
Design 34: Azure Virtual Desktop (AVD)

Summary

This design implements Azure Virtual Desktop (AVD) to deliver pooled Windows 11 multi-session desktops to remote users. Session hosts accept no inbound RDP; the AVD control plane brokers every connection over outbound HTTPS.

Topology: The AVD Host Pool (VMs) sits in a Spoke VNet. It peers to the Hub VNet to reach Domain Controllers (AD DS) or On-Premises resources.

1. Key Design Decisions (ADR)

ADR-01: Identity

  • Decision: Hybrid Identity (Microsoft Entra Connect, formerly Azure AD Connect).
  • Rationale: Users sign in with their corporate credentials; session hosts are joined to AD DS. The same AD DS identity is what Azure Files uses for Kerberos authentication to the profile share.

ADR-02: Storage

  • Decision: Azure Files (Premium) with FSLogix.
  • Rationale: Stores user profiles as containers (VHDX) on an SMB share. Premium (SSD-backed) shares give the low latency and IOPS that profile mounts need, which keeps sign-in times short. Note that premium shares support only LRS and ZRS redundancy, which shapes the DR design below.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  Remote User |           |        HUB VNet          |           |  SPOKE VNet  |
|  (HTML5/App) |           |      (Domain Ctlr)       |           |  (Session)   |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  AVD Gateway |           +------------+-------------+           +------+-------+
|  (PaaS)      |---------->| Active Directory         |<--------->|  AVD Hosts   |
+--------------+           | (DNS)                    |           |  (Win 11)    |
                           +--------------------------+           +------+-------+
                                                                         |
                                                                         v
                                                                  +--------------+
                                                                  |  Azure Files |
                                                                  |  (Profiles)  |
                                                                  +--------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Domain Controller     |                                           |
|   | (10.0.1.4)            |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-avd-spoke (10.1.0.0/16)                              |
|   +-----------------------+       +-----------------------+           |
|   | Subnet: Hosts         |       | Subnet: Storage       |           |
|   | [AVD Host Pool]       |------>| [Private Endpoint]    |           |
|   | (Joined to Domain)    |       | (Azure Files)         |           |
|   +-----------------------+       +-----------|-----------+           |
+-----------------------------------------------|-----------------------+
                                                |
                                                v
                                    +-----------------------+
                                    | Storage Account       |
                                    | (FSLogix Profiles)    |
                                    +-----------------------+

                                      |
                                      | (FSLogix Cloud Cache to a DR share, or standard-tier GRS)
                                      v

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR SPOKE VNet                                                         |
|   +-----------------------+                                           |
|   | AVD Host Pool (DR)    |                                           |
|   | (Stopped)             |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • FSLogix: profile containers. At sign-in the user's profile VHD/VHDX is attached from the share over SMB rather than copied, so the profile is available within seconds on whichever host the broker picks.
  • Host Pool: a collection of identical session hosts built from the same image; the broker places incoming sessions across them according to the load-balancing setting.

5. Strategy: High Availability (HA)

  • Pooled: users land on any available host. If a host fails, the active session is lost, but the user reconnects and is placed on another host; because the profile lives on the share, their data is intact. Spread hosts across availability zones (and use ZRS for the share) so a zone outage does not take the whole pool down.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Active-Passive.
  • Process:

* Replicate the golden image to West US (Azure Compute Gallery, formerly Shared Image Gallery, with West US added as a replica region).

* Replicate user profiles. Premium file shares support only LRS and ZRS, not GRS, so "GRS storage" is not available for this tier: either keep a standard-tier GRS share (slower sign-ins) or run FSLogix Cloud Cache on the session hosts, writing each profile to a second premium share in West US at the same time.

* In a disaster, deploy a new host pool in West US from the replicated image, point its FSLogix configuration at the West US share, and re-assign the desktop application group in the workspace.
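The Cloud Cache option above, as an added example (not code from the design page): this configures FSLogix on a session host to write the profile to two SMB providers at once, so the West US copy is always current and the DR host pool can use the same setting. The DR storage account name stprofilecorpdr and the share name fslogix are assumptions; the registry value names are the documented FSLogix settings.

```powershell
# Added example, not from the design page. Run elevated on a session host
# (or bake into the golden image). Assumes both storage accounts are
# AD-joined and the host can reach them over SMB.
$ErrorActionPreference = 'Stop'

$providers = @(
    '\\stprofilecorp.file.core.windows.net\fslogix',    # East US (primary)
    '\\stprofilecorpdr.file.core.windows.net\fslogix'   # West US (DR) - assumed name
)

# Fail early: FSLogix silently skips a provider it cannot reach at logon,
# which would leave the DR copy stale without any obvious error.
foreach ($p in $providers) {
    if (-not (Test-Path -LiteralPath $p)) {
        throw "Cloud Cache provider not reachable from this host: $p"
    }
}

# CCDLocations syntax: semicolon-separated "type=smb,connectionString=<UNC>" entries.
$ccd = ($providers | ForEach-Object { "type=smb,connectionString=$_" }) -join ';'

$key = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'Enabled'      -Value 1    -Type DWord
Set-ItemProperty -Path $key -Name 'CCDLocations' -Value $ccd -Type String

# Cloud Cache and VHDLocations are mutually exclusive; CCDLocations wins if
# both are set, and leaving a stale VHDLocations behind is a common mistake.
Remove-ItemProperty -Path $key -Name 'VHDLocations' -ErrorAction SilentlyContinue

# Cloud Cache keeps a local copy of the profile on the host disk while the
# session runs; clear it at logoff so no user data lingers on a pooled host.
Set-ItemProperty -Path $key -Name 'ClearCacheOnLogoff' -Value 1 -Type DWord

# Show what was written.
Get-ItemProperty -Path $key | Select-Object Enabled, CCDLocations, ClearCacheOnLogoff
```

At failover the West US hosts use the same CCDLocations list; FSLogix reads from whichever provider is available and resynchronises the other when it returns. Size the host OS disk for the local cache, since every active profile is mirrored there.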

7. Strategy: Backup

  • Profiles: Azure Backup for Azure Files (share snapshots, retained by a Recovery Services vault policy).
  • Image: keep versioned image definitions in the compute gallery so a known-good golden image version can be redeployed.

8. Strategy: Security

  • Screen Capture Protection: a host-pool policy that blocks screenshots and screen sharing of the remote session on the client (and optionally on the session host). Connections from clients that do not support it are refused, so verify the clients in use before enabling it.
  • Private Link: private endpoints for the host pool and workspace keep feed and session traffic on the Microsoft backbone instead of public gateway IPs.
  • RDP Shortpath: a separate transport feature, not part of Private Link. Session data moves over direct UDP between client and host (across the peered network, or via STUN/TURN for public networks) instead of TCP through the gateway. It does not change the no-inbound-3389 posture, but Shortpath for managed networks does require UDP 3390 inbound from the client network to the hosts.
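The host-pool-side hardening described above, as an added example (not code from the design page). Part 1 runs from an administrator workstation with the Az.DesktopVirtualization module and locks down device redirection through the host pool's RDP properties; part 2 runs on each session host (or in the golden image) and sets the screen capture protection policy. The resource names are the design's; the chosen set of redirections is an assumption about this deployment's policy.

```powershell
# Added example, not from the design page.
$ErrorActionPreference = 'Stop'
$rg = 'rg-avd-corp'
$hp = 'hp-corp-east'

# Part 1 (admin workstation): custom RDP properties on the host pool.
# By default AVD allows clipboard, drive and printer redirection, which are
# the usual paths for data to leave a pooled desktop.
$rdp = @(
    'redirectclipboard:i:0'    # no clipboard between client and session
    'drivestoredirect:s:'      # no local drive mapping (empty list)
    'redirectprinters:i:0'     # no client printers
    'usbdevicestoredirect:s:'  # no USB pass-through
    'camerastoredirect:s:'     # no camera
    'audiocapturemode:i:0'     # no microphone
) -join ';'

Update-AzWvdHostPool -ResourceGroupName $rg -Name $hp -CustomRdpProperty "$rdp;" | Out-Null

# Verify what the service actually stored (the property string is the source of truth).
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $hp).CustomRdpProperty

# Part 2 (session host): screen capture protection policy value.
# 1 = block capture on the client; 2 = also block capture on the session host.
# Path and value name as given in Microsoft's AVD screen capture protection guidance.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name 'fEnableScreenCaptureProtect' -Value 2 -Type DWord
Get-ItemProperty -Path $pol -Name 'fEnableScreenCaptureProtect'
```

Treat the RDP property string as configuration under change control: a later portal edit that re-enables the clipboard would not show up anywhere else, so compare the stored string against the intended one in your drift checks.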

9. Well-Architected Framework Analysis

  • Reliability: High when session hosts are spread across availability zones and the profile share uses ZRS; a single-zone deployment is still one fault domain.
  • Security: High. No inbound RDP; session hosts make only outbound 443 connections to the control plane (reverse connect).
  • Cost Optimization: High. "Start VM on Connect" powers on a deallocated host when a user connects; pair it with a scaling plan (autoscale) to deallocate idle hosts, since Start VM on Connect does not shut anything down by itself.
  • Operational Excellence: High. Hosts hold no user state and are rebuilt from the golden image; user state lives in FSLogix containers.
  • Performance Efficiency: High. Premium file shares keep profile I/O off the host OS disk.

10. Detailed Traffic Flow

1. User: opens the AVD client and signs in to Microsoft Entra ID; Conditional Access enforces MFA before the feed (the list of assigned desktops) is returned.

2. Gateway/Broker: the client opens an outbound HTTPS (443) connection to the AVD gateway; the broker selects a session host in the pool according to the load-balancing setting (breadth-first here).

3. Host: the session host already holds its own outbound 443 connection to the gateway (reverse connect), so the gateway relays the RDP stream across the two outbound connections and no inbound port is opened on the host. The Windows sign-in itself is authenticated against the domain controller in the hub.

4. Profile: FSLogix attaches the user's VHDX from the Azure Files share over SMB, authenticating with Kerberos through the AD-joined storage account.

5. Session: the user sees the desktop.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Prerequisites

1. Domain Controller: Ensure you have a DC (VM) in vnet-hub, or use Microsoft Entra Domain Services (AADDS).

2. VNet: Create vnet-avd-spoke in East US.

3. Peering: Peer vnet-avd-spoke to vnet-hub.

4. DNS: Change the vnet-avd-spoke DNS servers to Custom: 10.0.1.4 (DC IP) so session hosts can resolve the domain. There is nothing to restart on the VNet itself; VMs that already exist pick up the new DNS server after a restart (or an ipconfig /renew).
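Phase 1 as a script, together with the "no inbound RDP" property from the traffic flow in section 10, as an added example (not code from the design page). It builds the spoke VNet with custom DNS, peers it in both directions with the hub, and attaches an NSG to the host subnet that denies inbound 3389 and allow-lists only the outbound destinations a session host needs. Resource names are the design's; rg-hub, the subnet names and the /24 prefixes are assumptions.

```powershell
# Added example, not from the design page. Requires Az.Network and a context
# with rights on both resource groups.
$ErrorActionPreference = 'Stop'
$rg    = 'rg-avd-corp'
$hubRg = 'rg-hub'          # assumed name of the hub resource group
$loc   = 'eastus'
$dcIp  = '10.0.1.4'

# Inbound: nothing. With reverse connect the gateway never initiates a
# connection to the host, so 3389 is never needed. (If you later enable RDP
# Shortpath for managed networks, add an allow for UDP 3390 from client ranges.)
# Outbound: allow-list by service tag; VirtualNetwork also covers the peered
# hub (DC traffic) and the storage private endpoint in this VNet.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Inbound-RDP' -Priority 100 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Out-AVD-ControlPlane' -Priority 100 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'WindowsVirtualDesktop' -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Out-AzureMonitor' -Priority 110 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'AzureMonitor' -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Out-AzureCloud' -Priority 120 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'AzureCloud' -DestinationPortRange 443, 1688
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Out-VNet' -Priority 130 `
        -Direction Outbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'
    # Explicit default-deny outbound. Enable only after validating every
    # endpoint your image needs (Windows Update, Intune, Defender, KMS).
    New-AzNetworkSecurityRuleConfig -Name 'Deny-Out-All' -Priority 4000 `
        -Direction Outbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-avd-hosts' -SecurityRules $rules

$hostsSubnet   = New-AzVirtualNetworkSubnetConfig -Name 'snet-hosts' `
    -AddressPrefix '10.1.1.0/24' -NetworkSecurityGroup $nsg
$storageSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-storage' `
    -AddressPrefix '10.1.2.0/24'

# Custom DNS pointing at the DC; existing VMs see it after a restart.
$spoke = New-AzVirtualNetwork -ResourceGroupName $rg -Location $loc -Name 'vnet-avd-spoke' `
    -AddressPrefix '10.1.0.0/16' -Subnet $hostsSubnet, $storageSubnet -DnsServer $dcIp

# Peering is only "Connected" once both sides exist. Add -UseRemoteGateways
# on the spoke side (and -AllowGatewayTransit on the hub) for on-prem reach.
$hub = Get-AzVirtualNetwork -ResourceGroupName $hubRg -Name 'vnet-hub'
Add-AzVirtualNetworkPeering -Name 'peer-spoke-to-hub' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id -AllowForwardedTraffic | Out-Null
Add-AzVirtualNetworkPeering -Name 'peer-hub-to-spoke' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id -AllowForwardedTraffic | Out-Null

# Verification: peering state and the DNS setting actually stored.
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'vnet-avd-spoke' |
    Select-Object Name, PeeringState
(Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-avd-spoke').DhcpOptions.DnsServers
```

The Deny-Out-All rule is what turns the service-tag rules into a real allow-list; without it the NSG's default AllowInternetOutBound rule still lets the host reach anything. Start with the rule present but at the lowest priority and review NSG flow logs before relying on it.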

Phase 2: Create Host Pool

1. Search: "Azure Virtual Desktop" -> Create host pool.

2. Resource Group: rg-avd-corp.

3. Name: hp-corp-east.

4. Location: East US.

5. Host pool type: Pooled.

6. Load balancing: Breadth-first.

7. Virtual Machines:

* Add Azure virtual machines: Yes.

* Resource Group: rg-avd-hosts.

* Name prefix: avd-vm.

* Image: Windows 11 Enterprise Multi-session.

* Number of VMs: 2.

* Virtual network: vnet-avd-spoke.

* Domain to join: Active Directory.

* AD domain join UPN: a dedicated domain-join account (for example svc-avdjoin@contoso.com) that is delegated only the right to create computer objects in the target OU; do not use a Domain Admin account here.

* Password: ....

8. Workspace: Create new ws-corp.

9. Create. (Takes 20 mins).

Phase 3: Create Storage (FSLogix)

1. Create Storage Account: stprofilecorp[uniqueid].

2. File Shares: Create share named fslogix.

3. Active Directory:

* Go to Storage Account -> File shares -> Active Directory: Not configured.

* Follow Microsoft's guide to join the storage account to AD DS (requires the AzFilesHybrid PowerShell module and its Join-AzStorageAccountForAuth cmdlet, run as a user who can create computer objects in the target OU).

4. Permissions: Grant the Storage File Data SMB Share Contributor role (Azure RBAC, share level) to the AVD Users group, then set NTFS permissions on the share root so each user can create and access only their own profile folder.
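Phase 3 end to end, as an added example (not code from the design page): it creates the premium file storage account and share, joins the account to AD DS with AzFilesHybrid, assigns the share-level RBAC role, sets the NTFS ACLs FSLogix expects, and points the session hosts at the share. It runs from a domain-joined admin machine with the Az and AzFilesHybrid modules installed. The OU path, the CONTOSO domain and AVD Users group, and the account name stprofilecorp01 are assumptions; the private endpoint from the LLD is not created here, so the public endpoint is still used for the one-time ACL step.

```powershell
# Added example, not from the design page.
$ErrorActionPreference = 'Stop'
$rg  = 'rg-avd-corp'
$loc = 'eastus'
$sa  = 'stprofilecorp01'                          # assumed; must be globally unique
$ou  = 'OU=AVD-Storage,DC=contoso,DC=com'         # assumed OU for the storage computer object

# Premium file share account. Premium supports only LRS/ZRS; ZRS matches the
# HA goal. TLS 1.2 minimum and no anonymous blob access.
$acct = New-AzStorageAccount -ResourceGroupName $rg -Name $sa -Location $loc `
    -SkuName Premium_ZRS -Kind FileStorage -MinimumTlsVersion TLS1_2 `
    -AllowBlobPublicAccess $false
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $sa -Name 'fslogix' -QuotaGiB 1024 | Out-Null

# AD DS join: creates a computer object in $ou whose Kerberos identity the
# storage service uses, so users authenticate to the share with their own
# domain credentials instead of a shared key.
Import-Module AzFilesHybrid
Join-AzStorageAccountForAuth -ResourceGroupName $rg -StorageAccountName $sa `
    -DomainAccountType ComputerAccount -OrganizationalUnitDistinguishedName $ou `
    -EncryptionType AES256
Debug-AzStorageAccountAuth -ResourceGroupName $rg -StorageAccountName $sa -Verbose

# Share-level permission (Azure RBAC). Without this, NTFS ACLs never get evaluated.
$users = Get-AzADGroup -DisplayName 'AVD Users'
New-AzRoleAssignment -ObjectId $users.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $acct.Id | Out-Null

# NTFS ACLs on the share root, mapped once with the storage key (key access is
# only needed for this step). Users may create a folder at the root but not
# browse into each other's; CREATOR OWNER gives each user their own folder.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa)[0].Value
net use Z: "\\$sa.file.core.windows.net\fslogix" /user:"Azure\$sa" $key
icacls 'Z:\' /inheritance:r
icacls 'Z:\' /grant 'CONTOSO\Domain Admins:(OI)(CI)(F)'
icacls 'Z:\' /grant 'CONTOSO\AVD Users:(M)'            # this folder only
icacls 'Z:\' /grant 'CREATOR OWNER:(OI)(CI)(IO)(M)'    # subfolders and files only
icacls 'Z:\'                                           # print the resulting ACL
net use Z: /delete

# Session-host side (run on each host or bake into the image): FSLogix
# profile container settings. FlipFlop puts the username first in the folder
# name, which makes the share easier to audit.
$fsl = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $fsl -Force | Out-Null
Set-ItemProperty -Path $fsl -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path $fsl -Name VHDLocations -Value "\\$sa.file.core.windows.net\fslogix" -Type MultiString
Set-ItemProperty -Path $fsl -Name DeleteLocalProfileWhenVHDShouldApply -Value 1 -Type DWord
Set-ItemProperty -Path $fsl -Name FlipFlopProfileDirectoryName -Value 1 -Type DWord
Set-ItemProperty -Path $fsl -Name VolumeType -Value 'VHDX' -Type String
Set-ItemProperty -Path $fsl -Name SizeInMBs -Value 30000 -Type DWord
Set-ItemProperty -Path $fsl -Name IsDynamic -Value 1 -Type DWord
Get-ItemProperty -Path $fsl | Select-Object Enabled, VHDLocations, SizeInMBs
```

Once the private endpoint from the LLD is in place, disable public network access on the storage account and, if nothing else needs the key, disable shared-key access as well; the AD-joined SMB path does not depend on it.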

Phase 4: Assign Users

1. Go to Azure Virtual Desktop -> Application groups.

2. Click hp-corp-east-DAG (Desktop Application Group).

3. Assignments -> + Add.

4. Select a test user (e.g., alice@contoso.com).
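Phases 2 and 4 as Az.DesktopVirtualization calls, as an added example (not code from the design page). It creates the host pool, the desktop application group and the workspace, issues a short-lived registration token for the hosts, grants the AVD service the role Start VM on Connect needs, and entitles a user. The session-host VMs themselves are not created here; they are built from the golden image (portal step 7, or your own template) and join the pool with the token. Resource names are the design's; the session limit and token lifetime are assumptions.

```powershell
# Added example, not from the design page. Requires Az.DesktopVirtualization
# and Az.Resources.
$ErrorActionPreference = 'Stop'
$rg     = 'rg-avd-corp'
$loc    = 'eastus'
$hpName = 'hp-corp-east'

# Pooled, breadth-first host pool. StartVMOnConnect is only a flag on the pool;
# it does nothing until the service principal below can power on VMs.
$hp = New-AzWvdHostPool -ResourceGroupName $rg -Location $loc -Name $hpName `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
    -MaxSessionLimit 10 -StartVMOnConnect:$true

# First-party "Azure Virtual Desktop" service principal, looked up by its
# well-known application ID rather than by display name.
$avdSp = Get-AzADServicePrincipal -ApplicationId '9cdead84-a844-4324-93f2-b2e6bb768d07'
$subId = (Get-AzContext).Subscription.Id
New-AzRoleAssignment -ObjectId $avdSp.Id `
    -RoleDefinitionName 'Desktop Virtualization Power On Contributor' `
    -Scope "/subscriptions/$subId" | Out-Null

# Registration token: a bearer secret that lets any VM join this pool.
# Keep its lifetime to the length of the build and do not write it to disk.
$expiry = (Get-Date).ToUniversalTime().AddHours(4).ToString('yyyy-MM-ddTHH:mm:ss.fffffffZ')
$reg    = New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hpName -ExpirationTime $expiry
$token  = $reg.Token   # pass to the AVD agent installer on each session host

# Desktop application group and the workspace that publishes it to the feed.
$dag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Location $loc -Name "$hpName-DAG" `
    -HostPoolArmPath $hp.Id -ApplicationGroupType Desktop
$ws  = New-AzWvdWorkspace -ResourceGroupName $rg -Location $loc -Name 'ws-corp' `
    -ApplicationGroupReference $dag.Id

# Phase 4: entitlement is an RBAC assignment on the application group, not on the VMs.
New-AzRoleAssignment -SignInName 'alice@contoso.com' `
    -RoleDefinitionName 'Desktop Virtualization User' -Scope $dag.Id | Out-Null

# Verification: who can reach this desktop, and what the host pool stored.
Get-AzRoleAssignment -Scope $dag.Id -RoleDefinitionName 'Desktop Virtualization User' |
    Select-Object SignInName, DisplayName
Get-AzWvdHostPool -ResourceGroupName $rg -Name $hpName |
    Select-Object Name, HostPoolType, LoadBalancerType, StartVMOnConnect
```

Assign the Desktop Virtualization User role to a group rather than to individual users in production; the per-user assignment here mirrors the runbook's test step only.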

Phase 5: Verify

1. Download: Remote Desktop client for Windows (or use the web client: https://client.wvd.microsoft.com/arm/webclient/).

2. Subscribe: sign in as alice@contoso.com.

3. Launch: double-click SessionDesktop.

4. Success: You are logged into a Windows 11 desktop in Azure.