Azure Proactive Resiliency Library v2
Tools Glossary GitHub GitHub Issues Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

Azure Virtual Desktop

Dependent Azure Resource Recommendations

RecommendationProvider NamespaceResource Type
Create a validation host poolDesktopVirtualizationhostPools
Configure host pool scheduled agent updatesDesktopVirtualizationhostPools
Ensure a unique OU is used when deploying host pools with domain joined session hostsDesktopVirtualizationhostPools
[Use Azure Site Recovery to protect stateful session hosts](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#use-azure-site-recovery-to-protect-stateful-session hosts)DesktopVirtualizationhostPools
Create scaling plans per regionDesktopVirtualizationscalingPlans
Replicate your image templates to a secondary regionComputevirtualMachineImages
Create image Versions replicas in secondary regionComputegalleries
Configure image version replica count per regionComputegalleries
A minimum of three replicas should be kept for production image versionsComputegalleries
Zone redundant storage should be used for image versionsComputegalleries
Deploy VMs across Availability ZonesComputevirtualMachines
Backup VMs with Azure Backup serviceComputevirtualMachines
Mission Critical Workloads should consider using Premium or Ultra DisksComputevirtualMachines
Configure diagnostic settings for all Azure Virtual MachinesComputevirtualMachines
Connect on-prem networks to Azure critical workloads via multiple ExpressRoutesNetworkexpressRouteCircuits
Ensure ExpressRoute’s physical links connect to distinct network edge devicesNetworkexpressRouteCircuits
Use Zone-redundant ExpressRoute gateway SKUsNetworkvirtualNetworkGateways
Ensure that storage accounts are zone or region redundantStoragestorageAccounts
Enable Azure Private Link Service for Key vaultKeyvaultvaults
Configure Service Health AlertsInsightsactivityLogAlerts

General Workload Guidance

Summary

RecommendationImpactCategoryAutomation AvailableIn Azure Advisor
Monitor service health and resource health for AVDHighGovernanceYesNo
Configure AVD Insights workbookHighMonitoring and AlertingNoNo
Ensure separate log analytics workspaces for Prod and DRLowDisaster RecoveryNoNo
Organize AVD resources using the AVD scale unit model described by the AVD landing zone methodologyLowGovernanceNoNo
Monitor and plan capacity for AVD resourcesLowDisaster RecoveryNoNo
Ensure DNS regions are replicated to avoid single point of failureHighHigh AvailabilityNoNo
Implement a multi-region BCDR PlanHighDisaster RecoveryNoNo
Create only one FSLogix file share per Storage AccountMediumScalabilityNoNo
Create a dedicated FSLogix file share and setup per host poolMediumScalabilityNoNo
Enable Azure backup for FSLogix storage account file sharesMediumHigh AvailabilityNoNo
Implement RDP shortpath for public or managed networksMediumOther Best PracticesNoNo
Ensure AVD session hosts connect to control plane & allow UDP ports for RDP shortpathMediumGovernanceNoNo
Ensure secondary Entra ID connect synchronization serverLowSecurityNoNo
Ensure virtual networks have route tables/route server configured for all regionsMediumHigh AvailabilityNoNo
Ensure virtual networks isolation with separate IP space and NSGs for Prod and DRMediumBusiness ContinuityNoNo
Configure static routes for session hosts to directly access the AVD control plane subnetMediumOther Best PracticesNoNo
Create updated image version and replace session hosts rather than updating host directlyLowGovernanceNoNo
Ensure the standard FSLogix configuration is deployedMediumGovernanceNoNo
Ensure user permissions are set correctly on FSLogix SMB sharesMediumSecurityNoNo
Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix eventsMediumMonitoring and AlertingNoNo
Manually install FSLogix updatesLowGovernanceNoNo
Turn on continuous availability for ANF when using it for app attachMediumHigh AvailabilityNoNo
Use dedicated file share for App attach and include the storage in the disaster recovery planMediumDisaster RecoveryNoNo
Ensure resilient deployment of key vaults for AVD Host PoolsHighDisaster RecoveryNoNo
Deploy multiple domain controllers across availability zones in each region with AVD session hosts.HighDisaster RecoveryNoNo
Deploy two or more DNS servers across availability zones in each region with AVD session hosts.HighHigh AvailabilityNoNo

Details

Monitor service health and resource health for AVD

Impact:  High Category:  Governance

APRL GUID:  0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b

Description:

Set up Service Health alerts so that you stay aware of service issues, planned maintenance, or other changes that might affect your Azure Virtual Desktop resources. Use Resource Health to monitor your VMs and storage solutions.

Potential Benefits:

Enhanced AVD error tracking and resolution
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// Azure Resource Graph Query
// This resource graph query, will return rows if service health alerts haven't been configured for AVD service
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| project subscriptionAlerts=tostring(id),name,tags
| join kind=leftouter (
  resources
  | where type == 'microsoft.insights/activitylogalerts' and properties.condition contains "ServiceHealth"
  | extend subscriptions = properties.scopes
  | project subscriptions
  | mv-expand subscriptions
  | project subscriptionAlerts = tostring(subscriptions)
) on subscriptionAlerts
| where isempty(subscriptionAlerts1)
| project-away subscriptionAlerts1
| project recommendationId = "0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b",id=subscriptionAlerts,name,tags, param1 = "AVDServiceHealthAlertsConfigured: False"

Configure AVD Insights workbook

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  0cf72d91-644d-4591-9bb7-84ba3f705a41

Description:

Configure AVD insights workbook template to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights.

Potential Benefits:

Enhanced AVD monitoring and troubleshooting
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg

Ensure separate log analytics workspaces for Prod and DR

Impact:  Low Category:  Disaster Recovery

APRL GUID:  89b4d8f6-6345-4d66-9012-c3fc2aef94e8

Description:

Having separate Log Analytics ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident.

Potential Benefits:

Improved DR visibility and operation
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Organize AVD resources using the AVD scale unit model described by the AVD landing zone methodology

Impact:  Low Category:  Governance

APRL GUID:  204b56b0-9710-4c16-b506-bafb5fb318ed

Description:

Follow AVD Landing Zone best practices using multiple resource groups based on resource type and associated shared resources for AVD workloads.

Potential Benefits:

Enhanced organization and scalability
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Monitor and plan capacity for AVD resources

Impact:  Low Category:  Disaster Recovery

APRL GUID:  ef4b3561-c85f-47cf-8cb0-51fae9ddf929

Description:

Monitor and plan for subscription limits and API throttling limits. Keep track of resource usage within your subscription. Consider scaling across multiple subscriptions if further scaling is required.
To handle a large number of users, consider scaling horizontally by creating multiple host pools.

Potential Benefits:

Avoids limits, ensures smooth scaling
Learn More:
Capacity Planning
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Ensure DNS regions are replicated to avoid single point of failure

Impact:  High Category:  High Availability

APRL GUID:  e1a34ac6-8761-4020-b537-d60c0be7514e

Description:

Active Directory Domain Services (AD DS) integrated DNS/other should target Secondary/Tertiary customer DNS across multi-region zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure.

Potential Benefits:

Improves uptime & resilience
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Implement a multi-region BCDR Plan

Impact:  High Category:  Disaster Recovery

APRL GUID:  0714d039-535e-468d-9732-e32b5c094faa

Description:

It is recommended to adopt a multi-region deployment (active-active or active-passive) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage.

Potential Benefits:

Enhanced resilience and uptime
Learn More:
Multi-region BCDR
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Create only one FSLogix file share per Storage Account

Impact:  Medium Category:  Scalability

APRL GUID:  ed1f0327-0914-49e8-9518-16acb0d6b8d6

Description:

To maximize capacity and performance scaling it is recommended to creat only one file share per Azure files storage account, with this approach the single file share will be able to grow to the maximum capacities of the storage account.

Potential Benefits:

Enhanced scaling and performance
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg

Create a dedicated FSLogix file share and setup per host pool

Impact:  Medium Category:  Scalability

APRL GUID:  ff916698-7507-4519-b545-c94dd81d73c5

Description:

To maximize capacity and performance scaling of the file share service and avoid user's profile contention, it is recommended to create one file share target and FSLogix setup per host pool.

Potential Benefits:

Enhanced performance
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Enable Azure backup for FSLogix storage account file shares

Impact:  Medium Category:  High Availability

APRL GUID:  0025ed2e-41f4-4ada-93c1-12484cef8b0c

Description:

It is recommended to enable backup on the FSLogix Storage Account. Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages.

Potential Benefits:

Ensures data resilience and consistency
Learn More:
FSLogix
Backup Storage Account

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Implement RDP shortpath for public or managed networks

Impact:  Medium Category:  Other Best Practices

APRL GUID:  3835b4b3-0479-4be8-9ffd-34ae29fa33b9

Description:

RDP Shortpath establishes a direct UDP-based connection between a client and the session host. By default, RDP tries to use UDP and falls back to TCP if needed. UDP transport offers better connection reliability and consistent latency.

Potential Benefits:

Better reliability and consistent latency
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Ensure AVD session hosts connect to control plane & allow UDP ports for RDP shortpath

Impact:  Medium Category:  Governance

APRL GUID:  e718ac1a-ebab-4f75-9e4a-1a5ccef20d1f

Description:

Ensure AVD session hosts can communicate with the AVD control plane and that UDP ports are open if used. Validate VM connectivity to the AVD Control Plane and confirm UDP TURN port accessibility. Whitelist global URLs and ensure UDP/TURN ports are open for smooth user connections.

Potential Benefits:

Enhanced performance & user experience
Learn More:
Learn More
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg

Ensure secondary Entra ID connect synchronization server

Impact:  Low Category:  Security

APRL GUID:  d984eaf9-0fa1-4f8d-a326-bda751993c6f

Description:

Hybrid - Entra ID Connect best to run in Azure but can be hosted on-prem. Secondary or more VMs should be setup in staging mode in event of failover.
Set up secondary server in staging mode for Entra Connect for syncing to Entra in case of primary server outage.

Potential Benefits:

Improved failover reliability
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Ensure virtual networks have route tables/route server configured for all regions

Impact:  Medium Category:  High Availability

APRL GUID:  db1727d1-5c8e-4a01-a31e-f0d58cfd95b1

Description:

For high availability connections back to on-premises data centers should consider backup paths across the regions that have been utilized. Ensure redundancy in routing by having a secondary route table in the secondary region.

Potential Benefits:

Enhanced availability & routing
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR

Impact:  Medium Category:  Business Continuity

APRL GUID:  37d1091b-e599-4548-a067-a9286be16e45

Description:

NSG and ASG per AVD persona and IP space per Prod/DR regions. Plan IP addressing to avoid overlaps between on-premises and Azure regions, preventing major contention challenges.

Potential Benefits:

Enhances security and prevents IP conflicts
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Configure static routes for session hosts to directly access the AVD control plane subnet

Impact:  Medium Category:  Other Best Practices

APRL GUID:  1c6c97d7-4d03-4f53-985d-fa239f715173

Description:

Ensure Route Tables have static routes for session host traffic targeting the AVD control plane to go directly to the internet (next hop). This avoids delays from additional hops or inspections in trusted traffic communication.

Potential Benefits:

Enhanced performance and Disaster Recovery
Learn More:
Learn More
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Create updated image version and replace session hosts rather than updating host directly

Impact:  Low Category:  Governance

APRL GUID:  2831dab9-6a43-44a1-8aec-90a8e84894bc

Description:

Establish a process for handling image updates in your AVD environment. Instead of updating session hosts directly, create a new version of the updated image. This involves creating and configuring a golden image with the necessary updates and configurations.

Potential Benefits:

Ensures consistency; minimizes drift
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Ensure the standard FSLogix configuration is deployed

Impact:  Medium Category:  Governance

APRL GUID:  c15b2b73-52a1-4db2-88dd-d592424ff4e4

Description:

Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices.

Potential Benefits:

Optimized session reliability and performance
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg

Ensure user permissions are set correctly on FSLogix SMB shares

Impact:  Medium Category:  Security

APRL GUID:  7b170ddd-5770-4945-9bc3-cd1ccf5f8672

Description:

Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event.

Potential Benefits:

Enhanced security & disaster recovery
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// cannot-be-validated-with-arg

Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix events

Impact:  Medium Category:  Monitoring and Alerting

APRL GUID:  483f5a00-84a0-49f7-903b-ef6f1fc0c389

Description:

Configure diagnostic settings on FSLogix storage and regularly monitor its metrics and logs for errors. While events can be reviewed locally on the Session Host, it is recommended to use AVD insights workbook to consolidate this information into a Log Analytics workspace.

Potential Benefits:

Enhanced AVD error tracking and resolution
Learn More:
Learn More
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Manually install FSLogix updates

Impact:  Low Category:  Governance

APRL GUID:  d51e0a70-8b50-4be3-af8a-7c9065e47360

Description:

Ensure a process to regularly check and update FSLogix agent. Upgrade to the latest version promptly to address bugs and meet support requirements. FSLogix releases hotfixes to resolve issues impacting deployments. Keeping FSLogix updated is crucial for support and reliability.

Potential Benefits:

Enhanced reliability & support
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Turn on continuous availability for ANF when using it for app attach

Impact:  Medium Category:  High Availability

APRL GUID:  9b2301af-9cac-4f1a-871a-f17475d01812

Description:

Turn on Continuous Availability if using Azure Netapp Files.
Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory.

Potential Benefits:

Enhanced stability & user limit checks
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Use dedicated file share for App attach and include the storage in the disaster recovery plan

Impact:  Medium Category:  Disaster Recovery

APRL GUID:  7d9c96a6-1ce5-4cf0-ad1b-638a37f753cb

Description:

App Attach packages should be on a separate share from profiles and backed up. Requirements vary based on the number of packaged applications. Test your applications to understand your needs. Ensure the file share is in the same Azure region as your session hosts.

Potential Benefits:

Enhances performance and scalability
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Ensure resilient deployment of key vaults for AVD Host Pools

Impact:  High Category:  Disaster Recovery

APRL GUID:  1f57434f-f884-41f3-b818-129bbe3c5d3b

Description:

To ensure continuous availability and disaster recovery readiness, provision a secondary Key Vault in a secondary region. In case of a primary region failure, the secondary Key Vault will ensure critical secrets remain accessible for deployments in the secondary region.

Potential Benefits:

Ensures DR readiness and access
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Deploy multiple domain controllers across availability zones in each region with AVD session hosts.

Impact:  High Category:  Disaster Recovery

APRL GUID:  d61f6ee8-de1b-4fd9-9ce3-316cfe11ee05

Description:

Deploy multiple domain controllers on Azure VMs across availability zones with AVD session hosts. This removes on-premises dependencies and improves performance with a shorter authentication path. This doesn't apply to Microsoft Entra ID or Entra Domain Services joined session hosts.

Potential Benefits:

Enhanced identity resilience
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development

Deploy two or more DNS servers across availability zones in each region with AVD session hosts.

Impact:  High Category:  High Availability

APRL GUID:  99bf5c94-aa68-4bb3-8b7f-45d1c5f09b5d

Description:

Deploy custom DNS servers on Azure VMs across availability zones in the same region as session hosts. This removes on-premises dependencies and improves performance by shortening the name resolution path.

Potential Benefits:

Enhanced reliability and performance
Learn More:
Learn More

ARG Query:

Click the Azure Resource Graph tab to view the query

// under-development