Recommending a Solution for Network Connectivity
Start course

An important aspect of designing an Azure Virtual Desktop (AVD) environment is ensuring you understand user identities and profiles.  To get the most out of this cloud-hosted service, it is important to ensure our user identities are fully secure and integrated with the storage solutions you use for user profiles.  This will in turn give a much better experience for your users. 

 AVD allows organizations to set up redundant, scalable, and agile environments that offer the following key capabilities:

  • Integration with both cloud and on-premises identity and access management solutions
  • Configuring Azure native and 3rd party storage solutions to facilitate user profiles
  • Complete licensing solution that covers both Azure Virtual Desktop and Microsoft 365 SaaS services

From an identity perspective, you can synchronize your Azure cloud identities with on-premises Active Directory.  This allows you to utilize hybrid join for your Azure Virtual Desktop session hosts and integrate your user profiles with Group Policy.  

This course will help you design and plan your Azure Virtual Desktop identity and user profiles and allow you to understand how it integrates with other Azure services.  It covers understanding choosing the appropriate licensing model, looking at the different storage solutions available, planning for user profiles, and planning for Azure AD Connect for identities.

Learning Objectives

  • Select an appropriate licensing model for Azure Virtual Desktop based on requirements
  • Recommend an appropriate storage solution (including Azure NetApp Files vs. Azure Files)
  • Planning for Azure Virtual Desktop client deployment
  • Planning for user profiles
  • Recommending a solution for network connectivity
  • Planning for Azure AD Connect for user identities

Intended Audience

This course is intended for anyone who wants to become an Azure Virtual Desktop Specialist and is preparing to take the AZ-140 exam.


If you wish to get the most out of this course, it is recommended that you have a good understanding of Azure Administration, however, this is not essential.


Welcome to this module on recommending a solution for network connectivity. We'll cover the following topics in this module. We'll first look at virtual network recommendations for Azure Virtual Desktop. We'll then move on to talking about the differences between VPN Gateway and Express Route, including use cases. Finally, we'll look at some of the networking best practices for Azure virtual desktop.

First, let's take a look at virtual network recommendations. In an Azure virtual desktop environment, it's important to pick a sensible naming convention, largely to identify who the network belongs to. Naming convention is even more important if the environment is being deployed for a global organization, as it may have different regions. It's always recommended to provision virtual networks to the closest region where the user will be situated. Make sure to revision multiple subnets. For example, if you have different host pools for different departments, you can separate these into different subnets and have more control over access. Finally, utilizing Azure services, like Network Security Groups to increase the network security posture of the Azure Virtual Desktop environment, is always recommended.

Let's now discuss the difference between VPN Gateways and Express Routes. First, VPN Gateways. This is a shared VPN connection into Azure. This can be point-to-site, which is an individual VPN user connecting into Azure, or a site-to-site VPN connection, which is an on-premise office network or some location with a VPN device like a router connecting into Azure. Let's now compare a VPN Gateway to an Express Route. This is a private connection between your organization's on-premises location and the Azure data center.

There are two types of Express Route connection. The first is where you establish a connection to Azure at an Express Route location, known as an exchange provider facility. The second is where you directly connect to Azure from an existing Wide Area Network or WAN, which is provided by your network service provider. In the final part of this module, we are going to discuss some general networking best practices for Azure Virtual Desktop.

It is the best practice recommendation to have strong network controls in place. By this, we mean centralizing management and governance of the core network functions like the virtual network and any virtual network appliances. Next, it is recommended to logically segment virtual subnets, especially if you have used a large network address space for your VNet.

We touched on security earlier in this module, and as part of that is adopting a zero-trust approach to network access. Use Azure AD features like conditional access and just-in-time access to mitigate any security risks. The final best practice recommendation is to utilize virtual network appliances where possible. This includes virtual firewalls, which add an extra layer of security to your Azure Virtual Desktop environment.

About the Author

Shabaz Darr is a Senior Infrastructure Specialist at Netcompany based in the UK. He has 15 years plus experience working in the IT industry, 7 of those he has spent working with Microsoft Cloud Technologies in general, with a focus on MEM and IaaS. Shabaz is a Microsoft MVP in Enterprise Mobility with certifications in Azure Administration and Azure Virtual Desktop. During his time working with Microsoft Cloud, Shabaz has helped multiple public and private sector clients in the UK with designing and implementing secure Azure Virtual Desktop environments.