Storage Accounts are used by both AVD and Nerdio Manager to store various sorts of data. In this article, we cover the key steps and important considerations when tightening security for common scenarios that use storage accounts. Most notably, storage accounts hold end users' FSLogix profiles, boot diagnostics, custom scripted actions, and MSIX app attach packages.
- The App Service Plan (essentially the "performance tier" for the server hosting the App) will need to be upgraded from the default Basic (B3) tier to Standard or Premium (e.g. S3). This increases operating costs.
- A virtual network (VNet) that can be used to connect both the App Service and the Storage Account. This virtual network needs outbound access so that Nerdio Manager can reach the Nerdio licensing servers over HTTPS (TCP/443).
Enable VNet Integration for the Nerdio Manager App Service
Without VNet integration, Nerdio Manager will be unable to connect to a storage account with network restrictions. Follow these steps to enable and configure this functionality:
Upgrade the App service to Standard or Premium
Find the Nerdio App Service in Azure; its name generally starts with nmw-app-XXXXXXXX. Go to Settings and click "Scale up".
The pricing tier will be B3 unless it has been changed since the app was initially deployed. If it has already been changed to a Standard or Premium tier, skip forward to the next section.
To upgrade the service plan, click the Production tab, then select a Standard or Premium tier (S3 recommended).
Note: Upgrading the app service can cause a short temporary interruption as the web server is moved to a new hosting node. It is generally safe to do this during "production hours", though it is advised not to do this if a major migration or complex task is being executed within the console (Auto-scale will not be adversely affected).
Enable VNet Integration
Go to Settings on the left of the App Service page, click "Networking" (or "Networking (preview)"), then go to "VNet Integration".
Then click the + sign and select the VNet you want to use. See the Microsoft documentation for more details on adding VNet integration: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
Keep in mind that it may be necessary to add an additional subnet that is compatible with the integration. A similar action will be done for the Storage Account as well. In this example, there was already a VNet used for session hosts, which still had unallocated IP address ranges within its address block.
When the VNet is successfully integrated, the page should look something like this:
Harden the Storage Account
Important: Implementing this restriction incorrectly can cause session hosts to lose access to FSLogix profiles, user data, MSIX apps, software data, etc. Be sure to take these new network restrictions into consideration before proceeding.
Apply network restrictions
Find the storage account in Azure you would like to harden. If the storage account was created using Nerdio, you can quickly access it by clicking the name of the storage account in the Nerdio console under Storage -> Azure files:
Once at the storage account, go to Settings and select "Networking". Under the "Firewalls and virtual networks" tab, set the "Allow access from:" option to "Selected networks". This presents additional configuration options.
Select "Add existing virtual network", then on the pop-up blade, select the networks that had been used in earlier steps.
After clicking "Add", you may receive a message stating that the change will take time to take effect.
In that case, allow the time described for these changes to fully apply.
Once it has finished, the network should appear like so:
IMPORTANT! Don't forget to click "save" to prevent losing this configuration:
Finally, refresh the Nerdio Manager console and check the storage account locations (or attempt to perform an action that previously led to an error due to improper storage account restrictions).
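As an added check (example code, not part of this article or of Nerdio Manager), the script below audits the network rule set that `az storage account show -o json` returns, so you can confirm before and after saving that the default action is Deny, that the AzureServices bypass is still on, and that every subnet that needs the account (session hosts and the App Service integration subnet) has a rule that has finished provisioning. The resource group, account, VNet and subnet IDs are constructed placeholders.

```python
import json
import subprocess

# Constructed placeholder IDs; real ones come from `az network vnet subnet show --query id`.
RG, ACCOUNT, VNET = "rg-avd-example", "nmwstorageexample", "vnet-avd-example"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/" + RG
SUBNET_HOSTS = f"{SUB}/providers/Microsoft.Network/virtualNetworks/{VNET}/subnets/snet-hosts"
SUBNET_APP = f"{SUB}/providers/Microsoft.Network/virtualNetworks/{VNET}/subnets/snet-nmw-app"


def audit_network_rules(account: dict, required_subnet_ids) -> list:
    """Findings for `az storage account show -o json` output; an empty list means hardened."""
    acl = account.get("networkRuleSet") or {}
    findings = []
    if acl.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is Allow: 'Selected networks' is not enforced")
    if "AzureServices" not in (acl.get("bypass") or ""):
        findings.append("AzureServices bypass is off: boot diagnostics may break")
    rules = acl.get("virtualNetworkRules") or []
    # Only Allow rules whose service endpoint has finished provisioning actually grant access.
    effective = {r["virtualNetworkResourceId"].lower() for r in rules
                 if r.get("action") == "Allow" and r.get("state") == "Succeeded"}
    pending = {r["virtualNetworkResourceId"].lower() for r in rules
               if r.get("state") not in (None, "Succeeded")}
    for sid in required_subnet_ids:
        short = sid.rsplit("/", 1)[-1]
        if sid.lower() in pending:
            findings.append(f"rule for {short} still provisioning: wait before relying on it")
        elif sid.lower() not in effective:
            findings.append(f"{short} missing from allow list: hosts there lose profile access")
    return findings


def audit_live(account_name: str, rg: str, required_subnet_ids) -> list:
    """Run the audit against a real account (requires `az login` and the Azure CLI)."""
    out = subprocess.check_output(["az", "storage", "account", "show",
                                   "-n", account_name, "-g", rg, "-o", "json"])
    return audit_network_rules(json.loads(out), required_subnet_ids)


SAMPLE = {  # constructed: session-host subnet done, App Service subnet still provisioning
    "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [],
                       "virtualNetworkRules": [
                           {"action": "Allow", "state": "Succeeded", "virtualNetworkResourceId": SUBNET_HOSTS},
                           {"action": "Allow", "state": "Provisioning", "virtualNetworkResourceId": SUBNET_APP}]}}

if __name__ == "__main__":
    for finding in audit_network_rules(SAMPLE, [SUBNET_HOSTS, SUBNET_APP]):
        print("FINDING:", finding)
```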