In a world of increasing security threats, IBM Cloud offers a variety of solutions to assist you with security and compliance. We have incorporated several IBM Cloud services into our Citrix-DaaS solution, enabling you to easily stand up a secure deployment out of the box. In managing your threat vectors, it is a good idea to have a single point of entry into your VPC. Additionally, having zero exposure to the internet, combined with encryption, helps prevent attackers from compromising your deployments. Centralized logging helps you track down issues in your environment quickly and effectively.

If you require stricter security and compliance standards within your Citrix DaaS deployment on IBM Cloud, you can use these IBM Cloud resources and features to customize your workload security:

  • Bastion host: Provides a secure way to access remote instances within a Virtual Private Cloud (VPC).
  • Client-to-site VPN: Provides client-to-site connectivity, which allows remote devices to securely connect to the VPC network by using an OpenVPN software client.
  • Customer-managed encryption: Protects data while in transit from block storage to the host/hypervisor and while at rest in volumes.
  • Access control lists (ACLs): Used with security groups to restrict access to NIC port ranges.
  • Log analysis: Uses IBM Log Analysis to provide logs all in one place.

Provision a bastion host

A bastion host is an instance that is provisioned with a public IP address and can be accessed via SSH. After setup, the bastion host acts as a jump server, allowing secure connection to instances provisioned without a public IP address.

Before you begin, you need to create or configure these resources in your IBM Cloud account:

  • IAM permissions
  • VPC
  • VPC Subnet
  • SSH Key

To reduce the exposure of servers within the VPC, create and use a bastion host. Administrative tasks on the individual servers are performed by using SSH, proxied through the bastion. Access to the servers and regular internet access from the servers (e.g., software installation) are allowed only with a special maintenance security group that is attached to those servers.

For more information, see Securely access remote instances with a bastion host.

If you want to set up a bastion host that uses Teleport, see Setting up a bastion host that uses Teleport.
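As an added example (not the Citrix-DaaS project's own Terraform), this is the bastion and maintenance security-group pattern just described, expressed with the IBM Cloud Terraform provider. It assumes the operator supplies var.vpc_id (the existing VPC) and var.admin_cidr (the network allowed to reach the bastion on SSH).

```hcl
# Added example, not the project's Terraform; assumes var.vpc_id (VPC id) and var.admin_cidr (operator SSH source).
resource "ibm_is_security_group" "bastion" {
  name = "bastion-sg"
  vpc  = var.vpc_id
}
# Inbound SSH to the bastion only from the admin network, never 0.0.0.0/0.
resource "ibm_is_security_group_rule" "bastion_ssh_in" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = var.admin_cidr
  tcp {
    port_min = 22
    port_max = 22
  }
}
# SGs deny by default: let the bastion open SSH only to maintenance-group members.
resource "ibm_is_security_group_rule" "bastion_ssh_out" {
  group     = ibm_is_security_group.bastion.id
  direction = "outbound"
  remote    = ibm_is_security_group.maintenance.id
  tcp {
    port_min = 22
    port_max = 22
  }
}
# Maintenance group: attached to a server only while it is being administered.
resource "ibm_is_security_group" "maintenance" {
  name = "maintenance-sg"
  vpc  = var.vpc_id
}
# SSH into a maintained server is accepted only from members of the bastion group.
resource "ibm_is_security_group_rule" "maint_ssh_in" {
  group     = ibm_is_security_group.maintenance.id
  direction = "inbound"
  remote    = ibm_is_security_group.bastion.id
  tcp {
    port_min = 22
    port_max = 22
  }
}
# Outbound HTTPS for software installation; no other egress is granted.
resource "ibm_is_security_group_rule" "maint_https_out" {
  group     = ibm_is_security_group.maintenance.id
  direction = "outbound"
  remote    = "0.0.0.0/0"
  tcp {
    port_min = 443
    port_max = 443
  }
}
```

Detach maintenance-sg from a server as soon as the administrative work is done; without it the bastion has no SSH path to that server and the server has no egress to the internet.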

Create a client-to-site VPN for security

The VPN server is deployed in a selected multi-zone region (MZR) and VPC. All virtual server instances in that VPC are accessible from the VPN client.

You can create your VPN server in the same region and VPC where your DaaS deployment resides.

Depending on the client authentication you selected during VPN server provisioning, users can connect to the VPN server by using a client certificate, a user ID with passcode, or both.

Now you can connect to your DaaS VSIs from your local machine(s) by using private IPs only.

Use customer-managed encryption to encrypt your data end-to-end

By default, VPC volumes are encrypted at rest with IBM provider-managed encryption. There is no additional cost for this service. For end-to-end encryption in IBM Cloud, you can also use customer-managed encryption, where you manage your own encryption keys. Your data is protected while in transit from block storage to the host/hypervisor and while at rest in volumes.

Customer-managed encryption is provided in VPC by using IBM Key Protect for IBM Cloud or IBM Hyper Protect Crypto Services (HPCS). The Key Protect or HPCS instance must be created and configured before the order flow within Citrix-DaaS. The Identity volume encryption selection on the Citrix-DaaS order UI is then used to encrypt each identity disk associated with your machine catalog inside Citrix Machine Creation Services (MCS).

Use access control lists to restrict port ranges

By default, Citrix-DaaS deployments create several security groups (SGs) designed to isolate access between NICs. For more information on SGs, see About security groups. There is no inbound access from the internet by default unless you choose to assign floating IPs (FIPs). We recommend setting up a VPN as described in this article rather than using FIPs. Security groups come with a limit of 5 SGs per network interface card (NIC), which leaves some unnecessary port ranges open; these can be further restricted by using access control lists (ACLs).

For more information about using ACLs, see About network ACLs. For information about Citrix-DaaS port ranges, see Technical Paper: Citrix Cloud Communication.
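As an added example (not the Citrix-DaaS project's own Terraform), here is a subnet ACL that closes the ranges the security groups cannot. It assumes var.vpc_id, var.subnet_id and var.subnet_cidr (the DaaS subnet) and var.vpn_client_cidr (the client-to-site VPN address pool); the RDP port stands in for the port list you take from the Citrix communication paper.

```hcl
# Added example, not the project's Terraform. Assumes var.vpc_id, var.subnet_cidr
# (the DaaS subnet), var.subnet_id and var.vpn_client_cidr (client-to-site VPN pool).
# ACLs are stateless and evaluated in order: reply traffic needs its own rule, and
# the final deny closes the ranges that the 5-SG-per-NIC limit leaves open.
resource "ibm_is_network_acl" "daas" {
  name = "daas-subnet-acl"
  vpc  = var.vpc_id
  # Admin RDP only from VPN clients; take the real port list from the Citrix paper.
  rules {
    name        = "vpn-rdp-in"
    action      = "allow"
    direction   = "inbound"
    source      = var.vpn_client_cidr
    destination = var.subnet_cidr
    tcp {
      port_min        = 3389
      port_max        = 3389
      source_port_min = 1
      source_port_max = 65535
    }
  }
  # Replies to the VSIs' own HTTPS connections (e.g. to Citrix Cloud) arrive on the
  # Windows dynamic port range; without this rule the stateless ACL drops them.
  rules {
    name        = "https-reply-in"
    action      = "allow"
    direction   = "inbound"
    source      = "0.0.0.0/0"
    destination = var.subnet_cidr
    tcp {
      port_min        = 49152
      port_max        = 65535
      source_port_min = 443
      source_port_max = 443
    }
  }
  # Anything else inbound is dropped, whatever the security groups would permit.
  rules {
    name        = "deny-in"
    action      = "deny"
    direction   = "inbound"
    source      = "0.0.0.0/0"
    destination = "0.0.0.0/0"
  }
}
# Attach the ACL to the DaaS subnet.
resource "ibm_is_subnet_network_acl_attachment" "daas" {
  subnet      = var.subnet_id
  network_acl = ibm_is_network_acl.daas.id
}
```

Before attaching this, add the matching outbound rules and every flow from the Citrix communication paper (Cloud Connector, domain controller, VDA) that crosses the subnet boundary; otherwise the deny rule breaks the deployment.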

Use IBM Log Analysis to monitor logs for compliance and security

For most Citrix-DaaS deployments, centralized logging is important. Without centralized logging, you are forced to find logs for each individual component across several resources. For example, some logs are on the Cloud Connector VSIs (Connector Logs and Plug-in) and Domain Controller logs are on the Active Directory Server. If you are using Volume Worker, logs are split between IBM Cloud Functions and the worker VSIs that complete the jobs. Some of these logs are ephemeral and are not accessible if not being recorded by centralized logging.

Centralized logging is provided by using an IBM Log Analysis instance, which gathers logs all in one place. IBM Log Analysis can either be provisioned together with the Citrix-DaaS deployment, or an ingestion key for an existing instance can be provided through a Terraform variable. Because centralized logging is extremely important for this product, it is enabled by default; optionally (with a Terraform variable), it can be disabled.


Several IBM Cloud services are incorporated into the Citrix DaaS solution, so you can easily stand up a secure deployment out of the box. You can configure stricter security within your deployment on IBM Cloud. Based on your business needs, you can customize the security precautions that you require and integrate them with your deployment.
