Set up Service Health alerts so that you stay aware of service issues, planned maintenance, or other changes that might affect your Azure Virtual Desktop resources. Use Resource Health to monitor your VMs and storage solutions.
Azure Resource Graph query:
// Azure Resource Graph Query
// This resource graph query will return rows if service health alerts haven't been configured for the AVD service
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| project subscriptionAlerts=tostring(id),name,tags
| join kind=leftouter (
    // Every subscription scope that is already covered by an activity log alert with a ServiceHealth condition
    resources
    | where type == 'microsoft.insights/activitylogalerts' and properties.condition contains "ServiceHealth"
    | extend subscriptions = properties.scopes
    | project subscriptions
    | mv-expand subscriptions
    | project subscriptionAlerts = tostring(subscriptions)
) on subscriptionAlerts
// Left outer join: subscriptions with no matching alert scope come back with an empty subscriptionAlerts1
| where isempty(subscriptionAlerts1)
| project-away subscriptionAlerts1
| project recommendationID = "0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b",id=subscriptionAlerts,name,tags, param1 = "AVDServiceHealthAlertsConfigured: False"
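The query above only reports subscriptions that lack a Service Health alert; the following PowerShell is an added example (not part of the APRL page or its query set) that creates the missing alert rule for the current subscription and routes it to an existing action group. It assumes Az.Accounts and Az.Monitor 3.0 or later (the object-builder cmdlets `New-AzActivityLogAlertActionGroupObject` and `New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject`); `$ResourceGroup` and `$ActionGroupName` are placeholders for your environment.

```powershell
# Added example, not part of the APRL page: create a Service Health activity log alert for the
# current subscription so that incidents, planned maintenance and advisories that can affect
# Azure Virtual Desktop are routed to an action group.
# Assumes Az.Accounts and Az.Monitor (3.0 or later, object-builder cmdlets) and an existing
# action group. $ResourceGroup and $ActionGroupName are placeholders.
param(
    [string] $ResourceGroup   = 'rg-avd-monitoring',          # placeholder
    [string] $ActionGroupName = 'ag-avd-operations',          # placeholder, must already exist
    [string] $AlertName       = 'alert-avd-service-health'
)

$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Idempotent: the Resource Graph query keys on activity log alerts whose condition contains
# "ServiceHealth" and whose scope is the subscription, so do not create a duplicate rule.
$existing = Get-AzActivityLogAlert -ResourceGroupName $ResourceGroup -Name $AlertName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Alert '$AlertName' already exists in $ResourceGroup; nothing to do."
    return
}

$actionGroup = Get-AzActionGroup -ResourceGroupName $ResourceGroup -Name $ActionGroupName
$action = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id -WebhookProperty @{}

# category = ServiceHealth matches every Service Health event type (incident, planned maintenance,
# health advisory, security advisory). Add a second leaf condition on properties.incidentType
# if you want to restrict the rule to one of them.
$condition = @(
    New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Field 'category' -Equal 'ServiceHealth'
)

New-AzActivityLogAlert -Name $AlertName `
    -ResourceGroupName $ResourceGroup `
    -Location 'Global' `
    -Scope $scope `
    -Condition $condition `
    -Action $action `
    -Description 'Service Health events for the subscription hosting Azure Virtual Desktop'
```

Run the Resource Graph query again afterwards: the subscription should no longer be returned, because its `/subscriptions/<id>` scope now appears in `properties.scopes` of an alert whose condition contains `ServiceHealth`.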
Configure AVD Insights workbook
Impact: High | Category: Monitoring and Alerting | PG Verified: Verified
Description:
Configure AVD insights workbook template to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights.
Having a separate Log Analytics workspace ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident.
Monitor and plan for subscription limits and API throttling limits. Keep track of resource usage within your subscription. Consider scaling across multiple subscriptions if further scaling is required.
To handle a large number of users, consider scaling horizontally by creating multiple host pools.
Active Directory Domain Services (AD DS) integrated DNS/other should target Secondary/Tertiary customer DNS across multi-region zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure.
It is recommended to adopt a multi-region deployment (active-active or active-passive) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage.
Azure Resource Graph query:
//under-development
Create only one FSLogix file share per Storage Account
Impact: Medium | Category: Storage | PG Verified: Verified
Description:
To maximize capacity and performance scaling, it is recommended to create only one file share per Azure Files storage account. With this approach the single file share can grow to the maximum capacity of the storage account.
Azure Resource Graph query:
//cannot-be-validated-with-arg
Create a dedicated FSLogix file share and setup per host pool
Impact: Medium | Category: Storage | PG Verified: Verified
Description:
To maximize capacity and performance scaling of the file share service and to avoid user profile contention, it is recommended to create one file share target and FSLogix setup per host pool.
It is recommended to enable backup on the FSLogix Storage Account. Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages.
Azure Resource Graph query:
//under-development
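Neither of the two FSLogix storage recommendations above (one share per storage account, backup enabled on the profile share) has a Resource Graph query yet, so here is an added PowerShell audit that is not part of the APRL page. It assumes Az.Storage and Az.RecoveryServices, that FSLogix storage accounts carry an identifying tag (placeholder name/value below), and that an Azure Files backup item's `FriendlyName` is the share name and its `ContainerName` ends with the storage account name (an assumption about the current output format of `Get-AzRecoveryServicesBackupItem`).

```powershell
# Added example, not part of the APRL page: audit FSLogix storage accounts for
# (1) more than one file share per storage account and (2) shares with no Azure Files backup.
# Assumes Az.Storage and Az.RecoveryServices; the tag that marks FSLogix storage accounts
# is a placeholder.
param(
    [string] $TagName  = 'workload',   # placeholder
    [string] $TagValue = 'fslogix'     # placeholder
)

# All Azure Files backup items across every Recovery Services vault visible in this context.
$backupItems = foreach ($vault in Get-AzRecoveryServicesVault) {
    Get-AzRecoveryServicesBackupItem -VaultId $vault.ID `
        -BackupManagementType AzureStorage -WorkloadType AzureFiles -ErrorAction SilentlyContinue
}

$report = foreach ($sa in Get-AzStorageAccount | Where-Object { $_.Tags[$TagName] -eq $TagValue }) {
    $shares = Get-AzRmStorageShare -ResourceGroupName $sa.ResourceGroupName -StorageAccountName $sa.StorageAccountName

    # Assumption: a backup item's ContainerName ends with ";<storage account name>" and its
    # FriendlyName is the share name; only items in state Protected count as backed up.
    $unprotected = foreach ($share in $shares) {
        $protected = $backupItems | Where-Object {
            $_.ContainerName -like "*;$($sa.StorageAccountName)" -and
            $_.FriendlyName -eq $share.Name -and
            $_.ProtectionState -eq 'Protected'
        }
        if (-not $protected) { $share.Name }
    }

    [pscustomobject]@{
        StorageAccount      = $sa.StorageAccountName
        Region              = $sa.Location
        ShareCount          = @($shares).Count
        OneSharePerAccount  = (@($shares).Count -le 1)   # recommendation: exactly one share per account
        SharesWithoutBackup = ($unprotected -join ', ')
    }
}

$report | Format-Table -AutoSize
```

A row with `OneSharePerAccount` false means the account's shares compete for the account's capacity and IOPS ceiling; a non-empty `SharesWithoutBackup` column lists profile shares whose loss would cost user data.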
Implement RDP shortpath for public or managed networks
Impact: Medium | Category: Other Best Practices | PG Verified: Verified
Description:
RDP Shortpath establishes a direct UDP-based connection between a client and the session host. By default, Remote Desktop Protocol (RDP) tries to establish a connection using UDP and uses a TCP-based reverse connect transport as a fallback connection mechanism. UDP-based transport offers better connection reliability and more consistent latency.
Ensure that AVD session hosts can effectively communicate with the AVD control plane and that UDP ports are open if UDP is utilized. Validate the connectivity of VMs to the AVD Control Plane and confirm the accessibility of UDP TURN ports. Whitelist global URLs and ensure that UDP/TURN ports are open and accessible to facilitate smooth user connections.
Azure Resource Graph query:
//cannot-be-validated-with-arg
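Because this cannot be validated from Resource Graph, the check has to run on the session host itself. The script below is an added example, not part of the APRL page: it applies the registry values and host firewall rule that Microsoft documents for RDP Shortpath for managed networks (`fUseUdpPortRedirector`, `UdpPortRedirectorPort`, UDP 3390), then reports whether recent sessions actually negotiated UDP. The event ID used for that last check (135 in the RdpCoreCDV operational log) is an assumption to confirm against your Windows build.

```powershell
# Added example, not part of the APRL page: enable RDP Shortpath for managed networks on a
# session host and verify that sessions actually negotiate UDP. Run elevated on the session host.
# Registry values and port 3390 are the documented Shortpath for managed networks settings; the
# event ID used for verification is an assumption to confirm against your build.
param([switch] $Configure)

$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

if ($Configure) {
    New-Item -Path $tsPolicy -Force | Out-Null
    # Make the RDP stack listen for Shortpath (UDP) connections on a dedicated port.
    Set-ItemProperty -Path $tsPolicy -Name 'fUseUdpPortRedirector' -Value 1    -Type DWord
    Set-ItemProperty -Path $tsPolicy -Name 'UdpPortRedirectorPort' -Value 3390 -Type DWord

    # Host firewall: allow the inbound UDP listener on domain/private profiles only.
    if (-not (Get-NetFirewallRule -DisplayName 'RDP Shortpath (UDP-In)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'RDP Shortpath (UDP-In)' -Direction Inbound `
            -Protocol UDP -LocalPort 3390 -Action Allow -Profile Domain, Private | Out-Null
    }
    Write-Host 'Shortpath for managed networks configured; restart the session host to activate the listener.'
}

# --- Verification of the host-side configuration ---
$cfg = Get-ItemProperty -Path $tsPolicy -ErrorAction SilentlyContinue
[pscustomobject]@{
    UdpRedirectorEnabled = ($cfg.fUseUdpPortRedirector -eq 1)
    UdpListenerPort      = $cfg.UdpPortRedirectorPort
    # After a restart the RDP service should own a UDP endpoint on the configured port.
    UdpListenerPresent   = [bool](Get-NetUDPEndpoint -LocalPort 3390 -ErrorAction SilentlyContinue)
    FirewallRuleEnabled  = [bool](Get-NetFirewallRule -DisplayName 'RDP Shortpath (UDP-In)' -ErrorAction SilentlyContinue |
                                  Where-Object Enabled -eq 'True')
}

# --- Transport actually used by recent sessions (covers Shortpath for public and managed networks) ---
# Assumption: event 135 in the RdpCoreCDV operational log records the transport chosen per connection;
# a message mentioning UDP means Shortpath was used, otherwise the session fell back to TCP reverse connect.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational'; Id = 135 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Transport'; e = { if ($_.Message -match 'UDP') { 'UDP (Shortpath)' } else { 'TCP (reverse connect)' } } }
```

If every recent connection shows TCP although the host-side settings are correct, the blocker is usually in the path described above: UDP not allowed between client and session host (managed networks) or outbound UDP to the STUN/TURN endpoints blocked (public networks).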
Ensure secondary Entra ID connect synchronization server
Impact: Low | Category: Security | PG Verified: Verified
Description:
Hybrid: Entra ID Connect is best run in Azure but can be hosted on-premises. One or more secondary VMs should be set up in staging mode in the event of failover.
Set up a secondary server in staging mode for Entra Connect to keep syncing to Entra in case of a primary server outage.
For high availability, connections back to on-premises data centers should consider backup paths across the regions that have been utilized. Ensure redundancy in routing by having a secondary route table in the secondary region.
Use a dedicated NSG and ASG per AVD persona, and a separate IP space per Prod/DR region.
It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. Overlapping IP address spaces across on-premises and Azure regions create major contention challenges.
Ensure that route tables which force-tunnel traffic to a firewall/NVA have had their failover considerations evaluated, so that a failover neither breaks routing nor triggers next-generation firewall protections.
AVD workload teams should collaborate with centralized teams that manage the shared infrastructure, like networking, to ensure that both Production and DR workloads have the appropriate route tables in place for failover of routing to perform as expected.
Ensure that route tables have static routes that let session host traffic destined for the AVD control plane go outbound directly from the subnet to the internet (next hop Internet); this avoids the delay of inspecting trusted traffic or adding extra hops to its path.
Azure Resource Graph query:
//under-development
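Until the Resource Graph query exists, the routing points above can be checked with PowerShell. The script below is an added example, not part of the APRL page: it finds route tables that force-tunnel `0.0.0.0/0` to a virtual appliance, reports whether they also carry a more specific route sending the `WindowsVirtualDesktop` service tag straight to the internet, optionally adds that route, and flags any session-host region without a route table of its own (the DR failover gap described above). It assumes Az.Network and Az.Compute and that session hosts carry a placeholder tag `workload=avd`.

```powershell
# Added example, not part of the APRL page: audit force-tunneled route tables for a direct
# AVD control-plane egress route and check that every session-host region has a route table.
# Assumes Az.Network and Az.Compute; the session-host tag is a placeholder. Pass -Remediate
# to add the missing bypass route.
param([switch] $Remediate)

$routeTables = Get-AzRouteTable

foreach ($rt in $routeTables) {
    $forceTunnel = $rt.Routes | Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' -and $_.NextHopType -eq 'VirtualAppliance' }
    if (-not $forceTunnel) { continue }   # no forced tunneling, nothing to bypass

    # A route for a service tag is more specific than 0.0.0.0/0 and therefore wins, so this one
    # route keeps session host <-> control plane traffic off the NVA path.
    $bypass = $rt.Routes | Where-Object { $_.AddressPrefix -eq 'WindowsVirtualDesktop' -and $_.NextHopType -eq 'Internet' }

    [pscustomobject]@{
        RouteTable      = $rt.Name
        Region          = $rt.Location
        ForceTunnelTo   = $forceTunnel.NextHopIpAddress
        AvdDirectEgress = [bool]$bypass
    }

    if (-not $bypass -and $Remediate) {
        $rt | Add-AzRouteConfig -Name 'avd-control-plane-direct' -AddressPrefix 'WindowsVirtualDesktop' -NextHopType Internet |
            Set-AzRouteTable | Out-Null
        Write-Host "Added WindowsVirtualDesktop -> Internet route to $($rt.Name)"
    }
}

# Failover coverage: every region that hosts AVD session hosts should have its own route table,
# otherwise the DR region's hosts get neither the force-tunnel route nor the bypass.
$sessionHostRegions = Get-AzVM | Where-Object { $_.Tags['workload'] -eq 'avd' } |   # placeholder tag
    Select-Object -ExpandProperty Location -Unique
foreach ($region in $sessionHostRegions) {
    if (-not ($routeTables | Where-Object Location -eq $region)) {
        Write-Warning "No route table in $region; session hosts there have no force-tunnel/bypass routing for failover."
    }
}
```

Review the `ForceTunnelTo` column together with the NVA's own failover design: a next hop that is a single appliance IP rather than a load-balancer front end is the kind of single point of failure the recommendation warns about.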
Create updated image version and replace session hosts rather than updating host directly
Impact: Low | Category: Governance | PG Verified: Verified
Description:
Establish a systematic process for handling image updates within your Azure Virtual Desktop environment. Instead of directly updating individual session hosts, create a new version of the updated image. This process involves creating and configuring a golden image with the necessary updates and configurations.
Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices.
Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event.
Azure Resource Graph query:
//cannot-be-validated-with-arg
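The FSLogix configuration and share-permission checks above live inside the session host and on the file share, which is why Resource Graph cannot validate them. The script below is an added example, not part of the APRL page: it compares the session host's FSLogix profile settings with a baseline and inspects the NTFS ACL on the profile share root for the permission model FSLogix prescribes (users Modify on the root only, CREATOR OWNER Modify on subfolders and files only, Administrators Full Control). The baseline values and the share path are placeholders for your environment.

```powershell
# Added example, not part of the APRL page: validate a session host's FSLogix profile settings
# against a baseline and check the NTFS permissions on the profile share root. Run on a session
# host (or via Invoke-Command). Baseline values and share path are placeholders.
param(
    [string] $ProfileShare = '\\stfslogixprod.file.core.windows.net\profiles'   # placeholder
)

# The standard configuration every session host in the pool is expected to carry.
$baseline = @{
    Enabled                              = 1
    VHDLocations                         = @($ProfileShare)   # REG_MULTI_SZ, add the DR path as a second entry if you use one
    DeleteLocalProfileWhenVHDShouldApply = 1
    FlipFlopProfileDirectoryName         = 1
}

$regPath = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$actual  = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

$drift = foreach ($name in $baseline.Keys) {
    $expected = $baseline[$name]
    $current  = $actual.$name
    # VHDLocations is a multi-string, so compare it as a set; everything else is a scalar DWORD.
    $ok = if ($expected -is [array]) {
        $current -and -not (Compare-Object @($expected) @($current))
    } else { $current -eq $expected }
    if (-not $ok) {
        [pscustomobject]@{ Setting = $name; Expected = ($expected -join ';'); Actual = ($current -join ';') }
    }
}
if ($drift) { Write-Warning 'FSLogix configuration drift detected:'; $drift | Format-Table -AutoSize }
else        { Write-Host 'FSLogix profile configuration matches the baseline.' }

# Share root ACL. Users need Modify on the root only (to create their own folder), CREATOR OWNER
# needs Modify on subfolders/files only (so each user owns just their own profile folder), and
# Administrators need Full Control.
$acl = Get-Acl -Path $ProfileShare
$acl.Access | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags | Format-Table -AutoSize

$overPrivileged = $acl.Access | Where-Object {
    $_.FileSystemRights -match 'FullControl' -and $_.IdentityReference -notmatch 'Administrators|SYSTEM'
}
if ($overPrivileged) {
    Write-Warning "Non-admin identities with Full Control on ${ProfileShare}: $($overPrivileged.IdentityReference -join ', ')"
}
if (-not ($acl.Access | Where-Object { $_.IdentityReference -eq 'CREATOR OWNER' -and $_.PropagationFlags -match 'InheritOnly' })) {
    Write-Warning 'No inherit-only CREATOR OWNER entry: users may be able to browse other users'' profile folders.'
}
```

Run the same script with the secondary (DR) share path to cover the last sentence of the recommendation: the ACL on the DR share is easy to forget because nobody logs on through it until a failover.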
Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix events
Impact: Medium | Category: Monitoring and Alerting | PG Verified: Verified
Description:
Configure diagnostic settings on FSLogix storage resources and regularly review their metrics and FSLogix logs for errors. Events can be reviewed locally inside the session host, but it is recommended to configure the AVD Insights workbook to consolidate this information in a Log Analytics workspace.
Azure Resource Graph query:
//under-development
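This recommendation and the earlier "Configure AVD Insights workbook" one both come down to the same plumbing: diagnostic settings that send the AVD and FSLogix storage telemetry to the Log Analytics workspace the workbook reads. The script below is an added example, not part of the APRL page: it enables the host pool and workspace log categories AVD Insights expects, enables file-service logs and transaction metrics on the FSLogix storage account, and pulls recent FSLogix errors from the session host's own event log. It assumes Az.Monitor 3.0 or later (the `New-AzDiagnosticSetting*` object-builder cmdlets), Az.DesktopVirtualization and Az.Storage; resource names and the workspace ID are placeholders.

```powershell
# Added example, not part of the APRL page: route AVD host pool/workspace diagnostics and the
# FSLogix storage account's file-service logs and metrics to one Log Analytics workspace, then
# list recent FSLogix errors on this session host. Assumes Az.Monitor 3.0+ (object-builder
# cmdlets), Az.DesktopVirtualization and Az.Storage; names below are placeholders.
param(
    [string] $ResourceGroup  = 'rg-avd-prod',                                                        # placeholder
    [string] $WorkspaceId    = '/subscriptions/<sub-id>/resourceGroups/rg-avd-prod/providers/Microsoft.OperationalInsights/workspaces/law-avd-prod',  # placeholder
    [string] $StorageAccount = 'stfslogixprod'                                                       # placeholder
)

function Enable-LogCategories {
    param([string] $ResourceId, [string[]] $LogCategories, [string[]] $MetricCategories = @())
    $logs    = foreach ($c in $LogCategories)    { New-AzDiagnosticSettingLogSettingsObject    -Category $c -Enabled $true }
    $metrics = foreach ($c in $MetricCategories) { New-AzDiagnosticSettingMetricSettingsObject -Category $c -Enabled $true }
    $params = @{ Name = 'avd-insights'; ResourceId = $ResourceId; WorkspaceId = $WorkspaceId; Log = $logs }
    if ($metrics) { $params.Metric = $metrics }
    New-AzDiagnosticSetting @params | Out-Null
}

# Host pools and workspaces: the log categories the AVD Insights workbook queries.
foreach ($hp in Get-AzWvdHostPool -ResourceGroupName $ResourceGroup) {
    Enable-LogCategories -ResourceId $hp.Id -LogCategories 'Checkpoint', 'Error', 'Management', 'Connection', 'HostRegistration', 'AgentHealthStatus'
}
foreach ($ws in Get-AzWvdWorkspace -ResourceGroupName $ResourceGroup) {
    Enable-LogCategories -ResourceId $ws.Id -LogCategories 'Checkpoint', 'Error', 'Management', 'Feed'
}

# FSLogix storage: diagnostics are configured on the file-service sub-resource, not the account.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
Enable-LogCategories -ResourceId "$($sa.Id)/fileServices/default" `
    -LogCategories 'StorageRead', 'StorageWrite', 'StorageDelete' -MetricCategories 'Transaction'

# Session-host side: FSLogix writes to its own event log; level 2 (Error) entries here are the
# first thing to review when a profile fails to attach.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-FSLogix-Apps/Operational'; Level = 2 } -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Point `$WorkspaceId` at the DR region's workspace when you run this against DR resources: the "separate Log Analytics" guidance above means each environment should keep its own copy of this telemetry.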
Manually install FSLogix updates
Impact: Low | Category: Governance | PG Verified: Verified
Description:
Ensure a process is in place to regularly check for FSLogix agent upgrades and keep FSLogix up to date. We recommend customers upgrade to the latest version of FSLogix as quickly as their deployment process can allow. FSLogix will provide hotfix releases which address current and potential bugs that impact customer deployments. Additionally, it is the first requirement when opening any support case.
Turn on Continuous Availability if using Azure NetApp Files.
Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory.
App Attach packages should be on a separate share from profiles, and App Attach files should be backed up. Requirements can vary greatly depending on how many packaged applications are stored in an image, and you need to test your applications to understand your requirements.
Your file share should be in the same Azure region as your session hosts.
To ensure continuous availability and disaster recovery readiness, it is recommended to provision a secondary Key Vault in a secondary region. In the event of a primary region failure, this secondary Key Vault will ensure that critical secrets are accessible for use in deployments in the secondary region.
When using an AD DS identity solution with AVD, it is recommended to deploy domain controllers on Azure virtual machines across availability zones. This improves the environment's reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for user authentication.
This recommendation doesn't apply when using Microsoft Entra ID or Entra Domain Services joined session hosts.
When using custom DNS servers, it is recommended to deploy DNS servers on Azure virtual machines across availability zones. This improves the environment's reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for name resolution.
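The DNS and domain-controller guidance above (redundant DNS servers, no single on-premises dependency, VMs across availability zones, more than one region) can be checked from the subscription. The script below is an added example, not part of the APRL page: for each virtual network it lists the configured DNS servers, maps each one back to the Azure VM that owns the IP (or notes that it is outside Azure), and warns when there are fewer than two servers or they share a zone; it then summarises domain controllers per region and zone. It assumes Az.Network and Az.Compute and that domain controllers carry a placeholder tag `role=domain-controller`; virtual networks using Azure-provided DNS are reported and skipped.

```powershell
# Added example, not part of the APRL page: check name-resolution and AD DS resilience for AVD.
# Which DNS servers each VNet uses, whether they are zone-spread Azure VMs or an on-premises
# dependency, and whether domain controllers span zones and regions.
# Assumes Az.Network and Az.Compute; the domain-controller tag is a placeholder.
param(
    [string] $DcTagName  = 'role',               # placeholder
    [string] $DcTagValue = 'domain-controller'   # placeholder
)

$nics = Get-AzNetworkInterface
$vms  = Get-AzVM

# Map a private IP back to the VM that owns it; $null means the IP is not an Azure VM in this context.
function Resolve-VmByIp([string] $Ip) {
    $nic = $nics | Where-Object { $_.IpConfigurations.PrivateIpAddress -contains $Ip } | Select-Object -First 1
    if (-not $nic -or -not $nic.VirtualMachine) { return $null }
    $vms | Where-Object { $_.Id -eq $nic.VirtualMachine.Id }
}

foreach ($vnet in Get-AzVirtualNetwork) {
    $dns = @($vnet.DhcpOptions.DnsServers)
    if ($dns.Count -eq 0) {
        Write-Host "$($vnet.Name) ($($vnet.Location)): Azure-provided DNS, nothing to assess"
        continue
    }
    $servers = foreach ($ip in $dns) {
        $vm = Resolve-VmByIp $ip
        [pscustomobject]@{ VNet = $vnet.Name; DnsServer = $ip; VM = $vm.Name; Zone = ($vm.Zones -join ','); InAzure = [bool]$vm }
    }
    $servers | Format-Table -AutoSize

    if ($dns.Count -lt 2)                            { Write-Warning "$($vnet.Name): a single DNS server is a single point of failure" }
    if ($servers | Where-Object { -not $_.InAzure }) { Write-Warning "$($vnet.Name): DNS depends on a server outside Azure (on-premises path)" }
    $zones = @($servers | Where-Object Zone | Select-Object -ExpandProperty Zone -Unique)
    if ($zones.Count -lt 2)                          { Write-Warning "$($vnet.Name): DNS servers are not spread across availability zones" }
}

# Domain controllers: at least two zones per region, and more than one region for a multi-region design.
$dcs = @($vms | Where-Object { $_.Tags[$DcTagName] -eq $DcTagValue })
$dcs | Group-Object Location | ForEach-Object {
    $zones = @($_.Group.Zones | Select-Object -Unique)
    [pscustomobject]@{ Region = $_.Name; DomainControllers = $_.Count; Zones = ($zones -join ','); ZoneRedundant = ($zones.Count -ge 2) }
} | Format-Table -AutoSize

if (@($dcs | Select-Object -ExpandProperty Location -Unique).Count -lt 2) {
    Write-Warning 'Domain controllers exist in only one region; a regional outage takes authentication down with it'
}
```

The two warnings that matter most for a DR plan are the "outside Azure" one (the on-premises dependency the recommendation asks you to remove) and the single-region one; an empty `Zone` column for an Azure VM means it was deployed without an availability zone.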