Azure Power Action Failures due to Storage Account Permissions (Unmanaged disks)

Enable public access

The customer should enable public access on their storage accounts. This document summarizes the requirement and addresses security concerns with public access: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/virtual-apps-and-desktops-azure.html#securing-storage-accounts-provisioning-by-cvad-service

Workarounds if public access cannot be enabled

We’ve had several customers request a whitelist for the IP range. We do not currently have a set IP address range for Citrix Cloud that we can provide. With managed disks, the customer no longer needs to use storage accounts. This change was put into Cloud 87, so new catalogs created with managed disks will not create storage accounts.

If the customer is unwilling to keep public access, they have a couple of options. If the machines are non-persistent, recreate them with managed disks; no storage accounts are created in that case. If the machines are persistent, one option is to move the machines into a power-managed only catalog. To do that:

1. Remove the VMs from the catalog (but do not delete them in Azure Portal)

2. Optionally perform the unmanaged to managed disk migration in Azure Portal

a. https://learn.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks

b. This is not a required step. Once the machines are in a power-managed only catalog, MCS will no longer attempt to access the storage accounts and does not require permissions on them.

3. Remove any Citrix tags that are on the VMs and the resource group. Example:

4. Add the machines into a power-managed only catalog

a. This means the machines are non-MCS provisioned, i.e. they are existing machines in Azure Portal that we are adding to a catalog

b. https://docs.citrix.com/en-us/citrix-daas/install-configure/machine-catalogs-create.html#machine-management

Note that this means you cannot perform provisioning operations on that catalog; it will only be used for power management.
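As an added example (not from this article or from Citrix), the following Az PowerShell script audits the VMs in a resource group before they are added to a power-managed only catalog: it reports any VM still on unmanaged disks (step 2) and lists, and optionally deletes, the leftover tags on the VMs and the resource group (step 3). It assumes a Connect-AzAccount session, the Az.Compute and Az.Resources modules, and that the MCS-applied tag keys start with "Citrix"; the exact tag names are not given on this page, so the prefix is an assumption and the script runs as a dry run unless -RemoveTags is passed.

```powershell
# Added example, not Citrix code. Dry run by default; pass -RemoveTags to delete.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [string] $TagKeyPrefix = 'Citrix',   # assumption: MCS tag keys start with "Citrix"
    [switch] $RemoveTags
)

function Remove-PrefixedTags {
    # Lists tags whose key starts with $Prefix and deletes only those keys when $Apply is set.
    param([string] $ResourceId, $Tags, [string] $Prefix, [bool] $Apply)
    if (-not $Tags) { Write-Output "  no tags on $ResourceId"; return }
    $matched = @{}
    foreach ($k in @($Tags.Keys)) {
        if ($k -like "$Prefix*") { $matched[$k] = $Tags[$k] }
    }
    if ($matched.Count -eq 0) { Write-Output "  no '$Prefix*' tags on $ResourceId"; return }
    Write-Output "  '$Prefix*' tags on ${ResourceId}: $($matched.Keys -join ', ')"
    if ($Apply) {
        # Operation Delete removes only the listed keys; unrelated tags stay in place.
        Update-AzTag -ResourceId $ResourceId -Tag $matched -Operation Delete | Out-Null
        Write-Output '  removed'
    }
}

$rg = Get-AzResourceGroup -Name $ResourceGroupName
foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
    # A disk without a ManagedDisk reference is a VHD in a storage account, which is
    # exactly what needs the storage-account permissions the article is about.
    $unmanaged = @()
    if (-not $vm.StorageProfile.OsDisk.ManagedDisk) { $unmanaged += $vm.StorageProfile.OsDisk.Name }
    foreach ($d in $vm.StorageProfile.DataDisks) {
        if (-not $d.ManagedDisk) { $unmanaged += $d.Name }
    }
    $state = if ($unmanaged) { "UNMANAGED disks: $($unmanaged -join ', ')" } else { 'all disks managed' }
    Write-Output "$($vm.Name): $state"

    Remove-PrefixedTags -ResourceId $vm.Id -Tags $vm.Tags -Prefix $TagKeyPrefix -Apply $RemoveTags
}

Write-Output "Resource group $($rg.ResourceGroupName):"
Remove-PrefixedTags -ResourceId $rg.ResourceId -Tags $rg.Tags -Prefix $TagKeyPrefix -Apply $RemoveTags
```

Review the dry-run output first, since anything still reported as UNMANAGED has not been through the optional step 2 migration and will keep its VHDs in the storage account.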

Additional Info

We do not allow changing an existing catalog from unmanaged to managed disks. If a customer attempted to change the UseManagedDisks custom property using Set-ProvScheme, they would receive a preflight exception similar to CannotChangeUseManagedDisks.

Customers may have catalogs that are created prior to on-demand provisioning. These catalogs are known internally as “legacy” catalogs. Legacy machines are visible in Azure Portal immediately after being added to the catalog. This is unlike non-legacy machines, which are created after the first power on. Legacy machines have a few key limitations:
