9 Azure Virtual Desktop best practices for management
When an organization runs Azure Virtual Desktop, it needs to evaluate its internal processes and follow these best practices to deliver an efficient environment to end users.
There are many factors that IT needs in place for an efficient virtual desktop environment, and even experienced administrators need help improving their internal management practices.
As organizations adopt Azure Virtual Desktop (AVD) or migrate to it from other VDI platforms, they need a detailed understanding of how Microsoft handles virtual machines (VMs) and the broader Azure environment. Unlike many other virtualization services, managing services and VMs in Azure comes with its own unique challenges and considerations.
9 best practices for Azure Virtual Desktop management
Tasks such as setting up a proper landing zone, automating management tasks, and choosing the right VM size and configuration are essential for all AVD administrators.
1. Set up a landing zone
When building an Azure environment, the first piece organizations should have in place is known as the landing zone. An Azure landing zone is a preconfigured environment designed to help deploy and manage workloads in Azure securely and efficiently.
If IT admins deploy the virtual network with the wrong configuration or design, it is difficult to change it later without affecting the active workloads.
The best practice here is to use the guidance and reference design from Microsoft as a starting point. Doing so ensures that each organization begins with a secure and scalable architecture before it builds the entire AVD environment.
2. Use automation for management tasks
When organizations implement the landing zone and other services in Azure, they also have options related to deploying and managing the environment. One of the biggest benefits of public cloud environments is the ability to automate almost everything using infrastructure as code (IaC). Admins can accomplish this by using frameworks such as Terraform or the native framework from Microsoft called Bicep.
IT can simply use the Azure portal for all of this, but that comes with challenges and limitations.
Using these third-party tools and frameworks presents a steep learning curve for many. IT departments should determine if anyone in the organization is familiar with these tools and processes to take advantage of their expertise.
Small IT departments that want to simplify management without taking on complicated management tasks can use third-party tools, such as Nerdio Manager, to automate the deployment and operations of the AVD environment.
3. Carefully plan workload sizing
Before deploying VMs in Azure, admins must learn all about resource allocation. Azure has hundreds of different SKUs for VMs, and the naming conventions may not always be intuitive.
For instance, the SKU named DCads_v5 has the properties shown in Figure 1.
Figure 1. A breakdown of the different components of an Azure VM SKU name
This VM type comes in different sizes with different amounts of virtual CPUs (vCPUs) and memory.
For AVD, the most commonly used VM SKUs include the following:
Ddsv6-series. This offers a memory-to-vCPU ratio of 8 GB per 2 vCPUs.
Edsv6-series. This offers a memory-to-vCPU ratio of 16 GB per 2 vCPUs.
NVads-A10 for Nvidia GPU or NVv4 for AMD GPU. This SKU is ideal for graphical workloads.
For high-performing data disks, a best practice is to use SSD v2 disks, which are cost-effective and provide higher performance than standard solid-state drive disks.
4. Build and distribute a golden image
Admins with a history of using Citrix or Horizon to manage golden images and session host updates need a different approach with AVD. Both Citrix and Omnissa Horizon provide native tools that manage golden images and update the session hosts with the new image, but Azure does not have this feature natively.
Best practices for managing golden images in Azure include using tools and features such as the following:
Azure VM Image Builder or HashiCorp Packer to automate image creation.
Automating the image-building process ensures your golden image is kept up to date with the latest software versions, security patches and business applications.
5. Secure the environment
Azure Virtual Desktop is known as a secure service because access to the VMs is masked behind other services from Microsoft. This means that they are not directly accessible from the internet. However, there are a few things that admins should consider with regard to AVD security:
Use Entra ID Conditional Access to require multifactor authentication (MFA) or phishing-resistant MFA to access the service.
Have endpoint detection and response and antivirus capabilities on the VMs via services such as Defender for Endpoint or third-party security tools.
Have an automated patching platform in place that ensures security updates are applied to both the OS and third-party applications. Services such as Microsoft Intune or Patch My PC can help with this.
Ensure that access to manage and operate AVD is given using least privilege. Use custom Entra ID roles to match the permissions needed, such as Desktop Virtualization User or Desktop Virtualization Reader.
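One way to check the least-privilege point above, as an added example that is not part of the original article: it takes role assignments in the shape of `az role assignment list --all -o json` and classifies every assignment that reaches an AVD application group, including those inherited from a parent scope. The subscription ID, resource names and principals are constructed, and the list of broad roles is an assumption to adjust per organization.

```python
# Roles the article names as examples of narrowly scoped AVD access.
NARROW_ROLES = {"Desktop Virtualization User", "Desktop Virtualization Reader"}
# Assumption: broad built-in roles that exceed what operating AVD needs.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
RG = SUB + "/resourceGroups/rg-avd"                          # hypothetical resource group
APP_GROUP = RG + "/providers/Microsoft.DesktopVirtualization/applicationGroups/ag-desktop"

# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "avd-users", "roleDefinitionName": "Desktop Virtualization User",
     "scope": APP_GROUP},
    {"principalName": "helpdesk", "roleDefinitionName": "Desktop Virtualization Reader",
     "scope": RG},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-other"},
    {"principalName": "svc-deploy", "roleDefinitionName": "Contributor",
     "scope": RG.upper()},  # Azure resource IDs are case-insensitive
    {"principalName": "auditors", "roleDefinitionName": "Desktop Virtualization Reader",
     "scope": SUB},
]

def covers(scope, resource_id):
    """True if an assignment made at `scope` is inherited by `resource_id`."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")

def audit(assignments, resource_id):
    """Classify every role assignment that reaches the given AVD resource."""
    findings = []
    for a in assignments:
        if not covers(a["scope"], resource_id):
            continue  # assignment does not apply to this resource
        role = a["roleDefinitionName"]
        if role in BROAD_ROLES:
            verdict = "over-privileged"
        elif role not in NARROW_ROLES:
            verdict = "review"
        elif "/resourcegroups/" not in a["scope"].lower():
            verdict = "scope-too-wide"  # narrow role, but granted on the whole subscription
        else:
            verdict = "ok"
        findings.append((a["principalName"], role, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, APP_GROUP):
        print(finding)
```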
6. Optimize UX
One important piece of AVD or any other desktop virtualization service is ensuring that admins can provide positive UX. The chosen VM SKU affects the performance, but there are also other components and features that can provide the best UX possible.
7. Manage profiles
Implementing FSLogix profile containers ensures a consistent UX across sessions, regardless of which machine the user logs on to. A common best practice is to use this in combination with Azure Files to provide a serverless file service where the profiles are stored.
8. Use ephemeral OS disks when applicable
Organizations that require even higher disk performance from their VMs should consider ephemeral OS disks for VM storage. This provides much higher IOPS and bandwidth for no additional cost. The downside of using this feature is that the VMs are deleted if they stop running or restart. Admins need to either build custom automation or use features from Nerdio or similar services to manage the workload.
9. Take advantage of AVD Shortpath
Ensure that AVD Shortpath is enabled to optimize network performance and reduce latency between end-user clients and the session hosts. This feature uses User Datagram Protocol instead of regular TCP for transfer. While this feature is enabled by default, it is easy to forget to open the necessary firewall rules that need to be in place for it to function.
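A check for the forgotten firewall rule described above, as an added example that is not part of the original article: it walks network security group (NSG) rules in priority order and reports a custom rule that denies the outbound UDP flow. Port 3478 (STUN/TURN, per Microsoft's RDP Shortpath for public networks documentation) is an assumption not stated on this page, the rule names are constructed, and address matching is simplified to `*` and the `Internet` service tag.

```python
STUN_TURN_PORT = 3478  # assumption: from Microsoft's RDP Shortpath docs, not this page

# Constructed sample in the shape of `az network nsg rule list -o json`.
SAMPLE_RULES = [
    {"name": "AllowHttpsOut", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "443", "destinationPortRanges": [],
     "destinationAddressPrefix": "Internet"},
    {"name": "DenyInternetOut", "priority": 4000, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "destinationPortRange": "*", "destinationPortRanges": [],
     "destinationAddressPrefix": "Internet"},
]

def port_matches(spec, port):
    """Match an NSG port spec: '*', a single port, or 'low-high'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def first_match(rules, direction, protocol, port):
    """Return the first custom rule, in NSG priority order, that matches the flow."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"].lower() != direction.lower():
            continue
        if r["protocol"] != "*" and r["protocol"].lower() != protocol.lower():
            continue
        if r["destinationAddressPrefix"] not in ("*", "Internet"):
            continue  # simplification: CIDR and other service tags are not evaluated
        specs = r.get("destinationPortRanges") or [r["destinationPortRange"]]
        if any(port_matches(s, port) for s in specs):
            return r
    return None  # no custom rule matched; the NSG default rules decide

def shortpath_blocked_by(rules):
    """Name of the custom rule that denies outbound UDP 3478, or None."""
    r = first_match(rules, "Outbound", "Udp", STUN_TURN_PORT)
    return r["name"] if r and r["access"] == "Deny" else None

if __name__ == "__main__":
    print(shortpath_blocked_by(SAMPLE_RULES))
```

When this returns a rule name, an explicit allow rule for the UDP flow at a lower priority number than the deny rule is what is missing.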
Marius Sandbu is a cloud evangelist for Sopra Steria in Norway who mainly focuses on end-user computing and cloud-native technology.