Deploy Session Recording resources to a cloud subscription (preview)

You can deploy the following Session Recording resources to your Azure subscription from within the Session Recording service: the Session Recording servers, databases, storage, and load balancer. You can also get recommended VM and storage configurations, predict costs, and view the actual monthly costs for using Azure from within the Session Recording service.

Deploy Session Recording resources to your Azure subscription

To deploy Session Recording resources to your Azure subscription from within the Session Recording service, create and deploy a site using a host connection that connects to your Azure subscription. To do so, complete the following steps:

1. Select Configuration > Server Management from the left navigation of the Session Recording service.

   

2. On the Server Management page, click Create site. The Create Site page appears.

   

3. Select Create and deploy a site through a host connection. The main steps are listed in the left navigation.

   

4. Enter a site name and description, select a host connection that connects to your Azure subscription, and specify a region.

   • If you don’t have a host connection in place, add one by referring to Add a host connection.

   • Azure Government regions are not supported.

5. After completing the site information, click Next to proceed to the next step.

   

6. (Optional) To get recommendations for VM and storage configurations, provide information about your recording needs.

   You can skip this step by clicking I’m good, skip this step or by clicking Next with nothing selected.

   

   When you select an option from the drop-down list, a recommendation is presented according to your selection. A reset button is available next to the recommendation. It lets you clear all selections and the recommendation in that section.

7. Create virtual machines (VMs) as your Session Recording servers.

   

   Note:

   • If your VDAs reside in a different virtual network from the VMs or in an on-premises network, establish connectivity to ensure the VMs can communicate with your VDAs.
   • The Number of VMs field is prefilled with the recommended number if there is one. Change the number as needed.
   • Estimated costs are based on standard pricing and don’t take discounts into consideration. You can expect lower actual costs than estimated.

8. Specify a domain and a certificate for the VMs. Join the VMs to the same domain with your VDAs.

   

9. Configure an Azure storage account and file shares to store your recording files. For pricing information, see Azure Files pricing.

   

10. Create two SQL databases in Azure. One is used as the Session recording database (named sessionrecording) and the other as the administrator logging database (named sessionrecordinglogging).

    

11. Create a load balancer to distribute workload among the VMs (Session Recording servers). Enter the IP addresses or ranges of your VDAs in the Restrict access of the load balancer to only the following addresses field. For pricing information, see Load Balancer pricing.

    

12. (Optional) Apply tags to the Azure resources to be created.

    

13. Create a secure client to onboard the VMs (Session Recording servers) to the Session Recording service.

    Click Create client to let Citrix create a secure client on your behalf. Alternatively, you can create a secure client through the Identity and Access Management > API Access tab of the Citrix Cloud console and then fill in the information below.

    

14. View the summary about the site to be created. Click the pencil icon to edit your settings if needed or click the button to start deployment.

    

    The following are examples of the deployment process:

    Deployment in progress:

    

    While a site deployment is in progress, you can click View status to view the progress. For an example of the progress:

    

    Deployment failed:

    

    If errors occur during the deployment process, click View status to view the error details. For an example of the error details:

    

    You can click Back to configuration or cancel the deployment. If you click Back to configuration, you are taken back to the Create Site page where you can alter your configurations and try again. If you are sure to cancel the deployment, follow the wizard to remove the site and the Azure resources created for the site. For example:

    

    Deployment success:

    When a site deployment is complete, you can expand the site and view and manage the resources created under it. The View status button changes to Settings. An Azure icon is available to represent sites deployed on Azure. For information about site settings, see Site and server settings.

    

Add a host connection

To deploy Session Recording resources to your Azure subscription, you must have a host connection that connects to your Azure subscription. To add a host connection, complete the following steps:

1. Click Add connection on the Create site page with Create and deploy a site through a host connection selected. Or, click Add connection on the Host Connection page.

   To access the Create site page, select Configuration > Server Management from the left navigation of the Session Recording service, and then click Create site.

   

   To access the Host Connection page, select Configuration > Host Connection from the left navigation of the Session Recording service:

   

2. On the Add connection page, give the new host connection a name and a description (optional). Enter your Azure subscription ID and the following required information about your application registration:

   • Application (client) ID
   • Service principal object ID (ID of the service principal object associated with the application)
   • Directory (tenant) ID
   • Client secret
   • Secret expiration date

   

   To find your Azure subscription ID, do the following:

   1. Sign in to the Azure portal.
   2. Under the Azure services section, select Subscriptions.

   3. Find your subscription in the list and copy the Subscription ID shown in the second column.

      

   To obtain the required information about your application registration, do the following:

   1. (Skip this step if you already have an application registered.) Register an application with your Azure AD tenant. An application must be registered to delegate identity and access management functions to Azure AD.

      There are two methods for registering an application.

      Method 1:

      1. Copy the following Citrix-provided script and name it, for example, AppRegistration.ps1:

         <#
         .SYNOPSIS
                 Copyright (c) Citrix Systems, Inc. All Rights Reserved.
         .DESCRIPTION
             Create Azure app registrations and give proper permissions for Citrix Session Recording service deployment
         .Parameter azureTenantID
         .Parameter azureSubscriptionID
         .Parameter appName
         .Parameter customRole
         #>
         [CmdletBinding()]
         Param(
             [Parameter(Position = 0, Mandatory = $true)]  [String] $tenantId,
             [Parameter(Mandatory = $true)] [String] $subscriptionId,
             [Parameter(Mandatory = $true)] [String] $appName,
             [Parameter(Mandatory = $false)] [Switch] $customRole
         )
         # Import the Azure module
         try {
             Get-InstalledModule -Name "Az.Accounts" -ErrorAction Stop
         }
         catch {
             Install-Module -Name "Az.Accounts" -Scope CurrentUser -Repository PSGallery -SkipPublisherCheck -Force
         }
         try {
             Get-InstalledModule -Name "Az.Resources" -ErrorAction Stop
         }
         catch {
             Install-Module -Name "Az.Resources" -Scope CurrentUser -Repository PSGallery -SkipPublisherCheck -Force
         }
         
         # Prompt the user to sign in with their credential
         Connect-AzAccount -TenantId $tenantId
         try
         {
             # Create a new app registration with a display name
             Write-Host "Create a new app registration for Citrix Session Recording service" -ForegroundColor Green
             $azureAdApplication = New-AzADApplication -DisplayName $AppName -AvailableToOtherTenants $false
         
             # Create a service principal for the app registration
             $azureAdApplicationServicePrincipal = New-AzADServicePrincipal -AppId $azureAdApplication.AppId
             $azureAdApplicationServicePrincipal = Get-AzADServicePrincipal -DisplayName $appName
         
             #Attempt to give role assignment
             if($customRole)
             {
                 $rootPath = Get-Location
                 $roleDef = Get-AzRoleDefinition -Name "Citrix Session Recording service"
                 if($roleDef -eq $null)
                 {
                     $customRolePath = $(Join-Path -Path $rootPath -ChildPath "sessionrecording.json") | Resolve-Path
                     $customRoleJson = Get-Content $customRolePath | ConvertFrom-Json
                     $customRoleJson.AssignableScopes[0] = "/subscriptions/" + $subscriptionId
                     $customRoleJson | ConvertTo-Json -depth 32 | Set-Content $customRolePath -Verbose
                     # Create custom role
                     try
                     {
                         New-AzRoleDefinition -InputFile $customRolePath.Path
                     }
                     catch
                     {
                         Write-Host "Failed to create custom roles $_" -ForegroundColor Red
                     }
                 }
         
                 # Assign this custom role to newly created application
                 Write-Host "Try to assign session recording service custom roles to the above app" -ForegroundColor Green
                 New-AzRoleAssignment -RoleDefinitionName "Citrix Session Recording service" -ApplicationId $azureAdApplication.AppId
         
             }
             else
             {
                 Write-Host "Try to assign builtin contributor roles to above app" -ForegroundColor Green
                 New-AzRoleAssignment -RoleDefinitionName "Contributor" -ApplicationId $azureAdApplication.AppId
             }
         
             Write-Host "Tenant ID: $tenantId" -ForegroundColor Green
             Write-Host "Subscription ID: $subscriptionId" -ForegroundColor Green
             Write-Host "Application ID $($azureAdApplication.AppId)" -ForegroundColor Green
             Write-Host "Service principal object ID $($azureAdApplicationServicePrincipal.id)" -ForegroundColor Green
         
         }
         catch
         {
             Write-Host "Failed to assign role assignment to this app $_" -ForegroundColor Red
             Write-Host "Please make sure the current azure admin has permission to assign roles" -ForegroundColor Red
         }
         <!--NeedCopy-->
         

      2. Copy the following custom role file and name it sessionrecording.json. This custom role file helps to assign least permissions for the application to be registered.

         {
             "Name":  "Citrix Session Recording service",
             "Description":  "Custom role for session recording service",
             "AssignableScopes":  [
                                      "/subscriptions/*"
                                  ],
             "Actions":  [
                             "Microsoft.Resources/deployments/write",
                             "Microsoft.Resources/subscriptions/resourceGroups/write",
                             "Microsoft.Resources/deployments/operationstatuses/read",
                             "Microsoft.Resources/deployments/read",
                             "Microsoft.ManagedIdentity/userAssignedIdentities/write",
                             "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                             "Microsoft.KeyVault/vaults/write",
                             "Microsoft.KeyVault/vaults/read",
                             "Microsoft.Sql/servers/databases/write",
                             "Microsoft.Sql/servers/auditingSettings/write",
                             "Microsoft.Sql/servers/write",
                             "Microsoft.Storage/storageAccounts/write",
                             "Microsoft.Storage/storageAccounts/listkeys/action",
                             "Microsoft.Storage/storageAccounts/read",
                             "Microsoft.Sql/servers/read",
                             "Microsoft.Storage/storageAccounts/fileServices/shares/write",
                             "Microsoft.Compute/virtualMachines/extensions/write",
                             "Microsoft.Compute/virtualMachines/runCommands/write",
                             "Microsoft.Compute/virtualMachines/write",
                             "Microsoft.Network/networkInterfaces/write",
                             "Microsoft.Network/loadBalancers/write",
                             "Microsoft.Network/publicIPAddresses/write",
                             "Microsoft.Compute/availabilitySets/write",
                             "Microsoft.Network/publicIPAddresses/read",
                             "Microsoft.Network/publicIPAddresses/join/action",
                             "Microsoft.Network/virtualNetworks/subnets/join/action",
                             "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
                             "Microsoft.Network/networkInterfaces/join/action",
                             "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                             "Microsoft.Compute/virtualMachines/read",
                             "Microsoft.Compute/virtualMachines/runCommands/read",
                             "Microsoft.Compute/virtualMachines/extensions/read",
                             "Microsoft.Sql/servers/firewallRules/write",
                             "Microsoft.Resources/subscriptions/resourceGroups/delete",
                             "Microsoft.KeyVault/locations/deletedVaults/purge/action",
                             "Microsoft.Resources/subscriptions/resourceGroups/read",
                             "Microsoft.CostManagement/forecast/read",
                             "Microsoft.CostManagement/query/read",
                             "Microsoft.Network/networkSecurityGroups/write",
                             "Microsoft.Network/networkSecurityGroups/delete",
                             "Microsoft.Network/networkSecurityGroups/read",
                             "Microsoft.Network/virtualNetworks/read",
                             "Microsoft.Network/virtualNetworks/subnets/read",
                             "Microsoft.Network/networkInterfaces/read",
                             "Microsoft.Network/networkSecurityGroups/join/action"
                         ],
             "NotActions":  [
         
                            ],
             "DataActions":  [
         
                             ],
             "NotDataActions":  [
         
                                ]
         }
         <!--NeedCopy-->
         

      3. Put AppRegistration.ps1 and sessionrecording.json in the same folder.

      4. Run either of the following commands as needed.

         To create an application and assign it least permissions with the preceding custom role file (sessionrecording.json), run:

         .\AppRegistration.ps1 -tenantId <tenant ID> -subscriptionId <subscription ID> -appName <application name> -customRole
         <!--NeedCopy-->
         

         To create an application and assign it the Azure built-in Contributor role, run:

         .\AppRegistration.ps1 -tenantId <tenant ID>-subscriptionId <subscription ID>-appName <application name>
         <!--NeedCopy-->
         

      Method 2:

      Go to the Azure portal and register an application by yourself. Grant proper permissions to the application. For the least permissions that are required, see the sessionrecording.json file in Method 1.

   2. Click the display name of your application.

      

   3. On the overview page, find the application (client) ID and directory (tenant) ID. Click the link next to Managed application in local directory to find the ID of the service principal object associated with the application. Click the link next to Client credentials to find the client secret ID and its expiration date.

      

      ID of the service principal object associated with the application:

      

      Client secret ID and its expiration date:

      

3. Click Save to test whether the host connection you specify is available.

   If the host connection you specify is available, you are taken back to the Host Connection page and prompted that the host connection is added successfully.

   The Session Recording service reminds you of expired and expiring client secrets using error and warning icons, respectively. You can click the corresponding host connection and click Change secret on the Connection details page to update the client secret and its expiration date.

   

View actual costs for using Azure

For a site deployed on Azure, click the cost amount to view the cost details. For example:

Tips for viewing the actual costs:

• When you hover on the area graph for the current month, a reference line for the date and data from that day appears as an overlay.
• The history costs of different resources are represented by line graphs. Line graphs are available when there are at least two months of data. When you hover on the line graphs, a reference line and cost breakdown from the month appears as an overlay. To view the line graph of only a specific resource, hover on the resource.