Azure Power Action Failures due to Storage Account Permissions (Unmanaged disks)


Article ID: CTX475039


Description

A customer using unmanaged disks may be unable to power machines on or off because of this issue. You can check whether a customer has tried to block access to the Storage Account by reviewing its network permissions in Azure Portal. MCS requires that the Storage Account has "Enabled from all networks" selected. If it is not selected, there will likely be power management and provisioning issues.
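The same check, scripted rather than clicked through in the portal, as an added example that is not part of this article: it classifies storage accounts from a constructed sample shaped like `az storage account show` JSON (the field names `publicNetworkAccess`, `networkRuleSet.defaultAction`, `ipRules` and `virtualNetworkRules` are an assumption about the Azure CLI output, not something the article states).

```python
"""Audit Azure storage account network settings for MCS with unmanaged disks."""
from dataclasses import dataclass

# Constructed sample input shaped like `az storage account show` output; not real accounts.
SAMPLE_ACCOUNTS = [
    {"name": "mcsstor01", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
    {"name": "mcsstor02", "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Deny",
                        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
                        "virtualNetworkRules": []}},
    {"name": "mcsstor03", "publicNetworkAccess": "Disabled",
     "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
]


@dataclass
class Finding:
    account: str
    mcs_ok: bool
    reason: str


def audit_account(acct: dict) -> Finding:
    """Return whether MCS power/provisioning actions can still reach this account.

    "Enabled from all networks" in the portal corresponds to public network access
    enabled AND the network rule set default action being Allow (assumed mapping).
    An IP/VNet allow-list is not enough: the article notes Citrix Cloud publishes
    no fixed source IP range that could be whitelisted.
    """
    name = acct.get("name", "<unknown>")
    pna = acct.get("publicNetworkAccess") or "Enabled"   # null means not restricted
    rules = acct.get("networkRuleSet") or {}
    default_action = rules.get("defaultAction", "Allow")
    if pna != "Enabled":
        return Finding(name, False, "public network access is disabled; MCS power actions will fail")
    if default_action != "Allow":
        n_ip = len(rules.get("ipRules") or [])
        n_vnet = len(rules.get("virtualNetworkRules") or [])
        return Finding(name, False,
                       f"default action is {default_action} with {n_ip} IP rule(s) and "
                       f"{n_vnet} VNet rule(s); Citrix Cloud has no fixed IP range to allow-list")
    return Finding(name, True, "enabled from all networks")


def audit_all(accounts: list) -> list:
    """Audit every account description in the list."""
    return [audit_account(a) for a in accounts]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACCOUNTS):
        print(f"{f.account}: {'OK' if f.mcs_ok else 'AT RISK'} - {f.reason}")
```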


Errors Observed in CDF tracing

MachineCreationServiceHCL,,,,1,Error,"[AzPv]: [304eba1809ec] ShutdownMachines: Failure  Exception=Azure.RequestFailedException: The table specified does not exist.
 
MachineCreationServiceHCL,,,,1,Error,"[AzPv]: [304eba1809ec] ManageMachineState - Exception masterImage.inventoryType=template status= exception=Citrix.MachineCreationAPI.MachineCreationException: Error shutting down machine. {0} ---> Azure.RequestFailedException: The table specified does not exist.
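A small filter that picks exactly this signature out of a CDF trace export, as an added example and not part of the article: it uses the two rows quoted above plus one constructed benign row, and assumes the column layout visible in those rows (module, four empty columns, a numeric column, the level, then the quoted message).

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two CDF rows quoted in the article, plus one constructed benign row so the
# filter has something to reject.
TRACE_LINES = [
    'MachineCreationServiceHCL,,,,1,Error,"[AzPv]: [304eba1809ec] ShutdownMachines: Failure  Exception=Azure.RequestFailedException: The table specified does not exist.',
    'MachineCreationServiceHCL,,,,1,Error,"[AzPv]: [304eba1809ec] ManageMachineState - Exception masterImage.inventoryType=template status= exception=Citrix.MachineCreationAPI.MachineCreationException: Error shutting down machine. {0} ---> Azure.RequestFailedException: The table specified does not exist.',
    'MachineCreationServiceHCL,,,,1,Information,"[AzPv]: [304eba1809ec] ShutdownMachines: Completed',  # constructed
]

# Assumed column layout, inferred from the quoted rows.
ROW_RE = re.compile(r'^(?P<module>[^,]*),,,,(?P<num>\d+),(?P<level>[^,]*),"?(?P<message>.*)$')
# Context id and operation name at the head of each [AzPv] message.
OP_RE = re.compile(r'\[AzPv\]: \[(?P<ctx>[0-9a-f]+)\] (?P<op>\w+)')
# The storage-account symptom this article describes.
STORAGE_SIG = "Azure.RequestFailedException: The table specified does not exist"


@dataclass
class TraceRow:
    module: str
    level: str
    ctx: str
    operation: str
    message: str


def parse_row(line: str) -> Optional[TraceRow]:
    """Split one CDF row into fields; None if it does not match the assumed layout."""
    m = ROW_RE.match(line)
    if not m:
        return None
    op = OP_RE.search(m["message"])
    return TraceRow(m["module"], m["level"],
                    op["ctx"] if op else "", op["op"] if op else "", m["message"])


def is_storage_permission_failure(row: TraceRow) -> bool:
    """True for MCS Azure error rows carrying the 'table does not exist' signature."""
    return (row.module == "MachineCreationServiceHCL" and row.level == "Error"
            and STORAGE_SIG in row.message)


def find_storage_failures(lines) -> list:
    """Return (context id, operation) for every row matching the signature."""
    rows = (parse_row(line) for line in lines)
    return [(r.ctx, r.operation) for r in rows if r and is_storage_permission_failure(r)]


if __name__ == "__main__":
    for ctx, op in find_storage_failures(TRACE_LINES):
        print(f"[{ctx}] {op}: storage account access failure; check its network access setting")
```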


Resolution

Enable public access

The customer should enable public access on their storage accounts. This document summarizes the requirement and addresses security concerns with public access: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/virtual-apps-and-desktops-azure.html#securing-storage-accounts-provisioning-by-cvad-service 

Workarounds if public access cannot be enabled

We've had several customers request a whitelist for the IP range. We do not currently have a set IP address range for Citrix Cloud that we can provide. With managed disks, the customer no longer needs to use storage accounts. This change was put into Cloud 87, so new catalogs created with managed disks will not create storage accounts.

If the customer is unwilling to keep public access, they have a couple of options. If the machines are non-persistent, recreate them with managed disks; no storage accounts are created in that case. If the machines are persistent, one option is to move the machines into a power-managed only catalog. To do that:

1. Remove the VMs from the catalog (but do not delete them in Azure Portal).

2. Optionally perform the unmanaged to managed disk migration in Azure Portal:
a. https://learn.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks
b. This is not a required step. After following these steps, MCS will no longer attempt to access the storage accounts and does not require permissions.

3. Remove any Citrix tags that are on the VMs and the resource group.

4. Add the machines into a power-managed only catalog:
a. This means the machines are non-MCS provisioned, i.e. they are existing machines in Azure Portal that are being added to a catalog.
b. https://docs.citrix.com/en-us/citrix-daas/install-configure/machine-catalogs-create.html#machine-management

Note that this means you cannot perform provisioning operations on that catalog; it will only be used for power management.

Additional Info

We do not allow changing an existing catalog from unmanaged to managed disks. If a customer attempted to change the UseManagedDisks custom property using Set-ProvScheme, they would receive a preflight exception similar to CannotChangeUseManagedDisks.

Customers may have catalogs that are created prior to on-demand provisioning. These catalogs are known internally as "legacy" catalogs. Legacy machines are visible in Azure Portal immediately after being added to the catalog. This is unlike non-legacy machines, which are created after the first power on. Legacy machines have a few key limitations: 


Problem Cause

When customers use unmanaged disks, MCS will create Storage Accounts in Azure. These Storage Accounts will have public access from the internet. This behavior and the associated security concerns are documented here: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/virtual-apps-and-desktops-azure.html#securing-storage-accounts-provisioning-by-cvad-service

Some customers have concerns with allowing public access to the Storage Accounts and attempt to disable it in Azure Portal. This can cause many issues because MCS requires access to those Storage Accounts. If MCS cannot perform the key operations (like Read), then power actions will fail, machines may not be created, and so on.
