Since the pandemic, remote work has been in high demand, and companies have had to adapt with a workable solution that doesn't take months to deliver.
Setting up Windows RDS servers, Hyper-V VDI, VMware Horizon and Citrix Virtual Apps are some of the established solutions that cater for the needs of remote working. All of them, however, require a considerable amount of time from planning to implementation, and the one key barrier in today's environment is the lead time for hardware. Microsoft launched Windows Virtual Desktop, later rebranded as Azure Virtual Desktop, in September 2019.
The cloud was a great solution that companies could make use of, mainly for its provisioning time, without compromising on features. Windows 10 Enterprise multi-session was indeed a game changer compared to other solutions in the marketplace.
As with every new technology, there is a learning curve. Implementing it in a production environment depends not only on the technology but also on whether it will fulfil the business objectives, compliance requirements and user education needs and, more importantly, deliver a cost benefit to the organisation.
This is the first part of a two-part article which delves into the requirement analysis, technology overview, costing and areas of focus. The second part will be a practical implementation guide going into the technicalities of the implementation steps.
All the areas mentioned in the above diagram should be taken into consideration and thought through to avoid delays and issues during and after deployment. Documenting the implementation stages before the deployment will give you a solid blueprint to deploy against.
Deployment Responsibility
There are two deployment elements, split by responsibility between Microsoft and the customer, when deploying Azure Virtual Desktop:
- Microsoft responsibilities
Provision and maintain the infrastructure and platform that Azure Virtual Desktop runs on, and ensure that the service is available and performing according to its published service level agreements. Services such as the broker, Web Access, Gateway and the management plane are managed by Microsoft. These were the features of the RDS role in a Windows environment that internal IT had to manage in an on-premises RDS deployment.
- Customer responsibilities
Deploy and manage the virtual machines and applications that run on Azure Virtual Desktop. Ensure compliance with relevant laws and regulations. Additionally, manage the access and security of the virtual desktop environment, and provide support for end users.
Licensing
The basic licenses needed to host an AVD environment depend on which session host you opt for: whether you go down the Windows 10 Enterprise multi-session route or the RDS route.
Microsoft/Office 365
To use Microsoft 365 in conjunction with Azure Virtual Desktop, customers must have a valid Microsoft 365 license for each user or device that will be accessing the virtual desktop. Any of the following licenses per user is required:
1. Microsoft 365 E3/E5
2. Microsoft 365 A3/A5/Student Use Benefits
3. Microsoft 365 F3
4. Microsoft 365 Business Premium**
5. Windows 10 Enterprise E3/E5
6. Windows 10 Education A3/A5
7. Windows 10 VDA per user
Remote Desktop Services
To use Remote Desktop Services (RDS), customers must have a valid RDS Client Access License (CAL) for each user or device that will be accessing the virtual desktop:
If you already have a per-user or per-device RDS CAL with Software Assurance through the volume licensing path, your users can access Windows Server session hosts from 2012 R2 upwards.
Authentication
An Active Directory infrastructure is a must-have requirement for Azure Virtual Desktop, as it provides VM-level authentication for the AVD session hosts.
Azure Active Directory (Azure AD)
This is the recommended authentication method for Azure Virtual Desktop. It allows users to sign in to their virtual desktops using their Azure AD credentials, and it provides advanced identity and access management features.
Active Directory Federation Services (AD FS)
This method allows users to authenticate using their on-premises Active Directory credentials, and it requires the use of a federation server to authenticate users.
If you have a cloud-only environment, you would only need to purchase Azure AD Domain Services; there is no requirement to buy Azure AD P1 or P2, although the capabilities of the premium add-ons will definitely help you secure the environment and apply more granular rules to it.
Networking
There are several network planning considerations to take into account before implementing Azure Virtual Desktop, depending on the type of users and where they will connect from: will the majority of users be office-based, home-based or field-based, and are they dispersed geographically?
Network bandwidth
The amount of network bandwidth required for Azure Virtual Desktop will depend on the number of users and the type of workloads that will be running on the virtual desktop environment. It is important to ensure that the network has sufficient bandwidth to support the expected number of users and the required workloads.
Make sure you get an idea of the current bandwidth available and whether it can cater for the number of users who will connect to AVD simultaneously. Your on-premises internet bandwidth may need to increase if your users have not been using many cloud services.
Home-based internet connectivity also needs to be taken into consideration. If most of the users will work from home and in different parts of the world, are their internet connections stable enough to access AVD? If not, this might not even be a viable solution. You may also consider Azure ExpressRoute if your entire office-based staff is migrating to AVD.
Latency
Latency is the delay in the time it takes for data to travel from the user's device to the virtual desktop and back. High latency results in a poor user experience, so it's important to ensure that the network has low latency.
Use the following latency check tool to understand where you should host your session host servers based on your users’ location: AVD latency checker.
Remote access
If users will be accessing the virtual desktop environment remotely, it’s important to ensure that the network is configured to allow remote access and that the remote access solution is secure.
Redundancy
It’s important to plan for network redundancy to ensure that the network can continue to function in the event of a failure.
Azure Virtual Network (VNET)
A virtual network must be available to launch the session hosts into. You can either create a separate VNet or deploy into an existing VNet.
Security
It’s important to ensure that the network is secure and that all communication between the user’s device and the virtual desktop is encrypted. It’s also important to ensure that the virtual desktop environment is protected against external threats. Utilise Network Security Groups (NSG) or Azure Firewall for a greater level of security to protect the AVD network.
Host Pool
The host pool strategy for Azure Virtual Desktop should be based on the specific requirements of the organization and the virtual desktop environment. Some of the factors to consider when developing a host pool strategy include:
Type of the solution, Pooled vs personal
One of the core decisions in adopting the AVD model, and in determining whether it's a feasible option, is to understand what your user requirements are. Does each user need a unique desktop that they always return to, with custom software that is not used by others? If so, you need to opt for the personal option, where the user always signs in to the same VM. If there are applications that can be shared among users, it makes sense to use the pooled option, where many users share the same session host. In either model you will need to decide how many session hosts you need.
Load balancing
The load balancing of the virtual machines in the host pool should be based on the specific requirements of the virtual desktop environment. It is important to ensure that the load is balanced across the virtual machines to ensure optimal performance.
There are two load-balancing modes within AVD: depth-first and breadth-first. With depth-first, users sign in to the first session host until it reaches its limit (you have to set the maximum number of sessions per host), after which new users are diverted to the next available session host. Breadth-first distributes user sessions evenly across the session hosts. Only one load-balancing type can be configured per host pool.
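To make the difference between the two modes concrete, here is a small simulation, added as an illustration and not code from the article or from Microsoft. The host names, the max session limit of 4 and the sign-in order are constructed; the placement logic mirrors the description above (depth-first fills one host before moving on, breadth-first picks the host with the fewest sessions).

```python
"""Simulation of AVD host-pool load balancing: depth-first vs breadth-first.

Added illustration, not Microsoft's or the article author's code. Host names,
the max session limit and the sign-in order are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SessionHost:
    name: str
    max_sessions: int          # the "max session limit" configured on the host pool
    users: List[str] = field(default_factory=list)

    def has_capacity(self) -> bool:
        return len(self.users) < self.max_sessions


def assign_depth_first(hosts: List[SessionHost], user: str) -> str:
    """Fill the first host with free capacity before touching the next one."""
    for host in hosts:
        if host.has_capacity():
            host.users.append(user)
            return host.name
    raise RuntimeError(f"host pool full, cannot place {user}")


def assign_breadth_first(hosts: List[SessionHost], user: str) -> str:
    """Place the user on the host that currently has the fewest sessions."""
    candidates = [h for h in hosts if h.has_capacity()]
    if not candidates:
        raise RuntimeError(f"host pool full, cannot place {user}")
    # min() keeps the earliest host on a tie, so the first sign-in lands on host 0
    target = min(candidates, key=lambda h: len(h.users))
    target.users.append(user)
    return target.name


def simulate(mode: str, n_users: int, n_hosts: int = 3,
             max_sessions: int = 4) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Sign n_users users in one after another; return where each landed and
    the resulting session count per host."""
    if mode not in ("depth-first", "breadth-first"):
        raise ValueError("mode must be 'depth-first' or 'breadth-first'")
    hosts = [SessionHost(f"avd-sh-{i}", max_sessions) for i in range(n_hosts)]
    assign = assign_depth_first if mode == "depth-first" else assign_breadth_first
    placements: Dict[str, str] = {}
    for i in range(n_users):
        user = f"user{i:02d}"
        placements[user] = assign(hosts, user)
    occupancy = {h.name: len(h.users) for h in hosts}
    return placements, occupancy


if __name__ == "__main__":
    for mode in ("depth-first", "breadth-first"):
        _, occupancy = simulate(mode, n_users=6)
        print(mode, occupancy)
```

With six users on three hosts, depth-first leaves the third host idle (4, 2, 0 sessions) while breadth-first spreads them (2, 2, 2). The idle host is what makes depth-first attractive for cost when combined with scaling that deallocates empty hosts, whereas breadth-first gives each user more headroom. Note that once every host is at its limit, neither mode can place a further user, which is why the max session limit must be sized together with the host count.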
Scale
The number of users and the number of virtual machines in the host pool should be based on the expected scale of the virtual desktop environment. It is important to ensure that the host pool can accommodate an increasing number of users and workloads over time.
Depending on the business requirement, this aspect should be considered early: ideally you would use the Windows performance counters on the existing PCs to determine the current usage of CPU, RAM and disk, together with the type of work each user does, to finalise the number of session hosts required.
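The sizing step just described, and the bandwidth question from the Networking section, can both be reduced to the same small calculation. The following is an added example, not code from the article or from Microsoft: the per-user usage samples, the two session-host sizes and the per-user bandwidth figure of 1500 kbps are constructed planning assumptions, to be replaced with your own performance-counter exports and the VM sizes you intend to use.

```python
"""Capacity estimate for an AVD host pool from measured per-user usage.

Added illustration, not the article's or Microsoft's code. SAMPLES, VM_SIZES
and the default kbps_per_user are constructed assumptions."""
import math
from typing import Dict, List

# Constructed peak usage per user, as you might summarise it from Windows
# performance counters on existing PCs: CPU in vCPU equivalents, RAM in GB.
SAMPLES: List[Dict[str, object]] = [
    {"user": "u01", "cpu": 0.4, "ram_gb": 2.0},
    {"user": "u02", "cpu": 0.6, "ram_gb": 2.5},
    {"user": "u03", "cpu": 0.5, "ram_gb": 3.0},
    {"user": "u04", "cpu": 0.8, "ram_gb": 3.5},
    {"user": "u05", "cpu": 0.7, "ram_gb": 2.2},
    {"user": "u06", "cpu": 0.5, "ram_gb": 2.8},
    {"user": "u07", "cpu": 0.9, "ram_gb": 4.0},
    {"user": "u08", "cpu": 0.6, "ram_gb": 3.1},
]

# Hypothetical session-host sizes (vCPU, RAM); not a real Azure SKU table.
VM_SIZES = {
    "medium-host": {"vcpu": 4, "ram_gb": 16},
    "large-host": {"vcpu": 8, "ram_gb": 32},
}


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile, so we size for a busy user rather than the average."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def per_user_requirement(samples, p: float = 95.0) -> Dict[str, float]:
    return {
        "cpu": percentile([s["cpu"] for s in samples], p),
        "ram_gb": percentile([s["ram_gb"] for s in samples], p),
    }


def hosts_required(samples, concurrent_users: int, size: str,
                   headroom: float = 0.8) -> Dict[str, object]:
    """Number of session hosts of `size` needed so that `concurrent_users` can
    sign in at once while using no more than `headroom` of each host."""
    need = per_user_requirement(samples)
    vm = VM_SIZES[size]
    by_cpu = math.floor(vm["vcpu"] * headroom / need["cpu"])
    by_ram = math.floor(vm["ram_gb"] * headroom / need["ram_gb"])
    users_per_host = min(by_cpu, by_ram)
    if users_per_host < 1:
        raise ValueError(f"{size} cannot host even one user at p95 usage")
    return {
        "users_per_host": users_per_host,          # candidate max session limit
        "limited_by": "ram" if by_ram <= by_cpu else "cpu",
        "hosts": math.ceil(concurrent_users / users_per_host),
    }


def bandwidth_check(concurrent_users: int, uplink_mbps: float,
                    kbps_per_user: float = 1500.0) -> Dict[str, object]:
    """Can the office uplink carry all concurrent sessions? kbps_per_user is an
    assumed planning figure, not a Microsoft number; measure your own workload."""
    required_mbps = concurrent_users * kbps_per_user / 1000
    return {
        "required_mbps": required_mbps,
        "utilisation": round(required_mbps / uplink_mbps, 2),
        "sufficient": required_mbps <= uplink_mbps,
    }


if __name__ == "__main__":
    for size in VM_SIZES:
        print(size, hosts_required(SAMPLES, concurrent_users=50, size=size))
    print(bandwidth_check(concurrent_users=50, uplink_mbps=100))
```

The `users_per_host` value doubles as a starting point for the max session limit discussed under Load balancing, and `limited_by` tells you which resource to buy more of if the host count is too high. The 95th percentile is deliberate: sizing on the mean leaves the busiest users starved at peak hours.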
Performance
The performance of the virtual machines in the host pool should be based on the specific requirements of the workloads that will be running on the virtual desktop environment. It is important to ensure that the virtual machines are powerful enough to support the required workloads.
Security
The security of the virtual machines in the host pool should be based on the specific requirements of the virtual desktop environment. It is important to ensure that the virtual machines are secure and that they are protected against external threats.
Personalization
The personalization of the virtual machines in the host pool should be based on the specific requirements of the virtual desktop environment. It is important to ensure that the virtual machines are personalized for each user to provide a good experience.
Maintenance
The maintenance of the virtual machines in the host pool should be based on the specific requirements of the virtual desktop environment. It is important to ensure that the virtual machines are updated and maintained in a timely manner to ensure optimal performance.
Backup
The backup of the virtual machines in the host pool should be based on the specific requirements of the virtual desktop environment. It is important to ensure that the virtual machines are backed up in a timely manner to ensure that data is protected. Ideally, you would want to consider backing up the session host with at least 2 snapshots for quick recovery.
Data Location
For compliance and connectivity/latency purposes, you need to decide which geographical location you want to deploy the host pool to.
Profile and Storage
Storage is another core component of the AVD infrastructure and requires much thought in the initial stage. The three main elements on which a decision must be made are:
User Profile Disk
User Profile Disk (UPD) is a feature of Azure Virtual Desktop that enables the personalization of virtual machines, allowing users to have their own settings and preferences. It is important to ensure that the UPD is configured properly and that it is used to store the user profiles.
The local VM disk can be used to hold the user profile, but it's not the recommended method; I would avoid this option unless it's a personal desktop or there are very few users.
FSLogix is the ideal option, as it is essentially a VHD for each user containing all the user profile contents. This virtual disk is attached every time the user logs in and detached, with all the profile changes, when the user logs out. There is no dependence on the session host.
Storage type
The type of storage that is used to store the user profiles should be based on the specific requirements of the virtual desktop environment. It is important to ensure that the storage type is appropriate for the workloads that will be running on the virtual desktop environment.
For FSLogix, you can select either Azure Files or Azure NetApp Files, but the minimum storage on NetApp Files has to be 4TB.
Storage location & Backup
Again, compliance, latency and your backup strategy for the user profile data have to be determined at this stage.
Backup and Disaster Recovery
There are two core resources you need to back up in the AVD environment.
- Session host VMs
These need to be backed up using Azure Backup or your preferred backup solution if it's already in place in Azure.
- Profile storage
Profile storage can be backed up with snapshots as well. This is highly recommended, as with any server infrastructure there will be an issue at some point.
Disaster recovery options are available, and two types of Microsoft services are involved when you go for an AVD solution.
Virtual Machines
These are used as your session hosts, and the VMs have a 99.95% uptime guarantee SLA, which means the VMs can be down for 21 minutes and 44 seconds every month.
Azure Virtual Desktop Service
This is where all the AVD services are provided as a PaaS service by Microsoft. A 99.9% uptime guarantee is provided by Microsoft for this service, meaning 43 minutes and 28 seconds of downtime every month can be expected. Also, specifically for this service, you cannot claim any financial benefits or Azure credit if there are any SLA violations. However, Azure Virtual Desktop is a global service, and Microsoft has assured that traffic will be routed via different regions if there are any outages. In my experience since December 2021, the outages haven't impacted production.
It all depends on how critical the AVDs are for your business, and a decision needs to be made based on Maximum Allowable Downtime (MAD). Azure has the capability of building a disaster recovery configuration for the AVD infrastructure in active-active or active-passive mode, so if there are specific requirements to adhere to a tight RPO/RTO then this is a viable option.
I would also recommend creating a separate VNet and continuously performing restore tests of your session host VMs to make sure your backups and processes are intact.
Security
As with all implementations, security is an important area that shouldn't be neglected. Knowing all the ways to secure a solution is as important as implementing the solution itself. A layered, defence-in-depth security approach should be applied not only to the AVD environment but also to the devices and networks used to connect to it, as these are now your production workstations and users connect from various locations.
Utilise network security groups to restrict access to the AVD subnet. Do not assign a public IP address to any session-host VM; Microsoft uses a modern methodology that makes session hosts reachable from the internet without a public IP being assigned to the VM. If you have Azure Firewall or your own firewall appliance, that can be utilised as well.
Implementing Azure Defender for VMs and storage accounts, and utilising Conditional Access to restrict which devices and users can access the AVD session hosts, are vital. Utilising Azure Private Link to access services within Azure will also create a more secure environment in the cloud.
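The two network rules above (restrict the AVD subnet with NSGs, never give a session host a public IP) are easy to state and easy to drift away from over time, so they are worth checking mechanically. The following is an added example, not code from the article or from Microsoft: it evaluates a constructed NSG rule set and VM list, shaped like the `securityRules` properties of an ARM template, and reports any management port whose effective inbound rule for internet traffic is Allow, plus any session host carrying a public IP. Because AVD session hosts are reached through the service's reverse-connect transport rather than an inbound listener, the correct result for a session-host subnet is no findings at all.

```python
"""Audit of NSG rules and session-host NICs for the two mistakes the section
warns about: management ports open to the internet, and public IPs on hosts.

Added illustration, not Microsoft's or the article's code. The rule and VM
records are constructed to resemble ARM `securityRules` properties; they were
not exported from a real subscription."""
from typing import Dict, List, Optional

# Constructed NSG rules; the lowest priority number wins.
NSG_RULES = [
    {"name": "AllowRdpFromMgmtSubnet", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24",
     "destinationPortRange": "3389"},
    {"name": "AllowRdpFromAnywhere", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
    {"name": "AllowHttpsFromInternet", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "443"},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]

# Constructed session hosts; 203.0.113.10 is a documentation-range placeholder.
VMS = [
    {"name": "avd-sh-0", "publicIp": None},
    {"name": "avd-sh-1", "publicIp": "203.0.113.10"},
]

# Management ports that should never be reachable from the internet on a session host.
SENSITIVE_PORTS = {"3389": "RDP", "22": "SSH", "5985": "WinRM", "5986": "WinRM over HTTPS"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def port_in_range(port_range: str, port: int) -> bool:
    """Match a destinationPortRange value such as '*', '3389', '3000-4000' or '22,3389'."""
    for part in port_range.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def effective_inbound_rule(rules, port: int, protocol: str = "Tcp") -> Optional[Dict]:
    """First inbound rule, in priority order, that applies to internet traffic on `port`."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        if rule["protocol"] not in ("*", protocol):
            continue
        if rule["sourceAddressPrefix"] not in INTERNET_SOURCES:
            continue  # a narrower source prefix never matches internet traffic
        if port_in_range(rule["destinationPortRange"], port):
            return rule
    return None  # no custom rule matched; Azure's default rules would then apply


def find_exposed_ports(rules) -> List[Dict[str, str]]:
    """Sensitive ports whose effective rule for internet traffic is Allow."""
    findings = []
    for port, service in SENSITIVE_PORTS.items():
        rule = effective_inbound_rule(rules, int(port))
        if rule is not None and rule["access"] == "Allow":
            findings.append({"port": port, "service": service, "rule": rule["name"]})
    return findings


def find_public_ip_hosts(vms) -> List[str]:
    """Session hosts that have a public IP attached; there should be none."""
    return [vm["name"] for vm in vms if vm.get("publicIp")]


def audit(rules, vms) -> Dict[str, object]:
    exposed = find_exposed_ports(rules)
    public = find_public_ip_hosts(vms)
    return {"exposed_ports": exposed, "public_ip_hosts": public,
            "passed": not exposed and not public}


if __name__ == "__main__":
    print(audit(NSG_RULES, VMS))
```

On the constructed input the audit flags `AllowRdpFromAnywhere` for port 3389 and `avd-sh-1` for its public IP, while the narrow management-subnet rule at priority 100 is correctly ignored because it never matches internet sources. The check is deliberately simple: it evaluates only the custom rules you pass in, not Azure's default rules, service tags other than `Internet`, or application security groups, so treat it as a first-pass gate in a deployment pipeline rather than a replacement for Defender's own network recommendations.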
Conclusion
Planning is vital in every project, and the purpose of Part I is to cover all the areas of Azure Virtual Desktop that need consideration. Part II will focus on implementing each of the above-mentioned areas with a step-by-step guide.