As I highlighted in an earlier article –> https://searchvirtualdesktop.techtarget.com/tip/Whats-missing-in-Windows-Virtual-Desktop-management and presented briefly in the MYCUGC webinar –> https://www.slideshare.net/mariussandbu/state-of-the-euc-2020-whats-new-in-enduser-computing, Windows Virtual Desktop is missing some main features from its ecosystem. Since that post was written a couple of months ago a lot has happened. As with most products that Microsoft creates, there are a lot of partners in the ecosystem that develop products or enhancements to Microsoft’s product to fill the gap.
When designing a WVD solution in Azure it is also important to understand the other services and features in Azure you can use to secure and monitor the solution, and how to enhance it with VPN, storage options or GPU infrastructure as part of a WVD deployment.
Instead of a big wall of text, I wanted to keep this blog post simple and use a table to describe each feature, what it does and how it can provide value to a WVD solution.
The overview architecture and feature set
This overview picture is meant to show a simple high-level WVD architecture and also the different features and options available as part of Windows Virtual Desktop. I have split it into two main parts, where the first part is Microsoft services in Azure and the second is third-party services.
Link to fullscreen picture: https://imgur.com/a/ketrzuF. If you want the Visio, send me an email at [email protected] since I’m trying to keep it updated. I might spam you once in a while with a new update.
FYI: Updated edition can be found here –> https://bit.ly/2WuQxor
NOTE: Citrix and VMware are not included since the aim is the WVD ecosystem, and the Citrix and VMware offerings replace the WVD components shown here.
Services
This section describes the different services displayed in the picture above and how each can provide value-add to a WVD deployment.
Azure AD Services
Azure Active Directory has a range of different features which can be used to publish applications outside of WVD and also to secure your users’ identities. I want to highlight a few of these services.
- Application Proxy – Allows you to publish internal web applications without exposing the web site directly using public IP addresses. Web sites are published through a reverse connection using Azure Active Directory. Web applications can then be accessed using myapps.microsoft.com / portal.office.com or a custom URL as part of Azure AD.
- Universal Print – New print service which allows for publishing and managing printers using Azure Active Directory. This means there is no longer a need for print servers, since printers can be attached directly to Azure AD using the new universal print protocol or using a Universal Print Connector.
- Identity Protection – A feature aimed at protecting user identities. Based upon sign-in risk and user risk it can automatically enforce a user password change, require MFA and so on. Risk information is collected from Intune / Defender ATP for device information, together with sign-in specific information such as location, and is used for identity-based risk.
Security and Management
- Cloud App Security – A Cloud Access Security Broker (CASB) which leverages API integration to monitor activity on SaaS applications. Has direct integration with Azure, Office 365 and other SaaS services to monitor user activity; it can for instance see if users have been mass downloading data from SharePoint or OneDrive for Business. Integrates with Defender ATP to categorize SaaS application usage based upon data collected from the endpoint. Can also be used as a forward-proxy solution through Conditional Access, meaning that web applications can be protected through the CAS proxy.
- Defender ATP – Endpoint detection and response (EDR) tool, used for in-depth threat detection on endpoints. Also part of Azure Security Center for servers. Defender ATP can monitor process, network connection and file activity on a machine, and provides vulnerability scanning of both clients and servers. Support for Linux, Android and iOS is coming as well.
- Intune – Device management, can be used against VDI endpoints to manage patching (using Windows Update for Business), compliance, application deployment and so on.
Supporting Services
- Azure Backup – Backup as a Service, can be used to back up any IaaS based machine in Azure either through native integration or using the backup agent, which allows you to back up a volume or certain folders on a virtual machine. The agent-based option can also be used to back up machines running outside of Azure.
- Azure Security Center – Threat detection service, monitoring IaaS (with Defender ATP).
- Azure Automation – Can be used to trigger automation jobs based upon PowerShell; with WVD it can be used for Update Management, which provides a lightweight cloud-based WSUS service.
- Log Analytics – Log aggregation tool; provides a centralized log solution and is also used by other PaaS services in Azure to collect diagnostics logs and audit logs.
- Azure Bastion – PaaS based bastion service. Allows for secure management of virtual machines running in Azure, where admins authenticate through the Azure Portal and Conditional Access.
- Azure Policy – Provides policy management of Azure, and can for instance be used to ensure that resources can only be provisioned in certain regions, or to limit the usage of certain virtual machine types. Also provides in-guest policy control using PowerShell DSC.
- Azure Monitor – Monitoring solution in Azure, based upon Log Analytics, which can also provide more PaaS and IaaS based monitoring.
- Azure Sentinel – SIEM and SOAR solution in Azure, built upon Log Analytics.
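As an added illustration of the Azure Policy use case above (not from the original post), here is a custom policy definition that denies any virtual machine, such as a WVD session host, created outside the allowed regions or with a VM size not on the allowed list. The region names and SKUs in the default values are sample values chosen for this example; the `sku.name` alias and `strongType` values are the ones Azure Policy uses for virtual machines.

```json
{
  "mode": "All",
  "parameters": {
    "allowedLocations": {
      "type": "Array",
      "metadata": { "displayName": "Allowed locations", "strongType": "location" },
      "defaultValue": [ "westeurope", "northeurope" ]
    },
    "allowedSkus": {
      "type": "Array",
      "metadata": { "displayName": "Allowed VM sizes", "strongType": "VMSKUs" },
      "defaultValue": [ "Standard_D4s_v3", "Standard_D8s_v3", "Standard_NV12s_v3" ]
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
        {
          "anyOf": [
            { "field": "location", "notIn": "[parameters('allowedLocations')]" },
            { "field": "Microsoft.Compute/virtualMachines/sku.name", "notIn": "[parameters('allowedSkus')]" }
          ]
        }
      ]
    },
    "then": { "effect": "deny" }
  }
}
```

Assign the definition at the subscription or resource group scope that holds the WVD host pools; existing VMs that violate it show up as non-compliant, while new deployments are rejected at ARM level before the session host is created.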
Disk Storage
When planning and building your WVD infrastructure there are a range of different storage options that can be used for the virtual infrastructure. I also recommend that you take a look at this blog post where I go through the different storage options in Azure: https://msandbu.org/storage-services-and-considerations-for-microsoft-azure/
- Managed Disk – Virtual machine storage solution based upon VHD. Attached to a single virtual machine.
- Shared Managed Disk – New feature that allows a managed disk to be shared between multiple virtual machines using SCSI based commands, useful for failover cluster instances (FCI) in Azure.
- Premium Disk – SSD based disks in Azure.
- Ultra Disk – Fastest disks in Azure (NVMe).
- Ephemeral Disk – Non-persistent local host based disk. Cheap and fast, but data is destroyed when the machine is restarted. Only supported for OS disks.
SMB Storage Solutions
These SMB storage solutions can be used to provide backend storage for FSLogix profile containers and can also serve as a regular file server replacement.
- Azure Files – Provides SMB based file storage in Azure. Natively it does not support NTFS ACLs, but with the latest preview it can integrate with Active Directory to provide full NTFS support with AD ACLs. In combination with Private Link it also provides secure access directly from the virtual network.
- Azure NetApp Files – NetApp based storage, directly integrated into a VNET. Can provide both SMB and NFS based backend storage.
Networking
At the core of WVD we need a virtual network where the host pools reside. The services below are not required for WVD but can be used in addition to provide more features such as site-to-site connectivity and even optimized traffic flow from branch offices.
- VPN Gateway – Provides regular Site-to-Site and Point-to-Site VPN directly into the virtual network. The latest enhancement is support for Azure AD based authentication: https://msandbu.org/setting-up-azure-ad-native-authentication-with-azure-vpn-gateway/ It can be used to provide VPN based access to the environment if there are applications or systems which require it.
- Azure Virtual WAN – Virtual WAN is an enhancement to VPN Gateway with the addition of front-door optimization of regular Site-to-Site VPN, essentially optimized traffic flow (https://msandbu.org/azure-virtual-wan-whats-new-and-by-the-numbers/). Azure Virtual WAN does not enhance WVD itself but can provide optimized branch connectivity for Site-to-Site connections.
- Azure Private Link and Private Endpoints – Services which provide secure access to PaaS services from inside a virtual network.
GPU Instances
For GPU based workloads you need a GPU based instance in Azure, powered by either AMD or NVIDIA, to deliver those applications. AMD provides vGPU using MxGPU, while NVIDIA provides virtual instances based upon GPU passthrough.
- AMD
- NVIDIA
Azure Resource Manager
The automation and management layer in Azure. It orchestrates all actions made against Microsoft Azure, and can be used for automation and Infrastructure as Code. It is integrated with Azure Active Directory for authentication and authorization.
Azure Migrate
Assessment and migration service in Azure. There is a separate assessment part which can be used to assess and migrate your on-premises virtual desktop infrastructure (VDI) to Windows Virtual Desktop in Azure.
Azure Lighthouse (Delegated Resource Management)
Part of Azure Resource Manager, it can provide delegated access to another tenant’s subscription or resources. If you are an MSP this can be useful to simplify Azure management –> https://msandbu.org/getting-started-with-azure-lighthouse/
Azure Image Builder
A service in Azure built upon HashiCorp Packer to build virtual machine images in Azure.
Third-Party Services – Coming soon