MS Azure Government

When creating layers in Azure Government, you must use an MS Azure Government connector configuration. This article describes the fields included in the connector configuration. For more about App Layering connectors, see Connector configurations.

A connector configuration contains the credentials that the appliance uses to access a specific location in Azure Government. Your organization may have one Azure Government account and several storage locations. If so, you need a connector configuration for the appliance to access each storage location.

Before you create an Azure Government connector configuration

This section explains:

  • The Azure Government account information required to create this connector configuration.
  • The Azure Government storage you need for App Layering.
  • The servers that the appliance communicates with.

Required Azure account information

The Azure Government connector requires the same information as the Azure connector.

Azure Government connector configuration

  • Name - A name you use for a new connector configuration.
  • Subscription ID - To deploy Azure virtual machines, your organization must have a subscription ID.
  • Tenant ID - The identifier of your organization’s dedicated Azure Active Directory (AD) instance. This GUID identifies the tenant that the app registration belongs to.
  • Client ID - An identifier for the App Registration, which your organization has created for App Layering.
  • Client Secret - The password for the Client ID you are using. If you have forgotten the Client Secret, you can create a new one. Note: Client secrets are logically associated with Azure tenants, so each time you use a new subscription and Tenant ID, you must use a new Client Secret.
  • Standard Azure storage (required): A storage account for Azure virtual machines (VHD files), the template file that you use to deploy Azure virtual machines, and the boot diagnostics files for those machines. When you specify Premium storage, which is optional, the virtual machines are stored there, and the template and boot diagnostics files remain in Standard storage.

    The storage account must already have been created in the Azure government portal, and the name you enter must match the name in the portal. For details, see Create a storage account below.

  • Premium storage (optional): Optional additional storage for Azure virtual machines (VHD files). Premium storage only supports page blobs and cannot be used to store the template file for deploying Azure virtual machines or the boot diagnostics files for those virtual machines. When you specify a premium storage account, the virtual machine sizes available are limited to those that support premium storage.

    The storage account must already have been created in the Azure government portal, and the name you enter must match the name in the portal. For details, see Create a storage account below.

Required Azure government storage account

Any account you use for App Layering must meet the following requirements:

  • Must not be a classic storage account.
  • Must be separate from the storage account used for the appliance.
  • Must be in the Azure government location where you plan to deploy virtual machines.
  • Can be located in any resource group, as long as the resource group’s location is the same as the account’s location.

Required Standard storage account

One of the following types of Standard Azure Government storage accounts is required to create a connector configuration.

  • Standard Locally Redundant storage (LRS)
  • Standard Geo-Redundant storage (GRS)
  • Standard Read-Access Geo-Redundant storage (RAGRS)

Premium storage account

In addition to the required Standard account, you can use Premium storage to store your App Layering virtual machine disks.
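The storage requirements above (no classic accounts, separate from the appliance's account, same location as the virtual machines and as the resource group, a Standard LRS/GRS/RAGRS account plus an optional Premium one) can be checked before a name is typed into the connector. The following is an added example, not Citrix's code: the StorageAccount record is a constructed stand-in for the properties you would read from the portal or an ARM resource listing, and its field names are assumptions, while the resource type and SKU strings are the standard ARM values.

```python
"""Added example (not Citrix's code): check candidate Azure Government storage
accounts against the App Layering requirements on this page.
The StorageAccount record is a constructed stand-in for portal/ARM properties;
its field names are assumptions."""
from dataclasses import dataclass
from typing import List

# Standard replication types the page accepts for the required account.
STANDARD_SKUS = {"Standard_LRS", "Standard_GRS", "Standard_RAGRS"}
# Premium storage only supports page blobs; Premium_LRS is its ARM SKU name.
PREMIUM_SKUS = {"Premium_LRS"}
# Resource type under which classic (pre-Resource Manager) accounts appear.
CLASSIC_TYPE = "Microsoft.ClassicStorage/storageAccounts"
ARM_TYPE = "Microsoft.Storage/storageAccounts"


@dataclass
class StorageAccount:
    name: str
    resource_type: str            # ARM_TYPE or CLASSIC_TYPE
    sku: str                      # e.g. "Standard_GRS"
    location: str                 # e.g. "usgovvirginia"
    resource_group_location: str  # location of the containing resource group
    subscription_id: str


def check_storage_account(acct: StorageAccount, vm_location: str,
                          appliance_account_name: str,
                          connector_subscription_id: str,
                          role: str = "standard") -> List[str]:
    """Return the list of requirement violations; an empty list means the
    account is usable in the given role ("standard" or "premium")."""
    problems = []
    if acct.resource_type == CLASSIC_TYPE:
        problems.append("classic storage accounts are not supported")
    if acct.name == appliance_account_name:
        problems.append("must be separate from the appliance's own storage account")
    if acct.subscription_id != connector_subscription_id:
        problems.append("must be in the same subscription as the connector")
    if acct.location.lower() != vm_location.lower():
        problems.append(f"must be in the deployment location {vm_location!r}, "
                        f"not {acct.location!r}")
    if acct.resource_group_location.lower() != acct.location.lower():
        problems.append("resource group location must match the account location")
    if role == "standard" and acct.sku not in STANDARD_SKUS:
        problems.append(f"required Standard account must be LRS, GRS or RAGRS, "
                        f"not {acct.sku!r}")
    elif role == "premium" and acct.sku not in PREMIUM_SKUS:
        problems.append(f"Premium account must use a Premium SKU, not {acct.sku!r}")
    return problems


# Constructed sample values; the subscription ID is a placeholder GUID.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000001"
VM_LOCATION = "usgovvirginia"
APPLIANCE_ACCOUNT = "applianceboot"

SAMPLES = {
    "good_standard": StorageAccount("layerimages", ARM_TYPE, "Standard_GRS",
                                    "usgovvirginia", "usgovvirginia", SUBSCRIPTION),
    "classic": StorageAccount("oldimages", CLASSIC_TYPE, "Standard_LRS",
                              "usgovvirginia", "usgovvirginia", SUBSCRIPTION),
    "wrong_region": StorageAccount("tximages", ARM_TYPE, "Standard_LRS",
                                   "usgovtexas", "usgovtexas", SUBSCRIPTION),
    "premium": StorageAccount("fastdisks", ARM_TYPE, "Premium_LRS",
                              "usgovvirginia", "usgovvirginia", SUBSCRIPTION),
}

if __name__ == "__main__":
    for label, acct in SAMPLES.items():
        role = "premium" if label == "premium" else "standard"
        issues = check_storage_account(acct, VM_LOCATION, APPLIANCE_ACCOUNT,
                                       SUBSCRIPTION, role)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

The same account can pass as a Premium account and fail as the required Standard one, which mirrors the page's rule that Premium storage is additional to, not a substitute for, the Standard account.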

Servers that the appliance communicates with

Using this connector, the appliance communicates with the following servers:

  • login.microsoftonline.us
  • management.usgovcloudapi.net

The appliance requires network connections with these servers.

Set up your Azure Government subscription(s)

Use the following procedures for each Azure Government subscription that you want to connect to using the App Layering appliance.

Set up and retrieve your Azure Government credentials

To retrieve Azure Government credentials when adding a new Azure Government connector configuration:

  • Identify your Azure Government Subscription ID.
  • Create an App Registration in Azure Government Active Directory.
  • Retrieve the Azure Government Tenant ID, Client ID, and Client Secret from the App Registration.
  • Create a new storage account, or use an existing one inside the subscription. The output of this is the Storage Account Name.

Identify the correct Azure Government Subscription ID

  1. Go to the Azure Government portal.
  2. In the left sidebar, click Subscriptions. When Subscriptions isn’t listed, click More Services and search for Subscriptions in that window.
  3. In the Subscriptions window, locate and click the Azure Government subscription you want to use for your deployment.
  4. On the next menu, click Overview. The Subscription ID is located in the top left of the window that appears.
  5. Enter the information from the Subscription ID box in the App Layering Azure Government Connector UI.

Create an app registration for each Azure Government subscription

You must create a new app registration for each Azure Government subscription for which you want to create connector configurations.

Note:

You can use one Azure Government subscription for multiple Azure Government connector configurations.

To create an app registration:

  1. Log into the Azure Government portal.
  2. In the left sidebar, click Azure Government Active Directory. When this isn’t listed, click More Services and search for Azure Government Active Directory.
  3. In the menu that appears, click App registrations.
  4. Click New application registration at the top of the new window. A form appears for you to fill out.
  5. In the Name field, type a descriptive name, such as Citrix App Layering access.
  6. For Application type, select Web app / API.
  7. For Sign-on URL, type http://nothing.
  8. Click Create.
  9. In the list of App registrations, click the new app registration that you created in the preceding procedure. It contains the name you entered.
  10. In the new window that appears, the Application ID appears near the top. Enter this value into the Client ID box in the App Layering Azure Government Connector UI.
  11. In the Settings menu on the right, click Properties.
  12. Find the App ID URI field in the Properties window that appears.
  13. The Tenant ID you need is in the middle of the App ID URI: it is everything after the https:// portion, up to the next slash. For example, if your App ID URI is https://helloworld.onmicrosoft.com/1234-5432-43421, then your Tenant ID is helloworld.onmicrosoft.com.
  14. Copy the Tenant ID and enter it into the Tenant ID box in the App Layering Azure Government Connector UI.
  15. In the Settings menu, click Keys.
  16. In the Keys window that appears, click Key description and type a description, such as App Layering Key 1.
  17. Click the drop-down menu under Expires and select any value.
  18. Click Save at the top of the Keys window.
  19. The key value appears under Value and is your Client Secret. Type this value into the Client Secret box in the App Layering Azure Government Connector UI.

    Note:

    This key does not appear again after you close this window. The key is sensitive information: treat it like a password that allows administrative access to your Azure Government subscription. You can find the settings of the app registration you just created under Azure Government Active Directory > App registrations > [name you just entered] > Settings > Properties.

  20. Click Subscriptions in the left sidebar. This closes all open windows and brings you to the Subscriptions window. When Subscriptions isn’t listed, click More Services and search for Subscriptions in that window.
  21. Click the subscription you are using for this connector.
  22. In the menu that opens, click Access Control (IAM).
  23. In the window that appears, click Add on the top bar.
  24. The Add permissions form appears on the right. Click the drop-down for Role and select Contributor.
  25. In the Select box, type Citrix App Layering Access or use the name you entered for the Application registration in step 5 and then press Enter.
  26. Click that name you configured, such as Citrix App Layering Access (or the name you used).
  27. Click Save on the bottom of this form.

You have now set up an Azure Government app registration that has read/write access to your Azure Government subscription.
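The values collected in the procedure above (Subscription ID, Tenant ID, Client ID, Client Secret and the storage account name) are easy to mis-paste, and the Client Secret should never end up in a log or a screenshot. The following is an added example, not Citrix's code: it derives the Tenant ID from an App ID URI exactly as step 13 describes, checks the shape of each field before you enter it in the connector UI, and keeps the secret out of the config object's repr(). Field names, the ConnectorConfig class and all sample values are constructed for illustration.

```python
"""Added example (not Citrix's code): sanity-check connector values before
entering them in the UI and derive the Tenant ID from the App ID URI.
All sample values are constructed placeholders."""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
STORAGE_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")   # Azure storage account naming rule
# Hosts the appliance must reach for an Azure Government connector (from this page).
AZURE_GOV_HOSTS = ("login.microsoftonline.us", "management.usgovcloudapi.net")


def tenant_id_from_app_id_uri(app_id_uri: str) -> str:
    """Step 13: the Tenant ID is everything after https:// up to the next slash."""
    parsed = urlparse(app_id_uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"not an https App ID URI: {app_id_uri!r}")
    return parsed.netloc


@dataclass
class ConnectorConfig:
    name: str
    subscription_id: str
    tenant_id: str
    client_id: str
    storage_account_name: str
    client_secret: str = field(repr=False)   # keep the secret out of repr()/logs
    premium_storage_account_name: str = ""


def validate(cfg: ConnectorConfig) -> List[str]:
    """Return a list of problems with the field values; empty means well-formed.
    This checks shape only; the connector's TEST button verifies access."""
    problems = []
    if not cfg.name.strip():
        problems.append("Name is empty")
    if not GUID_RE.match(cfg.subscription_id):
        problems.append("Subscription ID is not a GUID")
    if not GUID_RE.match(cfg.client_id):
        problems.append("Client ID (Application ID) is not a GUID")
    # Step 13 yields the directory domain; the directory GUID is also accepted.
    if "://" in cfg.tenant_id or "/" in cfg.tenant_id:
        problems.append("Tenant ID should be only the host part of the App ID URI")
    elif not (GUID_RE.match(cfg.tenant_id) or DOMAIN_RE.match(cfg.tenant_id)):
        problems.append("Tenant ID is neither a directory domain nor a GUID")
    if not cfg.client_secret:
        problems.append("Client Secret is empty")
    if not cfg.storage_account_name:
        problems.append("Standard storage account name is required")
    for label, sa in (("Storage account name", cfg.storage_account_name),
                      ("Premium storage account name", cfg.premium_storage_account_name)):
        if sa and not STORAGE_NAME_RE.match(sa):
            problems.append(f"{label} {sa!r} must be 3-24 lowercase letters and digits")
    return problems


# Constructed sample values (placeholder GUIDs and secret, not real identifiers).
SAMPLE = ConnectorConfig(
    name="Azure Gov - usgovvirginia",
    subscription_id="00000000-0000-0000-0000-000000000001",
    tenant_id=tenant_id_from_app_id_uri(
        "https://helloworld.onmicrosoft.com/1234-5432-43421"),
    client_id="11111111-2222-3333-4444-555555555555",
    storage_account_name="layerimages",
    client_secret="placeholder-secret-value",
)

if __name__ == "__main__":
    print(SAMPLE)                                   # secret is omitted from the repr
    print(validate(SAMPLE) or "all fields look well-formed")
    print("appliance must reach:", ", ".join(AZURE_GOV_HOSTS))
```

The validation is purely structural; it catches a pasted URI where a Tenant ID belongs or a mixed-case storage account name, but only the connector's TEST button confirms that the credentials actually grant access.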

Set up the necessary Storage Account(s)

The Azure Government storage account(s) are where the App Layering software stores all images imported from and published to Azure Government (virtual hard disks, or VHDs), along with the template file that you use to deploy Azure Government virtual machines, and the boot diagnostics files for those machines.

Use existing storage account

You can use an existing storage account. It must meet these requirements:

  • Cannot be a classic storage account.
  • Must be in the same subscription you’ve already used in this connector.

When these requirements are met you can:

  • Enter the Name of the storage account in the Storage account name field in the App Layering Azure Government connector configuration wizard.

Create a new storage account

If you don’t have a storage account, you must create one.

  1. Click Storage accounts in the left sidebar. Do not select Storage Accounts classic. When Storage isn’t listed, click More Services and search for Storage accounts there.
  2. In the Storage accounts window that appears, click Add.
  3. In Name, enter a name that you’ll remember.
  4. In Deployment model, select Resource manager.
  5. In Account kind, select General purpose.
  6. In Performance, select Standard or Premium, based on the type of storage account you need.
  7. In Replication, any value is OK. Read more about the choices here.
  8. In Storage service encryption, select Disabled.
  9. In Subscription, select the same subscription you have been using throughout this process.
  10. In Resource group, select Create New and enter a name that is similar to your Storage account’s name.
  11. In Location, select a location that is closest to your organization.
  12. Click Create.
  13. In the App Layering Azure Government Connector UI, enter the Storage account name.

What to do if your Azure Government Client Secret is lost

You can generate a new Azure Government Client Secret. For details, see the steps in the Create an app registration for each Azure Government subscription section earlier in this article.

Add a Connector Configuration

When all requirements are ready, create an Azure Government connector configuration:

  1. In the wizard for creating a Layer or for adding a Layer Version, click the Connector tab.
  2. Under the list of Connector Configurations, click New. A dialog box opens.
  3. Select the Connector Type for the platform and location where you are creating the Layer or publishing the image. Then click New to open the Connector Configuration page.
  4. Complete the fields on the Connector Configuration page. For guidance, see the field definitions.
  5. Click the TEST button to verify that the appliance can access the location specified using the credentials supplied.
  6. Click Save. The new Connector Configuration appears on the Connector tab.

Azure Government data structure (Reference)

The Azure Government data structure is as follows:

Tenant

  • Tenant ID
  • App Registration
    • Client ID
    • Client Secret
  • Subscription
    • Subscription ID
    • Storage Account
      • Storage Account Name

where:

  • Tenant is your Azure Government Active Directory instance that users and applications can use to access Azure Government. The Tenant is identified by your Tenant ID. A Tenant can have access to one or more Azure Government Subscriptions.
  • The Azure Government Active Directory Tenant contains two types of accounts.
    • A User Account for logging into the Azure Government portal (portal.azure.us).
    • An App Registration for accessing the subscription has a Client ID.
      • The Client ID has a Client Secret, instead of a password.
      • Users can generate the Client Secret, and delete it.
  • An Azure Government Subscription contains everything that can be created in Azure Government, except for user accounts.
  • A Subscription contains Storage Accounts, which is where App Layering VHDs are stored. Each Storage Account is identified by a Storage Account Name.