Plan a Host Pool Architecture and Recommendations for Resource Groups, Subscriptions, and Management Groups – Design the Azure Virtual Desktop Architecture

Plan a Host Pool Architecture and Recommendations for Resource Groups, Subscriptions, and Management Groups

We’ll cover several topics in this section.

What Are Host Pools?

A host pool is a collection of Azure virtual machines with the same configuration. An Azure VM is registered to Azure Virtual Desktop as a session host when you run the Azure Virtual Desktop agent on it. All session host virtual machines in a host pool should be sourced from the same image for a consistent user experience.

A host pool can be one of two types.

• Personal, where each user is assigned to an individual session host.

• Pooled, where session hosts accept connections from any user authorized to an app group within the host pool.

You can set additional properties on the host pool to change its load-balancing behavior and the number of sessions each session host can take. You control the resources published to users through app groups. Refer to the “Configure host pool settings” section in Chapter 8 for a detailed host pool configuration.

What Are App Groups?

An app group is a logical grouping of applications installed on session hosts in the host pool. An app group can be one of two types.

• RemoteApp: Users access the RemoteApps (individual applications such as Word or Excel) that you publish to the app group. To publish a RemoteApp, you must create a RemoteApp app group. You can create multiple RemoteApp app groups to accommodate different worker scenarios. Different RemoteApp app groups can also contain overlapping RemoteApp instances.

• Desktop: Users access the full desktop. By default, a desktop app group is automatically created whenever you create a host pool. You can’t create another desktop app group in the host pool while a default desktop app group exists, but you can delete the default desktop group and create a new one with a different name, or use PowerShell/ARM to create a desktop group that follows the naming standards you want.

To publish resources to users, you must assign them to app groups. When assigning users to app groups, consider the following:

• A user can be assigned to both a desktop app group and a RemoteApp app group in the same host pool. However, users can’t launch both types of app groups at the same time in a single session.

• A user can be assigned to multiple app groups within the same host pool, and their feed is the combination of those app groups.

Azure Advisor Tool to Monitor Azure Virtual Desktop – Implement and Manage Networking for Azure Virtual Desktop

Azure Advisor Tool to Monitor Azure Virtual Desktop

You can use Azure Advisor to monitor Azure Virtual Desktop. Azure Advisor is the go-to tool, and I frequently use it for monitoring issues. Whenever you come across an issue in Azure Virtual Desktop, always check Azure Advisor first. Azure Advisor will give you directions for how to solve the problem, or at least point you toward a resource that can help. This section will tell you how to set up Azure Advisor in your Azure Virtual Desktop deployment to help your users.

What Is Azure Advisor?

Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.

How Do I Start Using Azure Advisor?

All you need to get started is an Azure account on the Azure portal. First, open the Azure portal and then select Advisor under Azure Services, as shown in Figure 4-40. You can also enter Azure Advisor into the search bar in the Azure portal.

Figure 4-40.  Azure Advisor

When you open Azure Advisor, you will see five different categories: Cost, Security, Reliability, Operational Excellence, and Performance.

Tips  For Azure Advisor, make sure to check your recommendations regularly. Azure Advisor updates its active recommendations multiple times per day. Reviewing the latest recommendations can help you avoid larger issues by spotting and solving smaller ones. Always try to solve the issues with the highest priority level in Azure Advisor first. High-priority issues are marked in red. Leaving high-priority recommendations unresolved can lead to problems down the line.

Best practice: If a recommendation seems less important, you can dismiss it or postpone it. But do not dismiss recommendations until you know why they are appearing and are sure they won’t have a negative impact on you or your users.

Troubleshoot Graphic Performance and Quality Issues – Implement and Manage Networking for Azure Virtual Desktop

Troubleshoot Graphic Performance and Quality Issues

As an admin, you must know how to detect and troubleshoot experience quality issues with your remote desktop sessions. The relevant counters are found under the “RemoteFX Graphics” section of Performance Monitor. The following questions help you identify and resolve graphics-related performance bottlenecks during Remote Desktop Protocol (RDP) sessions using these counters.

• How Do I Find the Remote Session Name?

It is important to find the remote session name in order to find the graphics performance counters. Follow these steps to identify your instance of each counter:

1. First open the Windows command prompt from your remote session, then run the qwinsta command and find your session name.

If your session is hosted in a multisession virtual machine (VM), your instance of each counter is suffixed by the same number that suffixes your session name, such as rdp-tcp 37.

If your session is hosted in a VM that supports virtual graphics processing units (vGPUs), your instance of each counter is stored on the server instead of in your VM. Your counter instances include the VM name instead of the number in the session name, such as “Win8 Enterprise VM.”

• How Do I Access Performance Counters?

Once you have identified your remote session name, perform these steps to collect the RemoteFX Graphics performance counters for your remote session:

1. First click Start ➤ Administrative Tools ➤ Performance Monitor.

2. In the Performance Monitor dialog box, expand Monitoring Tools, select Performance Monitor, and then select Add.

3. In the Add Counters dialog box, from the Available Counters list, expand the section RemoteFX Graphics. Then choose the counters to be monitored.

4. In the “Instances of selected object” list, select the specific instances to be monitored for the selected counters and then select Add. To select all the available counter instances, select All instances, and then after adding the counters, select OK.

Finally, the chosen performance counters will appear on the Performance Monitor screen.

• How Do I Diagnose Graphics-Related Performance Issues?

Remember, graphics-related performance problems normally fall into four types: low frame rate, random stalls, high input latency, and poor frame quality.

To address low frame rate, random stalls, and high input latency, first check the Output Frames/Second counter. This measures the number of frames made available to the client. If this value is less than the Input Frames/Second counter, frames are being skipped. To identify the bottleneck, use the Frames Skipped/Second counters. There are three types of Frames Skipped/Second counters.

• Frames Skipped/Second (Insufficient Server Resources)

• Frames Skipped/Second (Insufficient Network Resources)

• Frames Skipped/Second (Insufficient Client Resources)

A high value for any of the Frames Skipped/Second counters implies that the problem is related to the resource the counter tracks. If the Output Frames/Second counter matches the Input Frames/Second counter but you still notice unusual lag or stalling, Average Encoding Time may be the culprit. Encoding is a synchronous process that occurs on the server in the single-session (vGPU) scenario and on the VM in the multisession scenario. Average Encoding Time should be less than 33 ms.

Since RDP supports an Average Encoding Time of 33 ms, it supports an input frame rate of up to 30 frames/second. Note that 33 ms per frame (30 frames/second) is the maximum supported frame rate. In many cases, the frame rate experienced by the user will be lower, depending on how often a frame is provided to RDP by the source.

• How Do I Check for Poor Frame Quality?

Use the Frame Quality counter to diagnose frame quality issues. This counter expresses the quality of the output frame as a percentage of the quality of the source frame. The quality loss may be due to RemoteFX, or it may be inherent to the graphics source. If RemoteFX caused the quality loss, the issue may be a lack of network or server resources to send higher-fidelity content.
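As an added example (not from the book), the following PowerShell collects the RemoteFX Graphics counters for one session instance and applies the decision rules from the last two questions: output below input means frames are being skipped and the three Frames Skipped counters name the short resource; if input and output match, an Average Encoding Time above 33 ms is the suspect; Frame Quality is checked last. The counter-set name, the phrases matched in counter names, the 80% frame-quality threshold (the book fixes none), the instance name RDP-Tcp 37 and the constructed sample values are all assumptions.

```powershell
# Added example, not from the book. Run Get-RemoteFxSample on the session host (needs a live RDP
# session); Get-RdpGraphicsDiagnosis works offline on any hashtable of counter name -> value.

function Get-RemoteFxSample {
    param(
        [Parameter(Mandatory)] [string] $Instance,   # e.g. 'RDP-Tcp 37' (from qwinsta) or the VM name for vGPU
        [int] $Samples = 5                           # average 5 x 1 s samples so one spike is not misread
    )
    # Wildcard pulls every counter of the set for this instance in one call (assumed set name).
    $data = Get-Counter -Counter "\RemoteFX Graphics($Instance)\*" -SampleInterval 1 -MaxSamples $Samples
    $sums = @{}; $counts = @{}
    foreach ($s in $data.CounterSamples) {
        $name = ($s.Path -split '\\')[-1]            # keep only the counter name
        $sums[$name]   = [double]$sums[$name] + $s.CookedValue
        $counts[$name] = [int]$counts[$name] + 1
    }
    $avg = @{}
    foreach ($name in $sums.Keys) { $avg[$name] = $sums[$name] / $counts[$name] }
    return $avg
}

function Get-RdpGraphicsDiagnosis {
    param(
        [Parameter(Mandatory)] [hashtable] $Counters,  # counter name -> averaged value
        [int] $MinFrameQuality = 80                    # assumed threshold; the book gives none
    )
    # Look a counter up by a phrase in its name, so minor naming differences between
    # Windows versions do not break the matching.
    function Find-Value([string] $Pattern) {
        $k = $Counters.Keys | Where-Object { $_ -like "*$Pattern*" } | Select-Object -First 1
        if ($k) { return [double]$Counters[$k] } else { return $null }
    }
    $in   = Find-Value 'Input Frames'
    $out  = Find-Value 'Output Frames'
    $enc  = Find-Value 'Average Encoding Time'
    $qual = Find-Value 'Frame Quality'
    $findings = New-Object System.Collections.Generic.List[string]

    if ($null -ne $in -and $null -ne $out -and $out -lt $in) {
        # Frames are being skipped; the three Frames Skipped counters say which resource is short.
        $findings.Add("Output $([math]::Round($out,1)) fps is below input $([math]::Round($in,1)) fps: frames are being skipped.")
        foreach ($res in 'Server', 'Network', 'Client') {
            $skipped = Find-Value "Insufficient $res"
            if ($skipped -gt 0) { $findings.Add("  Bottleneck: insufficient $res resources ($skipped frames/s skipped).") }
        }
    }
    elseif ($null -ne $enc -and $enc -gt 33) {
        # Input and output match, yet the session stalls: encoding exceeds the 33 ms budget (30 fps).
        $findings.Add("Average Encoding Time $enc ms exceeds 33 ms: encoding on the VM/server is the bottleneck.")
    }
    if ($null -ne $qual -and $qual -lt $MinFrameQuality) {
        $findings.Add("Frame Quality $qual% is below $MinFrameQuality%: check network/server capacity for higher-fidelity content.")
    }
    if ($findings.Count -eq 0) { $findings.Add('No graphics bottleneck detected by these counters.') }
    return $findings
}

# Constructed sample (no live session needed) describing a network-bound session.
$sample = @{
    'Input Frames/Second'  = 30
    'Output Frames/Second' = 12
    'Frames Skipped/Second - Insufficient Server Resources'  = 0
    'Frames Skipped/Second - Insufficient Network Resources' = 18
    'Frames Skipped/Second - Insufficient Client Resources'  = 0
    'Average Encoding Time' = 20
    'Frame Quality'         = 95
}
Get-RdpGraphicsDiagnosis -Counters $sample
# On a session host: Get-RdpGraphicsDiagnosis -Counters (Get-RemoteFxSample -Instance 'RDP-Tcp 37')
```

For the constructed sample the function reports skipped frames attributed to insufficient network resources, which is the case the text says to confirm by inspecting the Frames Skipped/Second counters rather than the encoding time.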

Azure Virtual Desktop Multisession (Pooled) – Design the Azure Virtual Desktop Architecture

Azure Virtual Desktop Multisession (Pooled)

Sizing Recommendation

Table 2-6 lists the reference usage profiles and VM sizes available for pooled/multisession AVD. The table shows an example of a smaller, proof-of-concept scenario with a user workload of fewer than 20 users.

Table 2-6.  Azure Virtual Desktop Pooled Sizing Recommendation for POC

Table 2-7 shows an example of a smaller, proof-of-concept scenario with a user workload of more than 20 users.

Table 2-7.  Azure Virtual Desktop Pooled Sizing Recommendation

It is always recommended to consider the application/software recommendations while deciding on the usage profile for pooled instances.

Multisession (Pooled) sizing example: Suppose you have 100 users who want to use application “xyz” on a pooled host pool, and all users are in the same region. The application xyz recommendation is a minimum of one CPU and 2 GB of memory. In this case, you can go with a D8s_v4 VM, which comes with eight CPUs and 16 GB of memory and allows you to assign eight users per VM. A D4s_v4 could be used, but it increases the number of VMs, which results in additional cost for the OS disks. Table 2-8 is the reference size and per-user cost calculation.

Table 2-8.  Azure Virtual Desktop Pooled Sizing Example

Azure Virtual Desktop Single-Session (Personal) Sizing Recommendations for Greenfield Deployment

For VM sizing recommendations for single-session scenarios, we recommend at least two physical CPU cores per VM (typically four vCPUs with hyperthreading). If you need more specific VM sizing recommendations for single-session scenarios, ask the software vendors specific to your workload. VM sizing for single-session VMs will likely align with physical device guidelines.

Test Pooled/Personal Azure Virtual Desktop Workload

Microsoft recommends using simulation tools (such as LoginVSI) to test your Azure Virtual Desktop with both stress tests and real-life usage simulations. Make sure your system is responsive and resilient enough to meet user needs, and remember to vary the load size to avoid surprises after moving into production.

Select an Appropriate Licensing Model for Azure Virtual Desktop Based on the Requirements – Design for User Identities and Profiles

Select an Appropriate Licensing Model for Azure Virtual Desktop Based on the Requirements

Azure Virtual Desktop requires a per-user or per-device license to access the desktop, so you must plan the licensing model before you plan the Azure Virtual Desktop deployment. Azure Virtual Desktop (AVD) supports Windows 7/10 and Windows Server licenses as well, and you can select the appropriate licenses based on the operating system you want to use for AVD. The following are the supported licenses for Azure Virtual Desktop:

• BYOL Windows 10 and Windows 7: You are eligible to access Windows 10 and Windows 7 with Azure Virtual Desktop if you have one of the following per-user licenses:

  • Microsoft 365 E3/E5

  • Microsoft 365 A3/A5/Student Use Benefits

  • Microsoft 365 F3

  • Microsoft 365 Business Premium

  • Windows 10 Enterprise E3/E5

  • Windows 10 Education A3/A5

  • Windows 10 VDA per user

• BYOL Windows Server: You are eligible to access Windows Server with Azure Virtual Desktop if you have a per-user or per-device RDS CAL license with active Software Assurance (SA).

• Per-user access pricing for external users: You can also pay a monthly per-user fee to access Azure Virtual Desktop for external users.

Plan for Azure Virtual Desktop Client Deployment – Design for User Identities and Profiles

Plan for Azure Virtual Desktop Client Deployment

The Azure Virtual Desktop client lets end users connect to the Azure Virtual Desktop instance assigned to them over the Internet/intranet. Different Azure Virtual Desktop clients are available depending on the end-user device/operating system type. It is recommended to use a desktop client instead of the web client, because the desktop client supports audio/video redirection on Azure Virtual Desktop.

The following are the clients available to access Azure Virtual Desktop:

• Windows Desktop clients

• Web clients

• Android clients

• macOS clients

• iOS clients

• Linux or thin clients

There are different ways to install a client on an end-user device.

• Domain-joined user device (automated deployment): SCCM can be used to push the Azure Virtual Desktop client to the end-user device, or the client can be published in Software Center so that authorized users can deploy it on their devices/laptops. Alternatively, AD Group Policy can be used to deploy the Azure Virtual Desktop client on an end user’s laptop using a logon script, and the Group Policy can be assigned to the security group created for each host pool.

• Nondomain-joined user device (manual deployment): The appropriate Azure Virtual Desktop client can be downloaded from the Microsoft site or another app store and installed on the user’s laptop/device manually.

Plan for User Profiles

A user profile is an important factor to consider when planning and designing pooled Azure Virtual Desktop. As we know by now, the pooled version is nonpersistent, and the Azure Virtual Desktop load balancer can send a session to any of the back-end session hosts in the pooled host pool. In this case, the user profile needs to be available on all session hosts so that the user gets the same desktop/settings at every login, and that can be done using FSLogix. FSLogix stores user profiles on a storage account and attaches the user profile to the VM to which Azure Virtual Desktop redirects the user session.

FSLogix needs to be configured on all session hosts in the host pool, pointing to the same storage account where user profiles are stored. It is recommended to use a premium storage account for each host pool in each region. Storage accounts support failover so that user profile data can be failed over to a DR region in a disaster recovery scenario.

Figure 3-1 shows a typical pooled desktop user profile placement. The following are some recommendations:

• You need a separate virtual network with dedicated subnets for each host pool (pooled and personal) in each region, and you need to peer the AVD virtual network with the hub virtual network in that region.

• You need dedicated user profile storage for each pooled host pool.

• User profile storage access is restricted to a specific virtual network/subnet.

• Enable storage account access over a private endpoint from the virtual network.

• Host pools of the same type in the same region (i.e., belonging to the same business unit) can share a storage account for user profiles as long as there are no compliance/information security requirements against it.

• The storage account needs to be joined to the domain, allowing specific users/groups to access the content.

• Consider geo-replication to a DR region if you are planning to enable disaster recovery for the pooled host pool. Premium file storage does not support geo-replication, so if you want to implement DR, you must select the standard storage account tier or use FSLogix Cloud Cache to store user profiles on multiple storage accounts in different regions.

Figure 3-1.  Azure Virtual Desktop pooled user profile placement

Table 3-2 lists the workload types and recommended storage tier to achieve better performance of AVD.
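The recommendations above (dedicated premium profile storage per pooled host pool, access restricted to the session host subnet over a private endpoint, domain-joined storage with access limited to specific groups, and Cloud Cache as the DR option for premium shares) put into PowerShell as an added example; this is not the book’s code. All names are assumptions: resource group rg-avd-pooled-fin-eastus, storage account stavdprofilesfin01, virtual network vnet-avd-eastus with subnet snet-pooled, AD group sg-avd-pooled-fin and OU OU=AVD,DC=corp,DC=example. It uses the Az.Storage, Az.Network and Az.Resources modules plus Microsoft’s AzFilesHybrid module for the domain join.

```powershell
# Added example, not from the book. Part 1 runs with Azure permissions from a domain-joined
# machine (AzFilesHybrid needs AD access); Part 2 runs on every session host of the pool.
Import-Module AzFilesHybrid

$rg       = 'rg-avd-pooled-fin-eastus'   # assumed: one resource group per host pool
$saName   = 'stavdprofilesfin01'         # assumed storage account name
$location = 'eastus'

# --- Part 1: storage account, lockdown, domain join, share-level access ---------------------
# Premium file share for profiles. FileStorage accounts support only LRS/ZRS, so geo
# replication is not available here; DR is handled by FSLogix Cloud Cache in Part 2.
$account = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
    -SkuName Premium_LRS -Kind FileStorage -MinimumTlsVersion TLS1_2 -EnableHttpsTrafficOnly $true
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $saName -Name 'profiles' -QuotaGiB 1024 | Out-Null

# Deny all public network access; session hosts reach the share only through the private endpoint.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny -Bypass None | Out-Null

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-avd-eastus'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-pooled'
$link   = New-AzPrivateLinkServiceConnection -Name 'plsc-profiles-file' `
    -PrivateLinkServiceId $account.Id -GroupId 'file'
New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-profiles-file' -Location $location `
    -Subnet $subnet -PrivateLinkServiceConnection $link | Out-Null
# A privatelink.file.core.windows.net private DNS zone linked to the vnet is also required so the
# account FQDN resolves to the private IP; omitted here for brevity.

# Domain-join the storage account (creates a computer object in the given OU) so SMB can use
# AD credentials, then grant share-level access to the host pool's user group only.
Join-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $saName `
    -DomainAccountType ComputerAccount -OrganizationalUnitDistinguishedName 'OU=AVD,DC=corp,DC=example'
$group = Get-AzADGroup -DisplayName 'sg-avd-pooled-fin'
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope "$($account.Id)/fileServices/default/fileshares/profiles" | Out-Null

# --- Part 2: FSLogix on each session host (identical values on every host in the pool) --------
$fsl = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $fsl -Force | Out-Null
Set-ItemProperty -Path $fsl -Name Enabled      -Type DWord       -Value 1
Set-ItemProperty -Path $fsl -Name VHDLocations -Type MultiString -Value @("\\$saName.file.core.windows.net\profiles")
Set-ItemProperty -Path $fsl -Name DeleteLocalProfileWhenVHDShouldApply -Type DWord -Value 1
# DR alternative: replace VHDLocations with Cloud Cache locations in two regions
# (second account name is an assumption).
# Set-ItemProperty -Path $fsl -Name CCDLocations -Type MultiString -Value @(
#     'type=smb,connectionString=\\stavdprofilesfin01.file.core.windows.net\profiles',
#     'type=smb,connectionString=\\stavdprofilesfindr01.file.core.windows.net\profiles')
```

Share-level RBAC only decides who may mount the share; NTFS permissions on the profiles folder still need to be set once from a domain-joined host so that each user can reach only their own profile container.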

Recommended Solution for Network Connectivity – Design for User Identities and Profiles

Recommended Solution for Network Connectivity

Azure networking products and services support a wide variety of networking capabilities, so it is important to correctly identify the network requirements for your Azure Virtual Desktop deployment. How you structure these services and the networking architectures you choose depend on your organization’s workload, governance, and connectivity requirements.

The decision tree (common assessment framework) in Figure 3-2 can help you determine the networking tools or services to use for Azure Virtual Desktop.

The following questions can help you make decisions based on the Azure networking services:

• How many IP addresses do you need in your virtual network (based on the size of the Azure Virtual Desktop virtual network)?

The number of IP addresses needed in the virtual network depends mainly on the number of session hosts you want to deploy in the virtual network, plus buffer IP addresses for future growth. Use appropriate address ranges as defined in your existing networking architecture so that you can scale out your Azure virtual network infrastructure.

• Will your workloads require connectivity between virtual networks and your on-premises datacenter?

You need on-premises connectivity if you want to extend your on-premises Active Directory domain into Azure or allow an application that runs on your Azure Virtual Desktop deployment to reach on-premises resources.

• Will you need to inspect and audit outgoing traffic by using on-premises network devices?

Your security policies might require Internet-bound outgoing traffic to pass through centrally managed devices in the cloud or in the on-premises environment. This can be achieved by using forced tunneling to direct all traffic to a specific firewall/device.

• Do you need multiple virtual networks?

The number of virtual networks you need depends on the number of regions in which you want to deploy Azure Virtual Desktop session hosts. If you plan to deploy Azure Virtual Desktop in multiple regions, you need a virtual network in each of those regions with all the connectivity and security controls.

• Do you need to connect multiple virtual networks?

You can use virtual network peering to connect to services in another Azure virtual network. For example, all the shared services such as the extended AD DS and DNS are present in a hub virtual network, and you want Azure Virtual Desktop to use those shared services for name resolution and authentication.

• Will you need custom DNS and a domain join?

Yes, Azure Virtual Desktop supports domain join for session hosts so that you can apply organization-specific compliance policies to the session host. The AVD virtual network DNS settings can be changed to custom DNS pointing at the organization-specific DNS servers, so that Active Directory domain names resolve and the session host can join the domain.
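The sizing, custom DNS and peering questions above, worked through in PowerShell as an added example (not the book’s code). The two helper functions turn a session host count into the smallest subnet that still leaves a growth buffer; the rest creates the AVD virtual network with one subnet per host pool type, custom DNS pointing at the domain controllers, and a two-way peering with the regional hub. Assumptions: resource group rg-avd-prod-eastus, address space 10.50.0.0/22, domain controllers 10.0.0.4 and 10.0.0.5, hub vnet-hub-eastus in rg-hub-eastus that already has a VPN/ExpressRoute gateway, a 50% growth buffer, and the host counts used in the calls.

```powershell
# Added example, not from the book. Requires the Az.Network module and a selected subscription.

function Get-UsableAddressCount {
    # Azure reserves 5 addresses in every subnet (network address, 3 for Azure, broadcast);
    # /29 is the smallest subnet Azure allows.
    param([Parameter(Mandatory)] [ValidateRange(8, 29)] [int] $PrefixLength)
    return [int]([math]::Pow(2, 32 - $PrefixLength) - 5)
}

function Get-SubnetPrefixLength {
    # Smallest prefix that holds the planned session hosts plus a growth buffer (assumed 50 %).
    param([Parameter(Mandatory)] [int] $SessionHosts, [double] $GrowthFactor = 1.5)
    $needed = [math]::Ceiling($SessionHosts * $GrowthFactor)
    for ($p = 29; $p -ge 8; $p--) {
        if ((Get-UsableAddressCount -PrefixLength $p) -ge $needed) { return $p }
    }
    throw "No single subnet can hold $needed addresses."
}

# 13 pooled hosts (100 users at 8 per D8s_v4) and 40 personal hosts, both assumed counts.
$pooledPrefix   = Get-SubnetPrefixLength -SessionHosts 13   # -> 27 (27 usable addresses for 20 needed)
$personalPrefix = Get-SubnetPrefixLength -SessionHosts 40   # -> 25 (123 usable addresses for 60 needed)

# Base addresses are /24-aligned, so any prefix of 24 or longer is a valid subnet here.
$pooled   = New-AzVirtualNetworkSubnetConfig -Name 'snet-pooled'   -AddressPrefix "10.50.0.0/$pooledPrefix"
$personal = New-AzVirtualNetworkSubnetConfig -Name 'snet-personal' -AddressPrefix "10.50.1.0/$personalPrefix"

# Custom DNS points at the domain controllers so session hosts can resolve and join the AD domain.
$avdVnet = New-AzVirtualNetwork -ResourceGroupName 'rg-avd-prod-eastus' -Name 'vnet-avd-eastus' `
    -Location 'eastus' -AddressPrefix '10.50.0.0/22' -Subnet $pooled, $personal `
    -DnsServer '10.0.0.4', '10.0.0.5'

# Peer with the regional hub (shared services, firewall, on-premises gateway). The hub side is
# created first with gateway transit so the spoke side can use the hub's gateway.
$hub = Get-AzVirtualNetwork -ResourceGroupName 'rg-hub-eastus' -Name 'vnet-hub-eastus'
Add-AzVirtualNetworkPeering -Name 'peer-hub-to-avd' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $avdVnet.Id -AllowForwardedTraffic -AllowGatewayTransit | Out-Null
Add-AzVirtualNetworkPeering -Name 'peer-avd-to-hub' -VirtualNetwork $avdVnet `
    -RemoteVirtualNetworkId $hub.Id -AllowForwardedTraffic -UseRemoteGateways | Out-Null
```

Sizing the subnet from the host count rather than picking a /24 by habit matters in both directions: too small and the host pool cannot scale out, too large and the range collides with the address plan the hub already carries.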

Planning Azure AD Connect for User Identities – Design for User Identities and Profiles

Planning Azure AD Connect for User Identities

Azure Virtual Desktop supports desktop authentication with Active Directory Domain Services. The AD DS directory can be synchronized with Azure AD to enable it to authenticate on-premises users.

There are two levels of authentication for Azure Virtual Desktop: one at the Azure Virtual Desktop access level and another at desktop login. The Azure Virtual Desktop session host can be joined to the AD domain, and domain credentials can be used to log in to the desktop, whereas Azure Virtual Desktop authentication is done by Azure AD; AD DS needs to be synced with Azure AD if you want to use the same credentials for both logins.

Note  Azure AD domain services (AAD DS) and Active Directory Domain Services (AD DS) are two different services.

There are two different AD DS options available and supported by Azure Virtual Desktop. You can select the appropriate AD DS solution based on your organization requirements.

Identity Design Considerations

The following are some identity design considerations:

• Azure Virtual Desktop users must be sourced either from the same instance of on-premises Active Directory Domain Services (AD DS) that is synchronized to Azure Active Directory (Azure AD), with the session host joined to that same AD DS, or from an instance of Azure AD Domain Services (Azure AD DS) synchronized from Azure AD.

Note  Azure Virtual Desktop does not support business-to-business or Microsoft accounts.

• A domain join account can’t have multifactor authentication or interactive prompts, and it needs permission on the AD DS OU to add a computer account.

• Azure Virtual Desktop supports AD DS or Azure AD DS, and an appropriate identity provider needs to be selected based on the application requirement.

• When joining to an Azure AD DS domain, the account must be part of the Azure AD DC administrators’ group, and the account password must work in Azure AD DS.

• Azure AD DS (AAD DS) is a supported option, but there are limitations:

  • You must have password hash synchronization enabled (uncommon when federating Azure AD).

  • You can project Azure AD DS into only a single virtual network (and single Azure region) that uses a nonpublic IP address range. You can’t add domain controllers to an Azure AD DS domain.

  • You cannot use a hybrid join for Azure Virtual Desktop VMs to enable Azure Active Directory seamless single sign-on for Microsoft 365 services.

• Always specify an organizational unit distinguished name (DN) for domain joining without quotation marks.

• The user principal name used to subscribe to Azure Virtual Desktop must exist in the Active Directory domain where the session host virtual machine is joined.

• Smart cards and Windows Hello authentication need a direct connection (line of sight) with an Active Directory domain controller for Kerberos.

• Using Windows Hello for Business requires the hybrid certificate trust model to be compatible with Azure Virtual Desktop.

• Single sign-on can improve the user experience, but it requires additional configuration and is supported only using Active Directory Federation Services.

How Does AVD Secure the Connection? – Implement and Manage Networking for Azure Virtual Desktop

How Does AVD Secure the Connection?

Azure Virtual Desktop utilizes TLS 1.2 for all connections initiated from the clients and session hosts to the Azure Virtual Desktop infrastructure components. For reverse connect transport, both the client and session hosts connect to the Azure Virtual Desktop gateway. After establishing the TCP connection, the client or session host validates the Azure Virtual Desktop gateway’s certificate. After establishing the base transport, RDP establishes a nested TLS connection between the client and session host using the session host’s certificates. By default, the certificate used for RDP encryption is self-generated by the OS during the deployment.

Implement and Manage Network Security

Before looking at how to manage network security in Azure Virtual Desktop, you as an Azure Virtual Desktop admin must remember that when an end user connects to an Azure Virtual Desktop environment, their session runs on a host pool. A host pool is simply a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts.

Since these virtual desktops are connected remotely within your virtual network, they are subject to the virtual network security controls. They need outbound Internet access to the Azure Virtual Desktop service to operate properly and might also need outbound Internet access for end users. Azure Firewall is an essential part of network security, and it can help you lock down your environment and filter outbound traffic.

Filtering outbound traffic allows only the required connections; unwanted traffic can be dropped at the firewall level. Figure 4-33 shows the Azure Virtual Desktop security system.

Figure 4-33.  Azure Virtual Desktop Security system

Figure 4-33 also shows how Azure Firewall provides additional protection for your Azure Virtual Desktop host pool.
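The outbound filtering just described, together with the forced tunneling mentioned in the networking questions earlier, as an added PowerShell example (not the book’s code): Azure Firewall gets a network rule collection for the service endpoints session hosts must reach and an application rule collection using Microsoft’s WindowsVirtualDesktop FQDN tag, and a route table sends all Internet-bound traffic from the session host subnets through the firewall. Everything not matched by a rule is dropped by the firewall’s default deny. Assumptions: firewall afw-hub-eastus in rg-hub-eastus, session host subnets 10.50.0.0/27 and 10.50.1.0/25 in vnet-avd-eastus (rg-avd-prod-eastus); the KMS activation rule on TCP 1688 comes from Microsoft’s published required-URL list, not from this chapter.

```powershell
# Added example, not from the book. Requires the Az.Network module.

$fw    = Get-AzFirewall -ResourceGroupName 'rg-hub-eastus' -Name 'afw-hub-eastus'
$hosts = '10.50.0.0/27', '10.50.1.0/25'          # assumed session host subnets

# Network rules: the service endpoints session hosts must reach. Azure Firewall denies
# everything not matched by a rule, so only these outbound flows survive.
$rules = @(
    New-AzFirewallNetworkRule -Name 'avd-control-plane' -Protocol TCP -SourceAddress $hosts `
        -DestinationAddress 'WindowsVirtualDesktop' -DestinationPort 443
    New-AzFirewallNetworkRule -Name 'azure-monitor' -Protocol TCP -SourceAddress $hosts `
        -DestinationAddress 'AzureMonitor' -DestinationPort 443
    New-AzFirewallNetworkRule -Name 'kms-activation' -Protocol TCP -SourceAddress $hosts `
        -DestinationAddress 'AzureCloud' -DestinationPort 1688
)
$netColl = New-AzFirewallNetworkRuleCollection -Name 'avd-required-network' -Priority 200 `
    -Rule $rules -ActionType Allow

# Application rule: the WindowsVirtualDesktop FQDN tag covers the agent, diagnostics and
# update URLs the service itself needs; end-user browsing still needs its own rules.
$appRule = New-AzFirewallApplicationRule -Name 'avd-fqdn-tag' -SourceAddress $hosts `
    -FqdnTag 'WindowsVirtualDesktop'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'avd-required-app' -Priority 200 `
    -Rule $appRule -ActionType Allow

$fw.AddNetworkRuleCollection($netColl)
$fw.AddApplicationRuleCollection($appColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Forced tunneling: route all Internet-bound traffic from the session host subnets to the
# firewall's private IP so nothing bypasses the filtering above.
$route = New-AzRouteConfig -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fw.IpConfigurations[0].PrivateIPAddress
$rt = New-AzRouteTable -ResourceGroupName 'rg-avd-prod-eastus' -Name 'rt-avd-eastus' `
    -Location 'eastus' -Route $route
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'rg-avd-prod-eastus' -Name 'vnet-avd-eastus'
foreach ($snet in 'snet-pooled', 'snet-personal') {
    $cfg = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $snet
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $snet `
        -AddressPrefix $cfg.AddressPrefix -RouteTable $rt | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null
```

After applying the route table, the firewall logs (sent to Log Analytics or the diagnostic setting you use) show every denied flow from the session host subnets, which is the quickest way to find an application the host pool needs that the rule set does not yet allow.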

What Is a Workspace? – Design the Azure Virtual Desktop Architecture

What Is a Workspace?

A workspace is a logical grouping of application groups in Azure Virtual Desktop. Each Azure Virtual Desktop application group must be associated with a workspace for users to see the remote apps and desktops published to them.

Figure 2-8 shows the reference architecture for host pool placement.

Figure 2-8.  Azure Virtual Desktop host pool, session host, resource group placement

This diagram shows a typical Azure Virtual Desktop host pool placement. The recommendations are as follows:

• A dedicated subscription is recommended for Azure Virtual Desktop resources for easy management and on-demand scaling.

• A separate virtual network is recommended, with multiple subnets for pooled and personal host pools in each region, peered with a hub virtual network in that region.

• The virtual network address range needs to be decided considering the number of VMs for pooled as well as personal host pools and future growth.

• Multiple host pools of the same type can use the same subnet as long as there is no compliance/InfoSec requirement against it. Each subnet can be restricted with a set of NSG rules.

• You need a separate host pool for each VM size, each region, and each type (pooled/personal).

• You need a dedicated resource group for each host pool to manage RBAC on the host pool–specific resources.

• RDP properties are set at the host pool level, so if a set of users needs different RDP properties, you have to create a different host pool. For example, some users need the copy option in Azure Virtual Desktop and some do not.

• Use a separate pooled host pool for users who need a different set of applications.
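The host pool, app group and workspace model from the “What Are Host Pools?” and “What Are App Groups?” sections and the placement recommendations above, built with PowerShell as an added example (not the book’s code): one resource group per host pool as the RBAC boundary, a pooled host pool for one VM size/region/business unit with its RDP properties (clipboard and drive redirection off) set at pool level, a desktop app group created with your own name plus a RemoteApp app group, a workspace, and user assignment scoped to the app groups. MaxSessionLimit 8 reflects the D8s_v4 sizing example earlier in the chapter. Assumptions: resource group rg-avd-pooled-fin-eastus, the host pool/app group/workspace names, an AD group sg-avd-pooled-fin synced to Azure AD, and Excel at the default Office path.

```powershell
# Added example, not from the book. Requires Az.DesktopVirtualization and Az.Resources.

$location = 'eastus'
$rg       = 'rg-avd-pooled-fin-eastus'      # assumed: one resource group per host pool (RBAC boundary)
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Pooled host pool for one VM size / region / business unit. RDP properties apply to the whole
# pool, so clipboard and drive redirection are disabled here; users who need the copy option
# get a separate host pool instead of a weaker setting for everyone.
$hp = New-AzWvdHostPool -ResourceGroupName $rg -Name 'hp-pooled-fin-eastus' -Location $location `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
    -MaxSessionLimit 8 -CustomRdpProperty 'redirectclipboard:i:0;drivestoredirect:s:;'

# The cmdlet does not create the default desktop app group the portal creates, so the desktop
# app group is created here under the naming standard, next to a RemoteApp app group.
$dag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'dag-pooled-fin-eastus' -Location $location `
    -HostPoolArmPath $hp.Id -ApplicationGroupType Desktop
$rag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'rag-pooled-fin-eastus' -Location $location `
    -HostPoolArmPath $hp.Id -ApplicationGroupType RemoteApp

# Publish one RemoteApp. CommandLineSetting DoNotAllow stops users passing their own arguments.
New-AzWvdApplication -ResourceGroupName $rg -GroupName $rag.Name -Name 'Excel' -FriendlyName 'Excel' `
    -FilePath 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE' `
    -CommandLineSetting DoNotAllow -ShowInPortal:$true | Out-Null

# Workspace: users only see app groups that belong to a workspace.
New-AzWvdWorkspace -ResourceGroupName $rg -Name 'ws-fin-eastus' -Location $location `
    -ApplicationGroupReference $dag.Id, $rag.Id | Out-Null

# Publishing to users is an RBAC assignment scoped to the app group (not the resource group or
# subscription). A group assigned to both app groups sees the desktop and Excel in one feed.
$users = Get-AzADGroup -DisplayName 'sg-avd-pooled-fin'
foreach ($ag in $dag, $rag) {
    New-AzRoleAssignment -ObjectId $users.Id -RoleDefinitionName 'Desktop Virtualization User' `
        -Scope $ag.Id | Out-Null
}

# Verify who can reach each app group; anything beyond the intended group is a finding.
foreach ($ag in $dag, $rag) {
    Get-AzRoleAssignment -Scope $ag.Id -RoleDefinitionName 'Desktop Virtualization User' |
        Select-Object @{ n = 'AppGroup'; e = { $ag.Name } }, DisplayName, ObjectType
}
```

Keeping each host pool in its own resource group means the Desktop Virtualization User assignments above, the session host VMs and the profile storage of that pool can be audited and delegated as one unit without granting rights over another business unit’s pool.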