Deploy Session Recording resources to a cloud subscription (preview)

You can deploy the following Session Recording resources to your Azure subscription from within the Session Recording service: the Session Recording servers, databases, storage, and load balancer. You can also get recommended VM and storage configurations, predict costs, and view the actual monthly costs for using Azure from within the Session Recording service.

Deploy Session Recording resources to your Azure subscription

To deploy Session Recording resources to your Azure subscription from within the Session Recording service, create and deploy a site using a host connection that connects to your Azure subscription. To do so, complete the following steps:

  1. Select Configuration > Server Management from the left navigation of the Session Recording service.

    Server Management page

  2. On the Server Management page, click Create site. The Create Site page appears.

    Create site page

  3. Select Create and deploy a site through a host connection. The main steps are listed in the left navigation.

    Create and deploy a site through a host connection

  4. Enter a site name and description, select a host connection that connects to your Azure subscription, and specify a region.

    • If you don’t have a host connection in place, add one by referring to Add a host connection.

    • Azure Government regions are not supported.

  5. After completing the site information, click Next to proceed to the next step.

    Completing the site information

  6. (Optional) To get recommendations for VM and storage configurations, provide information about your recording needs.

    You can skip this step by clicking I’m good, skip this step or by clicking Next with nothing selected.

    Your recording needs

    When you select an option from the drop-down list, a recommendation is presented according to your selection. A reset button is available next to the recommendation. It lets you clear all selections and the recommendation in that section.

  7. Create virtual machines (VMs) as your Session Recording servers.

    Create VMs as Session Recording servers

    Note:

    • If your VDAs reside in a different virtual network from the VMs or in an on-premises network, establish connectivity to ensure the VMs can communicate with your VDAs.
    • The Number of VMs field is prefilled with the recommended number if there is one. Change the number as needed.
    • Estimated costs are based on standard pricing and don’t take discounts into consideration. You can expect lower actual costs than estimated.
  8. Specify a domain and a certificate for the VMs. Join the VMs to the same domain as your VDAs.

    Specify a domain and a certificate for the VMs

  9. Configure an Azure storage account and file shares to store your recording files. For pricing information, see Azure Files pricing.

    Configure an Azure storage account and file shares to store your recording files

  10. Create two SQL databases in Azure. One is used as the Session recording database (named sessionrecording) and the other as the administrator logging database (named sessionrecordinglogging).

    Create two SQL databases in Azure

  11. Create a load balancer to distribute workload among the VMs (Session Recording servers). Enter the IP addresses or ranges of your VDAs in the Restrict access of the load balancer to only the following addresses field. For pricing information, see Load Balancer pricing.

    Creating a load balancer

  12. (Optional) Apply tags to the Azure resources to be created.

    Applying tags to Azure resources

  13. Create a secure client to onboard the VMs (Session Recording servers) to the Session Recording service.

    Click Create client to let Citrix create a secure client on your behalf. Alternatively, you can create a secure client through the Identity and Access Management > API Access tab of the Citrix Cloud console and then fill in the information below.

    Create client button

  14. View the summary about the site to be created. Click the pencil icon to edit your settings if needed or click the button to start deployment.

    Summary about the site to be created

    The following are examples of the deployment process:

    Deployment in progress:

    Deployment in progress

    While a site deployment is in progress, you can click View status to view the progress. The following is an example of the progress:

    View status button

    Deployment failed:

    Deployment failed

    If errors occur during the deployment process, click View status to view the error details. The following is an example of the error details:

    Deployment error details

    You can click Back to configuration or cancel the deployment. If you click Back to configuration, you are taken back to the Create Site page, where you can alter your configurations and try again. If you are sure that you want to cancel the deployment, follow the wizard to remove the site and the Azure resources created for the site. For example:

    Deployment canceled

    Deployment success:

    When a site deployment is complete, you can expand the site and view and manage the resources created under it. The View status button changes to Settings. An Azure icon is available to represent sites deployed on Azure. For information about site settings, see Site and server settings.

    Deployed site

Add a host connection

To deploy Session Recording resources to your Azure subscription, you must have a host connection that connects to your Azure subscription. To add a host connection, complete the following steps:

  1. Click Add connection on the Create site page with Create and deploy a site through a host connection selected. Or, click Add connection on the Host Connection page.

    To access the Create site page, select Configuration > Server Management from the left navigation of the Session Recording service, and then click Create site.

    Server Management page

    To access the Host Connection page, select Configuration > Host Connection from the left navigation of the Session Recording service:

    Host Connection page

  2. On the Add connection page, give the new host connection a name and a description (optional). Enter your Azure subscription ID and the following required information about your application registration:

    • Application (client) ID
    • Service principal object ID (ID of the service principal object associated with the application)
    • Directory (tenant) ID
    • Client secret
    • Secret expiration date

    Add connection page

    To find your Azure subscription ID, do the following:

    1. Sign in to the Azure portal.
    2. Under the Azure services section, select Subscriptions.
    3. Find your subscription in the list and copy the Subscription ID shown in the second column.

      Finding the Azure Subscription ID

    To obtain the required information about your application registration, do the following:

    1. (Skip this step if you already have an application registered.) Register an application with your Azure AD tenant. An application must be registered to delegate identity and access management functions to Azure AD.

      There are two methods for registering an application.

      Method 1:

      1. Copy the following Citrix-provided script and name it, for example, AppRegistration.ps1:

        <#
        .SYNOPSIS
                Copyright (c) Citrix Systems, Inc. All Rights Reserved.
        .DESCRIPTION
            Create Azure app registrations and give proper permissions for Citrix Session Recording service deployment
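        .PARAMETER tenantId
            ID of the Azure AD tenant to sign in to
        .PARAMETER subscriptionId
            ID of the Azure subscription used as the assignable scope of the custom role
        .PARAMETER appName
            Display name of the app registration to create
        .PARAMETER customRole
            Assign the custom role from sessionrecording.json instead of the built-in Contributor role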
        #>
        [CmdletBinding()]
        Param(
            [Parameter(Position = 0, Mandatory = $true)]  [String] $tenantId,
            [Parameter(Mandatory = $true)] [String] $subscriptionId,
            [Parameter(Mandatory = $true)] [String] $appName,
            [Parameter(Mandatory = $false)] [Switch] $customRole
        )
        # Install the required Az modules if they are not already installed
        try {
            Get-InstalledModule -Name "Az.Accounts" -ErrorAction Stop
        }
        catch {
            Install-Module -Name "Az.Accounts" -Scope CurrentUser -Repository PSGallery -SkipPublisherCheck -Force
        }
        try {
            Get-InstalledModule -Name "Az.Resources" -ErrorAction Stop
        }
        catch {
            Install-Module -Name "Az.Resources" -Scope CurrentUser -Repository PSGallery -SkipPublisherCheck -Force
        }
        
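        # Prompt the user to sign in with their credential.
        # Select the target subscription explicitly so that the role assignments below,
        # which default to the current context's subscription, land on $subscriptionId.
        Connect-AzAccount -TenantId $tenantId -Subscription $subscriptionId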
        try
        {
            # Create a new app registration with a display name
            Write-Host "Create a new app registration for Citrix Session Recording service" -ForegroundColor Green
            $azureAdApplication = New-AzADApplication -DisplayName $AppName -AvailableToOtherTenants $false
        
            # Create a service principal for the app registration
            $azureAdApplicationServicePrincipal = New-AzADServicePrincipal -AppId $azureAdApplication.AppId
            $azureAdApplicationServicePrincipal = Get-AzADServicePrincipal -DisplayName $appName
        
            #Attempt to give role assignment
            if($customRole)
            {
                $rootPath = Get-Location
                $roleDef = Get-AzRoleDefinition -Name "Citrix Session Recording service"
                if($roleDef -eq $null)
                {
                    $customRolePath = $(Join-Path -Path $rootPath -ChildPath "sessionrecording.json") | Resolve-Path
                    $customRoleJson = Get-Content $customRolePath | ConvertFrom-Json
                    $customRoleJson.AssignableScopes[0] = "/subscriptions/" + $subscriptionId
                    $customRoleJson | ConvertTo-Json -depth 32 | Set-Content $customRolePath -Verbose
                    # Create custom role
                    try
                    {
                        New-AzRoleDefinition -InputFile $customRolePath.Path
                    }
                    catch
                    {
                        Write-Host "Failed to create custom roles $_" -ForegroundColor Red
                    }
                }
        
                # Assign this custom role to newly created application
                Write-Host "Try to assign session recording service custom roles to the above app" -ForegroundColor Green
                New-AzRoleAssignment -RoleDefinitionName "Citrix Session Recording service" -ApplicationId $azureAdApplication.AppId
        
            }
            else
            {
                Write-Host "Try to assign builtin contributor roles to above app" -ForegroundColor Green
                New-AzRoleAssignment -RoleDefinitionName "Contributor" -ApplicationId $azureAdApplication.AppId
            }
        
            Write-Host "Tenant ID: $tenantId" -ForegroundColor Green
            Write-Host "Subscription ID: $subscriptionId" -ForegroundColor Green
            Write-Host "Application ID $($azureAdApplication.AppId)" -ForegroundColor Green
            Write-Host "Service principal object ID $($azureAdApplicationServicePrincipal.id)" -ForegroundColor Green
        
        }
        catch
        {
            Write-Host "Failed to assign role assignment to this app $_" -ForegroundColor Red
            Write-Host "Please make sure the current azure admin has permission to assign roles" -ForegroundColor Red
        }
        
      2. Copy the following custom role file and name it sessionrecording.json. This custom role file helps to assign least permissions for the application to be registered.

        {
            "Name":  "Citrix Session Recording service",
            "Description":  "Custom role for session recording service",
            "AssignableScopes":  [
                                     "/subscriptions/*"
                                 ],
            "Actions":  [
                            "Microsoft.Resources/deployments/write",
                            "Microsoft.Resources/subscriptions/resourceGroups/write",
                            "Microsoft.Resources/deployments/operationstatuses/read",
                            "Microsoft.Resources/deployments/read",
                            "Microsoft.ManagedIdentity/userAssignedIdentities/write",
                            "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                            "Microsoft.KeyVault/vaults/write",
                            "Microsoft.KeyVault/vaults/read",
                            "Microsoft.Sql/servers/databases/write",
                            "Microsoft.Sql/servers/auditingSettings/write",
                            "Microsoft.Sql/servers/write",
                            "Microsoft.Storage/storageAccounts/write",
                            "Microsoft.Storage/storageAccounts/listkeys/action",
                            "Microsoft.Storage/storageAccounts/read",
                            "Microsoft.Sql/servers/read",
                            "Microsoft.Storage/storageAccounts/fileServices/shares/write",
                            "Microsoft.Compute/virtualMachines/extensions/write",
                            "Microsoft.Compute/virtualMachines/runCommands/write",
                            "Microsoft.Compute/virtualMachines/write",
                            "Microsoft.Network/networkInterfaces/write",
                            "Microsoft.Network/loadBalancers/write",
                            "Microsoft.Network/publicIPAddresses/write",
                            "Microsoft.Compute/availabilitySets/write",
                            "Microsoft.Network/publicIPAddresses/read",
                            "Microsoft.Network/publicIPAddresses/join/action",
                            "Microsoft.Network/virtualNetworks/subnets/join/action",
                            "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
                            "Microsoft.Network/networkInterfaces/join/action",
                            "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                            "Microsoft.Compute/virtualMachines/read",
                            "Microsoft.Compute/virtualMachines/runCommands/read",
                            "Microsoft.Compute/virtualMachines/extensions/read",
                            "Microsoft.Sql/servers/firewallRules/write",
                            "Microsoft.Resources/subscriptions/resourceGroups/delete",
                            "Microsoft.KeyVault/locations/deletedVaults/purge/action",
                            "Microsoft.Resources/subscriptions/resourceGroups/read",
                            "Microsoft.CostManagement/forecast/read",
                            "Microsoft.CostManagement/query/read",
                            "Microsoft.Network/networkSecurityGroups/write",
                            "Microsoft.Network/networkSecurityGroups/delete",
                            "Microsoft.Network/networkSecurityGroups/read",
                            "Microsoft.Network/virtualNetworks/read",
                            "Microsoft.Network/virtualNetworks/subnets/read",
                            "Microsoft.Network/networkInterfaces/read",
                            "Microsoft.Network/networkSecurityGroups/join/action"
                        ],
            "NotActions":  [
        
                           ],
            "DataActions":  [
        
                            ],
            "NotDataActions":  [
        
                               ]
        }
        
      3. Put AppRegistration.ps1 and sessionrecording.json in the same folder.
      4. Run either of the following commands as needed.

        To create an application and assign it least permissions with the preceding custom role file (sessionrecording.json), run:

        .\AppRegistration.ps1 -tenantId <tenant ID> -subscriptionId <subscription ID> -appName <application name> -customRole
        

        To create an application and assign it the Azure built-in Contributor role, run:

        .\AppRegistration.ps1 -tenantId <tenant ID> -subscriptionId <subscription ID> -appName <application name>
        

      Method 2:

      Go to the Azure portal and register an application by yourself. Grant proper permissions to the application. For the least permissions that are required, see the sessionrecording.json file in Method 1.

    2. Click the display name of your application.

      Application display name

    3. On the overview page, find the application (client) ID and directory (tenant) ID. Click the link next to Managed application in local directory to find the ID of the service principal object associated with the application. Click the link next to Client credentials to find the client secret ID and its expiration date.

      Application essentials

      ID of the service principal object associated with the application:

      Service principal object ID

      Client secret ID and its expiration date:

      Client secret ID and its expiration date

  3. Click Save to test whether the host connection you specify is available.

    If the host connection you specify is available, you are taken back to the Host Connection page and prompted that the host connection is added successfully.

    The Session Recording service reminds you of expired and expiring client secrets using error and warning icons, respectively. You can click the corresponding host connection and click Change secret on the Connection details page to update the client secret and its expiration date.

    Change secret
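
Before assigning the custom role from Method 1, or granting equivalent permissions by hand in Method 2, it helps to review what the role file allows. The following PowerShell function is an added example, not part of the Citrix script; the function name Test-SessionRecordingRole, the shortened sample JSON, and the all-zero subscription ID are constructed for illustration.

```powershell
# Added example, not Citrix code. Test-SessionRecordingRole is a hypothetical name.
function Test-SessionRecordingRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $RoleJson,
        [Parameter(Mandatory = $true)] [string] $SubscriptionId
    )
    $role = $RoleJson | ConvertFrom-Json
    $findings = [System.Collections.Generic.List[string]]::new()

    # The role should be assignable only in the subscription that hosts the site.
    $expectedScope = "/subscriptions/$SubscriptionId"
    foreach ($scope in @($role.AssignableScopes)) {
        if ($scope -ne $expectedScope) {
            $findings.Add("SCOPE: '$scope' is not '$expectedScope'")
        }
    }

    # A wildcard in Actions would widen the role beyond the listed operations.
    foreach ($action in @($role.Actions)) {
        if ($action.Contains('*')) { $findings.Add("WILDCARD: $action") }
    }

    # Actions from the page's list that reach into VMs, keys, identities, or deletion.
    $sensitive = [ordered]@{
        'Microsoft.Compute/virtualMachines/runCommands/write'            = 'runs commands inside the VMs'
        'Microsoft.Compute/virtualMachines/extensions/write'             = 'installs VM extensions'
        'Microsoft.Storage/storageAccounts/listkeys/action'              = 'returns storage account keys'
        'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' = 'attaches a managed identity to a resource'
        'Microsoft.Resources/subscriptions/resourceGroups/delete'        = 'deletes resource groups'
        'Microsoft.KeyVault/locations/deletedVaults/purge/action'        = 'purges deleted key vaults'
    }
    foreach ($name in $sensitive.Keys) {
        if ($name -in @($role.Actions)) {
            $findings.Add("REVIEW: $name ($($sensitive[$name]))")
        }
    }
    return $findings
}

# Constructed sample: a shortened copy of sessionrecording.json as shipped.
$sample = @'
{
  "Name": "Citrix Session Recording service",
  "AssignableScopes": [ "/subscriptions/*" ],
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/runCommands/write",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Resources/subscriptions/resourceGroups/delete"
  ]
}
'@
# Placeholder subscription ID, constructed for the example.
Test-SessionRecordingRole -RoleJson $sample -SubscriptionId '00000000-0000-0000-0000-000000000000'
```

To check the real file, pass the output of `Get-Content .\sessionrecording.json -Raw` as -RoleJson. The REVIEW entries are the operations worth alerting on in the Azure Activity Log for this service principal.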

View actual costs for using Azure

For a site deployed on Azure, click the cost amount to view the cost details. For example:

Cost for using Azure

Cost analysis

Tips for viewing the actual costs:

  • When you hover on the area graph for the current month, a reference line for the date and data from that day appears as an overlay.
  • The historical costs of different resources are represented by line graphs. Line graphs are available when there are at least two months of data. When you hover on the line graphs, a reference line and the cost breakdown for that month appear as an overlay. To view the line graph of only a specific resource, hover on the resource.