Catalog Creation or Change Master Image fails when attempting to create ProvVM

book

Article ID: CTX579633

calendar_today

Updated On:

Description

Machine Creation Services actions, such as catalog creation, master image change, or adding additional VMs, may error unexpectedly for failure to create image preparation machine.  CDF traces may indicate one of the following:

  • "Error: creating virtual machine failed. AzureWriter-1 timed out while retrying operation."
  • "Error: creating virtual machine failed. Access not permitted for resource /subscriptions/xxxxxxxx/resourceGroups/xxxxxxx/providers/Microsoft.Compute/disks/prepare-identity-xxxxx because the public network access is Disabled. Please enable public network access or associate disk access resource to access via private endpoints."
Within the Azure tenant, logs will show failures for "Get Disk SAS URI" with error code "PublicNetworkAccessDisabled".

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Resolution

Re-enable public network access.

If this is not possible, first follow Citrix documentation for routing Azure API traffic through the Cloud Connectors.
https://docs.citrix.com/en-us/citrix-daas/install-configure/connections/connection-azure-resource-manager.html#create-a-secure-environment-for-azure-managed-traffic

Once this is completed, you need to create a either a Private Endpoint or Private Link for Azure Storage to proxy storage access.
https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-private-links-for-import-export-portal#enable-private-endpoint-on-your-disk ​​​​​​​

Problem Cause

This issue can occur if the Network Connectivity Method on Managed Disks has been changed to something other than Public Endpoints, either directly or via Policy.

Issue/Introduction

During the Machine Creation Services processes, Citrix will make an Azure API call to create a new disk; it will then request a SAS URL be created for this disk in order to upload a disk image.  SAS URLs are inherently accessible by all Public addresses, and it is not possible to request a private SAS URL. Because of this, blocking Public access will cause the API call to fail.

Additional Information

https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-private-links-for-import-export-portal#enable-private-endpoint-on-your-disk
Powered by Wolken Software