Storage Account Disallowed by Policy

Storage Account Disallowed by Policy

Note: This article assumes issues are encountered with the use of standard, out- of- the- box storage accounts naming conventions. You can customize the storage account names. See Configure Custom Storage Account Names for details.

Nerdio Manager creates and uses various storage accounts for Nerdio Manager functions or session host VM diagnostics. These are all blob storage accounts, used for environment administration and management, and do not contain any user data. This article discusses the details of what storage accounts Nerdio Manager may create and why.

Notes:

  • These blob storage accounts are dynamically created after the deployment of Nerdio Manager, as needed.

  • This article excludes any of the profile storage or other user data storage that might be in use. For example, this is not related to Azure Files nor Azure NetApp Files.

Symptoms and Errors

Secure environments enforcing Azure policy on storage accounts may encounter errors after deploying Nerdio Manager or attempting to create new desktop images or session hosts. There may be an error banner at the top of Nerdio Manager, or the task may fail at the Provide storage account step.

The error messages or reason may be slightly different than this example:

This occurs because Nerdio Manager uses storage accounts both for VM boot diagnostics (session hosts and desktop images) and storage for scripted actions and custom scripts. The storage accounts provisioned use Azure's default configuration settings, which include blob public access and public endpoint options enabled.

Environments using Azure private endpoints or applying Azure policy restricting public access to storage accounts may see errors as a result.

Nerdio Manager uses a single storage account for executing scripted actions and custom scripts, plus one storage account per resource group where VMs are provisioned. It is possible to create these storage accounts in advance in the Azure portal, meeting Azure policy requirements and specifying the name prefix and tags. Nerdio Manager finds and uses these accounts automatically, if the correct tags are applied.

Note: If Azure policy in the environment restricts the creation of non-compliant storage accounts, it is possible to pre-create these with a matching name and assign the required tags. See Storage Account Pre-creation Guidelines below for details.

Default Configuration

  • The most common blob storage accounts are named stn*, with various letters and numbers appended to the stn prefix. Nerdio Manager creates these automatically, as needed, when new session host VMs are created. These standard storage accounts and are only used for session host VM Boot Diagnostics. Nerdio Manager automatically creates one of these boot diagnostics accounts for each resource group, for each Azure region. That means, for example, if Nerdio Manager creates session host VMs in one region, and only one resource group, you should only find a single stn* storage account is created.

  • Additionally, Nerdio Manager manager creates a standard blob storage account named with the cssa* prefix. There should be one of these for Nerdio Manager to store custom scripts and scripted actions. Any Windows script or Azure Runbook scripted action that is executed is temporarily saved to this storage account, in order to be attached to the destined session host VM as an extension, or called by the Automation account. This account is also used for other features including Application Management (with FSLogix App Masking).

  • Lastly, Nerdio Manager may create premium blob storage accounts named with the prm* prefix. This is only used if you import a desktop image from an existing session host VM using the generated Disk Export URL. Nerdio Manager first downloads the disk to this premium account, and then converts from that file into a standard managed disk. Nerdio Manager creates one of these for each Azure region where an image is being imported.

Storage Account Pre-creation Guidelines

You many have an Azure policy that restricts storage account creation if the policy is not met. For example, financial or government organizations cannot allow public access to their storage for regulatory purposes. Therefore, Nerdio Manager's request to create the storage account may be rejected. In these cases, you must pre-create the accounts that meet the policy requirements and follow the name and tagging guidelines. See Configure Custom Storage Account Names for details.

Was this article helpful?

0 out of 0 found this helpful
Have more questions? Submit a request

Comments (0 comments)

Article is closed for comments.