Microsoft Azure Resource Manager cloud environments

Follow the guidance in this article when using the Microsoft Azure Resource Manager to provision virtual machines in your Citrix Virtual Apps and Desktops deployment.

We assume you are familiar with the following:

Azure on-demand provisioning

With Azure on-demand provisioning, VMs are created only when Citrix Virtual Apps and Desktops initiates a power-on action, after the provisioning completes.

When you use MCS to create machine catalogs in the Azure Resource Manager, the Azure on-demand provisioning feature:

  • Reduces your storage costs
  • Provides faster catalog creation

When you create an MCS catalog, the Azure portal displays the network security group, network interfaces, base images, and identity disks in the resource groups.

The Azure portal does not show a VM until Citrix Virtual Apps and Desktops initiates a power-on action for it. There are two types of machines with the following differences:

  • For a pooled machine, the operating system disk and write-back cache exist only when the VM exists. When you shut down a pooled machine in the console, the VM is not visible in the Azure portal. There is a significant storage cost saving if you routinely shut down machines (for example, outside of working hours).
  • For a dedicated machine, the operating system disk is created the first time the VM is powered on. The VM in the Azure portal remains in storage until the machine identity is deleted. When you shut down a dedicated machine in the console, the VM is still visible in the Azure portal.

Connection to Azure Resource Manager

Connections and resources describes the wizards that create a connection. The following information covers details specific to Azure Resource Manager connections.

Considerations:

  • Citrix recommends using a service principal with the Contributor role. For the list of minimum permissions, see the Minimum permissions section.
  • When creating the first connection, Azure prompts you to grant it the necessary permissions. For future connections you must still authenticate, but Azure remembers your previous consent and does not display the prompt again.
  • The account used for authentication must be a co-administrator of the subscription.
  • The account used for authentication must be a member of the subscription’s directory. There are two types of accounts to be aware of: ‘Work or School’ and ‘personal Microsoft account.’ See CTX219211 for details.
  • While you can use an existing Microsoft account by adding it as a member of the subscription’s directory, there can be complications if the user was previously granted guest access to one of the directory’s resources. In this case, they might have a placeholder entry in the directory that does not grant them the necessary permissions, and an error is returned.

    Rectify this by removing the resources from the directory and adding them back explicitly. However, exercise this option carefully, because it has unintended effects on other resources that the account can access.

  • There is a known issue where certain accounts are detected as directory guests when they are actually members. Configurations like this typically occur with older, established directory accounts. Workaround: add an account to the directory; the added account receives the proper membership value.
  • Resource groups are simply containers for resources, and they can contain resources from regions other than their own region. This can potentially be confusing if you expect resources displayed in a resource group’s region to be available.
  • Ensure that your network and subnet are large enough to host the number of machines you require. This requires some foresight, but Microsoft helps you specify the right values, with guidance about the address space capacity.

You can establish a host connection to Azure in two ways:

  • Authenticate to Azure to create a service principal.
  • Use the details from a previously created service principal to connect to Azure.

Create a service principal

Important:

This feature is not yet available for Azure China and Azure Germany subscriptions.

Before you start, authenticate to Azure. Ensure:

  • You have a user account in your subscription’s Azure Active Directory tenant.
  • The Azure AD user account is also a co-administrator for the Azure subscription that you want to use for provisioning resources.
  • You have global administrator, application administrator, or application developer permissions for authentication. These permissions can be revoked after you create the host connection. For more information about roles, see Azure AD built-in roles.

When you authenticate to Azure to create a service principal, an application is registered in Azure. A secret key (client secret) is created for the registered application. The registered application uses the client secret to authenticate to Azure AD. Be sure to change the client secret before it expires. You receive an alert on the console before the secret key expires.

To authenticate to Azure to create a service principal, complete the following steps in the Add Connection and Resources wizard:

  1. On the Connection page, select Create a new connection, the Microsoft Azure connection type, and your Azure environment.

  2. Select which tools to use to create the virtual machines and then select Next.

  3. On the Connection Details page, enter your Azure subscription ID and a name for the connection. After you enter the subscription ID, the Create new button is enabled.

    Note:

    The connection name can contain 1–64 characters, and cannot contain only blank spaces nor the characters \/;:#.*?=<>|[]{}"'()'.

  4. Select Create new and then enter the Azure Active Directory account user name and password.

  5. Select Sign in.

  6. Select Accept to give Citrix Virtual Apps and Desktops the listed permissions. Citrix Virtual Apps and Desktops creates a service principal that allows it to manage Azure resources on behalf of the specified user.

  7. After you select Accept, you return to the Connection page in the wizard.

    Note:

    After you successfully authenticate to Azure, the Create new and Use existing buttons disappear. The Connection successful text appears, with a green check mark, indicating the successful connection to your Azure subscription.

  8. On the Connection Details page, select Next.

    Note:

    You cannot proceed to the next page until you successfully authenticate to Azure and consent to giving the required permissions.

  9. Configure resources for the connection. Resources comprise the region and the network.

    • On the Region page, select a region.
    • On the Network page, do the following:
      • Type a 1–64 character resource name to help identify the region and network combination. A resource name cannot contain only blank spaces nor the characters \/;:#.*?=<>|[]{}"'()'.
      • Select a virtual network/resource group pair. (If you have more than one virtual network with the same name, pairing the network name with the resource group provides unique combinations.) If the region you selected on the previous page does not have any virtual networks, return to that page and select a region that has virtual networks.
  10. On the Summary page, view a summary of settings and select Finish to complete your setup.

Use the details from a previously created service principal to connect to Azure

To create a service principal manually, connect to your Azure Resource Manager subscription and use the PowerShell cmdlets provided in the following sections.

Prerequisites:

  • SubscriptionId: Azure Resource Manager SubscriptionID for the subscription where you want to provision VDAs.
  • ActiveDirectoryID: Tenant ID of the application that you registered with Azure AD.
  • ApplicationName: Name for the application to be created in Azure AD.

To create a service principal:

  1. Connect to your Azure Resource Manager subscription.

    Connect-AzAccount

  2. Select the Azure Resource Manager subscription where you want to create the service principal.

    Get-AzSubscription -SubscriptionId $SubscriptionId | Select-AzSubscription

  3. Create the application in your AD tenant.

    $AzureADApplication = New-AzADApplication -DisplayName $ApplicationName

  4. Create a service principal.

    New-AzADServicePrincipal -ApplicationId $AzureADApplication.AppId

  5. Assign a role to the service principal.

    New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $AzureADApplication.AppId -Scope /subscriptions/$SubscriptionId

  6. From the output window of the PowerShell console, note the ApplicationId. You provide that ID when creating the host connection.
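
The six steps above, run end to end as one script (an added example, not Citrix's own script), with the client-secret step the wizard's Existing Service Principal Details window needs but the steps do not show. It assumes the Az PowerShell module with Az.Resources 5.x or later (where New-AzADAppCredential returns SecretText once); the subscription ID and application name are placeholders.

```powershell
# Placeholders: replace before running.
$SubscriptionId  = '00000000-0000-0000-0000-000000000000'
$ApplicationName = 'CitrixMcsProvisioning'

Connect-AzAccount | Out-Null
Get-AzSubscription -SubscriptionId $SubscriptionId | Select-AzSubscription | Out-Null
$TenantId = (Get-AzContext).Tenant.Id   # the "Active Directory ID (tenant ID)" the wizard asks for

# Register the application and create its service principal.
$App = New-AzADApplication -DisplayName $ApplicationName
$Sp  = New-AzADServicePrincipal -ApplicationId $App.AppId

# Client secret: the wizard rejects expiry dates more than two years out, so use one year
# and plan the rotation. SecretText is returned only once (assumes Az.Resources 5.x+).
$EndDate = (Get-Date).AddYears(1)
$Cred    = New-AzADAppCredential -ApplicationId $App.AppId -EndDate $EndDate

# Contributor at subscription scope, as recommended above (see Minimum permissions to narrow it).
# A newly created principal can take a few seconds to replicate, so retry the assignment briefly.
$Scope = "/subscriptions/$SubscriptionId"
for ($i = 0; $i -lt 6; $i++) {
    try {
        New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $App.AppId `
            -Scope $Scope -ErrorAction Stop | Out-Null
        break
    } catch {
        if ($i -eq 5) { throw }
        Start-Sleep -Seconds 10
    }
}

# The values to enter in the wizard. The secret is shown once and cannot be retrieved later,
# so copy it into your secrets store now; nothing here writes it to disk.
[pscustomobject]@{
    SubscriptionId       = $SubscriptionId
    ActiveDirectoryId    = $TenantId
    ApplicationId        = $App.AppId
    ApplicationSecret    = $Cred.SecretText
    SecretExpirationDate = $EndDate.ToString('yyyy-MM-dd')
}
```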

In the Add Connection and Resources wizard:

  1. On the Connection page, select Create a new connection, the Microsoft Azure connection type, and your Azure environment.

  2. Select which tools to use to create the virtual machines and then select Next.

  3. On the Connection Details page, enter your Azure subscription ID and a name for the connection.

    Note:

    The connection name can contain 1–64 characters, and cannot contain only blank spaces nor the characters \/;:#.*?=<>|[]{}"'()'.

  4. Select Use existing. In the Existing Service Principal Details window, enter the following settings for the existing service principal. After you enter the details, the Save button is enabled. Select Save. You cannot progress beyond this page until you provide valid details.

    • Subscription ID. Enter your Azure subscription ID. To obtain your subscription ID, sign in to the Azure portal and navigate to Subscriptions > Overview.
    • Active Directory ID (tenant ID). Enter the Directory (tenant) ID of the application that you registered with Azure AD.
    • Application ID. Enter the Application (client) ID of the application that you registered with Azure AD.
    • Application secret. Create a secret key (client secret). The registered application uses the key to authenticate to Azure AD. We recommend that you change keys regularly for security purposes. Be sure to save the key because you cannot retrieve the key later.
    • Secret expiration date. Enter the date after which the application secret expires. You receive an alert on the console before the secret key expires. However, if the secret key expires, you receive errors.

      Note:

      For security purposes, the expiration period cannot be more than two years from now.

    • Authentication URL. This field is automatically populated and is not editable.
    • Management URL. This field is automatically populated and is not editable.
    • Storage suffix. This field is automatically populated and is not editable.
  5. After selecting Save, you return to the Connection Details page. Select Next to proceed to the next page.

  6. Configure resources for the connection. Resources comprise the region and the network.

    • On the Region page, select a region.
    • On the Network page, do the following:
      • Type a 1–64 character resource name to help identify the region and network combination. A resource name cannot contain only blank spaces nor the characters \/;:#.*?=<>|[]{}"'()'.
      • Select a virtual network/resource group pair. (If you have more than one virtual network with the same name, pairing the network name with the resource group provides unique combinations.) If the region you selected on the previous page does not have any virtual networks, return to that page and select a region that has virtual networks.
  7. On the Summary page, view a summary of settings and select Finish to complete your setup.

Create a machine catalog using an Azure Resource Manager image

An image is the template that is used to create the VMs in a machine catalog. Before creating the machine catalog, create an image in Azure Resource Manager. For general information about images, see Create machine catalogs.

Using a machine profile with trusted launch as Security Type is mandatory when you select an image or snapshot that has trusted launch enabled. You can then enable or disable SecureBoot and vTPM by specifying their values in the Machine Profile. For information about Azure trusted launch, see Trusted launch for Azure virtual machines.

The machine catalog uses the following properties that are defined in the custom properties:

  • Availability zone
  • Dedicated Host Group Id
  • Disk Encryption Set Id
  • OS type
  • License type
  • Storage type

If these custom properties are not defined explicitly, the property values are taken from the ARM template spec or VM, whichever is used as the machine profile. In addition, if ServiceOffering is not specified, it is set from the machine profile.

Note:

If some of the properties are missing from the machine profile and are not defined in the custom properties, the default values of those properties are used wherever applicable.

The following section describes some New-ProvScheme and Set-ProvScheme scenarios in which CustomProperties either has all the properties defined or the values are derived from the MachineProfile.

New-ProvScheme Scenarios

  • MachineProfile has all the properties and CustomProperties is not defined. Example:

    New-ProvScheme -MachineProfile "XDHyp:\HostingUnits\azureunit\machineprofile.folder\azure.resourcegroup\mpA.vm"

    The following values are set as custom properties for the catalog:

     Get-ProvScheme | select CustomProperties
     <CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Property xsi:type="StringProperty" Name="StorageAccountType" Value="<mpA-value>"/>
     <Property xsi:type="StringProperty" Name="OSType" Value="<mpA-value>"/>
     <Property xsi:type="StringProperty" Name="LicenseType" Value="<mpA-value>"/>
     <Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="<mpA-value>"/>
     <Property xsi:type="StringProperty" Name="DedicatedHostGroupId" Value="<mpA-value>"/>
     <Property xsi:type="StringProperty" Name="Zones" Value="<mpA-value>"/>
     </CustomProperties>
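
The mixed case, as an added example (not Citrix's own code): the same machine profile mpA is used, but two properties are pinned in CustomProperties. Under the precedence described above, StorageAccountType and DiskEncryptionSetId then come from CustomProperties while OSType, LicenseType, DedicatedHostGroupId and Zones are still derived from mpA. The catalog name, identity pool (created earlier with New-AcctIdentityPool, not shown), image path, network path and disk encryption set ID are placeholders.

```powershell
$HostingUnit    = 'azureunit'
$MachineProfile = "XDHyp:\HostingUnits\$HostingUnit\machineprofile.folder\azure.resourcegroup\mpA.vm"
# Placeholder image and subnet paths under the same hosting unit.
$MasterImage    = "XDHyp:\HostingUnits\$HostingUnit\image.folder\azure.resourcegroup\win10-image.snapshot"
$Network        = "XDHyp:\HostingUnits\$HostingUnit\virtualprivatecloud.folder\azure.resourcegroup\vnet.virtualprivatecloud\subnet1.network"
# Placeholder ARM resource ID of the disk encryption set.
$DiskEncryptionSetId = '/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RG>/providers/Microsoft.Compute/diskEncryptionSets/<DES-NAME>'

# Only the properties you want to pin go here; everything else is resolved from the machine profile.
$CustomProperties = @"
<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Property xsi:type="StringProperty" Name="StorageAccountType" Value="Premium_LRS"/>
  <Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="$DiskEncryptionSetId"/>
</CustomProperties>
"@

# -CleanOnBoot makes a pooled catalog: the OS disk exists only while the VM exists (see on-demand
# provisioning above). If the image has trusted launch enabled, mpA must use that security type.
New-ProvScheme -ProvisioningSchemeName 'mcs-azure-pooled' -HostingUnitName $HostingUnit `
    -IdentityPoolName 'mcs-azure-pooled' -MasterImageVM $MasterImage `
    -NetworkMapping @{ '0' = $Network } -MachineProfile $MachineProfile `
    -CustomProperties $CustomProperties -CleanOnBoot

# Check what was resolved: the two pinned values plus the ones inherited from mpA.
$Xml = [xml](Get-ProvScheme -ProvisioningSchemeName 'mcs-azure-pooled').CustomProperties
$Xml.CustomProperties.Property | Select-Object Name, Value
```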
