Citrix Cloud Resource Location Configuration within Citrix Azure

Article ID: CTX272825

Description

There are several key decisions an admin must make when planning a design for a resource location to be used with the Citrix Cloud Virtual Apps and Desktops Service. The first of these decisions is the Subscription Workspace model they plan to utilize. 

Subscriptions 
Selecting a subscription model is a complex decision, as it involves the footprint in Azure, considering both the initial design and the planned growth of the environment.

Single Subscription workspace model 
In a single subscription, all core and Citrix infrastructure remain inside the same subscription. This configuration is recommended for environments that require up to 1,000 Citrix VDA machines.

Multi-Subscription Workspace Model 
In this model, Citrix and core resources reside in separate subscriptions to help manage scalability in large deployments.

Protecting a Citrix Cloud Resource Location hosted in Azure
NSGs (Network Security Groups) are simplified packet inspection devices that allow or deny traffic over specific ports to the resources hosted inside the Azure platform for use with the Citrix Cloud Virtual Apps and Desktops Service. The port requirements for a Citrix Cloud Resource Location are as follows:



Granting Access for Citrix Cloud to Access your Azure Subscription
There are 2 primary options for connecting the Citrix Cloud Virtual Apps and Desktops Service to the Azure subscription:

1. Subscription Scope Principals. 
2. Narrow Scope Service Principals 

When an admin creates a host connection to Azure for the first time, Microsoft Azure creates a Service Principal, an application template that impersonates the user and the rights that user has over the subscription. When the Citrix service creates the Service Principal for the host connection through Studio, it creates a Subscription Scope principal, which applies the permissions included in the service principal across all resources hosted in the Azure subscription.

For customers that need more granular control over their resources, the admin can instead create what is called a Narrow Scope service principal. This requires more planning when designing the environment: the admins not only need to pre-create the resource groups the VDAs reside in, but access to these resource groups also needs to be defined for a pre-created service principal prior to creating the service principal.

The requirements and process to create this narrow scope service principal are defined in greater detail at Tech Article - https://support.citrix.com/article/CTX219243
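
As an added example (not Citrix's code and not part of the original article), the Python below audits the role assignments held by a host-connection service principal and flags any that reach beyond the pre-created VDA resource groups, which is the practical difference between the subscription scope and narrow scope options above. The input is a constructed sample shaped like the JSON output of `az role assignment list --all --assignee <appId>`; the subscription ID, principal name, role and resource group names are placeholders.

```python
import json
import re

# Constructed sample shaped like `az role assignment list --all --assignee <appId> -o json`.
# The subscription ID, principal name and resource-group names are placeholders.
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_JSON = json.dumps([
    {"principalName": "citrix-hostconn-sp", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-citrix-vda-01"},
    {"principalName": "citrix-hostconn-sp", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-core-network"},
    {"principalName": "citrix-hostconn-sp", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}"},
])

# Matches subscription, resource-group and per-resource scopes.
_SCOPE = re.compile(
    r"^/subscriptions/[^/]+(?:/resourceGroups/(?P<rg>[^/]+)(?P<res>/.+)?)?$", re.I)

def classify_scope(scope):
    """Return (level, resource_group) for an Azure RBAC scope string."""
    m = _SCOPE.match(scope.rstrip("/"))
    if m is None:
        # Root "/", management groups or any other form: report for manual review.
        return ("unrecognised", None)
    if m.group("rg") is None:
        return ("subscription", None)
    return ("resource" if m.group("res") else "resource-group", m.group("rg"))

def audit(assignments, allowed_rgs):
    """List assignments that reach beyond the pre-created VDA resource groups."""
    allowed = {rg.lower() for rg in allowed_rgs}  # resource group names are case-insensitive
    findings = []
    for a in assignments:
        level, rg = classify_scope(a["scope"])
        if rg is None:
            findings.append((a["roleDefinitionName"], a["scope"], f"{level} scope"))
        elif rg.lower() not in allowed:
            findings.append((a["roleDefinitionName"], a["scope"], "unexpected resource group"))
    return findings

if __name__ == "__main__":
    for role, scope, why in audit(json.loads(SAMPLE_JSON), ["rg-citrix-vda-01"]):
        print(f"REVIEW {role:<12} {why:<26} {scope}")
```

A narrow scope service principal should produce no findings when `allowed_rgs` lists exactly the resource groups pre-created for the VDAs.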

At this stage, the admin is prepared to deploy their first machine catalog to Azure using the Citrix Cloud Virtual Apps and Desktops Service. For more information on how to prepare a master image and deploy a machine catalog, review the following article: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/install-configure/machine-catalogs-create.html#prepare-a-master-image-on-the-hypervisor-or-cloud-service

Issue/Introduction

This article highlights configuration requirements to set up a Resource Location within an Azure subscription for usage with the Citrix Cloud Virtual Apps and Desktops Service.

Additional Information

References: 

https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/virtual-apps-and-desktops-azure.html
https://support.citrix.com/article/CTX219243