Enabling Private Desktop Access

Secure Desktops provides an option to enable desktop access through a private network.

The administrator can enable private desktop access within Oracle Cloud Infrastructure from a virtual cloud network (VCN) or on-premises network by using a private endpoint. A private endpoint is a private IP address within your VCN that you can use to access a given service within Oracle Cloud Infrastructure. A private endpoint is represented as a private IP address within a subnet in your VCN.

When creating a desktop pool, the desktop administrator can enable desktop access using the private endpoint configured in the VCN.

Note

This feature can only be enabled when creating new desktop pools.

Prerequisites

Complete the following steps before creating a desktop pool with a private endpoint:

  1. Set required policies for the resources you are working with. Depending on your compartments, additional policies may be required.

    The <private-access-network-compartment> is the compartment containing the VCN and subnet used for private access.

    • If this compartment is the same as the <desktops-network-compartment>, then no new policies are required.
    • If this compartment is different than the <desktops-network-compartment>, you must add the following service-level policies:
      Allow dynamic-group <dynamic-group> to use virtual-network-family in in compartment <private-access-network-compartment>
      Allow dynamic-group <dynamic-group> to {VCN_ATTACH, VCN_DETACH} in compartment <private-access-network-compartment>
  2. Create a VCN within the region that will access your desktop pools. For more information, see VCNs and Subnets. The VCN must be in the region where you plan to create the desktop pool.
  3. Configure a subnet within your VCN configured with default DHCP options. See DNS in Your Virtual Cloud Network for more information.
    Note

    • The private access subnet and desktop pool subnet can be provisioned in the same VCN or in different VCNs.
    • Private access and desktop pool access can be provisioned in the same subnet.
    • Desktop access from an on-premises network requires available address space in the VCN for additional subnets, if needed for host name resolution.
  4. (Optional) Specify a Network Security Group (NSG) within your VCN. The NSG specifies rules for connectivity to the service. See Network Security Groups for more information.

DNS Settings

Private Endpoint Desktop Pool access will be through an IP address in a DNS zone in this format:

private.devices.desktops.<region-id>.oci.oraclecloud.com

On-premises clients must have the ability to resolve DNS entries for the above zone. To do this, a DNS listener must be configured on a subnet with the DNS resolver type set to Internet and VCN Resolver.

VCN DNS Listener Setup

  1. Edit the subnet to set the following DHCP options:
    • For DNS Type, select Internet and VCN Resolver.
    • DNS Servers: Not needed

    For more information, see To update options in an existing set of DHCP options.

  2. Create a VCN DNS Resolver Endpoint.

    This resolver endpoint can used for forwarding and listening to DNS queries to or from another private DNS system such as a peered VCN or an on-premises network.

    • Select a name for the endpoint.
    • Select the Listening endpoint type.
    • Select a subnet for the endpoint from the pull-down list. Select the subnet with "Internet and VCN Resolver" DHCP

    For more information, see Creating a Resolver Endpoint.

  3. Create a security list for the VCN to set the following ingress rules to allow DNS:
    • Stateless=No
    • Source=0.0.0.0/0
    • IP Protocol=TCP
    • Source Port Range=All
    • Destination Port Range=53
    • Allows TCP traffic for ports: 53 Domain Name System (DNS)

    For more information, see Creating a Security List.

On-premises DNS Setup

After the DNS listener is configured, the DNS server used by on-premises clients must be configured to use the DNS listener IP address created above.

Configure your on-premises intranet DNS server with conditional DNS forwarding to the DNS listener configured in the VCN, and specify the zone name:

private.devices.desktops.<region-id>.oci.oraclecloud.com

Creating a Desktop Pool with the Private Endpoint

To create a desktop pool using the private endpoint, the desktop administrator provides the following private access details during desktop pool creation using the Secure Desktops console or API.

  • Virtual Cloud Network (VCN).
  • Subnet for private access.
  • (Optional) IP address to be assigned to the private endpoint. If not defined, an IP address is automatically assigned. Secure Desktops defines the fully qualified domain name for the IP address.
  • (Optional) One or more Network Security Groups (NSGs) for additional control of network traffic.

For more information, see Creating a Desktop Pool.

Note

To provide private access for multiple pools in the tenancy, multiple private endpoints are supported. The DNS name for each private pool endpoint will be unique and in the form:

<pool-specific-id>.private.devices.desktops.<region-id>.oci.oraclecloud.com

FastConnect

Private desktop access occurs through the use of Oracle Cloud Infrastructure FastConnect private peering. FastConnect provides an easy way to create a dedicated, private connection between your on-premises data center and Oracle Cloud Infrastructure, with port speeds from 1G to 400G and no per-byte charge for data movement. FastConnect provides higher-bandwidth options, and a more reliable and consistent networking experience compared to internet-based connections.

For more information about FastConnect private peering, including tenancy requirements, networking scenarios, and configuration, see FastConnect.

Dynamic Routing Gateway

FastConnect private peering (using a private virtual circuit) requires a Dynamic Routing Gateway (DRG).

A DRG is a virtual edge router attached to your VCN. The DRG is a single point of entry for private traffic coming in to your VCN, whether it's over FastConnect or a Site-to-Site VPN link. After creating the DRG, you must attach it to your VCN and add a route for the DRG in the VCN's route table to enable traffic flow.

A DRG includes a VIRTUAL_CIRCUIT network attachment type. You can attach one or more FastConnect virtual circuits to your DRG to connect to on-premises networks.

Use the Oracle Cloud Infrastructure Console to set up a DRG, attach it to your VCN, and update routing in your VCN to include a route rule to send traffic to the DRG. It's easy to forget to update the route table. Without the route rule, no traffic will flow.

For more information see:

Once the DRG is set up, create a private virtual circuit in FastConnect, selecting the DRG to route the FastConnect traffic to. For more information, see Getting Started with FastConnect .