Azure Virtual Desktop | Image Builder part I
Azure Virtual Desktop (AVD) is a desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10/11, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. One of the key components of AVD is the use of “Golden Images”.
A “Golden Image” is a pre-configured template for a virtual machine that includes all the apps and configuration settings you want to apply to your deployment. This image serves as the base for creating new virtual machines in your AVD environment.
Azure Image Builder (AIB) is a service that lets admins build a custom “golden image”, with the added capability to include Azure Virtual Desktop built-in customizations as well as your own customization scripts to install other applications or apply a set of configurations. The AVD image-building feature is a wrapper around the AIB service.
Steps to follow:
- Set up the environment and variables
- Create an Image Template
- Customize your Image
- Run the Image Builder
- Distribute the image
Set up the environment and variables
First, you need to register some Azure Resource Providers in your subscription (if this has not been done before).
- Microsoft.VirtualMachineImages
- Microsoft.Storage
- Microsoft.Compute
- Microsoft.KeyVault
- Microsoft.ContainerInstance
This can be done through PowerShell or the Portal.
Register-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages
Register-AzResourceProvider -ProviderNamespace Microsoft.Storage
Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
Register-AzResourceProvider -ProviderNamespace Microsoft.KeyVault
Register-AzResourceProvider -ProviderNamespace Microsoft.ContainerInstance
When that is done, you need to prepare the environment with a resource group, a user-assigned managed identity and a custom role.
New-AzResourceGroup -Name "MyImageBuilderResourceGroup" -Location "yourLocation"
# set some variables
$currentAzContext = Get-AzContext
$subscriptionID = $currentAzContext.Subscription.Id
Create a user-assigned managed identity
$identityName = "avd-golden-identity"
$imageRoleDefName = "Azure Image Builder Image Role"
New-AzUserAssignedIdentity -ResourceGroupName "MyImageBuilderResourceGroup" -Name $identityName -Location "yourLocation"
# get the resource ID and principal ID of the identity created above
$identityNameResourceId = (Get-AzUserAssignedIdentity -ResourceGroupName "MyImageBuilderResourceGroup" -Name $identityName).Id
$identityNamePrincipalId = (Get-AzUserAssignedIdentity -ResourceGroupName "MyImageBuilderResourceGroup" -Name $identityName).PrincipalId
Create the role
$aibRoleImageCreationUrl = "https://raw.githubusercontent.com/azure/azvmimagebuilder/main/solutions/12_Creating_AIB_Security_Roles/aibRoleImageCreation.json"
$aibRoleImageCreationPath = "aibRoleImageCreation.json"
# Download the role definition template
Invoke-WebRequest -Uri $aibRoleImageCreationUrl -OutFile $aibRoleImageCreationPath -UseBasicParsing
# Fill in the placeholders: subscription, resource group and the role name chosen above
((Get-Content -Path $aibRoleImageCreationPath -Raw) -replace '<subscriptionID>', $subscriptionID) | Set-Content -Path $aibRoleImageCreationPath
((Get-Content -Path $aibRoleImageCreationPath -Raw) -replace '<rgName>', "MyImageBuilderResourceGroup") | Set-Content -Path $aibRoleImageCreationPath
((Get-Content -Path $aibRoleImageCreationPath -Raw) -replace 'Azure Image Builder Service Image Creation Role', $imageRoleDefName) | Set-Content -Path $aibRoleImageCreationPath
# Create the custom role definition
New-AzRoleDefinition -InputFile $aibRoleImageCreationPath
# Assign the role to the managed identity, scoped to the image builder resource group only
New-AzRoleAssignment -ObjectId $identityNamePrincipalId -RoleDefinitionName $imageRoleDefName -Scope "/subscriptions/$subscriptionID/resourceGroups/MyImageBuilderResourceGroup"
The permissions that are required:
- Microsoft.Compute/images/write
- Microsoft.Compute/images/read
- Microsoft.Compute/images/delete
- Microsoft.Compute/galleries/read
- Microsoft.Compute/galleries/images/read
- Microsoft.Compute/galleries/images/versions/read
- Microsoft.Compute/galleries/images/versions/write
- Microsoft.Network/virtualNetworks/read
- Microsoft.Network/virtualNetworks/subnets/join/action
These permissions are required to use a VNET and distribute the image to a shared image gallery.
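As an added example that is not part of the original post, the following PowerShell checks that the identity's custom role grants exactly the permission set listed above and that the identity holds no broader assignment than the image builder resource group. It assumes the resource group, identity and role names used in this post.

```powershell
# Added example: audit the AIB managed identity against the required permission list.
# Names below are the ones used in this post; adjust them to your environment.
$rgName           = "MyImageBuilderResourceGroup"
$identityName     = "avd-golden-identity"
$imageRoleDefName = "Azure Image Builder Image Role"

# The permissions the post lists as required for VNET use and gallery distribution
$requiredActions = @(
    "Microsoft.Compute/images/write",
    "Microsoft.Compute/images/read",
    "Microsoft.Compute/images/delete",
    "Microsoft.Compute/galleries/read",
    "Microsoft.Compute/galleries/images/read",
    "Microsoft.Compute/galleries/images/versions/read",
    "Microsoft.Compute/galleries/images/versions/write",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action"
)

$subscriptionID = (Get-AzContext).Subscription.Id
$expectedScope  = "/subscriptions/$subscriptionID/resourceGroups/$rgName"
$principalId    = (Get-AzUserAssignedIdentity -ResourceGroupName $rgName -Name $identityName).PrincipalId

# 1. Review every role assignment the identity holds: flag roles other than the
#    custom one and any assignment whose scope is wider than the resource group.
foreach ($a in Get-AzRoleAssignment -ObjectId $principalId) {
    if ($a.RoleDefinitionName -ne $imageRoleDefName) {
        Write-Warning "Identity also holds '$($a.RoleDefinitionName)' at scope $($a.Scope); confirm it is needed."
    }
    if ($a.Scope -ne $expectedScope) {
        Write-Warning "Assignment '$($a.RoleDefinitionName)' is scoped to $($a.Scope), not to $expectedScope."
    }
}

# 2. Compare the custom role's Actions with the required list. The comparison is
#    exact-string, so a wildcard such as "Microsoft.Compute/images/*" is reported
#    as an extra action and the literal entries it covers as missing; review those by hand.
$roleDef = Get-AzRoleDefinition -Name $imageRoleDefName
$missing = $requiredActions | Where-Object { $_ -notin $roleDef.Actions }
$extra   = $roleDef.Actions  | Where-Object { $_ -notin $requiredActions }

if ($missing) { Write-Warning "Missing actions: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Actions beyond the required set: $($extra -join ', ')" }
if (-not $missing -and -not $extra) {
    Write-Output "Role '$imageRoleDefName' matches the required permission set."
}
```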