Security alerts are being received for VM disks on our Citrix Cloud Azure environment and are raising security concerns. Currently, all our VDIs have two disks, an Identity and a Data disk. These disks are created with the default Azure setting of “Enable public access from all networks”. We are investigating the process for disabling this for our VDI disks.
We have found that we can modify the Image VM to have this set to disabled for the data disk, and this disabled setting will copy over to any VMs created off this image. However, this setting does not apply to the Identity Disk. Is there any process on the Citrix / MCS side to automatically set the newly created Identity Disk to “Disable Public and Private Access”?
Another issue we have run into is we found that setting this to disabled on an Image VM hosted in Azure East will prevent this image from being used on an Azure West Machine Catalog. Any ideas on if there is a workaround for this, or do images that need to cross Azure regions require public network access (or have a private address configured)?
1. Azure's default behavior for new resources is to allow public access unless explicitly restricted. Unfortunately, Identity Disks (OS disks) in Citrix MCS do not inherit custom settings from the image VM when new VMs are created. Currently, Citrix Cloud does not provide an automated way to configure these settings directly during MCS provisioning.
2. When images are moved between Azure regions, there are constraints on how the disks (and their access settings) are handled. If public network access is disabled for the image in one region, it can block MCS from accessing the image in a different region.
For #1, does Citrix have any recommendations for best methods of locking the Identity Disk down after creation if it cannot be automated during the VM creation process?
Workaround:
If you need to restrict access, consider creating a policy in Azure that applies to the Identity Disk after it has been created. This may involve using Azure PowerShell or Azure CLI to modify the access settings of the Identity Disk after provisioning. However, this requires manual intervention or scripting to automate the process.
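One way to do the post-provisioning step described above with Azure PowerShell (an added example, not Citrix's or Microsoft's own code). It assumes MCS names identity disks `<vmname>-IdentityDisk` (adjust `-NamePattern` if yours differ), that you are already signed in with `Connect-AzAccount` with rights to update disks, and that the portal's “Disable public and private access” corresponds to a NetworkAccessPolicy of DenyAll.

```powershell
#Requires -Modules Az.Accounts, Az.Compute
<#
  Hardens MCS identity disks after they have been created, since MCS does not
  copy the image VM's network access setting onto them.
  Assumption: identity disks follow the '<vmname>-IdentityDisk' naming pattern.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # RG holding the catalog's disks
    [string] $NamePattern = '*-IdentityDisk'               # assumed MCS naming convention
)

# Enumerate candidate disks and keep only those that are still reachable over the network.
$disks = Get-AzDisk -ResourceGroupName $ResourceGroupName |
    Where-Object {
        $_.Name -like $NamePattern -and
        ($_.NetworkAccessPolicy -ne 'DenyAll' -or $_.PublicNetworkAccess -ne 'Disabled')
    }

if (-not $disks) {
    Write-Host "No identity disks in '$ResourceGroupName' need changes."
    return
}

# DenyAll blocks disk import/export over both public and private links;
# PublicNetworkAccess=Disabled additionally closes the public endpoint.
$update = New-AzDiskUpdateConfig -NetworkAccessPolicy DenyAll -PublicNetworkAccess Disabled

foreach ($disk in $disks) {
    $action = 'Set NetworkAccessPolicy=DenyAll, PublicNetworkAccess=Disabled'
    if ($PSCmdlet.ShouldProcess($disk.Name, $action)) {
        $result = Update-AzDisk -ResourceGroupName $ResourceGroupName `
                                -DiskName $disk.Name -DiskUpdate $update
        # Report the values Azure actually stored rather than trusting a silent return.
        [pscustomobject]@{
            Disk                = $result.Name
            NetworkAccessPolicy = $result.NetworkAccessPolicy
            PublicNetworkAccess = $result.PublicNetworkAccess
        }
    }
}
```

Run it with `-WhatIf` first to list the disks it would change, and re-run it after each batch of machines is added to the catalog, since newly created identity disks will again start with the Azure default.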
For #2, are there any options besides leaving an image disk as public access? Or is this a requirement for the MCS process for Azure image machines?
Workaround for Cross region access:
To enable cross-region access without public network access, you can set up Private Endpoints. This allows you to create a private link to the storage account where the disks are stored, enabling secure access without exposing the disks to the public internet.
Here are the steps to set up Private Endpoints:
1. Create a Private Endpoint for the storage account where your disks are located.
2. Configure the necessary DNS settings to ensure that the VMs in the Azure West region can resolve the private endpoint.
3. Ensure that the network security groups (NSGs) allow traffic between the VMs and the private endpoint.
OR
Using Azure Shared Image Gallery:
Consider using the Azure Shared Image Gallery for managing your images. This service allows you to replicate images across regions and can help streamline the process of using images in different Azure regions without requiring public access.
Recommendations:
Identity Disk Access: Currently, there is no automated process in Citrix MCS to disable public access for Identity Disks. Manual intervention or scripting is required post-creation.
Cross-Region Image Access: Use Private Endpoints to enable secure access to disks across regions without public access. Alternatively, consider using the Azure Shared Image Gallery for better management of images across regions.
Please refer to the link below:
For further details on managing Azure storage and security settings, you can refer to the following resources:
https://community.citrix.com/tech-zone/design/reference-architectures/securing-citrix-daas-azure/