This guide describes the benefits and functionalities of integrating Azure Native Qumulo (ANQ) with Nerdio, focusing on streamlining business operations and eliminating performance issues. This integration simplifies operations and reduces complexity, enhancing resource allocation efficiency and leading to significant cost reductions. By providing an easy-to-maintain, comprehensive end-to-end solution, it enables quick setup and rapid deployment within minutes.
ANQ revolutionizes cloud file storage, offering an elegant solution for demanding file-based workloads, while the seamless integration with Nerdio showcases unparalleled simplicity and a straightforward setup process within Azure Virtual Desktop.
Additionally, the simple and predictable cost structure ensures no hidden surprises, and the outstanding performance capabilities are demonstrated through anonymized workload examples and benchmarking.
The ANQ instance connects to your Azure subscription by using VNet injection, an Azure-specific networking technology that establishes an automatic, direct connection between your resources and service resources without complicated manual configuration or VNet peering.
VNet injection lets you:
- Apply routing and security policies to your ANQ service endpoints by using the Azure Portal, CLI, and API.
- Create endpoints that allow access to ANQ by inserting special network interfaces into your subnet. This process binds these network interfaces directly to the compute resources of your ANQ instance.
The service requires an owner or contributor role with access to your Azure subscription. If you use a custom role, it must have write permissions to the resource groups in which you create your delegated subnet and service.
The ANQ service requires a dedicated subnet.
Note
- Your subnet address range should be at least `/24` (it should contain at least 256 IP addresses, including 251 free IP addresses and 5 IP addresses reserved for Azure).
- Your subnet must be in the same region as the ANQ file system.
To apply a specific subnet configuration, you can first create a subnet and then select it when you create your ANQ instance.
- Identify the region in which you want to subscribe to ANQ.
- In the region, create a new virtual network or select an existing virtual network.
- In your virtual network, create a new subnet. Use the default configuration or update the subnet network configuration based on your network policy.
- Delegate the newly created subnet to `Qumulo.Storage/fileSystems`.
Network security groups let administrators enforce networking traffic rules. You can assign network security groups to individual network interfaces or to entire subnets.
Because it is possible to create or remove network interfaces from an ANQ instance, we recommend assigning security groups to a delegated subnet.
To ensure that your configuration doesn’t block a specific protocol, follow the guidance in Required Networking Ports for Qumulo Core.
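The subnet requirements and the security group recommendation above can be checked before deployment. The following is an added example, not part of the Qumulo deployment script; the function name `Test-AnqSubnet`, the sample subnet, and the assumption that the input has the property shape returned by `Get-AzVirtualNetworkSubnetConfig` are illustrative.

```powershell
# Added example. Checks a subnet object against the ANQ requirements on this page.
# Live use with the Az.Network module (names in <> are placeholders):
#   $vnet   = Get-AzVirtualNetwork -Name <vnet> -ResourceGroupName <rg>
#   $subnet = Get-AzVirtualNetworkSubnetConfig -Name <subnet> -VirtualNetwork $vnet
#   Test-AnqSubnet -Subnet $subnet -VNetLocation $vnet.Location -AnqRegion <region>
function Test-AnqSubnet {
    param(
        [Parameter(Mandatory)] $Subnet,
        [Parameter(Mandatory)] [string] $VNetLocation,
        [Parameter(Mandatory)] [string] $AnqRegion
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # At least /24: a larger prefix length means fewer addresses.
    foreach ($prefix in @($Subnet.AddressPrefix)) {
        $length = [int](($prefix -split '/')[1])
        if ($length -gt 24) { $findings.Add("Address range $prefix is smaller than /24") }
    }

    # The subnet must be delegated to the ANQ resource provider.
    $services = @($Subnet.Delegations | ForEach-Object { $_.ServiceName })
    if ($services -notcontains 'Qumulo.Storage/fileSystems') {
        $findings.Add('Subnet is not delegated to Qumulo.Storage/fileSystems')
    }

    # ANQ network interfaces come and go, so the security group belongs on the
    # subnet rather than on individual interfaces.
    if (-not $Subnet.NetworkSecurityGroup) {
        $findings.Add('No network security group is assigned to the subnet')
    }

    # The subnet must be in the same region as the ANQ file system.
    if ($VNetLocation -ne $AnqRegion) {
        $findings.Add("Virtual network is in $VNetLocation, ANQ region is $AnqRegion")
    }
    return , $findings.ToArray()
}

# Constructed sample: a /26 subnet with the delegation in place but no security group.
$sampleSubnet = [pscustomobject]@{
    Name                 = 'snet-anq'
    AddressPrefix        = @('10.20.1.0/26')
    Delegations          = @([pscustomobject]@{ ServiceName = 'Qumulo.Storage/fileSystems' })
    NetworkSecurityGroup = $null
}
Test-AnqSubnet -Subnet $sampleSubnet -VNetLocation 'westus2' -AnqRegion 'westus2'
```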
Qumulo provisions multiple endpoints to allow access to ANQ. Every endpoint appears in the Azure Portal as a network interface with an IP address.
To avoid the bandwidth limits of individual endpoints, use round-robin DNS to distribute your workload traffic across your endpoints.
There are many options for customers to manage DNS in Azure: Azure DNS, Azure Private DNS, DNS appliances such as Infoblox or BlueCat, Windows Server (traditional AD), and even BIND. Regardless of the method, Qumulo requires a Fully Qualified Domain Name (FQDN) Round Robin record resolvable by the clients to distribute them for balanced connectivity.
To ensure that client connections to your cluster are balanced evenly, you must provide a single namespace for your cluster. To do this, configure your DNS server to send a different IP address for each DNS request for your ANQ.
For example, you can set the TTL for each record to `0` or `1` to allow each DNS lookup for your ANQ to yield one of the configured IP addresses on ANQ.
To join an Active Directory (AD) domain, an account needs the following permissions:
- Create computer objects in the AD domain.
- Delete computer objects in the AD domain (if re-joining an existing computer account).
- Reset computer accounts in the AD domain (if re-joining an existing computer account).
Typically, these permissions are granted to accounts in the "Domain Admins" or "Administrators" groups by default. However, non-administrative users can be delegated the specific permissions needed to join a computer to the domain.
Nerdio Manager allows you to manage Global Secure Variables. These secure variables can be passed to scripted actions. The variables are stored securely in the Azure Key Vault and can be passed to scripted actions using the `$SecureVars.Variable_Name` variable name.
Tip: This feature is especially helpful if you want to pass sensitive information to a scripted action without passing it via clear text.
To manage global secure variables:
- Navigate to Settings > Nerdio environment.
- In the Secure variables for scripted actions tile, select Add.
- To add a global secure variable, enter the following information:
  - Name: Type the name of the variable. The variable name must be between 1 and 20 alphanumeric characters.
  - Value: Type the variable's value.
  - Pass variable to specified scripted actions only: Optionally, select this option to only pass this variable to the scripted action(s) specified. When unselected, it is passed to all scripted actions.
    - Scripted actions: From the drop-down list, select the ANQ Deployment script.

  Note
  The variable is listed in the Secure Variables column of each selected scripted action in the Azure runbooks window.
- When you have entered the desired information, select OK.
Secure Variable | Description |
---|---|
ANQAzureSubsID | Azure Subscription ID |
ANQResourceGroupName | Azure Resource Group Name |
ANQRegionName | Azure Region Name |
ANQClusterZone | Availability Zone to deploy ANQ Cluster in |
ANQVirtualNetwork | Azure Virtual Network for ANQ |
ANQSubnet | ANQ Subnet delegated to ANQ |

Secure Variable | Description | Details |
---|---|---|
ANQAdminEmail | ANQ Administrator Email Address | |
ANQAdminPassword | ANQ Administrator Password | Password must be 8-128 characters long, including at least 3 of the following: lowercase letter, uppercase letter, number, and one special character. |
ANQClusterName | ANQ Cluster Name | Must be less than 16 characters |

Secure Variable | Description |
---|---|
ANQDNSServerIPs | ANQ DNS servers, if they are different from the default ones |
ANQDNSSearchDomains | ANQ Search Domains |
Note
The ANQ cluster needs to know how to resolve the Domain Controller names/IP addresses. Depending on the identity topology chosen, you may need to manually update this entry. If you use integrated Microsoft Entra Domain Services, this is done for you.
Secure Variable | Description |
---|---|
ANQADDomainName | ANQ Active Directory Domain Name |
ANQADUsername | ANQ Active Directory Username for AD join without the Domain Name |
ANQADPassword | ANQ Active Directory password for AD join |

Secure Variable | Description |
---|---|
NerdioNMEURI | The URI of the Nerdio Management Engine |
NerdioClientID | The API scope of the Nerdio API application |
NerdioClientSecret | The client secret of the Nerdio API application |
How to create a new Client Secret:
- Navigate to Microsoft Entra
- Click Applications
- Click App registrations
- Click All applications
- Find nerdio-nmw-app and copy Application (client) ID
- Click nerdio-nmw-app
- Click Certificates & secrets
- Click New client secret
- Define a Description and set the expiry duration
- Click Add
- Copy the Client Secret
Secure Variable | Description |
---|---|
NerdioTenantID | Nerdio Tenant ID |
NerdioAPIScope | Nerdio API Scope |
How to view these values:
- In Nerdio Manager, navigate to Settings > Integrations.
- In the REST API tile, click show to see the credentials.
Secure Variable | Value |
---|---|
ANQOfferID | qumulo-saas-mpp |
ANQPlanID | azure-native-qumulo-hot-cold-iops-live |
ANQPublisherId | qumulo1584033880660 |
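The constraints listed in the tables above can be checked at the start of a scripted action, before any resource is created. The following is an added example, not the Qumulo deployment script; the function name `Test-AnqSecureVariables` and the stubbed `$SecureVars` object with its sample values are assumptions made so the check runs on its own.

```powershell
# Added example, not the Qumulo deployment script. The stub holds constructed values
# so the check runs offline; in a Nerdio scripted action, remove the stub and use
# the $SecureVars that Nerdio Manager injects.
$SecureVars = [pscustomobject]@{
    ANQAzureSubsID   = '00000000-0000-0000-0000-000000000000'  # constructed
    ANQAdminEmail    = 'admin@example.com'                      # constructed
    ANQAdminPassword = 'constructed-sample'                     # constructed: 2 character classes
    ANQClusterName   = 'anq-avd-profiles-01'                    # constructed: 19 characters
    ANQADUsername    = 'EXAMPLE\svc-anq-join'                   # constructed: includes a domain
    ANQADPassword    = ''                                       # constructed: left empty
}

function Test-AnqSecureVariables {
    param([Parameter(Mandatory)] $Vars)
    $problems = New-Object System.Collections.Generic.List[string]

    # Presence check. Messages name the variable only and never echo a value,
    # because runbook output is kept in the scripted action task logs.
    $required = 'ANQAzureSubsID', 'ANQAdminEmail', 'ANQAdminPassword',
                'ANQClusterName', 'ANQADUsername', 'ANQADPassword'
    foreach ($name in $required) {
        if ([string]::IsNullOrWhiteSpace([string]$Vars.$name)) {
            $problems.Add("$name is missing or empty")
        }
    }

    # An Azure subscription ID is a GUID.
    $parsed = [guid]::Empty
    $subsId = [string]$Vars.ANQAzureSubsID
    if ($subsId -and -not [guid]::TryParse($subsId, [ref]$parsed)) {
        $problems.Add('ANQAzureSubsID is not a GUID')
    }

    # Password rule from the table: 8-128 characters, at least 3 of 4 classes.
    $pw = [string]$Vars.ANQAdminPassword
    if ($pw) {
        $classes = @('[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]' | Where-Object { $pw -cmatch $_ }).Count
        if ($pw.Length -lt 8 -or $pw.Length -gt 128) { $problems.Add('ANQAdminPassword must be 8-128 characters') }
        if ($classes -lt 3) { $problems.Add('ANQAdminPassword needs at least 3 character classes') }
    }
    if (([string]$Vars.ANQClusterName).Length -ge 16) {
        $problems.Add('ANQClusterName must be less than 16 characters')
    }
    # The AD join username is entered without the domain name.
    if ([string]$Vars.ANQADUsername -match '[\\@]') {
        $problems.Add('ANQADUsername must not include the domain name')
    }
    return , $problems.ToArray()
}

$problems = Test-AnqSecureVariables -Vars $SecureVars
$problems   # lists the failed checks by variable name
# In a scripted action, stop before any resource is created:
# if ($problems.Count -gt 0) { throw 'Secure variable check failed' }
```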
Important
This feature is only available in the Nerdio Manager Premium edition.
To enable API for your Nerdio Manager installation:
- In Nerdio Manager, navigate to Settings > Integrations.
- In the REST API tile, select Disabled to enable it.

  Note
  Enabling the API is a multi-step process. Follow the steps below in the pop-up window once you select Disabled.
- In Step #1, select Run. This creates a new Azure application under the nerdio-nmw-app app registration that currently exists in your Azure tenant.
- In Step #2, select Grant to navigate to your Azure portal and grant Admin consent and assign permissions to the application.
- In the Azure portal, select Grant admin consent for Nerdio.
- Navigate back to Nerdio Manager, and select the refresh icon to confirm that the permissions were granted correctly.
- In Step #3, select Generate to generate the client secret and other details you need to make API calls.
In the current implementation of Private Link, Automation account cloud jobs cannot access Azure resources that are secured using a private endpoint, for example Azure Key Vault, Azure SQL, or an Azure Storage account.
The user Hybrid Runbook Worker feature of Azure Automation enables you to run runbooks directly on the Azure machine. From the machine that's hosting the role, you can run runbooks directly on it and against resources in the environment to manage those local resources.
For that reason, you need to use a Hybrid Runbook Worker to deploy an ANQ service.
Azure Automation provides native integration of the Hybrid Runbook Worker role through the Azure virtual machine (VM) extension framework.
Before you create a hybrid worker group, deploy an Azure VM that meets the requirements below.
- Two cores
- 4 GB of RAM
- Windows Server 2022 (including Server Core)
- Windows Server 2019 (including Server Core)
- Windows Server 2016, version 1709, and 1803 (excluding Server Core)
- Windows PowerShell 5.1 (download WMF 5.1). PowerShell Core isn't supported.
- .NET Framework 4.6.2 or later.
To create a hybrid worker group in the Azure portal, follow these steps:
- Sign in to the Azure portal.
- Go to your Automation account, which starts with nmw-app-scripted-actions-.
- Under Process Automation, select Hybrid worker groups.
- Select + Create hybrid worker group.
- From the Basics tab, in the Name text box, enter a name for your Hybrid worker group.
- For the Use Hybrid Worker Credentials option:
  - If you select Default, the hybrid extension will be installed using the local system account.
- Select Next to advance to the Hybrid workers tab.
- Select Add machines to go to the Add machines as hybrid worker page. Find the VM that you deployed before.
- Select the checkbox next to the machine you want to add to the hybrid worker group.
- Select Add.
- Select Next to advance to the Review + Create tab.
- Select Create.
The hybrid worker extension installs on the machine and the hybrid worker gets registered to the hybrid worker group. Adding a hybrid worker to the group happens immediately, while installation of the extension might take a few minutes. Select Refresh to see the new group. Select the group name to view the hybrid worker details.
- Find the Azure Key vault associated with the Nerdio installation. It begins with nmw-app-kv-.
- In the Key Vault, select Certificates.
- Select the certificate called nmw-scripted-action-cert.
- Select Download in PFX/PEM format.

  Note
  In order to download the certificate, your user account needs permission to list/get certificates AND secrets from the key vault. See this Microsoft article for more information.
- Install the downloaded certificate on the hybrid worker VM.

  Note
  You can leave the password empty.
Scripted Actions are PowerShell scripts that can be used to extend and customize the functionality of Nerdio Manager. These scripts can be created and customized by the Nerdio Manager administrators. They can be applied at various stages of the Nerdio Manager automation.
- Navigate to Settings > Nerdio environment.
- In the Azure runbooks scripted actions tile, select Enabled.
- Enter the following information:
  - Use Azure Automation Runbooks?: Toggle this option on.
    - On: You can select an Azure region where an Automation Account is created to run this Runbook.
  - Automation Account Name: This is a unique name and is only used to run these Azure Runbooks.
  - Hybrid Worker Group: From the drop-down list, select the hybrid worker group that you created.
- Once you have entered the desired information, select OK.
To create a new scripted action:
- Navigate to Scripted Actions.
- Select Azure runbooks.
- Select Add scripted action.
- Enter the following information:
  - Name: Type the name of the script. This name is displayed when you select this action from the list of available scripted actions.
  - Description: Type the script's description.
  - Tags: From the drop-down list, select optional tags for the script. These tags are used for searching and organization.
  - Script Execution Mode: From the drop-down list, select Combined execution mode. Combined: Marks the script as one that can be combined safely with other scripts. For example, a script that adds a registry value.
  - Script: Download the PowerShell script for ANQ deployment from the Qumulo GitHub repo.

  Note
  Nerdio Manager allows you to integrate variables into the Azure runbooks scripted actions. The ANQ deployment script has the required variables and secure variables.
- Once you have entered all the desired information, select Save & close.
To run the scripted action:
- Navigate to Scripted Actions.
- Select Azure runbooks.
- Find the ANQ - Deploy Infrastructure runbook.
- Select Run / schedule on the Edit menu.
- Select your Azure Subscription.
- Define the variables below.
Variable | Value | Details |
---|---|---|
ANQAdminEmail | ANQ Administrator Email Address | |
ANQAdminPassword | ANQ Administrator Password | You can define a secure variable and select it here, or you can define the value here. |
ANQClusterName | ANQ Cluster Name | Must be less than 16 characters |
ANQStorageSKU | ANQ Storage SKU | Hot or Cold |
ANQInitialCapacity | ANQ Initial Capacity in TB | |

Variable | Value |
---|---|
ANQInternalTenantID | ANQ Internal Tenant ID for the SMB share |
ANQProfileShareName | ANQ Profile share name (SMB share) |
ANQFSPath | ANQ File System Path |
ANQShareDescription | ANQ Share Description |

Variable | Value |
---|---|
ANQGrantReadAccess | ANQ Grant Read Access |
ANQGrantReadWriteAccess | ANQ Grant Read Write Access |
ANQGrantAllAccess | ANQ Grant All Access |
Note
Don't use the domain name
Azure runbooks have enhanced logs that help you troubleshoot issues with scripted actions.
To view the Azure runbook logs:
- Navigate to Scripted Actions > Azure runbooks.
- At the bottom of the window, in the Scripted Actions Tasks section, locate the task with an Error in the Status column.
- Select Details.
- Locate the entry in the log with an error.
- In the Output section, select any of the following:
  - Show: Select Show to display the standard Azure automation account runbook output.
  - Exception: Select Exception to display the exception's details.
The FSLogix frxtray application is a system tray tool designed to provide visibility and troubleshooting capabilities for FSLogix profiles and can be vital in troubleshooting FSLogix UNC connection related issues.
The frxtray tool is vital for managing FSLogix profiles, providing essential monitoring and troubleshooting capabilities to ensure smooth operation and quick resolution of any issues that arise.
1. Status Monitoring:
- The frxtray tool uses a traffic light system to display the status of FSLogix profiles. A green light indicates an active profile, while a yellow light indicates an inactive profile, which can help quickly identify issues such as when a local profile exists instead of an FSLogix profile.
2. Access to Logs:
- By double-clicking the frxtray icon in the system tray, you can access the profile logs, which provide detailed information about the profile status and any errors encountered. This is particularly useful for diagnosing issues with profile loading and connectivity.
3. Advanced View:
- The tool includes an advanced view option, allowing deeper inspection of the profile configuration and status. This can be helpful for IT administrators needing to troubleshoot more complex issues.
- The frxtray application is typically installed at C:\Program Files\FSLogix\Apps\frxtray.exe if the default installation path is used. It's part of the standard FSLogix client installation and can be set up to start automatically for all users by placing it in the startup folder.
- Reference Architecture – Multi-Region Azure Native Qumulo and Azure Virtual Desktop
- Microsoft Configuration Setting Reference
- Nerdio's FSLogix Settings and Configuration
- Connecting Azure Native Qumulo to Microsoft Entra Domain Services
- Azure Native Qumulo Administrator Guide
- What is Azure Native Qumulo Scalable File Service?
- Azure Native Qumulo Scalable File Service (Marketplace)
- Azure Native Qumulo Pricing
- Azure Native Qumulo - Pricing and Performance Calculator
To post feedback, submit feature ideas, or report bugs, use the Issues section of this GitHub repo.
Copyright © 2024 Qumulo, Inc.
See LICENSE for full details
MIT License
Copyright (c) 2022 Qumulo, Inc.
All other trademarks referenced herein are the property of their respective owners.