I am pleased to announce preview support in Citrix Cloud XenApp and XenDesktop service to provision VDAs on Azure US Government cloud. This allows Citrix administrators to quickly deploy and manage XenApp and XenDesktop workloads in Azure Government Cloud using the same familiar Machine Creation Services (MCS) interface currently available for various other worldwide Azure regions.
Operating in six government-only data center regions, Azure Gov cloud is Level 5 DoD approved and is exclusively meant to serve the needs of U.S. federal, state, local and tribal governments – a sector where Citrix has historically been a strong leader in providing secure IT solutions.
Provisioning VDAs in Azure Gov Cloud consists of two steps:
- First, establish a connection between the Citrix Cloud XenApp and XenDesktop service and your Azure US Government subscription by creating a Host Connection and defining Hosting Resources.
- Second, create the VDAs over that connection and those resources using Citrix Machine Creation Services (MCS).
Prerequisites:
- Entitlement to XenApp and XenDesktop service within Citrix Cloud.
- An Azure US Government Subscription.
- An account that is a member of the Azure Active Directory (Azure AD) tenant associated with your subscription and that is also a co-administrator or owner of the subscription. See the blog Demystifying Azure AD Authentication to learn more about Azure AD and member accounts.
- A Resource Location in Azure US Government cloud with a virtual network and subnet(s) in your preferred Azure Gov region, connectivity to an Active Directory domain controller, and a pair of Citrix Cloud Connector VMs joined to the AD domain.
Create Connection
To create the connection from Citrix Studio, navigate to Hosting under Configuration in the left pane and select Add Connection and Resources from the Actions pane. The host connection wizard launches; under Create a new Connection, select the connection type Microsoft Azure. In the Azure environment drop-down there is a new option, Azure US Government – Preview, which is the environment type you need to select.
When Citrix first supported provisioning VDAs in Azure Resource Manager, the only environment offered was Azure Global. The drop-down now also lists Azure China, Azure US Government – Preview and Azure Germany – Preview (coming soon; the option is enabled once the feature becomes available in Citrix Cloud). The Azure environment drop-down is a dynamic list that is updated as soon as XenDesktop supports a new Azure environment, so there is no need for new wizard pages or new concepts or processes to provision VDAs in a different Azure environment: the workflow is the same across all of them.
To provision VDAs using MCS, select the option Studio tools (Machine Creation Services) and move to the next page. The Connection Details page and all other pages in the wizard are the same as for the other Azure environments XenDesktop already supports.
As with the other supported Azure environments, you can connect to your Azure US Gov subscription in two ways: Create new or Use existing. There is already an excellent blog, Connecting to Azure Resource Manager in XenApp & XenDesktop, that covers creating the host connection and hosting resources; follow it for the full walkthrough. Since the steps are exactly the same, this blog does not repeat them and focuses only on the differences and the important points.
The authentication process XenDesktop uses behind the scenes is the same for every supported Azure environment. Remember that if you use the Create new option, the Service Principal created behind the scenes is granted the Contributor role on the entire subscription, so anyone who obtains that credential can create, modify or delete any resource in the subscription. You can either let XenDesktop create the Service Principal or create it yourself with Azure PowerShell and then use the Use existing option, supplying the details of the pre-created Service Principal.
Once the connection is established, the next step is to define hosting resources. In this case the Regions page lists only the Azure US Government regions accessible to your subscription.
Proceed through the wizard and finish creating the connection and resources, following the blog mentioned above.
Create Connection using an existing Application/Service Principal
If you are familiar with ARM, Azure AD and Azure PowerShell, you may already be using Applications and Service Principals. XenDesktop lets you define Service Principals outside of Studio and supply the details of an existing Service Principal to establish the connection. Let's look at the Use existing page of the Studio wizard.
Notice the difference between the Authentication URL, Management URL and Storage suffix for Azure Global and Azure US Government. These endpoints are unique to each Azure environment, and the connection must use the endpoints of the specific environment you are targeting; a connection configured with Azure Global endpoints will not reach Azure US Government resources.
You may also want to use the Use existing option when you do not want a Service Principal with Contributor access on the entire subscription. If your organization's security policies do not allow subscription-scoped Service Principals, you can use PowerShell to define a Service Principal whose role assignments cover only the minimum required resources (for example, the resource groups MCS will provision into) and supply its details in the Use existing option. See the blog Azure Role Based Access Control in XenApp & XenDesktop to learn more about creating narrow-scope Service Principals.
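The following script is an added example for the two points above (looking up the environment-specific endpoints and creating a narrow-scope Service Principal); it is not part of the original blog or of Citrix's tooling. It assumes the Az PowerShell module (version 7 or later, where New-AzADServicePrincipal no longer assigns a role by default and exposes the generated secret as PasswordCredentials.SecretText) and an account permitted to create app registrations and role assignments. The display name and resource group names are placeholders. It reads the Azure US Government endpoints from Get-AzEnvironment rather than hand-copying them, grants Contributor only on the named resource groups, and then fails if the Service Principal ended up with any subscription-wide assignment.

```powershell
# Added example (not from the Citrix blog): create a Service Principal scoped to
# specific resource groups in Azure US Government and print the values needed by
# the "Use existing" wizard page. Assumes Az module 7+; names are placeholders.
param(
    [Parameter(Mandatory=$true)][string]$SubscriptionId,
    [Parameter(Mandatory=$true)][string]$DisplayName,          # e.g. "xd-mcs-usgov" (placeholder)
    [Parameter(Mandatory=$true)][string[]]$ResourceGroupNames  # resource groups MCS may provision into
)

$envName = "AzureUSGovernment"
Connect-AzAccount -Environment $envName -Subscription $SubscriptionId | Out-Null

# Pull the environment's endpoints instead of hand-copying them. These are the
# values Studio asks for on the Use existing page (and the script's custom properties).
$azEnv = Get-AzEnvironment -Name $envName
$endpoints = [ordered]@{
    EnvironmentName         = $azEnv.Name
    AuthenticationAuthority = $azEnv.ActiveDirectoryAuthority
    ManagementEndpoint      = $azEnv.ResourceManagerUrl
    StorageSuffix           = $azEnv.StorageEndpointSuffix
    TenantId                = (Get-AzContext).Tenant.Id
    SubscriptionId          = $SubscriptionId
}

# Create the app registration and service principal WITHOUT any role assignment.
# (Older Az/AzureRM releases granted Contributor on the whole subscription here by
# default, which is exactly the broad grant we want to avoid.)
$sp     = New-AzADServicePrincipal -DisplayName $DisplayName
$secret = $sp.PasswordCredentials.SecretText   # shown once; store it in a vault, not in a script

# Grant Contributor only on the resource groups MCS needs.
foreach ($rg in $ResourceGroupNames) {
    $scope = "/subscriptions/$SubscriptionId/resourceGroups/$rg"
    New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName "Contributor" -Scope $scope | Out-Null
}

# Verify: fail if any assignment for this SP sits at subscription or root scope.
# Directory replication can lag for a few seconds after creation; retry if this errors.
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
$tooBroad = $assignments | Where-Object {
    $_.Scope -eq "/subscriptions/$SubscriptionId" -or $_.Scope -eq "/"
}
if ($tooBroad) {
    throw "Service Principal has subscription-wide role assignments: $($tooBroad.RoleDefinitionName -join ', ')"
}

# Print what the wizard (or the connection script) needs. The secret is deliberately
# not echoed; pass $secret to the connection script from the session or a vault.
"Values for the Use existing page:"
$endpoints.GetEnumerator() | ForEach-Object { "{0,-24} {1}" -f $_.Key, $_.Value }
"{0,-24} {1}" -f "ApplicationId", $sp.AppId
"{0,-24} {1}" -f "ApplicationSecret", "(held in `$secret, not printed)"
```

Two points to note: the endpoint values the cmdlet returns are the ones to paste into Studio, so they stay correct if Microsoft renames an endpoint; and the final check is the one that matters for a least-privilege review, because a Service Principal that looks narrowly scoped in the portal can still carry a subscription-level assignment added earlier by another tool.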
PowerShell Scripting Support
You can automate the creation of a connection instead of using Studio's interactive authentication. The sample script below defines a connection using Azure PowerShell commands and the Citrix snap-ins. The same script can be used to create a connection to any supported Azure environment; only the "EnvironmentName", "AuthenticationAuthority", "ManagementEndpoint" and "StorageSuffix" custom properties need to be changed to the values for the environment of your choice.
param(
[Parameter(Mandatory=$true)][string]$connectionName,
[Parameter(Mandatory=$true)][string]$applicationId,        # Application (client) ID of the Service Principal
[Parameter(Mandatory=$true)][string]$applicationPassword,  # Service Principal secret; pass it from a vault or the session, not from the command line or a stored script
[Parameter(Mandatory=$true)][string]$subscriptionId,
[Parameter(Mandatory=$true)][string]$tenantId,
[Parameter(Mandatory=$true)][string]$zoneUId               # Uid of the Resource Location (zone) hosting the Cloud Connectors
)
# Load the Citrix PowerShell snap-ins (Host and Broker SDK cmdlets).
Add-PsSnapin Citrix*
# Environment-specific values for Azure US Government. Change EnvironmentName,
# AuthenticationAuthority, ManagementEndpoint and StorageSuffix for another Azure environment.
$customProperties = @"
<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Property xsi:type="StringProperty" Name="EnvironmentName" Value="AzureUSGovernment"/>
<Property xsi:type="StringProperty" Name="AuthenticationAuthority" Value="https://login-us.microsoftonline.com/"/>
<Property xsi:type="StringProperty" Name="ManagementEndpoint" Value="https://management.usgovcloudapi.net/"/>
<Property xsi:type="StringProperty" Name="StorageSuffix" Value="core.usgovcloudapi.net"/>
<Property xsi:type="StringProperty" Name="TenantId" Value="$tenantId"/>
<Property xsi:type="StringProperty" Name="SubscriptionId" Value="$subscriptionId"/>
</CustomProperties>
"@
# Create the host connection in the XDHyp: drive. HypervisorAddress must match the
# ManagementEndpoint of the target environment; the Service Principal's application ID
# is the user name and its secret is the password.
$connection = New-Item -ConnectionType "Custom" -CustomProperties $customProperties -HypervisorAddress @("https://management.usgovcloudapi.net/") `
-Path @("XDHyp:\Connections\$connectionName") -Persist -PluginId "AzureRmFactory" -Scope @() `
-SecurePassword (ConvertTo-SecureString -AsPlainText -Force $applicationPassword) -UserName $applicationId -ZoneUid "$zoneUId"
# Register the connection with the Broker so it appears in Studio.
New-BrokerHypervisorConnection -HypHypervisorConnectionUid $connection.HypervisorConnectionUid
Once the script has run, the host connection is created and visible in Citrix Studio; you can then use either Studio or PowerShell to create the hosting resources.
Create and Manage MCS Catalog
Once the host connection and hosting resources exist, creating an MCS catalog in Azure US Gov cloud is the same as in the other Azure environments. See the existing blog Using XenApp & XenDesktop in Azure Resource Manager to learn more about creating MCS catalogs in Azure.
Once you have an MCS catalog in Azure US Gov, you may need to update the image of a catalog in use. See the existing blog Update and Rollback XenDesktop Azure Resource Manager Catalog for image updates.
If you are using a narrow-scope Service Principal for your host connection, you must pre-create the custom resource groups in Azure and then create the catalog with PowerShell as explained in the blog Azure Role Based Access Control in XenApp & XenDesktop. At present Studio cannot provision VDAs into custom resource groups; support for this in Citrix Studio will be announced soon, after which PowerShell will no longer be required for that step.