Apache Guacamole on GKE and Cloud SQL

Last reviewed 2025-01-09 UTC

Apache Guacamole offers a fully browser-based way to access remote desktops through Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and Secure Shell Protocol (SSH) on Compute Engine virtual machines (VMs). Identity-Aware Proxy (IAP) provides access to Guacamole with improved security.

This reference architecture document is intended for server administrators and engineers who want to host Apache Guacamole on Google Kubernetes Engine (GKE) and Cloud SQL. This document assumes you are familiar with deploying workloads to Kubernetes and Cloud SQL for MySQL. This document also assumes you are familiar with Identity and Access Management and Google Compute Engine.

Note: Apache Guacamole is not a full Virtual Desktop Infrastructure (VDI) solution by itself. For alternative solutions that provide a full VDI, see Virtual Desktops Solutions.

Architecture

The following diagram shows how a Google Cloud load balancer is configured with IAP to protect an instance of the Guacamole client running in GKE:

Architecture for Google Cloud load balancer configured with IAP.

This architecture includes the following components:

  • Google Cloud load balancer: Distributes traffic across multiple instances, which reduces the risk of performance issues.
  • IAP: Provides improved security through a custom authentication extension.
  • Guacamole client: Runs in GKE and connects to the guacd backend service.
  • Guacd backend service: Brokers remote desktop connections to one or more Compute Engine VMs.
  • Guacamole database in Cloud SQL: Manages configuration data for Guacamole.
  • Compute Engine instances: VMs hosted on the Google infrastructure.

Design considerations

The following guidelines can help you to develop an architecture that meets your organization's requirements for security, cost, and performance.

Security and compliance

This architecture uses IAP to help protect access to the Guacamole service. Authorized users sign in to the Guacamole instance through a custom IAP authentication extension. For details, see the custom extension in GitHub.

When you add additional users (through the Guacamole user interface), these additional users must have permissions through IAM, with the IAP-secured Web App User role.

The OAuth configuration that this deployment creates is set to internal. Because of this setting, you must use a Google account in the same organization as the one you use to deploy Guacamole. If you use a Google account outside the organization, you receive an HTTP/403 org_internal error.

Performance

The Google Cloud load balancer and GKE distribute traffic across multiple instances, which helps to reduce the risk of performance issues.

Deployment

To deploy this architecture, see Deploy Apache Guacamole on GKE and Cloud SQL.

Contributors

Author: Richard Grime | Principal Architect, UK Public Sector

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-01-09 UTC.