Enable public access
Customers should enable public access on the storage accounts that MCS creates. The following document summarizes the requirement and addresses the security concerns customers raise about public access: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/virtual-apps-and-desktops-azure.html#securing-storage-accounts-provisioning-by-cvad-service
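As an added example (not from the Citrix article above), the following Az PowerShell snippet audits the network access setting on the storage accounts MCS created, which is the setting the whitelist requests in the next section are about: a firewall default action of Deny, or a disabled public endpoint, blocks Citrix Cloud because it has no fixed source IP range. The resource group name is a placeholder, and the script assumes Az.Storage is installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the Citrix article): audit the network access setting
# on the storage accounts MCS created for a catalog. Assumes the Az.Storage module
# is installed and Connect-AzAccount has been run. The resource group name is a placeholder.

param(
    [string]$ResourceGroupName = "ctx-mcs-rg"   # assumption: RG holding the MCS storage accounts
)

# MCS reaches the storage accounts from Citrix Cloud, which has no fixed IP range,
# so a firewall DefaultAction of Deny (or a disabled public endpoint) blocks provisioning.
function Get-McsStorageAccountAccess {
    param([string]$ResourceGroupName)

    Get-AzStorageAccount -ResourceGroupName $ResourceGroupName | ForEach-Object {
        [pscustomobject]@{
            StorageAccount      = $_.StorageAccountName
            DefaultAction       = $_.NetworkRuleSet.DefaultAction    # Allow = reachable from all networks
            IpRules             = ($_.NetworkRuleSet.IpRules | ForEach-Object { $_.IPAddressOrRange }) -join ','
            PublicNetworkAccess = $_.PublicNetworkAccess             # populated on recent Az.Storage versions, otherwise empty
            BlocksMcs           = ($_.NetworkRuleSet.DefaultAction -eq 'Deny') -or ($_.PublicNetworkAccess -eq 'Disabled')
        }
    }
}

$report = Get-McsStorageAccountAccess -ResourceGroupName $ResourceGroupName
$report | Format-Table -AutoSize

# Re-open any account MCS cannot reach. -WhatIf only shows the change; remove it to apply.
$report | Where-Object BlocksMcs | ForEach-Object {
    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName `
        -Name $_.StorageAccount -DefaultAction Allow -WhatIf
}
```

Run it with -WhatIf first and review the IpRules column: any IP rules a customer added in an attempt to whitelist Citrix Cloud are ineffective for the reason given in the next section, and the report makes them visible before the default action is changed.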
Workarounds if public access cannot be enabled
Several customers have asked for a Citrix Cloud IP range to whitelist on the storage account firewall. There is currently no fixed IP address range for Citrix Cloud that we can provide, so the firewall cannot be used to restrict access. With managed disks, the customer no longer needs storage accounts at all. This change shipped in Cloud 87, so new catalogs created with managed disks do not create storage accounts.
If the customer is unwilling to keep public access enabled, they have a couple of options. If the machines are non-persistent, recreate them with managed disks; no storage accounts are created in that case. If the machines are persistent, one option is to move the machines into a power-managed only catalog. To do that:
1. Remove the VMs from the catalog (but do not delete them in Azure Portal)
2. Optionally perform the unmanaged to managed disk migration in Azure Portal
b. This step is not required. Once the machines are in a power-managed only catalog, MCS no longer attempts to access the storage accounts and needs no permissions on them, whether or not the disks were migrated.
3. Remove any Citrix tags that are on the VMs and the resource group. Example:
4. Add the machines into a power-managed only catalog
a. This means the machines are non-MCS provisioned, i.e., they are existing machines in the Azure Portal that are being added to a catalog.
Note that this means provisioning operations cannot be performed on that catalog; it is used only for power management.
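Step 3 of the procedure above, as an added Az PowerShell example (not from the Citrix article and not a Citrix tool): it finds the tags MCS left on each VM and on the resource group and deletes only those, leaving the customer's own tags in place. The resource group and VM names are placeholders, and the 'Citrix*' tag-name prefix is an assumption, so inspect what the dry run finds before re-running with -Apply. It assumes Az.Resources and Az.Compute are installed and Connect-AzAccount has been run.

```powershell
# Added example (not from the Citrix article): step 3 of the procedure above, removing
# the Citrix tags MCS placed on the VMs and on their resource group before the VMs are
# added to a power-managed only catalog. Assumes Az.Resources and Az.Compute are installed
# and Connect-AzAccount has been run. Names are placeholders; the 'Citrix*' tag-name prefix
# is an assumption, so check the dry-run output before running with -Apply.

param(
    [string]$ResourceGroupName = "ctx-mcs-rg",
    [string[]]$VmNames = @("ctx-vda-001", "ctx-vda-002"),
    [string]$TagPrefix = "Citrix",
    [switch]$Apply
)

# Return the tags on a resource whose name matches the prefix, or $null if there are none.
function Get-CitrixTags {
    param([string]$ResourceId, [string]$Prefix)
    $tags = (Get-AzTag -ResourceId $ResourceId).Properties.TagsProperty
    if (-not $tags) { return $null }
    $matched = @{}
    foreach ($key in $tags.Keys) {
        if ($key -like "$Prefix*") { $matched[$key] = $tags[$key] }
    }
    if ($matched.Count -eq 0) { return $null }
    return $matched
}

# Delete only the matched tags; Update-AzTag -Operation Delete leaves other tags untouched.
function Remove-CitrixTags {
    param([string]$ResourceId, [string]$Prefix, [bool]$Apply)
    $matched = Get-CitrixTags -ResourceId $ResourceId -Prefix $Prefix
    if (-not $matched) {
        Write-Host "No $Prefix* tags on $ResourceId"
        return
    }
    Write-Host ("Removing tags on {0}: {1}" -f $ResourceId, ($matched.Keys -join ', '))
    if ($Apply) {
        Update-AzTag -ResourceId $ResourceId -Tag $matched -Operation Delete | Out-Null
    }
}

# Targets are each VM plus the resource group itself (both carry Citrix tags).
$targets = foreach ($vm in $VmNames) {
    (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vm).Id
}
$targets += (Get-AzResourceGroup -Name $ResourceGroupName).ResourceId

foreach ($id in $targets) {
    Remove-CitrixTags -ResourceId $id -Prefix $TagPrefix -Apply $Apply.IsPresent
}
```

Without -Apply the script only reports which tags it would delete. Run it after the VMs have been removed from the MCS catalog (step 1) and before they are added to the power-managed only catalog (step 4); if MCS tagged other resources belonging to the VMs, add their resource IDs to $targets.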
We do not allow changing an existing catalog from unmanaged to managed disks. If a customer attempts to change the UseManagedDisks custom property using Set-ProvScheme, they receive a preflight exception similar to CannotChangeUseManagedDisks.
Customers may have catalogs that were created before on-demand provisioning. These catalogs are known internally as “legacy” catalogs. Legacy machines are visible in the Azure Portal immediately after being added to the catalog. This is unlike non-legacy machines, which are created in Azure only after the first power on. Legacy machines have a few key limitations:
- Legacy catalogs are supported only with unmanaged disks, so MCS creates storage accounts and needs public access on them to perform operations.
- As mentioned above, you cannot change a catalog from unmanaged → managed disks.
- You also cannot create a new legacy catalog with managed disks. If attempted, you receive a preflight exception similar to ManagedDisksNotSupportedForLegacyCatalogs.
- You cannot change an existing legacy catalog into a non-legacy catalog.
- This limitation is documented here (Azure on-demand provisioning > Catalogs created before on-demand provisioning): https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/install-prepare/azure-resource-manager.html#azure-on-demand-provisioning