AZ-140 Note #1 Plan an Azure Virtual Desktop implementation
Azure Virtual Desktop (AVD) is a cloud-based desktop and application virtualization service that supports multiple devices (Windows, Mac, iOS, Android, and Linux) and modern web browsers.
AVD Architecture
We can integrates on-premises networks with the Azure cloud using ExpressRoute or VPN and synchronizes Active Directory Domain Services (AD DS) with Microsoft Entra ID via Microsoft Entra Connect.
Azure Virtual Desktop components
Microsoft-Managed Components in Azure Virtual Desktop
Web Access: Browser access with MFA.
Gateway: Secures remote connections.
Connection Broker: Manages sessions.
Diagnostics: Logs for troubleshooting.
Extensibility: PowerShell & APIs.
Azure Virtual Desktop: Customer-Managed Components
Azure Virtual Network: Enables secure communication to AVD via VPN or ExpressRoute.
Microsoft Entra ID: Manages identity with conditional access and multi-factor authentication.
AD DS: VMs must domain-join; integrates with Microsoft Entra ID via Entra Connect.
Session Hosts: Supports Windows 10/11, Multi-session, and custom VMs with GPU options.
Workspace: Manages and publishes host pool resources.
Azure Virtual Desktop Host Pools
1. Host Pools: Groups of identical VMs with app groups for user interaction.
2. Types:
Pooled: Shared VMs, no admin rights, limited customization.
Personal: Dedicated VMs, admin rights, full customization.
3. Features:
Personal: Persistent connection, ideal for saving files and custom apps.
Pooled: Dynamic assignment, optimized resource sharing.
Azure Virtual Desktop Updates
MCM: Updates server and desktop OS.
Windows Updates for Business: Updates desktop OS (e.g., Windows 10 multi-session).
Azure Update Management: Updates server OS.
Azure Log Analytics: Ensures compliance.
Deploy a new custom or Marketplace image monthly to session hosts for the latest Windows and app updates.
Azure Virtual Desktop Limitations
Object Limits:
Workspaces per Microsoft Entra tenant: 1,300
HostPools per workspace: 400
Application groups per Microsoft Entra tenant: 500
RemoteApps per application group: 500
Role assignments per Azure Virtual Desktop object: 200
Session hosts per HostPool: 10,000
VM Deployment Limits:
Recommended: No more than 5,000 VMs per Azure subscription per region (applies to both personal and pooled host pools).
Automated scaling tools: Limited to ~2,500 VMs per subscription per region due to resource consumption.
For larger deployments, use multiple subscriptions in a hub-spoke architecture or deploy VMs in different regions.
Other Constraints:
ARM template deployment: Up to 132 VMs per deployment (run multiple deployments for more).
VM name prefixes: Limited to 11 characters due to auto-assigning of instance names.
Resource group limits: Up to 800 instances of most resource types (Azure Compute is exempt).
For exceeding limits (e.g., >500 application groups), submit a support ticket via the Azure portal. For more details, refer to Azure subscription and service limits.
Azure Virtual Desktop VM Sizing
Follow Azure's VM sizing guidelines for user-to-vCPU ratios and workload configurations. Test deployments with simulations to ensure responsiveness and resilience under varying loads. Proper sizing ensures optimal performance.
Azure Virtual Desktop Cost Optimization
Save costs with:
Windows 10 Multi-Session for multiple users per VM.
Azure Hybrid Benefit for Software Assurance discounts.
Reserved Instances for prepaid VM savings.
Load-Balancing (Breadth-first or Depth-first) to optimize resource use.
Design the Azure Virtual Desktop architecture
Assessing Network Capacity and Speed for Azure Virtual Desktop
To ensure a smooth user experience in Azure Virtual Desktop (AVD), it’s crucial to assess and optimize network bandwidth. Key points include:
Bandwidth Recommendations:
Light workload: 1.5 Mbps
Medium workload: 3 Mbps
Heavy workload: 5 Mbps
Power workload: 15 Mbps
Factors Affecting Bandwidth:
Frame rate and display resolution directly impact bandwidth needs.
Example: A light workload with high resolution requires more bandwidth than the same workload with low resolution.
Scenarios with Variable Bandwidth Needs:
Voice/video conferencing.
Real-time communication.
Streaming 4K video.
Display Resolution Bandwidth Requirements (at 30 fps):
1024 × 768 px: 1.5 Mbps
1280 × 720 px: 3 Mbps
1920 × 1080 px: 5 Mbps
3840 × 2160 px (4K): 15 Mbps
Testing and Optimization:
Use simulation tools like Login VSI to load test scenarios.
Run stress tests and simulate common user scenarios to understand network requirements.
Azure Virtual Desktop Experience Estimator
The Azure Virtual Desktop Experience Estimator helps determine the connection round-trip time (RTT) from your current location to the Azure region where your virtual machines (VMs) are deployed. This tool highlights the Azure region with the lowest RTT, providing estimates to assess end-user experience quality.
Key Points:
Purpose:
Estimate RTT to optimize Azure Virtual Desktop performance.
Identify the Azure region with the lowest latency for your deployment.
Factors Affecting Experience:
- Network conditions, end-user devices, and VM configurations can influence actual performance.
Sample RTT Estimates (in milliseconds):
Lowest Latency: West US 2 (30 ms).
Highest Latency: South Africa North (323 ms).
Other regions:
Central US: 66 ms
East US: 94 ms
UK South: 167 ms
Southeast Asia: 189 ms
Australia East: 206 ms
Use Case:
- Helps plan deployments by selecting the Azure region with the best RTT for your users.
OS and Client Support for using Azure Virtual Desktop
Supported OS:
Windows: Windows 10, Windows 10 IoT Enterprise, Windows 7 (via Windows App, formerly Remote Desktop client):64-bit, 32-bit, ARM64.
macOS: Supported via Windows App (formerly Microsoft Remote Desktop client, available on Mac App Store):Multi-monitor, dynamic resolution support.
Web Access: Use the AVD Web Client for browser-based access.No installation needed, supports ARM devices.
Recent Changes:
Windows Desktop client rebranded as Windows App.
Web client now supports ARM-based devices.
Balancing Host Pools in Azure Virtual Desktop
Load-Balancing Methods:
Breadth-First Load Balancing: Distributes sessions evenly across hosts, ideal for optimizing user experience. It selects hosts with the fewest sessions.
The method randomly selects a session host from the half of the pool with the fewest active sessions.
Example: If there are 9 session hosts with 11–19 sessions, a new session will be assigned to one of the 5 hosts with the lowest session counts (11–15).
Depth-First Load Balancing: Saturates one host at a time until it reaches its session limit, then moves to the next. Ideal for cost efficiency and minimizing active VMs.
The method selects the session host with the highest number of active sessions (within its limit). In case of a tie (same highest number of sessions), the first host in the query is chosen.
Requires setting a maximum session limit per host to ensure optimal performance.
Behaviors:
If a user reconnects to an existing session, they are redirected to the same session host, even if
AllowNewConnectionsis set toFalse.If a user does not have an existing session, session hosts with
AllowNewConnectionsset toFalseare excluded from load balancing.
Key Considerations:
Breadth-First: Best for environments where user experience (performance) and even distribution are priorities.
Depth-First: Best for environments focused on cost efficiency and controlled resource allocation.
Each host pool can only use one load-balancing method, and the choice depends on organizational goals and user requirements.
Design for user identities and profiles
Azure Virtual Desktop Licensing & Cost Optimization
Licensing Models
Windows 10/7 Enterprise Desktops & Apps:
No additional cost with eligible licenses:
Microsoft 365 (E3/E5/F3/A3/A5/Business Premium, Student Use Benefits).
Windows 10 Enterprise/Education (E3/E5/A3/A5) or Windows 10 VDA per user.
Windows 7 Extended Security Updates: Free until January 2023 for legacy app support.
Windows Server RDS Desktops:
No extra cost with valid RDS Client Access License (CAL) + active Software Assurance (SA).
Supports Windows Server 2012 R2 and newer.
Non-Windows Endpoints:
- Access requires Microsoft 365 (E3/E5/F3/Business/A3/A5) or Windows 10 VDA per user license.
Desktop Configuration Options
| Type | Use Cases | Key Features |
| Multi-Session | Cost efficiency, shared infrastructure, compatible workloads. | Pooled OS, FSLogix profiles, user retention. |
| Personal Desktop | Admin rights, persistent OS changes, legacy app compatibility. | Dedicated VMs, retained after restart. |
Cost Considerations
Core Components:
Virtual Machines (VMs) and OS storage.
Data disks (required only for personal desktops).
User profile storage (e.g., Azure Files/NetApp).
Networking (egress/data transfer costs).
Session Host Pricing:
- Windows 10 (single/multi-session) and Windows Server VMs via Citrix/VMware Horizon are billed at Linux compute rates.
Cost-Saving Strategies
Multi-Session Desktops: Maximize user density and reduce VM costs.
Reserved VM Instances: Pre-purchase for long-term discounts (exchange/return options available).
FSLogix: Optimize profile management for multi-session environments.
Key Takeaways
Licensing: Align with existing Microsoft 365 or Windows licenses to minimize costs.
Desktop Type: Choose multi-session for scalability or personal desktops for specialized needs.
Pricing: Focus on VM sizing, storage, and leveraging Linux rates for Citrix/VMware deployments.
For details:
Azure Virtual Desktop Licensing Guide | Pricing Calculator
Utilize Azure Reserved VM Instances (1 or 3-year terms) for up to 72% savings versus pay-as-you-go.
Azure Storage Recommendations for FSLogix Profile Containers
Top Recommendation: Azure Files
Best For: Most customers due to simplicity, cost-effectiveness, and seamless Azure integration.
Key Features:
Performance: Up to 100K IOPS/share, 10 Gbps throughput, ~3ms latency (Premium tier).
Redundancy: Multiple options (LRS, ZRS, GRS, GZRS).
Protocols: SMB 3.0/2.1, NFSv4.1 (preview).
Scalability: 100 TiB per share, up to 5 PiB per storage account.
Management: Native Azure service with hybrid access (Azure File Sync), Microsoft Entra integration, and Azure Backup support.
Alternative Solutions
1. Azure NetApp Files
Best For: Ultra-high performance (e.g., CAD/3D modeling, legacy NetApp migrations).
Key Features:
Performance: Up to 4.5 Gbps/volume, ~1ms latency (Ultra tier).
Protocols: NFSv3, NFSv4.1 (preview), SMB 3.x/2.x.
Scalability: 100 TiB per volume, up to 12.5 PiB per subscription.
Limitations: Limited regional availability; requires minimum 4 TiB capacity pool.
2. Storage Spaces Direct (S2D)
Best For: Cross-platform or self-managed, on-premises-like deployments.
Key Features:
Performance: Up to 20K IOPS/disk (Premium SSD).
Protocols: NFSv3, NFSv4.1, SMB 3.1.
Limitations: Requires manual setup (2+ VMs + Cloud Witness), max 32 TiB/disk.
Comparison Summary
| Feature | Azure Files | Azure NetApp Files | Storage Spaces Direct |
| Use Case | General-purpose, hybrid scenarios | Ultra-performance, low latency | Self-managed, cross-platform |
| Latency | ~3ms (Premium) | ~1ms (Ultra) | Varies (disk-dependent) |
| Redundancy | LRS/ZRS/GRS/GZRS | LRS | LRS/ZRS/GRS |
| Management | Fully managed Azure service | Fully managed Azure service | Self-managed |
| Cost Efficiency | High (no minimum capacity) | High (for high-performance needs) | Moderate (requires infrastructure) |
Key Considerations
Performance Needs:
Use Azure NetApp Files for latency-sensitive workloads (e.g., simulations, large-scale CAD).
Azure Files Premium is ideal for most AVD users (Office 365, general productivity).
Redundancy & Compliance:
Azure Files supports geo-redundancy for disaster recovery.
All solutions meet Azure compliance standards (ISO, Microsoft Entra integration).
Hybrid Scenarios:
- Azure Files + Azure File Sync enables seamless on-premises/cloud profile syncing.
Cost Optimization:
Avoid overprovisioning with Azure Files’ pay-as-you-go model.
Use Storage Spaces Direct only if you require full control over infrastructure.
Conclusion:
Default Choice: Azure Files (Premium tier) for most FSLogix profile containers due to ease of use, scalability, and Azure-native integration.
Specialized Cases:
Azure NetApp Files for mission-critical, low-latency needs.
Storage Spaces Direct for organizations with existing S2D expertise or multi-platform requirements.
Hybrid Identity with Microsoft Entra ID
All three methods(PHS, PTA, ADFS) provide single sign-on (SSO) capabilities, allowing users to sign in automatically when connected to corporate devices or networks.
Common Scenarios & Recommendations:
Supported by all methods:
Sync on-premises Active Directory data to the cloud
Office 365 hybrid scenarios
Sign-in using on-premises passwords
Single sign-on with corporate credentials
Enable cloud or on-premises multifactor authentication:
Supported by PTA and ADFS :
- Ensure no password hashes in the cloud
Only with ADFS:
Support smartcard authentication:
Password expiry notifications
Plan for Microsoft Entra Connect for User Identities
Microsoft Entra Connect is a tool that helps synchronize your on-premises Active Directory (AD) with Microsoft Entra ID, supporting hybrid identity setups. It provides key features to manage user identities and access across cloud and on-premises systems.
Key Features:
Password Hash Synchronization
Pass-through Authentication
Federation Integration
Synchronization
Health Monitoring
Considerations for Azure Virtual Desktop (AVD):
Hybrid Identity: AVD supports hybrid identities through Microsoft Entra ID, including federated identities via ADFS.
Limitations: AVD does not support standalone Active Directory with ADFS. Users must be discoverable via Microsoft Entra ID.
Credential Management: To avoid re-entering credentials, users can save their credentials in the client, but this should only be done on secure devices.
Windows 10 Enterprise Multi-session:
- Hybrid Join: Windows 10 Enterprise multi-session is supported for Microsoft Entra hybrid join. After domain-joining, use Group Policy to enable Entra registration.