Azure Proactive Resiliency Library v2

Azure Virtual Desktop

Dependent Azure Resource Recommendations

Recommendation | Provider Namespace | Resource Type
Create a validation host pool for testing of planned updates | DesktopVirtualization | hostPools
Configure host pool scheduled agent updates | DesktopVirtualization | hostPools
Ensure a unique OU is used when deploying host pools with domain joined session hosts | DesktopVirtualization | hostPools
Use Azure Site Recovery or backups to protect VMs supporting personal desktops | DesktopVirtualization | hostPools
Scaling plans should be created per region and not scaled across regions | DesktopVirtualization | scalingPlans
Replicate your Image Templates to a secondary region | Compute | galleries
A minimum of three replicas should be kept for production image versions | Compute | galleries
Zone redundant storage should be used for image versions | Compute | galleries
Deploy VMs across Availability Zones | Compute | virtualMachines
Backup VMs with Azure Backup service | Compute | virtualMachines
Production VMs should be using SSD disks | Compute | virtualMachines
Configure diagnostic settings for all Azure Virtual Machines | Compute | virtualMachines
Connect on-prem networks to Azure critical workloads via multiple ExpressRoutes | Network | expressRouteCircuits
Ensure ExpressRoute’s physical links connect to distinct network edge devices | Network | expressRouteCircuits
Use Zone-redundant ExpressRoute gateway SKUs | Network | virtualNetworkGateways
Configure NSG Flow Logs | Network | networkSecurityGroups
Ensure that storage accounts are zone or region redundant | Storage | storageAccounts
Enable Azure Private Link Service for Key vault | Keyvault | vaults
Configure Service Health Alerts | Insights | activityLogAlerts

Dependent Well-Architected Framework - Reliability Recommendations


General Workload Guidance

Summary

Recommendation | Impact | Category | Automation Available | PG Verified
Monitor service health and resource health for AVD | High | Governance | No | Verified
Configure AVD Insights workbook | High | Monitoring and Alerting | No | Verified
Ensure separate log analytics workspaces for Prod and DR | Low | Disaster Recovery | No | Verified
Organize AVD resources using the AVD scale unit model described by the AVD landing zone methodology | Low | Governance | No | Verified
Monitor and plan capacity for AVD resources | Low | Disaster Recovery | No | Verified
Ensure DNS regions are replicated to avoid single point of failure | High | High Availability | No | Verified
Implement a multi-region BCDR Plan | Medium | Disaster Recovery | No | Verified
Create only one FSLogix file share per Storage Account | Medium | Storage | No | Verified
Create a dedicated FSLogix file share and setup per host pool | Medium | Storage | No | Verified
Enable Azure backup for FSLogix storage account file shares | Medium | High Availability | No | Verified
Implement RDP shortpath for public or managed networks | Medium | Other Best Practices | No | Verified
Validate AVD session hosts connectivity to the AVD control plane and that UDP ports are allowed if RDP shortpath is in use | Medium | Governance | No | Verified
Ensure secondary Entra ID connect synchronization server | Low | Security | No | Verified
Ensure virtual networks have route tables/route server configured for all regions | Medium | High Availability | No | Verified
Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR | Medium | Business Continuity | No | Verified
Ensure route tables accommodate failover | Medium | Disaster Recovery | No | Verified
Configure static routes to allow session hosts traffic to AVD control plane to go directly out of the subnet to internet | Medium | Performance | No | Verified
Create updated image version and replace session hosts rather than updating host directly | Low | Governance | No | Verified
Ensure the standard FSLogix configuration is deployed | Medium | Governance | No | Verified
Ensure user permissions are set correctly on FSLogix SMB shares | Medium | Security | No | Verified
Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix events | Medium | Monitoring and Alerting | No | Verified
Manually install FSLogix updates | Low | Governance | No | Verified
Turn on continuous availability for ANF when using it for app attach | Medium | High Availability | No | Verified
Use dedicated file share for App attach and include the storage in the disaster recovery plan | Medium | Disaster Recovery | No | Verified
Ensure resilient deployment of key vaults for AVD Host Pools | High | Disaster Recovery | No | Verified
Deploy a pair of domain controllers on Azure virtual machines across availability zones in the same region as AVD session hosts | High | Disaster Recovery | No | Verified
Deploy a pair of DNS on Azure virtual machines across availability zones in the same region as AVD session hosts | High | High Availability | No | Verified

Details


Monitor service health and resource health for AVD

Impact:  High Category:  Governance PG Verified:  Verified

Description:

Set up Service Health alerts so that you stay aware of service issues, planned maintenance, or other changes that might affect your Azure Virtual Desktop resources. Use Resource Health to monitor your VMs and storage solutions.

Potential Benefits:

Enhanced AVD error tracking and resolution
Learn More:
Learn More

ARG Query:


// Azure Resource Graph Query
// Returns one row per subscription that has no activity log alert with a ServiceHealth
// condition, i.e. subscriptions where service health alerts have not been configured for the AVD service.
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| project subscriptionAlerts=tostring(id),name,tags
| join kind=leftouter (
  resources
  // Service Health alerts are activity log alerts whose condition references ServiceHealth
  | where type == 'microsoft.insights/activitylogalerts' and properties.condition contains "ServiceHealth"
  | extend subscriptions = properties.scopes
  | project subscriptions
  // one row per subscription scope the alert covers
  | mv-expand subscriptions
  | project subscriptionAlerts = tostring(subscriptions)
) on subscriptionAlerts
// keep only subscriptions with no matching alert scope
| where isempty(subscriptionAlerts1)
| project-away subscriptionAlerts1
| project recommendationID = "0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b",id=subscriptionAlerts,name,tags, param1 = "AVDServiceHealthAlertsConfigured: False"


Configure AVD Insights workbook

Impact:  High Category:  Monitoring and Alerting PG Verified:  Verified

Description:

Configure AVD insights workbook template to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights.

Potential Benefits:

Enhanced AVD monitoring and troubleshooting
Learn More:
Learn More

ARG Query:


// cannot-be-validated-with-arg



Ensure separate log analytics workspaces for Prod and DR

Impact:  Low Category:  Disaster Recovery PG Verified:  Verified

Description:

Having separate Log Analytics workspaces for Production and DR ensures that your DR environment has fully operational visibility into the metrics, performance data, and other auditing tools your workload teams will rely on in the event of an incident.

Potential Benefits:

Improved DR visibility and operation
Learn More:
Learn More

ARG Query:


// under-development


Organize AVD resources using the AVD scale unit model described by the AVD landing zone methodology

Impact:  Low Category:  Governance PG Verified:  Verified

Description:

Follow AVD Landing Zone best practices using multiple resource groups based on resource type and associated shared resources for AVD workloads.

Potential Benefits:

Enhanced organization and scalability
Learn More:
Learn More

ARG Query:


// under-development



Monitor and plan capacity for AVD resources

Impact:  Low Category:  Disaster Recovery PG Verified:  Verified

Description:

Monitor and plan for subscription limits and API throttling limits. Keep track of resource usage within your subscription. Consider scaling across multiple subscriptions if further scaling is required.
To handle a large number of users, consider scaling horizontally by creating multiple host pools.

Potential Benefits:

Avoids limits, ensures smooth scaling
Learn More:
Capacity Planning
Learn More

ARG Query:


// under-development



Ensure DNS regions are replicated to avoid single point of failure

Impact:  High Category:  High Availability PG Verified:  Verified

Description:

Active Directory Domain Services (AD DS) integrated DNS, or any other DNS solution, should target secondary and tertiary customer DNS servers spread across multiple regions and zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure.

Potential Benefits:

Improves uptime & resilience
Learn More:
Learn More

ARG Query:


// under-development



Implement a multi-region BCDR Plan

Impact:  Medium Category:  Disaster Recovery PG Verified:  Verified

Description:

It is recommended to adopt a multi-region deployment (active-active or active-passive) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage.

Potential Benefits:

Enhanced resilience and uptime
Learn More:
Multi-region BCDR
Learn More

ARG Query:


// under-development



Create only one FSLogix file share per Storage Account

Impact:  Medium Category:  Storage PG Verified:  Verified

Description:

To maximize capacity and performance scaling, it is recommended to create only one file share per Azure Files storage account. With this approach the single file share can grow to the maximum capacity of the storage account.

Potential Benefits:

Enhanced scaling and performance
Learn More:
Learn More

ARG Query:


// cannot-be-validated-with-arg



Create a dedicated FSLogix file share and setup per host pool

Impact:  Medium Category:  Storage PG Verified:  Verified

Description:

To maximize capacity and performance scaling of the file share service and avoid user profile contention, it is recommended to create one file share target and one FSLogix setup per host pool.

Potential Benefits:

Enhanced performance
Learn More:
Learn More

ARG Query:


// under-development


Enable Azure backup for FSLogix storage account file shares

Impact:  Medium Category:  High Availability PG Verified:  Verified

Description:

It is recommended to enable backup on the FSLogix Storage Account. Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages.

Potential Benefits:

Ensures data resilience and consistency
Learn More:
FSLogix
Backup Storage Account

ARG Query:


// under-development



Implement RDP shortpath for public or managed networks

Impact:  Medium Category:  Other Best Practices PG Verified:  Verified

Description:

RDP Shortpath establishes a direct UDP-based connection between a client and the session host. By default, Remote Desktop Protocol (RDP) tries to establish connection using UDP and uses a TCP-based reverse connect transport as a fallback connection mechanism. UDP-based transport offers better connection reliability and more consistent latency.

Potential Benefits:

Better reliability and consistent latency
Learn More:
Learn More

ARG Query:


// under-development



Validate AVD session hosts connectivity to the AVD control plane and that UDP ports are allowed if RDP shortpath is in use

Impact:  Medium Category:  Governance PG Verified:  Verified

Description:

Ensure that AVD session hosts can effectively communicate with the AVD control plane and that UDP ports are open if UDP is utilized. Validate the connectivity of VMs to the AVD Control Plane and confirm the accessibility of UDP TURN ports. Whitelist global URLs and ensure that UDP/TURN ports are open and accessible to facilitate smooth user connections.

Potential Benefits:

Enhanced performance & user experience
Learn More:
Learn More
Learn More

ARG Query:


// cannot-be-validated-with-arg


Ensure secondary Entra ID connect synchronization server

Impact:  Low Category:  Security PG Verified:  Verified

Description:

In hybrid deployments, Entra ID Connect is best run in Azure but can also be hosted on-premises. One or more secondary servers should be set up in staging mode so they can take over in the event of a failover.
Set up a secondary Entra Connect server in staging mode so that synchronization to Entra ID continues in case of a primary server outage.

Potential Benefits:

Improved failover reliability
Learn More:
Learn More

ARG Query:


// under-development



Ensure virtual networks have route tables/route server configured for all regions

Impact:  Medium Category:  High Availability PG Verified:  Verified

Description:

For high availability, connections back to on-premises data centers should have backup paths across every region in use. Ensure redundancy in routing by maintaining a secondary route table in the secondary region.

Potential Benefits:

Enhanced availability & routing
Learn More:
Learn More

ARG Query:


// under-development



Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR

Impact:  Medium Category:  Business Continuity PG Verified:  Verified

Description:

Deploy an NSG and ASG per AVD persona, and use a separate IP address space for each Production and DR region.
It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. Overlapping IP address spaces across on-premises and Azure regions create major contention challenges.

Potential Benefits:

Enhances security and prevents IP conflicts
Learn More:
Learn More

ARG Query:


// under-development



Ensure route tables accommodate failover

Impact:  Medium Category:  Disaster Recovery PG Verified:  Verified

Description:

Ensure Route Tables that force tunnel traffic to FW/NVA have failover considerations evaluated and won't fail or trigger next-gen FW protections.
AVD workload teams should collaborate with centralized teams that manage the shared infrastructure, like networking, to ensure that both Production and DR workloads have the appropriate route tables in place for failover of routing to perform as expected.

Potential Benefits:

Enhanced failover reliability
Learn More:
Learn More

ARG Query:


// under-development



Configure static routes to allow session hosts traffic to AVD control plane to go directly out of the subnet to internet

Impact:  Medium Category:  Performance PG Verified:  Verified

Description:

Ensure that route tables have static routes that allow session host traffic targeting the AVD control plane to go outbound directly from the subnet to the internet (Internet next hop). This avoids the delays introduced by inspecting this trusted traffic or adding extra hops to it.
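Added example (not the APRL project's own code): an Azure PowerShell route table that sends session host traffic for the AVD control plane, addressed by the WindowsVirtualDesktop service tag, directly to the Internet next hop while the default route stays force-tunnelled to the NVA. Resource group, region, VNet/subnet/NIC names and the NVA address are placeholders.

```powershell
# Added example, not APRL's own code. Names and the NVA address are placeholders.
Import-Module Az.Network

$rg         = 'rg-avd-prod-example'
$location   = 'westeurope'
$vnetName   = 'vnet-avd-prod-example'
$subnetName = 'snet-avd-sessionhosts'
$nvaIp      = '10.10.0.4'      # private IP of the firewall / NVA that inspects everything else

# Route 1: traffic to the AVD control plane, addressed by the 'WindowsVirtualDesktop'
# service tag, leaves the subnet directly via the Internet next hop.
$toAvd = New-AzRouteConfig -Name 'AvdControlPlaneDirect' `
    -AddressPrefix 'WindowsVirtualDesktop' -NextHopType 'Internet'

# Route 2: everything else is force-tunnelled to the NVA. The service-tag route wins for
# control plane destinations because its expanded prefixes are more specific than 0.0.0.0/0.
$toNva = New-AzRouteConfig -Name 'DefaultToNva' -AddressPrefix '0.0.0.0/0' `
    -NextHopType 'VirtualAppliance' -NextHopIpAddress $nvaIp

$rt = New-AzRouteTable -Name 'rt-avd-sessionhosts' -ResourceGroupName $rg `
    -Location $location -Route $toAvd, $toNva

# Associate the table with the session host subnet. The DR region's session host
# subnet needs the same treatment so routing behaves identically after failover.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$snet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $snet.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# Verify on a session host NIC: the user-defined routes should show the AVD control
# plane entry with NextHopType 'Internet' and only the default route via the NVA.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'nic-sessionhost-01' |
    Where-Object { $_.Source -eq 'User' } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress
```

The NSG and NVA policy still apply to everything not matched by the service tag; only control plane destinations bypass inspection.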

Potential Benefits:

Enhanced performance and Disaster Recovery
Learn More:
Learn More
Learn More

ARG Query:


// under-development


Create updated image version and replace session hosts rather than updating host directly

Impact:  Low Category:  Governance PG Verified:  Verified

Description:

Establish a systematic process for handling image updates within your Azure Virtual Desktop environment. Instead of directly updating individual session hosts, create a new version of the updated image. This process involves creating and configuring a golden image with the necessary updates and configurations.

Potential Benefits:

Ensures consistency; minimizes drift
Learn More:
Learn More

ARG Query:


// under-development



Ensure the standard FSLogix configuration is deployed

Impact:  Medium Category:  Governance PG Verified:  Verified

Description:

Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices.
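Added example, not part of the APRL page: a PowerShell baseline check for the FSLogix Profile Container registry settings on a session host (HKLM:\SOFTWARE\FSLogix\Profiles). The baseline values and the VHDLocations share path are placeholders for your own standard configuration.

```powershell
# Added example, not APRL's own code. The baseline values below are placeholders for
# your organization's standard FSLogix Profile Container configuration.
$fslogixKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$baseline = [ordered]@{
    Enabled                              = 1
    VHDLocations                         = '\\stavdprofprimary.file.core.windows.net\profiles'
    VolumeType                           = 'VHDX'
    DeleteLocalProfileWhenVHDShouldApply = 1
    FlipFlopProfileDirectoryName         = 1
}

function Test-FslogixBaseline {
    param([string]$RegistryPath, [System.Collections.IDictionary]$Baseline)
    if (-not (Test-Path -Path $RegistryPath)) {
        # No key at all: FSLogix is either not installed or not configured on this host.
        return [pscustomobject]@{ Setting = '(key)'; Expected = $RegistryPath; Actual = 'missing'; Ok = $false }
    }
    $current = Get-ItemProperty -Path $RegistryPath
    foreach ($name in $Baseline.Keys) {
        $value = $current.$name
        # VHDLocations is REG_MULTI_SZ (one entry per path); flatten it for comparison.
        if ($value -is [array]) { $value = $value -join ';' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = if ($null -eq $value) { 'missing' } else { $value }
            Ok       = ("$value" -eq "$($Baseline[$name])")
        }
    }
}

$results = Test-FslogixBaseline -RegistryPath $fslogixKey -Baseline $baseline
$results | Format-Table -AutoSize
$drift = @($results | Where-Object { -not $_.Ok })
if ($drift.Count -gt 0) {
    Write-Warning ("{0}: {1} FSLogix setting(s) differ from the baseline" -f $env:COMPUTERNAME, $drift.Count)
    exit 1
}
```

Run it on every session host (for example through Invoke-Command) so configuration drift is reported per host rather than discovered during a profile load failure.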

Potential Benefits:

Optimized session reliability and performance
Learn More:
Learn More

ARG Query:


// cannot-be-validated-with-arg



Ensure user permissions are set correctly on FSLogix SMB shares

Impact:  Medium Category:  Security PG Verified:  Verified

Description:

Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event.
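Added example (not the project's own code): PowerShell that applies the FSLogix-documented NTFS permission model to a profile share root (Users: Modify on this folder only; CREATOR OWNER: Modify on subfolders and files only; administrators: Full Control) and then audits both the primary and the DR share for ACEs that would let users reach other users' containers. Share paths and group names are placeholders; share-level access on Azure Files is assumed to be granted separately.

```powershell
# Added example, not APRL's own code. Placeholders: share paths and group names.
$shareRoots  = @('\\stavdprofprimary.file.core.windows.net\profiles',   # production
                 '\\stavdprofsecondary.file.core.windows.net\profiles') # DR copy
$usersGroup  = 'CONTOSO\AVD-Users'
$adminsGroup = 'CONTOSO\AVD-Profile-Admins'

function Set-FslogixShareAcl {
    param([string]$Path, [string]$Users, [string]$Admins)
    $acl = Get-Acl -Path $Path
    # Break inheritance and discard inherited ACEs so nothing broad leaks in from the volume root.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    # Users: Modify on this folder only. Enough to create their own profile folder,
    # not enough to open anyone else's.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $Users, 'Modify', 'None', 'None', 'Allow'))
    # CREATOR OWNER: Modify on subfolders and files only, so each user owns what they created.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'CREATOR OWNER', 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'))
    # Administrators: Full Control on this folder, subfolders and files.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $Admins, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FslogixShareAcl {
    param([string]$Path, [string]$Users)
    $acl = Get-Acl -Path $Path
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) { $problems += "$Path still inherits ACEs from its parent" }
    $broadIds = @($Users, 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # An inheritable ACE for a group of users reaches every profile folder below the root,
        # which is exactly the cross-profile access this recommendation is meant to prevent.
        if ($id -in $broadIds -and $ace.InheritanceFlags -ne 'None') {
            $problems += "$Path : $id has inheritable $($ace.FileSystemRights)"
        }
    }
    return $problems
}

foreach ($root in $shareRoots) {
    Set-FslogixShareAcl -Path $root -Users $usersGroup -Admins $adminsGroup
    $issues = Test-FslogixShareAcl -Path $root -Users $usersGroup
    if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
    else { Write-Output "$root : ACL matches the FSLogix profile share baseline" }
}
```

Run the audit function on its own on a schedule; it is read-only and flags drift on the DR share before a failover depends on it.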

Potential Benefits:

Enhanced security & disaster recovery
Learn More:
Learn More

ARG Query:


// cannot-be-validated-with-arg



Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix events

Impact:  Medium Category:  Monitoring and Alerting PG Verified:  Verified

Description:

Configure diagnostic settings on FSLogix storage resources and regularly review their metrics and the FSLogix logs for errors. Events can be reviewed locally on each session host, but it is recommended to configure the AVD Insights workbook to consolidate this information in a Log Analytics workspace.

Potential Benefits:

Enhanced AVD error tracking and resolution
Learn More:
Learn More
Learn More

ARG Query:


// under-development



Manually install FSLogix updates

Impact:  Low Category:  Governance PG Verified:  Verified

Description:

Ensure a process is in place to regularly check for FSLogix agent upgrades and maintain FSLogix up to date. We recommend customers upgrade to the latest version of FSLogix as quickly as their deployment process can allow. FSLogix will provide hotfix releases which address current and potential bugs that impact customer deployments. Additionally, it is the first requirement when opening any support case.

Potential Benefits:

Enhanced reliability & support
Learn More:
Learn More

ARG Query:


// under-development



Turn on continuous availability for ANF when using it for app attach

Impact:  Medium Category:  High Availability PG Verified:  Verified

Description:

Turn on Continuous Availability if using Azure NetApp Files.
Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory.

Potential Benefits:

Enhanced stability & user limit checks
Learn More:
Learn More

ARG Query:


// under-development



Use dedicated file share for App attach and include the storage in the disaster recovery plan

Impact:  Medium Category:  Disaster Recovery PG Verified:  Verified

Description:

App Attach packages should be stored on a separate share from profiles, and the App Attach files should be backed up. Requirements can vary greatly depending on how many packaged applications are stored in an image, so you need to test your applications to understand your requirements.
Your file share should be in the same Azure region as your session hosts.

Potential Benefits:

Enhances performance and scalability
Learn More:
Learn More

ARG Query:


// under-development



Ensure resilient deployment of key vaults for AVD Host Pools

Impact:  High Category:  Disaster Recovery PG Verified:  Verified

Description:

To ensure continuous availability and disaster recovery readiness, it is recommended to provision a secondary Key Vault in a secondary region. In the event of a primary region failure, this secondary Key Vault will ensure that critical secrets are accessible for use in deployments in the secondary region.

Potential Benefits:

Ensures DR readiness and access
Learn More:
Learn More

ARG Query:


// under-development


Deploy a pair of domain controllers on Azure virtual machines across availability zones in the same region as AVD session hosts

Impact:  High Category:  Disaster Recovery PG Verified:  Verified

Description:

When using an AD DS identity solution with AVD, it is recommended to deploy domain controllers on Azure virtual machines across availability zones. This improves the environment's reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for user authentication.
This recommendation doesn't apply when using Microsoft Entra ID or Entra Domain Services joined session hosts.

Potential Benefits:

Enhanced identity resilience
Learn More:
Learn More

ARG Query:


// under-development


Deploy a pair of DNS on Azure virtual machines across availability zones in the same region as AVD session hosts

Impact:  High Category:  High Availability PG Verified:  Verified

Description:

When using custom DNS servers, it is recommended to deploy DNS servers on Azure virtual machines across availability zones. This improves the environment's reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for name resolution.

Potential Benefits:

Enhanced reliability and performance
Learn More:
Learn More

ARG Query:


// under-development