Custom Image Templates part 1

Streamlining Azure Virtual Desktop deployment with Custom Image Templates

In the past, setting up an Azure Virtual Desktop environment required extensive post-deployment configuration. Tasks such as installing FSLogix, configuring language packs, or removing unused Windows applications were time-consuming and inefficient. By leveraging custom image templates, this overhead can be significantly reduced. Custom image templates use the Azure VM Image Builder technology to apply predefined scripts and settings during the image creation process, ensuring that virtual machines are ready to use immediately after deployment. This approach not only saves time but also ensures consistency across deployments. For more information, refer to the Azure documentation on custom image templates. In upcoming posts I will guide you to a better understanding of how to deploy this with best practices, but for now I will walk you through the prerequisites.


Resource Providers

  • Microsoft.DesktopVirtualization
    Manages Azure Virtual Desktop resources like host pools and application groups.

  • Microsoft.VirtualMachineImages
    Supports the Azure Image Builder service used for creating custom images.

  • Microsoft.Storage
    Manages storage accounts for temporary files during the image-building process.

  • Microsoft.Compute
    Manages virtual machines, disks, and other compute-related resources.

  • Microsoft.Network
    Manages virtual networks required for the image-building VM to function.

  • Microsoft.KeyVault
    Provides secure storage of secrets, such as passwords and certificates, used during image creation.

  • Microsoft.ContainerInstance
    Supports running containers that may be used during the image customization process.

You can check which providers are registered with the first command, and register any that are missing with the second:

az provider list --query "[?registrationState=='Registered'].{Provider:namespace}" --output table

az provider register --namespace <ResourceProviderName>
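The following script is an added example and not part of the original post. It takes the seven providers listed above, compares them against the registered namespaces that az provider list returns (so the comparison itself runs offline on a pasted list), and registers whatever is missing. The live part assumes an authenticated Azure CLI session and is skipped when az is not on the PATH.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): verify the resource providers the
# post lists are registered, and register the ones that are not.
set -eu

# The seven providers the post names as prerequisites.
REQUIRED_PROVIDERS="Microsoft.DesktopVirtualization
Microsoft.VirtualMachineImages
Microsoft.Storage
Microsoft.Compute
Microsoft.Network
Microsoft.KeyVault
Microsoft.ContainerInstance"

# Reads registered namespaces (one per line) on stdin and prints the required
# providers that are absent from that list, one per line. The comparison is
# case-insensitive because Azure treats provider namespaces case-insensitively.
missing_providers() {
  registered=$(tr '[:upper:]' '[:lower:]')
  for p in $REQUIRED_PROVIDERS; do
    lc=$(printf '%s' "$p" | tr '[:upper:]' '[:lower:]')
    if ! printf '%s\n' "$registered" | grep -qx "$lc"; then
      printf '%s\n' "$p"
    fi
  done
}

# Live check: pull the registered namespaces from az, feed them through
# missing_providers, and register each missing one, waiting for completion.
# Skipped when az is not installed so the file can be sourced offline.
ensure_providers() {
  if ! command -v az >/dev/null 2>&1; then
    echo "az not found; skipping live provider check" >&2
    return 0
  fi
  az provider list --query "[?registrationState=='Registered'].namespace" --output tsv \
    | missing_providers \
    | while IFS= read -r ns; do
        echo "registering $ns"
        az provider register --namespace "$ns" --wait
      done
}

# Usage: sh providers.sh --apply   (only then does the live check run)
if [ "${1:-}" = "--apply" ]; then
  ensure_providers
fi
```

Running the script with --apply performs the registration; without it, only the functions are defined, so you can source the file and pipe any list of namespaces into missing_providers to see what a subscription still lacks.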

Resource Group

It is highly recommended to place all resources related to the image template within a single resource group. This approach helps with organization, management, and access control. By deploying everything into one resource group, you can easily manage permissions, monitor resources, and streamline the deployment process.

This approach simplifies resource tracking, ensures that all dependencies are grouped together, and improves overall scalability and security.


User Managed Identity

A User Managed Identity is required to obtain the necessary permissions to access resources such as the Virtual Network and the Azure Compute Gallery.

By assigning a managed identity to your custom image template deployment process, you can grant the identity specific roles that provide access to these resources. This ensures that the image-building process has the necessary permissions to interact with and manage resources like networks and image galleries securely.

In addition, you can assign the Contributor role at the Resource Group level to the managed identity. This grants the identity full management permissions over the resource group and all its underlying resources. The Contributor role allows the identity to create, update, and delete resources within the group, ensuring that all related resources can be effectively managed throughout the image template deployment process.

If you prefer to use Custom Roles for more granular access control, you will need to assign specific permissions for managing image galleries and images within Azure. The following permissions are required for working with Azure Compute Galleries and Images:

  • Microsoft.Compute/galleries/read
    Read access to the Compute Gallery resource.

  • Microsoft.Compute/galleries/images/read
    Read access to the images within the Compute Gallery.

  • Microsoft.Compute/galleries/images/versions/read
    Read access to the versions of images within the Compute Gallery.

  • Microsoft.Compute/galleries/images/versions/write
    Write access to the versions of images within the Compute Gallery.

  • Microsoft.Compute/images/write
    Write access to the image resource for creation and modifications.

  • Microsoft.Compute/images/read
    Read access to image resources.

  • Microsoft.Compute/images/delete
    Delete access to image resources.


The Azure Compute Gallery is optional but highly recommended for storing and managing your custom images. It provides a centralized, efficient way to organize and version images used for Azure Virtual Desktop deployments.


Virtual Network

You can use an existing Virtual Network when building an image. This is optional, but depending on your specific setup, it may be required if the image-building process involves network connectivity (e.g., accessing resources or installing software that requires internet access).

If you choose to use an existing virtual network, the Managed Identity you're using for the image-building process must have the necessary permissions to access the virtual network. The Managed Identity must either have access to the virtual network directly or to the resource group that contains the virtual network.

The RBAC role typically needed for the Managed Identity to access the virtual network is the Network Contributor role. This role allows the managed identity to configure and manage network resources such as the virtual network and subnets during the image-building process.
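The script below is an added example, not code from the original post, and it ties together the User Managed Identity section and this Virtual Network section. It creates the identity, builds a custom role containing exactly the seven gallery and image actions listed above (the least-privilege alternative to Contributor on the resource group), assigns that role at resource-group scope, and assigns Network Contributor scoped to the virtual network only. The subscription id, resource group, identity, role and VNet names are caller-supplied placeholders; the live part assumes an authenticated Azure CLI session.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): managed identity plus a
# least-privilege custom role and the two scoped assignments the post describes.
set -eu

# The actions the post lists for a custom role. No wildcards, nothing beyond
# gallery/image read and version/image write and image delete.
ROLE_ACTIONS="Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Compute/galleries/images/versions/write
Microsoft.Compute/images/write
Microsoft.Compute/images/read
Microsoft.Compute/images/delete"

# Print a role definition document for `az role definition create`.
# $1 = subscription id, $2 = role name. AssignableScopes is pinned to the
# subscription so the role cannot be handed out in other subscriptions.
role_definition_json() {
  sub="$1"; name="$2"; actions=""
  for a in $ROLE_ACTIONS; do
    if [ -n "$actions" ]; then actions="$actions,"; fi
    actions="$actions
    \"$a\""
  done
  cat <<EOF
{
  "Name": "$name",
  "Description": "AVD custom image template identity: gallery and image access only",
  "Actions": [$actions
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/$sub"]
}
EOF
}

# Live provisioning; every argument is caller-supplied (none are real identifiers).
# $1 subscription id, $2 resource group, $3 identity name, $4 role name,
# $5 VNet name, $6 resource group that contains the VNet
provision_identity() {
  sub="$1"; rg="$2"; identity="$3"; role="$4"; vnet="$5"; vnet_rg="$6"

  az identity create --name "$identity" --resource-group "$rg" --output none
  principal=$(az identity show --name "$identity" --resource-group "$rg" \
                --query principalId --output tsv)

  tmp=$(mktemp)
  role_definition_json "$sub" "$role" > "$tmp"
  az role definition create --role-definition "$tmp" --output none
  rm -f "$tmp"

  # Gallery/image actions at resource-group scope (the post's single-RG layout).
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal --role "$role" \
    --scope "/subscriptions/$sub/resourceGroups/$rg" --output none

  # Network Contributor scoped to the VNet itself, not the subscription.
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal --role "Network Contributor" \
    --scope "/subscriptions/$sub/resourceGroups/$vnet_rg/providers/Microsoft.Network/virtualNetworks/$vnet" \
    --output none
}

# Usage: sh identity.sh --apply <subscriptionId> <resourceGroup> <identityName> \
#            <roleName> <vnetName> <vnetResourceGroup>
if [ "${1:-}" = "--apply" ]; then
  shift
  provision_identity "$@"
fi
```

Without --apply the file only defines the functions, so you can review the generated role document with role_definition_json before anything is created. A freshly created role definition can take a short while to become assignable; if the first assignment reports the role as not found, rerun that step.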


Spoilers incoming!

In the next blog post I will show you how to implement this using Bicep.