
Prepare Azure

For smooth integration of the Azure platform with the HyWorks Controller, use the following guides:

Supported Feature Matrix

| Feature | Sub Feature Category | Sub Feature | Azure |
|---|---|---|---|
| Deploy pool with existing VMs | - | - | Yes |
| Desktop VM Provisioning | Clone Type | Linked Clone | Not Applicable |
| | | Full Clone | Yes |
| | Clone from Snapshot | - | No |
| | Network Preserve | - | Yes |
| | Disk Encryption | - | Yes |
| | Disk persistence | Persistent VM Deployment | Yes |
| | | Non-persistent VM Deployment | No |
| | Enable DVM Reset | | No |
| | Deployment Setting | | Only resource group, not Location |
| | Customization | | Both (Sysprep and Hyprep) |
| | IP Address Filter | | Yes |
| Shared hosted desktop provisioning and automated deployment | | | Yes |
| Automated power management and scaling | | | Yes |
| Desktop Power Operations | - | - | Yes |
| Operating Systems Support on Provider | Windows Desktops | Windows 7 | Yes |
| | | Windows 8.1 | Yes |
| | | Windows 10 | Yes |
| | | Windows 11 | Yes |
| | Windows Servers | Windows Server 2008 R2 | Yes |
| | | Windows Server 2012 R2 | Yes |
| | | Windows Server 2016 | Yes |
| | | Windows Server 2019 | Yes |
| | | Windows Server 2022 | Yes |
| | Linux Desktops | CentOS 7 | Yes |
| | | Ubuntu 16.04/1 | Yes |
| | | Ubuntu 18.04/1 | Yes |
| | | Ubuntu 20.04/1 | Yes |
| | | RHEL v7.9 | Yes |

Prerequisites

  1. Application ID:  The Application ID is a unique identifier (GUID) of an application created and granted under the tenant.

  2. Secret:  A client secret is known only to your application and the authorization server. It protects your resources by only granting tokens to authorized requestors.

  3. Tenant ID:  Tenant ID is a Globally Unique Identifier (GUID) different from the tenant name or domain.

  4. Subscription ID:  The subscription ID is a GUID that uniquely identifies your subscription to use Azure services.

Configure Azure App

  1. Sign in to your Azure Account through the Azure portal: https://portal.azure.com/.

  2. Select Azure Active Directory: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

  3. Select App Registrations followed by New Registration.

  4. After setting the values, select Register.

  5. Select your registered application followed by Certificates and Secret, then create and copy a new Secret.

  6. Navigate to app Overview and copy the application ID, tenant ID, secret key, and subscription ID.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

Create Secret

Follow the steps to create a Secret for the configured app:

  1. Select Azure Active Directory.

  2. From App registrations in Azure AD, select your application.

  3. Select Certificates & Secret.

  4. Select Client Secret > New Client Secret.

  5. Provide a description, check expiry, and click Add.

The value of the Client Secret is displayed upon saving it. Make sure to copy this value, as you won’t be able to retrieve it later. Save a copy of the auto-generated Client Secret key in your personal vault.

Configure Access Control

To access resources in your Subscription, you must assign a role to the application.

  1. Select your Subscription on the Home page.

  2. Select Access Control (IAM).

  3. Navigate to Role Assignments and click Add. Select Role assignment.

  4. Select Role as Contributor for HyWorks based delivery and Role as Owner for AVD delivery via HyLabs.

    1. Set Assign access to as Azure AD user, group, or Service principal.

      Note

      If Azure is being configured for AVD delivery via HyLabs, the role must be Owner and not Contributor.

  5. Select your app.

  6. Click Save to finish assigning the role.

Important

The above Application ID may take around 30 minutes to become active. Configuring the application in HyWorks before it becomes active results in the error message: Invalid credentials.

Add URLs to whitelist in the Firewall or Proxy server

If a Firewall is used to control internet access and HyWorks is deployed behind a Firewall or proxy server, the HyWorks controller will not have internet access. In such a case, you will have to whitelist the following URLs in your Firewall or allow access to them via the proxy server:

  1. https://login.microsoftonline.com

  2. https://management.azure.com

The following URLs are required to integrate with Azure Automation:

  1. https://<workspaceId>.agentsvc.azure-automation.net

  2. *.azure-automation.net

  3. Port: Only TCP 443 is required for outbound internet access

Important

If it's a multi-node active-active deployment, the configurations must be made on all controller management and session nodes.
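The check below is an added example, not part of the HyWorks documentation or tooling. Run on the controller, it confirms that the Application ID, secret, and tenant ID are accepted and that both whitelisted URLs are reachable before the values are entered in HyWorks. The three IDs are placeholders.

```powershell
# Added example (not vendor code). Placeholders: replace with your own values.
$TenantId       = '<tenant-id>'
$ApplicationId  = '<application-id>'
$SubscriptionId = '<subscription-id>'
# Prompt for the secret so it is never stored in the script or shell history.
$Secret = Read-Host -Prompt 'Client secret' -AsSecureString

# Windows PowerShell 5.1 on older servers may not negotiate TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

function Get-ArmToken {
    param([string]$TenantId, [string]$ApplicationId, [securestring]$Secret)
    # OAuth 2.0 client-credentials request against the first whitelisted URL.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ApplicationId
        client_secret = [System.Net.NetworkCredential]::new('', $Secret).Password
        scope         = 'https://management.azure.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

try {
    $token = Get-ArmToken -TenantId $TenantId -ApplicationId $ApplicationId -Secret $Secret
    Write-Host 'Token issued: tenant ID, application ID and secret were accepted.'
} catch {
    # Wrong or expired secret, wrong tenant, or login.microsoftonline.com is blocked.
    Write-Warning "Token request failed: $($_.Exception.Message)"
    return
}

try {
    # Read the subscription through the second whitelisted URL. Success proves the
    # application can see the subscription; it does not prove which role it holds.
    $uri = "https://management.azure.com/subscriptions/${SubscriptionId}?api-version=2020-01-01"
    $sub = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }
    Write-Host "Subscription reachable: $($sub.displayName) [$($sub.state)]"
} catch {
    # Typically a missing or not-yet-effective role assignment, or a blocked URL.
    Write-Warning "Subscription read failed: $($_.Exception.Message)"
}
```

Run it under the account the HyWorks Controller Service uses, and on every controller node in a multi-node deployment, so that the same firewall and proxy path is exercised.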

Configure Controller for Domain Account Authentication in Proxy server

The following configurations are required on the Controller when a proxy server is configured on the Controller and an Azure-based Desktop Provider is used:

  • Install the HyWorks Controller Service using the domain account (not the Local System account)

    • The account should be granted the Log on as a service right.

    • Configuration can be done at the time of installation or later.

    • A specified account will be used to authenticate in the proxy server.

    • Whitelist URLs mentioned above.

Fig: Configuration post installation

<system.net>
    <!-- Use the proxy configured in the system settings -->
    <defaultProxy>
        <proxy usesystemdefault="true" />
    </defaultProxy>
</system.net>

or alternate configuration

<system.net>
    <!-- Authenticate to the proxy with the credentials of the account running the service -->
    <defaultProxy useDefaultCredentials="true">
    </defaultProxy>
</system.net>

  • Verify the above configuration in the HyWorks controller.

    x:\Program Files (x86)\Accops\HyWorks\Service\EDC.Service.exe.config

Fig: Configuration file change

Note

  • You need to re-login to apply the above changes.

  • If it's a multi-node active-active deployment, the configurations must be made on all controller management and session nodes.
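One way to carry out the verification step on each node, as an added example that is not part of the HyWorks tooling: it reports which of the two `defaultProxy` variants the config file contains and whether the service still runs as Local System. The service name is a hypothetical placeholder, and the embedded XML is a constructed sample that is used only when the file is not found.

```powershell
# Added example (not vendor code): report <defaultProxy> settings in a .NET config.
function Get-DefaultProxySetting {
    param([Parameter(Mandatory)][xml]$Config)
    $dp    = $Config.SelectSingleNode('/configuration/system.net/defaultProxy')
    $proxy = if ($dp) { $dp.SelectSingleNode('proxy') }
    [pscustomobject]@{
        Present               = [bool]$dp
        UseSystemDefault      = [bool]($proxy -and $proxy.GetAttribute('usesystemdefault') -eq 'true')
        UseDefaultCredentials = [bool]($dp -and $dp.GetAttribute('useDefaultCredentials') -eq 'true')
    }
}

# Replace x: with the drive HyWorks is installed on (path as given above).
$path = 'x:\Program Files (x86)\Accops\HyWorks\Service\EDC.Service.exe.config'

# Constructed sample: the alternate configuration wrapped in a <configuration> root.
$sample = @'
<configuration>
  <system.net>
    <defaultProxy useDefaultCredentials="true" />
  </system.net>
</configuration>
'@

$raw = if (Test-Path -LiteralPath $path) { Get-Content -LiteralPath $path -Raw } else { $sample }
$result = Get-DefaultProxySetting -Config $raw
$result | Format-List
if (-not ($result.UseSystemDefault -or $result.UseDefaultCredentials)) {
    Write-Warning 'Neither proxy variant is present in the config.'
}

# Hypothetical service name (assumption): find the real one with Get-Service.
$svc = Get-CimInstance Win32_Service -Filter "Name='<HyWorksControllerService>'"
if ($svc -and $svc.StartName -eq 'LocalSystem') {
    Write-Warning 'Service runs as Local System; configure the proxy logon account instead.'
}
```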

Desktop Operation Support

| Operation | Support | Status on Azure | Status on HyWorks |
|---|---|---|---|
| Power On | Yes | Powered On | Powered On |
| Power Off | Yes (De-allocated) | De-allocated | Powered Off |
| Shutdown | Yes (De-allocated) | De-allocated | Powered Off |
| Restart | Yes | Restart | Restart |
| De-allocate | Yes (Use power off) | De-allocated | Powered Off |
| Reset | No | - | - |
| Refresh (Desktop Information on HyWorks) | Yes | - | Update the VM details and call the DVM agent. |
| Re-Create (single VM from Desktop VMs page) | Yes | - | - |

Limitations with Azure Handler

  • A VM that is shut down but not de-allocated is shown as Powered Off. There is no difference between a non-de-allocated and a de-allocated VM.

  • Change Location (current VM will be cloned in source VM location).

  • Gold Master Disk should be a Managed disk.