Cloud Workstations architecture

Stay organized with collections Save and categorize content based on your preferences.

Cloud Workstations manages resources used by workstations, such as Compute Engine VMs and persistent disks (PDs), inside your projects to provide you with higher visibility and more control over these resources. For example, for all workstations PDs, you can set up scheduled disk snapshot policies that enforce backup policies. Similarly, having VMs inside your project allows you to seamlessly access and manage resources in your VPC network.

Workstations are contained in and managed by workstation clusters.

  • Administrators create workstation clusters, which define a group of workstations in a particular region and the VPC network they're attached to.
  • Workstation clusters are not related to Google Kubernetes Engine (GKE) clusters.
  • Each workstation cluster has a dedicated controller that is connected to a VPC within which workstations reside with Private Service Connect (and this has no impact on VPC peering limits). This controller manages the workstations resources throughout their lifecycle and provides network egress and ingress to the workstations through a public cluster gateway.
  • Each cloud region requires at least one workstation cluster.

If necessary, it is also possible to enable a fully private gateway, so that only endpoints inside your private network have access to Cloud Workstations. The following diagram illustrates the components of Cloud Workstations.

Architecture diagram

Figure 1. Cloud Workstations Architecture

Workstation cluster

A workstation cluster contains and manages a collection of workstations in a single cloud region and VPC network inside your project. Each workstation cluster includes two components that are managed by Google Cloud: a controller and a gateway.

  • Controller: responsible for managing the lifecycle of VM instances and other workstation resources inside of your project.

  • Gateway: receives traffic from clients bound for particular workstations, and forwards it to the appropriate VM instance. Each workstation cluster has a unique domain name, and each workstation can be reached at a subdomain of the workstation cluster's domain—for example, $WORKSTATION_ID.$CLUSTER_ID.cloudworkstations.dev.

The controllers use the Compute Engine API to manage the lifecycle of the resources, and utilize Private Service Connect to route traffic to the workstations' VMs.

VPC network

When creating a workstation cluster, you specify a project and a VPC network to host the resources. Cloud Workstations then provisions the following resources in your project:

  • Private Service Connect: establishes a connection between the Cloud Workstations controller and your VPC, enabling the creation of resources inside your project.
  • VM instance: a Compute Engine VM is dynamically created inside a your project and VPC after a workstation is started, and automatically deleted at the end of a user session or after a configurable session timeout.

    • VM Gateway: pulls client traffic from the workstation cluster gateway, authenticates and authorizes it, and forwards it to the container.

    • Container: defines the tools pre-installed in a workstation, such as the IDE or code editor, and any other programs or settings as specified by the workstation configuration.

  • Persistent Disk: a persistent disk attached to the workstation VM mounted to the /home folder, allowing for data and files to be stored after the session ends.