Citrix DAAS | 2402 CU1 | MCS-Unable to create machine catalog on GCP with shared VPC

Article ID: CTX695926

Description

While creating a Machine Catalog, the following error appears:

Error:
“Unable to find valid INGRESS and EGRESS quarantine firewall rules for VPC ‘xxxxxxxxx’ in project ‘xxxxxxxx’. Please ensure you have created ‘deny all’ firewall rules with the network tag ‘citrix-provisioning-quarantine-firewall’ and proper priority.”


Configure the firewall rules exactly as described in the Citrix documentation before troubleshooting further: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/2411/install-configure/machine-catalogs-create/create-machine-catalog-gcp.html#firewall-rules

In the reported case the following had already been checked:

IAM Permissions:

  • The primary Citrix Service Account has been granted the Compute Admin and Service Account User roles.
  • Both the primary Citrix Service Account and the Cloud Build Service Account have been granted the Compute Network User role.


Firewall Rules:

  • Both the Ingress and Egress quarantine rules were created as deny-all rules (both directions must deny, as the error message states).
  • Both rules use the exact target tag: citrix-provisioning-quarantine-firewall.
  • Both rules were assigned priority values that were assumed to be high enough (in GCP a lower number means a higher priority).
  • All other rule parameters (source, destination, ports) have been checked and found to be correct.

Cause

The issue occurs because the quarantine firewall rules were not configured with the highest priority (the lowest numeric value), so the provisioning plugin does not recognise them as the quarantine rules for the VPC.

Resolution

GCP firewall rule priorities range from 0 to 65535, where a lower value means a higher priority. If a priority is not explicitly set, GCP assigns the default value of 1000.

During catalog creation, the Citrix provisioning plugin evaluates the firewall rules on the VPC and selects the rule with the highest priority (lowest numeric value). If other rules exist on the VPC, the plugin may not identify the intended quarantine rules when their priority value is greater than or equal to the default of 1000, because another rule is evaluated ahead of them.

Set the priority of both quarantine firewall rules to 0. In a shared VPC the rules are defined in the host project that owns the VPC, so update them there rather than in the service project that hosts the machines. Priority 0 is the highest value GCP allows, and because the rules only target instances tagged citrix-provisioning-quarantine-firewall they do not affect other workloads on the VPC. This ensures the rules are selected correctly by the Citrix provisioning plugin and resolves the catalog creation failure.
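The following script is an added example, not part of this article or of Citrix's provisioning plugin. It applies the priority logic described above to the JSON that `gcloud compute firewall-rules list --project <host-project> --format=json` produces: it finds the deny-all rules tagged citrix-provisioning-quarantine-firewall in each direction, flags any that are not at priority 0, and also reports allow rules that GCP would evaluate ahead of them (a strictly lower number; on a tie GCP lets a deny rule win, so equal-priority allows are not reported). The sample rule list is constructed for the example, and the script assumes the preparation VM carries only the quarantine tag; the field names (`direction`, `priority`, `denied`, `targetTags`, ...) are those of the gcloud JSON output.

```python
"""Check Citrix MCS quarantine firewall rules in a GCP (shared) VPC host project.

Input: the JSON produced by
  gcloud compute firewall-rules list --project <host-project> --format=json
Added example for this article; not Citrix code.
"""
import json
import sys

QUARANTINE_TAG = "citrix-provisioning-quarantine-firewall"
REQUIRED_PRIORITY = 0          # value the article tells you to set
GCP_DEFAULT_PRIORITY = 1000    # what GCP assigns when --priority is omitted

# Constructed sample, NOT real gcloud output: host project "host-proj", shared
# VPC "shared-vpc". The quarantine rules were created without --priority, so
# they sit at 1000 next to an allow-all internal rule at 900.
NET = "https://www.googleapis.com/compute/v1/projects/host-proj/global/networks/shared-vpc"
SAMPLE_RULES_JSON = json.dumps([
    {"name": "citrix-quarantine-ingress", "direction": "INGRESS", "priority": 1000,
     "network": NET, "denied": [{"IPProtocol": "all"}], "sourceRanges": ["0.0.0.0/0"],
     "targetTags": [QUARANTINE_TAG], "disabled": False},
    {"name": "citrix-quarantine-egress", "direction": "EGRESS", "priority": 1000,
     "network": NET, "denied": [{"IPProtocol": "all"}], "destinationRanges": ["0.0.0.0/0"],
     "targetTags": [QUARANTINE_TAG], "disabled": False},
    {"name": "allow-internal", "direction": "INGRESS", "priority": 900,
     "network": NET, "allowed": [{"IPProtocol": "all"}], "sourceRanges": ["10.0.0.0/8"],
     "disabled": False},
    {"name": "allow-ssh", "direction": "INGRESS", "priority": GCP_DEFAULT_PRIORITY,
     "network": NET, "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "sourceRanges": ["35.235.240.0/20"], "disabled": False},
])


def network_name(rule):
    """Last path element of the network URL, e.g. 'shared-vpc'."""
    return rule.get("network", "").rsplit("/", 1)[-1]


def is_deny_all(rule):
    """True for a rule that denies every protocol and allows nothing."""
    if rule.get("allowed"):
        return False
    return any(d.get("IPProtocol") == "all" and not d.get("ports")
               for d in rule.get("denied", []))


def applies_to_quarantined_vm(rule):
    """A rule reaches the tagged preparation VM if it targets every instance
    (no target tags / service accounts) or names the quarantine tag.
    Assumption: the preparation VM carries only the quarantine tag."""
    tags = rule.get("targetTags", [])
    if not tags and not rule.get("targetServiceAccounts"):
        return True
    return QUARANTINE_TAG in tags


def find_quarantine_rules(rules, network):
    """Map direction -> the enabled deny-all quarantine rule on `network` with the
    lowest priority number (the one GCP and the plugin would pick first)."""
    best = {}
    for r in rules:
        if r.get("disabled") or network_name(r) != network:
            continue
        if QUARANTINE_TAG not in r.get("targetTags", []) or not is_deny_all(r):
            continue
        d = r["direction"]
        if d not in best or r["priority"] < best[d]["priority"]:
            best[d] = r
    return best


def check_quarantine(rules_json, network):
    """Return a list of problems; an empty list means the rules look right."""
    rules = json.loads(rules_json)
    problems = []
    found = find_quarantine_rules(rules, network)
    for direction in ("INGRESS", "EGRESS"):
        q = found.get(direction)
        if q is None:
            problems.append(f"{direction}: no enabled deny-all rule tagged "
                            f"{QUARANTINE_TAG} on {network}")
            continue
        if q["priority"] != REQUIRED_PRIORITY:
            problems.append(f"{direction}: {q['name']} has priority {q['priority']}, "
                            f"expected {REQUIRED_PRIORITY}")
        # GCP evaluates the lowest number first; on a tie a deny beats an allow,
        # so only strictly lower-numbered allow rules can get ahead of quarantine.
        for r in rules:
            if (r is not q and not r.get("disabled") and network_name(r) == network
                    and r["direction"] == direction and r.get("allowed")
                    and applies_to_quarantined_vm(r) and r["priority"] < q["priority"]):
                problems.append(f"{direction}: {r['name']} (priority {r['priority']}) "
                                f"is evaluated before {q['name']}")
    return problems


def set_quarantine_priority(rules_json, priority=REQUIRED_PRIORITY):
    """Return the rule list with every tagged deny-all rule moved to `priority`,
    i.e. the state after `gcloud compute firewall-rules update NAME --priority=0`."""
    rules = json.loads(rules_json)
    for r in rules:
        if QUARANTINE_TAG in r.get("targetTags", []) and is_deny_all(r):
            r["priority"] = priority
    return json.dumps(rules)


if __name__ == "__main__":
    # usage: python check_quarantine.py [rules.json] [network-name]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES_JSON
    net = sys.argv[2] if len(sys.argv) > 2 else "shared-vpc"
    for line in check_quarantine(data, net) or ["OK: quarantine rules look correct"]:
        print(line)
```

Run it against the host project's rule list (`gcloud compute firewall-rules list --project <host-project> --format=json > rules.json`, then `python check_quarantine.py rules.json <vpc-name>`); on the constructed sample it reports both quarantine rules at 1000 and the allow-internal rule at 900 overtaking the ingress rule, and reports nothing once the two rules are moved to priority 0.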

Issue/Introduction

This article describes the creation of a machine catalog in GCP when using a shared VPC, where the machines are hosted in one (service) project and the firewall rules are applied in a different (host) project.

Additional Information

https://docs.cloud.google.com/firewall/docs/firewalls#priority_order_for_firewall_rules