Azure subscriptions in Quick Deploy

Introduction

When you create a catalog or build an image in Quick Deploy, you choose among the available Azure subscriptions. Quick Deploy supports both Citrix Managed Azure subscriptions and your own, customer-managed Azure subscriptions.

• To use your own Azure subscription, you first import (add) one or more of those subscriptions to Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). That action enables Citrix DaaS to access your Azure subscriptions.
• Using a Citrix Managed Azure subscription requires no subscription configuration. However, a Citrix Managed Azure subscription is available only when youorder the Citrix Azure Consumption Fund, in addition to Citrix DaaS.

Some Citrix DaaS features differ, depending on whether the catalog uses a Citrix Managed Azure subscription or in your own Azure subscription.

Citrix Managed Azure subscription	Your own Azure subscription
Supports domain-joined or non-domain-joined machines.	Supports only domain-joined machines.
Supports quick create and custom create catalogs.	Supports only custom create catalogs.
Always available when creating catalogs and images.	Must add the Azure subscription to Citrix DaaS before creating a catalog.
For user authentication, supports Citrix Managed Azure Active Directory or your own Active Directory.	Can connect your own Active Directory and Azure Active Directory.
Network connection options includeNo connectivity.	Network connection options include only your own virtual networks.
When using Azure VNet peering to connect to your resources, you must create a VNet peer connection in Citrix DaaS.	Select an existing virtual network.
When importing an image from Azure, you specify the image’s URI.	When importing an image, you can select a VHD or browse storage in the Azure subscription.
Can create a bastion machine in customer’s Azure subscription to troubleshoot machines.	No need to create a bastion machine because you can already access the machines in your subscription.

View Azure subscriptions

To view Azure subscription details, fromManage > Quick Deploy, expandCloud Subscriptionson the right. Then select a subscription entry.

• TheDetailspage includes the number of machines, plus the numbers and names of catalogs and images using the subscription.
• TheResource Locationspage lists the resource locations where the subscription is used.

Add customer-managed Azure subscriptions

To use a customer-managed Azure subscription, you must add it to Citrix DaaS before creating a catalog or building an image that uses that subscription. You have two options when adding your Azure subscriptions:

• If you are a Global Administrator for the directory and have owner permissions for the subscription:Simply authenticate to your Azure account.
• If you are not a Global Administrator and have owner permissions on the subscription:Before adding the subscription to Citrix DaaS, create an Azure app in your Azure AD and then add that app as a contributor of the subscription. When you add that subscription to Citrix DaaS, you provide relevant app information.

Add customer-managed Azure subscriptions if you’re a Global Administrator

This task requires Global Administrator permissions for the directory, and owner permissions for the subscription.

1. FromManage > Quick Deploy, expandCloud Subscriptionson the right.
2. SelectAdd Azure subscription.
3. On theAdd Subscriptionspage, selectAdd your Azure subscription.
4. Select the button that allows Citrix DaaS to access your Azure subscriptions on your behalf.
5. SelectAuthenticate Azure Account. You’re taken to the Azure sign-in page.
6. Enter your Azure credentials.
7. You’re returned automatically to Citrix DaaS. TheAdd Subscriptionpage lists the discovered Azure subscriptions. Use the search box to filter the list, if needed. Select one or more subscriptions. When you’re done, selectAdd Subscriptions.
8. Confirm that you want to add the selected subscriptions.

The Azure subscriptions you selected are listed when you expandSubscriptions. The added subscriptions are available for selection when you create a catalog or image.

Add customer-managed Azure subscriptions if you’re not a Global Administrator

Adding an Azure subscription when you’re not a global administrator is a two-part process:

• Before you add a subscription to Citrix DaaS,create an app in Azure AD and then add that app as a contributor of the subscription.
• Add the subscription to Citrix DaaS, using information about the app you created in Azure.

Create an app in Azure AD and add it as a contributor

1. Register a new application in Azure AD:

   1. From a browser, navigate tohttps://portal.azure.com.
   2. In the upper left menu, selectAzure Active Directory.
   3. In theManagelist, selectApp registrations.
   4. Select+ New registration.

   5. On theRegister an applicationpage, provide the following information:

      • Name:Enter the connection name
      • Application type:SelectWeb app / API
      • Redirect URI:leave blank
   6. SelectCreate.

2. Create the application’s secret access key and add the role assignment:

   1. From the previous procedure, selectApp Registrationto view details.
   2. 做一个没有te of theApplication IDandDirectory ID. You’ll use this later when adding your subscription to Citrix DaaS.
   3. UnderManage, selectCertificates & secrets.
   4. On theClient secretspage, select+ New client secret.
   5. On theAdd a client secretpage, provide a description and select an expiration interval. Then selectAdd.
   6. 做一个没有te of the client secret value. You’ll use this later when adding your subscription to Citrix DaaS.
   7. Select the Azure subscription you want to link (add) to Citrix DaaS, and then selectAccess control (IAM).
   8. In theAdd a role assignmentbox, selectAdd.

   9. On theAdd role assignmenttab, select the following:

      • Role:Contributor
      • Assign access to:Azure AD user, group, or service principal
      • Select:The name of the Azure app you created earlier.
   10. SelectSave.

Add your subscription to Citrix DaaS

You need the application ID, directory ID, and client secret value from the app you created in Azure AD.

1. FromManage > Quick Deploy, expandCloud Subscriptionson the right.
2. SelectAdd Azure subscription.
3. On theAdd Subscriptionspage, selectAdd your Azure subscriptions.
4. SelectI have an Azure App with contributor role to the subscription.
5. Enter the tenant ID (directory ID), client ID (application ID), and client secret for the app you created in Azure.
6. SelectSelect your subscriptionand then select the subscription you want.

Later, from the subscription’sDetailspage in Citrix DaaS dashboard, you can update the client secret or replace the Azure app from the ellipsis menu.

If Citrix DaaS can’t access an Azure subscription after it’s added, several catalog power management and individual machine actions aren’t allowed. A message provides an option to add the subscription again. If the subscription was originally added using an Azure app, you can replace the Azure app.

Add Citrix Managed Azure subscriptions

A Citrix Managed Azure subscription supports a certain number of machines. (In this context,machinesrefers to VMs that have a Citrix VDA installed. These machines deliver apps and desktops to users. It does not include other machines in a resource location, such as Cloud Connectors.)

如果你的Citrix Azure likel订阅管理y to reach its limit soon, and you have enough Citrix licenses, you can request another Citrix Managed Azure subscription. The dashboard contains a notification when you’re close to the limit.

You can’t create a catalog (or add machines to a catalog) if the total number of machines for all catalogs that use that Citrix Managed Azure subscription would exceed the limit.

For example, assume a hypothetical limit of 1,000 machines per Citrix Managed Azure subscription.

• Let’s say you have two catalogs (Cat1andCat2) that use the same Citrix Managed Azure subscription.Cat1currently contains 500 machines, andCat2has 250.

• As you plan for future capacity needs, you add 200 machines toCat2. The Citrix Managed Azure subscription now supports 950 machines (500 inCat 1and 450 inCat 2). The dashboard indicates that the subscription is near its limit.

• When you need 75 more machines, you can’t use that subscription to create a catalog with 75 machines (or add 75 machines to an existing catalog). That would exceed the subscription limit. Instead, you request another Citrix Managed Azure subscription. Then, you can create a catalog using that subscription.

When you have more than one Citrix Managed Azure subscription:

• Nothing is shared between those subscriptions.
• Each subscription has a unique name.

• You can choose among the Citrix Managed Azure subscriptions (and any customer-managed Azure subscriptions that you’ve added) when:

  • Creating a catalog.
  • Building or importing an image.
  • Creating a VNet peering or SD-WAN connection.

Requirement:

• You must have enough Citrix licenses to warrant adding another Citrix Managed Azure subscription. Using the previous hypothetical example, if you have 2,000 Citrix licenses in anticipation of deploying at least 1,500 machines through Citrix Managed subscriptions, you can add another Citrix Managed Azure subscription.

To add a Citrix Managed Azure subscription:

1. Contact your Citrix representative to request another Citrix Managed Azure subscription. You are notified when you can proceed.
2. FromManage > Quick Deploy, expandCloud Subscriptionson the right.
3. SelectAdd Azure subscription.
4. On theAdd Subscriptionspage, selectAdd a Citrix Managed Azure subscription.
5. On theAdd a Citrix Managed Subscriptionpage, selectAdd Subscriptionat the bottom of the page.

If you’re notified that an error occurred during creation of a Citrix Managed Azure subscription, contact Citrix Support.

Remove Azure subscriptions

Before you can remove an Azure subscription, you must delete all catalogs and images that use it.

If you have one or more Citrix Managed Azure subscriptions, you cannot remove all of them. At least one must remain.

1. FromManage > Quick Deploy, expandCloud Subscriptionson the right.
2. Select the subscription entry.
3. On theDetailstab, selectRemove Subscription.
4. SelectAuthenticate Azure Account. You’re taken to the Azure sign-in page.
5. Enter your Azure credentials.
6. You’re returned automatically to Citrix DaaS. Confirm the deletion and then selectYes, Delete Subscription.

Update expired client secrets

When the client secret of a subscription expires, you can’t create machine catalogs for it and an alert appears in the subscription’s entry. To resolve this issue, you have two choices:

• Update the client secret of the Azure app in use
• Switch to an Azure app with a valid expiration date

Update the client secret of the Azure app in use

To continue using the existing Azure app to access Azure resources, follow these steps:

1. In Azure, create a client secret for the Azure app in use. Note down the new secret and expiration date for future use. For more information, seeCreate an application secret in Azure.
2. In DaaS, provide the newly created secret information to the subscription. Detailed steps are as follows:
   1. From theManage > Azure Quick Deploydashboard in Citrix DaaS for Azure, expandCloud Subscriptionson the right.
   2. Click the subscription that needs secret updates.
   3. On the subscription page that appears, click the ellipsis menu in theAzure App Detailspane, and then selectUpdate Client Secret.
   4. On theUpdate Client Secretpage, type the newClient SecretandSecret Expiration Date.
   5. ClickUpdate Secret.

Switch to an Azure app with a valid expiration date

To switch to a valid Azure app to access Azure resources, get the necessary app information and provide it to the subscription using the following steps:

1. In Azure, get a valid Azure app and note down its details. Make sure that the new Azure app is assignedContributorrole. For more information, seeCreate an app in Azure AD and add it as a contributor.
2. In DaaS, provide details of the Azure app to the subscription. Detailed steps are as follows:
   1. From theManage > Azure Quick Deploydashboard in Citrix DaaS for Azure, expandCloud Subscriptionson the right.
   2. Click the subscription that needs secret updates.
   3. On the subscription page that appears, click the ellipsis menu in theAzure App Detailspane, and then selectReplace Azure App.
   4. On theReplace Azure Apppage, type the new Azure app details in the corresponding fields forDirectory (tenant) ID,Application (client) ID,Client Secret, andSecret Expiration Date for the service principal.
   5. ClickReplace App.