Azure Virtual Desktop Networking Planning
Azure Virtual Desktop Implementation
The course is part of this learning path
The most fundamental component of any cloud solution is the network. It is networking that will provide connectivity and security to your applications and solutions. This is most critical with an internet-accessible solution like Azure Virtual Desktop, so we need to properly build it and secure it.
In this course, we will help you design your Azure Virtual Desktop network components so you can not only gain insight into those Azure services but also understand how they integrate and relate to the Azure Virtual Desktop service and help you to pass the Azure Virtual Desktop Specialty exam.
- Understand Azure virtual desktop networking requirements
- Recommend the correct solution for network connectivity
- Implement your Azure Virtual Desktop networking solution
- Manage connectivity to the internet and on-premises networks
- Implement and manage network security
- Manage Azure Virtual Desktop session hosts using the Azure bastion service
- Monitor and troubleshoot network connectivity
- Azure administrators with subject matter expertise in planning, delivering, and managing virtual desktop experiences and remote apps, for any device, on Azure
- Anyone looking to learn more about Azure Virtual Desktop
To get the most out of this course, you should have knowledge of the following:
- Azure networking
- Network security
- Network monitoring and troubleshooting
Now that you've got the basic concepts, let's build our network in Azure. Then we'll set up our supporting services like our gateway and DNS. And then we'll set up security to allow connectivity to Azure Virtual Desktop. In the Azure portal, click the plus to create a resource and in the search box type network. Select the first option of virtual network and click create.
Every resource in Azure needs to be in a subscription and a resource group. So, select your subscription and let's click to create a new resource group. Now, there are several strategies for how to name and locate your resources in Azure, but to keep things simple today, we're going to build one resource group for our networks and we'll call it RG-AVD-Network. This way, when you're looking at your resources, you'll know that this is a resource group for Azure Virtual Desktop that contains network resources.
Now we need a name for our virtual network. So, sticking with our naming convention, we'll call this VNET-AVD. Azure resources need to reside in an Azure region and since we need to keep all of our resources as close together as possible, I suggest that you build this network in a region located closest to you, and I'll pick the East US. Click next. This is where you set up your address space. This is the number of total IP addresses in your network. By default, you've been given a /16 network, which means that you have over 65,000 IP addresses.
Now, one of the beauties of how Azure does this, is called software defined networking. You and I can both create a 10.0/16 network. Even though we have the exact same address spaces we don't overlap and the networks can't communicate together because we're two different users in two different environments of Azure. Things are different when connecting this virtual network to another virtual network in your subscription or to your on-premise networks.
Once this virtual network is connected to any other network, they must all have unique addresses. So, if we have a 10.0/16 network in Azure, you cannot have a 10.0/16 network on-premise that connects to Azure. All of these 65,000 IP addresses become usable in the bottom section where you create subnets. A subnet is where we divide those 65,000 addresses into different blocks and we will need a few of those.
Now, there are three special subnets in Azure that need specific names. The GatewaySubnet, this will contain the Azure Virtual Network gateway resources, which are required for setting up a VPN or express route connection. AzureFirewallSubnet, this is required for you to set up an Azure firewall for security. AzureBastionSubnet, this service will allow you to connect to your Azure virtual machine resources and manage them.
The first subnet has been created for you with a 10.0/24 which makes up 256 addresses. Select it by clicking the word default. Rename this subnet to GatewaySubnet and you can leave the other settings alone and click save at the bottom. Click to add a new subnet and we'll call this one AzureFirewallSubnet. For the subnet address range, we'll use the next available range, which is 10.0.1.0/24. Click add at the bottom.
Just two more. This one will be called Identity, and it's going to be for your active directory domain controllers that you'll build later. This address range will be 10.0.3.0/24. Of course, if you're planning on using only Azure AD Join you won't be needing domain controllers so you might skip the Identity subnet in the future. However, you will need this next subnet for your Azure Virtual Desktop session hosts. So let's call it AVD. If you said the address range should be 10.0.4.0/24 you get the gold star.
Now, why didn't we use the 2.0 address range? Click next and I'll explain. In the security tab, we have three options. BastionHost, DDoS protection, and the Azure firewall. Bastion turns the Azure portal into a jump host where you can literally open a RDP or shell session to your virtual machines inside your browser and this is a requirement for the AVD exam. DDos Basic is included in Azure by default. The standard version of the service enables DDoS specifically on your virtual network.
In the case of virtual desktop, I generally would not use this. The reason why is, we're going to secure our networks in such a way, that the only way in, is through either Bastion or Azure Virtual Desktop. Then we have the Azure firewall. This is a great service to secure your virtual network and is something worth knowing. However, since it's not specifically required for the Azure Virtual Desktop certification, and it's a resource that runs all the time, so it will burn through any of your Azure credits, we're going to skip it for now and use network security groups instead, which are free resources. Click to enable BastionHost. We need to provide a name and a subnet range as well as a public IP address for Bastion to use. We'll call it Bastion-AVD and the subnet range we'll use, you guessed it, 10.0.2.0/24. If we had set up the subnet in our last step with the 2.0 range, in here we would have gotten an error saying that the subnet range was already in use.
Click to create a new public IP address. Let's call it Bastion-AVD-PIP. As you see, the naming of all of our resources like this, helps you to keep track of what services are as well as what they're related to. Click next. Here's where you can add your tags. Tags are metadata that you can attach to your resources. And the purpose of tags is not only to keep track of things like owners and cost centers, but you can also use them for automation. For example, find all of my virtual machines that have a tag of AVD and another tag of January, so I can decommission them when I deploy my updated session hosts from my updated image.
Now, a tag has a name and a value. These can literally be anything. So, you should work within your organization to come up with the set of tags and values that have meaning for you so you can get the most out of them. The tags I generally use are, application, cost center, environment, maintenance window, owner, and support contact. Click the review and create button to provision your resources.
Dean Cefola is a Principal Azure Engineer at Microsoft and has worked in the IT industry for over 20 years. Dean has been supporting Azure Virtual Desktop from the beginning and is the Microsoft FastTrack Global Leader for AVD.