Design Decision: Citrix Infrastructure Considerations
With Citrix Cloud, Citrix manages several components for you as part of the Apps and Desktops Service. In traditional on-premises environments, all the components are managed by the customer. With Citrix Cloud, the control plane components are managed, maintained, and scaled automatically by Citrix at the regional level. The following table shows each component, the responsible party, and where it is installed.
Component | Responsibility | Citrix Cloud Region | Azure Region
---|---|---|---
Citrix Delivery Controller | Citrix | Yes | No |
Citrix Studio & Director | Citrix | Yes | No |
Citrix Licensing Server | Citrix | Yes | No |
Citrix Databases | Citrix | Yes | No |
Citrix Workspace Experience (StoreFront) | Shared | Optional | Optional |
Citrix Gateway | Shared | Optional | Optional |
Cloud Connector | Customer | No | Yes |
Virtual Delivery Agent hosts | Customer | No | Yes |
Resource Groups | Customer | No | Yes |
Master Images | Customer | No | Yes |
Here are the questions that you need to answer about Citrix Infrastructure:
How many Cloud Connectors do I need and what instance types should I use for the Cloud Connectors?
The number of Cloud Connectors should be at least 2 for any resource location, and this is sufficient for most deployments
Monitor the CPU and network bandwidth during periods of peak load. Verify that the CPU is not consistently above 80% and the bandwidth is not consistently above 95%. If either of these thresholds is exceeded, increase the number of Cloud Connectors
Cloud Connectors seem to be the most efficient and cost-effective when hosted on the D-series v2 or v3 platforms. Use smaller sizes such as a D2/DS2 v3 for small deployments, while larger deployments can use D4/DS4 v2
The Cloud Connector functions as an ICA Proxy for users. Do not select instances with limited network bandwidth, such as an A2, when a significant number of users are expected
When should I use my own StoreFront?
Citrix Workspace Experience works with customer-managed Citrix Gateway. However, a customer-managed StoreFront requires a customer-managed Citrix Gateway
You need a customer-managed StoreFront server if a custom URL that is not on the cloud.com domain is used.
Workspace Experience supports regular Active Directory DS and Azure AD Federated Authentication
Workspace Experience includes site aggregation functionality, which allows aggregation of resources from any XenApp 6.5 or later farm. The farm can be on-premises or in the cloud. This provides users with a single place to access all their available resources through Workspace. The functionality is useful when migrating users to Citrix Cloud
When should I use the Citrix Cloud Gateway and where should it be?
The Citrix Gateway Service is fully integrated with Citrix Apps and Desktops and managed by Citrix
The Gateway Service handles the ICA Proxy connections from external sites into Citrix Cloud
When using the Workspace Experience with the Citrix Gateway, all connections are treated as external and are sent through a Citrix Gateway. That means all ICA files contain STA tickets instead of private IP addresses of the VDA
Citrix Cloud supports internal connections to allow bypassing of the Gateway if the clients have a route directly to the VDA servers
Citrix recommends a customer-managed Gateway when the Citrix workloads are on-premises
You need a customer-managed Citrix Gateway if any of the following are required:
- A customer-managed StoreFront server is deployed
- Citrix Endpoint Management micro-VPN or Microsoft Endpoint Manager is required
- Federated identities are used or a single sign-on experience is desired
Can my users access both my Citrix Cloud environment and my on-premises Citrix environment from the same StoreFront?
Use the Citrix Workspace Experience to aggregate your local on-premises sites (XenApp 6.5 or later) with the Azure sites to provide a single view for users
The following extra requirements are imposed for site aggregation with legacy farms
- If using Citrix FAS, it must be updated to the latest version and the only on-premises versions supported are:
- Citrix Virtual Apps and Desktops 7 1808 or later
- XenApp and XenDesktop versions 7.16 through 7.18
- Requires at least 2 cloud connectors
- If you are using a web proxy, you must configure it to allow the XML servers to bypass the proxy list
- The on-premises site must use Active Directory DS. However, XML service requests require further configurations in Azure AD
- Works best if all users and resources are in the same forest. Separate forests are supported if they are trusted. Every forest requires two cloud connectors in it
- The Citrix administrator account has at least read-only permissions to the on-premises site
What information do I need to have about my Citrix VDA hosts?
Collect the server compute, memory, disk, and networking requirements. That helps you identify compatible instance types in Azure
Identify the operating systems in use and verify they are supported in Azure
Have a list of applications that are running on the Citrix servers and verify they work in a virtualized environment
With the VDAs, is it better to scale up or scale out and can I run workloads that require GPUs?
VDA hosts seem to be the most efficient and cost-effective when run on the D-Series and F-Series instance types. Use the F-series when the user workloads are more compute intensive than memory intensive.
More instances of a smaller size may cost more. However, users will likely have a better experience with less contention for CPU resources, and when an instance goes down, fewer users are negatively affected.
Fewer instances of a larger size provide higher density and lower costs. However, users may have a worse experience because of more contention for CPU resources, and more users are negatively affected when an instance fails.
Most Azure VMs are not oversubscribed for vCPUs. Be aware that the A-series instances are oversubscribed
Machine Creation Services uses 2 or 3 disks (Boot Disk, Identity Disk, and optionally the MCSIO Cache disk) for each virtual machine resource
If your application requires GPUs, NC- and NV-series instance types are supported as VDA hosts
What type of managed disks should I use and should they be encrypted?
With current versions of Citrix Virtual Apps and Desktops, always use managed disks
For multi-session VDA hosts, premium SSDs provide a better user experience if not using the MCSIO cache
For multi-session VDA hosts with 2 GiB MCSIO caches, a standard HDD will provide a similar user experience to a premium SSD and reduce the disk cost. However, the user density decreases because of the 2 GiB of RAM dedicated to the MCSIO cache
For single-session VDA hosts, standard SSD or standard HDD with MCSIO cache is acceptable
All resources related to your customer-managed keys must be in the same subscription and region. Azure Key Vaults and disk encryption sets are examples of such resources
Once you enable the customer-managed encryption key you cannot disable it later. The only solution is to create a different managed disk and copy the data over
Disks created from encrypted custom images using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys. These disks must be in the same subscription
Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys
Disks, snapshots, and images encrypted with customer-managed keys cannot move to another resource group and subscription
Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys
You can only create up to 50 disk encryption sets per region, per subscription
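The constraints above, worked through as an added example using the Az PowerShell modules (this is not code from the Citrix article): it checks that the key vault is in the same subscription and region, creates a disk encryption set with a customer-managed key, grants the set only the key operations it needs, and takes a snapshot of the master disk with the same set. All resource, vault, key and VM names are hypothetical placeholders; the vault and key are assumed to exist and the vault is assumed to use the access-policy permission model.

```powershell
# Added example (not from the Citrix article). Hypothetical names throughout.
$rg       = 'rg-ctx-images'
$location = 'eastus'

# Key vault, DES, disks and snapshots must share subscription and region; fail early otherwise.
$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName 'kv-ctx-disks'
if ($kv.Location -ne $location) { throw "Key vault must be in $location (it is in $($kv.Location))" }
$kvSub = ($kv.ResourceId -split '/')[2]
if ($kvSub -ne (Get-AzContext).Subscription.Id) { throw 'Key vault must be in the current subscription' }

# A DES requires soft delete and purge protection on the vault (safe to repeat).
Update-AzKeyVault -ResourceGroupName $rg -VaultName $kv.VaultName -EnablePurgeProtection

# Create the disk encryption set with a system-assigned identity bound to the key.
$key    = Get-AzKeyVaultKey -VaultName $kv.VaultName -Name 'ctx-disk-cmk'
$desCfg = New-AzDiskEncryptionSetConfig -Location $location -SourceVaultId $kv.ResourceId `
              -KeyUrl $key.Id -IdentityType SystemAssigned
$des    = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'des-ctx' -InputObject $desCfg

# Least privilege: the DES identity only needs wrap, unwrap and get on keys.
Set-AzKeyVaultAccessPolicy -VaultName $kv.VaultName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys wrapkey,unwrapkey,get

# A snapshot of a CMK-encrypted master disk must reference the same DES as the disk.
$osDiskId = (Get-AzVM -ResourceGroupName $rg -Name 'vm-ctx-golden').StorageProfile.OsDisk.ManagedDisk.Id
$snapCfg  = New-AzSnapshotConfig -SourceUri $osDiskId -Location $location -CreateOption Copy `
                -DiskEncryptionSetId $des.Id
$snap     = New-AzSnapshot -ResourceGroupName $rg -SnapshotName 'snap-ctx-golden-cmk' -Snapshot $snapCfg

# Confirm the encryption state before building the catalog; CMK cannot be switched off later.
$snap.Encryption.Type                          # expected: EncryptionAtRestWithCustomerKey
$snap.Encryption.DiskEncryptionSetId -eq $des.Id
```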
What are the best ways to reduce costs?
Enable Citrix Smart Scale to power down unused servers during low use times. Enabling Citrix Smart Scale saves on compute and disk charges
Take advantage of your Hybrid Use Benefit (HUB) as part of your Microsoft EA license to reduce your compute charges
Purchase reserved instances, when possible, to reduce compute charges
Test or monitor your Citrix workloads to verify that your density and performance are matched with the least cost instance size
Try different instance sizes in production to evaluate their cost efficiency
Minimize the amount of data that leaves Azure to keep costs low. You can achieve that by keeping the data nearest the compute that reads and processes it. If you have a data warehouse that is constantly queried, placing the compute on-premises and the data warehouse in Azure will result in significant egress costs. Move the compute to Azure instead.
How do I move my PVS and MCS golden images to the Citrix Cloud?
Only VHD files can be uploaded to Azure. The VHDx format is not supported
- For PVS images, you cannot upload the VHDx image as it stands. It must be reverse imaged to a Hyper-V virtual machine and the PVS software must be removed before uploading to Azure
- For MCS images, take the source VHDx and convert it to a VHD, then upload it to Azure
Once the VHD is created, verify it can be booted on a Hyper-V virtual machine
Use Storage Explorer to upload the VHD to a storage account in the Azure subscription
Convert the disk to an image then create a VM from the disk image
Update the VM as required then shut it down and create a snapshot which can then be used as a source for the MCS machine catalog
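The MCS image migration steps above, scripted as an added example with the Az and Hyper-V PowerShell modules (this is not code from the Citrix article). It uses Add-AzVhd in place of Storage Explorer for the upload, and marks the image as specialized because an MCS golden image is not sysprepped. All paths, resource group, storage account, network and VM names are hypothetical placeholders; the Hyper-V boot check from the procedure is a manual step and is only noted in a comment.

```powershell
# Added example (not from the Citrix article). Hypothetical names and paths throughout.
$rg        = 'rg-ctx-images'
$location  = 'eastus'
$localVhdx = 'C:\Images\ctx-golden.vhdx'          # source MCS golden image (constructed path)
$localVhd  = 'C:\Images\ctx-golden.vhd'
$blobUri   = 'https://stctximages.blob.core.windows.net/vhds/ctx-golden.vhd'  # hypothetical storage account

# 1. On the Hyper-V host: convert VHDx to a fixed-size VHD (Azure requires fixed VHD).
Convert-VHD -Path $localVhdx -DestinationPath $localVhd -VHDType Fixed
# (Manual step: attach $localVhd to a Hyper-V VM and confirm it boots before uploading.)

# 2. Upload the VHD to a storage account in the subscription (scripted alternative to Storage Explorer).
Connect-AzAccount
Add-AzVhd -ResourceGroupName $rg -Destination $blobUri -LocalFilePath $localVhd

# 3. Turn the uploaded VHD into a managed image. The golden image is not sysprepped
#    (MCS handles identity through the identity disk), so it is a Specialized image.
$imgCfg = New-AzImageConfig -Location $location
$imgCfg = Set-AzImageOsDisk -Image $imgCfg -OsType Windows -OsState Specialized -BlobUri $blobUri
$image  = New-AzImage -ResourceGroupName $rg -ImageName 'img-ctx-golden' -Image $imgCfg

# 4. Create a VM from the image on an existing subnet (hypothetical vnet and subnet names).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-ctx'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-vda'
$nic    = New-AzNetworkInterface -ResourceGroupName $rg -Name 'nic-ctx-golden' -Location $location -SubnetId $subnet.Id
$vmCfg  = New-AzVMConfig -VMName 'vm-ctx-golden' -VMSize 'Standard_D4s_v3'
$vmCfg  = Set-AzVMSourceImage -VM $vmCfg -Id $image.Id
$vmCfg  = Add-AzVMNetworkInterface -VM $vmCfg -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vmCfg

# ... update the VM (patches, VDA, applications), then stop AND deallocate it.
# Stop-AzVM deallocates by default; a running or merely stopped disk is locked and fails the catalog build.
Stop-AzVM -ResourceGroupName $rg -Name 'vm-ctx-golden' -Force

# 5. Snapshot the OS disk; this snapshot is the source for the MCS machine catalog.
$osDiskId = (Get-AzVM -ResourceGroupName $rg -Name 'vm-ctx-golden').StorageProfile.OsDisk.ManagedDisk.Id
$snapCfg  = New-AzSnapshotConfig -SourceUri $osDiskId -Location $location -CreateOption Copy
New-AzSnapshot -ResourceGroupName $rg -SnapshotName 'snap-ctx-golden' -Snapshot $snapCfg
```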
Machine catalogs fail most often for the following reasons:
- The master image used during the machine catalog build process is locked because it is not in a stopped/deallocated state
- Subscription limits are unexpectedly reached, such as vCPUs
- The service principal account permissions are insufficient
- Pre-created resource groups are not empty
- The target subnet for the virtual machines does not have enough available IP addresses
Machine Creation Services still uses storage accounts for temporary purposes during the machine build process and those accounts may be left behind but will be empty
How many resource groups will I need?
Resource groups are containers within an Azure subscription that hold resources that are related to one another and have a similar life cycle. The resource group object itself must exist within a single region, but it can contain objects from multiple regions.
Citrix recommends keeping resource groups in the same region as the hosting connection
Place resources that share a similar lifecycle in the same resource group, such as a particular Citrix workload type, like a virtual desktop
Resource groups can be used when different administrative permissions need to be assigned
Resource groups cannot be shared across Machine Catalogs, and Citrix recommends one catalog per resource group pool
Resource groups can be used for governance and compliance boundaries, though typically subscriptions are better suited for that function
If using narrow-scoped service principals, the resource group needs to be pre-created to avoid a failed machine catalog build process.
Links to Additional Resources
Citrix DaaS Standard for Azure
Citrix DaaS Standard for Azure Subscriptions
Deployment Guide: Migrating Citrix Virtual Apps and Desktops from on-premises to Citrix Cloud
Design Decision: The scalability and economics of delivering Citrix DaaS on Azure
Migrate Citrix Virtual Apps and Desktops to Microsoft Azure
Tech Brief: Citrix Virtual Apps and Desktops Standard for Azure