account, create the Frame Account and then open a support case with the name of the Frame Account, Frame Vendor ID, and the GCP service account (email address). Once the GCP service account is attached to your Frame Account, you will need to terminate the Sandbox (and any other workload VMs) in the Frame Account in order for Frame Platform to reprovision the workload VMs with the GCP service account.
Before a GCP service account can be attached to each workload VM, the customer must add the role roles/iam.serviceAccountUser
to the Frame Platform service user frame-prod@frame-customer-iaas-prod.iam.gserviceaccount.com
.
Customer-Managed Encryption Keys
Frame allows customers to specify a customer-managed encryption key (CMEK) for encryption of persistent disks at the GCP Cloud Account level or at the Frame Account level. The CMEK specified at the Frame Account level will take precedence over the CMEK specified at the GCP Cloud Account level.
You must open a support case with the name of the GCP Cloud Account or Frame Account and the name of the key used to encrypt the persistent disks.
Adding your Cloud Acount
Procedure
- Navigate to your Google Cloud Platform console by going to https://console.cloud.google.com/.
- Locate and copy the Project ID found in your GCP console Dashboard.
- Go to your Frame Admin Console.
- Navigate to the Customer or the Organization page (depending on where you wish to add the cloud account).
- Click on Cloud Accounts in the left-hand menu.
- Click the Add Cloud Account button on the top-right corner of the page.
- A new window will appear prompting you for the following information:
- Cloud Provider: Select GCP.
- Name: Enter the desired name of your cloud service. This will be the name of the Cloud Account in Frame Console.
- Cloud Project ID: Enter your GCP Project ID in this field.
- Once you have entered the information, click the “Open GCP Cloud Shell" button. A new tab will open, taking you to your GCP Console.
- A prompt will appear asking you to confirm that you trust the Github repo storing the deploy.sh file. Select the Trust checkbox and click “Confirm.”
The GCP Project principal who will execute the Frame-provided deploy.sh script has the role of “Owner” or has sufficient permissions to grant the required GCP roles to the Frame Platform service user frame-prod@frame-customer-iaas-prod.iam.gserviceaccount.com
. Once the deploy.sh script is executed, the principal who executed the script is no longer needed for Frame.
If required, you can modify the deploy.sh script to remove or add specific GCP IAM role/permission lines to grant the required roles, based on your use case (as described in the Requirements).
- After the Cloud Shell has initialized, paste the deployment command into the cloud shell and press “Enter.” You will be asked to authorize the use of your credentials to make a GCP API call. Once the command has completed successfully, you can close the Google Cloud Shell tab.
Navigate back to your browser tab containing your Add new Frame cloud account configuration window and click the “Verify credentials” button.
Once your credentials are verified, you can select the data centers (GCP regions) for your Frame accounts. You may add additional data centers in the future.
Check the box at the bottom informing you of possible resource usage on your GCP cloud infrastructure and then click "Add Account." After a few minutes, you will see your GCP Cloud Account listed as “Ready”.
Now that your GCP Cloud Account is created and accessible within Frame, you will be able to create Frame accounts using this BYO cloud account.
Resources Created During BYO GCP Cloud Account Creation
During the creation of a BYO GCP Cloud Account, Frame will immediately create multiple roles comprised of the minimum required permissions for Frame Platform communication and orchestration with Google API Gateway on behalf of your Google Project. Frame also enables Google's Compute Engine and Cloud DNS APIs.
Service Limits
By default, a newly created GCP account will impose certain service limits on available resources. Depending on the number of the Frame workload VMs required of a given machine type (e.g., number of concurrent users on n1-standard-4-GPU-P4-Windows), how the Frame account is created (e.g., Frame networking with or without an SGA), and whether you use Publish or Quick Publish, you will likely need to adjust the default limits imposed on the GCP account. If these limits are set to values that are lower than what is required by the Frame platform, you can expect certain functions to either fail, or be substantially delayed. The requirements by Frame for these service limits depends on the desired workload and required resources. The recommended service limit increases include the following:
GCP Resource | Recommendation |
---|---|
CPUs and Machine Types | GCP has quota metrics on the total number of CPUs and number of CPUs for specific machine types, on a per-location basis. We recommend you first determine the expected max number of instances by machine type (per Frame account) for your needs. Next, calculate the total number of CPUs based on the expected max number of instances and the required number of CPUs for a specific machine type. If you use Publish, set your CPU quota to 2.2 times the required number of CPUs and specific machine type quotas to 2.2 times your expected max number of instances. The additional 20% will accommodate any additional resources such as Sandboxes, Utility servers, etc. If you use Quick Publish, you can use a minimum factor of 1.X times to calculate the required number of CPUs and the max instances. X is computed as the “Number of production instances created on publish” divided by expected max instances. By default, the “Number of production instances created on publish” value is configured to be 10 VMs. A factor of 1.3-1.5 should be sufficient to account for typical Quick Publishes and overhead. |
Persistent Disk SSD | Frame provisions Persistent Disks for all workload VM disks. These persistent disks are zonal SSDs. Typically, this resource does not need to be modified. To estimate total disk storage consumption, multiply the total number of VMs you expect to provision by the size of the Sandbox VM (e.g., 80 GiB) across all Frame accounts you plan to provision. Number and size of any utility servers, number of Sandbox image backups, number and size of personal drives, and number and size of enterprise profile disks would be additional storage to consider. |
GPU-backed Instances | If you plan to use GPU-backed instances, you will need to increase the specific Virtual Workstation GPU (e.g., “NVIDIA T4 Virtual Workstation GPUs”) quota to the maximum number of workload VMs that will be provisioned. As was discussed in the CPU recommendation, make sure to account for the temporary increase of GPU VMs during a Publish or Quick Publish when the new production VMs with attached GPUs are created and before the old production VMs with attached GPUs are terminated. |
IP Addresses | If a Frame account is created with Frame public networking, each workload VM will have both an ephemeral external IP address and a private IP address. If the Frame account is created using Frame private networking, all workload VMs will only have private IP addresses. If the Frame account is created using Frame private networking with Streaming Gateway Appliance (SGA), then Frame will provision 1 ephemeral external IP address and 1 private IP address for each SGA VM as well as 1 ephemeral external IP address and 1 private IP address for the load balancer in front of the SGA VMs. All of the workload VMs will only have private IP addresses. You will also need to account for the temporary increase of in-use IP addresses during a Publish or Quick Publish when the new production VMs are created and before the old production VMs are terminated. |
Networks | If Frame public networking or Frame private networking is used to create Frame accounts, the number of VPC networks equals the number of Frame accounts. If Frame private networking with SGA is used to create Frame accounts, the required number of VPC networks is two times the number of Frame accounts. For BYO networking, no new networks are created. |
Subnetworks | If Frame networking is used to create Frame accounts, the number of subnetworks equals the number of Frame accounts. For BYO networking, no new subnetworks are created. |
To review all of your quota metrics and current usage on your GCP account, you will need to click on the “IAM & Admin” link in the navigation panel on the left of the GCP console and select “Quotas” at the bottom of the IAM & Admin navigation panel.
Service limit increases may not be necessary for smaller production environments or trial accounts.
Instance Types
Each IaaS provider has a unique naming scheme for their instance types. GCP names their instance types (or “machine types”) based on the “machine type families” they have created for specific workload use cases. More information about machine types and machine type families can be found in GCP's official documentation.
For the latest GCP instances supported by Frame, refer to our Supported Instance Types table.
Resource Naming
Frame provisions the resources below based on a specific naming convention. The resource name value is also saved as value for the tag Name
.
Resource | Resource Name | Example |
---|---|---|
Workload VM | ins-prod-v{vendor_id}-s{server.id} | ins-prod-v53209-s8059811 |
Workload VM root volume | ins-prod-v{vendor_id}-s{server.id} | ins-prod-v53209-s8059811 |
User Volume | usrd-prod-v{vendor_id}-{random 8 characters}-{disk_type} | usrd-prod-v53328-6f4ee921-profile |
User Volume backup (Snapshot) | usrd-snp-prod-v{vendor_id}-d{user_volume_id}-{random 5 characters} | usrd-snp-prod-v53328-d6332356439841759759-915cb |
Image | img-prod-v{vendor_id}-s{server_id}-{image_type}-{random 5 characters} OR img-prod-v{vendor_id}-{image_type}-{random 5 characters} | img-prod-v53272-s8066276-manual-b1896 |
Master Image | img-prod-master_image-src-{source_image_id}-{random 5 characters} | img-prod-master_image-src-123438931-3251 |
VPC | vpc-prod-v{vendor.id}-i{index} | vpc-prod-v53272-i0 |
Subnet | vpc-prod-v{vendor.id}-i{index}-sn | vpc-prod-v53272-i0-sn |
NAT router | vpc-prod-v{vendor.id}-i{index}-nat-router | vpc-prod-v53272-i0-nat-router |
NAT gateway | vpc-prod-v{vendor.id}-i{index}-nat-gateway | vpc-prod-v53272-i0-nat-gateway |
SGA VPC | sga-vpc-prod-{streaming_configuration_id} | sga-vpc-prod-2430 |
SGA subnet | sga-vpc-prod-{streaming_configuration_id}-sn | sga-vpc-prod-2430-sn |
SGA VM | sga-vpc-prod-{streaming_configuration_id}-s{sga_server_id} | sga-vpc-prod-2430-s1658 |
SGA VM root disk | sga-vpc-prod-{streaming_configuration_id}-s{sga_server_id} | sga-vpc-prod-2430-s1658 |
SGA load balancer static public IP | sga-{sga_vpc_id}-static-ip | sga-69830-static-ip |
SGA load balancer target pool | sga-{sga_vpc_id}-target-pool | sga-69830-target-pool |
SGA load balancer forward rule | sga-{sga_vpc_id}-forwarding-rule | sga-69830-forwarding-rule |
{image_type} can be one of the following values:
manual
- for manual backupspublish
- for backups created for publishing purposetest_publish
- for backups created for test publishauto
- for scheduled backupssystem
- for backups created internally in various processes (e.g. cloning, generalization)master
- from a master image
{disk_type} can be one of the following values:
profile
- Enterprise profile diskpersonal
- Personal drive
The Streaming Gateway Appliance (SGA) resource naming applies only to Frame-provisioned and managed SGAs.
Disk Options
Frame supports two types of GCP persistent disk types. By default, Frame provisions zonal performance (SSD) persistent disks (pd-ssd) for VM boot disks and user volumes.
If a customer needs lower cost, albeit slower performing disks, for a given Frame account, the customer can contact Support and request that the Frame account be configured to use zonal balanced persistent disks (pd-balanced) for VM boot disks and user volumes.
Disks of a particular disk type that were provisioned prior to the disk type configuration change will remain as they were provisioned. Therefore, customers are advised to create the Frame account, request Support update the disk type to the desired disk type and terminate the Sandbox, in order for the Sandbox disk to be re-created with the newly configured disk type. Then, verify the Sandbox disk was provisioned with the desired disk type before continuing on to configure the Frame account, including installing applications in the Sandbox and publishing.