Azure Virtual Desktop
Azure virtual desktop is a virtualization technology that
enables quick access to Organizational Azure resources to remote users or work users
connecting to Azure resources with a limited ER or VPN gateway traffic. The file
access to azure file share or DBs could be exponential faster by hosting AVD in
a collocated Azure data center. User experience would be better specifically, if
they are accessing 500 to 2000 pdfs with OCI files etc.
Quite like Citrix or VMware horizon VDI infrastructure AVD
deployment depends on following other infrastructure or cloud resources –
1)
network resources, network logic and network
resource access.
2)
Identity services and Identity sync.
3)
Master image. Custom image like historical VDI
process or in the case of small deployment for Azure we could use pre-populated
image from the gallery.
4)
File share access or cache of user profile. Especially,
in the case of pooled desktop which allows same user experience regardless of
VM change in the pool. Citrix uses file share and enables local cache to write
back to file share for faster writeback to immediate application request on
profile. Similarly, AVD also features cache option if the profile server is not
co-located facility. And cloud printer profile management like Universal print
or printer logic other vendors.
5)
Creating host pool and Scaling logic for the
pooled desktop. AVD uses Breath first and depth first which we will go in length
as we expand more on scaling logic later.
6)
Monitoring and management (Insights, workbook, KQL,
GPO, EPM, RDP properties etc.)
7)
Backup, failover, and high availability.
1)
Network configuration and requirements for AVD
a)
Prior to networking it is important to access
AVD experience with the help of AVD experience estimator.
b)
Like any of the Azure hybrid network requirements.
Setup a vnet or two and the following list of subnets under the vnet.
GatewaySubnet
AzureFirewallSubnet (If traffic filtering
and proper enterprise security is needed using Azure firewall). Not applicable if
only NSG is in use or NVA is in place.
AzureaBastion for secure RDP access to
session host for troubleshooting.
AVD subnet for hosting AVD.
Identity or core subnet for hosting
identity servers like DCs, AADConnect, Federation server etc.
c)
After the vnet and subnets are set up. Setup the
VPN gateway connection or ER as needed for hybrid connection to enterprise on
prem network. Setup Hub to peer vnet to allow traffic from AVD to identity
services. Hub and Spoke peering are required regardless of identity services being
hosted on premises or directly on the cloud.
d)
Add custom DNS in Azure portal or use command
line to support the company domain name.
e)
Deploy a domain controller with all FSMO roles or
multiple DCs as required, along with DNS role on DC or member server.
f)
Update the primary DNS IP on the to Domain controller
IP with DNS role. You could still leave azure wire DNS as secondary DNS if you
wish.
g)
RDP Short Path (RDP
Shortpath - Azure Virtual Desktop | Microsoft Learn)
Reverse connection has been in use from Server 2012 R2 and above
with Remote Desktop Gateway and broker services, which is extremely dependable
with TCP, however, not fast as UDP. RDP short path uses UDP port 3390 to enhance
the connectivity with VPN or ER with direct line of sight or over the over
public network. Above link shows the details description on usage of STUN and TURN
for RDP short path.
RDP Short path provides better performance and reduced
latency with improved RT. For managed line of sight network, it enables QOS and
network throttling with GPO.
If firewalls or other network devices block UDP traffic, the
connection will fall back to a TCP-based reverse connect transport.
Connection sequence in the MS docs shows how it decides on
shortest path and the reference of port 3478.
AVD network port requirements for NSG /Firewall.
AVD requires following outbound connection rule –
1)
Access Azure virtual desktop services on TCP
port 443
2)
Access AzureCloud service tag for TCP port 443
to access Azure monitoring, diagnostics, blob, service bus, queue, catalog Artifact
on Azure marketplace,
3)
Access to Azure.kms.windows.net on port 1688 for
resolving Windows KMS license service authentication.
4)
IP addresses 169.254.269.254 and 169.63.129.16
on port 80 Azure instance metadata service endpoint and session host health monitoring,
respectively.
5)
Additionally for the line of sight to the domain
controller LDAP /Kerberos services for authentication, SMB for SYSVOL GPO
access we need to allow port 53, 88,389,445,464,636 and the higher range ports
49152-65535 for both the UDP and TCP traffic. Along with TCP 135 and UDP 123 port
outbound rule. Similarly, inbound rules on the Identity service VNET or on prem
appliance whichever the case. SMB 445 is required for both the sysvol and the Azure
file access with SMB protocol which will be used for profile Logix later.
Inbound –
1)
You can add allow bastion subnet to for RDP
service to allow access to AVD session host for troubleshooting issues with
master image VM or other session host.
2)
Identity Services
After meeting the network requirement, let us jump right
back to identity services. Which comprises of identity sync and security.
To synchronize identity from domain controller to Azure AD
we would require the ADconnect services. Azure
AD Connect: Get started by using express settings - Microsoft Entra | Microsoft
Learn
1)
Deploy a member server.
2)
Download and deploy ADconnect services.
3)
Deployment would require authentication to AAD
services with the global admin account and authentication to DC with domain
admin account.
4)
For easy and quick deployment, we can select
express setting and password hash sync which will also offer SSO. For detail
about PTA and Federation services to enforce authentication on-premises are
covered in depth on AZ-104, SC-300. Custom settings are useful for updating UPN
and OU selection during initial sync and other reasons.
5)
After the successful deployment user account and
security group in all OUs will be synchronized and updated on AAD and listed as
synched or hybrid identity. For new UPN or identity, it will first need to be
created on the domain controller which will automatically be synchronized after
every 30 mins. Synched process could be enforced immediately with the help of start-ADsyncCyle
with delta switch or by using schedule script on the ADconnect server.
6)
After synchronizing the user identity there are
license requirements that need to be met for security and AVD access. Enforcing
AVD security with conditional access requires AD P1 and above and for AVD
access it requires Microsoft 365 business premium and above which also
incorporates AD P1 license. The other security needs are Azure defender for
cloud and defender for endpoint.
AVD VM image creation process –
Shared Image Gallery
Imaged could be selected from the Azure
marketplace if the default image in the gallery and marketplace suffices.
However, if the organization has a need to setup the gold image with tailored applications,
then it is better to create custom image, wiped UIP with sysprep tool for OOBE
experience and capture the image for deployment and store it in a shared path
or image gallery.
Quite like creating images in the
on-prem hyper V, VMware, or Citrix XenApp for best practices every step of
image change, each application installs, and reboot would require VM snapshot. In
the case of Azure, it will be the snapshot of the OS disk and keeping version
of snapshot for roll back if needed to restore from the snapshot.
Optimizing image for performance –
Running Image optimizer script.
Running application specific image.
For example to optimize and install Microsoft teams for all users, please
follow this article to make recommended registry change, install WebSocket and PowerShell
to deploy on computer Use
Microsoft Teams on Azure Virtual Desktop - Azure | Microsoft Learn
Installing OneDrive on VM Install
Office on a master VHD image - Azure | Microsoft Learn
Installing office on gold image VM
Install
Office on a master VHD image - Azure | Microsoft Learn
Allowing user to choose language
option in OS. Step 2 of Install
language packs on Windows 10 VMs in Azure Virtual Desktop - Azure | Microsoft
Learn
After the final change on the gold
image VM. Run the sysprep tool with OBBE and generalize option and select
shutdown from the dropdown. After the identify of VM gets cleared with sysprep.
Switch back to Azure portal on the master VM blade and select Capture button. During
the capture process select “share image to Azure compute gallery.” Select the target
VM image definition by selecting create new and creating resource group during
the process to keep VM image definition in a separate RG.
For the version select the semantic
version e.g., x.x.x.
Choose the replicate count within
a region or across the region based on the organizational need and the volume
of deployments. (Note – one replica per twenty concurrent steaming deployment
of VM deployment and two hundred per region if AVset is enabled on four hundred
without AVset per session host).
Once the VM image gets deployed
and saved under the gallery, you can navigate to the gold image version anytime
to start “Create VM” from the master image for a quick test deployment and
access how the final VM deployment looks like.
Once deployed verify the VM with
RDP and make sure all application works and VM shows as optimized based on organizational
need. Once the VM state looks good, delete all the snapshots that were created during
the process of image preparation and delete VM tool.
Deployment VM in host pool using
gold image from the Gallery –
1)
Search from AVD on Azure portal
2)
Click on the host pool blade.
3)
Click the registration key to generate a new key
for the host pool.
4)
Select session host on the host pool blade.
5)
Click “ADD” button.
6)
On the basic tab, fill all the details for host
pool settings name, RG, and the type of host pool.
7)
On the “Virtual machine” tab naming prefix ensuing
the total length of prefix and suffix does not exceed eleven characters.
8)
Select AV zone or no redundancy.
9)
Under the image section. Select see all images
and click on “My images – shared images” and click on the gold image we prepared.
10)
Type the value for number VM to deployed. For
storage it is recommended to have premium SSD for a pooled desktop with SKU
supporting at least 4 CPU cores and 16 GB RAM.
11)
Select AD join or AAD join. For AD join type username
with UPN suffix and password with correct privilege to join machine to domain
and select custom OU path where you would like to create new computer account.
12)
Finally, provide the local admin username and
password that needs to be created on the new VM.
13)
Enabled diagnostic and store to Log analytics.
14)
The entire process of imaging could be automated
with Azure image builder. The benefit of image builder is scripted process to
maintain image with recent updates, generalize and create recent version and redeployed
and reapply to VMs as the update release. It will require a managed identity and
an automation account. Please follow docs Azure
VM Image Builder overview - Azure Virtual Machines | Microsoft Learn and repo
Azure/azvmimagebuilder:
Azure VM Image Builder Samples Repo (github.com) and Create
a Windows VM by using Azure VM Image Builder - Azure Virtual Machines |
Microsoft Learn. Git repo has image optimizer, FLlogix deployment and
deployment on MI with ARM template. For the town image, we need to replace the image
publisher with the ID or our own master image and finally, the ARM deployment
would deploy the image to shared gallery.
File Share and FSLogix
FXlogix includes – User Profile, Office profile, App masking
and Java version control.
User profile redirection to the Azure file share is the commonly
used cases for FxLogix. As office profile is only applicable if we have separate
roaming profile for user share which are rare nowadays.
App masking allows restricting access to users or groups. For
e.g., applications used by HR should be accessible to other departments in the
case of common pool.
Cloud cache provides faster write operation to user profile
update if the file share location is remote. This is like the technology Citrix
used for Profile share write operation by using quick write operation on temp VHD
and steaming the change to the remote file share later or during log off to avoid
writeback latency and retain best user experience. Cloud Cache Overview - FSLogix | Microsoft Learn
License requirement - Microsoft 365 E3, E5, F1, F3 or for companies
who are eligible for education licensing, A3, A5. You can also utilize Windows
10 Enterprise E3, E5 or A3, A5 for the education sector.
Install Fxlogix using this article if the image is not
replicated from Azure gallery - Install
FSLogix Applications - FSLogix | Microsoft Learn
Here is a script to on GitHub to domain join Azure file
share to enable NTFS permission Releases ·
Azure-Samples/azure-files-samples (github.com)
Before configuring Fxlogix path on session host. Create Azure
file with SMB authentication using following article - Use
Azure Active Directory Domain Services (Azure AD DS) to authorize user access
to Azure Files over SMB | Microsoft Learn. Disable password expiration on
the AzureFileShare computer account AD to never expire or apply the same with
GPO on OU where the computer account is located. Or
update-AzStorageAccountADObjectPassword in a schedule interval before password
expires.
RBAC Permission on Azure file share
1)
For administrative purposes - file contributor privilege
2)
For user access – file contributor
NTFS permission for AVD users – modify NTFS permission at
the profile folder.
Login to Windows session host and launch registry editor.
HKLM – software – Fxlogix – create/ Add a Dword “Enabled”
value 1. Additionally, create multi string value “VHDLocations” with value data
as FQDN of Azure share user profile path.
Configuring cloud cache - HKLM – software – Fxlogix –
Profile – Add new Dword32 “Enabled” value 1. create multi string value “CCDLocations””
with value data as FQDN of Azure share user profile path prefixed with “type=SMB,ConnectionString=”
Creating host pool and scaling
Azure Virtual Desktop (AVD) consists of three features, Host
Pools, App Groups, and Workspaces.
The service offers a secure and easy-to-use remote desktop solution
with minimum setup and maintenance overhead.
A Host Pool is a collection of Azure virtual machines.
Session host of VM in AVD registered either to Azure AD or Active Directory Domain
services. The session hosts are registered to the host pool collection and are
readily available for end-users to interact with and use. Currently, Azure
offers two types of host pool options: Personal, for
individual use, and pooled for shared usage by an
authorized group of users. A load balancing mechanism is used to determine the
traffic flow on the session hosts.
An App Group is a logical grouping of applications installed
on a session host. The Workspace is a logical grouping of application groups in
AVD. The app groups are associated with workspace to enable IAM access and
publish applications to users to access remote desktops and apps. RBAC
assignment to access AVD desktop or application is implemented through application
group access management.
As application groups are linked to Workspace. We can first create
workspace from the AVD blade or host pool first.
Creating workspace -
On the basic tab of the AVD workspace. Type the workspace
name and the description. Create the new RG or select the existing RG as it
applies. Select the location for the workspace which should be in the same
region as the network resources, however, the host pool metadata could be on
different region and resource group.
As we do not have application group pre-staged, we can “NO”
for the “Register Application group” tab.
Enabled diagnostic for the workspace, if you have a log analytics
workspace setup to store the diagnostic logs for the workspace and review and
create after completing the tag.
Creating host pool –
On the AVD blade select create host pool –
On the first tab Type the host pool name, select or create
new Resource group and the location of the host pool metadata. Metadata location
and RG is not tied up or dependent on the other Azure resources, therefore, it could
be in any other region or separate RG.
On the host pool type, select pooled or personal desktop.
Pooled desktops are muti session desktop where the user and user application
session are redirected and saved to FsLogix profile on a SMB file share. Whereas
personal desktops are useful if the dedicated system is required for each user.
Personal Desktop has automatic and direct assignment. Automatic is the default
assignment, where a user account or a group only needs access to the host pool
and a user would automatically get assigned to assigned to available VM based
on the load balancer logic. Direct assignment requires host pool and the VM
level aka session host access for the user Azure
Virtual Desktop personal desktop assignment type - Azure | Microsoft Learn
For the pooled desktop we have Breadth-first and depth-first
algorithm. The default option is the breadth first which will assign or load
balance the user session to any available VM in the pool randomly before redirecting
user session on the same session host. Whereas depth first will not redirect
resource to other available session host and try to optimize cost by directing
most session to first session host and once the first session host is
overutilized the new user session would be redirected to new session host.
To avoid performance degradation when configuring
depth-first load balancing, you must set a maximum session limit per session host
in the host pool.
There is an option to create a validation environment for
the host pool which is used for validating updates before deploying it actual
production session host in production pool.
On the virtual machine tab for the host pool, select Add
virtual machine.
Select Resource Group and Type name prefix for VM. VM name
with prefix should be under eleven characters.
Select availability zone or set as required.
Set the security type as standard. If there is a need to
secure VM for PCI or other security requirements, then TPM can be applied to
the VM with additional cost and supported SKU in SKU selection.
Select the image type as gallery and select the default images
from the gallery or the custom image.
Select the size and SKUs needed. For pooled desktop it is recommended
to choose size or SKU supporting at least 4 vCPU and 16 GB plus memory and
premium SSD for the storage performance on shared pool desktops.
Select network and security groups that are in direct line
of sign with identify services with vnet peering or for lab subnet in the same
vnet will keep it in same network anyway.
Type the username and password with RBAC permission to join machine
to domain for AD join machine and similar RBAC if you are only joining AAD instead.
For AD domain join machine, you can also specify custom OU path to join VM to
custom OU other than default computer account.
Click yes to register Desktop application group to workspace
we created earlier, as user will see this VM and App group in their workspace when
they sign in. Click next and click review and create after tag assignment and click
create once the validation passes.
During the process of host pool creation, a new application group
generates with the prefix of host pool name and suffix of DAG (Desktop
application group). However, an application group needs to be created and named
separately if it is deployed with IAC or PowerShell command.
Host Pool configuration
On the host pool you can configure the schedule agent update
to update the agent on session host on schedule maintenance time based on the
time zone, instead of automatically updating whenever available to avoid the
session host degradation during the production hour.
You configure all RDP properties related to connection,
session, display from the host pool or GPO. Supported
RDP properties with Azure Virtual Desktop - Azure Virtual Desktop | Microsoft
Learn
Host pool scaling plan –
To scale host poot AVD requires custom RBAC role at the
Azure subscription level with allowed action for read/write operation on VM and
host pool and the subscription level.
Once the custom role name is defined. On the host pool IAM
blade click Add role assignment and find the custom role and assigned to “Windows
virtual desktop” identity.
After RBAC assignment is completed for the custom role is
completed. Create a scaling plan and with Friendly name and resource group and
location.
One the schedule for scaling plan goes through general, ramp
up, peak hours, ramp down and off-peak hours schedule.
For peak hours it is recommended to have breadth first mode
load balancing to avoid boot storm on a single session host and keep “capacity
threshold” to 50-60% so the host inactive session host starts automatically to
offset the morning user session. Once the ramp up is completed during the day
or peak hours could be assigned depth first load balancing to redirect few additional
user sessions to existing session without bringing more session host unless
needed, therefore, keeping the compute cost down during day and once the user
sessions are stable.
During Ram down we could leave depth first load balancing but
increase the capacity threshold to leave the session on existing session host.
Off-peak hours at nighttime with high-capacity threshold to keep the session
host to minimum during night or weekend.
We could also use the VM SKU that supports ephemeral disk to
create non-persistent Host pool if the workloads require no persistent data for
user session.
A useful feature of personal desktop pool is to start the VM
on connect which could not be achieved with the help of custom or power on VM role
at the subscription level for WVD/AVD identity. As defined in the article below.
Set
up Start VM on Connect for Azure Virtual Desktop | Microsoft Learn
Prior to support for VM auto start with IAM role. It needed
scripting which is shown on the training Article by Travis Roberts who has authored
bunch of Azure trainings including IAC and AVD.
Auto
Start and Stop Session Hosts in Windows Virtual Desktop Spring Update (ARM) Edition
with an Azure Function - Ciraltos
Group Policy for the AD joined Session host -
The GPO for network properties restricts user from changing network location, name and icon. Also, ICS sharing could be disallowed with Prohibit ICS on session host policy.
Disabling bits peer-caching will disallow session host from sharing downloaded content to other session host.
Instead of GPO. Endpoint management could be use to enforce policy on session host for Azure AD joined devices with the following limitations on EPM. No WiFi policy on EPM, no Auto pilot reset from EPM console for AVD and not remote wipe for AVD.
AVD High availability /DR and backup –
For a pooled desktop HA could be achieved by selecting Availability
set or availability zones. That way in one fault domain or zone is down then
user session is redirected to available VMs on the set or zone accordingly. Connecting
resource or data between VM is different zone does incur the egress traffic
cost for data transfer.
For the Azure Virtual Desktop (AVD) Disaster Recovery (DR)
plan, there are a few options for replicating the required resources to the
secondary region. One option is to use Azure Site Recovery (ASR) to replicate
the virtual machines and other resources to the secondary region. ASR can be
configured for both active-passive and active-active replication.
Another option is to replicate the profile storage across
regions, as you mentioned. This can be done using Azure Blob Storage or Azure
Files, depending on the type of profile storage being used. By replicating the
profile storage across regions, you can quickly spin up new VMs in the
secondary region and point them to the replicated profile storage. This can be
a faster and simpler solution than using ASR to replicate the VMs themselves.
However, it is worth noting that if you choose to replicate
the profile storage, you will need to make sure that all other required
resources (such as Active Directory domain controllers, DNS servers, and any
necessary network connectivity) are also available in the secondary region.
Additionally, you will need to make sure that any necessary changes to the AVD
deployment (such as updating the DNS records and load balancer configuration)
are made to enable the secondary region to function as the primary region in
case of a failover.
In summary, both ASR and replicating the profile storage
across regions are valid options for AVD DR, but each has its own
considerations and requirements. The choice of which solution to use will
depend on the specific needs of your organization and the resources available
in the secondary region.
Important URLs for reading -
WVD Scaling script
RDS-Templates/basicScale.ps1 at master · Azure/RDS-Templates (github.com)
