Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
When creating a template for cloning VMs in Microsoft Azure, you need to select an Azure resource group where VM clones will be created. Note that this must be a group to which you granted permissions to the Microsoft Entra ID application. You also need to select a VM size and disk type to be used for cloned VMs. These settings are specified on the Advanced page of the Create Template Wizard.
Both Virtual Desktop and RD Session Host templates can be created with Microsoft Azure as a Provider. When VMs are cloned, you will see them appear in the RAS Console. At the same time, you can also see them in the Microsoft Azure portal.
Note: If there are multiple RAS installations using the same subscription, then the workaround is to change the Provider Agent application read access from subscription level to resource group level or a set of resource groups. This is necessary to avoid a situation when a given Provider Agent intersects with the set of resource groups of another Provider Agent application.
For complete information about creating and using templates, including Microsoft Azure specifics, please see the Templates section.
Organizations using or interested in using Microsoft Azure can provision, scale, and manage VDI and RD Session Host workloads directly from the Parallels RAS console and deploy on to Microsoft Azure using Azure Resource Manager (ARM). Parallels RAS uses a service principal with required permissions on relevant Azure resources (subscription and resource groups) to authenticate, provision and manage the resources.
To use Microsoft Azure as a Provider, you need the following:
An existing Microsoft Azure account and subscription.
The necessary Microsoft Azure providers must be enabled, including Microsoft.ResourceGraph, Microsoft.Resources, Microsoft.Compute, Microsoft.Network.
An ARM virtual network and subnet in your preferred region with connectivity to AD services. Microsoft Entra ID with Active Directory Domain Services (AADDS), Domain Controller in Azure IAAS or hybrid with connectivity to on-premises domain can be used.
Site-to-site VPN or ExpressRoute is required if hybrid RAS deployment is used.
A configured VM to be used for VDI or RD Session Host as a template.
Adding Microsoft Azure as a Provider is a two-step process:
First, you need to create an application in Microsoft Azure to access the resources in your subscription. This step is described in the Create a Microsoft Entra ID application section.
Once the application is created and registered, you can add Microsoft Azure as a Provider in the Parallels RAS Console. This step is described in Add Microsoft Azure as a Provider.
Read on to learn how to perform the steps above.
This section describes how to add a cloud-based Provider. For the information on how to add a hypervisor provider, see Add a hypervisor Provider.
To complete the steps below, you must have a Microsoft Azure subscription and account. If you don't have a subscription, you need to purchase one first.
An Microsoft Entra ID application is used with the role-based access control. You need to create an Microsoft Entra ID application to access resources in your subscription from Parallels RAS.
To create an Microsoft Entra ID application:
Log in to the Microsoft Azure portal.
Open the portal menu and select Microsoft Entra ID.
In the left pane, select App registrations.
Click New registration (at the top of the right pane).
The Register an application blade opens.
In the Name field, type a name you want to use for the application.
In the Redirect URI (optional) section, make sure that Web is selected in the drop-down list. Leave the URI field empty.
Click Register (at the bottom left).
The new Microsoft Entra ID app is created and its blade is displayed in the portal.
Note the following app properties, which are displayed at the top of the right pane:
Display name
Application (client) ID*
Directory (tenant) ID*
Object ID*
* Copy and save these properties. You will need to specify them later when adding Azure as a Provider in the RAS Console.
A client secret is a string that the application uses to prove its identity when requesting a token. It essentially acts as an application password. You will need to specify this string in the RAS Console when adding Azure as a Provider.
To create a client secret:
If you are not on the application page anymore, navigate to it from the Home page by selecting Microsoft Entra ID > App registration and then clicking the app in the right pane.
In the left pane, click Certificates & secrets.
In the right pane, click New client secret.
Type a client name and select a desired expiration option.
Click Add. The new client secret appears in the Client secrets list.
IMPORTANT: Copy and save the client secret (the Value column). If you leave this page without copying the secret, it will be hidden and you will not be able to retrieve it later.
The Microsoft Entra ID app that you created must have read and write access to Azure resources. The following instructions demonstrate how to give the application read and write access to a resource group. You can also give access to a specific resource or to your entire Azure subscription. For more information, please see the Microsoft Azure documentation.
To give the app write access to the resource group where new VMs will reside:
In the Azure portal menu, select Resource groups.
Click a resource group where the new VMs will reside.
In the left pane, select Access control (IAM).
In the right pane, locate the Grant access to this resource box and click Add role assignment.
On the Role tab of the Add role assignment page, select Privileged administrator roles, then the Contributor role.
Click Next.
On the Members tab, select the User, group, or service principal option.
Click on the Select members link and enter the name of the previously created application in the Select field. Select the application in the drop-down list and click Select.
Click Next.
On the Review + assign tab, confirm that the configuration is correct and click Review + assign.
To give the app read access to the resource group:
Repeat steps 1-4 from the list above.
On the Role tab of the Add role assignment page, select Job function roles, then the Reader role.
Repeat steps 6-10 from the list above.
Note: If you would like to give the application read access to your entire subscription (not just a specific resource groups), select All services in the Azure portal menu, then navigate to Categories > All > Subscriptions and select your subscription. Select Access control (IAM) in the middle pane and click Add in the Add a role assignment box. Repeat steps 2-4 from the list above.
When you'll be adding Microsoft Azure as a Provider in the RAS Console, you will need to specify your Azure subscription ID. If you don't remember it, here's how to find it in the Microsoft Azure portal:
In the portal menu, choose All services.
In the Categories list, click All.
In the right pane, click Subscriptions.
Click a subscription and then copy and save the value from the Subscription ID field.
When you complete all of the above steps, you should have the following values saved and ready to be used to add Microsoft Azure as a Provider in the RAS Console:
App (client) ID: Application ID.
Directory (tenant) ID: Tenant ID.
Client secret: Client secret (application key).
Subscription ID: Your Microsoft Azure subscription ID.
Read on to learn how to add Microsoft Azure as a Provider in the RAS Console.
To add Microsoft Azure as a Provider:
In the RAS Console, navigate to Farm > Site > Providers.
On the Providers tab, click Tasks > Add > Microsoft Azure.
The Add Cloud Computing wizard opens.
In the wizard, specify the following:
Name: Name of the provider.
Description: Description of the provider.
Manage credentials: the administrative accounts that will be used to deploy Parallels Agents.
Authentication URL: Prepopulated with the Microsoft authentication site URL. Unless otherwise required or indicated, keep the default value provided.
Management URL: Prepopulated with the Microsoft Azure management site URL. Unless otherwise required or indicated, keep the default value provided.
Resource URI: Prepopulated with the Microsoft Azure resource URI. Unless otherwise required or indicated, keep the default value provided.
Tenant ID: The "Directory (tenant) ID" value of the Microsoft Entra ID app that you created earlier.
Subscription ID: Your Microsoft subscription ID.
Application ID: The "App (client) ID" value of the Microsoft Entra ID app that you .
Application key: The "Client secret" value of the Microsoft Entra ID app that you c.
Click the Advanced Settings link to open a dialog where you can configure the following optional settings:
Use dedicated Provider Agent: When this option is cleared (default), the built-in RAS Provider Agent will be used. If you want to use a dedicated RAS Provider Agent, select this option and specify the host FQDN or IP address.
Agent address: This option becomes enabled if you select the option above it. Specify the FQDN or IP address of the host where the RAS Provider Agent is (or will be) installed. This can be either a physical box or virtual machine.
Preferred Connection Broker: Select a RAS Connection Broker to be the preferred agent for this Provider. For more info, see .
Click Next. The wizard will display the new Provider information and will indicate the RAS Provider Agent status. If everything is OK, click Finish to exit the wizard. If something is not as expected, click Back and correct any mistakes if necessary.
The new Provider will now appear on the Providers tab in the RAS Console. Complete the Provider addition as follows:
Click Apply to apply the changes.
Verify the value of the Status column. If it's anything other than OK, right-click the Provider and choose Troubleshooting > Check agent. Verify the agent status and install it if necessary, then click OK. The Status column on the Providers tab should now say OK.
To view and modify the Provider configuration, right-click it and choose Properties. In the dialog that opens, view and modify the Provider properties.
To create the IAM user account, you can use the AWS Management Console, the AWS CLI,?Tools for Windows PowerShell, or AWS API operation. In this example, we will be using the AWS Management Console:
Sign in to the AWS Management Console and open the IAM page at .
In the navigation pane, choose Users and then click the Add users button.
Under Set user details section, provide a user name such as "ParallelsConnector".
Under AWS access type, select Access key - Programmatic access, as the Parallels RAS Console will be using APIs to communicate with your AWS account. This will create an access key for the IAM user. You can view or download the access keys when you get to the Final page. Click Next to proceed to the permissions page.
On the permissions page, you can create a user group for the new IAM user to be a part of. This is recommended as its beneficial for management purposes, although not mandatory.
If you are not using groups, choose Attach existing policies directly. A list of the AWS managed and customer managed policies in your account will appear.
Filter policies and choose AmazonEC2FullAccess, which is an AWS managed preconfigured policy, and click Next to proceed to the next page.
Optionally, on this page, you can use the tags to organize, track, or control access for this user.
Once the tags are ready, click Next to see all of the choices you made up to this point. When you are ready to proceed, click Create user.
To view the user's access key ID and secret access keys, click Show next to each password and access key that you want to see. To save the access keys, choose Download CSV and then save the file to a safe location.
Please note that this is your only opportunity to view or download the secret access keys.
Save the user's new access key ID and secret access key in a safe and secure place to be used next in Parallels RAS Console.
Note: For security reasons, it is recommended to regularly change keys of the IAM user as described in .
Proceed to
This section contains design advice that you might want to keep in mind when using AWS in Parallels RAS.
You might need to use an AWS DHCP options set to specify a custom DNS pointing to the domain controller so that the VMs created from templates are able to join the Active Directory domain. If the custom DNS is not set, the default AWS public DNS will be used, and the VMs won't be able to communicate with the domain controller.
For information on how to configure DHCP options sets, see .
The Provider Agent and Guest Agents need to be on the same subnet for the Guest Agent to discover the Provider Agent using broadcasts. If this is not possible, then a registry setting with the IP of the Provider Agent needs to be added on the VM as described here: .
Sometimes solutions scale in usage, invocations, number of instances, and so on. Due to this, the standard AWS service quotas can be reached. For more information about AWS service quotas, see .
Parallels RAS integrations are subject to the EC2 and EBS endpoint limits as specified here:
The storage of clones created from RAS templates will be encrypted if the AWS administrator enables encryption of the RAS template VM storage in AWS Management Console.
Encryption can be enabled by default or explicitly when launching a new EC2 VM:
To configure Amazon Web Services as a Cloud Computing provider:
In the RAS Console, navigate to Farm > Providers.
Click the Tasks drop-down menu and choose Add (or click the [+] icon).
In the menu, select Amazon EC2. The Add Cloud Computing Provider wizard opens.
In the Wizard, specify the following:
Name: Name of the provider.
Description: Description of the provider.
Manage credentials: the administrative accounts that will be used to deploy Parallels Agents on the session hosts (Amazon EC2 instances). The current RAS administrator is already present in this list, but you can other accounts.
Access Key ID: Your access key ID.
Secret Access Key: Your secret key.
Click Next.
Wait until Parallels RAS validates the settings and click Next.
Select the Region that you will use. In most cases, the best Region would be the one closest to you. You can also choose one of opt-in AWS Regions by selecting the Opted-in Region option or specify a custom EC2 endpoint URL by selecting the EC2 Endpoint URL option.
Click Finish.
Proceed to creating a Template as described in . During template creation you can configure the instance type for the clones and the storage including Type, Size, and IOPS. Note that you can also do this from Farm > RD Session Hosts > right-click the template > Properties.
For more information about encryption, see .
Amazon Web Services (AWS) is a leading cloud platform provider offering over 200 fully featured services from data centers globally. Parallels RAS 19 provides the ability to integrate, configure, maintain, support, and access Amazon EC2 workloads on top of the existing capabilities of Parallels RAS.
Support is targeted at multi-session (RDSH), single session (server-based VDI) server operating systems, and other Microsoft operating systems, if your organization holds licenses for them. For more information about using Microsoft operating systems with AWS, see https://aws.amazon.com/windows/faq/.
Parallels RAS Console allows you to do the following:
Manage Amazon EC2 instances
Create and manage templates
Create and manage instance pools
Configure autoscaling
Enable, reboot, start up and shut down instances via schedules
Configure image optimization
Use FSLogix Profile Container and MSIX app attach
Change instance types and storage types
An AWS account. If you do not already have an account, you can create it for free at aws.amazon.com/ec2/.
A working Microsoft Active Directory environment to join the Amazon EC2 cloned instances to your domain.
A preconfigured Virtual Private Cloud (VPC) as your virtual network and security groups that act as a virtual firewall for your EC2 instances.
A preconfigured Amazon EC2 instance, which will be used later as a Parallels RAS template, running on Windows Server 2012 up to Windows Server 2022.