Best Practices for Azure Virtual Desktop (AVD)

This article covers best practices for implementing Azure Virtual Desktop (AVD) in detail.

  1. Azure Virtual Desktop Enterprise Architecture

Link for reference:

Azure Virtual Desktop for the enterprise – Azure Architecture Center | Microsoft Learn

  1. Azure Virtual Desktop Limitations
| Azure Virtual Desktop object | Per Parent container object | Service limit |
|---|---|---|
| Workspace | Azure Active Directory tenant | 1300 |
| Host Pool | Host Pool | 400 |
| Application group | Azure Active Directory tenant | 500* |
| RemoteApp | Application group | 500 |
| Role assignment | Any Azure Virtual Desktop object | 200 |
| Session host | HostPool | 10,000 |
| | Per Azure subscription Per region | 5000 VMs |
| Automated session-host scaling tools | Per Azure subscription Per region | 2,500 VMs |
| Azure Resource Manager (ARM) | Subscription API throttling limits | 600 Azure VM reboots per hour via the Azure portal |

  1. Hub and spoke with hybrid connectivity.

Here are some general design considerations and recommendations for Azure Virtual Desktop network topology and connectivity:

Considerations:

  • This scenario doesn’t account for direct client network connectivity, public or private, to session hosts (no RDP Shortpath).
  • The Azure Virtual Desktop control plane gateway (public endpoint) manages client connections. Therefore, Azure Virtual Desktop clients can create outbound connections to required Azure Virtual Desktop URLs. For more information, see Required URLs for Azure Virtual Desktop https://learn.microsoft.com/en-us/azure/virtual-desktop/safe-url-list?tabs=azure .
  • No public IPs or any other public inbound path to session hosts is needed; traffic from clients to session hosts flows through the Azure Virtual Desktop control plane gateway.
  • There is no virtual network peering between Azure Virtual Desktop spokes; all the traffic goes through the connectivity hub.
  • Outbound internet connection from Azure Virtual Desktop session hosts goes through the default Azure outbound NAT using dynamic Azure public IPs (no customer control on outbound public IPs used).
  • Connections from session hosts to Azure Files (storage accounts) are established using private endpoints.
  • Azure private DNS zones are used to resolve private endpoint namespaces:
    • Storage account file service (privatelink.file.core.windows.net).
    • Key vaults (privatelink.vaultcore.azure.net).
  • Even though network filtering is not enforced in this scenario, NSGs are placed on all subnets to enable monitoring and insights by using Network Watcher NSG flow logs and traffic analytics.

3: Microsoft Recommended Workload/Users/Apps

Example users are the types of users that might find each workload most helpful. Example apps are the kinds of apps that work best for each workload.

| Workload Type | Example Users | Example Apps |
|---|---|---|
| Light | Users doing basic data entry tasks | Database entry applications, command-line interfaces |
| Medium | Consultants and market researchers | Database entry applications, command-line interfaces, Microsoft Word, static web pages |
| Heavy | Software engineers, content creators | Database entry applications, command-line interfaces, Microsoft Word, static web pages, Microsoft Outlook, Microsoft PowerPoint, dynamic web pages, software development |
| Power | Graphic designers, 3D model makers, machine learning researchers | Database entry applications, command-line interfaces, Microsoft Word, static web pages, Microsoft Outlook, Microsoft PowerPoint, dynamic web pages, photo and video editing, computer-aided design (CAD), computer-aided manufacturing (CAM) |

Master Image Management

The master image can be managed by existing processes and technologies, including:

  • Azure Update management
  • Microsoft Endpoint Configuration Manager
  • Azure Compute Galleries
  • Azure Image Builder Automation
  • Azure DevOps Pipelines

Microsoft Recommended VM Sizing

Multi-session sizing recommendations:

| Workload type | Maximum users per vCPU | Minimum vCPU/RAM/OS storage | Example Azure instances | Minimum profile storage |
|---|---|---|---|---|
| Light | 6 | 8 vCPUs, 16 GB RAM, 32 GB storage | D8s_v5, D8s_v4, F8s_v2, D8as_v4, D16s_v5, D16s_v4, F16s_v2, D16as_v4 | 30 GB |
| Medium | 4 | 8 vCPUs, 16 GB RAM, 32 GB storage | D8s_v5, D8s_v4, F8s_v2, D8as_v4, D16s_v5, D16s_v4, F16s_v2, D16as_v4 | 30 GB |
| Heavy | 2 | 8 vCPUs, 16 GB RAM, 32 GB storage | D8s_v5, D8s_v4, F8s_v2, D8as_v4, D16s_v5, D16s_v4, F16s_v2, D16as_v4 | 30 GB |
| Power | 1 | 6 vCPUs, 56 GB RAM, 340 GB storage | D16ds_v5, D16s_v4, D16as_v4, NV6, NV16as_v4 | 30 GB |

Single-session sizing recommendations:

| Workload type | vCPU/RAM/OS storage minimum | Example Azure instances | Profile container storage minimum |
|---|---|---|---|
| Light | 2 vCPUs, 8 GB RAM, 32 GB storage | D2s_v5, D2s_v4 | 30 GB |
| Medium | 4 vCPUs, 16 GB RAM, 32 GB storage | D4s_v5, D4s_v4 | 30 GB |
| Heavy | 8 vCPUs, 32 GB RAM, 32 GB storage | D8s_v5, D8s_v4 | 30 GB |

FSLogix Agent Architecture

To the operating system, FSLogix Containers attach seamlessly as in-guest VHD(X)s and are indistinguishable from local folders.

Managed Storage options for FSLogix

The table below compares the storage options to consider for FSLogix in Azure Virtual Desktop.

| Features | Azure Files | Azure NetApp Files | Storage Spaces Direct |
|---|---|---|---|
| Use case | General purpose | General purpose to enterprise scale | Cross-platform |
| Platform service | Yes, Azure-native solution | Yes, Azure-native solution | No, self-managed |
| Regional availability | All regions | Select regions | All regions |
| Redundancy | Locally redundant/zone-redundant/geo-redundant/geo-zone-redundant | Locally redundant/geo-redundant with cross-region replication | Locally redundant/zone-redundant/geo-redundant |
| Tiers and performance | Standard (Transaction optimized); Premium; Up to max 100K IOPS per share with 10 GBps per share at about 3-ms latency | Standard; Premium; Ultra; Up to max 460K IOPS per volume with 4.5 GBps per volume at about 1 ms latency. For IOPS and performance details, see Azure NetApp Files performance considerations and the FAQ. | Standard HDD: up to 500 IOPS per-disk limits; Standard SSD: up to 4k IOPS per-disk limits; Premium SSD: up to 20k IOPS per-disk limits; We recommend Premium disks for Storage Spaces Direct |
| Capacity | 100 TiB per share, up to 5 PiB per general purpose account | 100 TiB per volume, up to 12.5 PiB per NetApp account | Maximum 32 TiB per disk |
| Required infrastructure | Minimum share size 1 GiB | Minimum capacity pool 2 TiB, min volume size 100 GiB | Two VMs on Azure IaaS (+ Cloud Witness) or at least three VMs without and costs for disks |
| Protocols | SMB 3.0/2.1, NFSv4.1 (preview), REST | NFSv3, NFSv4.1, SMB 3.x/2.x, dual-protocol | NFSv3, NFSv4.1, SMB 3.1 |

Azure Files – sizing recommendations

  • Storage account name cannot be larger than 15 characters (AD/NETBIOS limit).
  • Azure Files Standard and Premium operate differently:
    • Azure Files Standard → 10,000 IOPS
    • Premium Files → based on size – consumption – max. 100,000 IOPS
  • The (internal) rule of thumb is that one user consumes 10 IOPS in steady state and 50 IOPS at sign-in/sign-out (depending on the type of workload).

| Workload type | File Tiers |
|---|---|
| Light | Standard file shares |
| Medium | Standard file shares, Premium file shares |
| Heavy | Premium file shares |
| Power | Premium file shares |

FSLogix Configuration Settings Recommendations

Profile Container Settings:

| Decision Point | Recommended Settings | Justification |
|---|---|---|
| Profile Management Version | FSLogix Apps 2.9.8228.50276/2.9.8171.14983 | The latest version at the time of writing. The latest version should be assessed and utilised where appropriate. This agent is installed within the Azure marketplace image. The latest version available at time of deployment should be utilised. |
| Profile Container | Enabled | FSLogix will be used to manage profiles for the solution. |
| Office Container | Enabled (optional) | The Office container stores just the Microsoft Office portion of the profile and is utilised to spread storage load over various storage locations. Note: Microsoft Office data is stored in the profile container when the Office container is not utilised, which can simplify the deployment. See Profile Container vs. Office Container. |
| Cloud Cache | Not configured | VHDLocations will be used in preference to Cloud Cache (CCDLocations) in this pattern due to the resilience and performance seen with NetApp Files or Azure Files when appropriately configured for the size of the user base. Agencies are encouraged to test CCDLocations if resilience and availability is a problem. |
| Profile Container Logging | Enabled (All logs enabled) | Logging is to be enabled for FSLogix. |
| Enable Search Roaming | Disabled | FSLogix search functionality is not compatible with Server 2019, Windows 10 multi-session, and subsequent multi-session operating systems with enhanced native search capabilities, and should be disabled. |
| Search Database Configuration | Not applicable | FSLogix search functionality is not compatible with Server 2019, Windows 10 multi-session. |
| Outlook Cached Mode | Enabled | FSLogix Outlook Cached mode will be configured to provide the best user experience. |
| Dynamic VHD(X) Allocation | Enabled | Dynamic VHD(X) will be configured to provide storage cost savings where possible. |
| Profile Virtual Disk Location | Agency decision point: Azure Files or Azure NetApp Files for Storage Account. Storage Account Name/s: TBD – Share that will be used for profiles | Each user will have a FSLogix virtual disk stored to an Azure location in Australia with data geo-replicated to a secondary location for DR purposes. Depending on required usage, performance and disaster recovery requirements, the agency must decide between Azure Files and Azure NetApp Files, or consider the Cloud Cache option (out of scope for this blueprint). |
| Virtual Disk Type | VHDX | VHDX is the latest available disk type and suitable for this solution. |
| Allow concurrent users sessions | Enabled | Concurrent user sessions must be enabled to allow multi-session desktop scenarios. |
| Delete local profile when FSLogix Profile should apply | Enabled | To provide the user a clean desktop session on each desktop launch, it is recommended to enable this setting. |
| Redirections File Path | Azure Storage account or other domain share | The redirections configuration XML will be hosted on a common share, to be determined by the agency. |
| Redirection Exclusions | Copy Redirections.xml file to [TBD-DOMAIN]\NETLOGON\FsLogix\ . See recommended crowd sourced redirections.xml for base inclusions. | It is recommended to use the redirections file with caution. Base configuration recommended initially. Note: the path to redirections.xml is set through Group Policy and points to the folder where the file exists, not the full path of the file itself. For structure and creation of the file see Structure of redirections.xml file. |
| Swap directory name components | Enabled: Swap directory name components | This configuration allows for easier navigation of the user VHDX folders when troubleshooting and during maintenance. |

Office Container Settings:

| Decision Point | Recommended Settings | Justification |
|---|---|---|
| O365 Virtual Disk Location | Network Share: [TBD – Network Share to be used for Virtual Disks] | Each user will have a FSLogix virtual disk stored to an Azure location in another region with data geo-replicated to a secondary location for DR purposes. |
| Virtual Disk Access type | Unique disk per session | Required for this deployment type and provides support for OST and OneDrive. |
| Virtual Disk Type | VHDX | VHDX is the latest available disk type and suitable for this solution. |
| O365 Container Logging | Enabled | Logging is to be enabled for FSLogix. |
| Concurrent Users Sessions | Allowed | Concurrent user sessions must be enabled to allow multi-session desktop scenarios. |
| Office 365 Activation Data | Enabled | Office 365 activation data will be stored in the O365 container. |
| Office Cache Data | Enabled | Office 365 cache data will be stored in the O365 container. |
| OneDrive Data | Enabled | OneDrive data will be stored in the O365 container. |
| OneNote Data | Enabled | OneNote data will be stored in the O365 container. |
| Outlook Data | Enabled | Outlook data will be stored in the O365 container. |
| Outlook Personalisation Data | Enabled | Outlook personalisation data will be stored in the O365 container. |
| SharePoint Data | Not configured | Not configured |
| Teams Data | Disabled | Teams data will not be stored in the O365 container. This allows optimisation of the profile size in the Profile container to avoid profile bloat. |
| Outlook Container Mode | Cached | Outlook cached mode will be enabled on successful container attach. |
| Dynamic VHD(x) | Enabled | Dynamic VHD(x) will be utilised to save on required space. Disks will grow only as space is required. |
| Search Roaming | Disabled | FSLogix search functionality is not compatible with Server 2019, Windows 10 multi-session, and subsequent multi-session operating systems with enhanced native search capabilities, and should be disabled. |
| Search Database | Not applicable | FSLogix search functionality is not compatible with Server 2019, Windows 10 multi-session. |
| Sync OST to VHD | Enabled: Move OST to VHD | Existing OSTs are synced to VHD/X when a new VHD/X is created. |
| Swap directory name components | Enabled: Swap directory name components | This configuration allows for easier navigation of the user VHDX folders when troubleshooting and during maintenance. |

FSLogix AV Exclusions

Make sure to configure the following antivirus exclusions for the FSLogix Profile Container virtual hard drives, and share this list with your security team.

  • Exclude Files:
    1. %ProgramFiles%\FSLogix\Apps\frxdrv.sys
    2. %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
    3. %ProgramFiles%\FSLogix\Apps\frxccd.sys
    4. %TEMP%\*.VHD
    5. %TEMP%\*.VHDX
    6. %Windir%\TEMP\*.VHD
    7. %Windir%\TEMP\*.VHDX
    8. \\storageaccount.file.core.windows.net\share\*\*.VHD
    9. \\storageaccount.file.core.windows.net\share\*\*.VHDX
  • Exclude Processes:
    1. %ProgramFiles%\FSLogix\Apps\frxccd.exe
    2. %ProgramFiles%\FSLogix\Apps\frxccds.exe
    3. %ProgramFiles%\FSLogix\Apps\frxsvc.exe

Configure SMB Storage Permissions

FSLogix works with SMB storage systems to store Profile or ODFC containers. SMB storage is used in standard configurations where VHDLocations holds the UNC path to the storage locations. SMB storage permissions rely on traditional NTFS Access Control Lists (ACL) applied at file or folder levels to ensure the proper security of the data that is stored. When used with Azure Files, you must enable an Active Directory (AD) source, and then assign share-level permissions to the resource.

The table outlines the recommended ACL(s) to be configured.

| Principal | Access | Applies to | Description |
|---|---|---|---|
| CREATOR OWNER | Modify (Read / Write) | Subfolders and files only | Ensures the profile directory created by the user has the correct permissions only for that user. |
| Domain Admins | Full Control | This folder, subfolders and files | Replace with your organization's group used for administrative purposes. |
| Domain Users | Modify (Read / Write) | This folder only | Enables authorized users to create their profile directory. Replace with organizational users who need access to create profiles. |
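
The following PowerShell function is an added example (not part of the original article or any Microsoft tooling) that audits a profile share root against the recommended ACL table above and reports drift, such as a user group ACE that inherits into other users' profile folders. The function name `Test-FSLogixShareAcl` and its parameters are hypothetical; the share path and group names in the usage comment are placeholders for your environment.

```powershell
# Added example: read-only audit of an FSLogix profile share root.
# Function name, parameters and the sample path/groups are hypothetical placeholders.
function Test-FSLogixShareAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,        # UNC path of the share root
        [Parameter(Mandatory)] [string] $AdminGroup,  # e.g. CONTOSO\Domain Admins
        [Parameter(Mandatory)] [string] $UserGroup    # e.g. CONTOSO\Domain Users
    )
    $rightsType = [System.Security.AccessControl.FileSystemRights]
    # Get-Acl reports Synchronize alongside Modify; ignore that bit when comparing.
    $mask = -bnot [int]$rightsType::Synchronize

    # Expected ACEs, taken from the recommended ACL table.
    $expected = @{
        'CREATOR OWNER' = @{ Rights = 'Modify';      Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' }
        $AdminGroup     = @{ Rights = 'FullControl'; Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }
        $UserGroup      = @{ Rights = 'Modify';      Inherit = 'None';                            Propagate = 'None' }
    }

    $acl      = Get-Acl -Path $Path
    $findings = New-Object System.Collections.Generic.List[string]
    $matched  = @{}

    # With inheritance enabled, ACEs from the parent can widen access to profiles.
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add('Inheritance is enabled; ACEs from the parent also apply.')
    }

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if (-not $expected.ContainsKey($id)) {
            $findings.Add("Unexpected principal: $id ($($ace.AccessControlType) $($ace.FileSystemRights))")
            continue
        }
        $want       = $expected[$id]
        $wantRights = [int]($want.Rights -as $rightsType) -band $mask
        $haveRights = [int]$ace.FileSystemRights -band $mask
        $ok = ($ace.AccessControlType -eq 'Allow') -and
              ($haveRights -eq $wantRights) -and
              ($ace.InheritanceFlags -eq $want.Inherit) -and
              ($ace.PropagationFlags -eq $want.Propagate)
        if ($ok) {
            $matched[$id] = $true
        } else {
            $findings.Add("Wrong scope or rights for ${id}: $($ace.FileSystemRights), " +
                          "inherit=$($ace.InheritanceFlags), propagate=$($ace.PropagationFlags)")
        }
    }

    # Every row of the table must be present exactly as specified.
    foreach ($id in $expected.Keys) {
        if (-not $matched.ContainsKey($id)) { $findings.Add("Missing or incorrect ACE for $id") }
    }

    [pscustomobject]@{ Path = $Path; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Usage (placeholder values):
# Test-FSLogixShareAcl -Path '\\storageaccount.file.core.windows.net\share' `
#     -AdminGroup 'CONTOSO\Domain Admins' -UserGroup 'CONTOSO\Domain Users'
```

The function only reads the ACL. Principals that do not appear in the table are reported as findings for review and are not changed.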

Microsoft Teams and Azure Virtual Desktop

Prepare network:

Teams is designed to give the best audio, video, and content-sharing experience regardless of network conditions. That said, when bandwidth is insufficient, Teams prioritizes audio quality over video quality. Please refer to the table below:

| Bandwidth (up/down) | Scenarios |
|---|---|
| 30 kbps | Peer-to-peer audio calling |
| 130 kbps | Peer-to-peer audio calling and screen sharing |
| 500 kbps | Peer-to-peer quality video calling 360p at 30fps |
| 1.2 Mbps | Peer-to-peer HD quality video calling with resolution of HD 720p at 30fps |
| 1.5 Mbps | Peer-to-peer HD quality video calling with resolution of HD 1080p at 30fps |
| 500kbps/1Mbps | Group Video calling |
| 1Mbps/2Mbps | HD Group video calling (540p videos on 1080p screen) |

Teams exclusions:

Make sure data in these two folders is synced:

  • C:\Users\username\AppData\Local\Microsoft\IdentityCache (%localAppdata%\Microsoft\IdentityCache)
  • C:\Users\username\AppData\Roaming\Microsoft\Teams (%appdata%\Microsoft\Teams)

Exclude the following from the Teams caching folder, %appdata%/Microsoft/Teams. Excluding these items helps reduce the user caching size to further optimize non-persistent setup.

  • .txt files
  • Media-stack folder
  • meeting-addin\Cache (%appdata%\Microsoft\Teams\meeting-addin\Cache)

Note: For Teams optimization configuration, refer to this URL: https://learn.microsoft.com/en-us/azure/virtual-desktop/teams-on-avd

Security Best Practices

End-to-end security considerations for AVD infrastructure

Security controls and best practices:

  • Require Multifactor Authentication: Activate Azure MFA for Azure Active Directory (AD) accounts.
  • Enable Conditional Access: Configure a conditional access policy and target Azure Virtual Desktop.
  • MEM (Intune) support: Windows 10/11 Enterprise multi-session/single session support.
  • Hybrid AAD and native AADJ virtual machines – bring end-to-end SSO and passwordless authentication (Windows Hello, FIDO2).
  • Patch software vulnerabilities: Update live host/redeploy using compute gallery images.
  • Control device redirection: Look into disabling smart card, port, drives, camera redirection, USB restrictions, printer redirection etc.
  • Windows security baseline: Apply Windows 10/11 Enterprise security baselines.
  • Define group policies: Set time limit for active but idle Remote Desktop Services sessions. Set time limit for disconnected sessions.
  • Antivirus, Endpoint Detection and Response, Network protection, Web content filtering, Attack surface reduction and Threat vulnerability management.
  • Reverse Connect and encryption: Disable all inbound traffic; encryption secures all traffic.
  • RDP Shortpath for managed networks and public networks.
  • NSG/Firewall service tags – allow required service URLs.
  • Screen Capture Protection – Prevent accidental or deliberate sharing of information via screen sharing apps or snipping tools.
  • Enable Azure Defender and Microsoft Defender for Cloud – Provides threat and vulnerability management assessments.
  • Operationalize Secure Score: Secure score provides recommendations and best practice advice for increasing security posture.
  • Microsoft Information protection – Discover, classify, and protect sensitive information wherever it lives or travels.
  • Azure Disk Encryption – Helps protect and safeguard data.

Disaster recovery methods Recommended by Microsoft

The disaster recovery methods we recommend are:

  • Configure and deploy Azure resources across multiple availability zones.
  • Configure and deploy Azure resources across multiple regions in either active-active or active-passive configurations. These configurations are typically found in shared host pools.
  • For personal host pools with dedicated VMs, replicate VMs using Azure Site Recovery to another region.
  • Configure a separate “disaster recovery” host pool in the secondary region. During a disaster, you can switch users over to the secondary region.

Pooled Host Pools:

For shared host pools, it is recommended to configure an “Active-Passive” strategy, where existing resources are split into a primary and a secondary region. Normally, the enterprise would conduct all of its business in the primary (or “active”) region, but in the event of an emergency, all that is necessary to transition to the secondary (or “passive”) region is to turn off the primary region’s resources (if possible, depending on the severity of the outage) and turn on those in the secondary region. The reference architecture for Active-Passive deployment.

Personal Host Pools:

For personal host pools, the disaster recovery strategy should involve replicating resources to a secondary region using Azure Site Recovery Services Vault. If the primary region goes down during a disaster, Azure Site Recovery can fail over and turn on the resources in the secondary region. The reference architecture for personal host pools deployment.

Azure Native Monitoring tool

Diagnostics is a feature of the managed Azure Service

Enable Diagnostics (below Screenshots are samples taken from Microsoft documentation)

Links for reference:

| Category | Articles |
|---|---|
| Set up diagnostics to monitor agent updates | https://learn.microsoft.com/en-us/azure/virtual-desktop/agent-updates-diagnostics |
| Use Azure Virtual Desktop Insights to monitor your deployment | https://learn.microsoft.com/en-us/azure/virtual-desktop/insights |
| Use Log Analytics for the diagnostics feature | https://learn.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics |
| Set up service alerts | https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-service-alerts |
| Resolve Azure Advisor recommendations | https://learn.microsoft.com/en-us/azure/virtual-desktop/azure-advisor-recommendations |
| Collect and query connection quality data | https://learn.microsoft.com/en-us/azure/virtual-desktop/connection-quality-monitoring |

This article discusses the best practices for Azure Virtual Desktop, and I hope you will like it.
