diff --git a/azure-specialized-workloads/avd/_index.md b/azure-specialized-workloads/avd/_index.md index 021d36f00..ec7288dfd 100644 --- a/azure-specialized-workloads/avd/_index.md +++ b/azure-specialized-workloads/avd/_index.md @@ -8,9 +8,9 @@ geekdocHidden: false | Recommendation | Provider Namespace | Resource Type | | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------: | :--------------------: | -| [(Personal) Create a validation pool for testing of planned updates](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#personal-create-a-validation-pool-for-testing-of-planned-updates) | DesktopVirtualization | hostPools | | [(Pooled) Configure scheduled agent updates](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#pooled-configure-scheduled-agent-updates) | DesktopVirtualization | hostPools | | [(Pooled) Create a validation pool for testing of planned updates](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#pooled-create-a-validation-pool-for-testing-of-planned-updates) | DesktopVirtualization | hostPools | +| [(Personal) Create a validation pool for testing of planned updates](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#personal-create-a-validation-pool-for-testing-of-planned-updates) | DesktopVirtualization | hostPools | | [Replicate your Image Templates to a secondary region](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/VirtualMachineImages/imageTemplates/) | VirtualMachineImages | imageTemplates | | [Zone redundant storage should be used for image versions](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/VirtualMachineImages/imageTemplates/#replicate-your-image-templates-to-a-secondary-regions) | Compute | galleries | | [Deploy VMs across Availability Zones](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#deploy-vms-across-availability-zones) | Compute | virtualMachines | diff --git a/azure-specialized-workloads/avd/recommendations.yaml b/azure-specialized-workloads/avd/recommendations.yaml index f2ee7b4b4..5bce0f83a 100644 --- a/azure-specialized-workloads/avd/recommendations.yaml +++ b/azure-specialized-workloads/avd/recommendations.yaml @@ -17,16 +17,18 @@ - name: Learn More url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/networking#private-endpoints-private-link" -- description: Configure AVD Insights Workbook - aprlGuid: 0cf72d91-644d-4591-9bb7-84ba3f705a41 +- description: Monitor Service Health and Resource Health of AVD + aprlGuid: a75a20e7-8cc0-4f7b-b4a9-e2476bd72429 recommendationTypeId: null recommendationControl: Monitoring and Alerting recommendationImpact: High recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - AVD Insights is an Azure Workbook template provided by the AVD product team. It is highly recommended in order to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights. - potentialBenefits: Enhanced AVD monitoring & troubleshooting + Use Service Health to stay informed about the health of the Azure services and regions that you use to insure their availability. + Set up Service Health alerts so that you stay aware of service issues, planned maintenance, or other changes that might affect your Azure Virtual Desktop resources. + Use Resource Health to monitor your VMs and storage solutions. + potentialBenefits: Enhanced AVD uptime and awareness pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -34,18 +36,19 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/insights?tabs=monitor" + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/monitoring#resource-health" -- description: Provision Secondary Key Vault for Disaster Recovery - aprlGuid: 1f57434f-f884-41f3-b818-129bbe3c5d3b +- description: Deploy Domain Controllers and DNS Servers in Azure Virtual Network Across Availability Zones + aprlGuid: 99bf5c94-aa68-4bb3-8b7f-45d1c5f09b5d recommendationTypeId: null - recommendationControl: Disaster Recovery + recommendationControl: High Availability recommendationImpact: High recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - To ensure continuous availability and disaster recovery readiness, it is recommended to provision a secondary Key Vault in a secondary region. In the event of a primary region failure, this secondary Key Vault will ensure that critical secrets are accessible for use in deployments in the secondary region. - potentialBenefits: Ensures DR readiness and access + When using an AD DS identity solution with AVD, it is recommended to deploy domain controllers and DNS servers on Azure virtual machines across availability zones. This improves the environment�s reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for user authentication. + This recommendation is not relevant when you are utilizing Microsoft Entra as the identity provider. + potentialBenefits: Enhanced reliability and performance pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -53,19 +56,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance" + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/identity/adds-extend-domain#reliability" -- description: Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR - aprlGuid: 37d1091b-e599-4548-a067-a9286be16e45 +- description: Implement RDP Shortpath for Public or Managed Networks + aprlGuid: 3835b4b3-0479-4be8-9ffd-34ae29fa33b9 recommendationTypeId: null - recommendationControl: Business Continuity + recommendationControl: Other Best Practices recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - NSG and ASG per AVD persona and IP space per Prod/DR regions. - It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. Overlapping IP address spaces across on-premises and Azure regions create major contention challenges. - potentialBenefits: Enhances security & prevents IP conflicts + It is recommended to enable RDP Shortpath for AVD. RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. By default, Remote Desktop Protocol (RDP) tries to establish connection using UDP and uses a TCP-based reverse connect transport as a fallback connection mechanism. TCP-based reverse connect transport provides the best compatibility with various networking configurations and has a high success rate for establishing RDP connections. UDP-based transport offers better connection reliability and more consistent latency. + potentialBenefits: Better reliability & consistent latency pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -73,18 +75,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing" + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks" -- description: Ensure virtual networks have route tables/route server configured for all regions - aprlGuid: db1727d1-5c8e-4a01-a31e-f0d58cfd95b1 +- description: Implement a Multi-Region BCDR Plan + aprlGuid: 0714d039-535e-468d-9732-e32b5c094faa recommendationTypeId: null - recommendationControl: High Availability + recommendationControl: Disaster Recovery recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - For high availability connections back to on-premises datacenters should consider backup paths across the regions that have been utilized. Ensure redundancy in routing by having a secondary route table in the secondary region. - potentialBenefits: Enhanced availability & routing + It is recommended to adopt a multi-region deployment (active-active) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage. + potentialBenefits: Enhanced resilience & uptime pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -92,20 +94,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution" + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr" -- description: Segregate App attach storage in disaster recovery plans with distinct file shares - aprlGuid: 7d9c96a6-1ce5-4cf0-ad1b-638a37f753cb +- description: Store Golden Image Redundantly for Disaster Recovery + aprlGuid: 0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b recommendationTypeId: null recommendationControl: Disaster Recovery - recommendationImpact: Medium + recommendationImpact: Low recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - App Attach packages should be on a separate share from profiles. And App Attach files should be backed up. - Best practice is to separate App Attach VHD files in a separate file share away from user profiles, both for performance and scalability purposes. Requirements can vary greatly depending on how many packaged applications are stored in an image, and you need to test your applications to understand your requirements. - Your file share should be in the same Azure region as your session hosts. - potentialBenefits: Enhances performance & scalability + If a full BCDR strategy is not in place, consider using zone-redundant storage to store golden images across availability zones. Having the image available will allow for faster recovery in case of zonal or regional outage. + potentialBenefits: Faster recovery from outages pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -113,19 +113,20 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach" + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/business-continuity#golden-images" -- description: Turn on Continuous Availability for ANF if using App Attach - aprlGuid: 9b2301af-9cac-4f1a-871a-f17475d01812 +- description: Capacity Planning for AVD Resources + aprlGuid: ef4b3561-c85f-47cf-8cb0-51fae9ddf929 recommendationTypeId: null - recommendationControl: High Availability - recommendationImpact: Medium + recommendationControl: Disaster Recovery + recommendationImpact: Low recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Turn on Continuous Availability if using Azure Netapp Files. - Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory. - potentialBenefits: Enhanced stability & user limit checks + Monitor and plan for subscription limits and API throttling limits. Closely monitor your Azure Virtual Desktop deployments, and keep track of resource usage within your subscription. By proactively monitoring capacity, you can identify potential challenges early on, and you can take suitable actions to avoid reaching limits. + Consider scaling across multiple subscriptions if further scaling is required, or work with Azure support to adjust limits based on your business requirements. + To handle a large number of users, consider scaling horizontally by creating multiple host pools. + potentialBenefits: Avoids limits, ensures smooth scaling pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -133,18 +134,25 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach" + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/business-continuity#capacity-planning" -- description: Manually update new FSLogix image when available - aprlGuid: d51e0a70-8b50-4be3-af8a-7c9065e47360 +- description: Ensure that FSLogix Storage Account is Redundant + aprlGuid: ed1f0327-0914-49e8-9518-16acb0d6b8d6 recommendationTypeId: null - recommendationControl: Governance - recommendationImpact: Low + recommendationControl: High Availability + recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Ensure a process is in place to regularly check for FSLogix agent upgrades and maintain FSLogix up to date. We recommend customers upgrade to the latest version of FSLogix as quickly as their deployment process can allow. FSLogix will provide hotfix releases which address current and potential bugs that impact customer deployments. Additionally, it is the first requirement when opening any support case. - potentialBenefits: Enhanced reliability & support + It is important to ensure the redundancy of our user profiles when using FSLogix. When using FSLogix with AVD, it is deployed on a file share in a storage account. Data in an Azure Storage account is always replicated three times in the primary region. Below are the options for how your data is replicated in the primary or paired region: + LRS for least expensive replication (not recommended for apps with high availability and durability). + - LRS provides eleven 9s durability and replicates three time in a single physical location. + - ZRS is recommended for apps requiring high availability across zones. ZRS provides twelve 9s durability. Replicated across three availability zones + - GRS replicates an additional three copies to secondary region and provides sixteen 9s durability. + - GZRS provides both high availability and redundancy across geo replication. It provides sixteen 9s durability over a given year. + + Generally, it is recommended to store your data as secure and redundant as possible. + potentialBenefits: Improves data durability & availability pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -152,18 +160,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/fslogix/how-to-install-fslogix" + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/storage#user-profiles" -- description: Configure Diagnostic Settings for FSLogix logs and enable review for accounts - aprlGuid: 483f5a00-84a0-49f7-903b-ef6f1fc0c389 +- description: Enable Azure Backup for FSLogix Storage Account + aprlGuid: 0025ed2e-41f4-4ada-93c1-12484cef8b0c recommendationTypeId: null - recommendationControl: Monitoring and Alerting + recommendationControl: High Availability recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Regularly review FSLogix logs for errors and issues related to login and mounting the profile. Events can be reviewed by looking locally inside the Session Host and also in Log Analytics when the Azure Monitor Agent is used. - potentialBenefits: Enhanced AVD error tracking and resolution + It is recommended to enable backup on the FSLogix Storage Account. Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages. + potentialBenefits: Ensures data resilience and consistency pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -171,18 +179,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/fslogix/troubleshooting-events-logs-diagnostics" + url: "https://learn.microsoft.com/en-us/fslogix/overview-what-is-fslogix" -- description: Ensure user permissions are set correctly on SMB shares - aprlGuid: 7b170ddd-5770-4945-9bc3-cd1ccf5f8672 +- description: Scaling plans should be created per region and not scaled across regions + aprlGuid: e091419d-10ba-4a8e-bdb0-67380cc021a9 recommendationTypeId: null - recommendationControl: Security - recommendationImpact: High + recommendationControl: Disaster Recovery + recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event. - potentialBenefits: Enhanced security & disaster recovery + Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region. + potentialBenefits: Enhances reliability across failures pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -190,18 +198,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/fslogix/how-to-configure-storage-permissions" + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/autoscale-scaling-plan?tabs=portal" -- description: Ensure the standard FSLogix configuration is deployed - aprlGuid: c15b2b73-52a1-4db2-88dd-d592424ff4e4 +- description: Validate AVD Session Host Connectivity to the AVD Control Plane and UDP Ports open if in use + aprlGuid: e718ac1a-ebab-4f75-9e4a-1a5ccef20d1f recommendationTypeId: null recommendationControl: Governance - recommendationImpact: High + recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices. - potentialBenefits: Optimized session reliability and performance + Ensure that AVD session hosts can effectively communicate with the AVD control plane and that UDP ports are open if UDP is utilized. Validate the connectivity of VMs to the AVD Control Plane and confirm the accessibility of UDP TURN ports. Whitelist global URLs and ensure that UDP/TURN ports are open and accessible to facilitate smooth user connections. Proper connectivity validation guarantees optimal performance and user experience within the AVD environment. + potentialBenefits: Enhanced performance & user experience pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -209,19 +217,19 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles" + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-rdp-shortpath" -- description: Ensure a unique OU when deploying VMs to Domain - aprlGuid: 939cb85c-102a-4e0a-ab82-5c92116d3778 +- description: Ensure Secondary Entra ID connect synchronization server + aprlGuid: d984eaf9-0fa1-4f8d-a326-bda751993c6f recommendationTypeId: null - recommendationControl: Governance - recommendationImpact: Medium + recommendationControl: Security + recommendationImpact: Low recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Hybrid VMs should be in a unique OU. - When using AD-joined session hosts will benefit from using a unique OU to target specific AVD configurations per hostpool. Examples include Fslogix, time out limits, session controls, and much more. It�s also important to segment Prod and DR organization units to ensure resources are configured per environment. - potentialBenefits: Improved AVD hostpool config & segmentation + Hybrid - Entra ID Connect best to run in Azure but can be hosted on-prem. Secondary or more VMs should be setup in staging mode in event of failover. + Set up secondary server in staging mode for Entra Connect for syncing to Entra in case of primary server outage. + potentialBenefits: Improved failover reliability pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -229,18 +237,38 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm#configure-the-vms-and-install-active-directory-domain-services" + url: "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-multiple-domains" -- description: Use Azure Site Recovery or Backups on VMs supporting personal desktops - aprlGuid: 38721758-2cc2-4d6b-b7b7-8b47dadbf7df +- description: Deploy paired Domain Controllers in the same region as AVD session hosts + aprlGuid: d61f6ee8-de1b-4fd9-9ce3-316cfe11ee05 recommendationTypeId: null recommendationControl: Disaster Recovery + recommendationImpact: High + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Ensure each region with session hosts has multiple domain controllers in the same region to support high availability with regards to identity. + For a hybrid scenario, each Azure region with AVD session hosts should have Active Directory Domain Controllers in Azure and use Availability Zones or Availability Sets for resilience within the region. This also mitigates dependency on ER/VPN/Inter-Azure dependencies. + potentialBenefits: Enhanced identity resilience + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr" + +- description: Ensure DNS regions are replicated to avoid single point of failure + aprlGuid: e1a34ac6-8761-4020-b537-d60c0be7514e + recommendationTypeId: null + recommendationControl: High Availability recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Leverage Azure Site Recovery (ASR) or implement Azure Backup for personal host pools for seamless failover and failback capabilities, enabling the replication of VMs supporting personal desktops to a secondary Azure region. In the event of a disaster or unexpected outage, this ensures the recovery of these VMs from a known-state. - potentialBenefits: Ensures VM recovery & failover + Active Directory Domain Services (AD DS) integrated DNS/other should target Secondary/Tertiary customer DNS across multi-region zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure. + potentialBenefits: Improves uptime & resilience pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -248,7 +276,7 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/scheduled-agent-updates" + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr" - description: Create updated image version and replace session hosts rather than updating host directly aprlGuid: 2831dab9-6a43-44a1-8aec-90a8e84894bc @@ -270,18 +298,16 @@ - name: Learn More url: "https://learn.microsoft.com/en-us/training/modules/create-manage-session-host-image/" -- description: Monitor Service Health and Resource Health of AVD - aprlGuid: a75a20e7-8cc0-4f7b-b4a9-e2476bd72429 +- description: Use Azure Site Recovery or Backups on VMs supporting personal desktops + aprlGuid: 38721758-2cc2-4d6b-b7b7-8b47dadbf7df recommendationTypeId: null - recommendationControl: Monitoring and Alerting - recommendationImpact: High + recommendationControl: Disaster Recovery + recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Use Service Health to stay informed about the health of the Azure services and regions that you use to insure their availability. - Set up Service Health alerts so that you stay aware of service issues, planned maintenance, or other changes that might affect your Azure Virtual Desktop resources. - Use Resource Health to monitor your VMs and storage solutions. - potentialBenefits: Enhanced AVD uptime and awareness + Leverage Azure Site Recovery (ASR) or implement Azure Backup for personal host pools for seamless failover and failback capabilities, enabling the replication of VMs supporting personal desktops to a secondary Azure region. In the event of a disaster or unexpected outage, this ensures the recovery of these VMs from a known-state. + potentialBenefits: Ensures VM recovery & failover pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -289,19 +315,19 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/monitoring#resource-health" + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/scheduled-agent-updates" -- description: Deploy Domain Controllers and DNS Servers in Azure Virtual Network Across Availability Zones - aprlGuid: 99bf5c94-aa68-4bb3-8b7f-45d1c5f09b5d +- description: Ensure a unique OU when deploying VMs to Domain + aprlGuid: 939cb85c-102a-4e0a-ab82-5c92116d3778 recommendationTypeId: null - recommendationControl: High Availability - recommendationImpact: High + recommendationControl: Governance + recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - When using an AD DS identity solution with AVD, it is recommended to deploy domain controllers and DNS servers on Azure virtual machines across availability zones. This improves the environment�s reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for user authentication. - This recommendation is not relevant when you are utilizing Microsoft Entra as the identity provider. - potentialBenefits: Enhanced reliability and performance + Hybrid VMs should be in a unique OU. + When using AD-joined session hosts will benefit from using a unique OU to target specific AVD configurations per hostpool. Examples include Fslogix, time out limits, session controls, and much more. It�s also important to segment Prod and DR organization units to ensure resources are configured per environment. + potentialBenefits: Improved AVD hostpool config & segmentation pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -309,18 +335,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/identity/adds-extend-domain#reliability" + url: "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm#configure-the-vms-and-install-active-directory-domain-services" -- description: Implement RDP Shortpath for Public or Managed Networks - aprlGuid: 3835b4b3-0479-4be8-9ffd-34ae29fa33b9 +- description: Ensure the standard FSLogix configuration is deployed + aprlGuid: c15b2b73-52a1-4db2-88dd-d592424ff4e4 recommendationTypeId: null - recommendationControl: Other Best Practices - recommendationImpact: Medium + recommendationControl: Governance + recommendationImpact: High recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - It is recommended to enable RDP Shortpath for AVD. RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. By default, Remote Desktop Protocol (RDP) tries to establish connection using UDP and uses a TCP-based reverse connect transport as a fallback connection mechanism. TCP-based reverse connect transport provides the best compatibility with various networking configurations and has a high success rate for establishing RDP connections. UDP-based transport offers better connection reliability and more consistent latency. - potentialBenefits: Better reliability & consistent latency + Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices. + potentialBenefits: Optimized session reliability and performance pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -328,37 +354,37 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks" + url: "https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles" -- description: Implement a Multi-Region BCDR Plan - aprlGuid: 0714d039-535e-468d-9732-e32b5c094faa - recommendationTypeId: null - recommendationControl: Disaster Recovery - recommendationImpact: Medium +- description: Ensure user permissions are set correctly on SMB shares + aprlGuid: 7b170ddd-5770-4945-9bc3-cd1ccf5f8672 + recommendationTypeId: + recommendationControl: Security + recommendationImpact: High recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - It is recommended to adopt a multi-region deployment (active-active) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage. - potentialBenefits: Enhanced resilience & uptime + Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event. + potentialBenefits: Enhanced security & disaster recovery pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: null + tags: learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr" + url: "https://learn.microsoft.com/en-us/fslogix/how-to-configure-storage-permissions" -- description: Store Golden Image Redundantly for Disaster Recovery - aprlGuid: 0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b +- description: Configure Diagnostic Settings for FSLogix logs and enable review for accounts + aprlGuid: 483f5a00-84a0-49f7-903b-ef6f1fc0c389 recommendationTypeId: null - recommendationControl: Disaster Recovery - recommendationImpact: Low + recommendationControl: Monitoring and Alerting + recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - If a full BCDR strategy is not in place, consider using zone-redundant storage to store golden images across availability zones. Having the image available will allow for faster recovery in case of zonal or regional outage. - potentialBenefits: Faster recovery from outages + Regularly review FSLogix logs for errors and issues related to login and mounting the profile. Events can be reviewed by looking locally inside the Session Host and also in Log Analytics when the Azure Monitor Agent is used. + potentialBenefits: Enhanced AVD error tracking and resolution pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -366,20 +392,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/business-continuity#golden-images" + url: "https://learn.microsoft.com/en-us/fslogix/troubleshooting-events-logs-diagnostics" -- description: Capacity Planning for AVD Resources - aprlGuid: ef4b3561-c85f-47cf-8cb0-51fae9ddf929 +- description: Manually update new FSLogix image when available + aprlGuid: d51e0a70-8b50-4be3-af8a-7c9065e47360 recommendationTypeId: null - recommendationControl: Disaster Recovery + recommendationControl: Governance recommendationImpact: Low recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Monitor and plan for subscription limits and API throttling limits. Closely monitor your Azure Virtual Desktop deployments, and keep track of resource usage within your subscription. By proactively monitoring capacity, you can identify potential challenges early on, and you can take suitable actions to avoid reaching limits. - Consider scaling across multiple subscriptions if further scaling is required, or work with Azure support to adjust limits based on your business requirements. - To handle a large number of users, consider scaling horizontally by creating multiple host pools. - potentialBenefits: Avoids limits, ensures smooth scaling + Ensure a process is in place to regularly check for FSLogix agent upgrades and maintain FSLogix up to date. We recommend customers upgrade to the latest version of FSLogix as quickly as their deployment process can allow. FSLogix will provide hotfix releases which address current and potential bugs that impact customer deployments. Additionally, it is the first requirement when opening any support case. + potentialBenefits: Enhanced reliability & support pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -387,18 +411,19 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/business-continuity#capacity-planning" + url: "https://learn.microsoft.com/en-us/fslogix/how-to-install-fslogix" -- description: Ensure separate log analytics workspaces for Prod and DR - aprlGuid: 89b4d8f6-6345-4d66-9012-c3fc2aef94e8 +- description: Turn on Continuous Availability for ANF if using App Attach + aprlGuid: 9b2301af-9cac-4f1a-871a-f17475d01812 recommendationTypeId: null - recommendationControl: Disaster Recovery - recommendationImpact: Low + recommendationControl: High Availability + recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Having separate Log Analytics ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident. - potentialBenefits: Improved DR visibility & operation + Turn on Continuous Availability if using Azure Netapp Files. + Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory. + potentialBenefits: Enhanced stability & user limit checks pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -406,25 +431,20 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics" + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach" -- description: Ensure that FSLogix Storage Account is Redundant - aprlGuid: ed1f0327-0914-49e8-9518-16acb0d6b8d6 +- description: Segregate App attach storage in disaster recovery plans with distinct file shares + aprlGuid: 7d9c96a6-1ce5-4cf0-ad1b-638a37f753cb recommendationTypeId: null - recommendationControl: High Availability + recommendationControl: Disaster Recovery recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - It is important to ensure the redundancy of our user profiles when using FSLogix. When using FSLogix with AVD, it is deployed on a file share in a storage account. Data in an Azure Storage account is always replicated three times in the primary region. Below are the options for how your data is replicated in the primary or paired region: - LRS for least expensive replication (not recommended for apps with high availability and durability). - - LRS provides eleven 9s durability and replicates three time in a single physical location. - - ZRS is recommended for apps requiring high availability across zones. ZRS provides twelve 9s durability. Replicated across three availability zones - - GRS replicates an additional three copies to secondary region and provides sixteen 9s durability. - - GZRS provides both high availability and redundancy across geo replication. It provides sixteen 9s durability over a given year. - - Generally, it is recommended to store your data as secure and redundant as possible. - potentialBenefits: Improves data durability & availability + App Attach packages should be on a separate share from profiles. And App Attach files should be backed up. + Best practice is to separate App Attach VHD files in a separate file share away from user profiles, both for performance and scalability purposes. Requirements can vary greatly depending on how many packaged applications are stored in an image, and you need to test your applications to understand your requirements. + Your file share should be in the same Azure region as your session hosts. + potentialBenefits: Enhances performance & scalability pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -432,18 +452,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/storage#user-profiles" + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach" -- description: Scaling plans should be created per region and not scaled across regions - aprlGuid: e091419d-10ba-4a8e-bdb0-67380cc021a9 +- description: Ensure virtual networks have route tables/route server configured for all regions + aprlGuid: db1727d1-5c8e-4a01-a31e-f0d58cfd95b1 recommendationTypeId: null - recommendationControl: Disaster Recovery + recommendationControl: High Availability recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region. - potentialBenefits: Enhances reliability across failures + For high availability connections back to on-premises datacenters should consider backup paths across the regions that have been utilized. Ensure redundancy in routing by having a secondary route table in the secondary region. + potentialBenefits: Enhanced availability & routing pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -451,18 +471,19 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/autoscale-scaling-plan?tabs=portal" + url: "https://learn.microsoft.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution" -- description: Validate AVD Session Host Connectivity to the AVD Control Plane and UDP Ports open if in use - aprlGuid: e718ac1a-ebab-4f75-9e4a-1a5ccef20d1f +- description: Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR + aprlGuid: 37d1091b-e599-4548-a067-a9286be16e45 recommendationTypeId: null - recommendationControl: Governance + recommendationControl: Business Continuity recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Ensure that AVD session hosts can effectively communicate with the AVD control plane and that UDP ports are open if UDP is utilized. Validate the connectivity of VMs to the AVD Control Plane and confirm the accessibility of UDP TURN ports. Whitelist global URLs and ensure that UDP/TURN ports are open and accessible to facilitate smooth user connections. Proper connectivity validation guarantees optimal performance and user experience within the AVD environment. - potentialBenefits: Enhanced performance & user experience + NSG and ASG per AVD persona and IP space per Prod/DR regions. + It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. Overlapping IP address spaces across on-premises and Azure regions create major contention challenges. + potentialBenefits: Enhances security & prevents IP conflicts pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -470,39 +491,39 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-rdp-shortpath" + url: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing" -- description: Ensure Secondary Entra ID connect synchronization server - aprlGuid: d984eaf9-0fa1-4f8d-a326-bda751993c6f - recommendationTypeId: null - recommendationControl: Security - recommendationImpact: Low +- description: Ensure route tables accommodate failover + aprlGuid: 4b1a45af-d35f-442d-922a-a3e7b6052de1 + recommendationTypeId: + recommendationControl: Disaster Recovery + recommendationImpact: Medium recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Hybrid - Entra ID Connect best to run in Azure but can be hosted on-prem. Secondary or more VMs should be setup in staging mode in event of failover. - Set up secondary server in staging mode for Entra Connect for syncing to Entra in case of primary server outage. - potentialBenefits: Improved failover reliability + Ensure Route Tables that force tunnel traffic to FW/NVA have failover considerations evaluated and won't fail or trigger next-gen FW protections. + + AVD workload teams should collaborate with centralized teams that manage the shared infrastructure, like networking, to ensure that both Production and DR workloads have the appropriate route tables in place for failover of routing to perform as expected. + potentialBenefits: Enhanced failover reliability pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: null + tags: learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-multiple-domains" + url: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery" -- description: Deploy paired Domain Controllers in the same region as AVD session hosts - aprlGuid: d61f6ee8-de1b-4fd9-9ce3-316cfe11ee05 +- description: Provision Secondary Key Vault for Disaster Recovery + aprlGuid: 1f57434f-f884-41f3-b818-129bbe3c5d3b recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: High recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Ensure each region with session hosts has multiple domain controllers in the same region to support high availability with regards to identity. - For a hybrid scenario, each Azure region with AVD session hosts should have Active Directory Domain Controllers in Azure and use Availability Zones or Availability Sets for resilience within the region. This also mitigates dependency on ER/VPN/Inter-Azure dependencies. - potentialBenefits: Enhanced identity resilience + To ensure continuous availability and disaster recovery readiness, it is recommended to provision a secondary Key Vault in a secondary region. In the event of a primary region failure, this secondary Key Vault will ensure that critical secrets are accessible for use in deployments in the secondary region. + potentialBenefits: Ensures DR readiness and access pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -510,18 +531,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr" + url: "https://learn.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance" -- description: Ensure DNS regions are replicated to avoid single point of failure - aprlGuid: e1a34ac6-8761-4020-b537-d60c0be7514e +- description: Configure AVD Insights Workbook + aprlGuid: 0cf72d91-644d-4591-9bb7-84ba3f705a41 recommendationTypeId: null - recommendationControl: High Availability - recommendationImpact: Medium + recommendationControl: Monitoring and Alerting + recommendationImpact: High recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - Active Directory Domain Services (AD DS) integrated DNS/other should target Secondary/Tertiary customer DNS across multi-region zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure. - potentialBenefits: Improves uptime & resilience + AVD Insights is an Azure Workbook template provided by the AVD product team. It is highly recommended in order to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights. + potentialBenefits: Enhanced AVD monitoring & troubleshooting pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -529,18 +550,18 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr" + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/insights?tabs=monitor" -- description: Enable Azure Backup for FSLogix Storage Account - aprlGuid: 0025ed2e-41f4-4ada-93c1-12484cef8b0c +- description: Ensure separate log analytics workspaces for Prod and DR + aprlGuid: 89b4d8f6-6345-4d66-9012-c3fc2aef94e8 recommendationTypeId: null - recommendationControl: High Availability - recommendationImpact: Medium + recommendationControl: Disaster Recovery + recommendationImpact: Low recommendationResourceType: Microsoft.DesktopVirtualization/hostPools recommendationMetadataState: Active longDescription: | - It is recommended to enable backup on the FSLogix Storage Account. Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages. - potentialBenefits: Ensures data resilience and consistency + Having separate Log Analytics ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident. + potentialBenefits: Improved DR visibility & operation pgVerified: Verified publishedToLearn: false publishedToAdvisor: false @@ -548,7 +569,7 @@ tags: null learnMoreLink: - name: Learn More - url: "https://learn.microsoft.com/en-us/fslogix/overview-what-is-fslogix" + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics" - description: Organize AVD resources using the AVD Scale unit model described by the AVD Landing Zone Methodology aprlGuid: 204b56b0-9710-4c16-b506-bafb5fb318ed