The most fundamental component of any cloud solution is the network. It is networking that will provide connectivity and security to your applications and solutions. This is most critical with an internet-accessible solution like Azure Virtual Desktop, so we need to properly build it and secure it.
In this course, we will help you design your Azure Virtual Desktop network components so you can not only gain insight into those Azure services but also understand how they integrate and relate to the Azure Virtual Desktop service and help you to pass the Azure Virtual Desktop Specialty exam.
Learning Objectives
- Understand Azure virtual desktop networking requirements
- Recommend the correct solution for network connectivity
- Implement your Azure Virtual Desktop networking solution
- Manage connectivity to the internet and on-premises networks
- Implement and manage network security
- Manage Azure Virtual Desktop session hosts using the Azure Bastion service
- Monitor and troubleshoot network connectivity
Intended Audience
- Azure administrators with subject matter expertise in planning, delivering, and managing virtual desktop experiences and remote apps, for any device, on Azure
- Anyone looking to learn more about Azure Virtual Desktop
Prerequisites
To get the most out of this course, you should have knowledge of the following:
- Azure networking
- Network security
- Network monitoring and troubleshooting
In the final section of this course on AVD networking, we'll talk about monitoring and troubleshooting connectivity. When it comes to network monitoring, there are two services that you need to set up. In the search bar at the top of the screen, type monitor. Select the first match, and this is the Azure Monitor service. Scroll down on the blade on the left, and you'll want to click on Diagnostic settings. Use the filters at the top to select the appropriate subscription and resource group where all of our networking assets are located, and then it should look something like this. It currently says disabled for all of these diagnostic settings, and that means that nothing is actively being monitored.
Before we can fix this, we need a place to store all of these diagnostic logs. On the top left click the + button, and on the left near the bottom select Monitoring and Diagnostics. Select the 2nd item from the top, Log Analytics Workspace. Select the same subscription and resource group that we've used throughout this course. I will name the workspace Logs-Networking-AVD and locate it in the East US region. Click Next, add all of your tags, and then click Review and Create.
Once that's complete, go back to the Azure Monitor, select Diagnostic settings on the bottom left again, and click on your first item. Then in the middle of the screen, click to add Diagnostic settings. The experience is the same here, no matter what the resource type is. Give the diagnostic a name. So in this case, it would be Log-AVD-Bastion. For the categories, these will be resource-specific. But I always recommend selecting all of the categories and metrics.
Now we need a destination for our logs. I'll select the first box for a Log Analytics Workspace, then select the workspace we just created. Click Save at the top, and logging on Bastion is now enabled. Repeat these steps on all of the other resources and it should look like this.
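The same "all categories and metrics" setup, scripted with the Azure CLI instead of the portal, as an added example (not part of the course): it creates the workspace, then enables every log and metric category on each resource in the resource group. The resource group name (`rg-avd-networking`) is an assumption; the workspace name and region are the ones used above.

```shell
#!/bin/sh
# Added example: enable diagnostic settings (all logs + all metrics) on every
# resource in a resource group, sent to the Log Analytics workspace.
# Assumes the az CLI is installed and logged in. RG is an assumed name.
set -eu

RG="${RG:-rg-avd-networking}"          # assumption: your resource group
WS="${WS:-Logs-Networking-AVD}"        # workspace name from the course
LOCATION="${LOCATION:-eastus}"

# Turn a newline-separated list of category names into the JSON array that
# `az monitor diagnostic-settings create --logs/--metrics` expects.
to_settings_json() {
  json="[" first=1
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    [ "$first" -eq 1 ] || json="$json,"
    json="$json{\"category\":\"$name\",\"enabled\":true}"
    first=0
  done
  printf '%s]' "$json"
}

# Enable every supported log and metric category on one resource.
# Resources with no diagnostic support (e.g. route tables) make the
# categories call fail, so the caller can skip them.
enable_all_diagnostics() {
  resource_id="$1" workspace_id="$2"
  log_names=$(az monitor diagnostic-settings categories list --resource "$resource_id" \
                --query "value[?categoryType=='Logs'].name" -o tsv) || return 1
  metric_names=$(az monitor diagnostic-settings categories list --resource "$resource_id" \
                --query "value[?categoryType=='Metrics'].name" -o tsv) || return 1
  logs=$(printf '%s\n' "$log_names" | to_settings_json)
  metrics=$(printf '%s\n' "$metric_names" | to_settings_json)
  az monitor diagnostic-settings create --name "Log-AVD-$(basename "$resource_id")" \
    --resource "$resource_id" --workspace "$workspace_id" \
    --logs "$logs" --metrics "$metrics" -o none
}

if [ "${1:-}" = "--run" ]; then
  az monitor log-analytics workspace create -g "$RG" -n "$WS" -l "$LOCATION" -o none
  ws_id=$(az monitor log-analytics workspace show -g "$RG" -n "$WS" --query id -o tsv)
  # Bastion, virtual networks, NSGs, gateways and firewalls all accept diagnostics.
  az resource list -g "$RG" --query "[].id" -o tsv | while IFS= read -r id; do
    enable_all_diagnostics "$id" "$ws_id" || echo "skipped (no diagnostics): $id" >&2
  done
fi
```

Run it with `--run` after `az login`; without the flag it only defines the functions.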
The second component of network monitoring uses Azure Network Watcher. In the search box at the top of the screen, type network watcher. Azure Network Watcher is not a virtual desktop-specific tool, but focuses on the infrastructure side of your resources, like the network cards of your AVD session hosts as well as the virtual networks, gateways, and firewalls. Most tools inside Network Watcher require you to have VMs that are online for it to examine. And since we haven't deployed any VMs in this course, we will be somewhat limited in what I can show you, but there's still enough here to talk through everything you need.
So the first thing on the left is your topology and this will show the layout of your network resources. Just filter down to the correct subscription and resource group, where your network assets are located, and you should see something like this, showing your virtual networks, subnets, NSGs, and route tables. This'll definitely help you know that you've got all the right connectivity in place.
The next tool we'll look at is IP Flow Verify. This is an on-demand tool that will verify whether traffic would be allowed to flow inbound or outbound from a VM in Azure. Again, we haven't specifically set up any VMs in this course, so I'll show an example from another project I've been working on. You select your subscription, resource group, and the name of a VM, and then select the network interface of that VM.
Next, we select the protocol and direction that you want to test. This will populate the local IP address for you. Now select the local port you want to test, and I'll choose 3389, then a remote IP. This IP can be in Azure or a public IP anywhere in the world. Select a port for this as well, and then click the Check button at the bottom. In a few seconds, Azure will check which security rule will allow or deny this traffic. The other tools on the left have a different spin on connectivity troubleshooting, like NSG diagnostics and Next Hop, which is helpful if you have a hub and spoke topology or a firewall, and will let you know that everything is going the way that it should. The VPN troubleshooter will verify that your gateway and connections to your on-prem are functioning properly, and along with that, the NSG flow logs will give you even greater detail than the diagnostic logs we set up earlier.
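The same IP Flow Verify check, run from the Azure CLI as an added example (not from the course): it tests inbound TCP 3389 to a session host from two sources and checks the verdict against what you would expect once the NSG is in place, denied from an internet address and allowed from the Bastion subnet. The resource group, VM name, private IP and Bastion subnet address are assumed values.

```shell
#!/bin/sh
# Added example: IP Flow Verify via `az network watcher test-ip-flow`.
# Assumes the az CLI is logged in; RG, VM, LOCAL_IP and BASTION_SRC are
# assumed values you replace with your own.
set -eu

RG="${RG:-rg-avd-networking}"              # assumed resource group
VM="${VM:-avd-sh-0}"                       # assumed session host name
LOCAL_IP="${LOCAL_IP:-10.0.1.4}"           # assumed session host private IP
BASTION_SRC="${BASTION_SRC:-10.0.254.4}"   # assumed address in AzureBastionSubnet

# Reduce the JSON that test-ip-flow prints, {"access": "Allow"|"Deny",
# "ruleName": "..."}, to a single "ACCESS RULE" line.
parse_ip_flow() {
  access=$(printf '%s' "$1" | sed -n 's/.*"access": *"\([A-Za-z]*\)".*/\1/p')
  rule=$(printf '%s' "$1" | sed -n 's/.*"ruleName": *"\([^"]*\)".*/\1/p')
  printf '%s %s\n' "${access:-Unknown}" "${rule:-none}"
}

# Exit 0 when the NSG verdict for inbound RDP from REMOTE_IP matches EXPECTED.
expect_rdp_inbound() {
  remote_ip="$1" expected="$2"
  out=$(az network watcher test-ip-flow -g "$RG" --vm "$VM" --direction Inbound \
          --protocol TCP --local "$LOCAL_IP:3389" --remote "$remote_ip:40000" -o json)
  verdict=$(parse_ip_flow "$out")
  echo "RDP 3389 from $remote_ip: $verdict"
  [ "${verdict%% *}" = "$expected" ]
}

if [ "${1:-}" = "--run" ]; then
  # A documentation (TEST-NET-3) address stands in for "the internet".
  expect_rdp_inbound 203.0.113.10 Deny
  expect_rdp_inbound "$BASTION_SRC" Allow
fi
```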
Dean Cefola is a Principal Azure Engineer at Microsoft and has worked in the IT industry for over 20 years. Dean has been supporting Azure Virtual Desktop from the beginning and is the Microsoft FastTrack Global Leader for AVD.