Design Decision: Image Management
Machine Creation Services (MCS) is the primary image management solution used in Azure and, until recently, was the most common option for Citrix image management.
Citrix has been focusing on improving image management within Citrix Cloud.
These improvements help ease our customers' migration to the Azure cloud and let them spin up any workload in a matter of minutes.
One of the new Citrix services includes the Image Portability Service (IPS).
This service provides a way to port images between your on-premises data center and your Azure environment. The service uses a temporary Virtual Machine (VM) to host the Compositing Engine (CE).
The CE has two modes, Prepare and Export:
- The Prepare mode converts the virtual disk formats used for Citrix workloads and updates the portable properties.
- The Export mode copies the prepared disk to the target cloud.
A connector appliance controls the individual jobs, spawns the CE VM, and secures communications between Azure and your on-premises environment.
Azure supports a version of Citrix Provisioning Services (PVS) which allows you to stream a virtual disk to multiple VMs simultaneously.
With PVS, you can create 2500 identical VMs within a single subscription. Most of the administration and the functionality are the same as for an on-premises PVS environment, except for a few changes.
Azure does not allow the use of the Pre-boot Execution Environment (PXE), so changes were required to the streaming and boot process. This version of PVS includes a UEFI-based Boot Disk Manager (BDM) to create UEFI boot disks.
These boot disks require Azure Generation 2 VMs and do not support 32-bit operating systems. The Citrix broker is now responsible for all power management of the PVS VMs, though the PVS console can still power off the targets.
The Citrix Virtual Apps and Desktops Setup Wizard handles all the provisioning steps.
How can I use the image portability service to move my Citrix workloads?
Deploy golden images on-premises, using either Machine Creation Services or PVS.
The entire process for using IPS is completed through PowerShell commands from a remote workstation.
The latest version of PowerShellGet should be installed on the remote workstation before beginning the process.
Citrix connector appliances must be installed at each resource location where IPS is used.
At the on-premises location, a Windows SMB File share is required for temporary data storage during export jobs. The file share should have enough free space to hold two copies of the disk to be exported.
Automated publishing is only available with PVS on Azure deployments. Manual publishing to Azure is available for both PVS images and MCS images.
The following machine catalog configurations have been tested with IPS:
- Windows Server 2016, Windows Server 2019, or Windows 10 2004 or later
- Source images provisioned by Citrix Provisioning 1912 or later
- Citrix Virtual Apps and Desktops VDA 1912 or later
What are the limitations and requirements for deploying PVS in Azure?
The Azure subscription must have the ReserveMacOnCreateNic feature enabled.
At most 2500 VMs can be streamed in a single subscription.
All provisioned VMs must be created in the same region as the hosting unit. VMs are automatically spread across all availability zones in the target region.
Cross-region provisioning is not supported.
Requires UEFI boot of Generation 2 Azure VMs. Generation 1 (BIOS-based) VMs are not supported. Boot images that are created using the PXE or ISO format are not supported.
Supports only 64-bit versions of Windows 10 and Windows Server 2019 for streaming.
Use the Citrix Image Portability Service to import an existing image.
Active Directory support is required for machine naming using one of these methods:
- Azure Active Directory Domain Services (AADDS) added to your Azure Active Directory (AAD) tenant
- ExpressRoute connection to your on-premises Active Directory environment
- Active Directory domain controllers installed in Azure and synchronized with your on-premises AD environment and the AAD tenant
When using Azure Files Services for PVS vDisk storage, premium storage or Azure NetApp Services are required and must be in the same region as the PVS server.
A SQL Server or SQL Server Express VM is required. Currently, using any authentication method other than Windows Integrated Authentication, or using an Azure SQL database, is not supported.
The Golden VM must have the same disk and vGPU configurations.
Set up a virtual network for streaming to targets and peer that network with the network used for the VM communication to Active Directory. Use the AD Domain Controller IP addresses for DNS servers.
The PVS Server VM must have at least one vNIC on each virtual network where targets reside. The PVS server should also have at least 2 vCPUs and 8 GiB of memory.
What are the best practices for Image Management in Azure?
Always make a copy or snapshot of your golden image and use the copy or snapshot for machine catalog images. This practice allows for easy image updates and provides protection against image corruption.
Point existing image-based machines (PVS and MCS) to the cloud connectors by modifying the ListOfDDCs registry key on the golden images. The registry key can be found at HKLM\Software\Citrix\VirtualDeliveryAgent. After modifying the registry key, take a snapshot of the image. Update the machine catalog with the new snapshot when ready for the images to register with Citrix Cloud.
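The ListOfDDCs change described above, as an added example (not Citrix's own code) to run inside the golden image before taking the snapshot; the connector FQDNs and the backup file path are assumptions:

```powershell
# Added example (not from Citrix): point the VDA in a golden image at the Cloud
# Connectors by rewriting ListOfDDCs, then verify the value before snapshotting.
# Run as an administrator inside the golden image VM.
$Connectors = @('cc01.contoso.local', 'cc02.contoso.local')   # assumption: connector FQDNs
$KeyPath    = 'HKLM:\SOFTWARE\Citrix\VirtualDeliveryAgent'
$BackupFile = "$env:ProgramData\ListOfDDCs.previous.txt"      # assumption: where to keep the old value

if (-not (Test-Path $KeyPath)) {
    throw "VDA registry key $KeyPath not found; is the VDA installed?"
}

# Resolve every connector first: a typo here leaves every provisioned machine unregistered.
foreach ($fqdn in $Connectors) {
    try   { [void](Resolve-DnsName -Name $fqdn -ErrorAction Stop) }
    catch { throw "Cannot resolve Cloud Connector '$fqdn': $_" }
}

# Keep the previous value so the change can be reverted if registration fails.
$old = (Get-ItemProperty -Path $KeyPath -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
if ($old) { $old | Out-File -FilePath $BackupFile -Encoding ascii }

# ListOfDDCs is a REG_SZ holding the controller FQDNs separated by spaces.
$new = $Connectors -join ' '
Set-ItemProperty -Path $KeyPath -Name ListOfDDCs -Value $new -Type String

# Read back and compare, so the snapshot taken next contains exactly the intended value.
$now = (Get-ItemProperty -Path $KeyPath -Name ListOfDDCs).ListOfDDCs
if ($now -ne $new) { throw "ListOfDDCs verification failed, registry holds: '$now'" }
Write-Host "ListOfDDCs set to: $now (previous value saved to $BackupFile)"
```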
Use the Citrix Group Policy (Computer Configuration > Citrix Policies > Controllers) to point the other Citrix workload servers to the FQDN of the cloud connector and set "Enable auto update of Controllers" to "Allowed".
Use Managed disks for the golden images, unless you are using App Layering.
Be sure to keep copies of golden images in different regions.
Automate the build of the Golden Image:
- PowerShell SDKs can be used for full automation of the Golden Image build:
  - PowerShell v5.x
  - Azure PowerShell Module
  - Citrix Cloud Remote PowerShell SDK
- Use Azure PowerShell to do the following:
  - Create a new Azure VM
  - Configure the Windows Firewall
  - Remove the Azure Public IP address (if present)
  - Automate domain join
  - Automate software installation such as the VDA
  - Seal the image:
    - Reset log files
    - Reset Office licensing
    - Clear the GPO cache
    - Remove user profiles used for the build process
  - Copy the golden image to the business continuity region
- Install manually any other software that cannot be automated.
- Use the Citrix Cloud Remote PowerShell SDK to do the following:
  - Update the Machine Catalog
- Do not store passwords unencrypted in any scripts, and change any stored passwords (such as the local admin password) immediately after building.
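Two of the steps above, removing the build VM's public IP and rotating the stored local admin password, as an added example using the Az PowerShell module (not Citrix's own code); it runs from the remote workstation, and all resource, vault, secret and account names are assumptions:

```powershell
# Added example (not from Citrix): post-build clean-up of the golden-image build VM.
# 1) drop the public IP used during the build, 2) rotate the local admin password,
# keeping the new secret in Key Vault rather than in this script.
$ResourceGroup = 'rg-golden-image'     # assumption
$VmName        = 'vm-golden-build'     # assumption
$KeyVaultName  = 'kv-image-build'      # assumption
$SecretName    = 'golden-local-admin'  # assumption
$AdminUser     = 'imgadmin'            # assumption: local admin created at build time

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# 1. Detach and delete any public IP on the build VM's NICs (detach before delete,
#    otherwise Azure refuses to remove an IP that is still bound to an IP configuration).
foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
    $orphaned = @()
    foreach ($ipCfg in $nic.IpConfigurations) {
        if ($ipCfg.PublicIpAddress) {
            $orphaned += $ipCfg.PublicIpAddress.Id
            $ipCfg.PublicIpAddress = $null
        }
    }
    if ($orphaned.Count -gt 0) {
        Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
        foreach ($id in $orphaned) { Remove-AzResource -ResourceId $id -Force | Out-Null }
        Write-Host "Removed $($orphaned.Count) public IP(s) from NIC $($nic.Name)"
    }
}

# 2. Rotate the local administrator password. The value is generated here, written
#    to Key Vault, pushed with the VMAccess extension, and never written to disk or
#    to a script. Base64 of 24 random bytes is 32 characters long and, with
#    overwhelming probability, contains upper case, lower case and digits, which
#    satisfies Azure's three-of-four character-class rule.
$bytes = New-Object byte[] 24
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
$secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName -SecretValue $secure | Out-Null
$cred = New-Object System.Management.Automation.PSCredential($AdminUser, $secure)
Set-AzVMAccessExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -Location $vm.Location -Name 'VMAccessAgent' -Credential $cred | Out-Null
Write-Host "Password for $AdminUser rotated; the new value is in $KeyVaultName/$SecretName"
```

Run the cleanup before the image is sealed and snapshotted, so neither the build-time password nor a public endpoint is carried into the machine catalog.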
Should I do anything different from on-premises when managing MCS images in Azure?
- Use the Azure shared image gallery for storing MCS images to reduce the time required to create and hydrate the OS disks and improve application performance.
How do I manage images across geographic regions?
- Use Azure shared image gallery to provide multiple replicas in different regions.
How do I enable MCSIO in Azure?
- MCSIO can be enabled on MCS catalogs in Azure by using PowerShell to create a new Provisioning Scheme and Catalog.
- Use VDA version 1912 or later for the best results since not all earlier versions are supported.
- Do not forget to pre-create a Resource group in Azure for the MCS catalog.
- Install Citrix Remote PowerShell SDK to access Citrix Cloud configurations.
- In Azure, the write-back cache is stored on non-persistent media.