Azure Virtual Desktop landing zone design guide

This article provides a design-oriented overview of the enterprise-scale landing zone for Azure Virtual Desktop, for architects and technical decision makers. The goal is to help you quickly gain an understanding of the accelerator and how it's designed, allowing you to shorten the time required to complete a successful deployment.

Landing zone concepts

If you understand Azure landing zones, you can skip ahead to the next section. If not, here are some concepts to review before proceeding:

• Abstractly speaking, a landing zone helps you plan for and design an Azure deployment, by conceptualizing a designated area for placement and integration of resources. There are two types of landing zones:

  • platform landing zone: provides centralized enterprise-scale foundational services for workloads and applications.
  • application landing zone: provides services specific to an application or workload.

• Concretely, a landing zone can be viewed through two lenses:

  • reference architecture: a specific design that illustrates resource deployment to one or more Azure subscriptions, which meet the requirements of the landing zone.
  • reference implementation: artifacts that deploy Azure resources into the landing zone subscription(s), according to the reference architecture. Many landing zones offer multiple deployment options, but the most common is a ready-made Infrastructure as Code (IaC) template referred to as a landing zone accelerator. Accelerators automate and accelerate the deployment of a reference implementation, using IaC technology such as ARM, Bicep, Terraform, and others.

• A workload deployed to an application landing zone integrates with and is dependent upon services provided by the platform landing zone. These infrastructure services run workloads such as networking, identity access management, policies, and monitoring. This operational foundation enables migration, modernization, and innovation at enterprise-scale in Azure.

In summary, Azure landing zones provide a destination for cloud workloads, a prescriptive model for managing workload portfolios at scale, and consistency and governance across workload teams.

Reference architecture

The enterprise-scale landing zone for Azure Virtual Desktop is part of the "Desktop virtualization" scenario article series in the Azure Cloud Adoption Framework. The series provides compatibility requirements, design principles, and deployment guidance for the landing zone. They also serve as the reference architecture for an enterprise-scale implementation, ensuring the environment is capable of hosting desktops and any supporting workloads.

Design principles

Like other landing zones, the enterprise-scale Azure Virtual Desktop landing zone was designed using a core set of Cloud Adoption Framework design principles and guided by common design areas.

Design areas for the Azure Virtual Desktop landing zone are indicated with letters "A" through "J" in the diagram, to illustrate the hierarchy of resource organization:

Legend	Design area	Objective
A	Enterprise enrollment	Proper tenant creation, enrollment, and billing setup are important early steps.
B, G	Identity and access management	Identity and access management is a primary security boundary in the public cloud. It's the foundation for any secure and fully compliant architecture.
C-H, J	Resource organization	As cloud adoption scales, considerations for subscription design and management group hierarchy have an impact on governance, operations management, and adoption patterns.
C-H, J	Management and monitoring	For stable, ongoing operations in the cloud, a management baseline is required to provide visibility, operations compliance, and protect and recover capabilities.
E, F	Network topology and connectivity	Networking and connectivity decisions are an equally important foundational aspect of any cloud architecture.
G, F, J	Business continuity and disaster recovery	Automate auditing and enforcement of governance policies.
F, J	Security governance and compliance	Implement controls and processes to protect your cloud environments.
I	Platform automation and DevOps	Align the best tools and templates to deploy your landing zones and supporting resources.

Reference implementation

The Azure Virtual Desktop landing zone accelerator deploys resources for an enterprise-scale reference implementation of Azure Virtual Desktop. This implementation is based on the reference architecture discussed in the previous section.

Architecture

Important

The accelerator deploys resources into the Azure Virtual Desktop landing zone subscriptions identified in the following architecture diagram: AVD LZ Subscription, and AVD Shared Services LZ Subscription.

We strongly recommend deployment of the appropriate Cloud Adoption Framework platform landing zone first, to provide the enterprise-scale foundation services required by the resources deployed by the accelerator. Refer to the baseline deployment prerequisites to review the full set of prerequisites and requirements for the accelerator.

Download a Visio diagram of this architecture

Accelerator overview

The Azure Virtual Desktop landing zone accelerator supports multiple deployment scenarios depending on your requirements. Each deployment scenario supports both greenfield and brownfield deployments, and provides multiple IaC template options:

• Azure portal UI (ARM template)
• Azure CLI or Azure PowerShell (Bicep/ARM template)
• Terraform template

The accelerator uses resource naming automation based on the following recommendations:

• Microsoft Cloud Adoption Framework (CAF) best practices for naming convention
• The recommended abbreviations for Azure resource types
• The minimum suggested tags.

Before proceeding with the deployment scenarios, familiarize yourself with the Azure resource naming, tagging, and organization used by the accelerator:

Download a full-sized image of this diagram

Accelerator deployment

To continue with deployment, choose the following deployment scenario tab that best matches your requirements:

Baseline deployment

The baseline deployment deploys the Azure Virtual Desktop resources and dependent services that allow you to establish an Azure Virtual Desktop baseline.

This deployment scenario includes the following items:

• Azure Virtual Desktop resources, including one workspace, two application groups, a scaling plan, a host pool, and session host virtual machines
• An Azure Files share integrated with your identity service
• Azure Key Vault for secret, key, and certificate management
• Optionally, a new Azure Virtual Network with baseline Network Security Groups (NSG), Application Security Groups (ASG), and route tables

When you're ready for deployment, complete the following steps:

1. Review the get started document for details on prerequisites, planning information, and a discussion on what is deployed.

2. Optionally, refer to the Custom image build deployment tab to build an updated image for your Azure Virtual Desktop host sessions.

3. Continue with the baseline deployment steps. If you created a custom Azure Compute Gallery image in the previous step, be sure to select "Compute gallery" for OS image source and select the correct Image on the Session hosts page:

   

Custom image build deployment

The optional custom image build creates a new image from Azure Marketplace in an Azure compute gallery, optimized, patched and ready to be used. This deployment is optional and can be customized to extend functionality, like adding scripts to further customize your images.

The following images are currently offered:

• Windows 10 21H2
• Windows 10 22H2 (Gen 2)
• Windows 11 21H2 (Gen 2)
• Windows 11 22H2 (Gen 2)
• Windows 10 21H2 with Microsoft 365
• Windows 10 22H2 with Microsoft 365 (Gen 2)
• Windows 11 21H2 with Microsoft 365 (Gen 2)
• Windows 11 22H2 with Microsoft 365 (Gen 2)

You can also opt to enable the Trusted Launch or Confidential VM security type feature on the Azure Compute Gallery image definition. A custom image is optimized using Virtual Desktop Optimization Tool (VDOT) and patched with the latest Windows updates.

When you're ready for deployment, complete the following steps:

1. Review the get started document for details on prerequisites, planning information, and a discussion on what is deployed.
2. Continue with the custom image build deployment steps.