[Use Azure Site Recovery to protect stateful session hosts](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#use-azure-site-recovery-to-protect-stateful-session-hosts)
Monitor service health and resource health for AVD
Impact: High | Category: Governance
APRL GUID: 0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b
Description:
Set up Service Health alerts so that you stay aware of service issues, planned maintenance, or other changes that might affect your Azure Virtual Desktop resources. Use Resource Health to monitor your VMs and storage solutions.
Azure Resource Graph query:
// Azure Resource Graph Query
// This resource graph query will return rows if Service Health alerts haven't been configured for the AVD service
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| project subscriptionAlerts = tostring(id), name, tags
| join kind=leftouter (
    resources
    | where type == 'microsoft.insights/activitylogalerts' and properties.condition contains "ServiceHealth"
    | extend subscriptions = properties.scopes
    | project subscriptions
    | mv-expand subscriptions
    | project subscriptionAlerts = tostring(subscriptions)
) on subscriptionAlerts
| where isempty(subscriptionAlerts1)
| project-away subscriptionAlerts1
| project recommendationId = "0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b", id = subscriptionAlerts, name, tags, param1 = "AVDServiceHealthAlertsConfigured: False"
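As an added example (not code from the APRL page), the following Bicep deploys a subscription-scoped Service Health activity log alert of the kind the query above looks for. The alert name and the actionGroupId parameter are placeholders, and the action group is assumed to already exist.

```bicep
// Added example, not part of the APRL page. Deploy into any resource group of the
// subscription whose AVD resources you want covered, for example:
//   az deployment group create -g rg-avd-monitoring -f serviceHealthAlert.bicep \
//     -p actionGroupId=<action group resource id>

@description('Resource ID of an existing action group that receives the notifications (assumed to exist).')
param actionGroupId string

@description('Alert rule name (placeholder).')
param alertName string = 'avd-service-health-alert'

resource serviceHealthAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: alertName
  // Activity log alert rules are global resources.
  location: 'Global'
  properties: {
    enabled: true
    // Service Health events are subscription-level, so the scope is the subscription
    // resource ID ("/subscriptions/<id>"); the Resource Graph query above joins on
    // exactly this value taken from properties.scopes.
    scopes: [
      subscription().id
    ]
    condition: {
      allOf: [
        {
          // A single category condition matches every Service Health event type
          // (incidents, planned maintenance, health and security advisories) for
          // every service in the subscription, and is what the query's
          // `properties.condition contains "ServiceHealth"` test detects.
          field: 'category'
          equals: 'ServiceHealth'
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: actionGroupId
        }
      ]
    }
  }
}
```

Resource Health alerts for the session host VMs and storage accounts are separate activity log alert rules with category 'ResourceHealth' scoped to those resources; the query above does not check for them.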
Configure AVD Insights workbook
Impact: High | Category: Monitoring and Alerting
APRL GUID: 0cf72d91-644d-4591-9bb7-84ba3f705a41
Description:
Configure the AVD Insights workbook template to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights.
Azure Resource Graph query: cannot be validated with ARG
Ensure separate log analytics workspaces for Prod and DR
Impact: Low | Category: Disaster Recovery
APRL GUID: 89b4d8f6-6345-4d66-9012-c3fc2aef94e8
Description:
Having separate Log Analytics workspaces ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident.
Azure Resource Graph query: under development
Monitor and plan capacity for AVD resources
Impact: Low | Category: Disaster Recovery
APRL GUID: ef4b3561-c85f-47cf-8cb0-51fae9ddf929
Description:
Monitor and plan for subscription limits and API throttling limits. Keep track of resource usage within your subscription. Consider scaling across multiple subscriptions if further scaling is required.
To handle a large number of users, consider scaling horizontally by creating multiple host pools.
Azure Resource Graph query: under development
Ensure DNS regions are replicated to avoid single point of failure
Impact: High | Category: High Availability
APRL GUID: e1a34ac6-8761-4020-b537-d60c0be7514e
Description:
Active Directory Domain Services (AD DS) integrated DNS, or any other DNS in use, should have secondary and tertiary customer DNS servers across multiple regions and zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure.
Azure Resource Graph query: under development
Implement a multi-region BCDR Plan
Impact: High | Category: Disaster Recovery
APRL GUID: 0714d039-535e-468d-9732-e32b5c094faa
Description:
It is recommended to adopt a multi-region deployment (active-active or active-passive) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage.
Azure Resource Graph query: under development
Create only one FSLogix file share per Storage Account
Impact: Medium | Category: Scalability
APRL GUID: ed1f0327-0914-49e8-9518-16acb0d6b8d6
Description:
To maximize capacity and performance scaling, it is recommended to create only one file share per Azure Files storage account. With this approach the single file share can grow to the maximum capacity of the storage account.
Azure Resource Graph query: cannot be validated with ARG
Create a dedicated FSLogix file share and setup per host pool
Impact: Medium | Category: Scalability
APRL GUID: ff916698-7507-4519-b545-c94dd81d73c5
Description:
To maximize capacity and performance scaling of the file share service and avoid user profile contention, it is recommended to create one file share target and FSLogix setup per host pool.
Azure Resource Graph query: under development
Enable Azure backup for FSLogix storage account file shares
Impact: Medium | Category: High Availability
APRL GUID: 0025ed2e-41f4-4ada-93c1-12484cef8b0c
Description:
It is recommended to enable backup on the FSLogix Storage Account. Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages.
Azure Resource Graph query: under development
Implement RDP shortpath for public or managed networks
Impact: Medium | Category: Other Best Practices
APRL GUID: 3835b4b3-0479-4be8-9ffd-34ae29fa33b9
Description:
RDP Shortpath establishes a direct UDP-based connection between a client and the session host. By default, Remote Desktop Protocol (RDP) tries to establish connection using UDP and uses a TCP-based reverse connect transport as a fallback connection mechanism. UDP-based transport offers better connection reliability and more consistent latency.
Azure Resource Graph query: under development
Ensure AVD session hosts connect to control plane & allow UDP ports for RDP shortpath
Impact: Medium | Category: Governance
APRL GUID: e718ac1a-ebab-4f75-9e4a-1a5ccef20d1f
Description:
Ensure that AVD session hosts can effectively communicate with the AVD control plane and that UDP ports are open if UDP is utilized. Validate the connectivity of VMs to the AVD Control Plane and confirm the accessibility of UDP TURN ports. Allow the required global URLs and ensure that UDP/TURN ports are open and accessible to facilitate smooth user connections.
Azure Resource Graph query: cannot be validated with ARG
Ensure secondary Entra ID connect synchronization server
Impact: Low | Category: Security
APRL GUID: d984eaf9-0fa1-4f8d-a326-bda751993c6f
Description:
In hybrid deployments, Entra ID Connect is best run in Azure but can be hosted on-premises. One or more secondary servers should be set up in staging mode in the event of a failover.
Set up a secondary Entra Connect server in staging mode so that synchronization to Entra ID continues in case of a primary server outage.
Azure Resource Graph query: under development
Ensure virtual networks have route tables/route server configured for all regions
Impact: Medium | Category: High Availability
APRL GUID: db1727d1-5c8e-4a01-a31e-f0d58cfd95b1
Description:
For high availability, connections back to on-premises data centers should have backup paths across the regions that are in use. Ensure redundancy in routing by having a secondary route table in the secondary region.
Azure Resource Graph query: under development
Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR
Impact: Medium | Category: Business Continuity
APRL GUID: 37d1091b-e599-4548-a067-a9286be16e45
Description:
Use an NSG and ASG per AVD persona, and a separate IP space per Prod and DR region.
It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. Overlapping IP address spaces across on-premises and Azure regions create major contention challenges.
Azure Resource Graph query: under development
Configure static routes for session hosts to directly access the AVD control plane subnet
Impact: Medium | Category: Other Best Practices
APRL GUID: 1c6c97d7-4d03-4f53-985d-fa239f715173
Description:
Ensure that route tables have static routes that allow session host traffic targeting the AVD control plane to go outbound directly from the subnet to the internet (next hop). This avoids delays from inspecting the traffic or adding extra hops to the communication of trusted traffic.
Azure Resource Graph query: under development
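An added Bicep example (not from the APRL page) of such a route table: traffic to the WindowsVirtualDesktop service tag leaves the subnet directly with next hop Internet, while the default route still goes through an inspection appliance. The route table name and the firewallPrivateIp parameter are placeholders, and associating the table with the session host subnet is assumed to be done separately.

```bicep
// Added example, not part of the APRL page. The service tag in addressPrefix is
// expanded by Azure to the current AVD control plane prefixes, so the route does
// not need updating when Microsoft changes them.

@description('Region of the session host subnet; defaults to the resource group location.')
param location string = resourceGroup().location

@description('Route table name (placeholder).')
param routeTableName string = 'rt-avd-session-hosts'

@description('Private IP of the firewall or NVA that inspects all other outbound traffic (placeholder).')
param firewallPrivateIp string

resource avdRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: routeTableName
  location: location
  properties: {
    // Keep learning on-premises prefixes from BGP; user-defined routes still take
    // precedence over BGP and system routes for the same prefix.
    disableBgpRoutePropagation: false
    routes: [
      {
        // Trusted AVD control plane traffic goes straight out of the subnet. The
        // expanded service tag prefixes are more specific than 0.0.0.0/0, so they
        // win the longest-prefix match against the default route below.
        name: 'avd-control-plane-direct'
        properties: {
          addressPrefix: 'WindowsVirtualDesktop'
          nextHopType: 'Internet'
        }
      }
      {
        // Everything else, including general internet egress, is still inspected.
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Resource ID to reference from the session host subnet's routeTable property.
output routeTableId string = avdRouteTable.id
```

Only the control-plane prefixes bypass inspection; session host traffic to any other destination keeps following the firewall path, which is the behaviour to verify after the subnet association is in place.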
Create updated image version and replace session hosts rather than updating host directly
Impact: Low | Category: Governance
APRL GUID: 2831dab9-6a43-44a1-8aec-90a8e84894bc
Description:
Establish a systematic process for handling image updates within your Azure Virtual Desktop environment. Instead of directly updating individual session hosts, create a new version of the updated image. This process involves creating and configuring a golden image with the necessary updates and configurations.
Azure Resource Graph query: under development
Ensure the standard FSLogix configuration is deployed
Impact: Medium | Category: Governance
APRL GUID: c15b2b73-52a1-4db2-88dd-d592424ff4e4
Description:
Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices.
Azure Resource Graph query: cannot be validated with ARG
Ensure user permissions are set correctly on FSLogix SMB shares
Impact: Medium | Category: Security
APRL GUID: 7b170ddd-5770-4945-9bc3-cd1ccf5f8672
Description:
Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event.
Azure Resource Graph query: cannot be validated with ARG
Configure Diagnostic Settings on FSLogix storage and capture session hosts FSLogix events
Impact: Medium | Category: Monitoring and Alerting
APRL GUID: 483f5a00-84a0-49f7-903b-ef6f1fc0c389
Description:
Configure diagnostic settings on FSLogix storage resources and regularly review their metrics and the FSLogix logs for errors. Events can be reviewed locally inside the session host, but it is recommended to configure the AVD Insights workbook to consolidate this information in a Log Analytics workspace.
Azure Resource Graph query: under development
Manually install FSLogix updates
Impact: Low | Category: Governance
APRL GUID: d51e0a70-8b50-4be3-af8a-7c9065e47360
Description:
Ensure a process is in place to regularly check for FSLogix agent upgrades and maintain FSLogix up to date. We recommend customers upgrade to the latest version of FSLogix as quickly as their deployment process can allow. FSLogix will provide hotfix releases which address current and potential bugs that impact customer deployments. Additionally, it is the first requirement when opening any support case.
Azure Resource Graph query: under development
Turn on continuous availability for ANF when using it for app attach
Impact: Medium | Category: High Availability
APRL GUID: 9b2301af-9cac-4f1a-871a-f17475d01812
Description:
Turn on Continuous Availability if using Azure NetApp Files.
Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory.
Azure Resource Graph query: under development
Use dedicated file share for App attach and include the storage in the disaster recovery plan
Impact: Medium | Category: Disaster Recovery
APRL GUID: 7d9c96a6-1ce5-4cf0-ad1b-638a37f753cb
Description:
App Attach packages should be on a separate share from profiles, and App Attach files should be backed up. Requirements can vary greatly depending on how many packaged applications are stored in an image, and you need to test your applications to understand your requirements.
Your file share should be in the same Azure region as your session hosts.
Azure Resource Graph query: under development
Ensure resilient deployment of key vaults for AVD Host Pools
Impact: High | Category: Disaster Recovery
APRL GUID: 1f57434f-f884-41f3-b818-129bbe3c5d3b
Description:
To ensure continuous availability and disaster recovery readiness, it is recommended to provision a secondary Key Vault in a secondary region. In the event of a primary region failure, this secondary Key Vault will ensure that critical secrets are accessible for use in deployments in the secondary region.
Azure Resource Graph query: under development
Deploy multiple domain controllers across availability zones in each region with AVD session hosts
Impact: High | Category: Disaster Recovery
APRL GUID: d61f6ee8-de1b-4fd9-9ce3-316cfe11ee05
Description:
When using an AD DS identity solution with AVD, it is recommended to deploy two or more domain controllers on Azure virtual machines across availability zones. This improves the environment's reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for user authentication.
This recommendation doesn't apply when using Microsoft Entra ID or Entra Domain Services joined session hosts.
Azure Resource Graph query: under development
Deploy two or more DNS servers across availability zones in each region with AVD session hosts
Impact: High | Category: High Availability
APRL GUID: 99bf5c94-aa68-4bb3-8b7f-45d1c5f09b5d
Description:
When using custom DNS servers, deploy DNS servers on Azure virtual machines across availability zones in the same region as the session hosts. This improves the environment's reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for name resolution.