Azure Virtual Desktop Best Practices: Optimize Cost, Speed and Security

Azure Virtual Desktop provides a solid, cloud-first infrastructure to organizations that want to increase agility and unlock new features in today’s fast-paced digital environment. However, enterprises must learn how to operate under a shared responsibility model with Microsoft in such environments.

A shared responsibility framework lays out what responsibilities belong to the enterprise and what Microsoft manages. Implementing Azure Virtual Desktop best practices is the first step towards tackling the subscribers’ part of the responsibility. Learn more about optimizing Azure Virtual Desktops for enhanced security, better performance and reduced costs in this article.

Best Practices for Optimizing Costs

Azure Virtual Desktop allows organizations to move costs from capital expenditure (CapEx) to more manageable operating expenses (OpEx). However, the OpEx model also introduces other cost considerations that enterprises must factor in. Below are five best practices for optimizing costs with Azure Virtual Desktop:

Right-size virtual machines (VMs). Azure provides a broad range of VMs with different computational capabilities. It would be best to test-drive different VMs with the same workload to find out which VM offers the best throughput at the lowest cost. Once you’ve discovered the VM that works best, stick with it and use the autoscaling mechanism to help you adjust the number of VMs to actual workloads.

Turn off VMs when not in use. Microsoft bills for Azure VMs using a pay-as-you-go pricing model. You can achieve considerable cost savings if you switch off VMs outside of working hours. Although you continue paying for any virtual disk (vdisk) in use, the cost is minor compared to running VMs.
Locate and delete unused vdisks. Azure does not erase vdisks when you delete VMs, which means vdisks continue to live and incur the usual pay-as-you-go costs. Identifying and deleting such vdisks can help you save a great deal.
Utilize discounts by committing to reserved instances. By default, Azure charges all its resources in terms of a pay-as-you-go pricing scheme. However, you can also use other Azure pricing models like the reserved instances for VMs and benefit from significant discounts with your commitment of one or three years.
Consider shifting workloads to containers. Since containers are lighter than VMs, you can run dozens of them on a single host. Repackaging your applications as containers can help you minimize VM utilization and reduce your IT costs significantly.

Best Practices for General Azure Security

Azure is the underlying infrastructure upon which Azure Virtual Desktop runs. As such, maximizing its security is the first step towards securing Azure Virtual Desktop. There are two fundamental best practices for securing Azure infrastructure: activating the Azure Security Center and enhancing the secure score.

Enabling Azure Security Center is the first step towards addressing security challenges for rapidly changing workloads and increasingly sophisticated attacks in cloud environments. With an enabled Azure Security Center, you can manage vulnerabilities with ease, evaluate compliance with common standards and strengthen your enterprise’s overall security.

Azure secure score can help you enhance your overall security posture by assigning value to recommendations. Because the secure score prioritizes recommendations, you can always select which options are essential and address potential vulnerabilities quickly. The recommendations also update regularly, which means you can keep up to date with the best security features.

Best Security Practices for Azure Virtual Desktop

Azure Virtual Desktop has multiple built-in security controls that you can configure to fit your enterprise’s security needs. Below are some best practices to secure Azure Virtual Desktop:

Enable multi-factor authentication (MFA). Activating MFA strengthens the entire identity and access management (IAM) in Azure Virtual Desktop by requiring users to confirm their identities via two or more verification factors.
Activate conditional access. Enabling conditional access can help you mitigate risks before they occur. You can implement automated access control decisions by leveraging Azure Active Directory (AD) Conditional Access. When granting conditional access, Azure recommends considering who the users are, how they are signing in to the platform and which endpoints they are using.
Enable audit log collection. Regular log collection is crucial to understanding the security incidents on the Azure Virtual Desktop service. This is because you can actively investigate and conduct postmortem analysis to determine the root cause of a security incident. Enabling this feature can also allow the organization to manage risks and comply with regulatory standards.
Always use RemoteApps. Azure Virtual Desktop provides two deployment models: RemoteApps, where users can access only specified applications and entire virtual desktops. RemoteApps can help you minimize risks by allowing users to work only with a subset of applications.
Ensure resource consumption monitoring. Monitoring resource usage can help you observe availability and response time and undertake predictive analysis. You can use the Azure Monitor to receive notifications about the Azure Virtual Desktop’s resource consumption.

Besides securing Azure Virtual Desktop, you should also consider session hosts. Below are a few best practices for securing session hosts in an Azure Virtual Desktop environment:

Enable vulnerability assessment. A comprehensive vulnerability analysis can potentially decrease the probability of cyberattacks by providing extensive knowledge about Azure Virtual Desktop, general risks and security flaws. Azure Security Center can help you detect security hotspots via vulnerability assessments for server OSs. You can also use Defender ATP that provides vulnerability and security threat assessment for desktop OSs.
Always enable endpoint protection. Azure recommends enabling endpoint protection on all the session hosts to protect your deployment from known malicious applications. You can either use Windows Defender or install third-party antivirus software.
Always ensure you patch any identified vulnerability. You should always patch any identified vulnerability. This should cover the running OSs, applications and all the images you create new VMs from.
Enforce the maximum dormant time and disconnection policies. Logging out inactive users helps to preserve computing resources and can prevent unauthorized access. In this regard, you should enforce policies that shut down VMs that are inactive automatically.

Install an endpoint detection and response (EDR) system. Azure recommends installing an EDR such as the Defender Advanced Threat Protection (ATP) to provide advanced security capabilities.

Best Practices for Optimizing Performance

You should consider two crucial factors when optimizing the performance of Azure Virtual Desktop: speed and latency.

Speed

The speed at which workloads run has an impact on the overall performance of Azure Virtual Desktop. Three proven best practices you can use to optimize workload speeds include:

Right-sizing session hosts based on users’ needs. You need to find out how resource intensive the workload is and how many compute resources you will allocate to each user to determine your Azure Virtual Desktop speed. The more resources you assign to a user, the faster their virtual applications and desktops will run. You can use this tool to help you estimate the amount of compute resources you need for each remote desktop workload.
Ensuring you test the performance and refine it. After deploying your VMs, testing their performances should be your priority. If you find out that the sessions are performing well, you can try increasing user density per processor by adding more users or decreasing the resources for the session host. While this reduces the overall cost, you must ensure you strike a balance between performance and cost.
Optimizing Windows 10 for Azure virtual Desktop. Windows 10 comes loaded with pre-installed applications. Uninstalling unwanted applications and not running unnecessary processes can help make session hosts more efficient.

Latency

The physical distance between Azure (that hosts Azure Virtual Desktop) and users is the primary factor when considering latency. In this regard, you should consider in which Azure region the session hosts are getting deployed. Azure recommends a round-trip time (RTT) of less than 100 milliseconds for an effective virtual desktop experience.

For example, if your users are in Australia, it makes sense to select an Azure region closer to Australia. You can also consider remote desktop protocol (RDP) Shortpath. RDP Shortpath is a new Microsoft feature that connects clients and the Azure Virtual Desktop service directly. Using this feature can help you increase bandwidth for each user session and enhance the

Reinforce Remote Access Security with Parallels RAS

Desktop as a service (DaaS) offerings such as Azure Virtual Desktop are becoming increasingly popular as more organizations transition from traditional office environments to flexible, new working models. Parallels® Remote Application Server (RAS) is a powerful remote access technology that seamlessly integrates and extends Azure Virtual Desktop.

With Parallels RAS, IT administrators can configure and maintain Azure Virtual Desktop workloads via a single console. Enterprises can meet their user demands quickly and improve performance with more than 130 inbuilt, automated image optimizations in Parallels RAS.

Besides supporting and extending Azure Virtual Desktop, Parallels RAS also provides various remote access solutions such as:

Virtual desktop infrastructure (VDI): Organizations can deliver on-premises virtual applications and desktops seamlessly without compromising performance and security.
Remote Desktop Session Host (RDSH): Users can access applications and desktops simultaneously from a single Windows Server instance.
Remote PC: Users can join a domain-linked PC securely—whether physically joined or a virtual workstation—without requiring a virtual private network (VPN).

Download Parallels RAS trial today, and reinforce your remote access security!

Growth Opportunities for MSPs, ISVs, VARs and SIs in the Post-Pandemic Era

Read our white paper

The Road from VAR to MSP: How to Successfully Transition from One-Off to Recurring Revenue

Read our white paper