AZ-140 - Azure Virtual Desktop
Planning
Network requirements:
- Remote Desktop Protocol bandwidth requirements Azure Virtual Desktop - Azure | Microsoft Learn
- Azure Virtual Desktop Experience Estimator | Microsoft Azure
- https://www.azurespeed.com/
Questions:
- How many clients do I have?
- How many hours per day on average?
- What's the region for the end-users location?
- AVD Experience Estimator
Prerequisites
Prerequisites for Azure Virtual Desktop | Microsoft Learn
- Required URL List Required URLs for Azure Virtual Desktop | Microsoft Learn
- Required URL Check Use the Required URL Check tool for Azure Virtual Desktop | Microsoft Learn
Identity Services
AD vs ADDS vs Entra ID
The following table summarizes identity scenarios that Azure Virtual Desktop currently supports:
Identity scenario | Session hosts | User accounts |
---|---|---|
Azure AD + AD DS | Joined to AD DS | In Azure AD and AD DS, synchronized |
Azure AD + AD DS | Joined to Azure AD | In Azure AD and AD DS, synchronized |
Azure AD + Azure AD DS | Joined to Azure AD DS | In Azure AD and Azure AD DS, synchronized |
Azure AD + Azure AD DS + AD DS | Joined to Azure AD DS | In Azure AD and AD DS, synchronized |
Azure AD + Azure AD DS | Joined to Azure AD | In Azure AD and Azure AD DS, synchronized |
Azure AD only | Joined to Azure AD | In Azure AD |
Is ADDS needed for AVD?
- Yes, if Active Directory (AD DS) is still needed
- No, if standalone Azure AD join can be used
Azure AD Joined devices notes
- Azure Virtual Desktop (classic) doesn't support Azure AD-joined VMs.
- Azure AD-joined VMs don't currently support external identities, such as Azure AD Business-to-Business (B2B) and Azure AD Business-to-Consumer (B2C).
- Azure AD-joined VMs can only access Azure Files shares for hybrid users using Azure AD Kerberos for FSLogix user profiles.
- The Remote Desktop app for Windows doesn't support Azure AD-joined VMs.
RDP Shortpath
https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-shortpath
The following diagram gives a high-level overview of the network connections when using RDP Shortpath for public networks where the session hosts are joined to Azure Active Directory (Azure AD):
Configuration
- Configure RDP Shortpath - Azure Virtual Desktop | Microsoft Learn
- Session hosts
- Managed networks: Enable RDP Shortpath, Open port 3390
- Public networks: GPO
- Windows Clients
- GPO: Turn off UDP on Client: Disabled
- Intune: Administrative template: Turn off UDP on Client: Disabled
- Teredo Support
- While not required for RDP Shortpath, Teredo adds extra NAT traversal candidates and increases the chance of the successful RDP Shortpath connection in IPv4-only networks.
- Session hosts
Verify RDP Shortpath is working
Links:
- Configure RDP Shortpath - Azure Virtual Desktop | Microsoft Learn
- Troubleshoot RDP Shortpath for public networks - Azure Virtual Desktop | Microsoft Learn
- RDP Private
  - If TURN is used, the transport protocol is UDP (Relay)
  - If STUN is used, the transport protocol is UDP
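The session-host side of the managed-network configuration above (registry values, UDP 3390 firewall rule) and the listener check from the verify step, as an added PowerShell example that is not part of the original notes; the registry path and value names are the ones the Microsoft Learn configuration article uses, the NSG rule for UDP 3390 is assumed to be handled separately in Azure:

```powershell
# Added example, not from the original notes. Run elevated on a session host.
$RegPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RuleName = 'RemoteDesktop-UserMode-In-RDPShortpath-UDP'

function Enable-RdpShortpathManaged {
    param([int]$Port = 3390)   # 3390 is the default Shortpath port

    # 1. Tell the RDP stack to use the UDP port redirector on $Port.
    New-Item -Path $RegPath -Force | Out-Null
    New-ItemProperty -Path $RegPath -Name 'fUseUdpPortRedirector' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RegPath -Name 'UdpPortRedirectorPort' -PropertyType DWord -Value $Port -Force | Out-Null

    # 2. Host firewall: allow inbound UDP $Port only for the Remote Desktop
    #    service (TermService) inside svchost, not for any process.
    if (-not (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $RuleName `
            -DisplayName 'Remote Desktop - RDP Shortpath (UDP-In)' `
            -Direction Inbound -Action Allow -Protocol UDP -LocalPort $Port `
            -Program '%SystemRoot%\system32\svchost.exe' -Service TermService `
            -Profile Domain, Private -Enabled True | Out-Null
    }
    # The listener appears after Remote Desktop Services restarts (reboot the host).
}

function Test-RdpShortpathListener {
    param([int]$Port = 3390)

    # 3. Verify: is UDP $Port bound, and is the owner the TermService process?
    $endpoint = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    if ($null -eq $endpoint) {
        Write-Warning "No UDP listener on port $Port; RDP Shortpath is not active."
        return $false
    }
    $svcPid = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId
    $ok = ($endpoint | Where-Object OwningProcess -eq $svcPid) -ne $null
    if ($ok) { "UDP $Port is owned by TermService (PID $svcPid): Shortpath listener is up." }
    else     { Write-Warning "UDP $Port is bound, but not by TermService (PID $svcPid)." }
    return $ok
}

Enable-RdpShortpathManaged            # then reboot the session host
Test-RdpShortpathListener             # run again after the reboot
```

The client still has to negotiate UDP, so after a successful connection the connection-information dialog should show the transport as UDP (Private Network) for managed networks.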
Monitor and troubleshoot network connectivity
- Log Analytics
- Network Watcher
  - For every region with a vNet, a Network Watcher is created (NetworkWatcherRG)
  - Lets us monitor and troubleshoot network issues
  - IP flow verify
  - NSG diagnostics
    - Returns all NSGs for a source-destination pair
  - Next hop
    - Hops from Source to Destination
  - Effective security rules
- Network Interface
  - Insights
  - Metrics
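The three Network Watcher checks listed above, run from Az PowerShell against a session host to confirm that RDP Shortpath's UDP 3390 is actually reachable; this is an added example, not from the original notes, and the resource group, VM, NIC name and client IP are placeholder assumptions:

```powershell
# Added example, not from the original notes. Requires Az.Compute and Az.Network
# and an authenticated session (Connect-AzAccount).
$rg       = 'rg-avd-hosts'      # assumption
$vmName   = 'avd-host-01'       # assumption
$nicName  = 'avd-host-01-nic'   # assumption
$clientIp = '10.10.0.25'        # assumption: a client on the managed network

$vm     = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic    = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$hostIp = $nic.IpConfigurations[0].PrivateIpAddress

# One Network Watcher per region; by default it lives in NetworkWatcherRG.
$nw = Get-AzNetworkWatcher -Location $vm.Location

# IP flow verify: would an inbound UDP 3390 datagram from the client be allowed,
# and which NSG rule decides that?
$flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw `
    -TargetVirtualMachineId $vm.Id -Direction Inbound -Protocol UDP `
    -LocalIPAddress $hostIp -LocalPort 3390 `
    -RemoteIPAddress $clientIp -RemotePort 50000
"IP flow verify (UDP 3390 from {0}): {1}, rule {2}" -f $clientIp, $flow.Access, $flow.RuleName

# Next hop: how does return traffic from the session host reach the client?
$hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw `
    -TargetVirtualMachineId $vm.Id `
    -SourceIPAddress $hostIp -DestinationIPAddress $clientIp
"Next hop to {0}: {1} {2}" -f $clientIp, $hop.NextHopType, $hop.NextHopIpAddress

# Effective security rules: the merged NIC + subnet NSG rules as applied to
# this NIC, filtered to the inbound rules that could touch UDP.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    ForEach-Object { $_.EffectiveSecurityRules } |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Protocol -in 'Udp', 'All' } |
    Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

If IP flow verify reports Deny, the rule name it returns is the one to fix; an Allow here with no listener on the host points back at the session-host configuration instead.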
Storage for AVD user data
FSLogix for User Data Storage
- FSLogix recommended
- Stores data in single container
- Is dynamically attached as a VHD/VHDX
- The user profile appears like a normal local profile
- Additional folders can be added to the user profiles
Reasons for operating system replacement:
- Upgrade OS
- Replacement VM
- Pooled
Azure Files
Azure Files integration with Entra Domain Services
- Azure Files supports AD authentication
- Azure Files is a premium solution due to cost and administrative overhead
Requirements:
- Must be in the same region as the session host VMs
- Permissions should match permissions of Requirements - Profile Containers
- Each host pool VM must be built from the same VM type and based on the same master image
- Each host pool must be in the same group to aid management, scaling and updating
- For optimal performance, the storage solution and the FSLogix profile container should be in the same datacenter location
- The storage account containing the master image must be in the same region and subscription where the VMs are being provisioned
File shares
- Enable Active Directory authentication with “Azure AD Kerberos”
- Azure AD Kerberos allows using Kerberos authentication from Entra ID-joined clients. User accounts must be hybrid identities.
Azure NetApp Files
Overview
- Azure native, first-party, enterprise-class, high performance file storage service
- NAS volumes for which you can create NetApp accounts, capacity pools, service and performance levels
- Supports SMB and NFS
- Built-in HA, data protection and disaster recovery capabilities
- Service levels can be changed anytime
- Support for Availability Zones
- SLA of 99.99%
- Snapshot copies
- Integrated Backup
- Data replication between regions and AZs
- Supports RBAC, AD, Entra Domain Services, LDAP and Azure Policy
Plan host pools and sessions hosts
Supported OS with licenses:
Operating system | User access rights |
---|---|
• Windows 11 Enterprise multi-session • Windows 11 Enterprise • Windows 10 Enterprise multi-session • Windows 10 Enterprise | License entitlement: • Microsoft 365 E3, E5, A3, A5, F3, Business Premium, Student Use Benefit |