Configuring Workspace to Access the Internet

Scenario

After you purchase a cloud desktop, the cloud desktop is in the VPC subnet by default and cannot access the Internet. You need to configure the NAT gateway to share an EIP so that users can access the Internet from the cloud desktop after accessing the cloud desktop. If the cloud desktop has multiple service subnets, the Internet function must be enabled for each service subnet. When a user logs in to a cloud desktop in a subnet for which the Internet is not enabled, the user cannot access the Internet from the desktop.

This section described how to enable the Internet using the purchasing NAT and EIP pages provided by Workspace. You can also access the NAT or EIP page to purchase the service to enable the Internet by referring to How Do I Enable the Internet on Other Cloud Service Pages?

Prerequisites

• You have obtained the region, project, VPC, and subnet information of the desktop that needs to access the Internet.
• You have the permission to perform operations on the NAT and EIP services.
  

  • By default, a Huawei account has the operation permissions on all Huawei Cloud services.
  • To use NAT and EIP, the IAM account created under the Huawei account must be added to the admin user group or a user group with NAT and EIP operation permissions. Go to the IAM page to check whether the user belongs to the admin user group. If not, grant the IAM account the permission to use the NAT and EIP services. For details, see Creating a User and Granting NAT Gateway Permissions and Creating a User and Granting EIP Permissions.

Procedure

1. Log in to the Workspace console.
2. Check whether the Internet access address is enabled.
   

   After a desktop is purchased, the Internet access address is enabled by default.

   1. In the navigation pane on the left, choose Tenant Configuration.
   2. Check the status of Internet access address.
      • If the IP address is displayed, the Internet access address is enabled. Go to 3.
      • If Disable is displayed, the Internet access address is disabled. Click Enable and go to 3.
        

        After the Internet access address is disabled, you can enable Internet access address again. After the function is enabled again, the IP address changes. You need to notify the desktop user to use the new IP address to access the desktop.

3. Check whether the desktop can access the Internet.
   1. In the navigation pane on the left, click Desktop Management.
   2. Check the Enabling the Internet column of the target desktop.
      • If the value is disabled, end users cannot access the Internet through cloud desktop. In this case, go to 4.
      • If the value is enabled, end users can access the Internet through the cloud desktop. In this case, skip subsequent operations.

4. In the navigation tree on the left, click Desktop Internet Access Management.

   The desktop Internet access management page is displayed.

5. In the upper right corner of the page, click Enabling the Internet.

   The Internet configuration page is displayed, as shown in Figure 1.

   Figure 1 Enabling the Internet
   

6. Configure network parameters by referring to Table 1. Retain the default values for parameters not listed.

   Table 1 Internet parameters

   Parameter	Description	Example Value
   Billing Mode	The billing mode of Internet resources that can be purchased are Pay-Per-Use.	Pay-Per-Use
   Network	Select the virtual subnet to which the desktop to be enabled with the Internet function belongs.	-
   NAT Gateway	The name of the public NAT gateway. If the cloud desktop has multiple service subnets: You need to configure NAT for each service subnet. Multiple service subnets can share the same NAT or has their own independent NAT. Select an existing NAT or create a NAT as required. The NAT gateway name can contain a maximum of 64 characters and include only digits, letters, underscores (_), and hyphens (-). If the cloud desktop has only one service subnet: If a public NAT gateway has been configured for the virtual subnet, you do not need to configure this parameter. If no public NAT gateway is configured for the virtual subnet, you need to customize the NAT gateway name. The name can contain a maximum of 64 characters and include only digits, letters, underscores (_), and hyphens (-).	NATNetname-workspace_subnet01
   NAT Gateway Specifications	The specification of the public NAT gateway If an existing NAT gateway is used, you do not need to configure this parameter. To create a NAT gateway, you need to configure the NAT gateway specifications. There are four specifications of NAT gateways: small, middle, large, and xlarge. You can click Find out more on the page to view details about each specification.	small
   EIP Name	The name of the EIP.	EIP-workspace_subnet01
   Public Network Bandwidth	Select the bandwidth billing mode based on the service scenario. Bandwidth-based charging: You need to specify a bandwidth limit and pay for the amount of time you use the bandwidth. This is suitable for scenarios with heavy or stable traffic. Traffic-based charging: You specify a maximum bandwidth and pay for the total traffic you generate. This is suitable for scenarios with light or sharply fluctuating traffic.	Traffic-based charging
   Bandwidth (Mbit/s)	Select a bandwidth size. If you pay by traffic, you can customize the value from 1 Mbit/s to 300 Mbit/s.	99

7. Click OK.

   After configuring the parameters, you can view the Internet information configured for the corresponding service subnet on the Desktop Internet Access Management page.

   

   • If the current tenant VPC has multiple service subnets and cloud desktops in each service subnet need to access the Internet, enable the Internet for each service subnet by referring to 5 to 7.
   • If multiple NAT gateways are created in the same VPC, ensure that the default route to all NAT gateways is configured in the route table. For details, see

8. (Optional) Configure DNS forwarding.

   If a Windows AD server is connected, you need to configure DNS domain name resolution on the Windows AD server. For details, see 8.a to 8.j. If no Windows AD is connected, skip the following operations.

   1. Log in to the DNS server as the administrator.
   2. On the taskbar in the lower left corner, click .
   3. Click on the right of the Start menu.
   4. The Server Manager window is displayed.
   5. In the navigation pane on the left, click DNS.
   6. In the SERVERS area, right-click a Server name and choose DNS Manager from the shortcut menu.
   7. The DNS Manager dialog box is displayed.
   8. Expand DNS. Right-click the computer name, and choose Properties from the shortcut menu.
   9. On the Advanced tab page, deselect Disable recursion (also disable forwarders) and click Apply.
   10. On the Forwarder tab page, click Edit, enter the default DNS server IP address of the desktop region in the text box, and click OK.
       

       The default DNS server IP address of the desktop region can be obtained from What Are Huawei Cloud Private DNS Server Addresses?.

9. Notify end users to use the Internet access address to access cloud desktops.

Follow-up Operations

When a user does not need to access the Internet, delete the SNAT bound to the EIP, delete the NAT, and release the EIP to disable the Internet to save resources.

After SNAT is deleted, Workspace cannot access the Internet. Determine whether to delete the NAT and EIP as required.

1. Log in to the Workspace console.
2. On the Desktop Internet Access Management page, click Disable the Internet.

   The page for disabling the Internet is displayed, as shown in Figure 2.

   Figure 2 Disabling the Internet
   

   Record the NAT gateway name and the EIP bound to the SNAT rule. After the SNAT rule is deleted, the EIP is unbound from the SNAT rule. You need to delete the corresponding EIP and NAT gateway on the EIP list and NAT gateway list.

3. Click Go to cancel.

   The SNAT rule list is displayed.

Deleting an SNAT Rule

4. Locate the SNAT rule bound to the EIP used by the cloud desktop and click Delete in the Operation column.

   You can determine which SNAT needs to be deleted based on the EIP recorded in 2.

5. In the displayed dialog box, click Yes.

(Optional) Deleting a NAT

Multiple SNAT and DNAT rules can be created for a NAT, and the NAT can be deleted only after all related SNAT and DNAT rules are deleted. Determine whether to delete the NAT as required. If you decide to delete the NAT, delete it when it is used only by the cloud desktop of the current subnet.

6. Click in the upper left corner to return to the public NAT gateway list.
7. Locate the public NAT gateway to be deleted and choose More > Delete in the Operation column.
   

   All SNAT and DNAT rules created for the public NAT gateway must be deleted.

8. In the displayed dialog box, click Yes.

Deleting an EIP

9. In the navigation pane on the left, choose Elastic IP and Bandwidth > EIPs.

   The EIP list is displayed.

10. Select the EIP recorded in 2.
11. In the upper part of the list, choose More > Release.
12. In the displayed dialog box, click Yes.