Create a Microsoft Azure catalog test
Create machine catalogs describes the wizards that create a machine catalog. The following information covers details specific to Microsoft Azure Resource Manager cloud environments.
Note:
Before creating a Microsoft Azure catalog, you need to finish creating a connection to Microsoft Azure. See Connection to Microsoft Azure.
Create a machine catalog
You can create a machine catalog in two ways:
- Full Configuration interface.
- PowerShell. See Creating a catalog.
Create a machine catalog using an Azure Resource Manager image in the Full Configuration interface
This information is a supplement to the guidance in Create machine catalogs.
An image can be a disk, snapshot, or an image version of an image definition inside the Azure Compute Gallery that is used to create the VMs in a machine catalog.
Before creating the machine catalog, create an image in Azure Resource Manager.
Note:
- The use of unmanaged disks to provision VMs is deprecated.
- Support for using a master image from a region different from that configured in the host connection is deprecated. Use Azure Compute Gallery to replicate the master image to the desired region.
During image preparation, a preparation virtual machine (VM) is created based on the original VM. This preparation VM is disconnected from the network. To disconnect the network from the preparation VM, a network security group is created to deny all inbound and outbound traffic. The network security group is created automatically once per catalog. The network security group’s name is Citrix-Deny-All-a3pgu-GUID, where GUID is randomly generated. For example, Citrix-Deny-All-a3pgu-3f161981-28e2-4223-b797-88b04d336dd1.
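One way to check that a preparation network security group really blocks all traffic, as an added example that is not Citrix code. It assumes NSG objects with Name and SecurityRules fields shaped like Azure NSG rule properties; the helper names and the sample NSGs are constructed for illustration.

```powershell
# Added example (not Citrix code). Name pattern is from the page; the rule
# fields mirror Azure NSG rule properties and the sample NSGs are constructed.
$PrepNsgPattern = '^Citrix-Deny-All-a3pgu-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'

function Test-MatchesAll {
    # True when a rule field is '*' or a list containing '*'.
    param($Value)
    @($Value) -contains '*'
}

function Test-PrepNsgDeniesAll {
    # Hypothetical helper: reports why an NSG does not block all traffic.
    param([Parameter(Mandatory)] $Nsg)
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($direction in 'Inbound', 'Outbound') {
        $rules = @($Nsg.SecurityRules | Where-Object { $_.Direction -eq $direction })
        $denyAll = $rules | Sort-Object Priority | Where-Object {
            $_.Access -eq 'Deny' -and (Test-MatchesAll $_.Protocol) -and
            (Test-MatchesAll $_.SourceAddressPrefix) -and
            (Test-MatchesAll $_.DestinationAddressPrefix) -and
            (Test-MatchesAll $_.DestinationPortRange)
        } | Select-Object -First 1
        if (-not $denyAll) { $findings.Add("${direction}: no catch-all Deny rule"); continue }
        # A lower priority number wins, so any earlier Allow punches a hole.
        $holes = @($rules | Where-Object { $_.Access -eq 'Allow' -and $_.Priority -lt $denyAll.Priority })
        foreach ($h in $holes) { $findings.Add("${direction}: Allow rule '$($h.Name)' precedes the Deny") }
    }
    [pscustomobject]@{ Name = $Nsg.Name; DeniesAll = ($findings.Count -eq 0); Findings = $findings }
}

function New-SampleRule {
    # Builds a constructed rule object for the demo data below.
    param($Name, $Priority, $Direction, $Access, $Port = '*')
    [pscustomobject]@{ Name = $Name; Priority = $Priority; Direction = $Direction; Access = $Access
        Protocol = '*'; SourceAddressPrefix = '*'; DestinationAddressPrefix = '*'; DestinationPortRange = $Port }
}

$nsgs = @(
    [pscustomobject]@{ Name = 'Citrix-Deny-All-a3pgu-3f161981-28e2-4223-b797-88b04d336dd1'
        SecurityRules = @(
            (New-SampleRule 'DenyIn'  4000 'Inbound'  'Deny'),
            (New-SampleRule 'DenyOut' 4000 'Outbound' 'Deny')) },
    [pscustomobject]@{ Name = 'Citrix-Deny-All-a3pgu-00000000-0000-0000-0000-000000000000'
        SecurityRules = @(
            (New-SampleRule 'DenyIn'   4000 'Inbound'  'Deny'),
            (New-SampleRule 'AllowWeb'  100 'Outbound' 'Allow' '443'),
            (New-SampleRule 'DenyOut'  4000 'Outbound' 'Deny')) },
    [pscustomobject]@{ Name = 'unrelated-nsg'; SecurityRules = @() }
)

# Only NSGs that follow the preparation naming scheme are audited.
$nsgs | Where-Object { $_.Name -match $PrepNsgPattern } |
    ForEach-Object { Test-PrepNsgDeniesAll $_ } | Format-List
```

To audit a live subscription, the output of Get-AzNetworkSecurityGroup (Az.Network module) should be usable in place of $nsgs, since the sample objects imitate its rule fields.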
In the machine catalog creation wizard:
- The Machine Type and Machine Management pages do not contain Azure-specific information. Follow the guidance in the Create machine catalogs article.
- On the Image page, select an image that you want to use as the master image for all machines in the catalog. The Select an image wizard appears. Follow these steps to select an image:
- (Applicable only to connections configured with shared images within or across tenants) Select a subscription where the image resides.
- Select a resource group.
- Navigate to the Azure managed disk, Azure Compute Gallery, or Azure image version.
When selecting an image, consider the following:
- Verify that a Citrix VDA is installed on the image.
- If you select a disk attached to a VM, you must shut down the VM before proceeding to the next step.
Note:
- The subscription corresponding to the connection (host) that created the machines in the catalog is denoted with a green dot. The other subscriptions are those that have the Azure Compute Gallery shared with that subscription. In those subscriptions, only shared galleries are shown. For information about how to configure shared subscriptions, see Share images within a tenant (across subscriptions) and Share images across tenants.
- You can create a provisioning scheme using ephemeral OS disk on Windows with trusted launch. When you select an image with trusted launch, then you must select a machine profile with trusted launch that is enabled with vTPM. To create machine catalogs using ephemeral OS disk, see How to create machines using ephemeral OS disks.
- When image replication is in progress, you can proceed and select the image as the master image and complete the setup. However, catalog creation might take longer to complete while the image is being replicated. MCS requires the replication to complete within an hour starting from catalog creation. If the replication times out, catalog creation fails. You can verify the replication status in Azure. Try again if the replication is still pending or after the replication completes.
- You can provision a Gen2 VM catalog by using a Gen2 image to improve boot time performance. However, creating a Gen2 machine catalog using a Gen1 image is not supported. Similarly, creating a Gen1 machine catalog using a Gen2 image is also not supported. Also, any older image that does not have generation information is a Gen1 image.
Choose whether you want VMs in the catalog to inherit configurations from a machine profile. By default, the Use a machine profile (mandatory for Azure Active Directory) checkbox is selected. Click Select a machine profile to browse to a VM or an ARM template spec from a list of resource groups.
Examples of configurations that VMs can inherit from a machine profile include:
- Accelerated networking
- Boot diagnostics
- Host disk caching (relating to OS and MCSIO disks)
- Machine size (unless otherwise specified)
- Tags placed on the VM
Note:
- When you select a master image for machine catalogs in Azure, the machine profile is filtered based on the master image you selected. For example, the machine profile is filtered based on the Windows OS, security type, hibernation support, and disk encryption set ID of the master image.
- Using a machine profile with trusted launch as Security Type is mandatory when you select an image or snapshot that has trusted launch enabled. You can then enable or disable SecureBoot and vTPM by specifying their values in the Machine Profile. For information about Azure trusted launch, see https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch.
Validate the ARM template spec to make sure that it can be used as a machine profile to create a machine catalog. For information on creating an Azure template spec, see Create an Azure template spec.
There are two ways to validate the ARM template spec:
- After you select the ARM template spec from the resource group list, click Next. Error messages appear if the ARM template spec has errors.
- Run one of the following PowerShell commands:
Test-ProvInventoryItem -HostingUnitName <string> -InventoryPath <string>
Test-ProvInventoryItem -HostingUnitUid <Guid> -InventoryPath <string>
For example:
Test-ProvInventoryItem -HostingUnitName "we-vdi0101-d-vnet" -InventoryPath machineprofile.folder/vdi01-d-rg.resourcegroup/VDD-templ-spec.templatespec/1.5.templatespecversion
After you create the catalog, you can view the configurations that the image inherits from the machine profile. On the Machine Catalogs node, select the catalog to view its details in the lower pane. Then, click the Template Properties tab to view machine profile properties. The Tags section displays up to three tags. To view all tags placed on the VM, click View all.
If you want MCS to provision VMs on an Azure dedicated host, enable the Use a host group checkbox and then select a host group from the list. A host group is a resource that represents a collection of dedicated hosts. A dedicated host is a service that provides physical servers that host one or more virtual machines. Your server is dedicated to your Azure subscription, not shared with other subscribers. When you use a dedicated host, Azure ensures that your VMs are the only machines running on that host. This feature is suitable for scenarios where you must meet regulatory or internal security requirements. To learn more about host groups and considerations for using them, see Provision VMs on Azure dedicated hosts.
Important:
- Only host groups that have Azure auto-placement enabled are shown.
- Using a host group changes the Virtual Machines page offered later in the wizard. Only machine sizes that the selected host group contains are shown on that page. Also, Availability Zones are selected automatically and not available for selection.
- The Storage and License Types page appears only when you use an Azure Resource Manager image.
You have the following storage types to use for the machine catalog:
- Premium SSD. Offers a high-performance, low-latency disk storage option suitable for VMs with I/O-intensive workloads.
- Standard SSD. Offers a cost-effective storage option that is suitable for workloads that require consistent performance at lower IOPS levels.
- Standard HDD. Offers a reliable, low-cost disk storage option suitable for VMs that run latency-insensitive workloads.
- Azure ephemeral OS disk. Offers a cost-effective storage option that reuses the local disk of the VMs to host the operating system disk. Alternatively, you can use PowerShell to create machines that use ephemeral OS disks. For more information, see Azure ephemeral disks. Consider the following when using an ephemeral OS disk:
- Azure ephemeral OS disk and MCS I/O cannot be enabled at the same time.
- To update machines that use ephemeral OS disks, you must select an image whose size does not exceed the size of the VM’s cache disk or temporary disk.
- You cannot use the Retain VM and system disk during power cycles option offered later in the wizard.
Note:
The identity disk is always created using Standard SSD irrespective of the storage type that you choose.
The storage type determines which machine sizes are offered on the Virtual Machines page of the wizard. MCS configures premium and standard disks to use Locally Redundant Storage (LRS). LRS makes multiple synchronous copies of your disk data within a single data center. Azure ephemeral OS disks use the local disk of the VMs to store the operating system. For details about Azure storage types and storage replication, see the following:
- Introduction to Azure Storage
- Azure premium storage: Design for high performance
- Azure Storage redundancy
Select whether to use existing Windows licenses or Linux licenses:
- Windows licenses: Using Windows licenses along with Windows images (Azure platform support images or custom images) lets you run Windows VMs in Azure at a reduced cost. There are two types of licenses:
- Windows Server license. Lets you use your Windows Server or Azure Windows Server licenses, allowing you to use Azure Hybrid Benefits. For details, see https://azure.microsoft.com/en-us/pricing/hybrid-benefit/. Azure Hybrid Benefit reduces the cost of running VMs in Azure to the base compute rate, waiving the cost of extra Windows Server licenses from the Azure gallery.
- Windows Client license. Lets you bring your Windows 10 and Windows 11 licenses to Azure, allowing you to run Windows 10 and Windows 11 VMs in Azure without the need for extra licenses. For details, see Client Access Licenses and Management Licenses.
- Linux licenses: With bring-your-own-subscription (BYOS) Linux licenses, you do not have to pay for the software. The BYOS charge only includes the compute hardware fee. There are two types of licenses:
- RHEL_BYOS: To use RHEL_BYOS type successfully, enable Red Hat Cloud Access on your Azure subscription.
- SLES_BYOS: The BYOS versions of SLES include support from SUSE.
See the following documents to understand License types and their benefits:
Azure Compute Gallery is a repository for managing and sharing images. It lets you make your images available throughout your organization. We recommend that you store an image in Azure Compute Gallery when creating large non-persistent machine catalogs because doing that enables faster resets of VDA OS disks. After you select Place prepared image in Azure Compute Gallery, the Azure Compute Gallery settings section appears, letting you specify more Azure Compute Gallery settings:
- Ratio of virtual machines to image replicas. Lets you specify the ratio of virtual machines to image replicas that you want Azure to keep. By default, Azure keeps a single image replica for every 40 non-persistent machines. For persistent machines, that number defaults to 1,000.
- Maximum replica count. Lets you specify the maximum number of image replicas that you want Azure to keep. The default is 10.
For information on Azure Compute Gallery, see Azure Compute Gallery.
- On the Virtual Machines page, indicate how many VMs you want to create and the machine size. After catalog creation, you can change the machine size by editing the catalog.
- The NICs page does not contain Azure-specific information. Follow the guidance in the Create machine catalogs article.
- On the Disk Settings page, choose whether to enable write-back cache. With the MCS storage optimization feature enabled, you can configure the following settings when creating a catalog. These settings apply to both Azure and GCP environments.
After enabling write-back cache, you can do the following:
- Configure the size of the disk and RAM used for caching temporary data. For more information, see Configure cache for temporary data.
- Select the storage type for the write-back cache disk. The following storage options are available to use for the write-back cache disk:
- Premium SSD
- Standard SSD
- Standard HDD
- Choose whether you want the write-back cache disk to persist for the provisioned VMs. Select Enable write-back cache to make the options available. By default, Use non-persistent write-back cache disk is selected.
- Select the type for the write-back cache disk.
- Use non-persistent write-back cache disk. If selected, the write-back cache disk is deleted during power cycles. Any data redirected to it will be lost. If the VM’s temporary disk has sufficient space, it is used to host the write-back cache disk to reduce your costs. After catalog creation, you can check whether the provisioned machines use the temporary disk. To do so, click the catalog and verify the information on the Template Properties tab. If the temporary disk is used, you see Non-persistent Write-back Cache Disk and its value is Yes (using VM’s temporary disk). If not, you see Non-persistent Write-back Cache Disk and its value is No (not using VM’s temporary disk).
- Use persistent write-back cache disk. If selected, the write-back cache disk persists for the provisioned VMs. Enabling the option increases your storage costs.
- Choose whether to retain VMs and system disks for VDAs during power cycles.
- Retain VM and system disk during power cycles. Available when you’ve selected Enable write-back cache. By default, VMs and the system disks are deleted on shutdown and recreated on startup. If you want to reduce VM restart times, select this option. Keep in mind that enabling this option also increases storage costs.
- Choose whether to Enable storage cost saving. If enabled, save storage costs by downgrading the storage disk to Standard HDD when the VM shuts down. The VM switches to its original settings on restart. The option applies to both storage and write-back cache disks. Alternatively, you can also use PowerShell. See Change the storage type to a lower tier when a VM is shut down.
Note:
Microsoft imposes restrictions on changing the storage type during VM shutdown. It’s also possible that Microsoft will block storage type changes in the future. For more information, see this Microsoft article.
- Choose whether to encrypt data on machines in this catalog and which encryption key to use. Server-side encryption with a customer-managed key (CMK) lets you manage encryption at a managed disk level and protect data on the machines in the catalog. Default settings are inherited from either the machine profile or the master image, with the profile taking priority:
- If you’re using a machine profile with a CMK, the Use the following key to encrypt data on each machine option is auto-selected and defaults to the key from the machine profile.
- If you’re using a machine profile with a Platform Managed Key (PMK) and the master image is CMK encrypted, the Use the following key to encrypt data on each machine option is auto-selected and defaults to the key from the master image.
- If you’re not using a machine profile and the master image is CMK encrypted, the Use the following key to encrypt data on each machine option is auto-selected and defaults to the key from the master image.
For more information, see Azure server side encryption.
- On the Resource Group page, choose whether to create resource groups or use existing groups.
- If you choose to create resource groups, select Next.
- If you choose to use existing resource groups, select groups from the Available Provisioning Resource Groups list.
Note:
Select enough groups to accommodate the machines you’re creating in the catalog. A message appears if you choose too few. You might want to select more than the minimum required if you plan to add more VMs to the catalog later. You can’t add more resource groups to a catalog after the catalog is created.
For more information, see Azure resource groups.
- On the Machine Identities page, choose an identity type and configure identities for machines in this catalog. If you select the VMs as Azure Active Directory joined, you can add them to an Azure AD security group. Detailed steps are as follows:
- From the Identity type field, select Azure Active Directory joined. The Azure AD security group (optional) option appears.
- Click Azure AD security group: Create new.
- Enter a group name, and then click Create.
- Follow the onscreen instructions to sign in to Azure. If the group name doesn’t exist in Azure, a green icon appears. Otherwise, an error message appears requesting you to enter a new name.
- To add the security group to an assigned security group, select Join an assigned security group as a member, and then click Select a group to choose an assigned group to join.
- Enter the machine account naming scheme for the VMs.
After catalog creation, Citrix DaaS accesses Azure on your behalf and creates the security group and a dynamic membership rule for the group. Based on the rule, VMs with the naming scheme specified in this catalog are automatically added to the security group.
Adding VMs with a different naming scheme to this catalog requires you to sign in to Azure. Citrix DaaS can then access Azure and create a dynamic membership rule based on the new naming scheme.
When deleting this catalog, deleting the security group from Azure also requires signing in to Azure.
Note:
To rename the Azure AD security group after catalog creation, edit the catalog and go to Azure AD Security Group from the left navigation. Names of Azure AD security groups must not contain the following characters:
@ " \ / ; : # . * ? = < > | [ ] ( ) '
- The Domain Credentials and Summary pages do not contain Azure-specific information. Follow the guidance in the Create Machine Catalogs article.
Complete the wizard.
Create an Azure template spec
You can create an Azure template spec in the Azure portal and use it in the Full configuration interface and PowerShell commands to create or update an MCS machine catalog.
To create an Azure template spec for an existing VM:
- Go to the Azure portal. Select a resource group, and then select the VM and network interface. From the … menu at the top, click Export template.
- Clear the Include parameters checkbox if you want to create a template spec for catalog provisioning.
- Click Add to library to modify the template spec later.
- On the Importing template page, enter the required information such as Name, Subscription, Resource Group, Location, and Version. Click Next: Edit Template.
- You also need a network interface as an independent resource if you want to provision catalogs. Therefore, you must remove any dependsOn specified in the template spec. For example:
"dependsOn": [ "[resourceId('Microsoft.Network/networkInterfaces', 'tnic937')]" ],
- Click Review + Create and create the template spec.
- On the Template Specs page, verify the template spec you created. Click the template spec. On the left panel, click Versions.
- You can create a new version by clicking Create new version. Specify a new version number, make changes to the current template spec, and click Review + Create to create the new version of the template spec.
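The dependsOn cleanup from the steps above, applied to exported template JSON before it is pasted into the template spec editor. This is an added example, not Citrix or Microsoft code; the function names and the trimmed sample template (VM name, API versions, size) are constructed for illustration.

```powershell
# Added example (not Citrix or Microsoft code). The template below is a
# constructed, trimmed stand-in for what "Export template" produces.
$exported = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-03-01",
      "name": "sample-vm",
      "location": "eastus",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', 'tnic937')]"
      ],
      "properties": { "hardwareProfile": { "vmSize": "Standard_D2s_v3" } }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2022-01-01",
      "name": "tnic937",
      "location": "eastus",
      "properties": {}
    }
  ]
}
'@

function Remove-DependsOn {
    # Strips dependsOn from each resource, including nested child resources.
    param($Resources, [System.Collections.Generic.List[string]] $Removed)
    foreach ($r in $Resources) {
        if ($r.PSObject.Properties['dependsOn']) {
            $Removed.Add("$($r.type)/$($r.name)")
            $r.PSObject.Properties.Remove('dependsOn')
        }
        if ($r.PSObject.Properties['resources']) { Remove-DependsOn $r.resources $Removed }
    }
}

function ConvertTo-MachineProfileTemplate {
    # Hypothetical helper: returns the cleaned JSON plus what was checked.
    param([Parameter(Mandatory)][string] $TemplateJson)
    $template = $TemplateJson | ConvertFrom-Json
    $removed  = [System.Collections.Generic.List[string]]::new()
    Remove-DependsOn $template.resources $removed
    $params = if ($template.parameters) { @($template.parameters.PSObject.Properties).Count } else { 0 }
    [pscustomobject]@{
        RemovedFrom    = $removed
        HasNic         = @($template.resources).type -contains 'Microsoft.Network/networkInterfaces'
        ParameterCount = $params   # expected 0 when "Include parameters" was cleared
        Json           = $template | ConvertTo-Json -Depth 32
    }
}

$result = ConvertTo-MachineProfileTemplate -TemplateJson $exported
$result | Format-List RemovedFrom, HasNic, ParameterCount
$result.Json
```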
You can get information about the template spec and template version using the following PowerShell commands:
- To get information about the template spec, run:
Get-Item XDHyp:\HostingUnits\East\machineprofile.folder\abc.resourcegroup\bggTemplateSpec.templatespec
- To get information about the template spec version, run:
Get-Item XDHyp:\HostingUnits\East\machineprofile.folder\abc.resourcegroup\bggTemplateSpec.templatespec\bgg1.0.templatespecversion
Where to go next
- If this is the first catalog created, you are guided to create a delivery group.
- To review the entire configuration process, see Plan and build a deployment.
- To manage catalogs, see Manage machine catalogs and Manage a Microsoft Azure catalog.
- For information on specific features, see: