Virtualization - Cloud

Category: Uncategorized

WVD Common Implementation issues

Below are the common WVD build issues which I encountered during implementations

Issue 1 -Unable to create any Host Pool

Error

{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”Conflict”,”message”:”{\r\n \”status\”: \”Failed\”,\r\n \”error\”: {\r\n \”code\”: \”ResourceDeploymentFailure\”,\r\n \”message\”: \”The resource operation completed with terminal provisioning state ‘Failed’.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”DeploymentFailed\”,\r\n \”message\”: \”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningError\\”,\r\n \\”message\\”: \\”VM has reported a failure when processing extension ‘dscextension’. Error message: \\\\”The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_9-11-2020.zip after 29 attempts: Unable to connect to the remote server.\\r\\nMore information about the failure can be found in the logs located under ‘C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.80.1.0’ on the VM.\\\\”\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \\”\r\n }\r\n ]\r\n }\r\n}\”\r\n },\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningError\\”,\r\n \\”message\\”: \\”VM has reported a failure when processing extension ‘dscextension’. Error message: \\\\”The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_9-11-2020.zip after 29 attempts: Unable to connect to the remote server.\\r\\nMore information about the failure can be found in the logs located under ‘C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.80.1.0’ on the VM.\\\\”\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \\”\r\n }\r\n ]\r\n }\r\n}\”\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}”}]}

Root Cause:

There was no internet access for the subnet used for host pool creation

Resolution:

Internet connectivity required for WVD VNET as DSC extension need to download from Azure Websites. The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure and the location of the configuration package (.zip file) if it is stored in a location outside of Azure.

Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows

Issue 2: Unable to create Host pool from Custom Image

Error

{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”Conflict”,”message”:”{\r\n \”status\”: \”Failed\”,\r\n \”error\”: {\r\n \”code\”: \”ResourceDeploymentFailure\”,\r\n \”message\”: \”The resource operation completed with terminal provisioning state ‘Failed’.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”DeploymentFailed\”,\r\n \”message\”: \”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningTimeout\\”,\r\n \\”message\\”: \\”Provisioning of VM extension dscextension has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot\\”\r\n }\r\n ]\r\n }\r\n}\”\r\n },\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningTimeout\\”,\r\n \\”message\\”: \\”Provisioning of VM extension dscextension has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot\\”\r\n }\r\n ]\r\n }\r\n}\”\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}”}]

Root Cause

Issue with Image which is captured from existing Host Pool

Resolution

Do not capture image from Hostpool Sessions as this breaks sometimes , always
Take new image from Market Place ->convert to Image ->Create Host pools -> For Host update , again use previous captured image

Issue 3: Host pools are able to create with fresh images but not  with applications installed on Image (custom)

Error

{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”VMExtensionProvisioningTimeout”,”message”:”Provisioning of VM extension joindomain has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot”}]}

Root Cause

Visual studio 2015 & 2017 , customer 3rd part application are blocking to create Host pool – Issue experienced with 2 customers

Resolution

Able to create Hostpools after uninstallation of Visual studio

Mapping of Security Controls across Major Cloud Providers Services

ON-PREMISESAWSAZUREGOOGLEORACLEIBMALIBABA
Firewall & ACLsSecurity Groups

AWS Network ACLs
Network Security Groups

Azure Firewall
Cloud Armor

VPC Firewall
VCN Security ListsCloud Security GroupsNAT Gateway
IPS/IDS3rd Party OnlyAzure Firewall3rd Party Only3rd Party Only3rd Party OnlyAnti-Bot Service

Website Threat Inspector
Web Application Firewall
(WAF)
AWS WAF

AWS Firewall Manager
Application GatewayCloud ArmorOracle Dyn WAFCloud Internet ServicesWeb Application Firewall
SIEM &
Log Analytics
AWS Security Hub

Amazon GuardDuty
Azure Sentinel

Azure Monitor
Chronicle Backstory

Event Threat Detection
Oracle Security Monitoring and AnalyticsIBM Log Analysis

Cloud Activity Tracker
ActionTrail
Antimalware3rd Party OnlyMicrosoft Antimalware

Azure Security Center
3rd Party Only3rd Party Only3rd Party OnlyServer Guard
Data Loss Prevention
(DLP)
Amazon MacieInformation Protection
(AIP)
Cloud Data Loss Prevention API3rd Party Only3rd Party OnlyWeb Application Firewall
File Integrity Monitoring
(FIM)
3rd Party OnlyAzure Security Center3rd Party Only3rd Party Only3rd Party Only3rd Party Only
Key ManagementKey Management Service KMS)Key VaultCloud Key Management ServiceCloud Infrastructure Key ManagementKey Protect

Cloud Security
Key Management Service
Encryption At RestEBS/EFS Volume Encryption

S3 SSE
Storage Encryption for Data at RestPart of Google Cloud PlatformCloud Infrastructure Block VolumeHyper Protect Crypto ServicesObject Storage Service
DDoS ProtectionAWS ShieldBuilt-in DDoS defenseCloud ArmorBuilt-in DDoS defenseCloud Internet ServicesAnti-DDoS
Email Protection3rd Party OnlyOffice Advanced Threat ProtectionVarious controls embeded in G-Suite3rd Party Only3rd Party Only3rd Party Only
SSL Decryption
Reverse Proxy
Application Load BalancerApplication GatewayHTTPS Load Balancing3rd Party OnlyCloud Load BalancerServer Load Balancer (SLB)
Endpoint Protection3rd Party OnlyMicrosoft Defender ATP3rd Party Only3rd Party Only3rd Party OnlyServer Guard
Certificate ManagementAWS Certificate ManagerKey Vault3rd Party Only3rd Party OnlyCertificate ManagerCloud SSL Certificates Service
Container SecurityAmazon EC2 Container Service (ECS)Azure Container Service (ACS)Kubernetes EngineOracle Container ServicesContainers – Trusted ComputeContainer Registry
Identity and Access ManagementIdentity and Access Management (IAM)Azure Active DirectoryCloud Identity

Cloud IAM
Oracle Cloud Infrastructure IAMCloud IAM

App ID
Resource Access Management
Privileged Access Management (PAM)3rd Party OnlyAzure AD Privileged Identity Management3rd Party Only3rd Party Only3rd Party Only3rd Party Only
Multi-Factor AuthenticationAWS MFA (part of AWS IAM)Azure Active DirectorySecurity Key EnforcementOracle Cloud Infrastructure IAMApp IDResource Access Management
Centralized Logging

Auditing
CloudWatch

S3 Bucket Logging
Azure Audit LogsStackdriver Logging

Access Transparency
Oracle Cloud Infrastructure AuditLog Analysis with LogDNALog Service
Load BalancerApplication Load Balancer

Classic Load Balancer
Azure Load BalancerCloud Load Balancing

HTTPS Load Balancing
Cloud Infrastructure Load BalancingCloud Load BalancerServer Load Balancer
LANVirtual Private Cloud (VPC)Virtual NetworkVirtual Private Cloud NetworkVirtual Cloud Network (VCN)VLANsVirtual Private Cloud (VPC)
WANDirect ConnectExpressRouteDedicated InterconnectFastConnectDirect LinkVPN Gateway

Express Connect
VPNVPC Customer Gateway

AWS Transit Gateway
Virtual Network

SSTP
Google VPNDynamic Routing

Gateway (DRG)
IPSec VPN

Secure Gateway
VPN Gateway
Governance Risk and Compliance MonitoringAWS Security Hub

AWS Compliance Center
Azure Security Center

Azure Policy
Cloud Security Command Center3rd Party Only3rd Party OnlyActionTrail
Backup and RecoveryAWS Backup

Amazon S3 Glacier
Azure Backup

Azure Site Recovery
Object Versioning

Cloud Storage Nearline
Archive StorageIBM Cloud BackupHybrid Backup Recovery
Vulnerability AssessmentAmazon Inspector

AWS Trusted Advisor
Azure Security CenterCloud Security ScannerSecurity Vulnerability Assessment ServiceCloud Security Advisor

Vulnerability Advisor
Server Guard

Website Threat Inspector
Patch ManagementAWS Systems ManagerAzure Security Center

Update Management
3rd Party OnlyIBM Cloud Orchestrator3rd Party Only3rd Party Only
Change ManagementAWS ConfigAzure Automation (Change Tracking)3rd Party Only3rd Party Only3rd Party OnlyApplication Configuration Management (ACM)

Windows Virtual Desktop (WVD) Reference Architectures

Below are Azure Windows Virtual Desktop (WVD) Reference conceptual architectures.

WVD Reference Architecture’s -ARM

Reference Architecture -Classic (Non-ARM)

Reference Architecture -Classic (Non-ARM)

Reference Architecture -Classic (Non-ARM)

Reference Architecture -Classic (Non-ARM)

Reference Architecture -Classic (Non-ARM)

© 2021 Tech Blog

Theme by Anders NorenUp ↑