Azure Proactive Resiliency Library v2

Azure Virtual Desktop

Dependent Azure Resource Recommendations

| Recommendation | Provider Namespace | Resource Type |
|---|---|---|
| Create a validation host pool | DesktopVirtualization | hostPools |
| Configure host pool scheduled agent updates | DesktopVirtualization | hostPools |
| Ensure a unique OU is used when deploying host pools with domain joined session hosts | DesktopVirtualization | hostPools |
| [Use Azure Site Recovery to protect stateful session hosts](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#use-azure-site-recovery-to-protect-stateful-session-hosts) | DesktopVirtualization | hostPools |
| Create scaling plans per region | DesktopVirtualization | scalingPlans |
| Replicate your image templates to a secondary region | Compute | virtualMachineImages |
| Create image Versions replicas in secondary region | Compute | galleries |
| Configure image version replica count per region | Compute | galleries |
| A minimum of three replicas should be kept for production image versions | Compute | galleries |
| Zone redundant storage should be used for image versions | Compute | galleries |
| Deploy VMs across Availability Zones | Compute | virtualMachines |
| Backup VMs with Azure Backup service | Compute | virtualMachines |
| Mission Critical Workloads should consider using Premium or Ultra Disks | Compute | virtualMachines |
| Configure diagnostic settings for all Azure Virtual Machines | Compute | virtualMachines |
| Connect on-prem networks to Azure critical workloads via multiple ExpressRoutes | Network | expressRouteCircuits |
| Ensure ExpressRoute's physical links connect to distinct network edge devices | Network | expressRouteCircuits |
| Use Zone-redundant ExpressRoute gateway SKUs | Network | virtualNetworkGateways |
| Ensure that storage accounts are zone or region redundant | Storage | storageAccounts |
| Enable Azure Private Link Service for Key vault | Keyvault | vaults |
| Configure Service Health Alerts | Insights | activityLogAlerts |

General Workload Guidance

Summary

| Recommendation | Impact | Category | Automation Available | In Azure Advisor |
|---|---|---|---|---|
| Monitor service health and resource health for AVD | High | Governance | Yes | No |
| Configure AVD Insights workbook | High | Monitoring and Alerting | No | No |
| Ensure separate log analytics workspaces for Prod and DR | Low | Disaster Recovery | No | No |
| Organize AVD resources using the AVD scale unit model described by the AVD landing zone methodology | Low | Governance | No | No |
| Monitor and plan capacity for AVD resources | Low | Disaster Recovery | No | No |
| Ensure DNS regions are replicated to avoid single point of failure | High | High Availability | No | No |
| Implement a multi-region BCDR Plan | High | Disaster Recovery | No | No |
| Create only one FSLogix file share per Storage Account | Medium | Scalability | No | No |
| Create a dedicated FSLogix file share and setup per host pool | Medium | Scalability | No | No |
| Enable Azure backup for FSLogix storage account file shares | Medium | High Availability | No | No |
| Implement RDP shortpath for public or managed networks | Medium | Other Best Practices | No | No |
| Ensure AVD session hosts connect to control plane & allow UDP ports for RDP shortpath | Medium | Governance | No | No |
| Ensure secondary Entra ID connect synchronization server | Low | Security | No | No |
| Ensure virtual networks have route tables/route server configured for all regions | Medium | High Availability | No | No |
| Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR | Medium | Business Continuity | No | No |
| Configure static routes for session hosts to directly access the AVD control plane subnet | Medium | Other Best Practices | No | No |
| Create updated image version and replace session hosts rather than updating host directly | Low | Governance | No | No |
| Ensure the standard FSLogix configuration is deployed | Medium | Governance | No | No |
| Ensure user permissions are set correctly on FSLogix SMB shares | Medium | Security | No | No |
| Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix events | Medium | Monitoring and Alerting | No | No |
| Manually install FSLogix updates | Low | Governance | No | No |
| Turn on continuous availability for ANF when using it for app attach | Medium | High Availability | No | No |
| Use dedicated file share for App attach and include the storage in the disaster recovery plan | Medium | Disaster Recovery | No | No |
| Ensure resilient deployment of key vaults for AVD Host Pools | High | Disaster Recovery | No | No |
| Deploy multiple domain controllers across availability zones in each region with AVD session hosts. | High | Disaster Recovery | No | No |
| Deploy two or more DNS servers across availability zones in each region with AVD session hosts. | High | High Availability | No | No |

Details


Monitor service health and resource health for AVD

Impact:  High Category:  Governance

APRL GUID:  0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b

Description:

Set up Service Health alerts so that you stay aware of service issues, planned maintenance, or other changes that might affect your Azure Virtual Desktop resources. Use Resource Health to monitor your VMs and storage solutions.

Potential Benefits:

Enhanced AVD error tracking and resolution
Learn More:
Learn More

ARG Query:

```kql
// Azure Resource Graph Query
// Returns one row per subscription that has no activity log alert with a ServiceHealth condition,
// i.e. subscriptions where Service Health alerts have not been configured for the AVD service.
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| project subscriptionAlerts=tostring(id),name,tags
| join kind=leftouter (
  resources
  | where type == 'microsoft.insights/activitylogalerts' and properties.condition contains "ServiceHealth"
  | extend subscriptions = properties.scopes
  | project subscriptions
  | mv-expand subscriptions
  | project subscriptionAlerts = tostring(subscriptions)
) on subscriptionAlerts
| where isempty(subscriptionAlerts1)
| project-away subscriptionAlerts1
| project recommendationId = "0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b",id=subscriptionAlerts,name,tags, param1 = "AVDServiceHealthAlertsConfigured: False"
```


Configure AVD Insights workbook

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  0cf72d91-644d-4591-9bb7-84ba3f705a41

Description:

Configure AVD insights workbook template to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights.

Potential Benefits:

Enhanced AVD monitoring and troubleshooting
Learn More:
Learn More

ARG Query:


// cannot-be-validated-with-arg



Ensure separate log analytics workspaces for Prod and DR

Impact:  Low Category:  Disaster Recovery

APRL GUID:  89b4d8f6-6345-4d66-9012-c3fc2aef94e8

Description:

Having a separate Log Analytics workspace for DR ensures that your DR environment has fully operational visibility of the metrics, performance data, and other auditing tools your workload teams will rely on in the event of an incident.

Potential Benefits:

Improved DR visibility and operation
Learn More:
Learn More

ARG Query:


// under-development


Organize AVD resources using the AVD scale unit model described by the AVD landing zone methodology

Impact:  Low Category:  Governance

APRL GUID:  204b56b0-9710-4c16-b506-bafb5fb318ed

Description:

Follow AVD Landing Zone best practices using multiple resource groups based on resource type and associated shared resources for AVD workloads.

Potential Benefits:

Enhanced organization and scalability
Learn More:
Learn More

ARG Query:


// under-development



Monitor and plan capacity for AVD resources

Impact:  Low Category:  Disaster Recovery

APRL GUID:  ef4b3561-c85f-47cf-8cb0-51fae9ddf929

Description:

Monitor and plan for subscription limits and API throttling limits. Keep track of resource usage within your subscription. Consider scaling across multiple subscriptions if further scaling is required.
To handle a large number of users, consider scaling horizontally by creating multiple host pools.

Potential Benefits:

Avoids limits, ensures smooth scaling
Learn More:
Capacity Planning
Learn More

ARG Query:


// under-development



Ensure DNS regions are replicated to avoid single point of failure

Impact:  High Category:  High Availability

APRL GUID:  e1a34ac6-8761-4020-b537-d60c0be7514e

Description:

Active Directory Domain Services (AD DS) integrated DNS, or any other DNS solution, should target secondary and tertiary customer DNS servers across multiple regions and zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure.

Potential Benefits:

Improves uptime & resilience
Learn More:
Learn More

ARG Query:


// under-development



Implement a multi-region BCDR Plan

Impact:  High Category:  Disaster Recovery

APRL GUID:  0714d039-535e-468d-9732-e32b5c094faa

Description:

It is recommended to adopt a multi-region deployment (active-active or active-passive) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage.

Potential Benefits:

Enhanced resilience and uptime
Learn More:
Multi-region BCDR
Learn More

ARG Query:


// under-development



Create only one FSLogix file share per Storage Account

Impact:  Medium Category:  Scalability

APRL GUID:  ed1f0327-0914-49e8-9518-16acb0d6b8d6

Description:

To maximize capacity and performance scaling, it is recommended to create only one file share per Azure Files storage account; with this approach the single file share can grow to the maximum capacities of the storage account.

Potential Benefits:

Enhanced scaling and performance
Learn More:
Learn More

ARG Query:


// cannot-be-validated-with-arg



Create a dedicated FSLogix file share and setup per host pool

Impact:  Medium Category:  Scalability

APRL GUID:  ff916698-7507-4519-b545-c94dd81d73c5

Description:

To maximize capacity and performance scaling of the file share service and avoid user profile contention, it is recommended to create one file share target and one FSLogix setup per host pool.

Potential Benefits:

Enhanced performance
Learn More:
Learn More

ARG Query:


// under-development


Enable Azure backup for FSLogix storage account file shares

Impact:  Medium Category:  High Availability

APRL GUID:  0025ed2e-41f4-4ada-93c1-12484cef8b0c

Description:

It is recommended to enable backup on the FSLogix Storage Account. Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages.

Potential Benefits:

Ensures data resilience and consistency
Learn More:
FSLogix
Backup Storage Account

ARG Query:


// under-development



Implement RDP shortpath for public or managed networks

Impact:  Medium Category:  Other Best Practices

APRL GUID:  3835b4b3-0479-4be8-9ffd-34ae29fa33b9

Description:

RDP Shortpath establishes a direct UDP-based connection between a client and the session host. By default, Remote Desktop Protocol (RDP) tries to establish connection using UDP and uses a TCP-based reverse connect transport as a fallback connection mechanism. UDP-based transport offers better connection reliability and more consistent latency.

Potential Benefits:

Better reliability and consistent latency
Learn More:
Learn More

ARG Query:


// under-development



Ensure AVD session hosts connect to control plane & allow UDP ports for RDP shortpath

Impact:  Medium Category:  Governance

APRL GUID:  e718ac1a-ebab-4f75-9e4a-1a5ccef20d1f

Description:

Ensure that AVD session hosts can effectively communicate with the AVD control plane and that UDP ports are open if UDP is utilized. Validate the connectivity of VMs to the AVD Control Plane and confirm the accessibility of UDP TURN ports. Whitelist global URLs and ensure that UDP/TURN ports are open and accessible to facilitate smooth user connections.

Potential Benefits:

Enhanced performance & user experience
Learn More:
Learn More
Learn More

ARG Query:


// cannot-be-validated-with-arg


Ensure secondary Entra ID connect synchronization server

Impact:  Low Category:  Security

APRL GUID:  d984eaf9-0fa1-4f8d-a326-bda751993c6f

Description:

For hybrid identity, Microsoft Entra Connect is best run in Azure but can be hosted on-premises. One or more secondary servers should be set up in staging mode so that synchronization to Entra ID can continue if the primary server fails.

Potential Benefits:

Improved failover reliability
Learn More:
Learn More

ARG Query:


// under-development



Ensure virtual networks have route tables/route server configured for all regions

Impact:  Medium Category:  High Availability

APRL GUID:  db1727d1-5c8e-4a01-a31e-f0d58cfd95b1

Description:

For high availability, connections back to on-premises data centers should have backup paths across all regions in use. Ensure redundancy in routing by having a secondary route table in the secondary region.

Potential Benefits:

Enhanced availability & routing
Learn More:
Learn More

ARG Query:


// under-development



Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR

Impact:  Medium Category:  Business Continuity

APRL GUID:  37d1091b-e599-4548-a067-a9286be16e45

Description:

Use a separate NSG and ASG per AVD persona and a separate IP address space for the Prod and DR regions.
It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. Overlapping IP address spaces across on-premises and Azure regions create major contention challenges.

Potential Benefits:

Enhances security and prevents IP conflicts
Learn More:
Learn More

ARG Query:


// under-development



Configure static routes for session hosts to directly access the AVD control plane subnet

Impact:  Medium Category:  Other Best Practices

APRL GUID:  1c6c97d7-4d03-4f53-985d-fa239f715173

Description:

Ensure that route tables have static routes so that session host traffic destined for the AVD control plane goes outbound directly from the subnet to the internet (next hop). This avoids the delays introduced by inspecting trusted traffic or adding extra hops to its path.

Potential Benefits:

Enhanced performance and Disaster Recovery
Learn More:
Learn More
Learn More

ARG Query:


// under-development


Create updated image version and replace session hosts rather than updating host directly

Impact:  Low Category:  Governance

APRL GUID:  2831dab9-6a43-44a1-8aec-90a8e84894bc

Description:

Establish a systematic process for handling image updates within your Azure Virtual Desktop environment. Instead of directly updating individual session hosts, create a new version of the updated image. This process involves creating and configuring a golden image with the necessary updates and configurations.

Potential Benefits:

Ensures consistency; minimizes drift
Learn More:
Learn More

ARG Query:


// under-development



Ensure the standard FSLogix configuration is deployed

Impact:  Medium Category:  Governance

APRL GUID:  c15b2b73-52a1-4db2-88dd-d592424ff4e4

Description:

Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices.

Potential Benefits:

Optimized session reliability and performance
Learn More:
Learn More

ARG Query:


// cannot-be-validated-with-arg



Ensure user permissions are set correctly on FSLogix SMB shares

Impact:  Medium Category:  Security

APRL GUID:  7b170ddd-5770-4945-9bc3-cd1ccf5f8672

Description:

Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event.

Potential Benefits:

Enhanced security & disaster recovery
Learn More:
Learn More

ARG Query:


// cannot-be-validated-with-arg



Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix events

Impact:  Medium Category:  Monitoring and Alerting

APRL GUID:  483f5a00-84a0-49f7-903b-ef6f1fc0c389

Description:

Configure diagnostic settings on FSLogix storage resources and regularly review their metrics and the FSLogix logs for errors. Events can be reviewed locally on the session host, but it is recommended to configure the AVD Insights workbook to consolidate this information in a Log Analytics workspace.

Potential Benefits:

Enhanced AVD error tracking and resolution
Learn More:
Learn More
Learn More

ARG Query:


// under-development



Manually install FSLogix updates

Impact:  Low Category:  Governance

APRL GUID:  d51e0a70-8b50-4be3-af8a-7c9065e47360

Description:

Ensure a process is in place to regularly check for FSLogix agent upgrades and keep FSLogix up to date. We recommend customers upgrade to the latest version of FSLogix as quickly as their deployment process allows. FSLogix provides hotfix releases that address current and potential bugs affecting customer deployments. Additionally, running the latest version is the first requirement when opening any support case.

Potential Benefits:

Enhanced reliability & support
Learn More:
Learn More

ARG Query:


// under-development



Turn on continuous availability for ANF when using it for app attach

Impact:  Medium Category:  High Availability

APRL GUID:  9b2301af-9cac-4f1a-871a-f17475d01812

Description:

Turn on Continuous Availability if using Azure NetApp Files.
Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory.

Potential Benefits:

Enhanced stability & user limit checks
Learn More:
Learn More

ARG Query:


// under-development



Use dedicated file share for App attach and include the storage in the disaster recovery plan

Impact:  Medium Category:  Disaster Recovery

APRL GUID:  7d9c96a6-1ce5-4cf0-ad1b-638a37f753cb

Description:

App Attach packages should be on a separate share from profiles, and App Attach files should be backed up. Requirements can vary greatly depending on how many packaged applications are stored in an image, so you need to test your applications to understand your requirements.
Your file share should be in the same Azure region as your session hosts.

Potential Benefits:

Enhances performance and scalability
Learn More:
Learn More

ARG Query:


// under-development



Ensure resilient deployment of key vaults for AVD Host Pools

Impact:  High Category:  Disaster Recovery

APRL GUID:  1f57434f-f884-41f3-b818-129bbe3c5d3b

Description:

To ensure continuous availability and disaster recovery readiness, it is recommended to provision a secondary Key Vault in a secondary region. In the event of a primary region failure, this secondary Key Vault will ensure that critical secrets are accessible for use in deployments in the secondary region.

Potential Benefits:

Ensures DR readiness and access
Learn More:
Learn More

ARG Query:


// under-development


Deploy multiple domain controllers across availability zones in each region with AVD session hosts.

Impact:  High Category:  Disaster Recovery

APRL GUID:  d61f6ee8-de1b-4fd9-9ce3-316cfe11ee05

Description:

When using an AD DS identity solution with AVD, it is recommended to deploy two or more domain controllers on Azure virtual machines across availability zones. This improves the environment's reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for user authentication.
This recommendation doesn't apply when using Microsoft Entra ID or Entra Domain Services joined session hosts.

Potential Benefits:

Enhanced identity resilience
Learn More:
Learn More

ARG Query:


// under-development


Deploy two or more DNS servers across availability zones in each region with AVD session hosts.

Impact:  High Category:  High Availability

APRL GUID:  99bf5c94-aa68-4bb3-8b7f-45d1c5f09b5d

Description:

When using custom DNS servers, deploy DNS servers on Azure virtual machines across availability zones in the same region as the session hosts. This improves the environment's reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for name resolution.

Potential Benefits:

Enhanced reliability and performance
Learn More:
Learn More

ARG Query:


// under-development