Citrix Cloud Cost



  1. Citrix Cloud Cost Per User
  2. Citrix Workspace Cost
  3. Citrix Cloud Cost Calculator
downloadWhy can't I download this file?
  • XenDesktop
  • XenApp
  • Citrix Cloud

Objective

Contents

  • Step 1: Manually creating an Azure application registration for Citrix Cloud
  • Step 2: Manually assigning Resource permissions to the Azure App Registration for Citrix Cloud
    • Assigning Resource Permissions
  • Step 4: Add an Azure Resource Location using an existing Azure App registration

Who should use this document

This is an advanced guide intended for customers with federated configurations, Azure B2C, or multi-factor authentication requirements for their Azure Tenant. Citrix Cloud / Studio does not currently support service account creation for these cases.

Citrix Cloud / Studio supports creation of the application service account. If the Studio user has an Azure Active Directory account with sufficient permissions and does not fall into the cases above, Studio will prompt for credentials to generate the service account in the Azure Tenant Azure Active Directory. The result will be adoption of the “Citrix managed” model described later in this document.

Introduction

In order to provision machines in Azure, Citrix Cloud must be granted access to your Azure subscription via an application service account (Azure Active Directory “App registration”) that has been assigned permissions to the relevant Azure resources within your Azure Tenant account.

This approach is preferable to running the application under an Azure Active Directory user credential because:

  • You can assign permissions to the application identity that are different than your own permissions. Typically, these permissions are restricted to exactly what the application needs to do.

  • You do not have to change the application's credentials if your responsibilities change.

This article walks you through manually creating an application registration in the Azure portal, assigning that the necessary permissions, and then creating your host connection in Citrix Cloud.

Instructions

Note: Citrix Cloud Studiocan perform all these actions automatically when using the Create new... option while adding a new Hosting Connection. Account privilege level in Azure must be Owner (not Contributor) to perform the actions listed in Step 1 and Step 4. If your Azure account role is Contributor, you might see the error 'Invalid Azure Credentials' in Citrix Cloud Studio when choosing the Use Existing... option or no error but a window prompting for credentials again when using the Create New option. Only follow the steps below once you've confirmed the current role level for your Azure account.

Step 1: Manually creating an Azure application registration for Citrix Cloud

Define the application registration

  1. Login to your Azure Tenant

  2. Select the Azure Active Directory blade

  3. Select App Registrations

  4. Select '+ New application registration'
    Also select the Account type:

  5. Under Redirect URI, select Web for the type of application you want to create. Enter the URI where the access token is sent to.
    Application Type: 'Web app'
    'Sign-on URL: 'https://citrix.cloud.com'

  6. Select the App Registration from Step 4 to open its Settings
    Grant Access to the Azure API

  7. Select Required Permissions under API Permissions:
    Create the application secret access key

  8. From the Manage tab of the App registration; select “Certificates & Secrets”

    1. Refer the below edoc from Microsoft to create a secret key.
      https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

  9. Copy the value of the Key (this is the secret, similar to a password you will only see once)

  10. Select the Properties

  11. Copy the Application ID of the App registration (this is similar to the username)

The Key and Application ID & Directory ID are pieces of information required to create the Host connection to Azure from Citrix Cloud.

Step 2: Manually assigning Resource permissions to the Azure App Registration for Citrix Cloud

Now that the App registration account has been created and access has been granted to the Azure API it needs to be granted permissions to resources within your Azure account.

Citrix recommends that Citrix Cloud specific subscriptions be created. This reduces the risk of worker provisioning or life cycle actions from interfering with or impacting other production systems.

The following instructions utilize the built-in Azure RBAC Roles. The instructions select the most restrictive built-in Role for a particular resource, this allows Citrix Cloud to do what it needs to for worker machine provisioning and lifecycle actions.

Selecting a Citrix Worker management model

At this point, there is a decision of how much control a customer will grant to the Citrix Cloud App registration for machine provisioning.

Citrix Managed – In this model, Citrix Cloud is in full control of Resource Group(s) during the machine provisioning process. As Resource Groups are required, Citrix Cloud will simply add more as necessary to support the additional catalogs being provisioned. This streamlines the management experience by handling these details. This also makes the Citrix administrator the sole arbiter of how many virtual machines can be deployed.

Customer Managed – In this model, an Azure Admin or Co-Admin pre-creates Resource Groups that worker machines will be provisioned in to. Citrix Cloud cannot create additional Resource Groups as necessary, this will need to be performed by an Azure Subscription Admin or Co-Admin. This will require good communication between the Citrix Administrator and Azure Administrator as the number of Citrix workers in Azure is increased.

Note: The Customer Managed option is currently supported in the Citrix Cloud and in XenApp and XenDesktop 7.16 or later via the Studio GUI.

Citrix Cloud Cost

The primary difference between the two is the level of control that the application service principal has to the Azure Subscription and resources. These two models are detailed below.

Citrix Cloud Cost Per User

Assigning Resource Permissions

The following outlines the permission settings required for the resource that is being secured with the built-in Azure RBAC role that provides the minimum settings necessary for the model.

Most of the settings will be the same for both models, except the settings on the Subscription where Citrix workers will be provisioned and the Resource Groups within it.

For more information about assigning permissions see: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure

For more information about built-in Azure RBAC roles see: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles

Subscription

The Subscription where Citrix workers (XenApp and/or XenDesktop will be provisioned) will reside.

Management ModelCitrix ManagedCustomer Managed
Azure RBAC RoleContributorNone
Azure Admin / Co-Admin must create Resource Groups manually

To grant the App Registration Contributor permission to a Subscription:

  1. Select the Billing blade
  2. Select the desired Subscription
  3. Select “Access control (IAM)”
  4. Select “+ Add”
  5. Select Contributor from the Role drop down menu
  6. Click in the Select search box and type the full name of the App registration
  7. Select the App registration
  8. Select Save

Resource Group(s)

The Resource Groups within the Subscription where Citrix workers will be provisioned.

Management ModelCitrix ManagedCustomer Managed
Azure RBAC RoleContributor
Inherited from Subscription
Virtual Machine Contributor
Storage Account Contributor

To grant the App Registration Contributor permission to a Resource Group

Citrix Cloud Cost

Citrix Managed – Do nothing, the permissions will be inherited.

Cost

Customer Managed – Complete the following:

  1. Select the Resource Group Blade
  2. Create the Resource Group(s)
    1. Select “+ Add”
    2. Enter:
      1. Resource Group Name
      2. Subscription
      3. Region
    3. Select Create
  3. Refresh the Resource Group list
  4. Select the Resource Group that was created
  5. Select “Access control (IAM)”
  6. Select “+ Add”
  7. Select Contributor from the Role drop down menu
  8. Click in the Select search box and type the full name of the App registration
  9. Select the App registration
  10. Select Save
  11. Repeat for each Resource Group

Virtual Network

The Azure Virtual Network that Citrix worker machines will be joined to.

Management ModelCitrix ManagedCustomer Managed
Azure RBAC RoleContributor
Inherited from Subscription
Virtual Machine Contributor

Complete this for both scenarios.

Citrix Cloud Cost

Master Image Storage Account

Citrix Workspace Cost

The Resource Group within the Subscription where Citrix worker master images are maintained. Citrix and / or Desktop administrators should have full access, but the App registration does not need to modify the image.

Management ModelCitrix ManagedCustomer Managed
Azure RBAC RoleContributor
Inherited from Subscription
Virtual Machine Contributor

Complete this for both scenarios.

Step 3: Deploy Cloud Connectors to the Azure Subscription

Citrix Documentation - Citrix Cloud Connector

Step 4: Add an Azure Resource Location using an existing Azure App registration

If you have worked through the process of manually creating an App registration in Azure and properly assigning the permissions, this new App registration now needs to be added to Citrix Cloud as a Resource Location for capacity.

Cost

Within the Citrix Cloud management portal / Citrix Studio;

  1. Select Hosting

  2. Select “Add Connection and Resources”

    1. Select “Create a new Connection”

    2. Select the Azure hosting environment

    3. Select Next

  3. Select “Use existing”

  4. Copy and paste;

    1. Azure Subscription ID (where Citrix workers will be provisioned by Citrix Cloud)

    2. Active Directory ID (the Directory ID of the Azure Active Directory in which the App registration was defined)

    3. Application ID (of the App registration)

    4. Application secret (the Key)

  5. Enter a “Connection name”

  6. Select Next

  7. Select the Azure Region where Citrix workers will be provisioned

  8. Select Next

  9. Enter a Citrix Cloud name for this Azure Subscription and Region

  10. Select the Azure Virtual Network that Citrix Worker machines will be joined to

  11. Select the Azure Virtual Network Subnet that Citrix Worker machines will retrieve IP addresses from

  12. Select Next

  13. Select Finish

Citrix Cloud Cost Calculator

  1. Select the Half Circle connection menu in the top center of the browser

  2. Select the Clipboard

  3. Copy your Azure Subscription ID to the Clipboard

  4. Either; right click and paste or use CTRL + v to paste the clipboard contents to the remote clipboard

  5. Select the X to close the Session clipboard

  6. Select the field to paste the data to

  7. Either; right click and paste or use CTRL + v to paste the clipboard contents to the field