Azure Virtual Desktop

Let's talk this week about a similar subject approached differently: Azure Virtual Desktop.

As far as Azure Virtual Desktop is concerned, it is a desktop and application virtualization service that runs in the cloud.

When you run Azure Virtual Desktop on Azure, you have these capabilities:

  • Set up a multi-session Windows 10 (11) deployment that offers all the functionality of Windows 10 (11) with scalability.
  • Virtualize Office 365 ProPlus and optimize it to run in multi-user virtual scenarios.
  • Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer.
  • Virtualize desktops and applications.
  • Manage Windows 10, Windows 11 and Windows Server desktops and apps with a unified management experience.


There are a few things you need to get started with Azure Virtual Desktop. Here you can find the prerequisites that you must complete to successfully provide users with virtual desktops and remote applications.


To implement it, you will need:

  • An Azure account with an active subscription
  • An identity provider
  • A compatible operating system
  • Appropriate licenses
  • Network connectivity
  • A Remote Desktop client

You have a choice of operating systems that you can use for session hosts to provide virtual desktops and remote applications. You can use different operating systems with different host pools to provide flexibility for users. The following 64-bit versions of these operating systems are supported, where the supported versions and dates are aligned with Microsoft's Lifecycle Policy.


(Image: table of the supported 64-bit operating systems for session hosts)

Important

  • Azure Virtual Desktop does not support 32-bit operating systems or SKUs that are not listed in the table above.
  • Support for Windows 7 ended on January 10, 2023.
  • OS ephemeral disks are not supported for Azure virtual machines.

Users need accounts that are in Azure AD. If you are also using AD DS or Azure AD DS in your Azure Virtual Desktop deployment, these accounts must be hybrid identities, meaning the user account exists in both directories and is kept in sync. Depending on the account you use, consider the following:

  • If you use Azure AD with AD DS, you need to configure Azure AD Connect to synchronize user identity data between AD DS and Azure AD.
  • If you use Azure AD with Azure AD DS, user accounts are synchronized one way, from Azure AD to Azure AD DS. This synchronization process is automatic.

To successfully deploy Azure Virtual Desktop, you'll need to meet the following network requirements:

  • You will need a virtual network for the session hosts. If you create the session hosts at the same time as a host pool, you must create this virtual network beforehand for it to appear in the drop-down list. The virtual network must be in the same Azure region as the session hosts.
  • Make sure this virtual network can reach the relevant domain controllers and DNS servers if you are using AD DS or Azure AD DS, as you will need to join the session hosts to the domain.
  • Session hosts and users must be able to connect to the Azure Virtual Desktop service. These connections use TCP on port 443 to a specific list of URLs. For more information, see List of required URLs. You must ensure that these URLs are not blocked by network filtering or a firewall for your implementation to work correctly and be supported. If users need to access Microsoft 365, make sure that the session hosts can connect to the Microsoft 365 endpoints.

Consider the following:

  • Users may need access to applications and data hosted on other networks, so you must ensure that session hosts can connect to them.
  • The round-trip latency (RTT) from the users' network to the Azure region containing the host pools must be less than 150 ms. Use the experience estimator to see the connection status and the recommended Azure region. To optimize network performance, create session hosts in the Azure region closest to your users.
  • Use Azure Firewall for Azure Virtual Desktop implementations to help you lock down your environment and filter outbound traffic.

For the complete documentation of the Azure Virtual Desktop requirements, we can go to the links:

What is Azure Virtual Desktop?

https://docs.microsoft.com/en-us/azure/virtual-desktop/overview

Prerequisites for Azure Virtual Desktop

https://learn.microsoft.com/en-us/azure/virtual-desktop/prerequisites

For this solution, we have the following architecture diagram.

(Image: Azure Virtual Desktop architecture diagram)

Comparing the architectures, we see that the solution involves the same elements as RDS:

(Image: side-by-side RDS and Azure Virtual Desktop architecture diagrams with red and green boxes)

We see that the management elements of the architecture in the red box are equivalent, as are the green boxes, as follows:

Red box: the environment management architecture. For a high-availability architecture we have:

In RDS on virtual machines (IaaS):

  • 4 virtual machines and a SQL database

In AVD:

  • Provided as Platform as a Service (PaaS).

Green box: the architecture for hosting users and their data. For a high-availability architecture we have:

In RDS on virtual machines (IaaS):

  • 5 virtual machines (1 domain controller, 2 for user sessions, and 2 to store data and user profiles)

In AVD:

  • 5 virtual machines (1 domain controller, 2 for user sessions, and 2 to store data and user profiles)


User Profiles

The Azure Virtual Desktop service recommends FSLogix profile containers as the solution for user profiles. FSLogix is designed to roam profiles in remote computing environments such as Azure Virtual Desktop. It stores an entire user profile in a single container. At login, this container is dynamically attached to the computing environment using the natively supported Virtual Hard Disk (VHD) and Hyper-V Virtual Hard Disk (VHDX) formats. The user profile is immediately available and appears to the system exactly like a native user profile.


A user profile contains data items about a person, including configuration information such as desktop settings, persistent network connections, and application settings. By default, Windows creates a local user profile that is tightly integrated with the operating system.


A remote user profile provides a partition between the operating system and user data. This allows you to replace or change the operating system without affecting user data. On Remote Desktop Session Host (RDSH) and Virtual Desktop Infrastructures (VDI), the operating system can be replaced for the following reasons:

  • An operating system update.
  • A replacement of an existing virtual machine.
  • A user who is part of a pooled (non-persistent) RDSH or VDI environment.

As described above, the FSLogix profile container is attached to the session at login as a VHD or VHDX, so the container itself has to live on shared storage that every session host can reach. Azure Files is the storage service used for that here.


Azure Files offers two different tiers of storage: Premium and Standard. These tiers allow you to customize the performance and cost of file shares to meet the requirements of your scenario.

  • Premium file shares are backed by solid-state drives (SSDs) and are deployed in the FileStorage storage account type. Premium file shares provide consistent high performance and low latency for input and output (I/O) intensive workloads.
  • Standard file shares are backed by hard disk drives (HDDs) and are deployed in the General Purpose Version 2 (GPv2) storage account type. Standard file shares offer reliable performance for I/O workloads less sensitive to performance variability, such as general-purpose file shares and development and test environments. Standard file shares are only available on a pay-as-you-go billing model.

The following table lists the recommendations for the performance level to use based on your workload. These recommendations will help you select the performance level that meets your performance goals, budget, and regional considerations. We have based these recommendations on example scenarios for Remote Desktop workload types.

(Image: table of recommended Azure Files performance tiers by Remote Desktop workload type)

For documentation, we can go to the link:

Storage options for FSLogix profile containers in Azure Virtual Desktop

https://learn.microsoft.com/en-us/azure/virtual-desktop/store-fslogix-profile

When using Azure Storage accounts for profiles, before you begin make sure that the domain controller is in sync with Azure and can be resolved from the Azure virtual network that the session hosts connect to.

Azure Files supports identity-based authentication via Server Message Block (SMB) with Kerberos authentication protocol using the following three methods:

  • On-premises Active Directory Domain Services (AD DS)
  • Azure Active Directory Domain Services (Azure AD DS)
  • Azure Active Directory (Azure AD) Kerberos for hybrid user identities only (preview)


Enabling identity-based access to Azure file shares allows existing file servers to be replaced with Azure file shares without replacing the existing directory service, maintaining seamless user access to shared resources.


Before you can enable identity-based authentication on Azure file shares, you must set up your domain environment.


Before you enable Azure AD DS authentication with SMB for Azure file shares, verify that the Azure Storage and Azure AD environments are set up correctly. It is recommended that you review the prerequisites to ensure that you have completed all the necessary steps.


Then, take these actions to grant access to Azure Files resources using Azure AD credentials:

  1. Enable Azure AD DS authentication over SMB on the storage account to register it with the associated Azure AD DS deployment.
  2. Assign share level permissions to an Azure AD identity (user, group, or service principal).
  3. Connect to the Azure file share using a storage account key and configure Windows access control lists (ACLs) for directories and files.
  4. Mount an Azure file share from a domain-joined virtual machine.

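The four steps above carried out with Azure PowerShell, as an added example (not code from the article or from Microsoft's documentation). It assumes the Az module is installed and signed in, that the resource group, storage account, share, domain and group names are placeholders to replace, and that the ACL step runs on a VM joined to the Azure AD DS domain.

```powershell
# Added example: enable Azure AD DS authentication over SMB on a storage account,
# grant share-level access, set NTFS ACLs for FSLogix containers, and mount the share.
$ResourceGroup  = "rg-avd-example"         # placeholder
$StorageAccount = "stavdprofilesexample"   # placeholder
$ShareName      = "profiles"               # placeholder
$Domain         = "contoso"                # placeholder NetBIOS name of the Azure AD DS domain
$UsersGroup     = "AVD-Users"              # placeholder group synced to Azure AD DS

# Step 1: turn on Azure AD DS authentication over SMB. Setting this property
# "domain joins" the storage account to the Azure AD DS deployment in the tenant.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null

# Verify the directory service the account now reports before going further.
$auth = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne "AADDS") {
    throw "Azure AD DS authentication is not enabled on $StorageAccount (got '$($auth.DirectoryServiceOptions)')."
}

# Step 2: share-level permission through an RBAC role scoped to this one file share,
# assigned to a group rather than to individual users.
$ShareScope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount/fileServices/default/fileshares/$ShareName"
$GroupId = (Get-AzADGroup -DisplayName $UsersGroup).Id
New-AzRoleAssignment -ObjectId $GroupId -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $ShareScope | Out-Null

# Step 3: connect once with the storage account key (the only place the key is used)
# and set NTFS ACLs on the share root, then drop the key-based mapping.
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$Unc = "\\$StorageAccount.file.core.windows.net\$ShareName"
net use Z: $Unc /user:Azure\$StorageAccount $Key | Out-Null

# Least-privilege layout: no inherited ACEs, admins get full control, users may create
# their own folder at the root only, and each creator/owner controls only what they created.
icacls Z:\ /inheritance:r | Out-Null
icacls Z:\ /grant "${Domain}\Domain Admins:(OI)(CI)(F)" | Out-Null
icacls Z:\ /grant "${Domain}\${UsersGroup}:(M)" | Out-Null
icacls Z:\ /grant "CREATOR OWNER:(OI)(CI)(IO)(M)" | Out-Null
net use Z: /delete | Out-Null

# Step 4: from a domain-joined session host, mount with the signed-in user's Kerberos
# identity (no key involved) and confirm the share is reachable.
net use P: $Unc /persistent:yes | Out-Null
if (-not (Test-Path "P:\")) { throw "Could not mount $Unc with the signed-in identity." }
Write-Host "Share $Unc is ready for FSLogix profile containers."
```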

The following diagram illustrates the end-to-end workflow to enable Azure AD DS authentication over SMB for Azure Files.

No alt text provided for this image

To enable Azure AD DS authentication over SMB for Azure Files, you set a property on the storage account using the Azure portal, Azure PowerShell, or Azure CLI. Setting this property implicitly "domain joins" the storage account with the associated Azure AD DS deployment. Azure AD DS authentication over SMB is then enabled for all new and existing file shares in the storage account.


Note that you can only enable Azure AD DS authentication with SMB after you have successfully deployed Azure AD DS to your Azure AD tenant. For more information, see the Prerequisites section.

For the documentation and the step-by-step guide to adding permissions to the Azure Files folders, we can go to the links:

Overview of Azure Files identity-based authentication options for SMB access

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview


Enable Azure Active Directory Domain Services authentication on Azure Files

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable?tabs=azure-portal


Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Azure Active Directory Domain Services

https://learn.microsoft.com/en-us/azure/virtual-desktop/fslogix-profile-container-configure-azure-files-active-directory?tabs=adds


Create a profile container with Azure Files and Azure Active Directory

https://learn.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-azure-ad

Once the permissions are in place, we can tell the session hosts where the user profile folders are located.

You will need to follow these instructions each time you set up a session host. Before you start configuring, follow the instructions in Download and Install FSLogix. There are several options that ensure the registry keys are set on all session hosts in the host pool: you can set them in the image or configure them with a group policy.

To configure FSLogix on the session host virtual machine:

1. Connect over RDP to the session host virtual machine in the Azure Virtual Desktop host pool.

2. Download and install FSLogix.

3. Follow the instructions in Configuring the profile container registry:

   o Go to Computer > HKEY_LOCAL_MACHINE > SOFTWARE > FSLogix.

   o Create a Profiles key.

   o Create Enabled, a DWORD with a value of 1.

   o Create VHDLocations, a MULTI_SZ.

   o Set the value of VHDLocations to the UNC path that you generated in Obtaining the UNC path.

4. Reboot the VM.

The values that enable profiles and define their location live in the registry of each session host, and that is where you change the path when you move to a new storage account.

(Image: FSLogix Profiles registry key on a session host)


Create a profile container with Azure Files and Azure Active Directory

https://learn.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-azure-ad

Profile disk size

The default size of a profile disk is 30 GB. The size can also be changed through the registry, combining two values:

"IsDynamic" set to "1" makes the disk grow dynamically until it reaches the maximum given by "SizeInMBs", which by default is 30000.
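An added example, not code from the article or from FSLogix, that applies the registry values from the session-host procedure above together with the IsDynamic and SizeInMBs values just described, and validates them before the reboot. The share path is a placeholder; the script assumes it runs elevated on the session host.

```powershell
# Added example: configure and validate the FSLogix Profiles registry values on a session host.
$ProfilesKey  = "HKLM:\SOFTWARE\FSLogix\Profiles"
$VhdLocations = @("\\stavdprofilesexample.file.core.windows.net\profiles")  # placeholder share
$MaxSizeMB    = 30000   # FSLogix default maximum, 30 GB

function Set-FsLogixProfileSettings {
    param([string]$Key, [string[]]$Locations, [int]$SizeInMBs, [bool]$Dynamic = $true)

    # Refuse to enable profiles against a share this host cannot reach: a wrong
    # path would leave every user signing in with a temporary local profile.
    foreach ($loc in $Locations) {
        if (-not (Test-Path -LiteralPath $loc)) { throw "VHD location not reachable from this host: $loc" }
    }
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name Enabled      -PropertyType DWord       -Value 1               -Force | Out-Null
    New-ItemProperty -Path $Key -Name VHDLocations -PropertyType MultiString -Value $Locations      -Force | Out-Null
    # A dynamic disk grows on demand up to SizeInMBs; a fixed one is allocated in full at creation.
    New-ItemProperty -Path $Key -Name IsDynamic    -PropertyType DWord       -Value ([int]$Dynamic) -Force | Out-Null
    New-ItemProperty -Path $Key -Name SizeInMBs    -PropertyType DWord       -Value $SizeInMBs      -Force | Out-Null
}

function Test-FsLogixProfileSettings {
    param([string]$Key, [string[]]$ExpectedLocations)
    $p = Get-ItemProperty -Path $Key
    $problems = @()
    if ($p.Enabled -ne 1) { $problems += "Enabled is not 1" }
    if (@(Compare-Object $p.VHDLocations $ExpectedLocations).Count -ne 0) {
        $problems += "VHDLocations differs from the expected share list"
    }
    if ($p.IsDynamic -eq 1 -and $p.SizeInMBs -le 0) { $problems += "SizeInMBs must be positive for a dynamic disk" }
    return $problems
}

Set-FsLogixProfileSettings -Key $ProfilesKey -Locations $VhdLocations -SizeInMBs $MaxSizeMB
$issues = Test-FsLogixProfileSettings -Key $ProfilesKey -ExpectedLocations $VhdLocations
if ($issues) { throw ($issues -join "; ") }
Write-Host "FSLogix profile settings applied; reboot the session host for them to take effect."
```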

For the complete documentation we can go to the links:

Profile Container registry configuration reference

https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles#tabpanel_1_profiles

Tutorial: Configure profile containers

https://learn.microsoft.com/en-us/fslogix/tutorial-configure-profile-containers#configure-profile-container-registry-settings

Azure Active Directory (Azure AD) provides many benefits for organizations, such as modern authentication protocols, single sign-on (SSO), and support for FSLogix user profiles. Azure Virtual Desktop virtual machine (VM) session hosts can join directly to Azure AD. Joining directly to Azure AD removes an earlier need to use Active Directory Domain Services (AD DS) domain controllers.


Originally, Azure Virtual Desktop domain join needed both Azure AD and AD DS domain controllers. Traditional Windows Server AD DS domain controllers were on-premises machines, Azure VMs, or both. Azure Virtual Desktop accessed the controllers over a site-to-site virtual private network (VPN) or Azure ExpressRoute. Alternatively, Azure Active Directory Domain Services platform-as-a-service (PaaS) provided AD DS in Azure and supported trust relationships to existing on-premises AD DS. Users had to sign in to both Azure AD and AD DS.


Applications, Server Message Block (SMB) storage, and other services that Azure Virtual Desktop hosts consume might still require AD DS. But Azure Virtual Desktop itself no longer requires AD DS. Removing this requirement reduces cost and complexity.


For the step-by-step implementation process, we can go to the link:

Azure AD join for Azure Virtual Desktop

https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/azure-virtual-desktop-azure-active-directory-join

For pricing details, example scenarios and what you pay for with this solution, you can go to the link:

Azure Virtual Desktop pricing

https://azure.microsoft.com/en-us/pricing/details/virtual-desktop/

Idle Disconnected Sessions

For disconnected sessions, we can configure a time limit after which the session is ended.

Be sure to set the time limit for the "End a disconnected session" policy to a value greater than five minutes. A low time limit can end users' sessions if their network loses connection for too long, resulting in lost work.
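An added example (not from the article) that enforces the five-minute caveat when setting the disconnected-session limit on a session host. It assumes the limit is set locally through the Terminal Services policy registry value, which is what the "End a disconnected session" policy writes; a domain GPO that sets the same policy would take precedence.

```powershell
# Added example: set the disconnected-session limit on a session host and read it back.
# MaxDisconnectionTime is stored in milliseconds; 0 means sessions are never ended.
$TsPolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

function Set-DisconnectedSessionLimit {
    param([int]$Minutes)
    # Guard against the failure mode described above: a short limit turns a brief
    # network drop into a terminated session and lost work.
    if ($Minutes -le 5) {
        throw "A limit of $Minutes minute(s) is too short; use a value greater than five minutes."
    }
    New-Item -Path $TsPolicyKey -Force | Out-Null
    New-ItemProperty -Path $TsPolicyKey -Name MaxDisconnectionTime -PropertyType DWord `
        -Value ($Minutes * 60 * 1000) -Force | Out-Null
}

function Get-DisconnectedSessionLimitMinutes {
    $v = (Get-ItemProperty -Path $TsPolicyKey -ErrorAction SilentlyContinue).MaxDisconnectionTime
    if ($null -eq $v -or $v -eq 0) { return $null }   # not limited by local policy
    return [int]($v / 60000)
}

Set-DisconnectedSessionLimit -Minutes 30
$current = Get-DisconnectedSessionLimitMinutes
if ($null -eq $current -or $current -le 5) { throw "Unexpected disconnected-session limit: $current" }
Write-Host "Disconnected sessions on this host are ended after $current minutes."
```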

For the procedure, please go to:

Are VMs automatically deallocated when a user stops using them?

https://learn.microsoft.com/en-us/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them

Autoscaling lets you scale the session host virtual machines (VMs) in a host pool up or down to optimize deployment costs. You can create a scaling plan based on:

  • Time of day
  • Specific days of the week
  • Session limits per session host

For the autoscaling process, we can go to the links:

Create an autoscale scaling plan for Azure Virtual Desktop

https://learn.microsoft.com/en-us/azure/virtual-desktop/autoscale-scaling-plan

Assign scaling plans to host pools in Azure Virtual Desktop

https://learn.microsoft.com/en-us/azure/virtual-desktop/autoscale-new-existing-host-pool

Bandwidth Requirements

Remote Desktop Protocol (RDP) is a sophisticated technology that uses various techniques to optimize the delivery of the server's remote graphics to the client device. Depending on the use case, the availability of computing resources, and network bandwidth, RDP dynamically adjusts various parameters to deliver the best user experience.

The amount of data sent over RDP depends on the user's activity. For example, a user may work with basic textual content for most of the session and consume minimal bandwidth, but then print a 200-page document to the local printer. That print job will use a significant amount of network bandwidth.

RDP uses different compression algorithms for different types of data. The table below helps estimate the data transferred:

(Image: table of estimated RDP data transfer by data type)

Other scenarios can have their bandwidth requirements change depending on how you use them, such as:

  • Voice or video conferencing
  • Real-time communication
  • Streaming 4K video

Remote Desktop Protocol is a modern protocol designed to adjust to the changing network conditions dynamically. Instead of using the hard limits on bandwidth utilization, RDP uses continuous network detection that actively monitors available network bandwidth and packet round-trip time. Based on the findings, RDP dynamically selects the graphic encoding options and allocates bandwidth for device redirection and other virtual channels.

This technology allows RDP to use the full network pipe when available and rapidly back off when the network is needed for something else. RDP detects that and adjusts image quality, frame rate, or compression algorithms if other applications request the network.


For the full documentation and estimations, we can go to:

Remote Desktop Protocol (RDP) bandwidth requirements

https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-bandwidth


Protecting Azure Virtual Desktop with Azure Firewall

Azure Virtual Desktop is a desktop and app virtualization service that runs on Azure. When an end user connects to an Azure Virtual Desktop environment, their session is run by a host pool. A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. These virtual machines run in your virtual network and are subject to the virtual network security controls. They need outbound Internet access to the Azure Virtual Desktop service to operate properly and might also need outbound Internet access for end users. Azure Firewall can help you lock down your environment and filter outbound traffic.

(Image: Azure Firewall filtering outbound traffic from an Azure Virtual Desktop host pool)

Depending on your organization's needs, you might want to enable secure outbound internet access for your end users. If the list of allowed destinations is well defined (for example, for Microsoft 365 access), you can use Azure Firewall application and network rules to configure the required access. This routes end-user traffic directly to the internet for the best performance.

If you want to filter outbound user internet traffic through an existing on-premises secure web gateway, you can configure web browsers or other applications running on the Azure Virtual Desktop host pool with an explicit proxy configuration. These proxy settings only affect your end users' internet access, while the Azure Virtual Desktop platform's own outbound traffic still goes directly through Azure Firewall.
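An added example, not code from the article or from Microsoft's guide, of Azure Firewall rules for a session-host subnet using the Az.Network cmdlets. The resource names and subnet are placeholders; the WindowsVirtualDesktop FQDN tag and the two Azure platform IP addresses are assumptions taken from the Azure Firewall documentation rather than from this article, and the linked required-URL list remains the authority for anything else the hosts need.

```powershell
# Added example: allow a session-host subnet to reach the Azure Virtual Desktop
# service while all other outbound traffic stays denied by the firewall's default rule.
$ResourceGroup = "rg-avd-example"   # placeholder
$FirewallName  = "fw-avd-example"   # placeholder
$HostSubnet    = "10.10.1.0/24"     # placeholder session-host subnet

# Application rule: the FQDN tag expands to the service's HTTPS endpoints, so the
# allow list follows Microsoft's endpoint changes instead of a hand-maintained list.
$avdAppRule = New-AzFirewallApplicationRule -Name "allow-avd-service" `
    -SourceAddress $HostSubnet -FqdnTag "WindowsVirtualDesktop"
$appColl = New-AzFirewallApplicationRuleCollection -Name "avd-app-rules" -Priority 200 `
    -Rule $avdAppRule -ActionType Allow

# Network rule: platform endpoints that are IP-based rather than FQDN-based
# (instance metadata and the Azure host health endpoint), TCP 80 only.
$platformRule = New-AzFirewallNetworkRule -Name "allow-azure-platform-ips" -Protocol TCP `
    -SourceAddress $HostSubnet -DestinationAddress "169.254.169.254","168.63.129.16" -DestinationPort 80
$netColl = New-AzFirewallNetworkRuleCollection -Name "avd-net-rules" -Priority 200 `
    -Rule $platformRule -ActionType Allow

$fw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroup
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Checks: the service rule is present, and no application rule allows "*" as a target,
# which would quietly turn the firewall into an allow-anything egress.
$rules = $fw.ApplicationRuleCollections | ForEach-Object { $_.Rules }
if (-not ($rules | Where-Object { $_.FqdnTags -contains "WindowsVirtualDesktop" })) {
    throw "No application rule allows the WindowsVirtualDesktop FQDN tag."
}
if ($rules | Where-Object { $_.TargetFqdns -contains "*" }) {
    Write-Warning "An application rule allows every FQDN; restrict it to the destinations users actually need."
}
```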

For the detailed documentation, we can go to the link:

Use Azure Firewall to protect Azure Virtual Desktop deployments.

https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?tabs=azure

For the full learning path on Azure Virtual Desktop, we can go to the link:

https://learn.microsoft.com/en-us/training/paths/m365-wvd/

Thanks for reading and I hope it is helpful for you.

Your comments are appreciated.


Mariano Carro Arrubarrena.

#cloudcapsules
