A Connector Configuration contains the credentials and location information that the appliance needs to access a specific location in Azure. For example, your organization may have one Azure account and several storage locations, and you need a Connector Configuration for each storage location the appliance must reach. For more about Connectors and Connector Configurations, see Connectors and Connector Configurations.
When you create your first Layers, and later when you publish Layered Images for the first time, you will add a Connector Configuration for each task, as described below.
Your organization may have several Azure subscriptions. For the App Layering service to access your Azure subscriptions, whether it's to import an OS Image or to publish a Layered Image, you must use the procedure below for each Azure subscription that you want to connect to via the App Layering service.
- Name - A name you enter for a new Connector Configuration.
- Subscription ID - The ID of the Azure subscription in which the appliance deploys virtual machines. Your organization must have a subscription to deploy Azure virtual machines.
- Tenant ID - The GUID that identifies your organization's dedicated instance (tenant) of Azure Active Directory (AD).
- Client ID - An identifier for the App Registration, which your organization has created for App Layering.
- Client Secret - The password for the Client ID you are using. If you have forgotten the Client Secret, you can create a new one. Note: Each time you use a new subscription and Tenant ID, you must enter a new Client Secret. Client secrets belong to an App Registration, and an App Registration lives in exactly one Azure tenant, so a registration (and its secrets) cannot be reused across tenants.
- Storage Account Name - The Azure storage account you want to use when storing Azure virtual machine disks. This name must adhere to Azure storage account naming restrictions: 3 to 24 characters, lowercase letters and digits only (no uppercase characters, hyphens, or other symbols), and unique across all of Azure.
You must either create a storage account through the portal or use an existing storage account that fits the following criteria. The account:
- Cannot be a classic storage account.
- Must be a separate storage account from the one used for the appliance. This new storage account is used during Layer creation and Layered Image publishing.
- Must be in the Azure location where you will deploy virtual machines.
- Must be one of the following types:
- Standard Locally Redundant storage (LRS)
- Standard Geo-Redundant storage (GRS)
- Standard Read-Access Geo-Redundant storage (RAGRS)
- Can be located in any resource group, as long as the resource group's location is the same as the account's location.
To retrieve Azure credentials when adding a new Azure Connector Configuration:
- Identify your Azure Subscription ID.
- Create an App Registration in Azure Active Directory.
- Retrieve the Azure Tenant ID, Client ID, and Client Secret from the App Registration.
- Create a new storage account, or use an existing one inside the subscription. The output of this is the Storage Account Name.
Identify the correct Azure Subscription ID
- Go to the Azure portal.
- In the left sidebar, click Subscriptions.
If this isn't listed, click More Services and search for Subscriptions in that window.
- In the Subscriptions window, locate and click the Azure subscription you want to use for your deployment.
- On the next menu, click Overview. The Subscription ID is located in the top left of the window that appears.
- Enter the information from the Subscription ID box in the App Layering Azure Connector UI.
Create an App Registration
You must create a new App Registration for each Azure Subscription you want to create App Layering connectors for. If you want to have multiple Azure connectors in the same subscription, you can reuse the same App Registration for those.
- Go to the Azure portal.
- In the left sidebar, click Azure Active Directory.
If this isn't listed, click More Services and search for Azure Active Directory.
- In the menu that appears, click App registrations.
- Click New application registration at the top of the new window.
A new form appears to fill out.
- In Name, type a descriptive name, such as Citrix App Layering Access.
- For Application type, select Web app / API.
- For Sign-on URL, type http://nothing.
- Click Create.
- In the list of App registrations, click the new app registration that you created in the preceding procedure. It contains the name you entered.
- In the new window that appears, the Application ID appears near the top. Enter this value into the Client ID box in the App Layering Azure Connector UI.
- In the Settings menu on the right, click Properties.
- Find the App ID URI field in the Properties window that appears.
- The Tenant ID you need is the host portion of the App ID URI.
The Tenant ID is everything after the https:// portion of the App ID URI, up until the next slash.
For example, if your App ID URI is this: https://helloworld.onmicrosoft.com/1234-5432-43421
Then your Tenant ID is this: helloworld.onmicrosoft.com
This is the tenant's default domain name rather than the directory ID GUID shown under Azure Active Directory > Properties; Azure AD accepts either form as the tenant identifier, and this procedure uses the domain.
- Copy the Tenant ID and enter it into the Tenant ID box in the App Layering Azure Connector UI.
- In the Settings menu, click Keys.
- In the Keys window that appears, type a description in the Key description box, such as App Layering Key 1.
- Click the drop-down menu under Expires and select a value. Any value works, but the connector stops working when the key expires, so record the expiry date and plan to create a replacement key and update the Connector Configuration before then.
- Click Save at the top of the Keys window.
- The key value appears under Value and is your Client Secret. Type this value into the Client Secret box in the App Layering Azure Connector UI.
Note: This key does not appear again after you close this window.
This key is sensitive information. Treat the key like a password. Once the role assignment below is in place, anyone who obtains this value, together with the Client ID and Tenant ID, can act as the app registration and gets its Contributor rights over the entire Azure subscription.
Next, grant the app registration a role on the subscription. (You can return to the registration later under Azure Active Directory > App registrations > [name you just entered] > Settings > Properties.)
- Click Subscriptions in the left sidebar. This closes all open windows and brings you to the Subscriptions window. If Subscriptions isn't listed, click More Services and search for Subscriptions in that window.
- Click the subscription you are using for this connector.
- In the menu that opens, click Access Control (IAM).
- In the window that appears, click Add on the top bar.
- The Add permissions form appears on the right. Click the drop-down for Role and select Contributor. Contributor can create, modify, and delete any resource in the subscription but cannot grant access to others (it does not include role assignment rights).
- In the Select box, type Citrix App Layering Access or use the name you entered for the Application registration in step 5 and then press Enter.
- Click that name you configured, such as Citrix App Layering Access (or the name you used).
- Click Save on the bottom of this form.
You have now set up an Azure app registration that has read/write access to your Azure subscription.
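The same result as the portal procedure above, scripted with the Azure CLI. This is an added example and not Citrix code or a Citrix-supported procedure; it assumes `az` and `jq` are installed and that you have already run `az login` as a user allowed to create app registrations and role assignments. The display name "Citrix App Layering Access" follows the page; the one-year secret lifetime is my choice. The `tenant_from_app_id_uri` helper reproduces the App ID URI parsing the portal steps describe, for cases where you only have that URI to hand.

```shell
#!/bin/sh
# Added example: create the identity an App Layering Azure connector needs
# (app registration + service principal + client secret + Contributor role
# at subscription scope) with the Azure CLI instead of the portal.
# Assumes: az and jq installed, `az login` already done as an admin user.
set -eu

# Subscription and tenant IDs are GUIDs; reject anything else early.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Portal path from the page: the tenant is the host part of the App ID URI,
# e.g. https://helloworld.onmicrosoft.com/1234-5432-43421 -> helloworld.onmicrosoft.com
tenant_from_app_id_uri() {
  printf '%s' "$1" | sed -E 's#^https?://([^/]+)(/.*)?$#\1#'
}

# Create the registration, service principal, secret and role assignment in
# one call and print the four values the connector UI asks for.
create_connector_identity() {
  sub_id=$1
  display_name=${2:-"Citrix App Layering Access"}
  is_guid "$sub_id" || { echo "not a subscription ID: $sub_id" >&2; return 1; }

  # --scopes limits the Contributor assignment to this subscription only.
  sp_json=$(az ad sp create-for-rbac \
      --name "$display_name" \
      --role Contributor \
      --scopes "/subscriptions/$sub_id" \
      --years 1 \
      --output json)

  client_id=$(printf '%s' "$sp_json" | jq -r .appId)
  tenant_id=$(printf '%s' "$sp_json" | jq -r .tenant)
  client_secret=$(printf '%s' "$sp_json" | jq -r .password)

  echo "Subscription ID : $sub_id"
  echo "Tenant ID       : $tenant_id"
  echo "Client ID       : $client_id"
  # The secret is shown once, exactly like the portal's Keys page. Put it in
  # your secret store now; it cannot be retrieved again, only replaced.
  echo "Client Secret   : $client_secret"
}

# Usage: ./make-connector-identity.sh run <subscription-id> [display-name]
case "${1:-}" in
  run) shift; create_connector_identity "$@" ;;
  *)   echo "usage: $0 run <subscription-id> [display-name]" >&2 ;;
esac
```

If the Test button later fails with an authorization error, the usual cause is the role assignment not yet having propagated; wait a minute and retry before creating another secret.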
Use an existing Storage Account, or create a new one
The storage account is where the App Layering software stores all images imported from and published to Azure (virtual hard disks, or VHDs).
Use existing storage account
You can use an existing storage account. It must meet these requirements:
- Must be a Standard (not premium) account.
- Cannot be a classic storage account.
- Must be in the same subscription you've already used in this connector.
If all these requirements are met, enter the Name of the storage account into the Storage account name field in the App Layering Azure Connector UI.
Create new storage account
If you don't have a storage account, you must create one.
- Click Storage accounts in the left sidebar. Do not select Storage accounts (classic).
If this isn't listed, click More Services and search for Storage accounts there.
- In the Storage accounts window that appears, click Add.
- In Name, enter a name that you'll remember.
- In Deployment model, select Resource manager.
- In Account kind, select General purpose.
- In Performance, select Standard.
- In Replication, select one of the options listed in the storage account requirements above (Standard LRS, GRS, or RAGRS).
- In Storage service encryption, select Disabled. Storage service encryption (SSE) is Azure's encryption of data at rest; newer versions of the Azure portal no longer offer this choice because SSE is always enabled for storage accounts, in which case simply leave the default.
- In Subscription, select the same subscription you have been using throughout this process.
- In Resource group, select Create New and enter a name that is similar to your Storage account's name.
- In Location, select a location that is closest to your organization.
- Click Create.
- In the App Layering Azure Connector UI, enter the Storage account name.
Test the Connector
After configuring the values in the Connector UI, click the Test button. If everything is set up correctly, this test passes, and you can save your Connector Configuration.
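The storage account part of the procedure, plus the manual equivalent of the Test button, as an added Azure CLI example (not Citrix code). It creates an account that meets the requirements listed earlier (Resource Manager, standard performance, general-purpose kind, an allowed replication type, same subscription) and then authenticates as the app registration exactly the way the appliance does, with client credentials, to confirm the account is visible to it. It assumes `az` is installed; the resource group, account name and location are placeholders you supply.

```shell
#!/bin/sh
# Added example: create a connector storage account with the Azure CLI and
# check that the connector identity can see it. Assumes az is installed and
# `az login` was run as a user who can create resources in the subscription.
set -eu

# Azure storage account names: 3-24 characters, lowercase letters and digits.
valid_storage_account_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'
}

# Replication types the page allows for the connector account.
allowed_sku() {
  case "$1" in
    Standard_LRS|Standard_GRS|Standard_RAGRS) return 0 ;;
    *) return 1 ;;
  esac
}

create_layering_storage() {
  sub_id=$1; rg=$2; location=$3; name=$4; sku=${5:-Standard_LRS}
  valid_storage_account_name "$name" || { echo "bad storage account name: $name" >&2; return 1; }
  allowed_sku "$sku" || { echo "replication type not allowed by the page: $sku" >&2; return 1; }

  # Names are global across Azure; fail early if someone else owns it.
  available=$(az storage account check-name --name "$name" --query nameAvailable --output tsv)
  [ "$available" = "true" ] || { echo "storage account name already taken: $name" >&2; return 1; }

  # Resource group in the same location as the account (page requirement).
  az group create --subscription "$sub_id" --name "$rg" --location "$location" --output none

  # Resource Manager deployment model, general-purpose kind, standard
  # performance. Encryption at rest is always on; there is no flag to turn
  # it off, so the portal's "Disabled" choice has no CLI counterpart.
  az storage account create --subscription "$sub_id" --resource-group "$rg" \
      --name "$name" --location "$location" --sku "$sku" --kind StorageV2 --output none
  echo "$name"
}

# What the Test button does, done by hand: sign in with the connector's
# client credentials and look the account up. Note that this replaces your
# user session in the CLI; run `az login` again afterwards. Passing the secret
# on the command line exposes it to `ps` and shell history, so prefer an
# environment variable or a throwaway shell for this step.
test_connector_access() {
  tenant=$1; client_id=$2; client_secret=$3; sub_id=$4; name=$5
  az login --service-principal --username "$client_id" \
      --password "$client_secret" --tenant "$tenant" --output none
  az storage account show --subscription "$sub_id" --name "$name" \
      --query '{name:name,location:primaryLocation,sku:sku.name,kind:kind}' --output json
}

# Usage: ./connector-storage.sh create <sub-id> <rg> <location> <name> [sku]
#        ./connector-storage.sh test <tenant> <client-id> <client-secret> <sub-id> <name>
case "${1:-}" in
  create) shift; create_layering_storage "$@" ;;
  test)   shift; test_connector_access "$@" ;;
  *)      echo "usage: $0 create|test ..." >&2 ;;
esac
```

If `test` returns the account but the appliance's Test still fails, compare the location the account reports with the Azure location configured for the connector; the page requires them to match.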
What to do if your Azure Client Secret is lost
If you lose the Azure Client Secret, you can generate a new one by using the steps to get your Client Secret in the procedure Create an App Registration.
To add a new Connector Configuration
- In the wizard for creating a Layer or for adding a Layer Version, click the Connector tab.
- Under the list of Connector Configurations, click New.
A dialog box opens.
- Select the Connector Type for the platform and location where you are creating the Layer or publishing the image. Then click New to open the Connector Configuration page.
- Complete the fields on the Connector Configuration page. For guidance, see the field definitions.
- Click the TEST button to verify that the appliance can access the location specified using the credentials supplied.
- Click Save. The new Connector Configuration appears on the Connector tab.
The Azure data structure is as follows:
- Tenant (identified by the Tenant ID)
  - App Registration (identified by the Client ID, authenticated with a Client Secret)
  - Subscription (identified by the Subscription ID)
    - Storage Account (identified by the Storage Account Name)
- A Tenant is your Azure Active Directory instance that users and applications can use to access Azure. The Tenant is identified by your Tenant ID. A Tenant can have access to one or more Azure Subscriptions.
- The Azure Active Directory Tenant contains two types of accounts:
  - A User Account for logging into the Azure portal (portal.azure.com).
  - An App Registration for accessing the subscription, which has a Client ID.
    - The Client ID has a Client Secret instead of a password.
    - Users can generate the Client Secret, and delete it.
- An Azure Subscription contains everything that can be created in Azure, except for user accounts.
  - A Subscription contains Storage Accounts. This is where App Layering VHDs are stored. Each is identified by a Storage Account Name.