
Deploy Virtual Machine from the service catalog into a workload

The Virtual Machine (VM) template creates a Virtual Machine which helps with multiple workload scenarios. The Virtual Machine template also allows you to publish an application as an Azure Virtual Desktop RemoteApp so you can host a managed app and stream it to individual users.

In this article, you:

  • Deploy a service catalog template for a Virtual Machine into an existing workload from the Azure portal.

Note

This sample deployment is just for demonstration purposes and doesn't represent all the best practices for network, systems, or applications administration.

Deploy Options

The Virtual Machine template can be deployed in multiple configurations:

  1. Virtual Machine (~10 min)
  2. Virtual Machine domain-joined (~12 min)
  3. Virtual Machine domain-joined and published as a RemoteApp (~20 min)

Before you begin

Prerequisites

There are guardrail requirements on the enclaves to ensure enclave resources use Customer-Managed Key (CMK) encryption. You need a key in a key vault and a managed identity that can access the key. Create the CMK (and optionally the Key Vault) and the Managed Identity with the Common Dependencies service catalog template.

  1. Subnet for Private Endpoints: You can create subnets during enclave creation or you can create new subnets after enclave creation. The private endpoint subnet should have no subnet delegation for the private endpoints to work properly.
  2. Quickly create these Private DNS Zones based on what you create next:
    • Key Vault required when creating a Key Vault from this template or the more customizable Key Vault template.
    • Storage File, Storage Queue, Storage Blob, and Storage Table are required when making a Storage Account from this template or the more customizable Storage Account template.
  3. A Key Vault, Customer Managed Key (CMK), and Managed Identity are required for this template. Create a Key Vault, CMK, and Managed Identity in the Common Dependencies service catalog quickstart or create your own.
    • These resources should be created inside a workload resource group.
    • After creating the User Managed Identity, ensure it has access to the CMK key.
      • Assign the Key Vault Crypto Service Encryption User role to the managed identity scoped to the key vault with these instructions. This role allows you to then assign the managed identity to another resource, like a Virtual Machine. Then that Virtual Machine can encrypt the operating system disk with the CMK in the key vault without having permissions to do other operations on the key vault. Assigning a managed identity in this way is a least privilege best practice.
  4. (optional) An existing domain to join if the Admin VM is domain joined.
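The role assignment in step 3 is the least-privilege part of these prerequisites, so it is worth scripting and verifying rather than clicking through. The following Az PowerShell script is an added example, not code from this template or article; the resource group, key vault and managed identity names are assumed placeholders, and it expects an existing Connect-AzAccount session.

```powershell
# Added example (not from the page): grant the user-assigned managed identity the
# Key Vault Crypto Service Encryption User role scoped to the vault only, then list
# every role that reaches the vault so broader (inherited) grants are visible.
# Assumed values: $rg, $kvName, $miName. Requires Az.KeyVault,
# Az.ManagedServiceIdentity and Az.Resources.
$rg     = 'rg-workload-01'        # assumed workload resource group
$kvName = 'kv-workload-cmk-01'    # assumed key vault holding the CMK
$miName = 'mi-vm-diskencryption'  # assumed user-assigned managed identity
$role   = 'Key Vault Crypto Service Encryption User'

$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg
$mi = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $miName

# RBAC roles on a vault only take effect when the vault uses Azure RBAC, not access policies.
if (-not $kv.EnableRbacAuthorization) {
    throw "Key vault '$kvName' uses access policies; enable RBAC authorization first."
}

# Scope the assignment to the vault resource itself, never the resource group or subscription.
$existing = Get-AzRoleAssignment -ObjectId $mi.PrincipalId -Scope $kv.ResourceId |
    Where-Object { $_.RoleDefinitionName -eq $role -and $_.Scope -eq $kv.ResourceId }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionName $role -Scope $kv.ResourceId | Out-Null
}

# Least-privilege check: Get-AzRoleAssignment with -Scope also returns assignments
# inherited from parent scopes, so a Contributor grant on the resource group shows up here.
$all   = Get-AzRoleAssignment -ObjectId $mi.PrincipalId -Scope $kv.ResourceId
$extra = $all | Where-Object { $_.RoleDefinitionName -ne $role }
$all | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
if ($extra) {
    Write-Warning "Identity '$miName' holds additional roles reaching the vault: $($extra.RoleDefinitionName -join ', ')"
}
```

Any role other than the encryption-user role in that listing means the VM would get more than disk-encryption access to the vault once the identity is attached to it.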

Deploy the template

  1. Navigate to the workload for the intended deployment.
  2. Select +Add an Azure Service button.
  3. Select the Virtual Machine service template from the service catalog list dropdown
  4. Confirm the version you need (default: latest) and select Next.

Screenshot showing the Virtual Machine template selected from the service catalog list.

  1. Enter all the required parameters on each of the tabs.
  2. For OS Disk Encryption Name and OS Disk Encryption Resource Group Name, enter the names used in the prerequisites section.
  3. Adjust the prepopulated parameters as needed.
  4. (Optional) Publish your RemoteApp to other users.
  5. (Optional) Join a domain on your virtual machine.
  6. (Optional) Install application to your RemoteApp.
  7. Select Review + Create, if all validations passed, select Create.

Join a domain (optional)

  1. Should you choose to Domain Join your Virtual Machine, you need to select which method you want (Active Directory or Microsoft Entra ID) on the Basic tab and enter the domain joining information.

  2. For the Active Directory Domain join options, see the following examples:

    Note

    If the domain controller is inside an enclave, you need an enclave endpoint in the enclave that hosts the domain controller. The endpoint must allow domain joining by permitting TCP and UDP traffic to the domain controller subnet on these ports: 53, 88, 135, 138, 139, 389, 443, 445, 464, 636, 686, 3268. You also need a DNS Forwarder in your enclave that forwards DNS traffic to your Domain Controller.

    • The Domain name should be in the format contoso.com.
    • The Organization Unit (OU) path should be in the format OU=Organizations,DC=contoso,DC=com; it can be left blank if the default Computers OU path is fine.
    • The Domain admin username and Domain admin password should match the domain joining credentials for the domain controller.
  3. For the Microsoft Entra ID Domain join option,
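Before you rerun a failed Active Directory join, it helps to confirm from the VM that the DNS forwarder and the enclave endpoint in the note above actually work. The following PowerShell script is an added example, not part of this article; the domain name and domain controller address are assumed placeholders, and the port list is the one from the note.

```powershell
# Added example (not from the page): run on the deployed VM to check the two
# domain-join prerequisites from the note, DNS forwarding and port reachability.
# Assumed values: $domain and $dcIp.
$domain = 'contoso.com'   # assumed domain name
$dcIp   = '10.10.1.4'     # assumed domain controller address
# Ports listed in the note. Test-NetConnection only exercises TCP; 53, 88, 389 and 464
# are also used over UDP, so a clean result here is necessary but not sufficient.
$ports  = 53,88,135,138,139,389,443,445,464,636,686,3268

# 1. DNS: the forwarder must resolve the domain's DC locator SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "SRV lookup for $domain failed: check the DNS forwarder to the domain controller."
} else {
    $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize
}

# 2. Ports: test each TCP port and report the ones that do not answer. A failure means
# either the enclave endpoint rule is missing or nothing listens on that port at the DC.
$results = foreach ($p in $ports) {
    $t = Test-NetConnection -ComputerName $dcIp -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize
$blocked = ($results | Where-Object { -not $_.Open }).Port
if ($blocked) {
    Write-Warning "TCP ports not reachable on ${dcIp}: $($blocked -join ', ')"
} else {
    Write-Host "All listed TCP ports reachable on $dcIp; proceed with the domain join."
}
```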

Publish RemoteApp (Optional)

If you publish your application, all of the following fields on this tab must be filled out.

Screenshot showing the inputs needed to publish an app on the Virtual Machine.

  • Use default naming convention for your publish parameters: Keeping the default of True ignores the parameter values for host pool, workspace, and Application Group and instead creates resources named in the format <vmName>-<resourceName> (for example "vm01-hostpool"). You can still add friendly names to improve the names that you see.
  • Application file path: Provide the file path on the VM for the application, entered without quotation marks (for example, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe).
  • Application icon file path: Provide the file path on the VM for the icon, entered without quotation marks (for example, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe).
  • Azure Virtual Desktop modules URL: Provide the URL for Azure Virtual Desktop modules for your cloud. The Azure Commercial URL is provided by default. As an example, if you are deploying to the Azure Government Cloud the URL is https://wvdportalstorageblob.blob.core.usgovcloudapi.net/galleryartifacts/Configuration_01-20-2022.zip.

It can take 20+ minutes to finish all resource creation. Wait for the deployment to be successfully completed before you take any actions within your deployed resources.

Validate the deployment

  1. Go to the specified resource group (the workload resource group by default) and confirm the intended resources were created, including the Virtual Machine and the OS disk.
  2. If the RemoteApp was published, also confirm the host pool, app group, and workspace were created.

Connect to the Application Virtual Machine

Via the Admin VM: The Admin VM is used for administrator access to the resources within the enclave boundary from outside the boundary. The Admin VM might also be called a "jumpbox."

  1. Sign in to a desktop session on the Admin VM page for the enclave.
  2. From the start menu, type RDP, and open the Remote Desktop Connection app.
  3. Enter the Virtual Machine IP address as the destination IP address for the Remote Desktop Connection.
  4. Enter Virtual Machine credentials and select Accept/Yes to warnings about a new connection.
  5. From the Virtual Machine desktop, validate any Virtual Machine settings set during the deployment or complete any custom configuration.
  6. Next, install the application.
  7. Assign a security group to give users access to your RemoteApp(s).

Install RemoteApp (Optional)

Install an application on your Virtual Machine using one of these methods or a method you're familiar with.

  • Install via Virtual Machine (install or configure an application for RemoteApp publishing)

  • Prerequisites:

    1. A container (artifacts) within the storage account.

      • Private or Public Container
        • Private Container - securely store installers, main script, and any supporting scripts.
          • Choose this option if your scripts or installers can’t be shared with others who have access to that storage account container.
        • Public Container - stores publicly accessible artifacts in the remoteappvm folder in the service catalog's container
      • App Folder:
        • app installer (ex: VSCodeSetup.exe)
        • main script to install the application (and any other supporting scripts)
    2. A copy of AzCopy.exe

    3. A community endpoint to the storage account and AzToolBox.

    4. Enclave connections to the previously made community endpoint.

      • Make an enclave connection to your IP Groups ending in {enclave-name}-ipg-eas and another to {enclave-name}-ipg-mgmt-vms.

      Note

      If the storage account is in a different enclave, create an enclave endpoint in the enclave with the storage account and enclave connection to that storage account.

  • Install Application:

    1. On the workload overview page, select Add an Azure Service.

    2. For Service, select Virtual Machine.

    3. For Version, if not selected by default, select the most recent version (for example, 1.0.1(latest)).

    4. Select Next

    5. Basics Tab:

      • For Virtual Machine name, input the name of the Virtual Machine.
      • For Admin username and Admin password, input the username and password you use to log into your Virtual Machine.
    6. App Tab:

      • For App Folder URI add the URI to the app folder from the container.
      • For Main Script add the name of the main script (ex: main.ps1) in the app folder that installs the application.
      • Private Container:
        • For Storage Container Resource ID add the resource ID of the container.
        • For App folder in private container select true. If it's a private container, selecting true enables reader role access to the storage account via the Virtual Machine.

      Note

      If you are deploying in Microsoft Azure for U.S. Government, also do the following: for the AzCopy File URI, add the URI of the azcopy.exe in the container.

    7. Select Review + Create and, if all validations pass, select Create. Otherwise, start using the Virtual Machine.

Delete the deployment

If you don't plan on keeping these resources, clean up unnecessary resources to avoid Azure charges. If no other deployments exist in the resource group, the whole resource group can be deleted.

Recommendations

  • Session host or Virtual Machine Sizing
  • Add tags to service catalog deployments to track important information for that resource such as:
    • Owner: <main POC>
    • Deployer: <yourName>
    • Purpose: <user desktop>
    • Service Catalog Name: <Virtual Machine>
    • Service Catalog Version: <version you deployed>
  • Consider adding an Azure Policy to enforce and inherit tags
  • Collect Custom Logs from applications